Mobile application security issues: Overview of practices to plug vulnerabilities – 4 - Shezartech

Web applications hold critical application data and most of the application's functionality, so a mobile application's security is a critical concern. Some activities that web applications permit users to perform can be used to breach the application's security. A few potential security loopholes of this type are illustrated below.

Terminating User Session

Servers maintain user sessions, and those sessions contain user-specific information. While a user's session is active on the server, he or she does not need to authenticate again when revisiting the portal. An attacker can exploit this: if access is gained to a user's machine, the intruder can reach the user's data stored on the server and inflict damage.

Weak Password Policy

Allowing users to set weak passwords is not ideal. A weak password can be guessed easily, leading to unauthorized access. Applications must enforce a strong password policy to keep out illegitimate users. A strong password is hard to guess, which reduces the possibility of password theft.

Enabling Auto-Complete Feature

The auto-complete feature automatically fills form fields with previously entered data, some of which may be sensitive. If a person with malicious intent gains access to a user's browser, he or she can read the sensitive information the browser auto-populates.

Clickjacking

Clickjacking is the malpractice of tricking users into performing an action other than the one they intended. It is used for malicious purposes such as stealing money from a user's bank account. Attackers carry it out with a user interface element called an iframe, which allows one web page to be displayed within another.

Allowing Simultaneous Logins

Many applications allow users to log in from multiple machines simultaneously. This is convenient for users but can lead to a security breach: a person who obtains the session URL and other device-specific information can use it to gain access to the application.
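As an added example (not code from the original post), the following Python session store shows the server-side counterpart of two practices above: terminating sessions on logout and after idle or absolute timeouts, and optionally refusing a second concurrent session for the same user. The class names, the timeout values and the injectable clock are assumptions made for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy values are assumptions for this example, not from the original post.
IDLE_TIMEOUT = 15 * 60           # terminate after 15 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 60 * 60  # terminate 8 hours after login, active or not


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the client only ever holds the random token."""
    def __init__(self, single_session: bool = True, clock=time.time):
        self._sessions: dict = {}
        self.single_session = single_session  # refuse concurrent logins per user
        self.clock = clock                    # injectable for deterministic tests

    def login(self, user: str) -> str:
        if self.single_session:
            self.terminate_all(user)  # a new login ends any other active session
        token = secrets.token_urlsafe(32)  # 256-bit unguessable identifier
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self.terminate(token)
            return None
        s.last_seen = now  # activity extends the idle window, never the absolute one
        return s.user

    def terminate(self, token: str) -> None:
        """Explicit logout: the token is useless even if it was copied elsewhere."""
        self._sessions.pop(token, None)

    def terminate_all(self, user: str) -> None:
        for t in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[t]
```

With `single_session=True`, a stolen session URL stops working the moment the legitimate user logs in again; with it off, the idle and absolute timeouts still bound how long a copied token remains usable.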