Part 7 Lab Solution

Video Activity

This lesson offers participants a lab and solution for a string SQL injection using the 1 = 1 attack, which allows the user to view all the information in the table when a command is given.

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013, A1 Injection lab and solution.
00:19
This is the video solution for string SQL injection, so that's in your injection flaws,
00:27
string SQL injection. So it says the form below allows the user to view their credit card number.
00:34
Try to inject a SQL string that results in all the credit card numbers being displayed.
00:41
Now, because we know that Smith
00:43
is a valid value, we can use that to our advantage and basically
00:52
place in here
00:54
something that is valid,
00:58
terminate that SQL, try to perform our one equals one attack.
01:04
Now, since we're dealing with people's names, we're not going to work with numbers. So instead, we just switch it around to be letters,
01:15
so we'll just try something like b
01:19
equals
01:21
b.
01:25
And there we have it. So now we're able to actually view
01:30
all of the contents for
01:34
this table.
01:37
This table is user data.
01:40
Now it says,
01:42
now that you have successfully performed a SQL injection, try the same type of attack on a parameterized query.
01:51
I don't really know why they put this in here. I guess it's kind of a trick question. But
01:59
a parameterized query that's done properly using bind variables, or, if you want to think of it as a stored procedure with bind variables,
02:08
means that SQL injection will be prevented, so it actually neutralizes
02:15
the parameter that is sent in. So even if we were to perform
02:22
a SQL injection
02:24
into a parameterized query, the database would not execute the statement as it does for us here.
02:36
So that basically ends this lesson.
In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.