Today, we still use XML instead of JSON because of old, legacy applications which only support communication using XML (for example SOAP), or because XML Schema is much more mature than JSON Schema or Swagger. Or you simply like XML, or… you use Java! Whatever the reason for your decision, using this standard may be dangerous, and today I want to show you one of the attacks on it: XML External Entity processing (XXE).
Today, I will show you one of the most common tricks used to make users click on something they do not intend to. I developed a simple jQuery plugin to make it easier.
What is clickjacking?
It is described very well on Wikipedia, but in one simple sentence: users click on something different from what they think they are clicking. An example? Do you remember pop-ups with an X that, when you clicked it, opened another website instead? Facebook is protected against this attack, but imagine: you are on an interesting website, you click a “Read more” button and… you have just liked a Facebook profile. Then you click once more (because you think something did not work) and you get to the page you wanted. In very many cases you would not even realize you added a Like somewhere. Sounds interesting?
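The precondition for the trick above is that the target page can be loaded in a frame on a site the attacker controls. The helper below is an added example written for this article (it is not the jQuery plugin from the post and not code from any of the sites named): it audits response headers and reports whether a third-party page could frame them. It models the two defensive headers in simplified form: a Content-Security-Policy frame-ancestors directive, when present, takes precedence over X-Frame-Options, and with neither header any site may frame the page. All URLs and responses are constructed.

```python
"""Audit whether a response can be framed by a third-party page (the clickjacking precondition).

Hypothetical helper added for this article. Simplified model of the browser rules:
a CSP frame-ancestors directive wins over X-Frame-Options; no header means framable.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] in lower case, the unit browsers compare for SAMEORIGIN and 'self'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None when the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Keyword sources ('self', 'none') are quoted in CSP; drop the quotes for comparison.
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def source_matches(source: str, page_url: str, framer_url: str) -> bool:
    """Does one CSP source expression permit framer_url to embed page_url? (simplified matching)"""
    framer_origin = origin_of(framer_url)
    framer_host = (urlsplit(framer_url).hostname or "").lower()
    if source == "*":
        return True
    if source == "self":
        return framer_origin == origin_of(page_url)
    if source.startswith("*."):            # wildcard host, e.g. *.example.com
        return framer_host.endswith(source[1:])
    if "://" in source:                     # full origin, e.g. https://partner.example
        return framer_origin == source.rstrip("/")
    return framer_host == source            # bare host name


def can_be_framed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Would a browser render page_url inside a frame hosted on framer_url?"""
    lower = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
        if "none" in sources:
            return False
        return any(source_matches(s, page_url, framer_url) for s in sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_of(framer_url) == origin_of(page_url)
    # No header, or a value browsers do not honour (ALLOWALL, obsolete ALLOW-FROM): treat as framable.
    return True


def audit(responses: dict, attacker_url: str = "https://evil.example/") -> dict:
    """Map each page URL to True when an attacker-controlled page could frame it."""
    return {url: can_be_framed(headers, url, attacker_url) for url, headers in responses.items()}


# Constructed sample responses for the demonstration (not real sites).
SAMPLE_RESPONSES = {
    "https://shop.example/checkout": {},                                  # nothing set at all
    "https://bank.example/transfer": {"X-Frame-Options": "DENY"},
    "https://blog.example/post": {"X-Frame-Options": "SAMEORIGIN"},
    "https://widgets.example/like": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
    },
    "https://legacy.example/app": {"X-Frame-Options": "ALLOWALL",
                                   "Content-Security-Policy": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for url, framable in audit(SAMPLE_RESPONSES).items():
        print(f"{'FRAMABLE ' if framable else 'protected'} {url}")
```

Only the first sample is vulnerable to the "Read more" trick: the rest either deny framing outright, allow it from the same origin only, or whitelist a partner origin with CSP. The last sample shows why the check must look at both headers: its X-Frame-Options value is meaningless, but the CSP directive still protects it.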
One of the most popular attack vectors against web applications is Cross-Site Scripting, known as XSS. I will show you how the attack works and how to protect against some kinds of it.
Security is becoming more and more important. Clients will not use our products if they do not trust us. On the other hand, sensitive data is a tasty morsel for attackers, who can try to use it to gain access to another website, use it for phishing, and so on. In this article, I will tell you about this kind of vulnerability.
One of the most popular attack vectors is SQL Injection. Almost every website on the Internet uses some kind of database, such as MySQL, PostgreSQL or MSSQL. SQLi is a technique where an attacker edits a request so that it modifies the SQL query the application builds from it, in order to get information they are not allowed to access.
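The "edited request" mechanism in action, as an added example that is not code from the original post: the same login lookup written once by pasting request parameters into the SQL text and once with placeholders, run against an in-memory SQLite database. The table, rows, credentials and payloads are constructed for the illustration.

```python
"""Vulnerable string-built query next to its parameterised form, against in-memory SQLite.

Added example for this article; schema, rows and payloads are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a tiny users table the way a real login form would query it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret',  'admin');
        INSERT INTO users VALUES (2, 'bob',   'hunter2', 'user');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> list:
    # Request parameters become part of the SQL text, so whoever controls them
    # controls the query: a quote ends the string, '--' comments out the rest.
    sql = f"SELECT login, role FROM users WHERE login = '{login}' AND password = '{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> list:
    # Placeholders fix the query structure before the values are seen; the driver
    # sends the input as data, so a quote or '--' is just characters in a login name.
    sql = "SELECT login, role FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


# Constructed payloads: the first bypasses the password check, the second dumps the table.
BYPASS_LOGIN = "alice' --"
DUMP_LOGIN = "' UNION SELECT password, login FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS_LOGIN, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP_LOGIN, "x"))
    print("safe, bypass:      ", login_safe(db, BYPASS_LOGIN, "wrong"))
    print("safe, real creds:  ", login_safe(db, "alice", "s3cret"))
```

With the first payload the vulnerable query becomes `... WHERE login = 'alice' --' AND password = 'wrong'`, so the password condition is commented out and alice is logged in without a password; the UNION payload makes the same endpoint return every user's password in the column meant for the login name. The parameterised version returns no row for either payload, because the placeholder value is compared as a whole string, not interpreted as SQL.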