Web Application Attacks
- web application attacks must navigate the client-server model
- HTTP is stateless
  - meaning each request is independent
  - the server does not retain information about the client's state
- Web applications manage sessions and maintain state using
  - cookies
  - session IDs
- improper session management is associated with many types of web application attacks
- attacks exploit the web's inherent trust in requests or scripts that appear to come from valid users or trusted sites
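As an added example (not part of these notes), the snippet below shows how a server re-creates state on top of stateless HTTP with a session ID in a cookie, and the two checks a defender puts around it: an unguessable ID with restrictive cookie attributes, and a per-session token so that a request carrying a valid cookie is not automatically trusted. The store layout, cookie name and function names are hypothetical.

```python
import secrets
import hmac
from http.cookies import SimpleCookie

# Added example, not from the original notes: a minimal server-side session
# store. Store layout, cookie name and function names are hypothetical.

COOKIE_NAME = "sid"


def new_session(store, username):
    """Create a session for a logged-in user and return its session ID.

    The ID comes from a CSPRNG (256 bits), so it cannot be guessed, and each
    session carries its own token for state-changing requests.
    """
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def set_cookie_header(sid):
    """Set-Cookie value that keeps the ID away from scripts (HttpOnly),
    cleartext transport (Secure) and cross-site requests (SameSite=Strict)."""
    return f"{COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def session_from_cookie(store, cookie_header):
    """Resolve the Cookie request header to a stored session, or None."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get(COOKIE_NAME)
    return store.get(morsel.value) if morsel else None


def authorize_state_change(store, cookie_header, submitted_csrf):
    """Accept a state-changing request only if the session exists AND the
    request carries that session's token: the cookie alone proves which
    browser sent the request, not that its user intended it."""
    session = session_from_cookie(store, cookie_header)
    if session is None or not submitted_csrf:
        return False
    return hmac.compare_digest(session["csrf"], submitted_csrf)
```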