Context
High-level history of web browser and web technology evolution. Web attacks are described in a general fashion taking in account both server and client issues:
- buffer overflow
- sample code: sample applications or test scripts that are badly coded and can be exploited
- string validation attacks
- format string attacks
- canonicalisation attacks: attacks related to file naming exploitation on the server-side
- encoding attacks: used to bypass RegEx (Regular Expression) checks
- privilege escalation
- form tampering
- user-created content: back-doors or malicious server-side includes are uploaded into vulnerable web application to assist in web attacks
- XSS (cross site scripting)
- SQLIA (SQL injection attack)
- IDOR (Insecure Direct Object Reference)
- remote malicious file inclusion: common in old PHP
- CSRF (cross-site request forgery)
- access control weaknesses
- authentication and session management failures
- data confidentiality failures
- poor error handling