10. Buffer Overflow
Buffer Overflow exploits are attacks that alter the flow of an application by
overwriting parts of memory.

11. Format String Attack
Format String Attacks alter the flow of an application by using string
formatting library features to access other memory space.

12. LDAP Injection
LDAP Injection is an attack technique used to exploit web sites that
construct LDAP statements from user-supplied input.

13. OS Commanding
OS Commanding is an attack technique used to exploit web sites by
executing Operating System commands through manipulation of
application input.

14. SQL Injection
SQL Injection is an attack technique used to exploit web sites that
construct SQL statements from user-supplied input.

15. SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique that
allows an attacker to send code into a web application, which will later be
executed locally by the web server.

16. XPath Injection
XPath Injection is an attack technique used to exploit web sites that
construct XPath queries from user-supplied input.

Information Disclosure

17. Directory Indexing
Automatic directory listing/indexing is a web server function that lists all of
the files within a requested directory if the normal base file is not present.

18. Information Leakage
Information Leakage is when a web site reveals sensitive data, such as
developer comments or error messages, which may aid an attacker in
exploiting the system.

19. Path Traversal
The Path Traversal attack technique forces access to files, directories,
and commands that potentially reside outside the web document root
directory.

20. Predictable Resource Location
Predictable Resource Location is an attack technique used to uncover
hidden web site content and functionality.

Logical Attacks
Copyright 2004, Web Application Security Consortium. All rights reserved.



