CYBERATTACK

METHODS

PART 1

Hiral Patel
@gisacouncil
Cross site scripting attack
Cross-site scripting (XSS) is a form of client-side code injection
attack where the attacker inserts malicious scripts into a
legitimate web application. The objective is to execute these
harmful scripts within the victim's web browser when they visit
the compromised web application. The attack occurs as the
victim interacts with the web application, unwittingly executing
the injected malicious code. Essentially, the web application
unwittingly serves as a conduit for delivering the malicious
script to the user's browser.
 Steps for attack
1. Attacker finds the website with XSS vulnerability where input
validation or output encoding is not being taken care
2. Attacker injects bad code in the vulnerable website
3. This trusted website is requested by victim
4. In victim’s browser, the website will be opened but with
malicious payload
5. As the script like <Script> alert (document.Cookie)</script> is
inserted in the web page, unknowingly the cookies will be sent
to attacker.
6. After getting cookie of victim, attacker can do many malicious
activities.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end
user to execute unwanted actions on a web application in which
they’re currently authenticated. With a little help of social
engineering (such as sending a link via email or chat), an attacker
may trick the users of a web application into executing actions of
the attacker’s choosing. If the victim is a normal user, a successful
CSRF attack can force the user to perform state changing requests
like transferring funds, changing their email address, and so forth. If
the victim is an administrative account, CSRF can compromise the
entire web application.
 Steps for attack
1. Victim logins to the web application
2. Session id will be sent by web server to victim. Session id will be stored
in the cookies of the browser of a victim. For every request, server will
recognize the client with session-id only.
User has to be already logged into the application. Application has
authenticated to victim by sending the sessionid
3. Attacker sends the victim an email with the malicious link
https://bank.com/email/[email protected]
4. Victim clicks on the malicious link, request would be sent to the server
with the cookies attached. It is browser’s default functionality to
attach cookies of that domain with the request. Now web server will
search for the sessionid attached with request exists or not.
5. As session id is valid for particular request, server will execute and
change the email id as requested in malicious link.
Difference between XSS and XSRF
XSS XSRF

User trusts a badly A badly implemented

1.
implemented website website trusts the user.

Attacker’s trick user’s

Attacker injects a script
2. browser into issuing
into the trusted website
requests

User’s browser executes Website executes

3.
attacker’s script attacker’s request
 SQL injection is a cyber-attack focusing on exploiting
weaknesses in a website's database layer. Hackers
take advantage of inadequately sanitized user inputs
to tamper with the SQL queries processed by the

SQL database. When a user submits data through a form

on a website, such as a username and password for

Injection
logging in, the website typically constructs a SQL query
based on the user's input to fetch or manipulate data
in the database. However, if the website doesn't
properly validate or sanitize the user input, attackers
can insert malicious SQL code into these input fields.
Let us take an example as in below login page if
attacker does not know username and password and
if the webpage is vulnerable to SQL injection then it will
accept this string as shown in the below form.
Here in query condition username=’ ‘ or 1=1 --, as it is combined with OR
operation only one condition needs to be correct and 1=1 is always true
so the query is true and it ignores the password part because after 1=1
the comment line – is added so whatever is written after comment(--)
is ignored. This is why the query returns true and attacker can
successfully logins without any correct credentials
 Parameter Tempering
Parameter tampering is a form of web attack that involves
manipulating or interfering with the application business logic
that is exchanged between client and server to alter
application data, such as user credentials, permissions, and
price information. Usually, this information is stored on cookies,
hidden form fields or URL query strings. Parameters can be
manipulated in Cookies, Form fields manipulation, URL
manipulation or HTTP header manipulation.
The example shows how the parameters can be
tempered in Form fields
Man-in-the-middle attack

Attacker can secretly listen the conversation

between two legitimate users and after listening
the message it relays message to both the
parties, but both parties do not understand that
the message is coming from third person
Food for Thought
a) SQL injection attack
Question 1.

Identify the web

b) Cross-Site Scripting (XSS)
application attack where
the attackers exploit
vulnerabilities in c) LDAP Injection attack
dynamically generated
web pages to inject client-
side script into web pages Cross-Site Request Forgery
d)
viewed by other users. (CSRF)
Food for Thought
a) It is an attack used to gain
unauthorized access to a database.
Question 2

b) It is an attack used to modify

What is the best code in an application.
description of SQL
Injection? It is a Man-in-the-Middle attack
c)
between your SQL Server and
Web App Server

d) It is a Denial of Service Attack.

 Food for Thought
a) Parameter tampering
Question 3

Web application b) Cross site scripting

developers sometimes
use hidden fields on web
pages to save information c) Cross site request forgery
about a client session. The
most likely web based
attack due to this practice d) Cookie poisoning
is
 Food for Thought
a) To encrypt data exchanged between
two parties
Question 4
b) To impersonate a legitimate entity
What is the primary and gain unauthorized access.
objective of a Man-
in-the-Middle c) To intercept and possibly alter
(MitM) attack? communication between two parties.

d) To inject malicious code into web

applications and compromise
data.
 Food for Thought
Question 5.
a) Cross-Site Request Forgery
During an online banking session
through a web browser, a user receives
an email containing a link to an b) Cross-Site Scripting
entertaining website. Clicking the link
opens a new web browser session
featuring a video of cats playing a
piano. The next day, the user receives c) Clickjacking
what appears to be an email from their
bank, notifying them of unauthorized
access to their account from abroad. d) Web form input validation
The email prompts the user to call the
bank to verify a funds transfer. What
web browser-related security flaw was
exploited to compromise the user's
security?
Like and Share for more
awareness

Stay tuned for Part 2

Thank You