Session-based SQL injection
Brief description: SQL injection is the most dangerous attack against web applications, and many different websites are vulnerable to it. SQL injection comes in several variants, such as plain SQL injection, blind SQL injection and cookie-based SQL injection. You already know the basic idea of cookies and why they matter: a cookie represents a session, and cookies are usually counted as part of cross-site scripting (XSS) attacks. But what is cookie-based SQL injection? In this article we discuss the cookie- or session-based SQL injection attack.
Did you say a "cookie"?
A cookie, also known as an HTTP cookie, web cookie or browser cookie, is used by an originating website to send state information to a user's browser, and by the browser to return that state information to the originating site. The state information can be used for authentication, identification of a user session, user preferences, shopping-cart contents, or anything else that can be achieved by storing text data.
Cookies are not software. They cannot be programmed, they cannot contain viruses and they cannot install malware on the host computer. However, spyware can use them to track a user's browsing activity, a major privacy concern that prompted European and US lawmakers to take action. Hackers can also steal cookies to gain access to the victim's web account. [1]
Where can I find my cookies?
Here is how to view the cookies your browser has stored. This method applies to Mozilla Firefox:
1. On the Tools menu, select Options. If the menu bar is hidden, press Alt to make it visible.
2. At the top of the window that appears, click Privacy.
3. To modify the configuration, from the drop-down menu under "History", select Use custom settings for history. Then enable or disable each setting by checking or unchecking the box next to it:
   To allow sites to set cookies on your computer, select Accept cookies from sites. To specify which sites are always or never allowed to use cookies, click Exceptions.
   To accept third-party cookies, check Accept third-party cookies. In the drop-down menu next to "Keep until:", select how long cookies should be kept on your computer.
   To see the cookies stored on your computer, click Show Cookies... In the window that appears, you can view the cookies on your computer, search for cookies and delete any or all of the cookies listed.
   To specify how the browser should erase the private data it stores, check Clear history when Firefox closes. Then click Settings... to choose the items that will be deleted when you close Firefox.
4. Click OK until you return to the Firefox window.
To delete all cookies, on the Tools menu, select Clear Recent History... Mark the items you want to delete and then click Clear Now.
Are you talking about a Cookie Poisoning attack?
Cookie poisoning attacks involve modifying the contents of a cookie (personal information stored on a web user's computer) in order to bypass security mechanisms. Through cookie poisoning, attackers can obtain unauthorized information about another user and steal their identity.
Cookie poisoning is a technique known mainly for achieving impersonation and breach of privacy by manipulating session cookies, which maintain the identity of the client. By forging these cookies, an attacker can pose as a valid client and thus obtain information and perform actions on behalf of the victim. The ability to forge such session cookies (or, more generally, session tokens) stems from the tokens not being generated securely. [4]
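The paragraph above blames forgeable session cookies on tokens that are not generated securely. The following Python is an added example (not code from the original article) that puts the weak pattern next to a hardened one: a token derived from guessable values, versus a random identifier whose cookie value carries an HMAC so that any edit made in the cookie jar is rejected. The key `SERVER_KEY`, the function names and the cookie layout `<id>.<mac>` are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side key, constructed for this example. A real
# deployment loads it from a secrets store, never from source code.
SERVER_KEY = b"example-key-for-illustration-only"


def weak_session_token(user_id: int, sequence: int) -> str:
    """The insecure pattern: a token built from values a client can guess.

    A client that knows its own user id and sequence number can derive the
    token of a neighbouring session, which is what cookie poisoning relies on.
    """
    return f"{user_id}:{sequence}"


def new_session_id() -> str:
    """A random session identifier with 128 bits of entropy (22 url-safe chars)."""
    return secrets.token_urlsafe(16)


def _mac(session_id: str) -> str:
    """HMAC-SHA256 of the session id under SERVER_KEY, hex encoded."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def sign_cookie(session_id: str) -> str:
    """Cookie value in the form '<session_id>.<hmac>'.

    The MAC binds the value to SERVER_KEY, so a client that edits the id in
    its cookie jar cannot produce a value the server will accept.
    """
    return f"{session_id}.{_mac(session_id)}"


def verify_cookie(value: str) -> Optional[str]:
    """Return the session id if the cookie is authentic, otherwise None."""
    session_id, sep, mac = value.rpartition(".")
    if not sep or not session_id:
        return None
    # compare_digest runs in constant time, so the check does not leak
    # how many leading MAC characters were correct.
    if not hmac.compare_digest(_mac(session_id), mac):
        return None
    return session_id


if __name__ == "__main__":
    sid = new_session_id()
    cookie = sign_cookie(sid)
    print("Set-Cookie: sid=%s; HttpOnly; Secure; SameSite=Lax" % cookie)
    print("authentic cookie verified:", verify_cookie(cookie) == sid)
    print("edited cookie accepted:", verify_cookie(cookie[:-1] + "x") is not None)
```

The MAC only proves the value was issued by the server; the random identifier is what stops guessing. Both are needed, and the cookie should still be sent with the HttpOnly, Secure and SameSite attributes shown in the Set-Cookie line.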
Cookie variables as an SQL injection vector:
SQL injection overview
An SQL injection attack consists of the insertion or "injection" of an SQL query through the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert / Update / Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the contents of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack.
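The section heading names cookie variables as the injection vector, and the overview above describes the attack in general. The following Python is an added example (not from the original article) that shows the concrete path: a session lookup that splices the `sid` cookie value into its SQL text, beside a hardened version that validates the token's shape and binds it as a query parameter. The in-memory SQLite table, the cookie header parser and the two sample headers are all constructed for this illustration.

```python
import re
import sqlite3
from typing import Dict, Optional

# Allowed shape of a session id: url-safe characters only. Constructed for
# this example; adjust to whatever the application actually issues.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{6,64}")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database holding two active sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("a1b2c3", "alice"), ("d4e5f6", "bob")],
    )
    conn.commit()
    return conn


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal parser for a raw Cookie request header: 'a=1; b=2' -> {...}.

    Values are returned exactly as sent, which is how the cookie becomes
    attacker-controlled input to the application.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def lookup_user_vulnerable(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """Insecure: the cookie value is spliced into the SQL text, so any quote
    or operator inside it is parsed as part of the query."""
    query = "SELECT username FROM sessions WHERE token = '%s'" % token
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_user_safe(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """Hardened: reject tokens of the wrong shape, then bind the value as a
    parameter so the database never interprets it as SQL."""
    if not TOKEN_RE.fullmatch(token):
        return None
    row = conn.execute(
        "SELECT username FROM sessions WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    # One legitimate request and one with a tampered cookie (constructed samples).
    for header in ("sid=a1b2c3; theme=dark", "sid=' OR '1'='1"):
        token = parse_cookie_header(header).get("sid", "")
        print(repr(header))
        print("  vulnerable lookup ->", lookup_user_vulnerable(conn, token))
        print("  safe lookup       ->", lookup_user_safe(conn, token))
```

With the tampered header the vulnerable lookup returns a real user although no valid session was presented, while the hardened lookup returns nothing. The parameter binding is the fix; the shape check is an extra layer that also gives a clean place to log rejected cookie values for detection.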