Attack Definition:
Technique used by hackers to exploit the vulnerability (weakness/flaw
in any application/device) is called an attack.
In subsequent posts, we would be exploring attacks to identify their root cause, exploitation and remediation methods.
In subsequent posts, we would be exploring attacks to identify their root cause, exploitation and remediation methods.
Attack categories:
Serial No.
|
Attack Categories
|
1
|
Injection
|
2
|
Exploitation of authentication
|
3
|
Resource manipulation attack
|
4
|
Resource
depletion attack
|
5
|
Abuse of functionality
|
6
|
Embedded
malicious code execution
|
7
|
Protocol manipulation attack
|
8
|
Spoofing
|
9
|
Data structure attack
|
10
|
Path traversal
attack
|
Classification of attacks based upon categories:
1) INJECTION
|
||
SQL Injection
|
Blind SQL Injection
|
Static Code Injection
|
Dynamic Code Injection
|
Command Injection
|
LDAP Injection
|
Comment Injection
|
Special Character/Element Injection
|
Server-side Includes Injection
|
PHP Object Injection
|
Resource
Injection
|
XPATH Injection
|
Blind XPATH Injection
|
Full Path Disclosure
|
Web Parameter Tampering
|
Parameter Delimiter
|
String Format
Attack
|
Cross-site
scripting (CSS)
|
Content Spoofing
|
Content Security Policy
|
Cross-Origin Resource Sharing (CORS) RequestPreflighScrutiny
|
2) EXPLOITATION OF AUTHENTICATION
|
||
Account Lockout Attack
|
One-click Attack
|
Session Prediction
|
Session Hijacking Attack
|
Session Fixation
Attack
|
Cross Side
Request Forgery (CSRF)
|
Execution after Redirect
|
3) RESOURCE MANIPULATION ATTACK
|
||
Comment Injection
|
Special Character/Element Injection
|
Path Traversal
|
Relative path Traversal
|
Repudiation
Attack
|
Application
Setting Manipulation
|
Forced Browsing
|
Single Encoding Attack
|
Double Encoding Attack
|
Malwares
|
4) RESOURCE DEPLETION ATTACK
|
||
Asymmetric Resource Consumption
|
Cash Overflow
|
Denial of Service
|
Distributed Denial of Service
|
5) ABUSE OF FUNCTIONALITY
|
||
Account Lockout Attack
|
Cache Poisoning
|
Cross-user Defacement
|
Path Traversal
|
Mobile code: Invoking
Untrusted Mobile Code
|
Mobile code:
Object Hijack
|
Mobile code:
Non-final Public Variable Manipulation |
6) EMBEDDED MALICIOUS CODE
EXECUTION
|
||
Cross-Site Request Forgery (CSRF)
|
Logic/Time Bomb
|
Malwares
|
7) PROTOCOL MANIPULATION ATTACK
|
||
HTTP Request Smuggling
|
HTTP Response Splitting
|
Encryption Protocol Interception
|
Traffic Flood
|
8) SPOOFING
|
||
Cross Site Request Forgery (CSRF)
|
Cash Overflow
|
Denial of Service (DOS)
|
Distributed Denial of Service
(DDOS)
|
Man-in-the-Middle
(MIM)
|
Brute Force
Attack
|
9) DATA STRUCTURE ATTACK
|
||
Buffer Overflow
Attack |
Overflow Binary Resource file
|
Buffer Overflow via Environment Variables
|
10) PATH TRAVERSAL ATTACK
|
||
Full Path Disclosure
|
Relative Path Traversal
|
Source: OWASP (https://www.owasp.org)