Information Systems Security : 6th International Conference, ICISS 2010, Gandhinagar, India, December 17-19, 2010 / / edited by Somesh Jha, Anish Mathuria
(Visualizza in formato marc)
(Visualizza in BIBFRAME)
| Titolo: |
Information Systems Security : 6th International Conference, ICISS 2010, Gandhinagar, India, December 17-19, 2010 / / edited by Somesh Jha, Anish Mathuria
|
| Pubblicazione: | Berlin, Heidelberg : , : Springer Berlin Heidelberg : , : Imprint : Springer, , 2010 |
| Edizione: | 1st ed. 2010. |
| Descrizione fisica: | 1 online resource (XIV, 261 p. 60 illus.) |
| Disciplina: | 004.6 |
| Soggetto topico: | Computer networks |
| User interfaces (Computer systems) | |
| Human-computer interaction | |
| Data protection | |
| Information storage and retrieval systems | |
| Electronic data processing - Management | |
| Biometric identification | |
| Computer Communication Networks | |
| User Interfaces and Human Computer Interaction | |
| Data and Information Security | |
| Information Storage and Retrieval | |
| IT Operations | |
| Biometrics | |
| Altri autori: |
JhaSomesh
MathuriaAnish <1967->
|
| Note generali: | Bibliographic Level Mode of Issuance: Monograph |
| Nota di bibliografia: | Includes bibliographical references and index. |
| Sommario/riassunto: | 2.1 Web Application Vulnerabilities Many web application vulnerabilities havebeenwell documented andthemi- gation methods havealso beenintroduced [1]. The most common cause ofthose vulnerabilities isthe insu'cient input validation. Any data originated from o- side of the program code, forexample input data provided by user through a web form, shouldalwaysbeconsidered malicious andmustbesanitized before use.SQLInjection, Remote code execution orCross-site Scriptingarethe very common vulnerabilities ofthattype [3]. Below isabrief introduction toSQL- jection vulnerability though the security testingmethodpresented in thispaper is not limited toit. SQLinjectionvulnerabilityallowsanattackertoillegallymanipulatedatabase byinjectingmalicious SQL codes into the values of input parameters of http requests sentto the victim web site. 1: Fig.1. An example of a program written in PHP which contains SQL Injection v- nerability Figure 1 showsaprogram that uses the database query function mysql query togetuserinformationcorrespondingtothe userspeci'edby the GETinput- rameterusername andthen printtheresultto the clientbrowser.Anormalhttp request with the input parameter username looks like "http://example.com/ index.php'username=bob". The dynamically created database query at line2 is "SELECT * FROM users WHERE username='bob' AND usertype='user'". Thisprogram is vulnerabletoSQLInjection attacks because mysql query uses the input value of username without sanitizingmalicious codes. A malicious code can be a stringthatcontains SQL symbols ork- words.Ifan attacker sendarequest with SQL code ('alice'-') - jected "http://example.com/index.php'username=alice'-", the query becomes "SELECT* FROM users WHERE username='alice'--' AND usertype='user'". |
| Titolo autorizzato: | Information Systems Security |
| ISBN: | 3-642-17714-X |
| Formato: | Materiale a stampa  |
| Livello bibliografico | Monografia |
| Lingua di pubblicazione: | Inglese |
| Record Nr.: | 9910483281003321 |
| Lo trovi qui: | Univ. Federico II |
| Opac: | Controlla la disponibilità qui |
Serie:
Security and Cryptology, . 2946-1863 ; ; 6503