Various vulnerabilities in a web app
[-] SQL Injection
- Performed against the application's database by altering the SQL statement the application builds at runtime: user input is pasted into the query text, so the input becomes part of the command.
~ Cause
* Missing handling of special characters, above all the single quote (') and the double minus (--) comment marker, which lets user input close a string literal and then append SQL or comment out the rest of the statement.
* The attacker inserts SQL fragments into a URL parameter, cookie or form field.
~ Prevention
How to prevent SQL injection
* Limit the length of input fields where possible, enforced in the server-side source code and not only in the HTML form. This only delays an unskilled attacker who cannot fit a long command into the field; it is not a fix on its own.
* Filter the input entered by the user, especially single quotation marks (input validation). Escaping alone is fragile; the reliable form of this is a prepared statement, where the quote is bound as data and never parsed as SQL.
* Turn off, or at least do not display, the error messages coming from the SQL Server instance; verbose errors reveal table and column names to the attacker.
* Disable unneeded stored procedures, and in particular extended stored procedures, where possible.
* Change the account that SQL Server starts and runs under to a low-privilege user (SQL Server Security tab), so a successful injection cannot reach the operating system.
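The following is an added example, not code from the original post: the same login lookup written once with string concatenation (vulnerable) and once with a PDO prepared statement (hardened). It uses an in-memory SQLite database so it runs stand-alone; the users table, its rows and the attack payload are constructed for the demonstration, and the pdo_sqlite extension is assumed to be installed.

```php
<?php
// Added example (not from the original post). Constructed data: an in-memory
// SQLite database with two users, queried unsafely and then safely.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('bob', 'hunter2')");

// VULNERABLE: user input is pasted into the SQL text. A single quote closes
// the string literal and "--" comments out the rest of the statement, so the
// password check disappears from the query.
function login_vulnerable(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// HARDENED: the query text is fixed at coding time; values travel as bound
// parameters and cannot change the statement's structure. Quotes and "--"
// inside $user or $pass are just data compared against the column.
function login_safe(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed attack input: closes the quote, then comments out the password check.
$payload = "admin' -- ";

echo "vulnerable, payload as username, wrong password: "
    . (login_vulnerable($pdo, $payload, 'wrong') ? "LOGGED IN (bypassed)" : "denied") . "\n";
echo "safe, payload as username, wrong password:       "
    . (login_safe($pdo, $payload, 'wrong') ? "LOGGED IN" : "denied (payload treated as a literal username)") . "\n";
echo "safe, real credentials:                          "
    . (login_safe($pdo, 'bob', 'hunter2') ? "logged in" : "denied") . "\n";
```

Run it with `php sqli.php`. Hiding error messages and capping field length, as listed above, make the attack harder to tune but do not change what the vulnerable function does with the payload; only the prepared statement does.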
[-] Local File Inclusion / LFI - RFI
- Local File Inclusion (also known as LFI) is the inclusion of files on the server via the web browser. The vulnerability occurs when a script passes a user-controlled value to include()/require() without validation, so directory traversal sequences (../) are executed. With allow_url_include enabled the same bug becomes Remote File Inclusion (RFI): the attacker supplies a URL and the server includes code from another host.
~ Prevention
* Validate the variable against an allowlist of expected values.
* php.ini settings on the web server:
allow_url_include = off
allow_url_fopen = off
magic_quotes_gpc = on (deprecated in PHP 5.3 and removed in 5.4; do not rely on it)
* A prefix and suffix can be added around the include, like this:
include("./" . $_GET['imagefile'] . ".php");
The purpose is that accessing a file from outside the server then fails: "./" is prepended to every value before it is processed and ".php" appended after it, so a URL is no longer a URL. Note that this does not stop traversal to other local .php files (../../index still gets included), and on PHP before 5.3.4 a %00 null byte in the parameter truncated the appended suffix.
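An added example, not from the original post, of the allowlist validation recommended above, next to a realpath() containment check for the case where the page names are not known in advance. The allowlist entries, the pages/ directory and the test inputs are constructed; nothing is actually include()d, so the script is safe to run anywhere.

```php
<?php
// Added example (not from the original post). The page's pattern,
//   include("./" . $_GET['imagefile'] . ".php");
// blocks remote URLs, but "../../config" still includes other local PHP files.
// Both functions below decide what may reach include() before it is called.

// Constructed allowlist: the only page names this script is willing to include.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Exact match against the allowlist. Traversal characters can never match,
// so the request can only select among known files.
function resolve_page(string $requested): ?string {
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

// Alternative when pages are added dynamically: resolve the real path and
// require it to stay under the pages directory. realpath() collapses ../ and
// returns false for files that do not exist (including URLs).
function resolve_page_under_dir(string $requested, string $baseDir): ?string {
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // Prefix check including the separator, so "/pages_evil/x.php" does not pass for "/pages".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: a legitimate page, two traversal attempts and a remote URL.
foreach (['home', '../../../etc/passwd', '../index', 'http://evil.example/shell'] as $input) {
    $result = resolve_page($input);
    echo str_pad($input, 30) . ' => ' . ($result === null ? 'REJECTED' : 'include ' . $result) . "\n";
}
```

Only the first input survives resolve_page(); the "./" prefix alone would have let "../index" through. resolve_page_under_dir() needs a real directory to be useful, which is why the demonstration loop uses the allowlist version.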
[-] XSS / cross-site scripting
- A type of code injection attack: the attacker inserts HTML or client-side script code into another site, and the browser of a victim who views that page executes it.
- Patching
* You can use strip_tags(), htmlentities() or htmlspecialchars(). If you use strip_tags(), do not allow any tag, because allowed tags can still carry script in their attributes; it also does nothing for input placed inside an existing attribute. Make the encoding explicit as well (utf8_decode() if the input and page encodings differ, or better the charset argument of htmlspecialchars()) so code hidden behind an unexpected Unicode encoding is not missed.
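An added example, not from the original post, showing why strip_tags() is not an XSS fix on its own and how htmlspecialchars() with ENT_QUOTES and an explicit charset handles both a tag payload and an attribute breakout. The two payloads and the `<input>` template are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): strip_tags() versus
// htmlspecialchars() for a value that lands inside a quoted HTML attribute.

// Escape for insertion between tags or inside a double/single-quoted attribute.
// ENT_QUOTES also escapes the single quote; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string; the charset must match
// the page's declared encoding.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payloads: a script element, and an attribute breakout that
// contains no tag at all, so strip_tags() has nothing to remove.
$payloads = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
];

foreach ($payloads as $p) {
    $stripped = strip_tags($p);   // removes <script>...</script>, leaves the second payload intact
    $escaped  = h($p);            // turns < > " ' & into entities, so the attribute stays closed

    echo "input:      $p\n";
    echo "strip_tags: <input value=\"$stripped\">\n";
    echo "escaped:    <input value=\"$escaped\">\n\n";
}
```

In the strip_tags() output for the second payload the quote in the input closes the value attribute and the rest becomes an event handler; in the escaped output the quote is `&quot;` and the whole string remains the attribute's value. Escaping must be chosen for the context the value is written into (HTML body, attribute, JavaScript, URL); htmlspecialchars() covers the first two.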
[-] OS Command Injection
- OS command injection is an attack that injects operating-system commands into the server, through a script that passes user input to the shell.
- It is also what an attacker does once a site has been compromised and a backdoor (web shell) inserted.
- Causes of this are:
safe_mode: off (safe_mode was removed in PHP 5.4; use disable_functions in php.ini instead)
PHP functions that reach the shell, called with user-controlled input:
exec()
passthru()
popen()
proc_open()
shell_exec()
system()
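An added example, not from the original post: a "ping this host" feature that concatenates the host into a shell command, beside a hardened version that validates the input and quotes it with escapeshellarg(). The functions build the command strings but do not execute them, so the script can be run anywhere; the attack inputs are constructed.

```php
<?php
// Added example (not from the original post): building a ping command from a
// request parameter, unsafely and safely. Nothing here is passed to system().

// VULNERABLE: shell metacharacters in $host (; | & $( ) ` newline) run
// additional commands with the web server's privileges.
function build_ping_vulnerable(string $host): string {
    return "ping -c 1 " . $host;
}

// HARDENED: first reject anything that is not a plausible hostname or IPv4
// literal, then quote the argument so the shell treats it as one word
// regardless of its content. Validation and quoting are independent layers.
function build_ping_safe(string $host): ?string {
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;   // do not build a command at all for unexpected input
    }
    return "ping -c 1 " . escapeshellarg($host);
}

// Constructed inputs: one legitimate host and two injection attempts.
$inputs = ['example.com', '127.0.0.1; cat /etc/passwd', '$(id)'];

foreach ($inputs as $in) {
    $safe = build_ping_safe($in);
    echo "input:      $in\n";
    echo "vulnerable: " . build_ping_vulnerable($in) . "\n";
    echo "safe:       " . ($safe === null ? 'REJECTED by validation' : $safe) . "\n\n";
}

// Better still: avoid the shell entirely. On PHP 7.4+ proc_open() accepts the
// command as an array, e.g. proc_open(['ping', '-c', '1', $host], ...), and
// passes each element as a separate argument with no shell interpretation.
```

The vulnerable string for the second input ends in `; cat /etc/passwd`, which a shell runs as a second command; the same input never reaches the safe builder because the character class rejects `;` and spaces. Pair this with `disable_functions` in php.ini for the functions listed above that the application does not need.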
[-] Dynamic Code Execution
- A dynamic code execution attack injects PHP code or function names on the server, so the request decides what code runs.
- Relevant php.ini configuration:
unknown (no single setting prevents it; the risk comes from passing user input to the functions below)
PHP functions:
eval()
call_user_func()
call_user_func_array()
call_user_method() (removed in PHP 7)
call_user_method_array() (removed in PHP 7)
create_function() (deprecated in PHP 7.2, removed in 8.0)
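An added example, not from the original post, of the pattern behind this class of bug and its fix: a dispatcher that lets the request name the function to call (and a renderer built on eval()), next to an allowlisted dispatch table where the request can only select among handlers fixed in the source. The handler names and test inputs are constructed; the vulnerable functions are defined to show the shape of the bug and are deliberately never invoked.

```php
<?php
// Added example (not from the original post): request-controlled callables
// versus an allowlisted dispatch table. Requires PHP 7.1+ for the foreach
// destructuring syntax used below.

// VULNERABLE: the request chooses the function. action="system", arg="id"
// runs a shell command through call_user_func().
function dispatch_vulnerable(string $action, string $arg): string {
    return (string) call_user_func($action, $arg);
}

// VULNERABLE: eval() on request data is arbitrary code execution by design,
// e.g. expr = "system('id')".
function render_vulnerable(string $expr): string {
    return (string) eval('return ' . $expr . ';');
}

// HARDENED: the set of callable handlers is fixed when the code is written.
// Constructed table: request keys on the left, trusted callables on the right.
const HANDLERS = [
    'upper'   => 'strtoupper',
    'reverse' => 'strrev',
    'length'  => 'strlen',
];

function dispatch_safe(string $action, string $arg): ?string {
    if (!array_key_exists($action, HANDLERS)) {
        return null;   // unknown action: refuse rather than resolve a function name from input
    }
    $fn = HANDLERS[$action];
    return (string) $fn($arg);
}

// Constructed inputs: two legitimate actions and one naming a dangerous built-in.
foreach ([['upper', 'hello'], ['system', 'id'], ['reverse', 'abc']] as [$action, $arg]) {
    $out = dispatch_safe($action, $arg);
    echo str_pad("$action($arg)", 16) . ' => ' . ($out === null ? 'REJECTED' : $out) . "\n";
}
// dispatch_vulnerable() and render_vulnerable() are intentionally not called.
```

The same idea applies to call_user_func_array() and to variable functions (`$name()`): the value that selects the code must come from a table in the source, never straight from the request, and eval() on request data has no safe form.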
OK, bye and thanks :)
Title : Most Danger Web application vulnerabilities
Nice tutorial..
Thanks for sharing.
If you do not mind, you can also visit my websites:
http://mudow.com
http://endtechnews.com
http://lovegadgetnews.com
thanks ^^