
Network Configuration And Change Management

When it comes to network configuration and change management, one attack to be aware of is a request whose parameters contain SQL control characters. If the web application does not intercept these control characters but sends them on as part of an SQL query to the database, the attacker can read data that is not otherwise available to them. You can use network management software to make things easy.

The name cross-site scripting (XSS) covers two (sometimes even a third type) fundamentally different attacks. With cross-site scripting (XSS), attackers inject HTML control characters and code in a client-side scripting language, such as JavaScript, into a web page that runs in the victim's browser.

This attack takes advantage of vulnerabilities in the local execution of scripts or initiates a cross-site request forgery. Server-side XSS refers to smuggling manipulated information into a script running on the web server so that, for example, a dynamically generated include() call executes a file (possibly even one from another server).

Since HTTP is a connectionless protocol, the web application identifies a user by means of a session ID. The session ID is supplied with each request via Basic or Digest authentication, cookies, URL rewriting, or HTTP form parameters (GET or POST).

In session hijacking, the attacker tries to learn the user's session ID and then uses it to assume the victim's identity and the victim's rights to access the web application.

Cross-site request forgery presupposes an existing session between the user and the web application. The attacker uses various techniques (possibly XSS) to get the user, or a client-side script, to direct the browser to call a malicious URL.

Unlike session hijacking, the attacker obtains no knowledge of the session ID, since the attack takes place exclusively in the user's browser.

Directory traversal

In a directory traversal attack, the attacker takes advantage of the web application's failure to check crafted paths. With an e-mail injection, the attacker adds manipulated data to a contact form so that the message is no longer sent to the recipient intended by the provider of the web application. This option is usually abused for sending spam.
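For the directory traversal case above, the following Python example, added here and not part of the original page, shows the path check whose absence the attack relies on: the requested path is decoded, resolved, and accepted only if it still lies under the document root. The names `resolve_under_root`, `PathRejected` and `demo` and the sample request paths are constructed for illustration; POSIX paths and a request path that arrives still percent-encoded are assumed.

```python
import os
import tempfile
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised when a requested path would leave the document root."""


def resolve_under_root(doc_root: str, requested: str) -> str:
    """Map a request path onto doc_root, refusing anything that escapes it."""
    # Percent-decode once so %2e%2e%2f is checked in its decoded form.
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # realpath() collapses ".." and follows symlinks, so a link inside the
    # root that points elsewhere is judged by where it really leads.
    root = os.path.realpath(doc_root)
    # Stripping leading separators keeps an absolute request path from
    # replacing the root inside os.path.join().
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # commonpath() compares whole components, so /srv/www-private is not
    # mistaken for a child of /srv/www the way a startswith() check would be.
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected(f"{requested!r} resolves outside the document root")
    return candidate


def demo() -> dict:
    """Run constructed request paths against a temporary document root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "img"))
        os.makedirs(os.path.join(tmp, "www-private"))  # sibling with shared prefix
        for path in ["img/logo.png", "/img/../index.html", "../www-private/key",
                     "..%2f..%2fetc/passwd", "img/%2e%2e/%2e%2e/secret"]:
            try:
                resolve_under_root(root, path)
                results[path] = "allowed"
            except PathRejected:
                results[path] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8}  {path}")
```

A request containing `..` is not rejected as such: `/img/../index.html` stays inside the root and is allowed, while the three paths that resolve outside it are refused.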

In a man-in-the-middle (MitM) attack, the attacker inserts themselves into the connection without the victim noticing. The benefit for the attacker is the ability to manipulate requests to the web application. Encrypting the data transfer with SSL becomes necessary to combat this issue. However, this protection is also ineffective if the attacker can obtain an SSL certificate for the website concerned that chains to a root certificate installed in the victim's browser.

In a denial of service (DoS) attack, the attacker tries to overwhelm the web server with a multitude of connection requests.
