Concept of Social Engineering Attacks and Cross-Site Scripting

Last updated on Nov 16 2021
Praveen Chandra


Let us try to understand the concept of Social Engineering attacks through some examples.

Example 1

You must have noticed old company documents being thrown into dustbins as garbage. These documents might contain sensitive information such as names, phone numbers, account numbers, Social Security numbers, addresses, etc. Many companies still use carbon paper in their fax machines, and once the roll is finished, the carbon goes into the dustbin, where it may still carry traces of sensitive data. Although it sounds improbable, attackers can easily retrieve information from the company dumpsters by rummaging through the garbage.

Example 2

An attacker may befriend a member of the company's staff and establish a good relationship with him over a period of time. This relationship can be established online through social networks or chat rooms, or offline at a coffee table, in a playground, or through any other means. The attacker gains the confidence of the office staff and finally digs out the required sensitive information without arousing suspicion.

Example 3

A social engineer may pretend to be an employee, a valid user or a VIP by faking an identification card or simply by convincing employees of his position in the company. Such an attacker can gain physical access to restricted areas, providing further opportunities for attacks.

Example 4

In many cases an attacker may be near you and can shoulder-surf while you type sensitive information such as a user ID and password, an account PIN, etc.

Phishing Attack

A phishing attack is a computer-based social engineering attack in which an attacker crafts an email that appears legitimate. Such emails have the same look and feel as those received from the original site, but they might contain links to fake websites. If you are not careful, you will type your user ID and password and try to log in, which will fail; by that time, the attacker will have your ID and password and can use them to attack your real account.

Quick Fix

• Enforce a good security policy in your organization and conduct the required training to make all employees aware of possible social engineering attacks and their consequences.
• Document shredding should be a mandatory activity in your company.
• Double-check that any links you receive in email come from authentic sources and point to the correct websites. Otherwise you might end up as a victim of phishing.
• Be professional and never share your ID and password with anybody else, under any circumstances.

Ethical Hacking – Cross-Site Scripting

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX or Flash, but the most common form of XSS is malicious JavaScript.
Such attacks can also be used for account hijacking, changing user settings, cookie theft/poisoning, false advertising, and denial-of-service (DoS) attacks.

Example

Let's take an example to understand how it works. We have a vulnerable webpage taken from the Metasploitable machine. Now we will test the input field highlighted by the red arrow in the screenshot for XSS.


First of all, we make a simple alert script:

<script>
alert('I am Vulnerable')
</script>

If the field is vulnerable, the page reflects the script and the browser pops up the alert box, as shown in the original screenshot.

Types of XSS Attacks

XSS attacks are often divided into three types −
• Persistent XSS, where the malicious string originates from the website's database.
• Reflected XSS, where the malicious string originates from the victim's request.
• DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
Generally, cross-site scripting is found by vulnerability scanners, so you don't have to do all the manual work of inserting a JavaScript probe such as

<script>
alert('XSS')
</script>

Burp Suite and Acunetix are considered among the best vulnerability scanners.

Quick Tip

To prevent XSS attacks, keep the following points in mind −
• Check and validate all form fields, including hidden form fields, headers, cookies and query strings.
• Implement a stringent security policy. Set character limits on the input fields.
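As an added example (not code from the original post), the Node.js snippet below shows a reflected XSS sink of the kind the alert probe above triggers, beside the same page hardened with HTML output encoding, and a minimal version of the check a scanner performs after sending the probe. The search page and its term parameter are hypothetical, constructed for illustration.

```javascript
// Added example, not code from the original post. Plain Node.js, no dependencies.

// Encode the characters that let untrusted text break out of an HTML text or
// attribute context. This is output encoding, the primary XSS defence; in the
// browser the equivalent is writing untrusted data via textContent, not innerHTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable (hypothetical search page): the term from the victim's request is
// concatenated into the response as-is, so request data becomes markup. This is
// the reflected XSS case from the list above.
function renderSearchPageVulnerable(term) {
  return `<p>You searched for: ${term}</p>`;
}

// Hardened: identical page, but the untrusted value is encoded for the HTML context.
function renderSearchPageSafe(term) {
  return `<p>You searched for: ${escapeHtml(term)}</p>`;
}

// Minimal stand-in for what a scanner checks after sending the probe: did a
// <script> tag that the template itself never emits appear in the response?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the alert probe used earlier in the post.
const PROBE = "<script>alert('XSS')</script>";

// Runs both versions against the probe and reports whether each reflects it as markup.
function demo(term = PROBE) {
  return {
    vulnerableReflects: containsScriptTag(renderSearchPageVulnerable(term)), // true
    safeReflects: containsScriptTag(renderSearchPageSafe(term)),             // false
    safeOutput: renderSearchPageSafe(term),
  };
}

console.log(demo());
```

Encoding is context-specific: the table above is correct for HTML body and quoted attribute values, while JavaScript, URL and CSS contexts each need their own encoder.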
So, this brings us to the end of the blog. This Tecklearn 'Concept of Social Engineering Attacks and Cross-Site Scripting' blog helps you with commonly asked questions if you are looking for a job in Qlik Sense BI. If you wish to learn Qlik Sense and build a career in the Business Intelligence domain, then check out our interactive Qlik Sense Certification Training, which comes with 24*7 support to guide you throughout your learning period. Please find the link for course details:

https://www.tecklearn.com/course/qlik-sense-certification-training/
