What Are Injection Attacks

Injection attacks refer to a broad class of attack vectors. In an injection attack, an attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. Injections are amongst the oldest and most dangerous attacks aimed […]

Read More →

What is Code Injection

Code Injection or Remote Code Execution (RCE) enables the attacker to execute malicious code as a result of an injection attack. Code Injection attacks are different than Command Injection attacks. Attacker capabilities depend on the limits of the server-side interpreter (for example, PHP, Python, and more). In some cases, an attacker may be able to […]

Read More →

Recommendations for TLS/SSL Cipher Hardening

Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols. They were designed to secure the transfer of data between the client and the server through authentication, encryption, and integrity protection. TLS/SSL technology is commonly used in websites and web applications together with the HTTP protocol. It is also used […]

Read More →

What is Remote File Inclusion (RFI)?

Using Remote File Inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to Remote Code Execution. Remote File Inclusion attacks usually […]

Read More →

Out-of-band XML External Entity (OOB-XXE)

As with many types of attacks, you can divide XML External Entity attacks (XXE attacks) into two types: in-band and out-of-band. In-band XXE attacks are more common and let the attacker receive an immediate response to the XXE payload. In the case of out-of-band XXE attacks (also called blind XXE), there is no immediate response […]

Read More →

What Are XML External Entity (XXE) Attacks

An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is based on Server Side Request Forgery (SSRF). This type of attack abuses a widely available but rarely used feature of XML parsers. Using XXE, an attacker is able to cause Denial of Service (DoS) as well as access local and remote content […]

Read More →

What is Local File Inclusion (LFI)?

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application […]

Read More →

What is Server Side Request Forgery (SSRF)?

Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback […]

Read More →