Path Traversal Attacks
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with ...
Rx iT World Hacking Tutorial
Password Spraying Brute Force Attack
Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on list of usernames with default passwords on the application. For example, an attacker ...
Parameter Delimiter Attack
This attack is based on the manipulation of parameter delimiters used by web application input vectors in order to cause unexpected behaviors like access control and authorization bypass and ...
Mobile Code Object Hijack
This attack consists of a technique to create objects without constructors’ methods by taking advantage of the clone() method of Java-based applications. If a certain class implements cloneable() ...
Mobile_code_non-final_public_field
This attack aims to manipulate non-final public variables used in mobile code, by injecting malicious values on it, mostly in Java and C++ applications. When a public member variable or class used ...
Mobile_code_invoking_untrusted_mobile_code
This attack consists of a manipulation of a mobile code in order to execute malicious operations at the client side. By intercepting client traffic using the man-in-the-middle technique, a malicious ...
Manipulator-in-the Middle Attack (MITM)
The Manipulator-in-the middle attack (MITM) intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using ...
Man-in-the-Browser Attack
The Man-in-the-Browser attack is the same approach as Manipulator-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s ...
Log Injection Attacks
Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of ...
LDAP Injection
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to ...
HTTP Response Splitting
HTTP response splitting occurs when:Data enters a web application through an untrusted source, most frequently an HTTP request. The data is included in an HTTP response header sent to a ...
Function Injection Attack
A Function Injection attack consists of insertion or "injection" of a function name from client to the application. A successful function injection exploit can execute any built-in or user defined ...
Full Path Disclosure (FPD) vulnerabilities
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL ...
Format String Attack
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a ...
Form Action Hijacking Vulnerabilities
Form action hijacking allows an attacker to specify the action URL of a form via a paramter. An attacker can construct a URL that will modify the action URL of a form to point to the attacker's ...
Forced Browsing Attack
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible. An attacker can use Brute Force techniques to ...
Execution_After_Redirect_(EAR)
Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete ...
Embedding Null Code
The Embedding NULL Bytes/characters technique exploits applications that don’t properly handle postfix NULL terminators. This technique can be used to perform other attacks such as directory ...
Direct Dynamic Code Evaluation Eval Injection
This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, ...
Denial of Service (DoS) Attack
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for ...
