Business People Club


How bad guys hack into websites?

0 like 0 dislike
206 views
Posted by Octopixy
How hackers hack websites? and how to protect my website?

2 Comments

0 like 0 dislike
commented by Dragonig
SQL Injection is one of the most common security vulnerabilities on the web. Here I'll try to explain in detail this kind of vulnerability with examples of bugs in PHP and possible solutions.

If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It's "de facto" the standard language to access and manipulate data in databases.

Nowadays most websites rely on a database (usually MySQL) to store and access data.

Our example will be a common login form. Internet surfers see those login forms every day, you put your username and password in and then the server checks the credentials you supplied. Ok, that's simple, but what happens exactly on the server when he checks your credentials?

The client (or user) sends to the server two strings, the username and the password.

Usually the server will have a database with a table where the user's data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings he will query the database to see if the supplied credentials are valid. He will use an SQL statement for that that may look like this:

SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those of you who are not familiar with the SQL language, in SQL the ' character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user.

In this example we see that the username and password supplied are inserted into the query between the ' and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).

Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:

SELECT * FROM users WHERE username=''' AND password=''

This would trigger an error, since the database engine would consider the end of the string at the second ' and then it would trigger a parsing error at the third ' character. Let's now see what would happen if we sent this input data:

Username: ' OR 'a'='a
Password: ' OR 'a'='a

The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since a is always equal to a, this query will return all the rows from the table users and the server will "think" we supplied him with valid credentials and let us in - the SQL injection was successful :).

Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))

There's a single row in that table with data:

username: testuser
password: testing
email: testuser@testing.com

To check the credentials I made the following query in the PHP code:

$query="select username, password from users where username='".$user."' and password='".$pass."'";

The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).

So, last time I showed you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to get more information about the database structure.

Let's get started! So, if we put just a ' character in the username field we get an error message like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1

That's because the query became

select username, password from users where username=''' and password=''

What happens now if we try to put into the username field a string like ' or user='abc ?
The query becomes

select username, password from users where username='' or user='abc ' and password=''

And this gives us the error message
Unknown column 'user' in 'where clause'

That's fine! Using these error messages we can guess the columns in the table. We can try to put in the username field ' or email=' and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ' or email='testuser@testing.com in both the username and password fields and our query becomes

select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'

which is a valid query and if that email address exists in the table we will successfully login!

You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field ' or user.test=' and you will see an error message like
Unknown table 'user' in where clause

Fine! Let's try with ' or users.test=' and we have
Unknown column 'users.test' in 'where clause'

so logically there's a table named users :).

Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use this information in an attack.
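
The login check from the comment above beside a parameterized version, as an added example that is not part of the original comment. It assumes PDO with an in-memory SQLite database standing in for MySQL; the function names login_concat and login_prepared are hypothetical.

```php
<?php
// Added example, not the commenter's code. In-memory SQLite stands in for
// MySQL so the script runs offline; the PDO calls are the same for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))');
// Constructed row matching the comment. The plaintext password only mirrors
// that table; store password_hash() output and check it with password_verify().
$pdo->exec("INSERT INTO users VALUES ('testuser', 'testing', 'testuser@testing.com')");

// The pattern from the comment: user input becomes part of the SQL text.
function login_concat(PDO $pdo, string $user, string $pass): bool
{
    $query = "select username, password from users where username='" . $user
           . "' and password='" . $pass . "'";
    return $pdo->query($query)->fetch() !== false;
}

// Hardened: the SQL text is fixed and the input travels separately as bound
// values, so a quote character is data and cannot change the query.
function login_prepared(PDO $pdo, string $user, string $pass): bool
{
    try {
        $stmt = $pdo->prepare(
            'select username from users where username = :u and password = :p'
        );
        $stmt->execute([':u' => $user, ':p' => $pass]);
        return $stmt->fetch() !== false;
    } catch (PDOException $e) {
        // Details go to the server log only; the client sees a plain failure,
        // so error text cannot be used to map tables and columns.
        error_log('login query failed: ' . $e->getMessage());
        return false;
    }
}

$payload = "' OR 'a'='a";   // the input shown in the comment
$cases = [
    'valid credentials' => ['testuser', 'testing'],
    'wrong password'    => ['testuser', 'nope'],
    'comment payload'   => [$payload, $payload],
    'single quote'      => ["'", ''],
];
foreach ($cases as $label => [$u, $p]) {
    try {
        $concat = login_concat($pdo, $u, $p) ? 'LOGIN' : 'denied';
    } catch (PDOException $e) {
        $concat = 'SQL error'; // an error page here is what leaks the schema
    }
    $prepared = login_prepared($pdo, $u, $p) ? 'LOGIN' : 'denied';
    printf("%-18s concat=%-9s prepared=%s\n", $label, $concat, $prepared);
}
```

On a production server, also set display_errors = Off and log_errors = On in php.ini so that database error text is logged rather than shown to visitors.
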
0 like 0 dislike
commented by SnailMail
Intrusion Prevention solutions detect and eliminate content-based threats from email, viruses, worms, intrusions, etc. in real time without degrading network performance. They detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance.

Today's global information infrastructure faces possible huge financial losses caused by ineffective Intrusion Prevention. Among the most vulnerable technologies are Providers of VoIP, video teleconferencing and data over cellular networks. While these providers have integrated into their products, the need for new Intrusion Prevention solutions is constant. Here are some of the areas in which Intrusion Prevention offers effective solutions.

Instant Messaging - Intrusion Prevention
The real-time, interactive nature of Instant Messaging makes it a valuable tool for business partners, customers and fellow employees. The breach of security opportunities created by the use of IM must be managed given its position as a widely accepted business communications tool.

Real Time Vulnerability - Intrusion Prevention
Real Time Vulnerability Protection Suite breaks away from the reactive method of chasing attacks after they happen to eliminating and protecting vulnerabilities on your systems. By protecting against known and unknown vulnerabilities, you can ensure data reliability and security.

Network Infrastructure - Intrusion Prevention
Intrusion Prevention protects the network infrastructure to carry on your business without disruption. Enterprise level solutions offer effective network intrusion prevention solutions (IPS) within the context of your company's comprehensive security policy.

Email - Intrusion Prevention
Financial Companies, manufacturers, retailers, etc. use intrusion prevention to scan messages and attachments for viruses. Together with "preemptive" email security approach, effective intrusion prevention offers the best protection from spam and virus attacks.

Application Level Attacks - Intrusion Prevention
A successful denial of service attack can put a corporate website off line for hours or more. Intrusion Prevention products offer the best protection against application level attacks and secure all networked applications, users and server resources.

Large Enterprises - Intrusion Prevention
Large Enterprises with widely dispersed Carrier & Data Center Networks need specially built high-performance security gateway Intrusion Prevention with proven firewall and IPSec VPN to deliver scalable network and application level security. Intrusion prevention protects the enterprise against the seemingly insignificant worm, virus, trojan, etc. that can topple its network.
