North Bay Linux Users’ Group

general meeting

Web Attacks 101: Cross Site Scripting, Cross Site Forgery and SQL Injection

When: Tue November 10, 2009 07:30 PM to 09:30 PM

Speaker: Doug Bierer

Location: O'Reilly Media

Cross Site Scripting is the #1 form of attack used in the web world today. The attack vector usually comes in the form of some sort of enticement: a forum posting with a bogus link, or a bogus email which fools the victim into thinking they are doing something to protect themselves (e.g. changing their online banking password).
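Whether the bogus link or email leads anywhere depends on a page that echoes untrusted input back without encoding it. The following is an added example, not material from the talk or from the speaker: it puts the vulnerable interpolation pattern beside the hardened one for two HTML contexts (element text and an attribute value). The `render_*` functions and the hostile sample values are constructed for illustration.

```python
import html

# Constructed sample inputs: a "name" query parameter as a hostile link might supply it.
HOSTILE_TEXT = "<script>alert(1)</script>"
HOSTILE_ATTR = '" onfocus="alert(1)'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input pasted straight into the HTML response."""
    return f'<p>Hello, {name}!</p><input name="who" value="{name}">'


def render_safe(name: str) -> str:
    """Hardened: encode for the HTML context before interpolating.

    html.escape with quote=True handles both the element-text context
    (<, >, &) and the attribute-value context (", ') in one call.
    """
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}!</p><input name="who" value="{safe}">'


def still_injectable(rendered: str) -> bool:
    """Illustrative check: does the output still contain a live tag or a broken-out attribute?"""
    low = rendered.lower()
    return "<script" in low or 'onfocus="' in low


if __name__ == "__main__":
    for value in (HOSTILE_TEXT, HOSTILE_ATTR):
        print("unsafe :", render_unsafe(value))
        print("safe   :", render_safe(value))
```

The check function is deliberately crude; the real lesson is that the encoding must match the context the value lands in (text, attribute, URL, JavaScript), and that a template engine which auto-escapes removes the chance of forgetting.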

Cross Site Forgery is in the Top 10 but is insidious in that the victim is the website. This form of attack hijacks a valid user's credentials and, unknown to the user, performs actions in their name which benefit the attacker.

SQL Injection is also in the Top 10. In this form of attack the cracker exploits vulnerabilities in how SQL statements are formed from user input to gain, first of all, detailed knowledge of a database, and secondly, the ability to extract sensitive information, or even to corrupt the database.
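The root cause is building the statement by string concatenation, so that user input can change the statement's structure rather than just its values. As an added example (not from the talk), the block below runs the same lookup against an in-memory SQLite table both ways; the table, its rows and the lookup functions are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, each with a value that should stay private."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: the input is spliced into the SQL text, so quotes in it rewrite the WHERE clause."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: a parameterised query; the driver sends the value separately from the statement."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "' OR '1'='1"):   # second value is the textbook tautology input
        print(repr(value), "unsafe ->", lookup_unsafe(db, value), "safe ->", lookup_safe(db, value))
```

With the unsafe function the tautology input turns a single-user lookup into "every user", which is exactly the first step the announcement describes (learning what the database holds); the parameterised version treats the same string as a literal username that matches nothing.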

Published Tue 10 November 2009 by Glenn Kerbein