F. Glossary

Many of the definitions below are taken from the OWASP glossary (https://www.owasp.org/index.php/Category:Glossary) and the NIST Glossary of Key Information Security Terms, NISTIR 7298, revision 2 (http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf). Definitions taken from these documents contain links to the source document in the title of the glossary term.



Application programming interface. For Web and mobile applications, this is a network-facing interface that the application can use to request user-specific information from the application's servers.

Authentication cookie

See session token.



A data object that binds information about a person or some other entity to a public key. The binding is generally done using a digital signature from a trusted third party (a certification authority).

Certification authority

An entity that manages digital certificates -- i.e., issues and revokes.


Data in its encrypted form.


Data exchanged between an http server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use.

Cross-site scripting

A class of problems resulting from insufficient input validation where one user can add content to a Web site that can be malicious when viewed by other users of the Web site. For example, one might post to a message board that accepts arbitrary HTML and include a malicious code item.


Eavesdropping attack

Any attack on a data connection wherein one simply records or views data instead of tampering with the connection.


Conversion of plain text to cipher text through the use of a cryptographic algorithm.


To successfully leverage a security vulnerability to gain unauthorized access to a system or its contents.


The ease with which a given vulnerability can successfully be exploited.


Hash function

A function that maps a string of arbitrary length to a fixed size value in a deterministic manner. Such a function may or may not have cryptographic applications.


Hypertext Transport Protocol, the network-messaging protocol commonly used for transmission of requests and responses (including Web pages and data) between browser and mobile applications and their servers.


Secure http, or http sent over a secure link to protect the authenticity, privacy, and security of the information being transmitted.



The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Intercepting proxy

See proxy.

Internet protocol

Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.



A standard name used to define the network name of the host computer to programs running on that computer. In other words "this computer." For example, setting the IP address in a proxy program to localhost tells it to monitor that computer's network interface. This can also be represented with the default address ""


Man-in-the-middle attack

An eavesdropping attack wherein a client's communication with a server is proxied by an attacker. Generally, the implication is that the client performs a cryptographic key exchange with an entity and fails to authenticate that entity, thus allowing an attacker to look like a valid server.


See man-in-the-middle attack.



A digital form of social engineering that uses authentic-looking -- but bogus -- emails to request information from users or direct them to a fake Web site that requests information.


Intelligible data that has meaning and can be understood without the application of decryption.


A program that acts as an intermediary between a user's applications and the Internet. In security testing, a proxy can be used to examine and modify the requests and responses between an application and its servers.


Remote attack

A remote attack can be exploited without access to a user's network traffic. For example, an API that provides user information without checking that the requestor has access rights for the information makes a remote attack possible.



Data that can be public but is used to prevent precomputation attacks.

Secure Socket Layer

A popular protocol for establishing secure channels over a reliable transport, utilizing a standard X.509 public key infrastructure for authenticating machines. This protocol has evolved into the TLS protocol, but the term "SSL" is often used to generically refer to both.

Session token

A value that represents a user's identity during his or her session. Typically the user provides some form of credentials (e.g., username, password, possibly a one-time token value from a second authentication factor), and the server returns a token value that represents the user's identity. In Web applications, this token is often returned in a cookie. The client application includes the session token with each request, enabling the server to associate each request with the same user, role, and session.

Session hijack

An attack that takes over a session belonging to another user. This is typically accomplished through acquiring the user's session-token cookie and installing it in an attacker's browser. Also known as a sidejack.


See session hijack.


Attacks where data is read off a network while in transit without modifying or destroying the data.

See also eavesdropping attack.

Social engineering

A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.


The practice of falsifying data to masquerade as a legitimate resource or entity.


See Secure Socket Layer.

SSL certificate spoofing

An attack that provides an SSL certificate from an untrusted source in an attempt to gain access to encrypted SSL communications. Problems in a mobile application's certificate verification can allow this attack to succeed.



See Transport Layer Security.

Transport Layer Security

The successor to SSL, a protocol for establishing secure channels over a reliable transport, using a standard X.509 public key infrastructure for authenticating machines. The protocol is standardized by the Internet Engineering Task Force (IETF).

See also Secure Socket Layer.



Uniform resource locator, another term for a site's "Web address" specifying how to find it on the Internet. For example: "https://www.graphite.org" is a URL.



A security weakness in a system or application. A vulnerability creates an opportunity for an exploit that can impact an application and its users by compromising the system or its contents.