Question


Al Zainab Jewelries promotes discounts to the public who purchase gold for above 100 OMR. Customers who purchased gold more than 100 OMR received emails from the jewelry shop stating to enter the purchase details along with personnel details. Many users have entered their purchase details and other personnel details using the Jewelry shop's official website. Customers did not get any acknowledgment. After receiving complaints from many customers, the administrator suspected that a malicious attack has happened. Consider the above scenario and explain the following questions:

a. Which attack is launched by the attacker in the mentioned above scenario? Explain how it happened? What is the motive of the attack?

b. Write any two preventive measures suggested by the administrator to defend against the mentioned above attack.

c. Write any two immediate actions taken by the administrator in response to the attempted attack.

this question is related to the web application security course, I need the answer with the reference of the website that you search

Answer #1

a). The attack is due to a vulnerability in the website of Al Zainab Jewelries that favoured the hacker to send phishing mails to the customers. The Open Web Application Security Project is an international non-profit organization dedicated to the security of web applications. It lists some vulnerabilities in the website, out of which one of the most common and popular vulnerabilities is Cross-Site Scripting (XSS attack). In this type of attack the hacker could send the victim a misleading email with a link containing malicious JavaScript. If the victim clicks on the link, the HTTP request is initiated from the victim's browser and sent to the vulnerable web application. This vulnerability can be exploited to run malicious JavaScript code on a victim's browser. For example here, the attacker had sent an email to the victim customers that appears to be from the official website of the Jewelry Shop, with a link to that shop's website. This link could have some malicious JavaScript code tagged onto the end of the URL. If the shop's site is not properly protected against cross-site scripting, then that malicious code will be run in the victim's web browser when they click on the link. The motive of this kind of attack was to obtain confidential information of the customers. The attacker could also obtain a user's session cookie; they can then impersonate that user, perform actions on behalf of the user, and gain access to the user's sensitive data.

b). The preventive measures can be:-

The application code should never output data received as input directly to the browser without checking it for any malicious code.

A second way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense, but should not be used alone to battle XSS attacks.

Use of a new scripting language such as NodeJS can also help in prevention of the attack.

c). The two immediate responses that should be taken by the administrator should be:-

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

Immediate steps can be to temporarily suspend the website so that no more users can give the input of their information. Moreover, the administration should release an official mail asking the customers not to give their personal information if asked by the website.

Please give a positive review if the answer helps you. I'll be glad.
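An added example, not part of the answer above and not code from the jewelry shop's site: a hypothetical Node.js confirmation page that echoes the customer's name from a query parameter back into HTML. It shows the reflected-XSS pattern the answer describes (markup tagged onto the URL is rendered by the browser) beside the hardened form that applies the two preventive measures from part b (encode untrusted data on output, validate input), plus a simple server-side check an administrator could log or alert on. The function names, the page, the constructed names and the harmless `alert(1)` payload are all assumptions made for this example.

```javascript
// Added example (not from the original answer). Assumes a hypothetical
// confirmation page that echoes a customer's name from a query parameter.

// Vulnerable: the untrusted value is concatenated straight into the HTML,
// so any markup in the URL is parsed and executed by the victim's browser.
function renderConfirmationVulnerable(customerName) {
  return `<p>Thank you, ${customerName}. Your purchase details were received.</p>`;
}

// Output encoding: every character with HTML meaning becomes an entity,
// so the browser displays it as text instead of interpreting it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened: the same page, but the untrusted value is encoded on output.
function renderConfirmationSafe(customerName) {
  return `<p>Thank you, ${escapeHtml(customerName)}. Your purchase details were received.</p>`;
}

// Input validation as a second layer (the answer's "sanitize user input"):
// a customer name is letters, spaces, dots, hyphens and apostrophes,
// bounded in length. Anything else is rejected before it is stored.
function isPlausibleCustomerName(value) {
  return typeof value === 'string' && /^[\p{L} .'-]{1,80}$/u.test(value);
}

// Detection aid for the administrator: flags markup or script handlers in a
// field that should never contain them, suitable for logging and alerting.
function looksLikeMarkupInjection(value) {
  return /<\s*\/?\s*[a-z]|javascript:|on[a-z]+\s*=/i.test(String(value));
}

// Constructed inputs: a legitimate name and a textbook reflected-XSS probe.
const LEGIT_NAME = "Fatma Al-Balushi";
const INJECTED_NAME = '<script>alert(1)</script>';

// Runs both renderers over both inputs and reports what reaches the browser.
function demo() {
  return {
    vulnerableEchoesScript: renderConfirmationVulnerable(INJECTED_NAME).includes('<script>'),
    safeEchoesScript: renderConfirmationSafe(INJECTED_NAME).includes('<script>'),
    legitAccepted: isPlausibleCustomerName(LEGIT_NAME),
    injectedAccepted: isPlausibleCustomerName(INJECTED_NAME),
    injectedFlagged: looksLikeMarkupInjection(INJECTED_NAME),
  };
}

console.log(demo());
```

The key design point is that encoding happens at the point of output, in the HTML context, not at the point of input: a name stored safely in a database can still be dangerous if a later template concatenates it into markup, which is why the answer is right that input sanitization alone is not enough.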
