gruyere learn web application exploits defenses top

Because HTTP is stateless, Gruyere uses cookies to remember your identity. Unfortunately, these are stored on the client side, making them easy targets for manipulation.

| Exploit | Description | Real-World Analogy | |---------|-------------|---------------------| | (Cross-Site Scripting) | Injecting malicious scripts into trusted websites | A sticky note left on a cash register that tricks the next cashier | | SQL Injection | Manipulating database queries via unsanitized input | Calling a hotel front desk and pretending to be the manager to get a master key | | CSRF (Cross-Site Request Forgery) | Tricking authenticated users into unwanted actions | A signed check you didn’t write but your bank accepts | | Command Injection | Running OS commands through a vulnerable app | Yelling “open sesame” and the door obeys without checking | | Path Traversal | Reading arbitrary files on the server | Using ../../ to climb out of the guest folder into the vault | | IDOR (Insecure Direct Object Reference) | Accessing unauthorized data by changing an ID | Changing ?invoice=123 to ?invoice=124 to see someone else’s bill | | SSRF (Server-Side Request Forgery) | Making the server attack internal systems | Tricking a receptionist into calling a locked room for you |

: This vulnerability involves leaking sensitive data by including a Gruyere script (like a JSONP response) on a third-party malicious website. Remote Code Execution & DoS

Restez informé(e) des événements et promotions ebook

Paiements sécurisés

Paiements sécurisés

Gruyere Learn Web Application Exploits Defenses Top

Because HTTP is stateless, Gruyere uses cookies to remember your identity. Unfortunately, these are stored on the client side, making them easy targets for manipulation.

| Exploit | Description | Real-World Analogy | |---------|-------------|---------------------| | (Cross-Site Scripting) | Injecting malicious scripts into trusted websites | A sticky note left on a cash register that tricks the next cashier | | SQL Injection | Manipulating database queries via unsanitized input | Calling a hotel front desk and pretending to be the manager to get a master key | | CSRF (Cross-Site Request Forgery) | Tricking authenticated users into unwanted actions | A signed check you didn’t write but your bank accepts | | Command Injection | Running OS commands through a vulnerable app | Yelling “open sesame” and the door obeys without checking | | Path Traversal | Reading arbitrary files on the server | Using ../../ to climb out of the guest folder into the vault | | IDOR (Insecure Direct Object Reference) | Accessing unauthorized data by changing an ID | Changing ?invoice=123 to ?invoice=124 to see someone else’s bill | | SSRF (Server-Side Request Forgery) | Making the server attack internal systems | Tricking a receptionist into calling a locked room for you | gruyere learn web application exploits defenses top

: This vulnerability involves leaking sensitive data by including a Gruyere script (like a JSONP response) on a third-party malicious website. Remote Code Execution & DoS Because HTTP is stateless, Gruyere uses cookies to