1. Introduction
Numerous web applications are vulnerable to attack because of unsecure code. Common attacks are SQL injection and XSS. The aim of this project is to identify vulnerabilities in source code, then attack the vulnerabilities, and finally, fix the errors to make the code secure. The input fields in the register and login pages of a basic web application will be used to demonstrate the attacks used. The attacks used in the report are SQL injection and XSS. SQL injection will be fixed using PHP Data Objects (PDO) prepared statements and the XSS vulnerabilities will be fixed using htlmentities.
The report also contains screenshots that will aid the readers overall understanding.
2. Code Vulnerable to SQL Injection
The index page contains one line of code that's vulnerable to SQL injection. The vulnerable code is :
$checklogin = mysql_query("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");
The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user. The interpreter will execute the command based on the inputs received for the username and password fields. The code is not filtered for escape characters and the query is then passed into a SQL statement. The single and double quotes and the concatenation allow SQL injection. The code is vulnerable to SQL injection because the user is free to input anything they want in the form fields. A well crafted query string can manipulate the back-end database and log the user in even if they've not registered. Amending the query string can potentially delete or modify records in the database.
A static code analyzer specifically for PHP code is RIPS. RIPS is one of the best tools to scan for vu...
... middle of paper ...
... execute malicious code on the end users systems. Web pages that pass data to a back-end database are vulnerable to this type of attack. Common examples are login forms with usernames and passwords.
A scan for XSS vulnerbilities in RIPS reveals a total of 15 vulnerabilities. (See Figure 3-1 below).
Figure 3-1 XSS vulnerabilities RIPS.
RIPS returns a number of false positives and should only be used as a guide to aid in finding XSS vulnerabilities. The code on the register page that vulnerable to XSS are the variables username and email. The password variable is not vulnerable becuase it's hashed with MD5. The vulnerable code is :
$username = $_POST['username'] & $email = $_POST['email'].
POST is a little safer than GET because the parameters are not stored in browser history or in web server logs. The variable email on the index page is also vulnerable.
His wife would bad mouth him and yell at him, but Rip wouldn't do much
A developer for Aim Higher College is creating a Web server form for submission of calendar events to the College’s event calendar. First let’s look into the type of the attacks the web server would be vulnerable to. The website server can fall into the wrong hands and face xss attacks where the attacker steals important information of the client and reduces the speed of the network and also sends large volume...
Rip is viewed in the town as a person who helped everyone with anything, except his own family- “…he was a simple ...
CVSS, or Common Vulnerability Scoring System, provides a method for assessing and prioritizing previously unknown vulnerabilities in an application’s code that have been identified for IT management to address (Scarfone & Mell, 2007). CCSS, or Common Configuration Scoring System, is based off of using similar metrics to CVSS but is focused on known vulnerabilities based upon decisions regarding security configurations of the program.
In light of the discovery that Slippery Slope’s application server has been compromised for some time now, the first step we will need to take is to isolate the server from the web server and database server. Keeping the server online any longer could potentially exacerbate the situation. The responsibility of this rests with Mike, as he is responsible for all the servers we have. Additionally, he’ll be required to take an image of the server in question so that we can conduct the necessary analysis to determine the root cause of this occurrence. Since taking the server offline would result in the website being brought down, we would require Jill to put up a page when users access our site, informing them that our services are temporarily unavailable due to technical issues. As it has been found that the credentials to access the database server were embedded in the application server code, it is quite possible that the data we have stored has
proclaims, "Sure enough! it is Rip Van Winkle -- it is himself." (Page 411) After her identification is
Privacy and security issues have become one of the top concerns among computer users in today’s market. It has become a game of survival of the fittest in protection of your security. The only true way to defend yourself is knowledge. You should prepare your self against hackers, spammers and potential system crashing viruses and web bugs. Lets focus on how you can protect yourselves from the would be thieves.
One main issue of the story was one of identity, especially at this time in history. Rip was having difficulty finding himself throughout the story. His wife constantly nagged at him probably all in good reason. His farm was fading away. He was lazy and unproductive. He underwent many emotional changes throughout the story. He didn't appreciate what he had, and before he could even blink it was gone. Life is too short to not appreciate everything in it and enjoy it to the fullest.
“Rip Van Winkle” is set during the reign of King George the Third in a small village near the Catskill Mountains. Rip, the protagonist, states his residence is “a little village of great antiquity,” (page 62). In the opening of the story, the village where Rip held residence was remote and of great age. Villagers did not expand and can be described as complacent. Upon Rip’s return to the village after a mystical event, Rip is perplexed to see that the only thing recognizable is the natural surrounding features of the Catskill Mountains. The small village was now “larger and more populous. There were rows of houses which he had never seen before, and those which had been his familiar haunts had disappeared,” (page
Web Design is a field that has been around for only thirty years, but has evolved drastically throughout that time. HTML has changed much, and new scripting languages such as CSS and JavaScript to name two, have arisen to help tackle the challenge that web development can be. From basic text pages to fully interactive sites, the world of web development has made significant leaps consistently throughout its short lifetime.
"God knows,--[God is the only person at this time who knows what/who Rip is. Rip doesn't know, his son doesn't know, nobody knows except God himself]--" exclaimed he, at his wit's end; "I'm not myself-I'm somebody else-that's me yonder-no-that's somebody else, got into my shoes--[He sees that he has passed along his traits to his son, and his son has taken over Rip's identity and habits. We "grow" into other's shoes]-- -I was myself last night, but I fell asleep on the mountain, and they've changed my gun, and every thing's changed, and I'...
The purpose of this paper is to analyze the security of UNIX. Considerations shall be given regarding generalized security aspects of a typical UNIX system. The ultimate scope of the following presentation shall remain within the boundaries of a few of the more critical UNIX security aspects. Of particular note will be discussion regarding standard user access, root access, file system security, and internet access precautions. This will not focus on specific measures used to implement security, but rather will investigate both pros and cons typical of a UNIX installation. Finally, a brief description of UNIX security versus other operating systems will be noted.
When Rip awakens after a two decade slumber he is unaware of how much the world around him has changed. When Rip arrives to the town his only the only thing he is worrying about is the lecture he will be receiving from Dame “he dreaded to meet his wife” (Irving 86). Rip arrives in the town shocked when he finds the image of King George III replaced by George Washington. As Rip proceeds through the neighborhood that he once knew, he becomes confused and unable to comprehend the current government which he is now living under, so much that he is baffled when he is questioned by towns’ people as to “which side he voted?” (Irving 89). Although there were still plenty of loyalist around at the time of Rips awakening “The revolution awoke the fire within the American Spirit and the townspeople became alive with anticipation of their new government” (Freeman). Rip is now having to adapt to these patriotic
Another command added to this code will make it so that if the user enters the wrong password the code will send them to a site of the scripts designers choice. Java Script is also a popular language for making simple interactive games like bridge and peg games. These codes can provide hours of fun! Java Script is used mainly on pages that need to allow users to enter information or choose from options on the page.
...a malicious site where the malicious code like the activex control can be downloaded on to the users system. This infects the users computer.