Social Engineering

What is social engineering?

• Social engineering is the art of manipulating people so they give up
confidential information
• The attackers are trying to trick the victim for
Victim’s passwords or bank information
Access to victim’s computer - to secretly install malicious software–that
will give them access to passwords and bank information as well as
giving them control over the computer.
• Here's the key thing to remember about social engineering - it doesn't
involve hacking or exploiting computer vulnerabilities. Instead, it targets
the human element - our emotions, psychology, and biases.
• Social engineering occurs in four stages:
1) Preparation — attackers collect information about victims through
social media, telephone calls, email, text messages, the dark web, or
other sources

2) Infiltration — attackers typically approach victims by masquerading

as trusted contacts or authorities, and use information gathered
about the victim to gain their trust.
3) Exploitation — attackers “persuade” victims to give them sensitive
information such as account credentials, payment account details,
and other information that they can use to conduct a cyber attack.
(This persuasion can often be subtle, involving a link, an attachment,
a website, even a social media quiz.)

4) Disengagement — the attacker stops communicating with the victim,

carries out malicious activity, and disappears.
Social Engineering Techniques
• Phishing
• Pretexting
• Scareware
• Baiting
• Quid pro quo attacks
Phishing
• In a phishing attack, an attacker uses a message sent by email, social
media, instant messaging clients, or SMS to obtain sensitive
information from a victim or trick them into clicking a link to a
malicious website.
• They often use logos, images, or text styles to spoof an organization’s
identity, making it seem that the message originates from a work
colleague, the victim’s bank, or another official channel
Pretexting
• In pretexting, the attacker creates a false scenario or impersonates a
trusted authority figure to gain a victim's trust and extract information
• For example, the attacker might call someone pretending to be from IT
support, claiming to investigate a problem with the user's computer.
The attacker might then ask the victim to reveal their login credentials
or download remote access software, giving the attacker control over
the victim's machine
Scareware
• Scareware is a type of malware attack that directs the user to download or
buy malicious software to resolve a fake problem
• Scareware shows users pop-up security alerts that appear to be warnings
from real antivirus companies, usually claiming that files are infected or the
device is in danger. Other variants include warnings of memory limits,
clean-up services for unused applications, and other hardware- or
software-based updates.
• If the tactic works, the victim downloads fake software or visit the site that
may steal credentials or other personal information, including password
hashes.
Baiting
• This technique involves offering something enticing, like free software
or fake lottery wins, to trick victims into downloading malware or
revealing personal details
• The bait can be delivered through email, social media messages, or
even physical media like USB drives left in unsuspecting locations.
Quid pro quo
• Here, the attacker appears helpful by offering to solve a problem or fix
a technical issue. But their ultimate goal is to gain unauthorized access
or install malware in the process. For instance, the attacker might offer
to help a user reset their password, but in the process, trick them into
entering their credentials on a fake website.
Social engineering prevention
• Individual Awareness and Skepticism
• Technical Safeguards
• Organizational Measures
Individual Awareness and Skepticism
• Be cautious: Always be wary of unsolicited emails, calls, messages, or
even physical approaches, even if they seem to come from a familiar
source.
• Verify information: Don't click on links or attachments from unknown
senders. Always verify requests through trusted channels, like calling a
company directly using a phone number you know is correct (not one
provided in the suspicious message).
• Beware of urgency: Social engineers often try to create a sense of urgency
or panic to pressure victims into acting quickly. Take a moment to breathe
and assess the situation before responding.
Individual Awareness and Skepticism

• Protect your information: Don't share sensitive information like

passwords, Social Security numbers, credit card details, or other personal
details via email or over the phone unless you are absolutely certain of the
recipient's legitimacy. If a company you do business with asks for such
information, contact them through a trusted channel to verify.
• Be mindful of public Wi-Fi: Public Wi-Fi networks are not secure, so
avoid accessing sensitive accounts or conducting financial transactions on
them.
Technical Safeguards

• Strong passwords and MFA: Use strong, unique passwords for all your
online accounts and enable multi-factor authentication (MFA) whenever
possible. MFA adds an extra layer of security by requiring a second
verification step beyond just your password.
• Anti-virus and anti-malware software: Keep your devices up-to-date with
the latest security software to help protect against malware that might be
installed through social engineering tricks.
• Browser security settings: Enable features like pop-up blockers and
website verification to warn you about suspicious websites.
Organizational Measures
• Security awareness training: Organizations should provide regular
security awareness training to employees to educate them on social
engineering techniques and best practices for secure information
handling. This training should be ongoing, as new tactics emerge.
• Reporting procedures: Establish clear procedures for employees to
report suspected social engineering attempts. This allows for investigation
and helps the organization identify and address vulnerabilities.
• Limited access controls: Implement access controls that restrict
employee access to data and systems based on their job duties. This
principle of least privilege minimizes the potential damage if an employee
falls victim to a social engineering attack.
 Injection
• SQL Injection
• Code Injection
• Command Injection
• Mitigating SQL Injection
• Generic Injection Defenses
Injection attack
• An injection attack in web application security is a malicious
technique where an attacker inserts (injects) unauthorized code into a
seemingly legitimate part of a web application

• This code can then trick the application into performing unintended
actions, potentially compromising sensitive data or even taking over
the entire system.
Types of injection attacks
• SQL Injection (SQLi): The attacker injects malicious SQL code to
manipulate database queries. This can be used to steal data, modify
information, or even gain unauthorized access to the database server.

• Code injection/Command Injection: The attacker injects code that gets

executed on the web server itself. This can grant the attacker control over
the server, allowing them to install malware, steal data, or disrupt
operations.

• In all the three cases, the malicious code is sent to the web server in a HTTP
request
SQL Injection
• Here, the attacker manipulates database queries for malicious purposes.
• SQL injection attacks take place in the SQL interpreter

• Examples of SQL injection techniques:

An attacker might inject a WHERE clause that bypasses authentication
checks, allowing them to access unauthorized data

The attacker might use the UNION operator to combine the malicious
SQL query with the original query, retrieving unintended data
Snippet of code from simple
Node.js/Express.js server
/* Query the database, providing the `user_id` param from the HTTP
request body. */
const result = await sql.query('SELECT * FROM users WHERE USER = ‘ +
user_id);
/* Return the result of the SQL query to the requester in the HTTP response. */
return res.json(result)
In the case of a valid user_id, this query will return a user object to the
requester.
• const user_id = ‘1=1’
• The query looks like SELECT * FROM users WHERE USER = 1=1;
For this, the query will return ALL rows from the “users" table,
since 1=1 is always TRUE.
If users’ passwords are stored in the table, then the passwords of all
the users will be returned
• user_id = '123abc; DROP TABLE users;’
The query looks like SELECT * FROM users WHERE USER = 123abc;
DROP TABLE users;
This query deletes the users table permanently
• const user_id = '123abc; UPDATE users SET credits = 10000 WHERE user =
123abd;’
The query looks like SELECT * FROM users WHERE USER = '123abc;
UPDATE users SET credits = 10000 WHERE user = 123abd;
This query updates our own user account in the database
Code Injection
• The attacker injects code that gets executed on the web server itself.
Here, the attack takes place in the Command Line Interface (CLI)
Command Injection
• Command injection is an attack on the host operating system i.e. on the
operating system of web server.
• If we have direct access to the host Unix OS (over 95% of servers are Unix-
based), and our commands are interpreted as a super user, we can do
anything we want to that OS
• A compromised OS gives the hacker access to a number of very integral
files and permissions, such as:
• /etc/passwd
Keeps track of every user account on the OS
• /etc/shadow
Contains encrypted passwords for users
• ~/.ssh
Contains SSH keys for communicating with other systems
• /etc/apache2/httpd.conf
Configuration for Apache-based servers
• /etc/nginx/nginx.conf
Configuration for Nginx-based servers
• We can make use of command injection to cause more havoc than
expected including
Steal data from the server
Rewrite log files to hide our tracks
Add an additional database user with write access for later use.
Delete important files on the server.
Wipe the server and kill it.
 Make use of integrations with other servers/APIs (e.g., using a server’s
Sendgrid keys to send spam mail)
Change a single login form in the web app to be a phishing form that
sends unencrypted passwords to our site.
 Lock the admins out and blackmail them
Mitigating SQL injection
Prepared statements
• Prepared statements are often considered the “first line” of defense
against injection
• Prepared statements are easy to implement and well documented on the
web
A prepared statement separates the SQL code itself from the data being
used in the query.
The SQL statement acts as a template with placeholders (usually
question marks) representing the data values.
Traditional SQL Query
username = 'user123’
password = 'mypassword’
query = "INSERT INTO users (username, password) VALUES ('" +
username + "', '" + password + “’)”
# Execute the query
• The above approach is vulnerable to injection attack if username or password
contains malicious code
• In a traditional SQL query, the user-submitted data (variables) and the query
itself are sent to the interpreter/database together in the form of a string.
This means that if the user data is manipulated, it could change the intention
of the query.
Prepared statements
prepared_stmt = "INSERT INTO users (username, password)
VALUES (?, ?)"
# Execute with data binding
stmt.execute((username, password))
• In this example, username and password are provided separately and
securely bound to the placeholders only during execution
Prepared statements
• Prepared statements works in two steps:
First, the query (with placeholder values for variables) is sent to the
interpreter/database. So, the intention of the query is set and cannot
be changed
Next, the placeholders are replaced with the values provided by the
developer.
• It is because of the two step process, the user data cannot change the
intention of the query which was set in step 1.
Generic Injection Defenses
Principle of Least Authority
• The principle of least authority (often called principle of least
privilege) states that in any system, each member of the system
should only have access to the information and resources required to
accomplish their job
 Cross Site Request Forgery (CSRF)

• Types of CSRF Attacks

 Query Parameter Tampering
 Alternate Get Payloads
 CSRF against Post End Points

• Defense against CSRF attacks

 CSRF Tokens
• Cross-site request forgery (CSRF), also known as XSRF or one-click
attack, is a type of cyberattack that tricks a user/user's web browser
into performing unauthorized actions on a trusted website. The attack
makes use of user’s cookies and this attack is not noticed by the user .
Here, the attacker crafts links and forms
With a little bit of effort the attacker can cause a user to make requests
on his or her own behalf (with the link and form) – unknown to the user
generating the request
Query Parameter Tampering
• It is tampering with parameters
in a hyperlink
• Here, the attacker targets the
HTTP GET request
• Let’s imagine a banking website, MegaBank, made use of GET requests
with params. Look at this server-side routine:

/* Transfers funds from the authenticated user's bank account to a bank

account chosen by the authenticated user*/
app.get('/transfer', function(req, res) {
if (!session.isAuthenticated) { return res.sendStatus(401); }
if (!req.query.to_user) { return res.sendStatus(400); }
if (!req.query.amount) { return res.sendStatus(400); }
transferFunds(session.currentUser, req.query.to_user, req.query.amount,
(error) => {
if (error) { return res.sendStatus(400); }
 return res.json({
operation: 'transfer’,
amount: req.query.amount,
from: session.currentUser,
to: req.query.to_user,
status: 'complete’
});
});
});
• A hacker figures out that the web server uses HTTP GET params to
modify its flow of logic (in this case, determining the amount and
target of a bank transfer)
• The hacker crafts a URL string with those params:
<a href = https://www.mega-bank.com/transfer?to_user
=<hacker’s account>&amount=10000> click me </a>
• The attacker tricks the victim to click the link via email or social
media. On clicking the link, a HTTP GET request is initiated
Alternate GET Payloads
• An attacker can craft an image (instead of a link) to do the same
attack as we saw earlier
• <img src=“https://www.mega-bank.com/transfer?to_user
=<hacker’s account>&amount=10000” width =“0” height=“0”
border=“0”>
• When image tags are detected in the browser, the browser will
initiate a GET request to the src endpoint included in the <img> tag
• As such, an image tag (in this case an invisible 0 × 0 pixel image) can
be used to initiate a CSRF without any user interaction required.
CSRF Against POST Endpoints
• This attack targets the HTTP POST request
• CSRF attacks delivered by POST requests are created via browser
forms
• The attacker uses the “hidden” type attribute on form input in order
to seed data that will not be rendered inside of the browser.
CSRF Tokens
• The most powerful form of defense against CSRF attacks is the anti-
CSRF token, often just called a CSRF token. Most major websites rely
on CSRF tokens as their primary defense against CSRF attacks.
Security Misconfiguration
• A security misconfiguration is a flaw or weakness in a system or application
that occurs due to improper setup, negligence in maintaining robust security
protocols, or unintended oversight in the configuration process. These
misconfigurations can lead to unauthorized access, data breaches, and other
security incidents.

• Misconfigurations can occur at any level of an application stack, including the

platform, web server, application server, database, framework, and custom
code. They might involve unpatched flaws, default or unsecured
configurations, unprotected files or directories, unnecessary services running,
and improper permissions. Misconfigurations can happen due to human
mistakes.
• Unpatched Systems
Failing to apply updates or patches leaves a system vulnerable to known
threats. Regular patching is critical to maintaining security.

• Default Configurations
Many systems and applications come with default configurations that are
not secure. This could include default usernames and passwords, which
can be easily exploited if not changed.
• Unnecessary Features Enabled
Systems often come with many features enabled by default, some of
which may not be necessary for your operations. These unnecessary
features can increase your system's vulnerability.

• Improper Access Controls

Failing to properly configure who has access to what data can lead to
unauthorized access and data leakage. This includes both internal access
controls (among employees) and external ones (such as client access).
• Unprotected Files and Directories
Sensitive files and directories should be protected with the right
permissions to prevent unauthorized access.

• Misconfigured Network Devices

Incorrectly configured routers, switches, or firewalls can expose a
network to potential intrusions.
• Insecure Cloud Storage
As more businesses move to the cloud, misconfigurations in cloud storage
and services have become more prevalent. This could involve leaving
storage buckets open to the public or failing to encrypt sensitive data
• Default Credentials
Many devices and applications come with default usernames and
passwords, like 'admin' and 'password123'. If these aren't changed during
setup, it makes it extremely easy for attackers to gain access.

• Open Cloud Storage Buckets

For instance, an Amazon S3 bucket that is publicly accessible due to
misconfiguration can lead to massive data leaks. There have been several
high-profile incidents where sensitive data was inadvertently exposed
because of such misconfigurations.
• Unpatched Systems or Software
An example could be running an outdated version of WordPress for your
website. Older versions may have known vulnerabilities that can be
exploited by hackers if not patched or updated.

• Excessive Permissions
A mobile application that requests access to more resources on the device
than it actually needs to function is another example. For instance, a note-
taking app that requests access to your contacts and location could be a
misconfiguration.
• Unnecessary Ports Open
If a firewall is misconfigured to leave unnecessary ports open, it could
expose the network to potential attacks. For instance, having port 22 (used
for SSH) open to the entire internet can invite brute-force attacks.

• Unencrypted Data Transmission

If a website is misconfigured to use HTTP instead of HTTPS, the data
transmitted between the user and the website is not encrypted and can be
intercepted by attackers.
Why do misconfigurations occur?
• Forgetting to change the default settings
• Complexity of systems
• Being unaware of certain features or settings that could pose a security risk
• Outdated systems and software
The impact of security misconfiguration attacks

• Data Breaches: The most significant impact is unauthorized access to

sensitive data, which can lead to large-scale data breaches. This could
include sensitive customer data, confidential business information, or
proprietary technology.

• Financial Losses: A security breach can lead to substantial financial losses,

from the direct costs of addressing the breach to regulatory fines and
potential compensation to affected customers.
The impact of security misconfiguration attacks

• Reputation Damage: A data breach can significantly harm an

organization's reputation, leading to lost business, decreased customer trust,
and negative publicity.

• Disruption of Services: Security misconfigurations can allow attackers to

disrupt the services provided by the affected systems. This can lead to
downtime, loss of productivity, and potential loss of revenue.
The impact of security misconfiguration attacks

• Legal Consequences: If the breach results in the loss of customer data,

businesses may face legal actions. They might have to deal with lawsuits,
especially if they were found negligent in their duty to protect that data.

• Increased Future Risks: After a breach, the exploited system becomes a

known target for other potential attackers. This can increase future security
risks and requires additional monitoring and security measures.
Real life attack examples - Amazon S3 Misconfiguration
Attacks
How to prevent security misconfigurations?
1. Regularly Update and Patch Systems
2. Change Default Settings
3. Implement Strong Access Controls
4. Use Automated Tools for Detection
5. Regular Security Audits
6. Properly Configure Network Devices
7. Secure Cloud Storage
8. Employee Training
Broken Authentication and Session
Management
• Broken Authentication and Session Management is a security vulnerability
that occurs when the authentication and session management
mechanisms of a web application are flawed or improperly implemented.
• Authentication refers to the process of verifying the identity of users,
typically through usernames and passwords, while session management
involves maintaining and controlling the user's session after authentication.
• When these mechanisms are compromised or misconfigured, attackers can
exploit the vulnerabilities to gain unauthorized access to user accounts,
impersonate other users, or hijack sessions. This can lead to severe
security breaches and expose sensitive user information.
How can the authentication process be exploited?

• When a user logs in to a website, the site uses a proprietary algorithm

to generate a unique session ID. Their device then uses that session ID
as a key to their identity for the remainder of their user session.

• All of this information has to be sent back and forth between the user and
the server. If that information is not encrypted and is sent as plain text
instead, it becomes an attack vector. Hackers can then intercept user
credentials or session IDs to impersonate that person. This is
especially true when operating on a public network (e.g. coffee shop
wifi) or a public computer that anyone else can access.
Examples of Broken Authentication and
Session Management
• Credential stuffing
The stealing of usernames and passwords to gain unauthorized
access to user accounts across multiple websites and services is known
as credential stuffing. This technique relies on the fact that many
people reuse the same login credentials across different online
platforms. Attackers typically obtain these credentials from
breaches of other websites and then use automated tools to test
them on various websites in hopes of finding matches. Credential
stuffing exploits the widespread issue of password reuse and can lead
to unauthorized access to user accounts, compromising sensitive
information, and leading to financial or reputational damage.
Examples of Broken Authentication and
Session Management
• Brute force attacks
Another approach a cybercriminal could take is attempting a
brute-force attack wherein they repeatedly try common weak
passwords to guess a user’s correct password. It is also possible for
attackers to forge session IDs if they are not randomly generated.
For example, if an attacker intercepts several legitimate session IDs that
are enumerated, it is possible to guess the next legitimate session ID
and access the site fraudulently. These are commonly referred to as
man-in-the-middle attacks
Examples of Broken Authentication and
Session Management
• Password spraying attacks
• This type of cyberattack uses a single password against many user
accounts before moving on to another password to avoid triggering
account lockouts. This technique contrasts with brute force attacks,
which try many passwords against a single user account. Password
spraying targets the common use of weak passwords across multiple
accounts and takes advantage of the fact that many users opt for
simplicity over security. By exploiting the likelihood that at least some
accounts will use common passwords, attackers can gain unauthorized
access without alerting the authentication mechanisms designed to
lock accounts after a few unsuccessful login attempts.
What are the risks?
• Unauthorized Access to Sensitive Information
When attackers exploit broken authentication vulnerabilities, they can
gain access to sensitive data such as personal information, financial
details, or intellectual property. This unauthorized access can lead to
data breaches and privacy violations.

• Manipulation or Deletion of User Data

Once inside the system, attackers can manipulate or delete user data,
causing disruptions to services, loss of important information, and
potential legal ramifications.
What are the risks?
• Impersonation of Legitimate Users
By hijacking user sessions or impersonating legitimate users, attackers can
carry out fraudulent activities on behalf of the compromised accounts. This
could include fraudulent transactions, spreading misinformation, or
performing actions that tarnish the reputation of the affected individuals
or organizations.

• Escalation of Privileges
If the compromised account belongs to an administrator or privileged user,
attackers can escalate their privileges within the application. This can lead
to complete system compromise and greater control over critical functions.
What are the risks?
• Financial Losses and Legal Consequences
The aftermath of a broken authentication attack can result in financial
losses for businesses, especially if customer trust is compromised.
Moreover, organizations may face legal consequences for failing to
protect user data adequately.
How to prevent broken authentication
attacks
• To prevent man-in-the-middle type attacks on your site’s sessions, it is
important to encrypt this data in transit using an SSL certificate.
• Use a VPN
A VPN (virtual private network) is another effective way to protect
yourself from broken authentication vulnerabilities. VPNs enable users to
send and receive data across shared or public networks privately.
How to prevent broken authentication
attacks
• Implement a web application firewall
 You can prevent attackers from exploiting vulnerabilities or forging
session IDs by using a web application firewall (WAF). A WAF is
designed to scan and filter all incoming traffic to a website—it only
lets good visitors in and keeps malicious ones out.

 In addition, a WAF allows website owners to implement multi-factor

authentication (MFA), which requires users to provide an on-demand,
unique code when logging in, along with their username and password.
The code itself is usually delivered via text message, making it much
more difficult for a hacker to impersonate any one user or admin.
How to prevent broken authentication
attacks
• Enforce strong passwords
• Regarding brute force attacks, mentioned earlier in this article, it’s a
good practice to have access control and password policies for any and
all registered users on a site (this includes admin accounts, especially!).

• Strong passwords do not have complete words; instead, they consist of

a combination of random letters (both uppercase and lowercase),
numbers, and symbols to prevent users' passwords from being
easily guessed. Minimum password lengths should also be required,
and users should be required to update their passwords after multiple
failed login attempts are detected.
How to prevent broken authentication
attacks
• Use a secure session manager
 Implement a secure, server-side session management system that
creates a new, random session ID with high complexity each time
someone logs in. Ensure the session ID is not visible in the web
page's URL, is kept safe, and is properly discarded following a
user's logout, periods of inactivity, or after session timeouts.
Insecure Cryptographic Storage
• Insecure cryptographic storage refers to the practice of storing sensitive
information, such as passwords or other confidential data, in a way that
can be easily recovered by an attacker. This can occur when encryption is
used improperly, such as using weak algorithms or insufficient key
lengths, or when encryption keys or other sensitive data are stored in
plaintext or in a way that can be easily recovered
Examples of insecure cryptographic
storage
• Storing passwords in plaintext or using weak or reversible encryption
algorithms, such as MD5 or SHA1.

• Using encryption keys that are too short or too weak, such as using a 128-
bit key for AES encryption instead of a 256-bit key.

• Storing encryption keys or other sensitive data in plaintext or in a way that

can be easily recovered, such as storing them in a configuration file or in a
database without proper encryption or access controls.
Impact of insecure cryptographic storage
• Data breaches: Attackers can steal sensitive information if they can
crack the encryption or access the keys.

• Identity theft: Breached data like usernames, passwords, or Social

Security numbers can be used for identity theft.

• Financial loss: Financial data breaches can lead to stolen funds or

fraudulent charges.
How to Prevent Insecure Cryptographic Storage
• Use strong encryption algorithms: Strong encryption algorithms, such as
AES or RSA, should be used whenever possible to ensure that sensitive data
is properly protected.
• Where to Perform Encryption
Encryption can be performed on a number of levels in the
application stack, such as:
At the application level.
At the database level (e.g, SQL Server TDE)
At the filesystem level (e.g, BitLocker or LUKS)
At the hardware level (e.g, encrypted RAID cards or SSDs)
• Which layer(s) are most appropriate will depend on the threat model. For example,
hardware level encryption is effective at protecting against the physical theft of the
server, but will provide no protection if an attacker is able to compromise the server
remotely.
How to Prevent Insecure Cryptographic
Storage
• Use proper encryption settings: Proper encryption settings, such as using
sufficient key lengths and using proper modes of operation, should be used
to ensure that encryption is performed correctly.
Key size: The greater the key size, the higher the security. Key
sizes 1024 or less are associated with 80 bit security strength. Keys
sizes 2048 or higher are associated with 112 bit security strength.
How to Prevent Insecure Cryptographic
Storage
• Use secure key storage mechanisms: Encryption keys and other
sensitive data should be stored in a secure manner, such as using a key
management system or hardware security module (HSM).
• Use secure password storage mechanisms: Passwords should be
stored using strong cryptographic hashes, such as bcrypt or scrypt, to
ensure that they cannot be easily recovered.
• Perform regular security assessments: Regularly testing for
vulnerabilities and misconfigurations can help identify and fix security
issues before they can be exploited.
Failure to restrict URL access
• Failure to restrict URL access is a security vulnerability that arises when a
web application doesn't properly control which users can access specific
pages or functionalities. This can lead to unauthorized users accessing
sensitive information, taking actions they shouldn't be able to, or disrupting
the application entirely.
Here's a breakdown of the issue:
• Restricted vs. Public: Web applications often have different sections for
different user types. Admins might have access to configuration pages,
while regular users only see product listings. Failure to restrict URL access
means users can potentially bypass these intended limitations and access
areas they shouldn’t.

• Exploiting the Vulnerability: This vulnerability can be exploited through

techniques like forced browsing. Forced browsing attacks can take place
when:
 An attacker is able to correctly guess the URL of an unauthorized page
or
 An attackers use brute force to access an unprotected page or
 An attacker manipulates authorized pages to gain access to
unauthorized pages
Techniques used to guess URLs for restricted
pages or manipulate existing ones
Predictable URL patterns: If URLs follow a predictable pattern
(e.g., adding numbers or letters sequentially), attackers can try
variations to guess restricted URLs
Directory listing: Some servers accidentally allow directory listing,
revealing a list of folders and files within a directory. Attackers can
use this to identify potential hidden files or restricted pages.
Content guessing: Based on the application's functionality, attackers
might try to guess URLs for specific functionalities (e.g.,
"/admin/dashboard").
Impact of Failure to Restrict URL Access
• Data breaches: Unauthorized users might access sensitive data like
customer information, financial records, or internal documents.

• Unauthorized actions: Attackers could exploit this vulnerability to perform

unauthorized actions like deleting data, modifying configurations, or
injecting malicious code.

• Denial-of-service (DoS) attacks: In some cases, attackers might use this

vulnerability to overload the server with requests from restricted areas,
causing the application to crash and become unavailable to legitimate users.
Preventing Failure to Restrict URL Access
 Access control mechanisms: Implement proper access control mechanisms
to verify user permissions before granting access to specific URLs.

 Input validation: Validate all user input related to URLs to prevent them
from manipulating URLs to access restricted pages. This is like checking IDs
before granting access to restricted areas.

 Secure coding practices: Follow secure coding practices to avoid common

mistakes that might lead to this vulnerability. Think of it like building with
strong materials and proper construction techniques to create a secure
building.
Preventing Failure to Restrict URL
Access
• Unpredictable URL structures: Avoid predictable patterns in URL
structures to make them harder to guess.

• Disable directory listing: Ensure directory listing is disabled on the web

server to prevent attackers from peeking into directory structures.