Disable and avoid using code that might allow an attacker to execute system commands remotely.
- Session fixation is an attack where the attacker provides a user with a valid session identifier. It's similar to session hijacking, but reversed. Instead of stealing a user's session ID, the attacker gives the user a session ID, one that the attacker controls. In both cases, the result will be that the user and the attacker are using the same session identifier. The purpose of the attack is the same. An attacker can assume the user's identity and share their access privileges. Of course, the session that the attacker provides will not be authenticated. It won't be attached to a logged-in user yet. The attacker has to wait patiently. When the user eventually logs into the website again, the application stores a bit of data in the session file to remember that the user has logged in and should be allowed to view other pages. Now the attacker can take advantage of the shared session and visit access-restricted pages. Early session fixation attacks relied …
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting
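To make the session fixation mechanism described above concrete, here is an added example (not code from the course) that models a tiny in-memory session store. `login_fixable` authenticates whatever session ID the browser presented, so an ID the attacker handed out becomes a logged-in session; `login_hardened` applies the standard mitigation of discarding the pre-login ID and issuing a fresh one, so the attacker's copy stays unauthenticated. All names and the simulated flow are constructed for illustration.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration)."""

    def __init__(self):
        self.sessions = {}  # session_id -> dict of session data

    def get_or_create(self, session_id=None):
        # Mint a fresh random ID when the client has none; otherwise
        # reuse the presented ID (a valid one, as in the scenario above).
        if session_id is None:
            session_id = secrets.token_hex(16)
        self.sessions.setdefault(session_id, {})
        return session_id

    def login_fixable(self, session_id, user):
        """Vulnerable: marks the client-presented session as logged in."""
        self.sessions[session_id]["user"] = user
        return session_id

    def login_hardened(self, session_id, user):
        """Mitigation: drop the pre-login ID and bind the user to a new one."""
        old_data = self.sessions.pop(session_id, {})
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {**old_data, "user": user}
        return new_id

    def user_for(self, session_id):
        """Return the logged-in user for an ID, or None if unauthenticated."""
        return self.sessions.get(session_id, {}).get("user")


def simulate(rotate_on_login):
    """Replay the attack; returns (what attacker sees, what victim sees)."""
    store = SessionStore()
    # 1. Attacker obtains a valid but unauthenticated session ID.
    attacker_sid = store.get_or_create()
    # 2. The victim's browser ends up using that same ID.
    victim_sid = store.get_or_create(attacker_sid)
    # 3. The victim logs in; the server either keeps or rotates the ID.
    if rotate_on_login:
        victim_sid = store.login_hardened(victim_sid, "alice")
    else:
        victim_sid = store.login_fixable(victim_sid, "alice")
    # 4. Attacker presents the ID they handed out.
    return store.user_for(attacker_sid), store.user_for(victim_sid)
```

Regenerating the session ID at every privilege change (login, role escalation) is what makes the attacker's pre-issued ID worthless; logging the rotation also gives a clear audit trail of when authenticated sessions were created.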
1. Security Overview
2. General Security Principles
3. Filter Input, Control Output
4. The Most Common Attacks
Next steps (2m 26s)