Beruflich Dokumente
Kultur Dokumente
2 WEB 2.0
SQL injection
*! !
"! !
++
!
73% of all reported and discovered vulnerability belongs to
web tecnology !!!
"#$
%""
&"'() !
)*+ ,
www.some-target-site.com
SQL Injection is a great potentioal
danger.
This king of attack uses a SQL
sequences from SQL. A Simple
SQL statement can give a data
from database to an attacker. There
is simple reason for that.
Application is made in a way that it
some' OR 1=1 -- does not validate input prior
some' OR 1=1 -- processing. SQL I can performed
from address bar, search form or
login form...
www.some-target-site.com/index.asp?id=some’ OR 1=1--
SELECT * FROM users WHERE
username= some ‘ OR
1=1--AND password=some’ OR 1=1-- SQL
)) - . /
http://www.some-target-site.com/search.php?text=
<script> document.location("http://hackrs-site.com/phishing_login.php")
</script>
JS or VB Script
)!01 )!02- ' # /
CSRF Host
”
hp
www.hackers-site.com client”. CSRF uses “betray the trust
.p
that a website has in its users”.
ut
http://www.webmailserver.com
go
UnliKe XSS, CSRF does not
/lo
Open connection
e.c et
required (but can be) malicious
om
s i t a rg
script to be injected into trusted
er o T
ttp Re
“h h
c = w it
JS or VB Script
g nse
<i spo
sr
Re
m
& $ ) $
S IS = S PE ∪ S PH ∪ S LO
S PE - Personnel Security
Considering the fact that 73% of reported and discovered
recent "intrusions“ into the systems have been made by
S PH - Physical Security failures that happen in web technology and web applications,
this article emphasizes S (Personnel Security).
PE
S LO - Logical Security
& #.
The article tried to give specific instructions to developers,
administrators,final users and managers in order to increase the
number of steps that a malicious user has to pass to reach our
information system
The author also pointed out the things that we need to pay attention
to and gave some recommendations that could be used and
installed into the individual model of development and success of a
"safer" IS
Companies should definitely do the "update" of their documents
called "Security Policy" and "Principles of IS Security".
It is also recommended to do the detailed audit of all information
systems - "penetration testing“...
The most important thing in the whole process is implementation of
IS security measures and policies.