- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
- What is SQL injection? and what is the attacker’s intention from it?
- Consider the SQL command below. Where is the vulnerability? Think about some ways an attacker could misuse it:
```javascript
const { username, password } = req.body
let strQry = `SELECT Count(*) FROM Users WHERE username=${username} AND password=${password}`;
```
- What does end-to-end encryption mean? Share an example of a well-known app using E2EE. How does that app use it?
Room 3: Noor Alari, Ramah Madi, Rama Alzeer, Momena Salloum.
Q1. CSRF (Cross-Site Request Forgery), also known as a one-click attack or session riding, is a type of cyber attack that forces an authenticated end user to execute unwanted actions on a web application in which they are currently authenticated.
Its goal is to force the user to submit a state-changing request. Examples include:
• Submitting or deleting a record.
• Submitting a transaction.
• Purchasing a product.
• Changing a password.
• Sending a message.
It uses HTTP requests as follows:
• Authentication and Session Cookies:
o When a user logs into a web application, the server sends back a session cookie to the user's browser.
o This session cookie is then automatically included in subsequent requests to the same domain, authenticating the user.
• Malicious Link or Content:
o An attacker creates a malicious link, often embedded in a website, email, or another communication.
o The link leads to a request that performs an action on a target web application where the victim is already authenticated.
• Automatic Inclusion of Cookies:
o When the victim clicks on the malicious link, their browser automatically includes the session cookie associated with the target web application.
• Unauthorized Action:
o The malicious request is sent from the victim's browser, and the web application, trusting the request because it contains a valid session cookie, processes the request as if it came from the legitimate user.
It is called a "one-click attack" because the attack can be initiated with a single click on a seemingly harmless link. The victim might not be aware that they are triggering an action on a different site, and the attack can occur without any explicit user action beyond visiting a malicious page.
Note: using SSL/TLS does not prevent a CSRF attack, because the malicious site can just as easily send an "https://" request.
Q2. XSS Attack (Cross-Site Scripting):
In simple terms, XSS is like a sneaky trick that bad guys use to mess with websites you visit. They inject harmful code, like secret commands, into the websites. When you open the compromised website, this code runs in your browser, and the bad guys can steal your info or do things on the website pretending to be you.
Connection Between XSS and Cookies/Sessions:
Imagine your online session is like a special key that lets you access a website without logging in every time. If bad guys use XSS, they can steal that key (cookie) or use it to pretend to be you, doing things you didn't ask for on a website.
Two Main Categories of XSS:
Stored XSS (Persistent XSS):
Example: Bad guys write a secret code in a comment on a website. When others read that comment, the code runs in their browsers, causing trouble.
Reflected XSS:
Example: Bad guys send you a special link. When you click it, the harmful code in the link runs in your browser, doing things it shouldn't.
Q3. SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL injection attacks turn the application's own query code to malicious purposes: they can allow an attacker to view data that they are not normally able to retrieve, usually by reaching the backend of an application or webpage to view, alter, or delete information. This might include sensitive company data, valuable assets, or customer details.
Q4. The vulnerable part of the code is the query string itself, where the user-supplied values are placed directly into the SQL text:
```javascript
let strQry = `SELECT Count(*) FROM Users WHERE username=${username} AND password=${password}`;
```
An attacker can exploit this by manipulating the input values, for example by providing malicious input for the username or password field. For instance, if an attacker sets the username input to ' OR '1'='1' -- and leaves the password input empty, the resulting query looks like:
```sql
SELECT Count(*) FROM Users WHERE username='' OR '1'='1' -- AND password='';
```
In this case, the double hyphen (--) comments out the rest of the query, so the password check is bypassed and the attacker can potentially gain unauthorized access.
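The fix is to keep the SQL text constant and pass the values as parameters, so the driver never parses user input as SQL. The following added example (not part of the original answers) places the Q4 builder beside a parameterized one, assuming the values are quoted as the walkthrough above assumes, and uses a `?` placeholder style as found in common Node database drivers:

```javascript
// Vulnerable builder: the Q4 pattern, with the quotes the walkthrough assumes around the values.
function vulnerableLoginQuery(username, password) {
  return {
    sql: `SELECT Count(*) FROM Users WHERE username='${username}' AND password='${password}'`,
    params: [],
  };
}

// Fixed builder: the SQL text never changes; user input travels separately as parameters,
// so a quote or "--" inside the input is just data, never syntax.
function safeLoginQuery(username, password) {
  return {
    sql: "SELECT Count(*) FROM Users WHERE username = ? AND password = ?",
    params: [username, password],
  };
}

// Defender's check for the walkthrough: did a "--" end up before the password clause,
// i.e. is the password check commented out of the query the database will see?
function passwordCheckCommentedOut(sql) {
  const comment = sql.indexOf("--");
  const pwd = sql.indexOf("AND password");
  return comment !== -1 && pwd !== -1 && comment < pwd;
}

// Property that distinguishes the two builders: does the query TEXT depend on the input?
function queryTextDependsOnInput(builder) {
  const benign = builder("alice", "s3cret").sql;
  const hostile = builder("' OR '1'='1' --", "").sql;
  return benign !== hostile;
}

function demo() {
  const payload = "' OR '1'='1' --";
  const v = vulnerableLoginQuery(payload, "");
  const s = safeLoginQuery(payload, "");
  return {
    vulnerableSql: v.sql,                                   // password clause now behind "--"
    vulnerableBypassed: passwordCheckCommentedOut(v.sql),   // true
    safeSql: s.sql,                                         // identical for any input
    safeParams: s.params,                                   // payload kept verbatim as data
  };
}
```

Note that even the fixed query still compares a plaintext password column; parameterization removes the injection, not the need to store password hashes.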
Q5. End-to-end encryption (E2EE) is a secure communication method that prevents third parties from accessing data while it is being transferred from one end system or device to another. In E2EE, only the communicating users can read the messages, and no one in between, not even the provider of the communication service, can access the plaintext communication.
An example of a well-known app using E2EE is WhatsApp. WhatsApp uses the Signal Protocol, which is an open-source encryption protocol developed by Open Whisper Systems. When a user sends a message on WhatsApp, it is encrypted on the sender's device and can only be decrypted on the recipient's device. This ensures that the message content remains private and secure, even if the message is intercepted during transmission.