C# - Common Security Threats & Vulnerabilities (Part 6/6)
20. Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Example:
Upon loading Bob's malicious webpage, Alice is presented with a Service Downtime webpage
At this point the hidden iframe code embedded within Bob's malicious web page has already executed in Alice's browser and made changes to her account.
21. Components with Known Vulnerabilities
Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
22. Server Side Request Forgery
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.
No comments: