Risk
Asset + Threat + Vulnerability
Session Hijacking
attacker obtains session cookie and impersonates a legitimate user
Session Sniffing
attacker monitors unencrypted network traffic (especially on public Wi-Fi networks) to capture session IDs
Cross-Site Scripting (XSS)
attacker injects scripts into web pages that are then viewed by other users
SQL Injection
attacker supplies specially crafted input that gets interpreted as part of a database query, allowing the attacker to read, modify, or delete data
Denial of Service (DoS)
floods a target system with so many requests that it becomes unavailable to legitimate users
DDoS
compromised computers (a botnet) generate the attack traffic, making it harder to defend against
Buffer Overflow
attacker sends more data to a program's memory buffer than it can handle, causing it to overflow
to prevent: use a safe language, check input sizes, test, update
Man-in-the-Middle
attacker secretly intercepts and alters communication between two parties
to prevent: HTTPS, 2FA, avoid public WiFi or use VPN
Supply-Chain Attack
attacker inserts malicious code into software updates, dependencies, or hardware from trusted suppliers