Page 617 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
perform command injection. The example shows a command
injection triggering a Trivial File Transfer Protocol (TFTP) Get
operation to download an exploit tool onto the victim web server.
Any command that could be executed under the privileges of the
IIS service and be crafted within the limitations of a uniform
resource locator (URL) could be used. The example performs a
single directory listing of the C root. But with minor tweaking,
TFTP commands could be used to download hacker tools to the
target and subsequently launch those tools to grant greater remote
control or true command shell access. This attack can be stopped
with metacharacter escaping or filtering. Many modern web
servers can be vulnerable to variations of this attack as new forms
of alternate encoding of the change-to-parent command are
crafted.

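
An added example, not from the study guide: one way to apply the filtering described above is to decode a request path to its canonical form first, then check it for change-to-parent segments and interpreter metacharacters, so that alternate encodings are judged by what they decode to. The function names, the metacharacter set, the decode cap and the sample paths are assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumption: request paths in this application never need these interpreter
# metacharacters, so the filter rejects them instead of trying to escape them.
METACHARS = set(";&|`$<>^\"'\r\n\x00")
MAX_ROUNDS = 5  # hypothetical cap on nested percent-encoding layers


def canonicalize(raw_path):
    """Percent-decode until the value stops changing; raise ValueError if it cannot."""
    current = raw_path
    for _ in range(MAX_ROUNDS):
        try:
            # Strict UTF-8 refuses overlong (non-shortest-form) byte sequences.
            decoded = unquote_to_bytes(current).decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            raise ValueError("non-canonical UTF-8")
        if decoded == current:
            return decoded.replace("\\", "/")  # treat both separators alike
        current = decoded
    raise ValueError("too many encoding layers")


def check_path(raw_path):
    """Return (allowed, detail): the canonical path, or the reason for rejection."""
    try:
        path = canonicalize(raw_path)
    except ValueError as exc:
        return False, str(exc)
    if METACHARS & set(path):
        return False, "metacharacter"
    if ".." in path.split("/"):
        return False, "parent-directory segment"
    return True, path


# Constructed sample request paths, not taken from the page.
SAMPLES = [
    "/docs/report.txt",
    "/docs/100%25.txt",
    "/docs/../../secret.txt",
    "/docs/%2e%2e/secret.txt",
    "/docs/%252e%252e%252fsecret.txt",
    "/docs/..%c0%afsecret.txt",
    "/docs/..\\secret.txt",
    "/docs/report.txt;x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_path(sample))
```

The check runs on the fully decoded value, so the component that later opens the file must use the returned canonical path and not the raw request string.
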
XML exploitation is a form of programming attack that is used to
either falsify information being sent to a visitor or cause their system
to give up information without authorization. One area of growing
concern in regard to XML attacks is Security Association Markup
Language (SAML). SAML abuses are often focused on web-based
authentication. SAML is an XML-based convention for the
organization and exchange of communication authentication and
authorization details between security domains, often over web
protocols. SAML is often used to provide a web-based SSO (single
sign-on) solution. If an attacker can falsify SAML communications or
steal a visitor’s access token, they may be able to bypass authentication
and gain unauthorized access to a site.

Cross-site scripting (XSS) is a form of malicious code-injection attack
in which an attacker is able to compromise a web server and inject
their own malicious code into the content sent to other visitors.
Hackers have discovered numerous and ingenious methods for
injecting malicious code into websites via Common Gateway Interface
(CGI) scripts, web server software vulnerabilities, SQL injection
attacks, frame exploitation, DNS redirects, cookie hijacks, and many
other forms of attack. A successful XSS attack can result in identity
theft, credential theft, data theft, financial losses, or the planting of

