SQL Injection attack

We wanted to see what effect a SQL injection attack would have on a simple system (of which there are tens of thousands out there), so Alan (www.astirling.com) designed a very simple logon system, running on a local virtual machine, for us to have a go at.

As we had suspected, if adequate measures were not taken it was remarkably simple to log in fully with a very basic attack, simply by putting:

a' or 1=1 or 'a

into both the username and password boxes!


Keep your systems secure and remember to test your login system to destruction! Read all about how the username / password is not necessarily the downfall of a system; it is the 'email me my password' functionality!! http://www.unixwiz.net/techtips/sql-injection.html







Discovering vulnerabilities

We had yet another brilliant evening of programming club last night at the ISArc offices near the Giant's Causeway. We learned about common attacks on web-based systems and how to counter them in our code. There were many tools to discover open ports, but perhaps none so interesting as NMap.


NMap is described as a security scanner, and it does exactly that – allowing you to scan your servers to find out which ports are open and then remedy the situation. Ideally a web server will report only port 80 as open.

Download NMap for Windows or Mac or Linux

Once you have downloaded and installed NMap on your Mac, simply open Terminal (using another handy shortcut that I learned last night: press command and space to open Spotlight, then type terminal and press enter).

In Terminal, you then type:


nmap -v ipaddress

Obviously, for security reasons I can't show you our results, but needless to say we found a few ports open that should not have been open (we were looking for only 2 ports open, 80 and 443 ideally), though we discovered that the strange ports up near the 50000 range were actually for the Dropbox services, so not a major panic after all.

If you know of other tools, or can add details on the Windows way of using NMap, please do comment!