- What is a CSRF attack? How does it use HTTP requests? And why do we call it the one-click attack?
- What is an XSS attack? And what is the connection between it and cookies/sessions? What are the two main categories of XSS?
- What is a phishing attack? How do attackers typically execute phishing attacks, and what are their primary goals?
- What is a man-in-the-middle (MITM) attack? How do attackers perform MITM attacks, and what can be the consequences for victims?
- What is End-to-End encryption (E2EE)? Provide an example of a well-known app using E2EE, and explain how that app uses it.
@hunny-bee
@Tumelo2748
@NtokozoMitchell
- CSRF is an attack where an attacker tricks a victim into performing unintended actions on a web app they're logged into. It exploits how web apps trust legitimate HTTP requests from authenticated users. Attackers can craft malicious requests and trick victims into executing them, for example by including one in an image.
CSRF is called a "one-click attack" because the victim only needs to take a single action to execute the attack, which then uses their valid session to perform actions on their behalf.
- In a reflected XSS attack, the malicious script is not stored on the server but is reflected off the server in a response. This often happens when a user is tricked into clicking a malicious link or submitting a specially crafted form.
Example: An attacker sends a link with a malicious script embedded in the URL. When the victim clicks the link, the script is reflected off the server and executed by the victim's browser.
Web apps can prevent CSRF by requiring unique tokens, verifying the Referer header, or using double-submit cookies.
- A phishing attack is when an attempt is made to trick someone into disclosing sensitive data, including credit card numbers, usernames, passwords, or other personal information. In most cases, this is achieved by acting as someone you can trust in online interactions.
Attackers typically execute phishing attacks by sending fraudulent emails that appear to be from reputable sources. These emails often contain links to fake websites that look identical to legitimate ones, aiming to deceive recipients into entering their personal information.
- Attackers position themselves between the sender and receiver to eavesdrop on exchanged data like credit card numbers, login credentials, or sensitive information.
Email Hijacking: Attackers take control of email accounts (e.g., banks) to monitor transactions or send fake emails to victims.
Wi-Fi Eavesdropping: Victims unknowingly connect to a malicious Wi-Fi network, allowing attackers to intercept their data.
Consequences: Stolen data can lead to unauthorized purchases, financial account hijacking, and identity theft, leaving organizations and individuals vulnerable without their knowledge.
- With end-to-end encryption (E2EE), messages are only read by the users who are chatting. This is a secure communication method. Messages sent over E2EE are encrypted on the sender's end and decoded only on the recipient's end. This means that any third party, including the service provider, cannot access the sent data.
WhatsApp uses End-to-End Encryption to secure user communications. When a user sends a message on WhatsApp, the message is encrypted on the sender's device using a unique encryption key. The encrypted message is transmitted over the internet to WhatsApp's servers and then to the recipient's device. During this transmission, the message remains encrypted, ensuring that even if intercepted, it cannot be read. Once the encrypted message arrives at the recipient's device, it is decrypted using the unique key that matches the sender's encryption key. The recipient can then read the message in its original form.
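The three CSRF defences named in the answer above (unique tokens, Referer/Origin checking, double-submit cookies), applied to a state-changing request. This is an added example, not code from the gist or any of the commenters; the request shape, the `bank.example` origin and the cookie/field names are assumptions.

```python
import hmac, secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected web app

def issue_csrf_token():
    """Double-submit cookie: the server puts this value in a cookie and the
    legitimate page copies it into a hidden field of every state-changing form."""
    return secrets.token_urlsafe(32)

def csrf_ok(request):
    """Return (accepted, reason) for a state-changing endpoint such as /transfer.
    `request` is a dict with method, cookies, form and headers."""
    # A GET fired by <img src="https://bank.example/transfer?..."> must never
    # change state, so safe methods are refused here regardless of cookies.
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return False, "state change via safe method refused"
    # 1. Unique token: present both in the cookie and in the submitted form...
    cookie_tok = request["cookies"].get("csrf")
    form_tok = request["form"].get("csrf")
    if not cookie_tok or not form_tok:
        return False, "csrf token missing"
    # 2. ...and equal (constant-time compare). A page on another origin cannot
    # read our cookie, so it cannot put the matching value into its own form.
    if not hmac.compare_digest(cookie_tok, form_tok):
        return False, "csrf token mismatch"
    # 3. Origin header (Referer as fallback) must name our own site exactly.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-origin source"
    return True, "ok"

# Constructed requests; the browser attaches the session cookie to all of them
# because the victim is logged in, which is exactly what CSRF relies on.
TOKEN = issue_csrf_token()
LEGIT = {"method": "POST", "cookies": {"session": "s1", "csrf": TOKEN},
         "form": {"to": "friend", "amount": "10", "csrf": TOKEN},
         "headers": {"Origin": SITE_ORIGIN}}
IMG_FORGERY = {"method": "GET", "cookies": {"session": "s1", "csrf": TOKEN},
               "form": {}, "headers": {"Referer": "https://evil.example/page"}}
FORM_FORGERY = {"method": "POST", "cookies": {"session": "s1", "csrf": TOKEN},
                "form": {"to": "attacker", "amount": "1000", "csrf": "guess"},
                "headers": {"Origin": "https://evil.example"}}
```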
Nhlanhla Msibi @Nhlanhla-advocate
Mpho Oganne
Nonhlanhla Mazibuko
- A Cross-Site Request Forgery (CSRF) attack is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. Essentially, the attacker tricks the victim into making an unwanted request to a server on which they are authenticated. The attacker needs to get the user to execute this malicious request. This is often done by embedding the request in a malicious link, image, or script on a web page that the user visits.
It's called a one-click attack because, typically, all it takes for the attack to be executed is a single click by the user on a seemingly harmless link or button. In many cases, the user doesn't even realize they are making the request because the action can be embedded in an invisible image or an automatically executing script.
- An XSS attack (cross-site scripting) is a vulnerability in web applications that allows attackers to inject malicious scripts into trusted websites. These scripts are then executed by unsuspecting users. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to end users. The injected code is then delivered to other users who access the web page or web application. When these users' browsers load the page, they execute the malicious script as part of the normal content.
XSS attacks allow an attacker to execute scripts in the context of a user's browser, making it possible for them to potentially steal cookies and the session identifiers stored in the cookies. This can lead to session hijacking, where the attacker gains unauthorized access to the user's session, where they can impersonate the victim, performing actions and accessing data as if they were the legitimate user.
Main categories of XSS:
  - Stored XSS, which is also referred to as persistent XSS: An attacker may inject malicious content (referred to as the payload), most often JavaScript code, into the target application, which can then be stored in the application's database permanently. When a victim opens the affected web page in a browser, the XSS attack payload is served to the victim's browser, which means that victims will end up executing the malicious script once the page is viewed in their browser. An example would be an attacker posting a comment on a blog post with the malicious code. The blog stores this comment in its database without proper sanitization. When other users view the blog post, the malicious script is executed in their browsers, potentially stealing their session cookies.
  - Reflected XSS: The attacker's payload has to be a part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. This often occurs when the user is tricked into clicking a malicious link or submitting a specially crafted form. The injected script is then included in the server's response to the user, and the browser executes it. This type of XSS is usually targeted at a single user.
- A phishing attack is a type of cyber attack where an attacker disguises themselves as a trustworthy entity to deceive individuals into divulging sensitive information such as usernames, passwords, credit card numbers, or other personal information. Phishing is a form of social engineering, relying on manipulating human psychology rather than exploiting technical vulnerabilities.
Crafting the Bait:
Email: The attacker creates a fake email that looks like it's from a legitimate source, like a bank, a social media site, or an online service. The email usually contains a message that aims to create a sense of urgency or curiosity, like a message that says "your account has been compromised, click here to secure it".
- A Man-in-the-Middle attack is a type of cyber attack where the attacker secretly intercepts and relays communication between two parties who believe they are directly communicating with each other. The attacker can eavesdrop, alter, or inject false information into the communication, effectively taking control of the conversation without the knowledge of the legitimate parties.
The consequences for the victim are:
Financial Loss: Victims may experience unauthorized transactions or withdrawals from their bank accounts. Businesses may suffer from theft of financial information or intellectual property.
- End-to-End Encryption is a method of data transmission where only the communicating users can read the messages. In E2EE, the data is encrypted on the sender's device and only decrypted on the recipient's device, ensuring that no intermediaries, including service providers, can access the contents of the communication.
WhatsApp uses end-to-end encryption (what they want us to believe). When a user sends a message, it is encrypted on their device using a unique encryption key. This encryption key is only known to the sender and the intended recipient. Even WhatsApp servers do not have access to this key.
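The blog-comment scenario from the stored XSS answer above, together with the reflected case, rendered once the vulnerable way and once with output encoding, plus the cookie attributes that keep a session id out of reach of any script that does run. This is an added example, not code from the gist or its commenters; the stored comments, the page layout and the cookie name are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed database contents: a harmless comment and one saved exactly as the
# attacker typed it, because the blog did not sanitise on submit.
STORED_COMMENTS = ["Great post!", "<script>alert('xss')</script>"]

def render_page(comments, search_term, escape):
    """Build the HTML a visitor receives. `search_term` comes straight from the
    current request (the reflected case); `comments` come from storage (the
    stored case). With escape=False this is the vulnerable blog; with
    escape=True every untrusted value is output-encoded before it hits the page."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    items = "".join(f"<li>{enc(c)}</li>" for c in comments)
    return f"<h1>Results for {enc(search_term)}</h1><ul>{items}</ul>"

class _ActiveContent(HTMLParser):
    """Count what a browser would execute: <script> tags and inline on* handlers."""
    def __init__(self):
        super().__init__()
        self.count = 0
    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.count += 1

def active_content(page):
    """Number of executable elements in the served HTML; 0 is the goal."""
    parser = _ActiveContent()
    parser.feed(page)
    return parser.count

def session_cookie_header(session_id):
    """Second layer: even if a script does run, HttpOnly keeps the session id out
    of document.cookie, Secure keeps it off plain HTTP, and SameSite=Lax stops
    other sites from sending it along with cross-site POSTs (the CSRF case)."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```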
Simphiwe Ndlovu
Katleho
Thabiso
1. Imagine you're logged into your online banking account. A CSRF attack is like someone tricking you into clicking a hidden button that says "Send money to a stranger" without you knowing. It's called a "one-click attack" because just by clicking on what seems like an innocent link or visiting a webpage, you could accidentally trigger this hidden action. The attacker doesn't need your password; they're just taking advantage of the fact that you're already logged in. It's like if someone asked you to pass a sealed envelope to your bank teller, but inside was a request to transfer your money. Your bank would think it's from you because you delivered it, even though you didn't know what was inside.
2. An XSS (Cross-Site Scripting) attack is a type of web security vulnerability where an attacker injects malicious scripts into a trusted website. These scripts then execute in the browsers of users visiting the site. The connection to cookies and sessions is crucial, as XSS can be used to steal these, potentially compromising user accounts. XSS attacks can allow attackers to steal session cookies, enabling them to impersonate users and gain unauthorized access to accounts. They can also modify webpage content, redirect users to malicious sites, or perform actions on behalf of the user. The two types of attacks are Stored (Persistent) XSS, where the malicious script is permanently stored on the target server, and Reflected (Non-Persistent) XSS, where the malicious script is embedded in a link and only activates when that specific link is clicked.
3. where they attempt to trick individuals into revealing sensitive information or taking harmful actions by posing as a trustworthy website. The common methods are sending forged emails that appear to be from legitimate sources and creating convincing replicas of trusted websites.
4. It's like a sneaky mailman who intercepts your letters, reads them, and maybe even changes them before delivering. In the digital world, an attacker gets between you and the website or person you're trying to communicate with. The attacker can steal your passwords or credit card information.
5. End-to-End Encryption (E2EE) is like having a super-secret code that only you and the person you're talking to can understand.
Here's how it works:
A well-known app that uses E2EE is Signal.
How Signal uses E2EE:
   1. When you start a chat with someone on Signal, your phones secretly agree on a unique code (or "key") for your conversation.
   2. Every message you send gets scrambled using this code.
   3. The scrambled message goes through Signal's servers, but they can't understand it.
   4. When your friend's Signal app gets the message, it uses the secret code to unscramble it.
   5. This happens for every message, call, or file you send.
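The five Signal steps listed above, and the WhatsApp descriptions in the earlier answers, simulated end to end with Python's standard library. This is an added example, not code from the gist, its commenters, Signal or WhatsApp: finite-field Diffie-Hellman over the RFC 2409 group 2 prime stands in for the X25519/X3DH key agreement Signal actually uses, and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for its AES and Double Ratchet. The point it demonstrates is the one the answers make: the server only ever holds public values and ciphertext.

```python
import hashlib, hmac, secrets

# RFC 2409 "group 2" 1024-bit MODP prime and generator (stand-in for X25519).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Phone:
    """One chat participant. The private exponent never leaves the device."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)   # the only value sent via the server
        self.key = None
    def agree(self, peer_pub):
        # Step 1: both phones compute the same conversation key from the other
        # side's public value; the server only ever saw the public values.
        shared = pow(peer_pub, self._priv, P)
        self.key = hashlib.sha256(shared.to_bytes(128, "big")).digest()
    def _xor_stream(self, nonce, data):
        # HMAC-SHA256 in counter mode as the keystream (stand-in for AES).
        stream = b"".join(_prf(self.key, nonce + i.to_bytes(4, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))
    def seal(self, plaintext):
        # Step 2: scramble with a fresh nonce and append a MAC tag (encrypt-then-MAC).
        nonce = secrets.token_bytes(16)
        ct = self._xor_stream(nonce, plaintext)
        return nonce + ct + _prf(self.key, nonce + ct)
    def open(self, blob):
        # Step 4: verify the tag first, then unscramble with the same key.
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(self.key, nonce + ct)):
            raise ValueError("tag mismatch: altered in transit or wrong key")
        return self._xor_stream(nonce, ct)

def conversation(messages):
    """Steps 3 and 5: every message is sealed, passed through the server (which
    only stores and forwards opaque bytes) and opened on the other phone."""
    alice, bob = Phone(), Phone()
    alice.agree(bob.pub); bob.agree(alice.pub)   # public values may transit the server
    blobs = [alice.seal(m) for m in messages]
    server_log = list(blobs)                     # all the operator could ever inspect
    return [bob.open(b) for b in blobs], server_log
```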