- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? And what are the two main categories of XSS?
- What is SQL injection? And what is the attacker's intention behind it?
- Consider the SQL command below. Where is the vulnerability? Think about some ways an attacker could misuse it:
const { username, password } = req.body;
let strQry = `SELECT Count(*) FROM Users WHERE username=${username} AND password=${password}`;
- What does end-to-end encryption mean? Share an example of a well-known app using E2EE. How does that app use it?
Room 11: Pasand Yaba, Hana Abdulla, Ahmed Sabah, Muhammed Sabah, Ali Izaddin
1- A CSRF (Cross-Site Request Forgery) attack is a type of security exploit where an attacker tricks a user into unintentionally performing actions on a web application in which the user is authenticated. The attacker accomplishes this by embedding malicious code in a link or website visited by the user. When the user clicks the link or visits the website, their browser sends unauthorized requests to the target web application, which processes them as if they were legitimate actions by the user. CSRF attacks use HTTP requests to execute actions on the target application, such as transferring funds or changing account settings. They are often referred to as "one-click attacks" because they can be triggered with just one click by the user, without their knowledge.
2- XSS attacks involve injecting malicious scripts into web pages to steal sensitive information like cookies or session tokens from the user; the two main categories are Stored XSS (persistent) and Reflected XSS. Developers can prevent XSS by sanitizing input and using security measures like Content Security Policy (CSP).
3- SQL injection is when a sneaky hacker tricks a website into running bad commands. For example, imagine a website with a search bar. If the website is not well protected, the hacker could type something like this into the search bar: '; DROP TABLE users; --
4- username = " or ""="
password = " or ""="
5- End-to-end encryption (E2EE) ensures that only the communicating users can read messages by encrypting data on the sender's device and decrypting it on the recipient's device, with no intermediary access. Signal is an example of an app using E2EE, where users' devices generate cryptographic keys for secure messaging. Messages are encrypted with the recipient's public key and decrypted with their private key, ensuring privacy and security. Signal's implementation of E2EE safeguards communications from eavesdropping and surveillance, making it highly secure.
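As an added worked example (not part of the assignment or the Room 11 submission): the query from question 4 built the page's way, beside a parameterized version, both run against a constructed in-memory SQLite table. Python's sqlite3 stands in for the page's Node snippet because the query needs a real database to execute; the tautology input is written with single quotes because the page's template does not quote the interpolated values, so the input must supply its own.

```python
import sqlite3

# Constructed sample data (not from the page): one account, with a plaintext
# password column only because the question's query compares passwords directly.
SAMPLE_USERS = [("alice", "correct horse")]


def make_db():
    """In-memory Users table with the two columns the page's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(username, password):
    """Same string building as the page's template literal: request input becomes SQL text."""
    return f"SELECT Count(*) FROM Users WHERE username={username} AND password={password}"


def count_vulnerable(conn, username, password):
    """Run the pasted-together query exactly as the page builds it."""
    return conn.execute(vulnerable_query(username, password)).fetchone()[0]


def count_parameterized(conn, username, password):
    """Hardened form: '?' placeholders, values bound by the driver, so input is only ever data."""
    qry = "SELECT Count(*) FROM Users WHERE username=? AND password=?"
    return conn.execute(qry, (username, password)).fetchone()[0]


# A tautology in the spirit of answer 4. Pasted into the unquoted template the
# WHERE clause becomes
#   username='' OR ''='' AND password='' OR ''=''
# and the trailing OR ''='' is always true, so every row is counted and the
# login check passes without a valid password.
TAUTOLOGY = "'' OR ''=''"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected   :", count_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, injected:", count_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, genuine :", count_parameterized(db, "alice", "correct horse"))
```

Note that the unquoted template also fails for honest input: `count_vulnerable(db, "alice", "x")` raises an error because `alice` is parsed as a column name, which is a second sign that the values belong in bound parameters rather than in the query text.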