Web Security Causes and Affects by Thomas Bird

WhyYouComingFast — 2019-04-26 08:30:40 UTC

Ransomware is a malware which threatens the victim and stops them from accessing their data or even steal it. The malware wants you to pay for your data back.
It happens commonly by email with attachments to download which then infects the computer and takes over therefore allowing the attacker to control the computer.
Another way could be criminal software so you won't have to send emails to get access.
The ransomware can only be decrypted with the key the attackers has so they would ask for an untraceable bitcoin.
Ransomware could happen to anyone but most likely people who pay fast or businesses.

Definition

james_herne — 2019-04-26 08:31:09 UTC

"A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."

What is an Injection Flaw?

txmbxrd — 2019-04-26 08:31:47 UTC

Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context. If your web application takes user input and inserts that user input into a back-end database, shell command, or operating system call, your application may be susceptible to an injection flaw.

A user exploits this by breaking out the intended "context" and appends additional and often unintended functionality. By allows injection flaws in your application you are allowing an attacker to create, read, update or delete and arbitrary data available to the application.

Examples

txmbxrd — 2019-04-26 08:32:43 UTC

There are many types of injection flaws. The most common being SQL injection.

Examples

james_herne — 2019-04-26 08:32:50 UTC

loss or theft of hard copy notes, USB drives, computers or mobile devices
an unauthorised person gaining access to your laptop, email account or computer network
sending an email with personal data to the wrong person
a bulk email using 'to' or 'cc', but where 'bcc' (blind carbon-copy) should have been used
a disgruntled employee copying a list of contacts for their personal use
a break-in at the office where personnel files are kept in unlocked storage

sta16000148 — 2019-04-26 08:33:14 UTC

Cross site scripting is a security flaw that exists because of how web browsers treat their information, such as cookies.
it involves injecting malicious code in a website, and using the websites permission to access information.
XSS requires a vector of attack such as an injection flaw, to add the malicious code to the website.

How Do You Protect Yourself

james_herne — 2019-04-26 08:33:39 UTC

Create complex passwords.
Watch for fraud.
Guard against identity theft.
Set up account alerts.
Anti-malware software

Variants of Cross Site Scripting

benjamin_curtis8 — 2019-04-26 08:35:53 UTC

There are multiple variants of cross site scripting meaning there is no single standardised classification. The primary variants are persistent and non-persistent.

Non-persistent (reflected):
Example of a non-persistent XSS flaw
Non-persistent XSS vulnerabilities in Google could allow malicious sites to attack Google users who visit them while logged in.
The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content.

Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script.

Persistent (or stored):
Example of a persistent XSS flaw
A persistent cross-zone scripting vulnerability coupled with a computer worm allowed execution of arbitrary code and listing of filesystem contents via a QuickTime movie on MySpace.
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.

For example, suppose there is a dating website where members scan the profiles of other members to see if they look interesting. For privacy reasons, this site hides everybody's real name and email. These are kept secret on the server. The only time a member's real name and email are in the browser is when the member is signed in, and they can't see anyone else's.

Suppose that Mallory, an attacker, joins the site and wants to figure out the real names of the people she sees on the site. To do so, she writes a script designed to run from other users' browsers when they visit her profile. The script then sends a quick message to her own server, which collects this information.

To do this, for the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal) but the text at the end of her answer is her script to steal names and emails. If the script is enclosed inside a