Remote File Inclusion or RFI
Cross site scripting or XXS
Local file inclusion or LFI
Directory Traversal attack
RFI stands for Remote File Inclusion and it allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability occurs due to the use of user supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
Code execution on the web server
Denial of Service (DoS)
Local File Inclusion:
Local File Inclusion known as LFI. It
It is same as RFI.
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
By doing this you can get the admin id and password. after getting the Username and password you can access the control panel of admin and change the website details or whatever you like,you can do.
For more Details read this articles
What is SQL iNJECTION?
Implementation of SQL Injection
Cross site scripting or XXS :
It is is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site’s owner
Directory Traversal attack
A directory traversal (or path traversal) is to exploit insufficient security validation / sanitization of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to the file APIs.
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.
Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.
You must be logged in to reply to this topic.