Showing posts from October, 2013

Web Application Hacking - Part1

The scope of this course is not to learn SQL or data stores, but we are going to examine some more information about data store hacking that we will find useful in the rest of the course. Currently, nearly all applications rely on a data store to manage data that is processed within the application. In many cases, this data drives the core application logic, holding user accounts, permissions, application configuration settings, and more. Data stores have evolved to become significantly more than passive containers for data. Most hold data in a structured format, accessed using a predefined query format or language, and contain internal logic to help manage that data. Typically, applications use a common privilege level for all types of access to the data store and when processing data belonging to different application users. If an attacker can interfere with the application’s interaction with the data store, to make it retrieve or modify di...

Bypassing Web application Firewall - Part 5

Securing WAF DOM Based XSS

DOM based XSS is another type of XSS that is also widely used, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. An XSS attack based on the DOM is one where the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that, in contrast with the other two attacks, the page that the victim sees does not change, but the injected code is executed differently because of the modifications made to the DOM environment, as described above. In the other XSS attacks, we saw the injected code was ...