Session hijacking

User input is code which gets executed when the page is shown to other users.

Acquiring session ids by observing network traffic.

Search engine search term is code which gets executed when the search term is shown in the results page.

Session fixation

Clickjacking

Session hijacking

CSRF

HTTP response splitting

CSRF

Directory traversal

None of the above

User logs on to site A, then visits site B which has malicious link back to site A, which executes unwanted action.

Acquiring victim’s session id by observing network traffic.

Two websites are set on top of each other, first invisible, second visible, user clicks first the other before clicking the second.

Attacker logs on to site and acquires session id. Then they feed the id to the victim, and the attacker gains access to victim’s resources on the site.

Attacker gains control of the HTTP body by making the server print an extra CRLF sequence.

CSRF

Persistent cross-site scripting

Non-persistent cross-site scripting

HTTP response splitting

protect from cross-site request forgery attacks.

are codes shared by the server and the client to help in HTTP request validation.

are always created with the help of CSURF.

can be used to configure CORS.

checks the protocol, the port and the host.

is synonym to CSP.