Describe how a SQL injection attack works and ways to mitigate one.
Let us take an example of query that provide the name and description for item number 10.
SELECT Name,Description FROM Table
WHERE Number = 10 OR 1=1
since the statement 1 = 1 is always true, the query returns all names and descriptions in the database, even those which we don't want
Mitigation strategy:
1. Use prepared statement with parameterized queries.
2. Use stored procedures.
3. white list input validation
Describe how an SQL command injection attack might work.
An idea is to use the SQL injection attack to turn one SQL statement into two, with the second one being the update or delete statement. In SQL, semicolon (;) is used to separate two SQL statements. Please describe how you can use the login page to get the server run two SQL statements. Try the attack to delete a record from the database, and describe your observation. The login page is based on the SEED labs run on Ubuntu...
Explain the difference between Denial-of-Service and Distributed Denial-of-Service attacks. Why is the latter much more damaging? What is a Man-in-the-Middle attack? Describe how one may be launched. Describe how a SQL injection attack works and ways to mitigate one.
Create a SQL injection attack that will determine the correct field name that holds the user’s surname.
Task 3.2: SQL Injection Attack on UPDATE Statement — modify other people’ password
A security analyst identified an sql injection attack. Which of the following is the first step in remediating the vulnerability? A. implement stored procedures B. implement proper error handling C. implement input validations D. implements a WAF. Please explain. The only two options in my mind are A and C.
Give an example of an SQL injection. How are they typically used? How can they be avoided?
One of the best approach’s to deal with attacks such as SQL, LDAP, and XML injection is what? A. Using type safe languages B. Manual review of code C. Using Emanations D. Adequate parameter validation
A look at how SQL injection is done to simple databases, websites and applications while discussing the regulations and legal ramifications of it?
Most cyber-attacks happen because vulnerabilities in system or application software. Buffer Overflow, SQL Injection, Code/OS Command Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery and Race Conditions are very common vulnerabilities. (Refer to both NIST/DHS and MITRE databases of common vulnerabilities (http://nvd.nist.gov/cwe.cfm; http://cwe.mitre.org/top25/).) For this conference, explain what a specific vulnerability is, describe a famous attack that leveraged it (For example, the Morris worm leveraged the buffer overflow vulnerability), and how it can be prevented/minimized. Your post can either discuss a...