IT395_Eric_Clarkson_Unit_6_Assignment_Complete
docx
keyboard_arrow_up
School
Purdue Global University *
*We aren’t endorsed by this school
Course
395
Subject
Information Systems
Date
Apr 3, 2024
Type
docx
Pages
13
Uploaded by BarristerRiverRook47
1
Unit 6 Assignment
IT395 Certified Ethical Hacking II
Eric Clarkson
Purdue Global University
Professor Donald McCracken
October 3, 2023
2
Step 2:
Username: admin
Password: password
On the DVWA Welcome screen click on DVWA Security.
Select “low” and click “Submit.”
The Security Level should now indicate
low.
Click the XSS reflected button. This should now be reflected by the page title.
Put your first name into the textbox and click: “Submit.”
It should reflect back your name below in red text.
Place a screenshot into your lab file.
3
Step 3: In the “What’s your name?” textbox type in <this is a test>
Because there is no error generated by using the tags, you know that you can use scripts on this webpage.
In the “What’s your name?” textbox type in <script>alert(‘vulnerability exposed to firstname’);</script>
For the alert to be raised try Firefox or a different browser if this does not work for you.
Take a screenshot of the alert dialogue box and put in your assignment.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
4
Step 4:
Click the ‘SQL Injection’ button on the left of the screen.
In the “User ID” textbox type in O’Conner. The idea here is to see how the website handles punctuation.
This should raise an error. This error tells you that the website does not have code to handle special characters.
Click the browser's back button and enter the following in the “User ID” textbox:
’ OR ‘1’ = ‘1
and click “Submit.” There should be a space at the end.
Take a screenshot of the output and place it in your lab document.
5
Answer the question in 20 or more words: What do you think is happening on that last
command?
The command 'OR '1' = '1" demonstrates a SQL injection attack capable of bypassing authentication mechanisms and providing unauthorized access to a database. An attacker can obtain access to sensitive information by inserting this command into a login form and tricking the system into accepting any combination of username and password. To prevent these types of attacks, it is critical to use secure coding techniques and to update software regularly.
6
Step 5:
Determine the database information
Type in the “User ID” textbox:
%' or 0=0 union select null, version() #
Take a screenshot of the version number of the database and paste it in your assignment.
Type in the “User ID” textbox:
%' or 0=0 union select null, user() #
Take a screenshot of the username and paste it into your assignment document.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
7
Type in the “User ID” textbox:
%' or 0=0 union select null, database() #
Take a screenshot of the database name and paste it into your assignment document.
Type in the “User ID” textbox:
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Take a screenshot of the tables in the database that pertain to ‘users’ and paste it into your
assignment document.
8
9
Part 2: Questions
What are some ways that black hat hackers could try to obfuscate the SQL commands they are using?
There are various strategies that black hat hackers might use to hide the SQL statements they are using. To hide the commands, one approach is to use various encoding techniques such as base64 encoding or URL encoding. Another strategy is to utilize a technique known as "comment obfuscation," in which they add comments to the SQL code that appear harmless but contain dangerous code. They might also utilize techniques such as string concatenation or dynamic SQL to make the code more intricate to comprehend. Additionally, they may attempt to employ evasion techniques that exploit vulnerabilities in the target system to prevent the SQL commands from being detected. In summary, black hat hackers have a wide range of tools at their disposal to make their SQL commands more challenging to detect and to safeguard themselves from being apprehended.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
10
What are some other Web attacks and how do they work?
As the internet becomes an increasingly crucial component of corporate and personal communication, the possibility of cyber attacks grows. These attacks have become more sophisticated and widespread, posing substantial problems for individuals and businesses. In this write-up, we will look at some of the most frequent forms of web attacks and how they work.
The SQL injection attack is one of the most common types of web attacks. This form of attack involves gaining access to a website's database by exploiting flaws in its programming. SQL injection attacks can be used by hackers to steal important data or even take control of a website. Website owners must ensure that their code is properly sanitized and that data is thoroughly vetted before it is inserted into the database to protect against SQL injection attacks.
The Cross-Site Scripting (XSS) attack is another prevalent web assault. This form of attack involves injecting malicious code into the pages of a website. When unwitting people visit
the site, the code can run and steal sensitive data or take control of the user's browser. Websites must ensure that their code is properly checked and that user input is sanitized before it is shown on the site to prevent XSS attacks.
Phishing attacks are another form of prevalent web attack. Users are duped into revealing
personal information such as passwords or account numbers in these assaults. Phishing attacks
11
can take place via email, social media, or even bogus websites. To avoid phishing attempts, users
must be cautious and carefully verify the legitimacy of any requests for sensitive information.
Finally, Distributed Denial of Service (DDoS) attacks entails flooding the servers of a website with traffic. This can cause the site to slow down or even crash, leaving people unable to
access it. Websites can use techniques like firewalls and content delivery networks (CDNs) to reduce the impact of DDoS attacks.
In conclusion, web attacks pose a substantial risk to both individuals and businesses. We can help safeguard the safety and security of our online activities by learning about the various sorts of assaults and taking proper countermeasures.
12
References
Chickowski, E. (2013, July 5).
New techniques obfuscate, optimize SQL injection attacks
. Dark Reading.
https://www.darkreading.com/database-security/new-techniques-obfuscate-
optimize-sql-injection-attacks
Dahan, M. (2022, November 4).
Top 10 most common web attacks and how to prevent them
. Comparitech.
https://www.comparitech.com/blog/information-security/common-web-
attacks/
Kumar, A. (2022, December 16).
Base64 encoding: What is it? How does it work?
Built In.
https://builtin.com/software-engineering-perspectives/base64-encoding
Lazar, L., & Erez, E. (2018, February 12).
A deep dive into database attacks [Part I]: SQL obfuscation
. Imperva.
https://www.imperva.com/blog/database-attacks-sql-obfuscation/
Mavituna, F. (2023, May 8).
SQL injection cheat sheet
. Invicti.
https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/
#StackedSamples
Smallwood, D. (2021, January 21).
Hacker pig Latin: A Base64 primer for security analysts
. Dark Reading.
https://www.darkreading.com/edge-articles/hacker-pig-latin-a-base64-
primer-for-security-analysts
Thompson, K. (2023, February 27).
The 10 most common website security attacks (and how to protect yourself)
. Tripwire | Security and Integrity Management Solutions.
https://www.tripwire.com/state-of-security/most-common-website-security-
attacks-and-how-to-protect-yourself
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
13