Information Systems Security: 6th International Conference, ICISS 2010, Gandhinagar, India, December 17-19, 2010 (2010 Edition)
Contributor(s): Jha, Somesh (Editor), Mathuria, Anish (Editor)
ISBN: 3642177131     ISBN-13: 9783642177132
Publisher: Springer
OUR PRICE:   $52.24  
Product Type: Paperback - Other Formats
Published: December 2010
Additional Information
BISAC Categories:
- Computers | Security - Networking
- Computers | System Administration - Storage & Retrieval
- Computers | Information Technology
Dewey: 004.6
Physical Information: 0.6" H x 6.1" W x 9.2" (0.92 lbs) 261 pages
Descriptions, Reviews, Etc.
Publisher Description:
2.1 Web Application Vulnerabilities

Many web application vulnerabilities have been well documented and their mitigation methods have also been introduced [1]. The most common cause of those vulnerabilities is insufficient input validation. Any data originating from outside of the program code, for example input data provided by a user through a web form, should always be considered malicious and must be sanitized before use. SQL Injection, Remote Code Execution and Cross-site Scripting are very common vulnerabilities of that type [3]. Below is a brief introduction to the SQL Injection vulnerability, though the security testing method presented in this paper is not limited to it.

An SQL Injection vulnerability allows an attacker to illegally manipulate a database by injecting malicious SQL code into the values of input parameters of HTTP requests sent to the victim web site.

Fig. 1. An example of a program written in PHP which contains an SQL Injection vulnerability (code listing not reproduced here)

Figure 1 shows a program that uses the database query function mysql_query to get the user information corresponding to the user specified by the GET input parameter username and then prints the result to the client browser. A normal HTTP request with the input parameter username looks like http://example.com/index.php?username=bob. The dynamically created database query at line 2 is SELECT * FROM users WHERE username='bob' AND usertype='user'.

This program is vulnerable to SQL Injection attacks because mysql_query uses the input value of username without sanitizing malicious code. Malicious code can be a string that contains SQL symbols or keywords. If an attacker sends a request with the SQL fragment (alice'--) injected, http://example.com/index.php?username=alice'--, the query becomes SELECT * FROM users WHERE username='alice'-- AND usertype='user', and the trailing usertype condition is commented out.