Website Security Book
Security for websites, web-applications and web-services
Insufficient Authorisation
Estimates suggest at least 1 out of 6 sites have insufficient authorisation vulnerabilities.
Introduction

Injection Attacks
  Buffer Overflows
  CRLF Injection
  Cross-Site Image Overlaying (XSIO)
  Cross-Site Scripting (XSS)
  Cross-Site Tracing (XST)
  Email Injection
  Format String Attacks
  HTTP Response Splitting
  LDAP Injection
  OS Command Injection
  Path Injection
  Interpreted Language Injection
  Regular Expression Injection
  SSI Injection
  SQL Injection
  XPath Injection
  Remote File Inclusion

Session and Password Attacks
  Password Cracking
  Password Guessing
  Password Recovery Attacks
  Session Brute-Forcing
  Session Fixation
  Session Prediction

Indirect Attacks
  Client-Side Attacks
  Cross-Frame Phishing Attacks
  Content Spoofing
  File Backdooring
  Footprinting
  Intranet Attacks
  Packet Sniffing
  Phishing and Pharming
  Platform Attacks
  Search Engine Ranking Attacks
  Social Engineering

Logical Attacks
  Abuse of Functionality
  Authentication Bypassing
  Automated Attacks
  Business Logic Flaws
  Denial of Service
  Directory Indexing
  Insufficient Authentication
  Insufficient Authorisation
  Parameter Tampering
  Predictable Resource Location
  Timing Attacks

Other Attacks
  Cross-Site Request Forgery (CSRF)
  Cryptanalytic Attacks
  HTTP Request Smuggling
  JavaScript Hijacking
  Minus Transactions Attack