Frequently Asked Questions about web security

Session Credential:
A session ID tracks a user's session, or perhaps just his current session, as he traverses the web site. A session ID is a string of data provided by the web server, normally stored within a cookie or URL, which identifies a user and authorizes them to perform various actions.

SSI Injection:
A server-side exploit technique that allows an attacker to send code into a web application, which is then executed by the web server.

What is SQL injection or SQL poisoning?
SQL injection happens when a developer accepts user input that is placed directly into a SQL statement without properly filtering out dangerous characters. SQL, or Structured Query Language, was originally developed by IBM and is now an ANSI and ISO standard. SQL injection, or SQL poisoning as it is also called, is a method of attack by which an attacker inputs simple SQL fragments to construct queries that are harmful to the host system. Most databases in use allow SQL to access their data, so if user input is used to form a query without proper checking, an attacker can shape the query with well-crafted input.

For example, if a developer builds the query like this:

"SELECT user from table_user where user = '" + user_name + "' and password = '" + password + "'"

an attacker can input: ' OR 1=1 --

The last two characters (the double dash) comment out whatever follows in the statement. Since 1=1 is joined with OR and is always true, the user can log in no matter what password he enters.
There are two commonly known methods to identify and exploit SQL injection vulnerabilities: SQL injection and blind SQL injection. Plain SQL injection identifies the existence of a vulnerability by looking at the error messages output during an attack. However, when the error messages shown are not explicit, the attacker may try a 'blind SQL injection attack' to find out whether a vulnerability exists at all.
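The login query above can be reproduced end to end against an in-memory SQLite database. The following is an added example, not code from the original FAQ: it places the concatenated query beside the parameterized version of the same statement and runs both with a normal login and with the input described above. The table name and column names follow the FAQ's query; the user record, the password and the helper function names are constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed sample database with one legitimate user.
    The password is stored in plaintext only to keep the example short;
    a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_user (user TEXT, password TEXT)")
    conn.execute("INSERT INTO table_user VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, user_name, password):
    """Builds the query by string concatenation, exactly as the FAQ warns against.
    Returns the matched user name, or None when no row matches."""
    query = ("SELECT user FROM table_user WHERE user = '" + user_name +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, user_name, password):
    """Same statement with bound parameters. The driver sends the input as data,
    so quote and comment characters can no longer change the statement's structure."""
    row = conn.execute(
        "SELECT user FROM table_user WHERE user = ? AND password = ?",
        (user_name, password),
    ).fetchone()
    return row[0] if row else None

def demo():
    """Runs both versions with a legitimate login and with the FAQ's input."""
    conn = make_db()
    payload = "' OR 1=1 --"   # the same input the FAQ above describes
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "payload_vulnerable": login_vulnerable(conn, payload, "anything"),
        "payload_safe": login_safe(conn, payload, "anything"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions return 'alice' for the real credentials; only the concatenated version also returns 'alice' for the crafted input, because the comment marker removes the password check. Parameter binding is the fix; filtering "dangerous characters" by hand, as the FAQ puts it, is error-prone and should not be the primary control.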

What is clickjacking?
Clickjacking is a way of tricking the user into clicking on an innocuous-looking link or button. Clickjacking might be done with the intention of obtaining confidential information. The user might click on an innocuous-looking button or link which triggers a script; the attacker can then steal important information and/or take control of the computer.
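The defensive check a practitioner would run here is whether a site's responses forbid being placed in a frame, since clickjacking depends on overlaying the target page inside the attacker's page. The following added example (not part of the original FAQ) classifies a response's framing protection from the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive; neither header is mentioned on the page. The sample header sets are constructed for the example, and the verdict labels are the example's own naming.

```python
from typing import List, Mapping, Optional

def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Returns the source list of the frame-ancestors directive, or None if the
    policy has no such directive. Keyword sources lose their quotes ('self' -> self)."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_verdict(headers: Mapping[str, str]) -> str:
    """Classifies how a response restricts being framed.
    Returns 'blocked', 'same-origin-only', 'allow-listed' or 'unprotected'."""
    # HTTP header names are case-insensitive; normalise once.
    lower = {k.lower(): v for k, v in headers.items()}
    # When frame-ancestors is present, browsers enforce it and ignore
    # X-Frame-Options, so the CSP decides first. The Report-Only header is a
    # different header name and is deliberately not consulted: it enforces nothing.
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin-only"
            return "allow-listed"
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin-only"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it counts as no protection.
    return "unprotected"

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "legacy_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wins": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors https://partner.example"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "nothing": {"Content-Type": "text/html"},
}

def audit(samples=SAMPLES):
    """Returns a verdict per sample response."""
    return {name: framing_verdict(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The "csp_wins" sample shows why both headers must be read together: a DENY in X-Frame-Options is overridden by an allow list in frame-ancestors, so a scan that only looks at X-Frame-Options would report the page as protected when a listed third-party origin may still frame it.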

What is a virus?
A virus is a computer program written to destroy a computer system or damage the information stored on it. A virus can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs, which do not have the ability to reproduce.

Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.

Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements often take the form of pop-ups.

Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect.

What is a trojan-horse?
A Trojan horse is a harmful computer program disguised as a harmless one. It normally hides in an executable file, and the moment the executable is run, the trojan installs itself on the victim's machine.

What is a NetBIOS attack?
It is an old way of attacking an unsuspecting user who has file/printer sharing turned on. A simple command like net view lists all the directories/files that the target user has shared on his computer.

What is a badware?
As per stopbadware.com, an application can be called badware if:
1. It tries to act deceptively.
2. It engages in potentially harmful behavior for the user without disclosing the consequences in simple, non-technical language and obtaining the user's permission.

What is domain grabbing?
Domain grabbing is a mini-industry today. The term 'domain grabbing' refers to the act of obtaining popular expiring domains. There are services offered over the internet which allow an individual to specify an existing domain name he wants to register, and the very second it expires, the service registers the domain in the name of that individual. Some of the leading sites offering such services are SnapNames.com, NameWinner.com, ExpireFish.com, domain.com.

What is cyber squatting?

One of the best examples of cyber squatting is the domain name 'wallstreet.com', which was registered in 1994 for just $70 and sold for one million dollars in 1999! You can find many examples like this. There is fierce competition amongst some netizens to register the most popular domain names and then sell them at a profit. Cyber squatting is the act of grabbing popular domain names before they can be registered by the legitimate user.

To counter the menace of cyber squatting, the U.S. government passed the Anti-Cybersquatting Consumer Protection Act in 1999, which enables trademark holders to claim civil damages of up to a hundred thousand dollars from cybersquatters who register their trade names, or similar-sounding names, as domain names.

Author Info

Shah Alom

Hi, this is Mohammad Shah Alom. My passion is programming and web development. I am the founder of Micro Solutions Bangladesh. My Facebook profile is shahalom1983 and my Twitter profile is shahalom_83.