Hackers or attackers make use of a known vulnerability, such as cross-site scripting (XSS), in a Web-based application to bypass access controls such as the same-origin policy and launch attacks by injecting client-side script into webpages viewed by other users. Through cross-site scripting, an attacker thus gains elevated access to sensitive page contents, session cookies, etc.
Attacks associated with cookies
Cookies are small text files that are created when the user visits a website. The website uses the cookie to remember who the user is and what activity the user has performed recently. The next time the user visits the same website, the browser sends back the cookie stored on the hard disk. In this way, cookies are very helpful, as the user does not have to type the same information every time.
However, a vulnerability in the browser may allow hackers to access the important information stored in these cookies and use it to their advantage.
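The two risks above, unescaped output that lets injected script run and session cookies that such script can read, as an added Python example that is not part of the original text: a vulnerable and a hardened way to render a user comment, a session cookie set with the HttpOnly, Secure and SameSite attributes, and a check that reports which of those attributes a Set-Cookie line lacks. The comment text and session id are constructed sample inputs.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a "comment" that contains a script tag, the classic
# textbook cross-site scripting probe. Not taken from any real site.
UNTRUSTED_COMMENT = '<script>alert(1)</script> nice article'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into the HTML."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened form: <, >, &, and quotes are escaped, so the browser shows the
    text literally instead of parsing it as markup and running the script."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def contains_script_tag(rendered_html: str) -> bool:
    """Crude check used only to make the difference visible: does a live
    <script> tag survive in the rendered page?"""
    return "<script" in rendered_html.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for a session cookie with the protective attributes.
    HttpOnly keeps it out of document.cookie, so injected script cannot read it;
    Secure restricts it to HTTPS; SameSite=Strict stops cross-site sending."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Strict"  # attribute supported from Python 3.8
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def missing_cookie_protections(set_cookie: str) -> list:
    """Defender-side check on a Set-Cookie line (or just its value): which of the
    three protective attributes are absent? An empty list means all are present."""
    parts = [p.strip().lower() for p in set_cookie.split(";")]
    missing = []
    if "httponly" not in parts:
        missing.append("HttpOnly")
    if "secure" not in parts:
        missing.append("Secure")
    if not any(p.startswith("samesite=") for p in parts):
        missing.append("SameSite")
    return missing
```

Escaping on output is the fix for the injection itself; the cookie attributes limit what injected script can reach if some other output path is missed.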
All kinds of software that arrive on a user’s computer without the user’s permission or awareness, or sometimes with the user’s permission, are known as invasive software. Typical forms of invasive software are adware, spyware, scareware, scumware, theftware and drug dealerware. Such software may clutter the user’s screen with ads and pop-ups, send out user information, slow down the user’s computer or even cause a system crash.
Adware. Adware is designed to advertise a commercial offering. It is commonly acquired when a user downloads freeware or shareware such as games. When the user downloads the software, the user has to click through a page of unintelligible legal text that includes some kind of copyright notice and usually permission to install adware along with the software. After downloading the software, the user may start noticing more pop-up windows than usual.
Spyware. Spyware is software that engages in antisocial activities such as sending personal information like passwords, credit card numbers and other confidential corporate information to its creators. Spyware installs itself without the user’s permission and often hides so that it is difficult to find and eradicate from the system.
One of the threats of spyware is key logging, which enables it to record anything that the user types, including passwords, credit card numbers, e-mail messages, chat messages, etc. Some spyware can even spy on the user through the user’s own webcam.
Scareware. Scareware is software that creates fear in users by asking them to perform some kind of activity while threatening them with the adverse effects of not following its instructions. Scareware can install malicious software that may steal information, make the system unstable or even crash it.
Other malware. Some other kinds of malware (malicious software) include scumware, drug dealerware and theftware. Scumware is designed to steal traffic and revenue from legitimate websites. Drug dealerware offers free software and then shuts down and demands payment months later, when one has presumably become used to it. Theftware hijacks the ad space on webpages, replacing it with its own ads.
Spam is unsolicited junk e-mail that can take the form of advertisements, chain mail, bulk e-mail, threatening or abusive e-mail, etc. Spammers often use tools called ‘harvesters’ that scan the Internet and newsgroups and collect e-mail addresses. Spammers may also buy a list of e-mail addresses from a website that holds user information in its database.
Most spam is used for fraudulent advertisements such as lottery-jackpot announcements, get-rich-quick business opportunities, free gifts and work-at-home schemes. Such spam may carry viruses or try to lure the user into providing personal and financial information, including user ID, password, credit card number, etc.
Some dangerous spam comes from worms, not spammers: these generate infected e-mail from the systems of unsuspecting hosts. Some spam is circulated unknowingly by ordinary users who pass on chain letters, devotional messages, pleas for medical help, etc. Such chain letters promise a large return for small effort and often also threaten bad luck if one breaks the chain.
A denial-of-service (DoS) attack, as the name suggests, is a kind of cyber attack that makes a system, network resource, network component, website, or service hosted on a reputed and important webserver unavailable temporarily or permanently.
Generally, there are two forms of DoS attack: those that crash services and those that flood services. In its simplest form, a DoS attack sends a large quantity of communication requests to a targeted resource in order to keep the resource busy, saturate it or overflow it, so that it becomes unavailable for a certain period of time or responds so slowly as to be rendered essentially unavailable. Such attacks may consume system resources (such as bandwidth, memory and processor time), disrupt configuration information (such as routing information), disrupt physical network components or even force systems to reset, so as to make them unavailable to their intended users.
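The flooding form described above, seen from the detection side, as an added Python example that is not part of the original text: a per-source sliding-window counter that flags any client sending more than a threshold of requests within a short window, run over a constructed access log holding one ordinary client and one flooding source. The log line format, the IP addresses and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed): <client ip> [<dd/Mon/yyyy:HH:MM:SS>] "<request>" <status>
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "[^"]*" \d{3}$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, or None for a malformed one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def build_sample_log() -> list:
    """Constructed sample: an ordinary client making one request every 10 s, and
    one source (a documentation-range address) sending 120 requests within 6 s."""
    base = datetime(2024, 3, 12, 10, 0, 0)
    lines = []
    for i in range(6):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f'10.0.0.5 [{ts.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200')
    for i in range(120):
        ts = base + timedelta(seconds=20 + i // 20)  # 20 requests per second
        lines.append(f'198.51.100.7 [{ts.strftime(TS_FMT)}] "GET /search?q=x HTTP/1.1" 200')
    lines.sort(key=lambda line: parse_line(line)[1])  # chronological, as a server writes them
    return lines


def flag_flooding_sources(lines, window_seconds: int = 10, max_requests: int = 50) -> dict:
    """Per-source sliding-window counter: a source is flagged once it has sent more
    than max_requests within any window_seconds span. Returns {ip: peak count}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the detector
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Counting per source catches a single flooding client; a flood spread across many sources, or a threshold set too low for a busy legitimate client, needs an aggregate baseline per resource rather than this per-address rule.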