A Catalog of Security Attacks

Methods of attacking a web application from the attackers perspective and how to prevent each attack from the application developers perspective.

• Directory Scanning Attack - An attempt to discover the file structure of a web site in preparation for further attacks
• Link Crawl Attack - Traversing application links attempting to discover the structure of the application
• Path Truncation Attack - Examining directory listings by removing the filename portion of the URL
• CGI Scanning Attack
• File System Scanning Attack - Scan the local file system to match its structure and detect vulnerable files.

• Global Variable Injection Attack - Use parameters to inject arbitary values into uninitialized global variables in a PHP script.
• Remote File Injection Attack - Convince a PHP script to use a remote file instead of a presumably trusted file from the local file system.
• SQL Injection Attack - Attempt to get the database server to execute arbitrary SQL.
• Email Injection Attack - Attempt to get the program to send arbitrary emails.
• Command Injection Attack - Attempt to execute shell commands.
• Code Injection Attack - Attempt to execute arbitrary PHP code.
• Cross Site Scripting Attack - Attempt to coerce the program to outputing third party javascript.
• Cookie Tampering Attack - Attempt to manipulate an application’s cookie values.
• Parameter Manipulation Attack - Attempt to manipulate input to application validation and filtering.
• LDAP Injection Attack
• Globally Writable File Attack - File based input can be injected into other applications.

• Password Cracking Attack - Brute force password guessing
• Denial of Service Attack - If you can’t beat’em, shut them down.

• See security vulnerability catalog.
• See Web Application Security.