Attack / Abuse / Vulnerability

Most of the attacks try:

  • to steal
  • or to impersonate an identity

by using a vulnerability

Abuse

Abuse detection mechanisms are generally based on rate limiting, behavioral analysis or machine learning, i.e. scoring every request by how different it is from the baseline, a sort of bot score...

Badbot

Bad bots are robots with bad intentions. They are also known as attackers. They walk through web pages trying to find forms and fill them, trying to send email in mass, to create fake...

Brute

A brute force attack is another word for password guessing. This is a brute attack. Defences: a strong password, a wait time after a false attempt.

Clickjacking

A page that provides users with an interface to perform actions that the user might not wish to perform needs to be designed so as to avoid the possibility that users can be tricked into activating the...

Csrf

A Cross-site request forgery (CSRF) is an HTTP request made by real users unknowingly, with the help of the browser, from a website to another target website (i.e. making the request cross-site...

Ddos

The goal of a Denial-of-service attack is to send requests to a server that will bring it down. The requests that need a lot of CPU are the most vulnerable (such as image resizing) (Example: with Drupal, Dokuwiki)...

Fake

Spam or fake form submissions can be made by a bot (spambot) or a human. Examples of forms: newsletter sign-up, account sign-up, comments ... Fake form submissions happen due to bots that scour...

Image Bomb

An image bomb is a DDoS attack that targets an image API. Image processing is quite heavy, so the server CPU will be overwhelmed pretty quickly, and if the result is cached, the storage may go up pretty...

Injection

An injection attack is when the attacker passes to a program, via its input, some code that modifies its behavior or is executed.

Password Guessing

Password guessing is a common type of security attack. In this type of attack, a hacker attempts to log in to a computer using various combinations of usernames and passwords. The best method to prevent...

Rainbow

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Rainbow tables are one tool that has been developed to derive a password by looking...

Session Fixation

A session fixation attack proceeds in three steps. First, the attacker transplants a session identifier from his or her user agent to the victim's user agent. Second, the victim uses that session...

Software

In order to assess the security of an application, security testing software is used and may act as a workload generator, a forward proxy, a vulnerability...

Sql Injection

When a program creates a SQL statement from some input, a SQL injection attack can modify the SQL behavior by injecting (i.e. modifying it with) a piece of SQL in the input. Below is an example of a SQL statement...

Vulnerability

A vulnerability is a vector of attack in software. For instance, encoding / escaping is not used on user information, i.e. in SQL, not using SQL parameters; in HTML, not escaping user information...

Xss

Cross-site scripting (XSS) is an injection security vulnerability that happens when external JavaScript code is injected into the page via user input. Injected JavaScript can then steal authentication tokens...
