Time
1 hour 51 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Transcript

Application attacks could be employed by malicious persons to attack an enterprise network environment. The first attack we are looking at is something called cross-site scripting, which is also referred to as XSS. Cross-site scripting: this is a type of attack. The attack occurs when the attacker, a malicious person, is able to convince a victim to run a malicious script within a web browsing session. The malicious persons these days, they could either do that via e-mail or a phone call. They are able to convince a system user, who is the victim, to run a malicious script during a web browsing session. So in many cases they might call you to tell you there's a problem on your system. Are you by your system? You say yes. The first thing they will want to do is, they want to gain control of your head and your arms. So they start asking you to navigate special sections within the computer. When you are telling them that yes, you see those sections, now they know they are getting you to move and to navigate as they wish. Then they ask you to open the website, a page of their choice. At this point the attack is about to begin. You start to click on certain items on such pages; you might be installing into your system or running a script that will possibly maybe even open a back door. A back door is a script that has been programmed by these malicious persons. They want you to download it such that they have unauthorized access into your system without having to authenticate themselves to your computer system. They can gain access to the computer on which you are sat. That way they could put themselves as the man in the middle; they could now monitor all your activities on the system. When people do cross-site scripting attacks, they are also looking for ways to steal information, gather unauthorized information from your computer systems.

They could steal your logon credentials, they could redirect your web page navigation, they could also have access to information they are not meant to have access to. Another type of attack is something called the Structured Query Language, or which we have as SQL attack. This is a language we use to query databases. In an SQL attack a malicious person is able to send an SQL code to execute on an organization's database through a web browsing session. Some organizations do not do proper secure coding on their servers, so if a malicious person is able to send an SQL code to execute on the organization's database, it is possible they could change product prices, it is possible that they could steal information as well. So changing product prices, changing the way the organization presents data, is modifying the integrity of that machine. That is an attack against integrity. They could even tamper with the machines in such a way that those machines might shut down; that is an attack towards availability. So the overall understanding of this is a malicious person is able to inject the SQL code to execute on another organization's database through a web browsing session. So those are the key words you need for the exam. It has to happen through a web browsing session, and that way they could steal information, they could change information. It all borders around modifying information without proper authorization, which is an attack against integrity.

Application Attacks

Different from the trickery of social engineering attacks, this lesson demonstrates how Application Attacks are deliberately set in place by the malicious actions of someone tricking their way into the network with direct requests that appear to be innocent and appropriate. We'll introduce you to several of these actions, such as Cross-Site Scripting and SQL Attack, and what these types of actions do once you've been tricked into providing access to the network.

Video Transcription

00:04
Application attacks could be employed by malicious persons to attack an enterprise network environment.
00:12
The first attack we're looking at is something called cross-site scripting, which is also referred to as XSS.
00:19
Yes, cross-site scripting. This is a type of attack. The attack occurs when an attacker, a malicious person, is able to convince a victim to run a malicious script within a web browsing session.
00:32
The malicious persons these days, they could either do that via email or a phone call.
00:40
They are able to convince a system user, who is the victim,
00:43
to run a malicious script
00:46
during a web browsing session. So in many cases they might call you to tell you there's a problem on your system. Are you by your system? You say yes. The first thing they will want to do is, they want to gain control of your head and your arms, so they start asking you to navigate special sections within the computer.
01:04
When you are telling them that, yes, you see those sections,
01:07
now they know they're getting you to move and to navigate as they wish. Then they ask you to open the website,
01:15
a page of their choice.
01:19
At this point, the attack is about to begin. You start to click on certain items on such pages; you might be installing into your system or running a script that will possibly maybe even open a back door. A back door is a script that has been programmed by these malicious persons.
01:37
They want you to download it onto your system, such that
01:40
they have unauthorized access into your system without having to authenticate themselves to your computer system. They can gain access to
01:49
the computer on which you are sat.
01:52
That way they could put themselves as a man in the middle. They could now monitor all your activities on the system. When people do cross-site scripting attacks, they are also looking for ways to steal information,
02:07
gather unauthorized information from your computer systems. They could steal your logon credentials, they could redirect your web page navigation. They could also
02:19
have access to information they're not meant to have access to.
02:23
Another type of attack is something called the Structured Query Language, or which we have as SQL attack.
02:30
This is a language we use to query databases. So in an SQL attack, a malicious person is able to send
02:40
an SQL code to execute on an organization's database through a web browsing session. So some organizations do not do proper secure coding on their servers. So if
02:55
a malicious person is able to send an SQL code to execute on the organization's database, it is possible that they could change product prices. It is possible that they could steal information as well. So
03:13
changing product prices, changing the way the organization presents data,
03:15
is modifying the integrity of that machine. That is an attack against integrity. They could even
03:23
tamper with the machines in such a way that those machines might shut down.
03:29
That
03:30
is an attack towards availability. So the overall understanding of this is a malicious person is able to inject an SQL code to execute on another organization's database through a web browsing session. So those are the key words you need for the exam. It has to happen
03:49
through a web browsing session,
03:51
and that way they could steal information, they could change information. It all borders around modifying information without proper authorization, which is an attack against integrity.
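
The integrity attack described in the transcript (injected SQL changing product prices), shown beside the secure-coding fix, as an added example that is not part of the course material. The table, the "product note" form and the function names are hypothetical, and the form input is constructed.

```python
import sqlite3

# Constructed sample: text typed into a hypothetical "product note" web form.
FORM_INPUT = "nice', price = 0.01 --"


def make_db():
    """In-memory stand-in for the organization's product database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products "
        "(id INTEGER PRIMARY KEY, name TEXT, note TEXT, price REAL)"
    )
    db.executemany(
        "INSERT INTO products (id, name, note, price) VALUES (?, ?, '', ?)",
        [(1, "laptop", 999.0), (2, "mouse", 25.0)],
    )
    return db


def save_note_vulnerable(db, product_id, note):
    # Insecure coding: form text is pasted into the SQL statement, so a quote
    # in the input ends the string and the rest is executed as SQL. Here the
    # trailing "--" also comments out the WHERE clause.
    db.execute(f"UPDATE products SET note = '{note}' WHERE id = {int(product_id)}")


def save_note_safe(db, product_id, note):
    # Secure coding: placeholders keep the input as data, never as SQL.
    db.execute("UPDATE products SET note = ? WHERE id = ?", (note, int(product_id)))


def prices(db):
    """Return {product name: price} so the effect on integrity is visible."""
    return dict(db.execute("SELECT name, price FROM products ORDER BY id"))


if __name__ == "__main__":
    for save in (save_note_vulnerable, save_note_safe):
        db = make_db()
        save(db, 1, FORM_INPUT)
        print(save.__name__, prices(db))
```

With the vulnerable function every price in the table is overwritten; with the parameterized one the same input is stored as an ordinary note and the prices are untouched.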

Up Next

Fundamental Vulnerability Management

Vulnerability Management is a continuous information security risk process that requires management oversight and includes a 4-tier approach of: discovery, reporting, prioritization, and response

Instructed By

John Oyeleke
Lead IT Security Instructor
Instructor