Computer Security Fundamentals

Presentation transcript:

Computer Security Fundamentals by Chuck Easttom Chapter 6 Techniques Used by Hackers-2

Cain and Abel
© 2016 Pearson, Inc. Chapter 6 Techniques Used by Hackers

SQL Injection
- One of the most common attacks
- Depends on knowledge of SQL
- Basics are easy
- Versatile and can do a lot more than many realize

What Is SQL?
A relational database contains one or more tables, each identified by a name. Tables contain records (rows) with data. For example, a table called "users" contains data distributed in rows and columns. SQL (Structured Query Language) uses commands such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others.
Example:
SELECT * FROM tblUsers WHERE USERNAME = 'admin'

More on SQL
Web sites are written in some programming language such as PHP, ASP, JSP, or ASP.NET. Those programming languages have their own syntax (not SQL), so programmers put the SQL into their code as strings. Let's say you type your username into a text field called txtUsername and your password into a text field called txtPassword. The code in the program has to put the SQL statement into a string and append whatever you entered in those two text fields. It will look something like this:

string sSQLstatement;
sSQLstatement = "SELECT * FROM tblUSERS WHERE UserName = '" + txtUsername.Text + "' AND Password = '" + txtPassword.Text + "'";

So the string will contain:

SELECT * FROM tblUSERS WHERE UserName = 'admin' AND Password = 'password'

However, whatever you type into those text fields is put into the string exactly as typed.

SQL Script Injection
Single quote added to the password. Add the following to the username box and the password box:
' or '1'='1
OR
' or 'a'='a
Also try:
password' or (1=1)
Or people try:
anything' OR 'x'='x
or people try, as the password:
'1=1- -
Try using a double quote (") if a single quote (') is not working.

What Does This Cause?
Well, you would have had:
SELECT * FROM tblUSERS WHERE UserName = 'admin' AND Password = 'password'
Instead you have:
SELECT * FROM tblUSERS WHERE UserName = '' or '1'='1' AND Password = '' or '1'='1'
So now it says to get all entries from the table tblUsers if the username is '' (blank) OR IF 1=1, and if the password is '' (blank) OR IF 1=1!
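The two slides above can be reproduced end to end. The following is an added example, not code from the book or its slides: it builds the same concatenated string, runs it against a constructed in-memory tblUSERS table with one admin row (an assumption), and shows the parameterized form of the same query, where the driver keeps the input out of the SQL syntax so the always-true condition is never parsed.

```python
import sqlite3

# Constructed sample database mirroring the slide's tblUSERS (assumption:
# a single admin row; the slide stores the password in clear text, which is
# kept here only so the query matches the slide).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUSERS (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO tblUSERS VALUES ('admin', 'password')")
    conn.commit()
    return conn

def build_query_unsafe(username, password):
    # The slide's string concatenation: user text is spliced into the SQL,
    # so a quote in the input closes the literal and the rest becomes syntax.
    return ("SELECT * FROM tblUSERS WHERE UserName = '" + username +
            "' AND Password = '" + password + "'")

def login_unsafe(conn, username, password):
    # Number of rows the concatenated query returns.
    return len(conn.execute(build_query_unsafe(username, password)).fetchall())

def login_safe(conn, username, password):
    # Parameterized query: the values travel separately from the SQL text,
    # so "' or '1'='1" is compared literally against the column contents.
    rows = conn.execute(
        "SELECT * FROM tblUSERS WHERE UserName = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return len(rows)

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(build_query_unsafe(payload, payload))
    print("unsafe rows:", login_unsafe(db, payload, payload))  # 1 (admin row)
    print("safe rows:", login_safe(db, payload, payload))      # 0
```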

Cross Site Scripting
An attacker injects client-side script into web pages viewed by other users. The term cross-site scripting originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain.
Essentially, you enter scripts into an area that other users interact with, so that when they go to that part of the site, your own script runs rather than the intended Web site functionality. This can include redirecting them.

OphCrack - How It Works
Download OphCrack and burn the image to a CD. Put the CD in the target computer and boot from the CD. It boots as Linux, grabs the Windows password file, then uses cracking tools to crack that file and produces a text file with usernames and passwords. You cannot even consider yourself a hacker without this tool in your toolkit.

Malware Creation
- GUI tools
- Batch files
- Writing your own

Malware Creation

Other Attacks
- Pass the hash
- Scripts

Pen Testing
- NIST 800-115
- National Security Agency Information Assessment Methodology
- PCI Penetration Testing Standard