Open In App

Emerging Attack Vectors in Cyber Security

Last Updated : 21 Jun, 2022
Improve
Improve
Like Article
Like
Save
Share
Report

In this article, we will discuss some emerging attack vectors with their potentially high impact on the security of web application. We will cover Introduction to attack vector, Insecure Direct Object Reference, Relative Path Overwrite, Directory Brute Forcing. Let’s discuss it one by one.

Attack Vectors :

  • Attack vector is basically a method used by the hacker or security analyst to penetrate into the target application for some malicious use or to check the security features of application.
  • Every ethical hacker has their own and unique attack vector to check the security of target application, this application may be a web application or android application but in this article we are mainly focusing on web application.
  • In this article you can learn some emerging attack vector with their impact. You can use any attack vector on the application, if and only if you have legal permission to check their security features. Don’t apply any attack vector on the application without prior permission from the application owner. It is totally illegal to penetrate into an application without legal permission.

Insecure Direct Object Reference :

  • Insecure Direct Object Reference is commonly known as IDOR, and it is basically a permission based vulnerability which allows an attacker to modify or access resources belonging to other users of the application. 
  • The Fundamental concept behind the IDOR vulnerability is that an endpoint of the application tries to give access for modifying and accessing the user data. Data may contain images, addresses, files and in some cases contain the username and password of a user.
  • Nowadays, IDOR is common and an emerging attack vector for web applications because, IDOR vulnerability gives access permission and any problem related to permissions cannot be fixed automatically or by default because, in web applications permission varies from user to user. 
  • For example, on any application, normal user and prime user have different access permission. Normal user and admin has different permissions for modification of data.
  • Basically, this class of vulnerability is everywhere. In fact it is so common that the majority of the web applications are affected by this.

Relative Path Overwrite :

  • Security researcher Gareth Heyes discovered the new attack vector, namely Relative Path Overwrite(RPO). RPO exploits the way browsers interpret relative paths during importing CSS files into DOM (document object model). Hence this attack is also known as Path Relative Style sheet Import (PRSSI).
Relative Path -
<link href="database/xyz.css" rel="stylesheet" type="text/css"/>
Absolute Path -
<link href="https://example.com /database/xyz.css" rel="stylesheet" type="text/css"/>
  • Example –
    For example, if the document is loaded at https://example.com /database , then the CSS will be loaded from the path https://example.com /database/xyz.css in the case of relative path. If website has URL : https://example.com/index.html and they link the <link href=”resource/rpo.css” rel=”stylesheet” type=” text/CSS”/> given path in HTML file. 

    In this scenario if we visit https://example.com/index.html , then website can import its CSS file through given path, but if attacker changes URL to https://example.com /index.htm/random/payload , it will also work due to the flexible nature of server-side programming languages and web frameworks, but this time CSS does not load from the path given in html file. And by adding the payloads at vulnerable end point, attacker can control the CSS of web application.

Directory Brute Forcing :

  • This is very popular and simple attack vector. Most of the ethical hacker’s use this vector to find hidden and sensitive directory on the web application. There are various automated tools available for testing this attack vector. 
  • Most of the time, developers forget to make sensitive files and directories hidden: like files containing database username, password, source code of website, etc. Due to this, information might leak at a particular endpoint and by brute forcing the directories, the attack may find the hidden data and sensitive information of web application. 
  • As a developer, it is good practice to make all the sensitive directories hidden from the user. 

Like Article
Suggest improvement
Previous
Emerging Attack Vectors in Cyber Security
Next
What is Phishing?
Share your thoughts in the comments

Similar Reads

Cyber Security and Cyber Crimes
Zero-day Exploit (Cyber Security Attack)
Top Information Security Attack Vectors
Difference between Cyber Security and Information Security
Difference between Network Security and Cyber Security
How Security System Should Evolve to Handle Cyber Security Threats and Vulnerabilities?
Difference between Software Security and Cyber Security
What is Mobile Security in Cyber Security?
Remediation Planning against Cyber Attack
Cyber Attack Life Cycle

S
siddhantgore
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox