Archive for the 'sql' Category
become a hacker with webgoat
Filed under: Information, Injection, LFI, PHP, RFI, XSS, sql, tools | Tags: ajax, flaws, hacking, learn, PHP, security, tutorial, webgoat, websecurity
Comments(0) WebGoat is a insecure web application which is designed to teach web application security concepts.
You can try hacking: Access Control Flaws, Authentication Flaws, Session Management Flaws, Cross-Site Scripting (XSS), Buffer Overflows, Injection Flaws, Improper Error Handling, Insecure Storage, Denial of Service, Insecure Configuration, Web Services and AJAX Security.
There is a “Lesson Plan” a kind of tutorial and in the “Hints Menu” you can view the parameters, cookies, the Code and the solution.
It’s a lot of fun and you learn more about web application security.
Protect your application against SQL injections part 2
Filed under: Injection, PHP, sql | Tags: Database, Injection, mysql, PHP, security, sql, sql-injection
Comments(0) In part 1 we made sure that the value is an integer, but what if a value could be a string?
You have to escape special characters in a string for using in a SQL statement. This means that a single quote (’) get a backslash before (\’).
There are escape functions for each popular database:
Protect your application against SQL injections part 1
Filed under: Injection, PHP, sql | Tags: Database, Injection, mysql, PHP, security, sql, sql-injection
Comments(3) Many applications use a database to store data. Popular products are MySQL, SQLite and PostgreSQL.
A lot websites use a number called ID in the URL to get more information to a dataset like a product or a posting.
The problem of using ID’s is if they aren’t validated, bad guys and girls can spy, change or destroy your database by manipulating the SQL query.
This attack is called SQL injection.
An example to get the field “title” in the row with the value of $_GET['id']
Pixy: XSS and SQLI Scanner for PHP Programs
Filed under: Information, PHP, XSS, sql, tools | Tags: Information, Injection, PHP, scanner, security, sql, sqli, sqlinjection, tools, XSS
Comments(0) Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.
There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.
