Ethical Hacking – Cross-Site Scripting and SQL Injection

Ethical Hacking – Cross-Site Scripting
Cross-site scripting (XSS) is a code injection attack in which an attacker gets malicious script, almost always JavaScript, to run in another user's browser.
The attacker does not target the victim directly. Instead, the attacker exploits a vulnerability in a website that the victim visits, so that the website itself delivers the malicious script. To the victim's browser the script appears to be a legitimate part of the site, which has thus become an unwitting accomplice. Payloads have historically also been written as HTML, VBScript, ActiveX or Flash, but current browsers no longer run those technologies, so in practice XSS means malicious JavaScript.
Because the injected script runs with the same access to the page as the site's own code, XSS is used for account hijacking, changing user settings, cookie theft or poisoning, planting false content or advertising, and denial-of-service against the victim's browser.
Types of XSS Attacks
XSS attacks are often divided into three types −
● Persistent (stored) XSS, where the malicious string is saved by the website, for example in its database, and served to every user who later views the affected page.
● Reflected XSS, where the malicious string is part of the victim's own request, typically a crafted link, and the server echoes it back into the response.
● DOM-based XSS, where the flaw is in client-side code that writes data from the URL or the page into the DOM, so the payload may never reach the server at all.
Quick Tip
To prevent XSS attacks, keep the following points in mind −
● Treat every input as untrusted and validate it: visible and hidden form fields, headers, cookies and query strings alike.
● Encode output for the context it is written into (HTML body, attribute value, JavaScript string, URL); validation alone does not stop XSS.
● Enforce a strict input policy, including character and length limits on input fields, and deploy a Content Security Policy so that any script that does slip through is blocked from running.
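As an added example (not code from the original tutorial), the Python below renders a hypothetical search page that reflects the query string into three contexts: the HTML body, an attribute value and a JavaScript string literal. The page template, payloads and function names are constructed for illustration. The `audit` helper reads each context roughly the way a browser would and shows why the encoding must match the context: escaping `<` and `>` once stops the body payload but leaves the attribute and script-string slots injectable, and a JSON-encoded string still needs `<` hidden so that a `</script>` inside it cannot close the script block.

```python
"""Reflected XSS: one search term written into three HTML contexts, rendered
unencoded, with HTML-body escaping only, and encoded per context.
Added example for this page; not from the original tutorial."""
import html
import json
import re

# Constructed payloads, one aimed at each context (assumptions, not page content).
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"   # HTML body
ATTR_PAYLOAD = '" onmouseover="alert(1)'                    # quoted attribute
JS_PAYLOAD = "';alert(1)//"                                 # JS string, quote break-out
CLOSE_PAYLOAD = "</script><script>alert(1)</script>"        # JS string, tag break-out


def page_template(body: str, attr: str, js_literal: str) -> str:
    """Hypothetical search-results page; each slot is a different context."""
    return (
        "<h1>Results for " + body + "</h1>\n"
        '<input name="q" value="' + attr + '">\n'
        "<script>var last = " + js_literal + ";</script>"
    )


def render_vulnerable(query: str) -> str:
    """The reflected value is pasted straight in: XSS in every slot."""
    return page_template(query, query, "'" + query + "'")


def render_body_escaped_only(query: str) -> str:
    """Escapes & < > once and reuses the result everywhere: the common half-fix
    that still leaves the attribute and JavaScript slots injectable."""
    e = html.escape(query, quote=False)
    return page_template(e, e, "'" + e + "'")


def render_hardened(query: str) -> str:
    """Encodes for each context: body, quoted attribute, JavaScript string."""
    body = html.escape(query)                        # & < > " ' escaped
    attr = html.escape(query, quote=True)            # quotes must be escaped here
    js = json.dumps(query).replace("<", "\\u003c")   # JSON literal; "<" hidden so
    return page_template(body, attr, js)             # "</script>" cannot end the block


def _attr_value_round_trips(page: str, query: str) -> bool:
    """The value attribute, read as a browser would, must equal the query."""
    m = re.search(r'<input name="q" value="([^"]*)">', page)
    return m is not None and html.unescape(m.group(1)) == query


def _js_string_round_trips(literal: str, query: str) -> bool:
    """Parses a JS string literal (single or double quoted, backslash escapes,
    backslash-u escapes). Intact only if the literal spans the whole slot,
    decodes back to the query, and holds no raw </script that ends the block."""
    if "</script" in literal.lower() or literal[:1] not in ("'", '"'):
        return False
    quote, out, i = literal[0], [], 1
    while i < len(literal):
        c = literal[i]
        if c == "\\":
            nxt = literal[i + 1]
            if nxt == "u":
                out.append(chr(int(literal[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append({"n": "\n", "t": "\t"}.get(nxt, nxt))
                i += 2
            continue
        if c == quote:
            break
        out.append(c)
        i += 1
    return i == len(literal) - 1 and "".join(out) == query


def audit(page: str, query: str) -> dict:
    """Reports, per context, whether the reflected query stayed inert data."""
    m = re.search(r"var last = (.*);</script>$", page)
    return {
        "extra_script_tags": page.lower().count("<script") - 1,  # template has one
        "attr_intact": _attr_value_round_trips(page, query),
        "js_intact": m is not None and _js_string_round_trips(m.group(1), query),
    }
```

Run `audit(render_body_escaped_only(ATTR_PAYLOAD), ATTR_PAYLOAD)` and `audit(render_hardened(ATTR_PAYLOAD), ATTR_PAYLOAD)` side by side to see the half-fix fail where the per-context version holds.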
Ethical Hacking – SQL Injection
SQL injection is an attack in which SQL fragments are supplied through a URL parameter, form field or other input so that they become part of the query the web application sends to its database, making the database return or change whatever the attacker wants. It is classically associated with pages written in PHP or ASP.NET, but any application that assembles SQL statements by concatenating user input is exposed, whatever the language.
An SQL injection attack can be done with the following intentions −
● To dump the whole database of a system,
● To modify the content of the databases, or
● To perform different queries that are not allowed by the application.
This type of attack works when the application does not validate its inputs, or does not keep them separate from the SQL statement they are passed into. Injections are normally placed in address bars (URL parameters), search fields or other data fields.
The easiest way to detect whether a web application is vulnerable to SQL injection is to put a single quote ( ' ) into an input and see whether a database error comes back. A clean response does not prove the input is safe: the error may be hidden or the injection may be blind, in which case boolean-based (true/false conditions) or time-based probes are the next step.
Quick Tips
To prevent your web application from SQL injection attacks, you should keep the following points in mind −
● Unchecked user input must never reach the database through the application's forms or API; every value the user can influence is untrusted.
● Every variable that enters the application should be validated (type, length, allowed characters) before it is used.
● User input should never be placed into an SQL statement by quoting or escaping it by hand. Use parameterized queries (prepared statements) so that the database always treats the input as data, and give the application's database account only the privileges it needs, so that a successful injection cannot dump or modify everything.
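The single-quote probe, the login bypass and the database dump discussed above, as an added example that is not part of the original page: a login query against an in-memory SQLite database, built first by string formatting and then with bound parameters. The table layout, user rows, payloads and function names are constructed for this example; `login_vulnerable` and `login_hardened` are hypothetical handlers, not code from any real application.

```python
"""SQL injection against a login query: string-built SQL beside the
parameterized form. Added example (not from the original page); runs
offline against an in-memory SQLite database."""
import hashlib
import sqlite3

# Constructed payloads (assumptions for this example, not page content).
QUOTE_PROBE = "'"                                        # the single-quote test
BYPASS = "admin'--"                                      # comments out the password check
DUMP = "' UNION SELECT name, sql FROM sqlite_master--"   # reads the schema instead of users


def digest(password: str) -> str:
    # Demo only: a real application stores a slow password hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_hash TEXT, role TEXT)")
    for user, pw, role in (("admin", "hunter2", "admin"), ("alice", "s3cret", "user")):
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, digest(pw), role))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the statement by string formatting, so input becomes SQL."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password_hash = '{digest(password)}'")
    return conn.execute(sql).fetchall()


def login_hardened(conn, username: str, password: str) -> list:
    """Same query with bound parameters: input is always data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, digest(password))).fetchall()


def quote_probe_errors(conn, login) -> bool:
    """The detection step from the text: does a lone quote break the query?"""
    try:
        login(conn, QUOTE_PROBE, "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "quote error:", quote_probe_errors(db, fn))
        print(name, "bypass:", fn(db, BYPASS, "wrong"))
        print(name, "dump:", fn(db, DUMP, "wrong"))
```

Against the string-built query the `BYPASS` value logs in as admin without a password and `DUMP` returns the `CREATE TABLE` statement from `sqlite_master`; the parameterized query returns no rows for either, and the quote probe produces no error because the quote is bound as data.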