- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
- What is SQL injection? and what is the attacker’s intention from it?
- Consider the below SQL command, where is the vulnerability? think about some ways an attacker can misuse it:
const { username, password } = req.body
let strQry = `SELECT Count(*) FROM Users WHERE username=${username} AND password=${password}`;
- What does End-to-End encryption means? Share an example of an well-known app using E2EE, how is that app using it?
Arass , Amal, Afeaa,Mohammad Nazar,
1.Cross-site request forgery (CSRF), also known as one-click attack or session riding, is a type of cyber attack that tricks a user into submitting an unwanted web request to a website or application they are authenticated to. The attacker can then use the user's identity and privileges to perform actions such as transferring funds, changing an email address, or making a purchase.
2.Types of XSS: Stored XSS, Reflected XSS and DOM-based XSS. Cross-site Scripting attacks (XSS) can be used by attackers to undermine application security in many ways. It is most often used to steal session cookies, which allows the attacker to impersonate the victim.
3. SQL injection is a cyber attack where malicious SQL code is inserted into input fields of a website or app. The attacker's goal is to manipulate the database, steal data, bypass authentication, or even take over the entire system. It's a serious threat that requires proper input validation and secure coding practices to prevent.
4.The vulnerability lies in the lack of proper sanitization or parameterization of user inputs in the SQL query, making it susceptible to SQL injection attacks. An attacker could exploit this to bypass authentication, retrieve sensitive data, or execute malicious SQL commands. To mitigate this, use parameterized queries or prepared statements to separate SQL code from user input.
5.End-to-end encryption (E2EE) ensures that only the sender and recipient can read messages. WhatsApp uses E2EE by encrypting messages on the sender's device and decrypting them on the recipient's device, preventing anyone else, including WhatsApp itself, from accessing the content.