Page 1486 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

exploit the trust that remote sites have in a user’s system to execute commands on the user’s behalf.

XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website. When the user clicks the link on the first site, he or she is unknowingly sending a command to the second site. If the user happens to be logged into that second site, the command may succeed.

Consider, for example, an online banking site. If an attacker wants to steal funds from user accounts, the attacker might go to an online forum and post a message containing a link. That link is actually a link directly into the money transfer site that issues a command to transfer funds to the attacker’s account. The attacker then leaves the link posted on the forum and waits for an unsuspecting user to come along and click the link. If the user happens to be logged into the banking site, the transfer succeeds.

Developers should protect their web applications against XSRF attacks. One way to do this is to create web applications that use secure tokens that the attacker would not know to embed in the links. Another safeguard is for sites to check the referring URL in requests received from end users and only accept requests that originated from their own site.
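The two safeguards just described, a per-session secret token and a check that the request originated from the site itself, can be shown in a few lines of server-side logic. The following is an added example and is not code from the study guide; the site origin `https://bank.example`, the in-memory session store and the request headers are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Hypothetical banking site origin (constructed for this example).
SITE_ORIGIN = "https://bank.example"

# Server-side session store: session id -> CSRF token (in-memory stand-in).
_sessions: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Create a random token for this session and remember it server-side.

    The site embeds this token in its own forms. A link posted on a
    third-party forum has no way to know it, so a forged request fails
    the check below.
    """
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Safeguard 1: the submitted token must match the one issued to this session."""
    expected = _sessions.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)


def origin_is_trusted(headers: Dict[str, str]) -> bool:
    """Safeguard 2: only accept requests the browser says came from our own site.

    Prefer the Origin header, fall back to Referer, and reject the request
    when neither is present (absence is not proof of legitimacy).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin") or lower.get("referer")
    if not source:
        return False
    src = urlsplit(source)
    site = urlsplit(SITE_ORIGIN)
    return src.scheme == site.scheme and src.netloc == site.netloc


def allow_transfer(session_id: str, headers: Dict[str, str], form: Dict[str, str]) -> bool:
    """A state-changing request (money transfer) proceeds only if both checks pass."""
    return origin_is_trusted(headers) and token_is_valid(session_id, form.get("csrf_token"))


if __name__ == "__main__":
    tok = issue_csrf_token("session-1")
    # Constructed legitimate request from the bank's own transfer form.
    print(allow_transfer("session-1",
                         {"Origin": SITE_ORIGIN},
                         {"csrf_token": tok, "amount": "100"}))
    # Constructed request triggered from a forum link: wrong origin, no token.
    print(allow_transfer("session-1",
                         {"Referer": "https://forum.example/thread/42"},
                         {"amount": "100"}))
```

Both checks are applied because each alone has a weakness: some browsers and proxies strip Referer, so a referrer-only check either rejects legitimate users or, if it treats a missing header as acceptable, is easy to bypass; the token check does not depend on headers at all.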



               SQL Injection

Structured Query Language (SQL) injection attacks are even riskier than XSS attacks from an organization’s perspective. As with XSS attacks, SQL injection attacks use unexpected input to a web application. However, instead of using this input to attempt to fool a user, SQL injection attacks use it to gain unauthorized access to an underlying database.
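The difference between "unexpected input" that merely looks odd and input that changes what the database executes comes down to how the application builds its query. The following added example (not from the study guide) contrasts a lookup that splices user input into the SQL text with the same lookup using a bound parameter, against a small constructed SQLite table.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("bob", 250)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Vulnerable: the input becomes part of the SQL text.

    A quote character in the input ends the string literal early, so the
    rest of the input is interpreted as SQL rather than as a value. That is
    the mechanism by which unexpected input reaches the database engine.
    """
    query = (
        "SELECT username, balance FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Hardened: the input is bound as a parameter.

    The query structure is fixed before the value is supplied, so the
    database treats the entire input as a username to compare against,
    quotes included. No escaping logic is needed in application code.
    """
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print(lookup_vulnerable(db, "alice"))   # expected: one row
    print(lookup_vulnerable(db, probe))     # every row: structure was changed
    print(lookup_safe(db, probe))           # no rows: treated as a literal name
```

The takeaway for reviewers and defenders is that the fix is structural, not cosmetic: parameterized queries (prepared statements) remove the class of bug, whereas input filtering only narrows it.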


               Dynamic Web Applications

In the early days of the web, all web pages were static, or unchanging. Webmasters created web pages containing information and placed them on a web server, where users could retrieve them using their web