Web Security and Privacy

4.

Server-Side Vulnerabilities

4.1.

Injection Attacks

4.1.1.

4.1.1.1.

4.1.1.2.

4.1.1.2.1.

4.1.1.2.2.

4.1.1.3.

Out-of-band SQLi

4.1.1.4.

Mitigation Strategies

4.1.1.4.1.

Parameterized Queries

4.1.1.4.2.

Prepared Statements

4.1.1.4.3.

4.1.2.

NoSQL Injection

4.1.2.1.

Common NoSQL Databases

4.1.2.2.

Injection Techniques

4.1.2.3.

Mitigation Strategies

4.1.3.

OS Command Injection

4.1.3.1.

Command Execution Vulnerabilities

4.1.3.2.

Prevention Techniques

4.1.4.

4.1.4.1.

LDAP Query Manipulation

4.1.4.2.

Mitigation Strategies

4.2.

Broken Authentication and Session Management

4.2.1.

Credential Stuffing

4.2.1.1.

Automated Attacks

4.2.1.2.

Prevention Techniques

4.2.2.

Brute-Force Attacks

4.2.2.1.

4.2.2.2.

Account Lockout Policies

4.2.2.3.

CAPTCHA Implementation

4.2.3.

Session Fixation

4.2.3.1.

Attack Mechanism

4.2.3.2.

Prevention Strategies

4.2.4.

Insecure Session ID Handling

4.2.4.1.

Predictable Session IDs

4.2.4.2.

Secure Session Storage

4.2.5.

Missing Function Level Access Control

4.2.5.1.

Privilege Escalation Risks

4.2.5.2.

Access Control Enforcement

4.3.

Insecure Deserialization

4.3.1.

Serialization Formats

4.3.2.

Exploitation Techniques

4.3.3.

Prevention Strategies

4.4.

Server-Side Request Forgery

4.4.1.

Internal Network Access

4.4.2.

Data Exfiltration

4.4.3.

Mitigation Techniques

4.5.

File Handling Vulnerabilities

4.5.1.

Unrestricted File Upload

4.5.1.1.

File Type Validation

4.5.1.2.

Storage Location Controls

4.5.2.

4.5.2.1.

Directory Structure Disclosure

4.5.2.2.

Prevention Techniques

4.5.3.

Local File Inclusion

4.5.3.1.

Exploitation Methods

4.5.3.2.

Mitigation Strategies

4.5.4.

Remote File Inclusion

4.5.4.1.

Remote Code Execution

4.5.4.2.

Prevention Techniques

4.6.

XML External Entity Injection

4.6.1.

XML Parser Vulnerabilities

4.6.2.

Impact of XXE Attacks

4.6.3.

Secure XML Parsing

4.7.

Security Misconfiguration

4.7.1.

Default Credentials

4.7.1.1.

Risks and Remediation

4.7.2.

Verbose Error Messages

4.7.2.1.

Information Disclosure

4.7.2.2.

Error Handling Best Practices

4.7.3.

Unpatched Systems

4.7.3.1.

Patch Management

4.7.3.2.

Vulnerability Scanning

4.7.4.

Insecure Service Configurations

4.7.4.1.

Disabling Unused Services

4.7.4.2.

Secure Defaults

Previous

3. Client-Side Vulnerabilities

Go to top

Next

5. Cryptography in Web Security