Web Security Glossary

Alphabetical Index of Terms and Terminology for Reference

The Web Security Glossary is for reference purposes.

Abuse of Functionality
An attack technique that turns a web site's own features and functionality against it, using them to consume its resources, defraud its users, or circumvent its access controls. See also “Denial of Service”.

ActiveX controls
ActiveX controls are software components based on the Component Object Model (COM) and formerly known as OLE controls. ActiveX controls are reusable and can be written in, and called from, many development languages. They were widely used by web based applications to extend browser functionality (e.g. the Windows Update site). They run with the full privileges of the logged-in user and were only ever supported by Internet Explorer; modern browsers do not run them. See also “Java”, “Java Applets”, “JavaScript”, “Web Browser”.

Anti-Automation
Security measure that prevents automated programs from exercising web site functionality by presenting the user with a challenge that only a human should be able to pass (a CAPTCHA, a form of Turing test). See also “Visual Verification”.

Anti-Malware
A term generally applied to a software application that combats malicious code through detection and/or removal.

Application Server
A software server that executes dynamic web applications. Also known as middleware, it is normally installed on or near the web server, which forwards requests to it. See also “Web Application”, “Web Server”.

Attack Vectors
The path or means by which an attacker, or a piece of malware, enters a system. In the web context this generally refers to a protocol or service such as HTTP, SMTP, FTP, IRC, IM, etc.

Authentication
The process of verifying the identity or location of a user, service or application. Authentication is performed using at least one of three mechanisms: “something you have”, “something you know” or “something you are”. The authenticating application may provide different services based on the location, access method, time of day, etc. See also “Insufficient Authentication”.

Authorization
The determination of what resources a user, service or application has permission to access. Accessible resources can be URL’s, files, directories, servlets, databases, execution paths, etc. See also “Insufficient Authorization”.

Backdoor
A Backdoor is a secret or undocumented way of gaining access to a program, online service, computer or an entire computer network while bypassing the normal authentication controls. Backdoors are commonly planted after an initial compromise so that the attacker can return later without having to exploit the original vulnerability again; some are also left in software deliberately by its developers. A Backdoor is a security risk in that it allows an attacker to gain unauthorized access to a computer and the files stored on it.

Backup File Disclosure: See “Predictable File Location”.

Basic Authentication
The simplest HTTP authentication scheme. The client sends an Authorization request header containing the string “username:password” encoded in Base64. If the username/password combination is valid, the web server grants the client access to the requested resource. Base64 is an encoding, not encryption: anyone who can observe the request can recover the credentials, so Basic Authentication should only be used over TLS. See also “Authentication”, “Insufficient Authentication”.
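The exchange described above, as an added example that is not part of the original glossary: one function builds the header a client sends, another decodes it (showing that no key is needed), and a third validates the result against a constructed credential store. The user name “alice”, password “s3cret” and the USERS dictionary are assumptions for the demonstration; a real server would store salted password hashes.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example (username -> password).
# A real server would hold salted password hashes, never plaintext.
USERS = {"alice": "s3cret"}


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value an HTTP client sends (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Decode an Authorization header value; return (username, password) or None.

    Decoding needs no key: Base64 is an encoding, not encryption, which is why
    Basic Authentication is only acceptable over TLS.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: only the first colon separates the parts; passwords may contain colons.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_basic_auth(header: str) -> bool:
    """Validate the supplied credentials against the store, comparing in constant time."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
```

Note that a malformed header (wrong scheme, invalid Base64, or no colon) is rejected before any comparison takes place, and the comparison itself uses hmac.compare_digest so that response timing does not leak how many characters matched.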

Bots
A Bot (short for robot) is a type of malicious program that evolved from Remote Access Trojans (see “Remote Access Trojan”). Once installed, a bot connects out to, or listens on, a network port and waits for commands from its controller, who can then remotely control the system. Bot-infected machines are grouped with others into a botnet (a network of bot-infected machines). Bots turn an individual machine into a "zombie" that can then be used for actions such as co-ordinated DoS attacks on websites or spamming, or be hired out or sold to others for such use.

Brute Force
An automated process of trial and error used to guess the “secret” protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys. See also “Authentication”, “Insufficient Authentication”, “Password Recovery System”, “Weak Password Recovery Validation”.

Buffer Overflow
An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer Overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory is corrupted and the program normally crashes. An attacker who controls the overflowing data may instead be able to overwrite control data such as a saved return address or a function pointer, redirecting execution to code of the attacker's choosing and ultimately running arbitrary commands with the privileges of the vulnerable process.

CGI Scanner
Automated security program that searches for well-known vulnerabilities in web servers and off-the-shelf web application software. CGI Scanners are often not very “stateful” in their analysis: they only send a series of HTTP requests for known CGI paths and look for positive responses. See also “Web Application Vulnerability Scanner”.

CGI Security:
See “Web Application Security”.

Client-Side Scripting
Web browser feature that extends the functionality and interactivity of static Hypertext markup language (HTML) web pages. Examples of Client-Side Scripting languages are JavaScript, JScript and VBScript. See also “ActiveX controls”, “Java Applets”.

Common Gateway Interface (CGI)
A standard interface by which a web server passes an incoming request (its parameters and headers, via environment variables and standard input) to an external program residing on the server and returns that program's output as the HTTP response. See also “Web Application”, “Application Server”, “Web Server”.

Configuration File Disclosure:
See “Predictable File Location”.

Content Spoofing
An attack technique used to trick a user into thinking that fake content is legitimate, typically by injecting attacker-controlled text, frames or links into a page that is served by the genuine web site.

Cookie
Small amount of data sent by the web server to a web client, which the client stores and returns on later requests. Typically cookies are used to keep track of a user's state as he traverses a web site. See also “Cookie Manipulation”.

Cookie Manipulation
Altering or modification of cookie values, on the client’s web browser, to exploit security issues within a web application. Attackers will normally manipulate cookie values to fraudulently authenticate themselves to a web site. This is an example of the problem of trusting the user to provide reasonable input. See also “Cookie”.

Cookie Poisoning:
See “Cookie Manipulation”.

Cross-Site Scripting (XSS)
An attack technique that forces a web site to echo attacker-supplied script to other users, so that it executes in the victim's web browser with the privileges of the site's origin. When a user is Cross-Site Scripted, the attacker's script can read the page and any cookies not marked HttpOnly, capture keystrokes and form data, and issue requests to the site as the victim. See also “Client-Side Scripting”.

Debug Commands
Application debugging features or commands that assist in identifying programming errors during the software development process. If left enabled in production they frequently disclose internal state or permit actions the application would not otherwise allow.

Denial of Service (DoS)
DoS attack technique that consumes all of a web site’s available resources with the intent of rendering legitimate use impossible. Resources include CPU time, memory utilization, bandwidth, disk space, etc. When any of these resources reach full capacity, the system will normally be inaccessible to normal user activity. See also “Abuse of Functionality”.

Directory Browsing:
See “Directory Indexing”.

Directory Enumeration:
See “Predictable File Location”.

Directory Indexing
A feature common to most popular web servers that exposes contents of a directory when no index page is present. See also “Predictable File Location”.

Directory Traversal
A technique used to exploit web sites by accessing files and commands outside the document root directory, typically by supplying path segments such as “../” in a filename parameter. Most web sites restrict user access to a specific portion of the file system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. In most cases, a user should not be able to access any files beyond this point.
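The traversal described above, as an added example that is not part of the original glossary: a naive path join that lets “../secret.txt” leave the document root, beside a hardened resolver that canonicalises the path with os.path.realpath and refuses anything outside the root. The demo() function builds a temporary document root and a secret file beside it; both, and the file names and contents, are constructed for the demonstration.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path would leave the document root."""


def resolve_vulnerable(document_root: str, requested: str) -> str:
    """Naive join: '../' segments in the request walk out of the document root."""
    return os.path.join(document_root, requested)


def resolve_safe(document_root: str, requested: str) -> str:
    """Canonicalise the joined path and require it to stay inside the document root."""
    root = os.path.realpath(document_root)
    # Drop leading separators so an absolute request cannot replace the root outright.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"path escapes document root: {requested!r}")
    return candidate


def escapes_root(document_root: str, requested: str) -> bool:
    """True if the hardened resolver rejects the request."""
    try:
        resolve_safe(document_root, requested)
    except TraversalError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway document root with a secret beside it and try both resolvers."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("db_password=hunter2")  # constructed secret outside the web root
    attack = "../secret.txt"
    with open(resolve_vulnerable(root, attack)) as fh:
        leaked = fh.read()  # the naive resolver hands the secret over
    return {
        "leaked": leaked,
        "blocked": escapes_root(root, attack),
        "normal_ok": resolve_safe(root, "index.html")
        == os.path.realpath(os.path.join(root, "index.html")),
    }


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than searching the input for “..”, so symlinks and mixed separators are handled and a request such as “images/../logo.png” that stays inside the root is still allowed. The resolver assumes the web server has already percent-decoded the path; encoded variants of the same attack are the subject of the “Encoding Attacks” and “Null Injection” entries.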

Downloaders
A downloader is a file which when activated, downloads other files on to the system without the knowledge or consent of the user, those other files then carrying out malicious functions on the system.

Drive-by Download
This technique is used to surreptitiously download malware onto a user's machine. The attack generally includes exploits to browser or OS vulnerabilities, and may be separated into several pieces so that a user may be directed to several websites or domains to avoid detection by anti-malware programs.

Encoding Attacks
An exploitation technique that aids an attack by changing the representation of user-supplied data (for example URL encoding, double encoding or alternative Unicode forms) so that it passes an input filter yet is interpreted as the attacker intended once the application decodes it. See also “Null Injection”.

Exploits
An Exploit is a piece of code designed to attack a vulnerability on a computer system, or such an attack itself. Hackers and writers of Malware look for announcements of such vulnerabilities by manufacturers and other sources and then attack machines which have not been patched against the vulnerability. The code is designed to enable an activity that otherwise could not take place, or to avoid system restrictions preventing such an activity. Various payloads attached to the exploit may provide the attacker with a number of ways into the compromised system.

Extension Manipulation:
See “Filename Manipulation”.

File Enumeration:
See “Predictable File Location”.

Filename Manipulation
An attack technique used to exploit web sites by manipulating URL filenames to cause application errors, discover hidden content, or display the source code of an application. See also “Predictable File Location”.

Filter-Bypass Manipulation:
See “Encoding Attacks”.

Forced Browsing:
See “Predictable File Location”.

Form Field Manipulation
Altering or modification of HTML Form-Field input values or HTTP post-data to exploit security issues within a web application. See also “Parameter Tampering”, “Cookie Manipulation”.

Format String Attack
An exploit technique that alters the flow of an application by passing attacker-controlled input as the format string of functions such as printf(). Directives such as %x read values from the stack and %n writes to memory, allowing an attacker to disclose or overwrite memory outside the intended buffer.

Frame Spoofing:
See “Content Spoofing”.

Hijacker
A Hijacker is a program that changes your default Internet home page and/or creates or alters other Web browser settings such as bookmarks, or redirects Internet searches or browsing to commercial sites that could offend the user or breach corporate policies on inappropriate or illegal content.

Hypertext Transfer Protocol (HTTP)
The application-layer protocol of the World Wide Web. HTTP describes the way a web client requests data and how a web server responds to those requests. See also “Web Server”, “Web Browser”.

Information Leakage
When a web site reveals sensitive data, such as developer comments or error messages, which aids an attacker in exploiting the system. See also “Verbose Messages”.

Insufficient Authentication
When a web site permits an attacker to access sensitive content or functionality without verifying their identity. See also “Authentication”.

Insufficient Authorization
When a web site permits an attacker to access sensitive content or functionality that should require increased access control restrictions. See also “Authorization”.

Insufficient Session Expiration
When a web site permits an attacker to reuse old session credentials or session IDs for authorization, because sessions are not invalidated after a reasonable idle time, after an absolute lifetime, or on logout. See also “Session Replay”, “Session Credential”, “Session ID”, “Session Manipulation”.

Insufficient Process Validation
When a web site permits an attacker to bypass or circumvent the intended flow control of an application.

Java
A popular programming language developed by Sun Microsystems (now part of Oracle). See also “ActiveX controls”, “Web Browser”, “JavaScript”, “Client-Side Scripting”.

Java Applets
An applet is a program written in the Java programming language that can be included in a web page. When a Java enabled web browser views a page containing an applet, the code is executed by the Java Virtual Machine (JVM). Applet support has since been removed from mainstream browsers and from the JDK. See also “Web Browser”, “Java”, “ActiveX”, “JavaScript”, “Client-Side Scripting”.

JavaScript
A popular web browser client-side scripting language used to create dynamic web page content. See also “ActiveX”, “Java Applets”, “Client-Side Scripting”.

Key Loggers
A Key Logger is a type of surveillance software that records every keystroke to a log file (usually encrypted). A Key Logger can capture instant messages, email and any other information typed using the keyboard. The log file created by the Key Logger can then be sent to a specified receiver. Some Key Logger programs will also record any e-mail addresses used and Web Sites visited.

Known CGI file:
See “Predictable File Location”.

Known Directory:
See “Predictable File Location”.

LDAP Injection
A technique for exploiting a web site by altering backend LDAP statements through manipulating application input. The methodology is the same as for SQL Injection: filter meta-characters such as *, (, ) and \ are placed in a value that the application concatenates into an LDAP search filter. See also “Parameter Tampering”, “Form Field Manipulation”.

Meta-Character Injection
An attack technique used to exploit web sites by sending in meta-characters, which have special meaning to a web application, as data input. Meta-characters are characters that have special meaning to programming languages, operating system commands, individual program procedures, database queries, etc. These special characters can adversely alter the behavior of a web application. See also “Null Injection”, “Parameter Tampering”, “SQL Injection”, “LDAP Injection”, “Cross-Site Scripting”.

Null Injection
An exploitation technique used to bypass sanity checking filters by adding URL encoded null-byte characters (%00) to user supplied data. Web applications written in a variety of programming languages often pass data to underlying lower level C functions for further processing. If a user-supplied string contains a null character (\0), the lower-level code stops processing the string at that point while the higher-level language keeps the whole string, so a check applied to the whole string (for example an extension check) no longer matches what is actually used. Null Injection is a form of meta-character injection attack. See also “Encoding Attacks”, “Parameter Tampering”, “Meta Character Injection”.
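The filter bypasses described under “Encoding Attacks” and “Null Injection”, as an added example that is not part of the original glossary: a naive filter that inspects the still-encoded value is shown beside one that canonicalises the input first (decoding until the value stops changing, with a bound on the number of layers) and rejects null and other control characters before applying its policy. The inputs, the “.txt only” policy and the helper that imitates C string truncation are constructed for the demonstration.

```python
from urllib.parse import unquote


def naive_filter(raw: str) -> bool:
    """Checks the raw, still-encoded value once: trivially bypassed."""
    return ".." not in raw and raw.endswith(".txt")


def canonicalise(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, with a bound on the number of layers.

    Checking the canonical form means the filter sees the same bytes the back end will.
    """
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_filter(raw: str) -> bool:
    """Canonicalise first, reject control characters and path syntax, then apply the policy."""
    try:
        value = canonicalise(raw)
    except ValueError:
        return False
    if any(ord(ch) < 0x20 for ch in value):  # includes the null byte
        return False
    if ".." in value or "/" in value or "\\" in value:
        return False
    return value.endswith(".txt")


def c_string_view(value: str) -> str:
    """What a C string function sees: everything after the first NUL is gone."""
    return value.split("\x00", 1)[0]


def run_cases() -> dict:
    """Constructed inputs: a legitimate name and three filter-bypass attempts."""
    cases = [
        "notes.txt",                  # legitimate
        "%2e%2e/secret.txt",          # encoded dot-dot, decoded only after the naive check
        "%252e%252e%2fsecret.txt",    # double-encoded: survives one decoding pass
        "config.php%00.txt",          # null byte: extension check passes, C code opens config.php
    ]
    return {raw: (naive_filter(raw), hardened_filter(raw)) for raw in cases}
```

Bounding the decoding loop matters: an unbounded “decode until stable” loop is itself a denial-of-service target, and an input that needs more layers than the bound is simply rejected.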

OS Command Injection:
See “OS Commanding”.

OS Commanding
An attack technique used to exploit web sites by executing operating-system commands through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.

Page Sequencing:
See “Insufficient Process Validation”.

Parameter Tampering
Altering or modification of the parameter name and value pairs in a URL. Also known as “URL Manipulation”. See also “Uniform Resource Locator”.

Password Recovery System
An automated process that allows a user to recover or reset his password in the event that it has been lost or forgotten. See also “Weak Password Recovery Validation”.

Password Stealers and Crackers
A Password Stealer is a program resident on a computer that is designed to intercept passwords held on or typed into that machine and report them to an external party. A Password Cracker attempts to recover plaintext passwords from captured password hashes or encrypted stores by guessing candidates (dictionary words, common variations, or exhaustive brute force) and comparing the results; its success depends on the strength of the passwords and of the hashing scheme.

Placebo Files
Placebo files are both clean files and files that may display malware-type tendencies, for example opening local ports, but are entirely innocuous. They are included in custom test sets to provide a control group.

Predictable File Location
A technique used to access hidden web site content or functionality by making educated guesses, manually or automatically, of the names and locations of files. Predictable file locations may include directories, CGI’s, configuration files, backup files, temporary files, etc.

Proxies
In the malware context, a proxy is a program that lets an external party relay their traffic through the infected computer, for example to launch DDoS / DoS attacks or send spam, so that the true originator of the attack cannot be traced.

Remote Access Trojan (RATs)
A RAT is a piece of malware designed to give an attacker control of a remote computer across a network or the Internet, in order to carry out actions on that computer that are malicious and without the consent of its owner or user. Access is usually gained through a backdoor, either one already installed or one included in the code of the RAT.

Rootkit
Although the term referred originally to Unix systems, it has come to mean more widely a set of tools or programs used on a host system, often in conjunction with malware, to allow attackers to maintain control of that system or a network. Rootkits are used to hide processes, files and network connections from third party scanners, and the term is also coming to mean more generalized cloaking utilities that mask an attacker's activities. The term became more publicly known after the anti-copy software on several Sony-BMG audio CDs was found to use rootkit techniques as part of their Digital Rights Management strategy.

Secure Sockets Layer (SSL)
A protocol that uses public-key cryptography to authenticate a server and negotiate session keys, then encrypts all traffic between two network-connected devices. All versions of SSL are now deprecated in favour of its successor, TLS. See also “Transport Layer Security”.

Session Credential
A string of data provided by the web server, normally stored within a cookie or URL, which identifies a user and authorizes them to perform various actions. See also “Session ID”.

Session Fixation
An attack technique that forces a user's session credential or session ID to a value known to the attacker, usually before the user logs in, so that once the victim authenticates the attacker can use the same ID. Issuing a fresh session ID at login defeats the attack. See also “Session Credential”, “Session ID”.

Session Forging:
See “Session Prediction”.

Session Hi-Jacking
The result of a user’s session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user. See also “Session Prediction”, “Session Credential”, “Session ID”.

Session ID
A string of data provided by the web server, normally stored within a cookie or URL, that identifies a user's current session as he traverses the web site. A Session ID must be long and unpredictable, because anyone who obtains or guesses it can act as that user. See also “Session Credential”.

Session Manipulation
An attack technique used to hi-jack another user’s session by altering a session ID or session credential value. See also “Session Prediction”, “Session Hi-Jacking”, “Session Credential”, “Session ID”.

Session Prediction
An attack technique used to create fraudulent session credentials or guess other users current session ID’s. If successful, an attacker could reuse this stolen session to masquerade as another user. See also “Session Credential”, “Session ID”, “Session Hi-Jacking”.

Session Replay
An attack in which a previously captured session credential or session ID is presented to the web site again and accepted, typically because the site suffers from Insufficient Session Expiration. See also “Session ID”, “Session Credential”, “Insufficient Session Expiration”.

Session Tampering:
See “Session Manipulation”

SQL Injection
An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input: SQL syntax such as quotes, comment markers or additional clauses is placed in a value that the application concatenates into a query. See also “Parameter Tampering”, “Form Field Manipulation”.
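The injection described above, as an added example that is not part of the original glossary: a login query built by string formatting is bypassed with a quote and a comment marker, while the same query with bound parameters is not. The in-memory SQLite table, its rows and the sort-column allow-list are constructed for the demonstration; a real table would store password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows (a real table would store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement by string formatting: the input becomes part of the SQL grammar."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username: str, password: str):
    """Placeholders keep the input as data; the driver never lets it alter the query structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Identifiers (table and column names) cannot be bound as parameters, so they must be
# allow-listed rather than interpolated from user input.
ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(conn, column: str) -> list:
    """Sort by a caller-chosen column, accepting only names from the allow-list."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]
```

Two payloads are worth trying against login_vulnerable: a password of “' OR '1'='1” makes the WHERE clause true for every row, and a username of “bob'--” comments out the password check entirely. Neither has any effect on login_parameterised, because the driver sends the values separately from the statement text.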

SSI Injection
A server-side exploit technique that allows an attacker to send code into a web application, which will be executed by the web server. See also “Meta-Character Injection”, “Parameter Tampering”, “Form Field Manipulation”.

Socially Engineered Attack
Exploits or hacking attempts which seek to use a user's susceptibility to fear, trust or titillation to gain entrance onto a user's system or information. Phishing and trojans are two types of attacks which rely almost exclusively on social engineering.

Spyware
Spyware is a form of software that makes use of a user's internet connection without his or her knowledge, usually in order to covertly gather information about the user. Once installed, the Spyware may monitor user activity on the Internet and transmit that information in the background to someone else. Spyware can also gather information about addresses and even passwords and credit card numbers. Spyware is often unwittingly installed when users install another program, but can also be installed when a user simply visits a malicious website.

Transport Layer Security (TLS)
The more secure successor to SSL. The TLS protocol provides communications privacy over the Internet. It allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS is based on SSL 3.0, but the two protocols are not directly interoperable; client and server negotiate the highest version both support. See also “Secure Sockets Layer”.

Trojan
Trojan Horses or Trojans are malicious programs that pretend to be benign applications. Unlike Viruses or Worms, Trojan Horses do not replicate themselves; they can be damaging to networks by delivering other types of Malware.

Uniform Resource Locator (URL)
A standard way of specifying the location of an object, normally a web page, on the Internet. See also “Parameter Tampering”.

Unvalidated Input
When a web application does not properly sanity check user-supplied data input.

URL Manipulation
Altering or modification of a web applications parameter name and value pairs. Also known as “Parameter Tampering”.

User-Agent Manipulation
A technique used to bypass web site browser requirement restrictions by altering the value sent within an HTTP User-Agent header. See also “Cookie Manipulation”.

Verbose Messages
Detailed pieces of information revealed by a web site, which could aid an attacker in exploiting the system.

Virus
A Virus is a program or piece of code that attaches itself to a file or to a disk's boot sector and is loaded onto a computer without the user's knowledge. Viruses are man-made and replicate by attaching copies of themselves to other files or disks, often consuming memory or disk space and bringing networks to a halt. Most recent viruses are internet-borne and capable of transmitting themselves across, and bypassing, security systems. Minor variants of the same virus are classed together as a family.

Visual Verification
Visually oriented method of anti-automation, commonly called a CAPTCHA, that prevents automated programs from exercising web site functionality by requiring the user to read distorted text or recognise the content of an image. See also “Anti-Automation”.

Weak Password Recovery Validation
When a web site permits an attacker to illegally obtain, change or recover another user’s password. See also “Password Recovery System”.

Web Application
A software application, executed by or on behalf of a web server, which responds to dynamic web page requests over HTTP. See also “Web Server”, “Application Server”, “Web Service”.

Web Application Scanner:
See “Web Application Vulnerability Scanner”.

Web Application Security
Theory and practice of information security relating to the World Wide Web, HTTP and web application software. Also known as “Web Security”.

Web Application Firewall
An intermediary device, sitting between a web client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. See also “Web Application Security”, “Web Server”.

Web Application Vulnerability Scanner
An automated security program that searches for software vulnerabilities within web applications. See also “Web Application Security”.

Web Browser
A program used to display Hypertext markup language (HTML) web pages sent by a web server. See also “ActiveX”, “Cookie”, “Java Applets”, “JavaScript”, “Client-Side Scripting”.

Web Security:
See “Web Application Security”.

Web Security Assessment
A process of performing a security review of a web application by searching for design flaws, vulnerabilities and inherent weaknesses.

Web Security Scanner:
See “Web Application Vulnerability Scanner”.

Web Server
A general-purpose software application that handles and responds to HTTP requests. A web server may hand requests to a web application for dynamic web page content. See also “Web Application”, “Application Server”, “Hypertext Transfer Protocol”.

Web Service
A software application that exchanges structured messages, historically Extensible Markup Language (XML) and now commonly JSON, over HTTP. Typically, other software applications interact with web services rather than human users. See also “Web Server”, “Web Application”, “Application Server”, “Hypertext Transfer Protocol”.

Worm
A Worm is a program that replicates itself over a computer network or by email and usually performs malicious actions, such as consuming the computer's resources or bandwidth, delivering other malware, or shutting the system down. Unlike Viruses, Worms copy themselves as standalone programs and do not attach themselves to other objects.
