Security Testing

Showing posts with label defend. Show all posts
Showing posts with label defend. Show all posts

Thursday, July 5, 2018

SQL Injection

Nowadays SQL injection is a common attack that use malicious SQL injection code for database manipulation to access information.
                                                                                OR
When exploiting SQL injection, the web application display error message from the database. Database complaining that the query syntax is incorrect.
                                                                                OR
Gain the unauthorized access to the website through the SQL Injection and take the information.


How to exploit:-
EX
Take a simple username (admin) and password we choose
‘ OR ‘a’=’a
From users WHERE user=’admin’ AND password=’ ‘ OR ’a’=’a’
‘a’ = ‘a is a true value
Let's analyze
Username=’admin’ AND Password=’’ OR ‘a’=’a’
Means username password true
Use Burp suite tool and inject the customize attack through Intruder
Here we introduce some SQL attack.
 or 1=1
or 1=1--
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'# ………….etc

How to Fix:-

1.       Use stored procedure
2.       Use parameterize query
3.       Limit database permission and privilege
4.       Avoid display database error directly to the user

5.       Use the regular expression to identify the text block and sql statements
Posted by at No comments:
Labels: , , , , , , , , , , , , , ,

Wednesday, June 6, 2018

Clickjacking Attack and Prevention

Clickjacking:-
This type of attack requires an attacker to use javascript. Attacker insists a user perform an undesired action by clicking on a concealed link. The attacker loads another page on it in a transparent layer.
                                                                                                OR
The attacker hijacks the click event of their page and routing them to another page.
<HTML>
                <head>
                                <title>click</title>
                </head>
                <body>
                <p>website vulnerable clickjacking</p>
                <iframe src=”url” width=”500” height=”500”></iframe>
                </body>
</HTML>


Defend:-
Use clear click functionality in No script. You can use the relaxed setting but make sure you can enable the clear click. This prevents the clickjacking attacks.

Server-side: Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers
The two most popular are X-Frame-Options: Deny and X-Frame-Options: SameOrigin.


Client-side: Most commonly use frame busting code typically consists of a "conditional statement" and a "counter-action" statement. The aim of this technique is to prevent a site from functioning when it is loaded inside a frame.
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)