Website Hacking Techniques and their workarounds

-
Website Hacking Techniques and their workarounds

Cross-site Request Forgery:

Sometimes, hackers make an API call to another website. It is called fake identity or false authorization
To prevent CSRF, we add an input element with type "hidden" and a _token to the value of a 32 character token that is sent by the server to the client in the first response.
After this, the client will send this token in the hidden field every time the client makes HTTP requests to the server
Hence, the server matches the token sent by the client to the token stored by the server at every clientHTTP request, and if it matches, it means , that the cliengt is a genuine client.

For some pages in a website,
We don't want this authorization to take place, hence we disable the token field in the HTTP request for that web page.

SQL Injection:- Sometimes, in a form, which has input fields, the user enters random values like '1'='1' in the textfield
If, on the server
the SQL statement is like

      
 sql = select * from users
       where username=$_POST["username"] and password=$_POST["password"] or $_POST["date"]

Here, if one enters date = <"1" = "1">
It will return true, even if the name or password is fake
htmlspecialchars() function to convert html special charcters to their encoded values and in SQL in the database server,
We use prepared statement like:
    
    sql = "select * from table1
    where name = ? and password = ?
    otr date= ?

Then we bind the parameters values to the question mark
In URLs, the special charcters are encode into encoded charcters
For example

  • <space> is converted to + or %20
  • " is converted %3D
  • ' is converted to %3E and so on

XSS (Cross Site Scripting)

In XSS, hackers type special HTML5 characters like < and > and so on that are interpreted as HTML5 markup and are formatted and sent that spam data to the server
Let us look at an example:

Comments

Post a Comment

Popular posts from this blog

XPath for HTML markup

-
XPath Web Scraping Web Scraping is a technique to traverse the DOM (Document Object Model) of an HTML or an HTTP web page Web Scraping is achieved due to XPath XPath nodes: There are seven kinds of nodes Element - It represents any HTML 5 element. For example, <strong></strong> Attribute - It represents any one attribute of any HTML 5 element in the document object model Text - It represents the text between the opening HTML 5 tag and a closing HTML 5 tag Namespace - It represents the pseudo selector of an HTML 5 element Processing-Instructions Comment - It represents any HTML 5 comment It represents the topmost element of the tree is called the root element. For example, the root element for any HTNL 5 document is HTML The first XPath node is \ which Suppose, I have an HTML5 code snippet as follows: Gaurav Shirodkar Then to ...
Read more

Apache Hadoop | Running MapReduce Jobs

-
Image
Apache Hadoop | Running MapReduce Jobs After setting up your environment and running the HDFS and YARN daemons, we can start working on running MapReduce jobs on our local machine. We need to compile our code, produce a JAR file, move our inputs, and run a MapReduce job on Hadoop. Step 1 - Configure extra environment variables As a preface, it is best to setup some extra environment variables to make running jobs from the CLI quicker and easier. You can name these environment variables anything you want, but we will name them HADOOP_CP and HDFS_LOC to not potentially conlict with other environment variables. Open the Start Menu and type in 'environment' and press enter. A new window with System Properties should open up. Click the Environment Variables button near the bottom right. HADOOP_CP environment variable This is used to compile your Java files. The backticks (eg. `some command here`) do not work on Win...
Read more

Laravel | PHP | Basics | Part 2

-
Image
Learning Laravel through Screenshots Caching Laravel by default supports multiple cache stores like memcached , redis ,etc. To install redis as a cache store, you should use composer install predis/predis predis stands for PHP redis The default port number is 6379 Every Cache store requires a prefix which is stored in the ENV file or in the config/cache.php Following are the cache stores supported by laravel Blade Templates Blade is a templating engine for views in laravel. All the files which are of type blade.php are having the extension .blade.php They are stored in the resources/views directory YOu can create suub-folders in the reosurces/views directory like layouts for all the common UI components lke header , footer, sidebar , navbar, menubar, serach bar, etc. To include the parenet ...
Read more