Scribd Logo
Upload

Welcome to Scribd!

  • SQL Injection: Cross-Site Script Attack

    Uploaded by

    Deepak Kumar Deo
    6 views2 pages
    Example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run. SQL injection is a security vulnerability that occurs in the database layer of an application.

    Original Description:

    Original Title

    Cross

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run. SQL injection is a security vulnerability that occurs in the database layer of an application.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views2 pages

    SQL Injection: Cross-Site Script Attack

    Uploaded by

    Deepak Kumar Deo
    Example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run. SQL injection is a security vulnerability that occurs in the database layer of an application.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Cross-site script attack

    The attacker can compromise the session token by using malicious code or programs running at the client-side. The
    example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to
    the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the
    instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current
    session; using the same technique it's possible to create a specific JavaScript code that will send the cookie to the attacker.

    <SCRIPT>alert(document.cookie);</SCRIPT>

    SQL Injection
    SQL injection is a security vulnerability that occurs in the database layer of an application.
    It's better explained with an example. Suppose in a database-backed web site, user enters
    username on a form, and server replies with address. Assume the following code is
    embedded in the server application.

    string username = dom.getForm("username");


    string query = "SELECT address FROM usertable WHERE uname = '"+username+"';"

    database.execute(query);

    If the user types "eddie'; SELECT bankaccount FROM usertable WHERE uname = 'ahnuld'" as
    username, the following SQL statement would be built by the code above:

    SELECT address FROM usertable WHERE uname = 'eddie'; SELECT bankaccount FROM
    usertable WHERE uname = 'ahnuld';

    When sent to the database, this statement would be executed and Arnold's bankaccount
    would be sent to the user. I am sure our governor wouldn't be happy about it.

    You might also like