The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to clarify the language used within the community.



Abuse of Functionality: An attack technique that uses the features and functionality of a web site to consume, defraud, or circumvent the site's access controls. See also "Denial of Service".

ActiveX Controls: A program, called a "control", developed using ActiveX technologies. ActiveX controls can be downloaded and executed within technology-enabled Web browsers. ActiveX is a set of rules for how applications should share information. ActiveX controls can be developed in C, C++, Visual Basic, and Java. See also "Java", "Java Applets", "JavaScript", "Web Browser".

AJAX: AJAX stands for Asynchronous JavaScript and XML. This browser-based technology allows a web site to perform additional resource requests without refreshing the user's page by utilizing the XMLHttpRequest JavaScript object.

Anti-Automation: A security measure that prevents automated programs from exercising web site functionality by administering a Turing Test to the user, which only a human could pass. See also "Visual Verification".

Application Server: A software server, normally using HTTP, which has the ability to execute dynamic web applications. Also known as middleware, this piece of software is normally installed on or near the web server where it can be called upon. See also "Web Application", "Web Server".

Authentication: The process of verifying the identity or location of a user, service or application. Authentication is performed using at least one of three mechanisms: "something you have", "something you know" or "something you are". The authenticating application may provide different services based on the location, access method, time of day, etc. See also "Insufficient Authentication".

Authorization: The determination of what resources a user, service or application has permission to access. Accessible resources can be URLs, files, directories, servlets, databases, execution paths, etc. See also "Insufficient Authorization".

Backup File Disclosure: (Obsolete) See "Predictable File Location".

Basic Authentication: A simple form of client-side authentication supported in HTTP. The HTTP client sends a request header to the web server containing a Base64-encoded username and password. If the username/password combination is valid, the web server grants the client access to the requested resource. See also "Authentication", "Insufficient Authentication".
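
As an added illustration of the Basic Authentication entry (example code, not part of the glossary), a small server-side parser and verifier for the Authorization header; the credential store, salt and sample values are constructed for the demonstration:

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store for the example: the server keeps a salted
# PBKDF2 hash of each password, never the clear-text password itself.
_SALT = b"constructed-salt"
_ITER = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, _ITER)}


def parse_basic_header(header_value):
    """Return (username, password) from an Authorization header value.

    Basic auth is only Base64 encoding, not encryption: anyone who can read
    the header recovers the credentials, so it must only travel over TLS.
    Returns None for anything that is not well-formed Basic auth.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617 format is user-id ":" password; only the password may contain ':'.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    return (user, password) if sep else None


def authenticate(header_value):
    """True only when the header carries a valid username/password pair."""
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return False
    user, password = parsed
    # Hash against a dummy entry for unknown users so response timing does not
    # reveal which usernames exist, and compare the digests in constant time.
    stored = USERS.get(user, bytes(32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(candidate, stored) and user in USERS


def make_basic_header(user, password):
    """Build the header value an HTTP client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```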

Brute Force: An automated process of trial and error used to guess the "secret" protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys. See also "Authentication", "Insufficient Authentication", "Password Recovery System", "Weak Password Recovery Validation".

Buffer Overflow: An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer Overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory space will be corrupted and normally produce a fault. An attacker may be able to utilize a buffer overflow situation to alter an application's process flow. Overfilling the buffer and rewriting memory-stack pointers could be used to execute arbitrary operating-system commands.