Many users access web applications from a shared environment in which an attacker may have direct access to the same computer as the user. This gives rise to a range of attacks to which insecure applications may leave their users vulnerable. There are several areas in which this kind of attack may arise. Persistent Cookies … Read more
ActiveX controls are of particular interest to an attacker who is targeting other users. When an application installs a control in order to invoke it from its own pages, the control must be registered as “safe for scripting.” Once this has occurred, any other web site accessed by the user can make use of that … Read more
Session fixation vulnerabilities typically arise when an application creates an anonymous session for each user when they first access the application. If the application contains a login function, this anonymous session will be created prior to login and then upgraded to an authenticated one after they have logged in. The same token that initially confers … Read more
JSON hijacking is a special version of an XSRF attack, which in certain circumstances can violate the objectives of the browser’s same origin policy. It enables a malicious web site to retrieve and process data from a different domain, thereby circumventing the “one-way” restriction that normally applies to XSRF. The possibility of JSON hijacking arises … Read more
Frame injection is a relatively simple vulnerability that arises from the fact that in many browsers, if a web site creates a named frame, then any window opened by the same browser process is permitted to write the contents of that frame, even if its own content was issued by a different web site. Exploiting … Read more
HTTP header injection vulnerabilities arise when user-controllable data is inserted in an unsafe manner into an HTTP header returned by the application. If an attacker can inject newline characters into the header he controls, he can insert additional HTTP headers into the response and can write arbitrary content into the body of the response. This … Read more
The majority of interesting attacks against web applications involve targeting the server-side application itself. Many of these attacks do of course impinge upon other users — for example, an SQL injection attack that steals other users’ data. But the essential methodology of the attacker is to interact with the server in unexpected ways in order to … Read more