Category:Attack

Application Security Threats

This category is for common types of application security attacks. These are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.

An attack article should include:
 * the Threat
 * the Vulnerability
 * a description of exactly how the attack works
 * tools and techniques for performing the attack

Work to be done here includes
Creating articles for the following topics:
 * Brute Force Attacks
 * Account Lockout
 * Credential/Session Prediction
 * Unauthorized Access Attempts
 * Session Fixation
 * Session Hijacking
 * Cross-Site Scripting
 * Buffer Overflow Attack
 * Format String Attack
 * Directory Indexing
 * File Path Abuse
 * Traffic Flood
 * Automation of Functionality
 * File location guessing (see Guessed or visible temporary file
 * ... make sure the attack is listed for each vulnerability

Note: many of the items marked vulnerabilities from CLASP and other places are really attacks. Some of the more obvious are:
 * Command injection
 * Log injection
 * Resource exhaustion
 * SQL injection
 * Reflection injection
 * Reflection attack in an auth protocol