Vocabulary flashcards covering key concepts in web application hacking, including attack types and hacker methodologies.
Hacker's Mindset
Analyzing software to work with the existing codebase, seeking entry points rather than making them.
Hacker's Documentation
Keeping a record of prior attempts and lessons learned, with attention to detail in logging prior work.
Hacker's Continuous Learning
Constantly learning and adapting as techniques evolve and defenses improve.
Cross-Site Scripting (XSS)
Uploading malicious script code onto a website to steal data or perform mischief.
Three Main Categories of XSS Attacks
Stored, Reflected, and DOM-based.
Cross-Site Request Forgery (CSRF)
Forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
CSRF Attack Characteristics
Attack often goes unnoticed and can take advantage of a privileged user without their knowledge.
XML External Entity (XXE)
Attack relies on an improperly configured XML parser within an application's code to import external files.
SQL Injection
Web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
Components of Injection Attacks
SQL injection is the most common form; injection attacks have two major components: an interpreter and a payload from a user that is somehow read into the interpreter.
Denial of Service (DoS)
Attack that bombards the server with requests, paralyzing the server and preventing legitimate visitors from gaining access.
Forms of DoS Attacks
Distributed, Code-level (regex DoS/ReDoS), and Severity Levels.
Exploiting Third-Party Dependencies
Reliance on open-source software (OSS) as third-party dependencies can pose a significant security risk.
Risks of Reliance on OSS
OSS codebases may not be audited to the same lengths as your own code and are constantly being updated, requiring security assessment.