Another two most common vulnerabilities that can be found in web applications XSS & XSRF....
b"
hello everyone my name is vijay kumar Devireddy and i am glad to have you back on my episode 46 today we are discussing about The next two exploits we're going to discuss are types of web application vulnerabilities.These are known as cross-site scripting and cross site request forgery. Cross-site scripting occurs when an attacker embeds malicious scripting commands into a trusted website.When this occurs the attacker's trying to gain elevated privileges, steal information from the victims cookies or gain other information stored by the victims web browser.During a cross-site scripting attack,the victim is the user, not the web server.The web server's already been compromised possibly.A cross-site scripting attack exploits the trust that exists between a user's web browser,and the web server that they're visiting.This often happens because the attacker's able to insert some malicious code into a web page that's being delivered from the server to the victim or client.There are three types ofcross-site scripting attacks:stored and persistent, reflected, and DOM-based attacks.A stored and persistent cross-site scripting attack attempts to get data provide by the attackerto be saved on to the web server by the victim.Now in a reflected cross-site scripting attack, the attempt here is to have a non-persistent effect which is activated by the victim clicking on a link on that site.In a DOM-based attack, this is going to attempt to exploit the victim's web browser itself and it's often called a clientside cross-site scripting attack.This comes from the fact that the user's document object model or DOM is vulnerable to the attack.The DOM is part of the user's web browser.To prevent cross-site scripting attacks,programmers should use output encoding of their web applications, to prevent codes from being injected into them during delivery and they should also use proper input validation to prevent the ability for HTML tags to be inserted by users when they're entering information on a web form. As a user, you can help protect yourself from cross-site scripting attacks by increasing the security settings from your cookie storage and disabling scripting language when you're browsing the web.Just like we talked about back in the webbrowser configuration lesson of application security. Whereas cross-site scripting focuses on exploiting the trust between a user's web browser and a website. Cross-site request forgery instead exploits the trust that a website has in a user.In a cross-site request forgery,the attacker forces the user to execute actions on a web server that they already have been authenticated to.For example, let's say that you've already logged into your banks website and provided your username and your password.At this point you're already authenticated and the website trusts you.If an attacker can send a command to the web server through your authenticating session,they are forging the request to make it look like it came from you.The attacker in this case will be unable to see the web server's response to his request or commands but he could still use this to transport funds from the victim, change their password or do a myriad of other requests on the victims behalf. To prevent cross-site request forgery from being successful, programers should require specialized tokens on web pages that contain forms.Such as captions, utilize special authentication and encryption techniques, scan any XML file submitted by a user, and requiring cookies to be submitted twice for verification to ensure they both match and have the proper integrity.
"