SMVDB

Your handy all in one vulnerability cheat sheet

Error-Based SQL Injection

40001
Error Based SQL Injection is an in-band SQL injection technique that allows hackers to take advantage of the database’s error output. One of the communication channels of the server is utilized to launch an attack and retrieve information using in-band injections. This is the easiest and most common intrusion technique used by an attacker. You can force data extraction by using a vulnerability in which the code will output a SQL error rather than the required data from the server.

DOM-Based Cross-Site Scripting (DXSS)

20004
DOM-based XSS (also known as DOM XSS or type-0 XSS ) arises when an application contains some client-side JavaScript that's being executed as a result of modifying the DOM “environment” in the victim’s browser by passing malicious JavaScript payload to a sink that supports dynamic code execution, such as `eval()` or `innerHTML`. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.

Blind SQL Injection

40002
Blind SQL Injection is a type of SQL Injection attack that exists when the application doesn’t necessarily return the return of a SQL query to the front end, unlike in-band SQL Injection, the SQLi query doesn’t return direct output to the application thus it may take longer for the attacker to exploit. Blind SQL Injection has three types: Boolean-Based SQLi Boolean-Based (Content-Based) Blind SQLi technique asks the database True or False questions and determines the answer based on the application's response. Depending on the result, the content within the HTTP response will change, or remain the same. Time-Based SQLi Time-Based SQLi technique analyzes and checks if there is a delay in the request-response based on injecting a time-intensive operation payload, and by performing a boolean check and performing a delay or not, the main down back of this type is that it requires a stable internet connection to differentiate extract data correctly. Out-of-Band (OOB) SQLi Out-of-Band (OOB) SQLi technique where an attacker uses external resources to exfiltrate data from the database by performing HTTP or DNS requests to an external server, the main down back of this technique is that it depends on the capability of a database system to initiate outbound DNS or HTTP request may need to rely on the function available.

Stored Cross Site Scripting

30001
Stored Cross-Site Scripting (also known as second-order or persistent XSS) arises when the vulnerable web application receives user-supplied input from untrusted sources and stores it in places such as database, message forum, visitor log, comment field. The malicious content also gets included in later HTTP responses sent by the server. It’s the most damaging type of XSS , If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user browser for the same origin that is vulnerable to XSS .

Server-Side Request Forgery (SSRF)

30001
A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs or send requests externally. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal. Typically, attackers supply a URL (or modify an existing one) and the code running on the server reads or submits data to it or even generate empty request to it. Attackers can manipulate URLs to gain access to internal data and services that were not meant to be exposed – including HTTP-enabled databases and server configuration data.

Cross-Site Request Forgery (CSRF)

20003
'Cross-site Request Forgery' is an attack that forces authenticated users to submit an unwanted request to a Web application against which they are currently authenticated. CSRF attack works because browser requests automatically include all cookies including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate authorized requests and forged authenticated requests.

Improper Error Handling

10001
Improper Error Handling, also known as Error Handling Flaws occur when an error message that’s displayed to an end user provides clues about how an application or website operates. It would be a serious risk when detailed internal error messages such as database dumps, stack traces, and error codes are displayed to the user (attacker). Even if the error message doesn't provide a lot of details, inconsistencies in such messages can still reveal important clues on how a site works or what system/back-end is present. Sometimes it may also lead to sensitive information disclosure. The severity of improper error handling is scenario dependent, means in some scenarios this error exposes critical information and in other scenarios non-sensitive information thus the severity must be calculated for each scenario.

Reflected Cross Site Scripting (RXSS)

20002
'Reflection' is when a web application returns the data entered by a user via request into the web application response. 'Reflected Cross-Site Scripting' or 'RXSS' is a type of 'Browser Side Attacks or Client Side Attacks' attack where an attacker abuse the reflection and inexistence of input sanitization to inject JavaScript code into victim's responses to take control of their browsers, execute malicious code to steal session cookies, or even redirect them to other pages. Any reflected parameter of an application is suspected to be vulnerable but the most severe parameters are 'GET' parameters where an attacker can simply use the nature of 'GET' parameters where is being sent inside the URL to reflect malicious code into the victim responses. If the reflection happens via 'POST' parameter or what is sometimes referred to as 'Self Cross-Site Scripting' or 'SXSS' an attacker may not be able to exploit the reflection scenario unless there's no 'CSRF' protection. Sometimes an attacker may not be able to injection JavaScript Code, hence an attacker may try to inject another type of code such as HTML which is known as 'HTML Injection' to trick users into performing actions, or CSS code which is known as 'CSS Injection'