Cyber Range

Common Attack Types

The Common Attack Types cyber range familiarizes students with the basic theory and structure of the most popular web application attacks seen today. The range also comes with a vulnerable web application site where users can go beyond the guided labs and work through dozens of different vulnerabilities, ranging from the common to the more obscure.

The labs

Train hands-on

  • Common Attack Types – HTML & SQL Injections

    In this lab you will walk through an example of both HTML and SQL injections.

    HTML injections are vulnerabilities created by poor coding techniques and a failure to sanitize user input; they allow attackers to inject malicious payloads into the website’s HTML code and modify its content. Depending on the vulnerability, an attacker can change a few lines of code, add entire forms that can then be used to trick users into providing sensitive information, or change the website’s entire layout.

    SQL injection is a web security vulnerability that permits an adversary to inject malicious SQL statements into the queries that an application makes to its database. It allows an unauthorized entity to view data to which they should not have access, like other users’ information.

  • Common Attack Types – Cross-Site Scripting (XSS)

    Cross-site Scripting (XSS) is a client-side code injection attack. This vulnerability allows the attacker to insert malicious code into a legitimate website and control the victim’s browser or account. An XSS vulnerability arises when web applications take data from users and dynamically include it in web pages without properly validating it. The strength of an XSS vulnerability lies in the fact that the malicious code executes in the context of the victim’s session, allowing the attacker to bypass security restrictions. The damage caused by these types of attacks ranges from the disclosure of the user’s session cookie to website modification or installation of Trojan horse programs. Cross-site scripting can be categorized into three groups:

    ● Reflected XSS attacks

    ● Stored XSS attacks

    ● DOM-based XSS attacks

  • Common Attack Types – Insecure Direct Object Reference (IDOR) & Directory Traversal

    This lab walks a user through an example of Insecure Direct Object Reference and Directory Traversal.

    Insecure direct object reference (IDOR) is a type of access control vulnerability that occurs when an application exposes a direct reference to an internal object. Finding an IDOR allows attackers to enumerate and extract other information.

    Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to access restricted directories on the server. The directories can contain anything from application code and credentials for back-end systems to sensitive operating system files. If read and write permissions are not correctly set, attackers can modify the files and ultimately take full control of the server.

  • Common Attack Types – File Inclusion & Cross-Site Request Forgery (CSRF)

    In this lab you will learn about File Inclusion and Cross-Site Request Forgery attacks.

    File Inclusion vulnerabilities are caused when unvalidated input parameters are passed to back-end programming functions that access server files. The back end represents the server-side of the application, specifically its code and database. An attacker can change the file name in an HTTP request and include malicious scripts instead. Depending on the script, the attacker can:

    ● Execute code on the server

    ● Perform XSS attacks

    ● Cause a Denial of Service (DoS)

    ● Manipulate data

    ● Access sensitive information

    Cross-site request forgery (CSRF), also known as XSRF, Sea Surf, or Session Riding, is a vulnerability where unauthorized commands are submitted from a user that the web application trusts. The delivery mechanisms for CSRF attacks are similar to those for Reflected XSS. An attacker uses social engineering to trick the victim into sending a forged request to a server. The server does not block the request since it is made from an authenticated user.
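The HTML and SQL injection lab described above comes down to user input being treated as markup or as query text. As an added example (not part of the range's own material), the sketch below puts the concatenating form beside the hardened form for both cases; the table, sample rows and function names are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_vulnerable(db, name):
    # Before: the input is concatenated into the SQL text, so quote
    # characters in it can change the structure of the query.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    # After: the input is bound as a parameter and is only ever compared
    # as a value, whatever characters it contains.
    query = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def render_vulnerable(term):
    # Before: the input becomes part of the page's markup.
    return "<p>Results for " + term + "</p>"

def render_escaped(term):
    # After: <, >, & and quotes are encoded, so the input is shown as text.
    return "<p>Results for " + html.escape(term) + "</p>"

if __name__ == "__main__":
    db = make_db()
    sql_input = "nobody' OR '1'='1"      # constructed test input
    html_input = "<b>not a user</b>"     # constructed test input
    print(len(lookup_vulnerable(db, sql_input)), "rows from concatenated query")
    print(len(lookup_parameterized(db, sql_input)), "rows from bound query")
    print(render_vulnerable(html_input))
    print(render_escaped(html_input))
```
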
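For the IDOR and Directory Traversal lab described above, the server-side fixes are an ownership check on every object reference and a containment check on every resolved path. The following is an added example, not code from the range; the ownership table, base directory and function names are hypothetical.

```python
import os
from pathlib import Path

class AccessDenied(Exception):
    """Raised when a request refers to an object or path it may not use."""

# Constructed ownership table: document id -> owning user.
DOC_OWNERS = {101: "alice", 102: "bob"}

def get_document(current_user, doc_id):
    # IDOR control: an id taken from the request is only a claim. The
    # server checks that the authenticated user owns that object.
    if DOC_OWNERS.get(doc_id) != current_user:
        raise AccessDenied("document %r is not owned by %s" % (doc_id, current_user))
    return doc_id

def resolve_download(base_dir, requested):
    # Traversal control: resolve the final path first (this collapses ".."
    # and follows symlinks), then require that it is still inside base_dir.
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    # commonpath compares whole path components, so a sibling directory
    # such as "files_backup" does not pass as being inside "files".
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise AccessDenied("%r resolves outside %s" % (requested, base))
    return target

if __name__ == "__main__":
    import tempfile
    base = os.path.join(tempfile.mkdtemp(), "files")
    os.makedirs(base)
    # Constructed request values: one legitimate, three that must be refused.
    for name in ["report.txt", "../files_backup/x.txt", "../../etc/passwd", "/etc/passwd"]:
        try:
            print("allowed:", resolve_download(base, name))
        except AccessDenied as exc:
            print("denied: ", exc)
```

The containment check runs on the resolved path rather than on the raw request string, which is why encoded or nested `..` sequences that survive input filtering are still refused.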

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Plans & pricing

  • Infosec Skills Personal

    $299 / year

    • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Custom certification practice exams (e.g., CISSP, Security+)
    • Skill assessments
    • Infosec peer community support
  • Infosec Skills Teams

    $799 per license / year

    • Team administration and reporting
    • Dedicated client success manager
    • Single sign-on (SSO)
      Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
    • Integrations via API
      Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
    • 190+ role-guided learning paths and assessments (e.g., Incident Response)
    • 100s of hands-on labs in cloud-hosted cyber ranges
    • Create and assign custom learning paths
    • Custom certification practice exams (e.g., CISSP, CISA)
    • Optional upgrade: Guarantee team certification with live boot camps

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

You're in good company

We use Infosec Skills to provide continuous training to our technicians and to prepare them for various certifications. Infosec Skills allows us to create personalized training programs that focus on each of our technicians’ particular roles and see their progress as they take courses. We also recommend it to clients to make their IT support teams better.

Caleb Yankus

This has been utilized to bridge the skills gap across our cyber team and to aid them as they prepare for their various certifications. It also has provided a nice learning foundation for our various cyber team members to utilize as we continue to find ways for cross-utilization with operations while minimizing the downtime needed to ensure everyone’s knowledge is the same.

Daniel Simpson

We use Infosec Skills to provide base-level knowledge for employees. We also use the services to provide in-depth learning for employees as they encounter new technologies. If an employee is assigned to a new project, we can rely on Infosec Skills to provide a rapid concentrated learning environment. This rapid concentrated learning positions our employees for success.

Infosec Skills Teams client