How to protect against Unexpected Inputs

by Yoko Jelkovich.


When you surf the Internet, you download one of two types of Web pages to your computer: static or dynamic. A static Web page sits on a Web server until a client computer sends a request for it. Once requested, the page is sent to the client exactly as it was written, and the browser simply renders it. A static page is little more than an online brochure or advertisement, and it cannot do the things that make the Web useful, such as searching or shopping. On the other hand, because a static page accepts no input from the visitor, it exposes very little to an attacker.

In contrast, dynamic Web pages exist only in a partial state before they are requested. Using server-side scripting languages, the Web server fills in the missing parts and assembles the page before sending it to the client's computer. This approach allows database interaction, shopping carts, and customized parts of a page, such as colors, names, and layouts. The price of that flexibility is that the server now acts on data the visitor supplied, and that data cannot be trusted.

A search engine's front end is a perfect example of dynamic scripting. The basic search engine is nothing more than a small program that queries a database (more specifically, a table in the database) for records matching the criteria you typed. For instance, if you want to find out about dogs, you simply type dogs in the text box and hit search, and the server builds a query around that word.

Most relational databases are driven by the Structured Query Language (SQL). SQL is the language used to read and manipulate the information in a database: with it you can query, update, insert, delete, and perform other actions on data in a few short lines.

Here is another common use for database-driven Web sites. Have you ever been required to type in a username or password to access a Web page? Quite often, your entry is compared to a database table, where your user name and password are validated. If there is an account for the entered user name, and the password matches, you will be granted access.

To illustrate, let's take a closer look at the process, as follows:

  1. The user is asked to type in account information.
  2. The user enters the following:
     User=Tom   Pass=tompass
  3. The entered information is sent to the Web server.
  4. An SQL query is created using the entered account information:
     "SELECT * FROM tblUsers WHERE USER='Tom' and PASS='tompass'"
  5. The database returns the results.
  6. An algorithm is used to determine whether access is permitted: if a matching row is found, access is enabled; if no row is found, access is restricted.
  7. The user is either sent into the Web site or sent back to the login page.

This technology has limitless uses. However, a clever attacker can exploit it to reach the data without proper authentication, a technique known as SQL injection. The weakness is in step 4: the user's text is pasted straight into the query, so a quote character in the input ends the string the programmer intended and the rest of the input becomes SQL. Suppose our attacker performed the following steps instead of the previously listed ones.

  1. The attacker is asked to type in account information.
  2. The attacker enters the following:
     User=' or ''='   Pass=' or ''='
  3. The entered information is sent to the Web server.
  4. An SQL query is created using the entered account information:
     "SELECT * FROM tblUsers WHERE USER='' or ''='' and PASS='' or ''=''"
  5. The database returns the results.
  6. An algorithm is used to determine whether access is permitted: if a matching row is found, access is enabled; if no row is found, access is restricted.
  7. The attacker gains access because the condition ''='' is true for every row, so the database returned the entire user table!

As you can see, by manipulating the query sent to the database, the attacker is now inside the secured Web site, and the login code never noticed anything unusual: it asked for matching rows and got some.

There are many ways this type of attack can be used. Attackers can delete, insert, update, and view data by tricking the Web server into sending the database statements the developer never wrote. Although this does require a solid understanding of SQL, the language is widely known and the payloads are widely published. The protection is to stop building SQL out of strings: pass user-supplied values to the database as bound parameters of a prepared statement, so that quotes and keywords in the input are treated as data rather than as syntax, and keep the database account the Web server uses restricted to the tables and operations the application actually needs.
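The two walkthroughs above, the honest login and the injected one, as an added runnable example (not code from the original article): it builds the page's tblUsers in an in-memory SQLite database, runs the concatenated query from step 4 with Tom's credentials and then with the ' or ''=' payload, and shows the same payload failing against a parameterised query. The table contents and the helper names are constructed for this example; the password storage is kept in plain text only to mirror the article's walkthrough.

```python
import sqlite3

# Constructed sample table: the page's tblUsers with the user "Tom" from the walkthrough.
SAMPLE_USERS = [
    ("Tom", "tompass"),
    ("Alice", "alice-secret"),
    ("Bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users.
    (A real system stores password hashes; plain text here mirrors the article's walkthrough.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (USER TEXT, PASS TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(user, password):
    """Step 4 of the page's walkthrough: splice the submitted fields straight into SQL text."""
    return "SELECT * FROM tblUsers WHERE USER='%s' and PASS='%s'" % (user, password)


def login_unsafe(conn, user, password):
    """Vulnerable login: returns whatever rows the concatenated query matched."""
    return conn.execute(build_query_unsafe(user, password)).fetchall()


def login_safe(conn, user, password):
    """Hardened login: the SQL text is fixed and the values travel as bound parameters,
    so a quote character in the input is data, never syntax."""
    return conn.execute(
        "SELECT * FROM tblUsers WHERE USER=? and PASS=?", (user, password)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Legitimate login from the walkthrough: exactly one row, Tom's.
    print(login_unsafe(conn, "Tom", "tompass"))
    # The injected login: the quote closes the literal and ''='' is true for every row.
    payload = "' or ''='"
    print(build_query_unsafe(payload, payload))
    print(login_unsafe(conn, payload, payload))
    # The same payload against the parameterised query matches nothing.
    print(login_safe(conn, payload, payload))
```

The AND/OR precedence is what makes the injected query return everything: the database reads it as USER='' OR (''='' AND PASS='') OR ''='', and the last clause holds for every row. The parameterised version never concatenates, so the only way to get a row back is to know a real username and password.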

Exploiting Web Forms

The same root cause, trusting what the client sends, also underlies the exploitation of Web forms. Quite often, Web-based forms have "hidden" fields that carry information to the Web server without the visitor ever seeing it. A widely reported example was a popular "shopping cart" program whose order forms carried the prices of the items in hidden fields. All an attacker had to do was save the page to her computer, edit the hidden Price field to any value she wanted, and submit the form; the new and improved price was then sent to the shopping cart software for processing. Unless an alert human reviewed the orders, the attacker had no trouble cheating the store out of thousands of dollars. "Hidden" only means the browser does not draw the field; anything the browser submits, including hidden fields, cookies, and form values, is under the visitor's control. The fix is for the server to treat the client's submission as a request, not a fact: the client may say which product and how many, but the price must be looked up from the server's own catalog, and quantities and identifiers must be validated before they are used.
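The hidden-price scenario above as an added runnable example (not code from the article or from any shopping cart product): it decodes two constructed form submissions, one untouched and one with the hidden Price field edited, and contrasts a handler that trusts the posted price with one that prices the order from a server-side catalog and validates the rest of the input. The catalog, SKUs and field names are assumptions made for this example.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the authoritative price list. The client never gets to set these.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("129.00"),
}

# Constructed form bodies as the browser would post them: the first with the hidden price
# field untouched, the second after the shopper saved the page and edited that field.
HONEST_POST = "sku=SKU-200&qty=2&price=129.00"
TAMPERED_POST = "sku=SKU-200&qty=2&price=0.01"


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def charge_unsafe(body):
    """The flawed pattern from the article: the hidden price field is trusted as-is."""
    form = parse_form(body)
    return Decimal(form["price"]) * int(form["qty"])


def charge_safe(body):
    """Hardened handler: the client chooses what to buy and how many; the server decides
    the price from its own catalog and rejects anything outside the expected shape."""
    form = parse_form(body)
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product: %r" % sku)
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer: %r" % form.get("qty"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range: %d" % qty)
    # Whatever price the client sent is ignored for the charge; a mismatch is merely logged,
    # because it is a useful signal that someone is editing the form.
    claimed = form.get("price")
    if claimed != str(CATALOG[sku]):
        print("hidden price field altered: client sent %r, catalog says %s" % (claimed, CATALOG[sku]))
    return CATALOG[sku] * qty


if __name__ == "__main__":
    print("unsafe, honest form:  ", charge_unsafe(HONEST_POST))
    print("unsafe, tampered form:", charge_unsafe(TAMPERED_POST))
    print("safe,   tampered form:", charge_safe(TAMPERED_POST))
    try:
        charge_safe("sku=SKU-999&qty=1&price=0.01")
    except ValueError as err:
        print("safe, unknown product rejected:", err)
```

The safe handler is not a filter on the price field; it simply never uses it. Stripping the hidden field from the form altogether is the cleaner design, and the logging line shows why keeping a copy around can still be worthwhile: an edited hidden field is an early sign that a visitor is probing the site.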

These are among the most common types of malicious exploits on the Internet. With so many different user interfaces and so much dynamic content on the Web, attackers find holes easily. FTP servers, SQL database servers, remote login services, scripting languages, and even HTML form handling have all been found vulnerable to unexpected input that results in the disclosure of sensitive information or worse. It takes only one attacker with a thorough understanding of a program, or a script kiddie with a pre-made tool that finds the holes, for another batch of systems to be compromised. The common defence is the same in every case: validate every input against what the application expects before acting on it, and never let client-supplied data become part of a command, a query, or a price.

    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.