The debug messages of the DBMS, when left enabled, are very useful to an attacker, because this information disclosure gives away a lot of useful data.
It consists in changing a parameter encoded in the URL. Changing the value is not the problem itself; the problem is that, whatever value I change it to, the site should not allow me to see other pages. Example: changing the patient id and seeing the page of another patient.
If the user is already logged in, it doesn't make sense to specify their id in the URL. Also, if the parameter is used in a SQL query, I can perform a SQL injection.
Another example would be appending
%2f..%2f..%2f..%2fetc/passwd
If the web server has a vulnerability, I could read an arbitrary file on disk.
It is really important not to store passwords in clear on the server, but even if someone steals a list with the hashes of the passwords, the attacker can compare the list to a precomputed list of hashes and do a sort of brute-force attack, with the work done offline and ahead of time.
A common trick to avoid this is salting, which consists in hashing the password together with a number used only once (called a nonce in crypto).
Another good measure is using a slower hashing function, so that brute-forcing becomes harder.
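As an added illustration of the two measures above (example code, not part of the original notes): an unsalted fast hash is matched offline against a precomputed table, while a per-password random salt plus a slow KDF (Python's hashlib.pbkdf2_hmac) defeats the table and slows each guess. The password list and the precomputed table are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small list of common passwords and the tiny
# precomputed digest table an attacker would build from it ahead of time.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def weak_store(password: str) -> str:
    """Unsalted, fast hash: equal passwords give equal digests, so a stolen
    list can be matched against a precomputed table with no live guessing."""
    return hashlib.sha256(password.encode()).hexdigest()

def crack_weak(stolen_digests):
    """Offline attack against weak_store(): one table lookup per digest."""
    return {d: PRECOMPUTED[d] for d in stolen_digests if d in PRECOMPUTED}

# Salted and deliberately slow: PBKDF2-HMAC-SHA256 with many iterations,
# so every single guess costs the attacker real CPU time.
ITERATIONS = 600_000

def strong_store(password: str, salt: bytes = b"") -> tuple:
    """Per-password random salt + slow KDF. Returns (salt, digest); both are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = strong_store(password, salt)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    # A "stolen" list of weak digests: two common passwords and one uncommon one.
    stolen = [weak_store("password"), weak_store("qwerty"), weak_store("Tr0ub4dor&3")]
    cracked = crack_weak(stolen)            # the two common ones fall instantly
    s1, d1 = strong_store("password")
    s2, d2 = strong_store("password")       # same password, different salt
    return {
        "cracked": len(cracked),            # 2
        "same_digest": d1 == d2,            # False: salt defeats the precomputed table
        "verify_ok": verify_strong("password", s1, d1),
        "verify_bad": verify_strong("qwerty", s1, d1),
    }

if __name__ == "__main__":
    print(demo())
```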
In summary normal people:
The password reset procedure is itself an alternative authentication measure. This procedure uses a reset link which can be used only once, and in this way it is tamper evident, so I know if it has been compromised.
Another way is to send an email to the registered address whenever an important piece of information is changed in the account, so that at least we know.
The weak point of this procedure is the email account: if someone breaks into the email account you used for registering, they can reset the passwords of your social networks and other services.
If the compromised account is that of a trade journalist, and a fake tweet is made about a great trade operation, this can have great consequences, because people will trade according to the news, sometimes even if it's not confirmed, and so it becomes a self-fulfilling prophecy.
Or, for example, a video shared by an important sports athlete would spread very fast.
Why do sites use security questions? They are not meant to authenticate the user but to prevent an unlimited number of reset requests, which would amount to a denial of service.
Regarding account locking, it can be the target of reverse brute-forcing, such as trying the most used passwords on all the different accounts of the website.
Locking the accounts turns the problem of brute-forcing into a possibility of denial of service, because if someone runs a brute-force every time the lock expires, I would not be able to access the account anymore.
A good way to avoid this is to use non-enumerable user names. Blocking the IP address is a good approach, but it can block an entire group of users that share the same IP behind a NAT.
Adding an exponentially increasing delay for a specific IP address is another good measure.
We can also use a CAPTCHA to prevent widespread use of scripting.
Cookies were initially meant for user customization of websites, many years ago. They are a code that allows the site to recognize you whenever you connect again.
The nasty side of this is when they are used by advertisement and tracking websites. And if a cookie is stolen, it is as valuable as a username and password.
To create multiple sessions, unique identifiers are used. Often websites use a session from which you can never log out, and every time you visit the website you are presented with the last page you were on the previous time. This is done to gather as much data as possible, because that's their business.
Facebook sells data, so the app is made as streamlined as possible, and creating events and the like is easy, because all these things bring money to Facebook.
The essence of the problem is that using web technology we need to mix code (e.g. HTML) and data (e.g. the blog comment).