Web Security Threats: Manipulated Requests and Unauthorized Executions

Question

Which of the following threat types involves the sending of invalid and manipulated requests through a user's client to execute commands on the application under their own credentials?

Answers

A. Injection
B. Cross-site request forgery
C. Missing function-level access control
D. Cross-site scripting

Explanations

Correct answer: B.

A cross-site request forgery (CSRF) attack forces a client in which the user has already authenticated to an application to send forged requests under that user's own credentials, executing commands and requests that the application believes come from a trusted client and user.

Although this type of attack cannot be used to steal data directly because the attacker has no way to see the results of the commands, it does open other ways to compromise an application.

Missing function-level access control exists where an application only checks authorization during the initial login process and does not validate it again on each subsequent function call.

An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.

Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

The correct answer is B. Cross-site request forgery.

Cross-site request forgery (CSRF) is a type of attack where an attacker sends a malicious request from a user's browser to a web application, without the user's knowledge or consent. The attack takes advantage of the user's existing authenticated session with the web application, enabling the attacker to execute actions on the application under the user's credentials.

In a CSRF attack, the attacker typically crafts a malicious link or form that, when clicked or submitted, sends a request to the vulnerable web application. The request may contain instructions to change the user's account settings, submit a fraudulent transaction, or perform other malicious actions.

To defend against CSRF attacks, web applications can implement measures such as anti-CSRF tokens bound to the user's session, validation of the HTTP Referer (or Origin) header, or CAPTCHAs on sensitive actions.
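As an added example (not code from the original page), the two defenses named above implemented server-side in Python: a synchronizer token bound to the session by HMAC, plus an Origin/Referer host check. SERVER_SECRET, the session ids and the host names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical server-side secret; a real deployment loads it from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token for one session: random nonce + HMAC(secret, session_id:nonce).

    Binding the MAC to the session id means a token the attacker obtains for
    their own session does not validate for the victim's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict, allowed_host: str) -> bool:
    """Secondary check: the request must declare a same-site Origin or Referer.

    A state-changing request with neither header is treated as cross-site.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == allowed_host


def is_request_authorized(session_id: str, form: dict, headers: dict, allowed_host: str) -> bool:
    """A state-changing request passes only if both defenses agree."""
    token_ok = verify_csrf_token(session_id, form.get("csrf_token", ""))
    return token_ok and origin_allowed(headers, allowed_host)


if __name__ == "__main__":
    # Constructed sample: the victim's own form carries the token; a forged
    # cross-site form cannot know it and arrives with a foreign Origin.
    sid = "sess-victim"
    tok = issue_csrf_token(sid)
    print(is_request_authorized(sid, {"csrf_token": tok}, {"Origin": "https://bank.example"}, "bank.example"))
    print(is_request_authorized(sid, {}, {"Origin": "https://evil.example"}, "bank.example"))
```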

Injection attacks (A) involve the insertion of malicious code or data into a web application's inputs, to cause unintended behavior or access to sensitive information. SQL injection is a common example of an injection attack.

Missing function-level access control (C) refers to a vulnerability where a web application fails to properly restrict access to specific functions or resources based on the user's role or permissions.

Cross-site scripting (D) is a type of attack where an attacker injects malicious scripts into a web application, which then execute on other users' browsers. XSS attacks can be used to steal user data, modify website content, or perform other malicious actions.