Authentication
Cryptography
Web Vulnerabilities 101
Hacker Lingo
Random
100

A small piece of data sent from a server and stored on the user's computer by the browser, used to remember stateful information.

What is a cookie?

100

The process of converting data into a scrambled, unreadable format using a key.

What is encryption?

100

An attack that tricks a user's authenticated browser into sending an unintended command to a website they are logged into.

What is Cross-Site Request Forgery (CSRF)?

100

A type of malware that encrypts a victim's files and demands a payment, often in cryptocurrency, for the decryption key.

What is ransomware?

100

This three-letter acronym stands for a well-known list of common vulnerabilities and exposures.

What is CVE? (Common Vulnerability Exposures)

200

A JSON-based open standard (RFC 7519) for creating access tokens that assert claims.

What is a JWT? (JSON Web Token)

200

A one-way function that turns an input of any size into a fixed-size string of characters, often used to store passwords.

What is hashing?

200

This attack involves injecting malicious scripts into a trusted website, which then execute in a victim's browser.

What is Cross-Site Scripting (XSS)?

200

The term for a vulnerability that has not been publicly disclosed and is not yet known to the vendor.

What is a zero-day vulnerability?

200

This four-letter mechanism tells a browser to allow a web application running at one origin to access resources from a different origin.

What is CORS? (Cross-Origin Resource Sharing)

300

This attack uses large lists of already breached username/password pairs to log into different services, hoping users reused their credentials.

What is credential stuffing?

300

This type of encryption uses two different keys: one for encrypting (public) and one for decrypting (private).

What is asymmetric encryption (or public-key cryptography)?

300

A vulnerability that tricks a server into making a request on the attacker's behalf, often used to scan internal networks or query cloud metadata services.

What is Server-Side Request Forgery (SSRF)?

300

This type of phishing attack is highly targeted against a specific individual, group, or organization, often using personalized information to appear legitimate.

What is spear phishing?

300

This complex policy, delivered in an HTTP header and often configured with directives like script-src and object-src, whitelists the sources from which a browser is allowed to load content.

What is the Content Security Policy?

400

This XML-based open standard is commonly used for enterprise Single Sign-On (SSO), allowing an identity provider to pass authentication "assertions" to a service provider.

What is SAML?

400

A random piece of data added to a password before hashing to protect against rainbow table attacks.

What is a salt?

400

An attack where a user is tricked into clicking a transparent or disguised element that performs an action on another site.

What is clickjacking?

400

This term, derived from a typo of "owned," is slang for completely compromising or gaining control of a target system or person.

What is pwned?

400

Discovered in 2010, this sophisticated computer worm targeted SCADA industrial control systems and spread via infected USB drives to sabotage a nuclear program.

What is Stuxnet?

500

An open standard for access delegation, commonly used to grant websites or applications access to your information on other websites without giving them the passwords.

What is OAuth?

500

This process uses a private key to sign a message, providing integrity, authentication, and non-repudiation (proving the sender sent it).

What is a digital signature?

500

An attack where an attacker crafts a request that causes a malicious response to be saved in a CDN or proxy, which is then served to all other users.

What is Web Cache Poisoning?

500

A stealthy, well-funded, and often state-sponsored hacking group that plays the "long game," focusing on espionage or strategic disruption.

What is an APT? (Advanced Persistent Threat)

500

This type of attack exploits the small window of time between a "check" (like if (balance > amount)) and the "action" (like balance -= amount), allowing an attacker to bypass the check by sending multiple requests simultaneously.

What is a race condition attack?
