Web exploitation attacks websites and other web services.
Command Injection
Command injection abuses user input to run operating-system commands on the server through the application. To prevent this, avoid invoking third-party command-line programs from the application, and sanitize user input using a well-tested third-party library.
File Inclusion
Local file inclusion loads arbitrary files from the web server based on a GET parameter. Remote file inclusion additionally allows loading files from remote systems. Prevent this by avoiding dynamically included files altogether, or by using a whitelist of the files that may be included.
Cross Site Scripting
Cross Site Scripting (XSS) is a client-side attack: a vulnerability in the web site is used to run attacker-supplied JavaScript in the users' browsers. Reflected XSS carries the code in the URL and has to be delivered to the victim via a link. Stored XSS saves the script in a database, for example as a forum post, and attacks everyone who views that page. Preventing this requires sanitizing user input for certain characters, preferably with a third-party library.
SQL Injection
SQL injection attacks SQL databases by manipulating the query that the application builds from user input.
Clickjacking
Clickjacking uses an invisible iframe to trick the user into clicking buttons they did not intend to click. Prevent this by setting the X-Frame-Options header to DENY, SAMEORIGIN, or ALLOW-FROM domain.com in the HTTP response.
Cross Site Request Forgery
A CSRF attack uses a link to perform an action on the user's behalf using their existing session. Prevent this by enforcing that requests come from the same origin, or by using a CSRF token.
Directory Traversal
Directory traversal navigates outside of the intended directory, via the URL, to access other folders. Prevent this by not using user input in file-system calls, by mapping an index of allowed names to files, or by filtering traversal characters out of the input.
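The whitelist from the File Inclusion notes and the index-or-filter advice above, worked out in Python as an added example (not code from the original notes). The base directory /var/www/pages and the page index are constructed for the example; the path check normalises the candidate path and then confirms it still lies under the base directory, which is more robust than filtering ".." out of the string.

```python
import os
from pathlib import Path

# Constructed for the example: the only directory the application may serve from.
BASE_DIR = Path("/var/www/pages").resolve()

# Index approach: the client sends a short key, never a path.
PAGE_INDEX = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def resolve_by_index(key: str) -> Path:
    """Look the key up in a fixed index; unknown keys are rejected outright."""
    try:
        filename = PAGE_INDEX[key]
    except KeyError:
        raise ValueError(f"unknown page: {key!r}") from None
    return BASE_DIR / filename


def resolve_under_base(user_path: str) -> Path:
    """Resolve a user-supplied relative path and confirm it stays inside BASE_DIR.

    The check runs on the normalised absolute path, so '..' segments, a leading
    slash (which would replace the base when joined) and symlinks that point
    outside the base are all caught.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    candidate = (BASE_DIR / user_path).resolve()
    inside = os.path.commonpath([str(BASE_DIR), str(candidate)]) == str(BASE_DIR)
    # The base directory itself is not a page, so reject it as well.
    if not inside or candidate == BASE_DIR:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe(user_path: str) -> bool:
    """Convenience wrapper: True if the path would be served, False if rejected."""
    try:
        resolve_under_base(user_path)
        return True
    except ValueError:
        return False
```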
File Upload
A file upload vulnerability allows a user to upload arbitrary files that the server then executes. Prevent this with a file type whitelist: check the uploaded file's type, rename the file, remove executable permissions, scan it for malware, ensure double extensions are not executed, and ensure that only the upload folder has write permissions.
Vulnerability Scanners
Scanners crawl every page on the site and attempt multiple attacks against each one. Configure the scanner with what to avoid, such as password reset forms; watch out for captchas; read the log files; and validate the results.