- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
- What is SQL injection? And what is the attacker's intention behind it?
- Consider the SQL command below. Where is the vulnerability? Think about some ways an attacker could misuse it:
const { username, password } = req.body
// User input is placed straight into the SQL text (the quoting matches the manipulated query in the Q4 answer below)
let strQry = `SELECT Count(*) FROM Users WHERE username='${username}' AND password='${password}'`;
- What does End-to-End encryption mean? Share an example of a well-known app using E2EE. How is that app using it?
ROOM 8 : Lubna Abdelkhaleq // Nour Kayyali // Mahmoud Rumaneh // Ala'a Nusairat
Q1: Cross-site request forgery, alternatively referred to as session riding or one-click attack, represents a web security flaw enabling a malicious actor to manipulate users into executing unintended actions. This vulnerability provides an avenue for the attacker to bypass elements of the same origin policy, a protective measure aimed at preventing various websites from disrupting each other's functionality.
How It Uses HTTP Requests:
Attacker Crafts a Malicious Request:
The attacker creates a malicious link or form that, when triggered, sends a request to a vulnerable web application.
This request is designed to perform an unauthorized action on the victim's behalf.
Victim's Browser Sends Request Unknowingly:
The attacker tricks the victim into visiting the malicious link or submitting the form.
The victim's browser automatically includes any authentication cookies associated with the vulnerable web application in the request.
Application Executes Action:
The web application, unable to distinguish between a legitimate request from the user and the forged request, executes the action as if it came from the authenticated user. // it is a type of cyber attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. // In a CSRF, or "one-click attack," the attacker manipulates a user into unknowingly executing actions on a website where they are authenticated. With just a single click on a malicious link or content, the attacker can leverage the user's existing authentication to perform actions on the targeted site, exploiting the trust between the user and the website.
Q2: Cross-Site Scripting (XSS) attacks involve injecting harmful scripts into trusted websites. Attackers exploit vulnerabilities in web applications that fail to validate or encode user input. By tricking users into executing these scripts, attackers can access sensitive information stored by the user's browser, such as cookies or session tokens. // XSS attacks can steal cookie data by reading or modifying the malicious script injected into the website. // non-persistent (reflected) and persistent (stored).
Non-persistent (Reflected) XSS:
Reflected XSS involves the immediate execution of a malicious script, often delivered through manipulated URLs or form inputs. The web application instantly reflects the injected script back to the user's browser, posing a transient threat.
Persistent (Stored) XSS:
Stored XSS presents a persistent risk as the injected malicious script is permanently saved on the target server. Every time users access a specific page or resource containing the stored script, it is retrieved and executed from the server, impacting multiple users over an extended period.
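The Q2 answer names the root cause as failing to validate or encode user input. The added example below (not from the exercise or the group's answer) shows the encoding half of that fix in JavaScript: the same comment-rendering function written first with raw string concatenation and then with HTML escaping applied to every untrusted value, plus a small check for whether the output still contains executable markup. The function names and the sample payload are constructed.

```javascript
// Added example: output encoding for the HTML text context. Names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that has meaning in HTML with its entity, so the browser
// shows it as text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted input is spliced straight into the page, so a stored or reflected
// payload becomes a real element that the browser executes.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Hardened: every untrusted value is escaped at the point of output. The payload is still
// stored and displayed, but as literal characters.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Constructed sample of the kind of payload a stored XSS would persist on the server.
const SAMPLE_PAYLOAD = '<script>alert(document.cookie)</script>';

// Crude test used only to illustrate the difference: does the HTML still contain a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Escaping is context-specific: this table is correct for element content and quoted attribute values, while a value placed inside a `<script>` block or a URL needs a different encoder. Independently of encoding, marking the session cookie `HttpOnly` keeps `document.cookie` from exposing it even when a script does slip through.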
Q3: SQL injection is a type of hack where bad actors sneak malicious code into a website's database by manipulating user inputs. This allows them to do unauthorized things, like accessing or messing with data. To prevent it, developers need to use secure coding practices. // the essence of a SQL injection attack: injecting malicious SQL code to manipulate the logic of a query. In real-world scenarios, attackers can exploit such vulnerabilities for unauthorized access, data manipulation, or other malicious activities.
Q4: In the given SQL command, the vulnerability lies in directly injecting user inputs into the query without proper validation. An attacker can exploit this by providing malicious input to manipulate the query.
For example, an attacker might input the following:
Username: ' OR '1'='1'; --
Password: ' OR '1'='1'; --
This would result in a manipulated query:
SELECT Count(*) FROM Users WHERE username='' OR '1'='1'; -- AND password='' OR '1'='1'; --
With this, the attacker can bypass the login check because the conditions '1'='1' always evaluate to true, granting unauthorized access.
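To make the Q4 answer concrete, here is an added example (not from the exercise or the group's answer) that places the string-built query beside a parameterized one. No database is used; each function returns what would be sent to the driver, which is enough to see that the interpolated version changes structure under the answer's input while the parameterized version keeps the SQL text fixed and passes the input as a value. The `?` placeholder style and the `statementWasAltered` helper are assumptions for illustration.

```javascript
// Added example: vulnerable string-built query versus a parameterized query.
// No real driver is involved; `buildParameterizedQuery` returns the {text, values} shape
// that most Node SQL drivers accept, which is an assumption about the driver.

// Vulnerable: the values become part of the SQL text, so a quote or comment marker in the
// input rewrites the statement's logic.
function buildVulnerableQuery(username, password) {
  return `SELECT Count(*) FROM Users WHERE username='${username}' AND password='${password}'`;
}

// Hardened: the SQL text contains only placeholders and never changes; the driver sends the
// values separately, so the input is compared as data and is never parsed as SQL.
function buildParameterizedQuery(username, password) {
  return {
    text: 'SELECT Count(*) FROM Users WHERE username = ? AND password = ?',
    values: [username, password],
  };
}

// Illustrative check: has a comment marker or an always-true condition entered the statement?
function statementWasAltered(sql) {
  return sql.includes('--') || /OR\s+'1'='1'/i.test(sql);
}

// The input from the answer above, constructed here as a constant.
const INJECTION_INPUT = "' OR '1'='1'; --";
```

Parameterization fixes the injection, not the design: the hardened query still compares a password stored in clear text. In practice the application looks up the stored password hash for the username and verifies the supplied password against it in code, so the password never appears in a query at all.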
Q5: End-to-end encryption is a security method that keeps your communications secure. With end-to-end encryption, no one, including Google and third parties, can read eligible messages as they travel between your phone and the phone you message. // WhatsApp is a popular messaging app that uses end-to-end encryption to protect user messages, voice calls, and video calls. E2EE on WhatsApp relies on the Signal Protocol, an open-source encryption method developed by Open Whisper Systems.
How Does E2EE Work?
1. Key Generation: Each user's device generates a unique pair of keys: a public key and a private key.
2. Key Exchange: The public keys are shared with others to initiate secure communication.
3. Message Encryption: The sender's device encrypts messages using the recipient's public key.
4. Decryption: Only the recipient's device, which holds the corresponding private key, can decrypt the messages.