Understanding these terms can help web developers, administrators, and security professionals better defend against various web-based attacks.
| Term | Description |
| --- | --- |
| Cross-Site Scripting (XSS) | A vulnerability in which attacker-supplied input is written into a page without output encoding appropriate to where it lands, so that it executes as script in other users' browsers. Because the script runs in the origin of the vulnerable site, it can read that site's DOM and storage, issue authenticated requests, and act as the victim. The payload may be stored on the server, reflected from the request, or introduced purely client-side (DOM-based). The primary defense is encoding output for its context (HTML body, attribute, URL, JavaScript), backed by a Content Security Policy. |
| SQL Injection | A vulnerability in which untrusted input is concatenated into a SQL statement, letting the attacker change the structure of the query rather than just its values: bypassing authentication, reading or modifying other tables, and in some database configurations executing commands on the host. Input validation helps, but the reliable defense is parameterized (prepared) statements, which keep data separate from query text. |
| Cross-Site Request Forgery (CSRF) | An attack in which a malicious page causes the victim's browser to send a request (for example, a form POST) to a site where the victim is already logged in. Because the browser attaches cookies automatically, the request carries the victim's session, and the target site cannot distinguish it from a legitimate one unless it checks something the attacker's page cannot produce: an anti-CSRF token tied to the session, the Origin or Referer header, or cookies restricted with the SameSite attribute. |
| Cross-Site Script Inclusion (XSSI) | An attack in which a malicious page loads a script-serving endpoint of the target site with a `<script src=...>` tag. The browser sends the victim's cookies with that request, and script inclusion is not restricted by the same-origin policy, so user-specific data embedded in the response (a JSONP callback, or JavaScript that assigns data to global variables) becomes readable to the attacker's page. Serving such data only as plain JSON that is not valid executable script, and requiring a token on the endpoint, prevents the leak. |
| Clickjacking | A UI-redress attack in which the target site is loaded in a transparent or disguised frame over decoy content, so the user's click lands on the hidden page (confirming a payment, changing a setting) rather than on what they see. Sites defend by refusing to be framed by other origins, using the `X-Frame-Options` header or the `frame-ancestors` directive of Content Security Policy. |
| Directory Traversal/Path Traversal | An attack in which a file-path parameter is manipulated with sequences such as `../` (often URL-encoded as `%2e%2e%2f`, sometimes double-encoded) to escape the directory the application intends to serve from and read, or occasionally write, files elsewhere on the host, such as configuration files or source code. Defenses canonicalize the requested path and verify that it still lies inside the allowed base directory. |
| Man-in-the-Middle (MitM) | An attack in which the attacker sits between two communicating parties, relaying and possibly altering traffic while each side believes it is talking directly to the other. On the web this allows eavesdropping on credentials, injecting scripts into pages, or downgrading connections to plaintext; TLS with proper certificate validation, reinforced by HSTS, is the main defense. |
| Brute Force Attack | An attack that tries candidate passwords or keys systematically until one works. Online attacks against a login endpoint are limited by rate limiting, account lockout and multi-factor authentication; offline attacks against stolen password hashes are limited only by the attacker's hardware, which is why slow, salted password hashing matters. Dictionary attacks are the variant that tries likely candidates first. |
| Session Hijacking/Session Sniffing | An attack in which the attacker obtains a valid session identifier and presents it to the application to impersonate the user. The identifier may be sniffed from an unencrypted connection, stolen through XSS, leaked in a URL or log, or guessed if tokens are predictable. Defenses include HTTPS for every request, cookies marked `Secure` and `HttpOnly`, long random session IDs, and regenerating the ID at login. |
| Distributed Denial of Service (DDoS) | An attack that exhausts a target's bandwidth, connection capacity or application resources with traffic sent from many sources at once (typically a botnet, or reflection and amplification through third-party servers), so that legitimate users cannot be served. The distributed origin is what distinguishes it from a plain denial-of-service attack and makes it hard to block by source address. |
| DNS Spoofing | An attack in which forged DNS responses (for example, by poisoning a resolver's cache or by answering queries on a local network) direct users to an attacker-controlled address for a legitimate hostname, enabling phishing or man-in-the-middle positioning. DNSSEC validation and TLS certificate checks limit the impact. |
| Zero-Day Exploit | An exploit for a vulnerability that is unknown to the vendor, so no patch exists; the name refers to the vendor having had zero days to respond. Because signature-based defenses do not recognise it, mitigation relies on reducing attack surface, least privilege, and patching quickly once a fix appears. |
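The XSS entry above turns on output encoding for the right context. The following is an added example, not code from the original page: it renders a constructed user comment both unencoded and HTML-escaped, and then shows an attribute context (a link `href`) where escaping alone is not enough and the URL scheme must be allowlisted. The comment text, the payload and the rendering functions are all constructed for the example.

```python
"""Output encoding against XSS (added example; the payload below is constructed)."""
import html
from urllib.parse import urlsplit

# Constructed attacker input: runs script as soon as the broken image fails to load.
XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_comment_vulnerable(author: str, text: str) -> str:
    """Writes user input straight into the HTML body: whatever markup the
    attacker submitted becomes part of the page and runs for every viewer."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author: str, text: str) -> str:
    """Same template with HTML entity encoding, so '<' reaches the browser as
    '&lt;' and is displayed as text instead of being parsed as a tag."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def render_link_safe(url: str, label: str) -> str:
    """Attribute context needs more than entity encoding: 'javascript:alert(1)'
    contains no HTML metacharacters, so html.escape leaves it intact and the
    browser would execute it on click. Allowlist the URL scheme first, then
    escape (quote=True also encodes the '"' that would close the attribute)."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"  # neutralise anything that is not a plain web link
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", XSS_PAYLOAD))
    print(render_comment_safe("mallory", XSS_PAYLOAD))
    print(render_link_safe("javascript:alert(1)", "click me"))
    print(render_link_safe('https://example.com/" onmouseover="alert(1)', "click me"))
```

The point of the last function is that "escape everything" is not a single operation: the correct encoding depends on whether the value lands in element content, a quoted attribute, a URL or a script block, and a value that is harmless in one context can be live in another.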
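For the SQL Injection entry, the following added example (not code from the original page) runs the classic injectable login lookup beside its parameterized form against an in-memory SQLite database. The `users` table and its two rows are constructed sample data; passwords are stored in clear only to keep the injection visible, which a real application must never do.

```python
"""SQL injection: string concatenation versus bound parameters (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed sample rows
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Interpolates user input into the statement text. A username of
    "alice' --" closes the string early and comments out the password check;
    a password of "' OR '1'='1" makes the WHERE clause true for every row."""
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same lookup with bound parameters: the driver sends the statement and the
    values separately, so quotes in the input can never alter the query."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice' --", "wrong"), ("nobody", "' OR '1'='1")]:
        print(f"{user!r}/{pw!r}: vulnerable={login_vulnerable(db, user, pw)} safe={login_safe(db, user, pw)}")
```

Note that the safe version does not validate or strip anything: the protection comes entirely from keeping the query text fixed and passing the input as data.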
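For the CSRF entry, here is an added example (not code from the original page) of the server-side check: a per-session anti-CSRF token derived with an HMAC, verified in constant time, plus an `Origin` header check as defense in depth. The session identifier, the site origin `https://bank.example` and the server secret are assumptions standing in for the application's session store and configuration.

```python
"""Anti-CSRF token bound to the session, plus an Origin check (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # assumption: one per deployment, never sent to clients
SITE_ORIGIN = "https://bank.example"      # assumption: the origin that owns the session


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the token from the session id with an HMAC. The server embeds it in
    every state-changing form; a cross-site page can neither read it (same-origin
    policy) nor compute it (no secret), so it cannot produce a valid request."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_genuine(session_id: str, submitted_token: Optional[str],
                       origin_header: Optional[str], site_origin: str = SITE_ORIGIN,
                       secret: bytes = SERVER_SECRET) -> bool:
    """Accept a state-changing request only if the submitted token matches the
    session's token and, when the browser sent an Origin header, it names our
    own origin. Browsers add Origin to cross-site POSTs, so a forged request
    from another site fails the second check even if a token has leaked."""
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(expected, submitted_token or ""):
        return False
    if origin_header is not None and origin_header != site_origin:
        return False
    return True


if __name__ == "__main__":
    token = issue_csrf_token("sess-123")
    print("legitimate form:", is_request_genuine("sess-123", token, SITE_ORIGIN))
    print("forged from attacker page:", is_request_genuine("sess-123", None, "https://attacker.example"))
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but the token remains the check that works in every browser and for every request type.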
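For the Directory Traversal entry, the following added example (not code from the original page) implements the canonicalize-then-check defense described there and exercises it against plain, URL-encoded and sibling-directory traversal attempts. `/srv/app/public` is an assumed document root, and the check is purely lexical (`posixpath`) so that it runs without touching a filesystem.

```python
"""Canonicalising a client-supplied path against directory traversal (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"  # assumption: the directory the application is allowed to serve


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto base_dir; return None if the canonical
    result would leave it. Lexical only: on a real filesystem use
    os.path.realpath as well, so a symlink inside the root cannot point outside."""
    decoded = unquote(requested)  # decode once, so %2e%2e%2f becomes ../
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C runtimes; reject outright
    base = posixpath.normpath(base_dir)
    # Join the relative part, then collapse '.', '..' and repeated slashes.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Compare against base + "/" so /srv/app/public2 is not mistaken for a child of /srv/app/public.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["images/logo.png", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "../public2/x"]:
        print(f"{req!r:32} -> {resolve_under_base(BASE_DIR, req)}")
```

Two caveats a practitioner should keep in mind: the function decodes exactly once, so a double-encoded `%252e%252e` survives as the literal filename `%2e%2e`, which is harmless only if nothing downstream decodes it a second time; and the prefix comparison must include the trailing separator, or a sibling directory whose name merely begins with the base name passes the check.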