- October 19, 2021: Added OGNL injection.
- April 1, 2021: Added server-side template injection.
- March 29, 2021: Added web shell attacks.
Vulnerabilities can be exploited in a number of ways. Refer to the following descriptions of the various forms of attack:
- Arbitrary Code Execution
a.k.a. “Remote Code Execution” (RCE)
When an attacker can run code of their choosing on a target system, in the context of the vulnerable application or service and without authorization. "Remote" means the attacker needs no local or physical access to the machine, wherever it is located.
When a computer system, network, or application has a weakness that lets attackers bypass its normal security controls and gain high-level access (e.g., root access).
- Brute Force Attack
Systematically guessing credentials (passwords, keys, or session tokens) by trying many candidates until one is accepted; online attempts are made against a login form or API directly, offline attempts against stolen password hashes.
- Click Fraud
Generates fraudulent clicks on pay-per-click advertisements, by bots or paid clickers, so that the website owner is paid for clicks that carry no genuine interest in the ad.
- Clickjacking
Tricks users into clicking on something different from what they perceive, typically by overlaying a transparent frame of a target site on a decoy page, so that the user unknowingly reveals confidential information or lets others take control of the computer.
- Cross-Site Request Forgery (CSRF)
Forces an authenticated user's browser to submit unwanted, state-changing requests (such as a funds transfer or a password change) to a web application that trusts the session cookie sent along with the request.
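The standard defense is a per-session token that the attacker's page cannot read. The following is an added example, not code from the original glossary: it mints a token bound to the session ID with an HMAC, verifies it in constant time with an expiry, and shows a simulated transfer handler rejecting a request that lacks it. The server secret, session IDs and form fields are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never embeds it in source code.
SERVER_SECRET = b"constructed-example-secret-do-not-use"
TOKEN_TTL = 3600  # seconds a token stays valid


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Mint a token bound to this session: '<timestamp>.<nonce>.<hmac>'.

    The server embeds it in a hidden form field; a cross-site page cannot read
    it (same-origin policy), so it cannot forge a request that carries it.
    """
    ts = str(int(time.time()) if now is None else now)
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{ts}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token minted for this exact session."""
    try:
        ts, nonce, mac = token.split(".")
        ts_int = int(ts)
    except ValueError:
        return False  # wrong number of parts or non-numeric timestamp
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts_int <= TOKEN_TTL:
        return False  # expired, or timestamp from the future
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(expected.encode(), mac.encode())


def handle_transfer(form: dict, session_id: str, now: Optional[int] = None) -> str:
    """Simulated state-changing POST handler (constructed for the example)."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now):
        return "403 Forbidden"
    return f"200 transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A", now=1000)
    print(handle_transfer({"amount": "500", "to": "bob"}, "sess-A", now=1500))
    print(handle_transfer({"amount": "500", "to": "bob", "csrf_token": token}, "sess-A", now=1500))
```

The token is useless to a forged request from another origin because the attacker never sees it, and useless when replayed against another session because the session ID is part of the MAC input. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, not a replacement for the token.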
- Cross-Site Scripting (XSS)
A vulnerability, typically in web applications, that lets attackers inject malicious client-side scripts into otherwise legitimate and trusted websites, where they run in the victim's browser with the site's own origin. An XSS vulnerability may be used to bypass access controls such as the same-origin policy, steal session cookies, or act as the user.
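Whether injected script runs depends on where untrusted data lands in the page. The following is an added example, not code from the original glossary: a profile renderer that concatenates raw input beside one that encodes each value for its context (text node, quoted attribute, URL attribute). The profile fields and URLs are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Only these schemes may appear in an href; javascript:, data: and vbscript:
# URLs execute script or load attacker content in most browsers.
SAFE_LINK_SCHEMES = {"http", "https"}


def render_profile_vulnerable(name: str, site: str, bio: str) -> str:
    """Raw concatenation: each of the three parameters is a script sink."""
    return f'<a href="{site}" title="{bio}">{name}</a>'


def safe_link(url: str) -> str:
    """Allow only http(s) URLs; anything else is replaced by an inert '#'.

    urlsplit lowercases the scheme and strips tab/newline characters, so
    'JaVaScRiPt:' and 'java\\tscript:' are caught as well.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in SAFE_LINK_SCHEMES:
        return "#"
    return url.strip()


def render_profile_safe(name: str, site: str, bio: str) -> str:
    """Encode per context: URL attribute, quoted attribute value, text node."""
    return (
        f'<a href="{html.escape(safe_link(site))}" '
        f'title="{html.escape(bio)}">{html.escape(name)}</a>'
    )


if __name__ == "__main__":
    payload_name = "<script>alert(1)</script>"
    payload_bio = 'x" onmouseover="alert(1)'
    print(render_profile_vulnerable(payload_name, "javascript:alert(1)", payload_bio))
    print(render_profile_safe(payload_name, "javascript:alert(1)", payload_bio))
```

`html.escape` (with its default `quote=True`) covers text nodes and double- or single-quoted attribute values; it does not make data safe inside an inline `<script>` block or an unquoted attribute, which need their own encoders or, better, a template engine that escapes by default.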
- Cryptojacking
The unauthorized use of a computer's resources to mine cryptocurrency, for example via mining scripts injected into web pages or miners installed on compromised servers.
- Directory Traversal
a.k.a. “Path Traversal”
Allows attackers, by supplying path sequences such as ../ in a file name parameter, to read (and in some cases write) files outside the web server's document root, such as configuration files or credentials.
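The following is an added example, not code from the original glossary, contrasting a naive path join with a resolver that decodes the request once, normalises it, and refuses anything that leaves the document root. The document root and request paths are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for this example (not a real deployment path).
WEB_ROOT = "/var/www/html"


def vulnerable_resolve(requested: str) -> str:
    """Naive join: '../' segments in the request walk above the document root.

    A leading '/' is worse still: posixpath.join discards WEB_ROOT entirely.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def safe_resolve(requested: str) -> Optional[str]:
    """Map a request path to a file under WEB_ROOT, or None if it escapes.

    1. Percent-decode once, so '%2e%2e' is checked as '..' rather than slipping
       past a string match on the encoded form.
    2. Reject NUL bytes (truncate paths in C-based servers) and backslashes
       (treated as '/' by some servers and by Windows).
    3. Normalise the joined path and confirm it still lies under the root.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Strip a leading '/' so the request is always interpreted relative to root.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # commonpath, not startswith: '/var/www/html-private/x' starts with the
    # root string but is not inside the root directory.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["css/site.css", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req!r}: naive={vulnerable_resolve(req)} safe={safe_resolve(req)}")
```

On a live filesystem, resolve the candidate with `os.path.realpath` before the containment check as well, so a symlink inside the root cannot point the request outside it.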
- Distributed Denial-of-Service (DDoS)
Floods a target's web servers with simple requests or network packets from many sources at once, at a greater volume than the server can handle. Once overwhelmed, the server cannot respond to legitimate requests, thereby "denying" service to regular users; in some instances the web server crashes completely.
- Fileless Malware
Rather than installing a malicious executable on disk as other attacks do, it abuses legitimate, already-installed tools that are generally considered safe (for example, PowerShell or WMI) and runs largely in memory, which evades file-based detection.
- Form Grabbing
Malware, typically a browser add-on or code injected into the browser, that captures data entered into web forms before it is encrypted and submitted, so it works even against HTTPS sites.
Malicious code is inserted into an application's code or inputs (HTML, PHP forms, SQL, etc.) so that the application executes it as part of its own logic.
- Keylogging
Records the keys struck on a keyboard, usually covertly, to capture passwords and other typed secrets.
- Man-in-the-middle (MITM)
When communication between systems is intercepted by an outside entity. The attacker secretly relays, and possibly alters, the traffic between two parties who believe they are communicating directly with each other.
- Malvertising
The use of online advertising to spread malware. It can involve legitimate online advertising networks and websites that have been injected with malicious or malware-laden advertisements.
- Network Attack
A category of attacks aimed at a target's servers and network services rather than at flaws in the application's own code. Types include DDoS, brute force attacks (guessing passwords for user accounts on websites), and attacks that exploit SSL/TLS and Shellshock vulnerabilities.
- OGNL Injection
When an Object-Graph Navigation Language (OGNL) interpreter, as used by frameworks such as Apache Struts, evaluates user-supplied expression language data without validation, allowing attackers to inject expressions of their own and, through them, execute arbitrary code on the server.
- Open Redirect
a.k.a. “Unvalidated Redirects and Forwards”
A user is redirected to a target taken from an unvalidated request parameter (for example a next or url query parameter), so an attacker can craft a link on the trusted site that sends victims to a phishing or malware site.
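The following is an added example, not code from the original glossary: a redirect-target check that accepts only absolute paths on the current site and falls back to a default page otherwise, covering the bypasses that defeat a naive "no http://" check (protocol-relative `//host`, `///host`, backslashes, and non-http schemes). The default landing page and the sample parameters are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed default for this example: where to send the user when the
# requested target is missing or untrusted.
DEFAULT_LANDING = "/dashboard"


def redirect_target_vulnerable(next_param: str) -> str:
    """Uses the parameter as the Location header with no validation at all."""
    return next_param or DEFAULT_LANDING


def redirect_target_safe(next_param: str) -> str:
    """Accept only an absolute path on this site; otherwise fall back.

    Rejected, in order of the checks below:
    - empty values;
    - control characters and spaces (browsers strip some of these before
      parsing, so a check on the raw string could disagree with the browser);
    - backslashes (browsers treat '/\\host' as '//host');
    - two or more leading slashes ('//host' is protocol-relative and browsers
      also read '///host' as a host, although urlsplit does not);
    - anything with a scheme or host ('https://host', 'https:host', 'javascript:');
    - relative paths such as 'account', which resolve unpredictably.
    """
    if not next_param:
        return DEFAULT_LANDING
    if any(ord(c) < 0x21 for c in next_param) or "\\" in next_param:
        return DEFAULT_LANDING
    if next_param.startswith("//"):
        return DEFAULT_LANDING
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    if not parts.path.startswith("/"):
        return DEFAULT_LANDING
    return next_param


if __name__ == "__main__":
    for p in ["/account/settings?tab=security", "https://evil.example/", "//evil.example",
              "///evil.example", "/\\evil.example", "javascript:alert(1)"]:
        print(f"{p!r}: naive={redirect_target_vulnerable(p)} safe={redirect_target_safe(p)}")
```

Where redirects to other sites are genuinely required, replace the last checks with an explicit allowlist of full destination hosts compared after parsing; never rely on a substring or prefix match against the raw parameter.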
- Server-Side Template Injection (SSTI)
A malicious payload containing template directives is injected into the template engine and executed on the server side, which often gives the attacker arbitrary code execution on the server. This occurs when user input is concatenated directly into the template rather than passed to it as data.
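The following is an added example, not code from the original glossary, using Python's `str.format` as a stand-in for a template engine: it shows the same concatenate-versus-pass-as-data distinction that decides whether a Jinja2, Twig or FreeMarker template is injectable. The `User` class, its `api_key` field and the greeting template are constructed for the example.

```python
class User:
    """Constructed stand-in for a user record; api_key must never reach a page."""

    def __init__(self, name: str, api_key: str) -> None:
        self.name = name
        self.api_key = api_key


def render_greeting_vulnerable(user_input: str, user: User) -> str:
    """The user-controlled string becomes part of the template itself.

    Everything inside braces is now a template directive, so an input of
    '{user.api_key}' walks the context object and leaks the secret. In a
    full template engine the same mistake reaches object internals (for
    example '{user.__class__.__init__.__globals__}') and, from there, code
    execution.
    """
    template = "Hello " + user_input + "!"
    return template.format(user=user)


def render_greeting_safe(user_input: str, user: User) -> str:
    """The template is a fixed string; the input is passed as a value.

    Braces in the input are rendered literally, because format() only
    interprets placeholders that were in the template to begin with. The
    user object can stay in the context: the fix is not removing data from
    the context but keeping user input out of the template source.
    """
    template = "Hello {display}!"
    return template.format(display=user_input, user=user)


if __name__ == "__main__":
    alice = User("alice", "sk-constructed-0001")  # constructed sample record
    payload = "{user.api_key}"
    print(render_greeting_vulnerable(payload, alice))  # secret leaks
    print(render_greeting_safe(payload, alice))        # braces printed literally
```

The same rule applies to real engines: `render_template_string("Hello " + name)` in Flask is the vulnerable shape, `render_template_string("Hello {{ name }}", name=name)` is the safe one.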
- Spam
The (often repetitive) sending of unsolicited bulk email.
- Web Shell
A script (commonly PHP, ASP.NET or JSP) that an attacker uploads to a compromised web server and then invokes through the browser to run commands, browse and modify files, and keep a persistent backdoor into the system.