2. Contents
• Sensitive Data Exposure.
• Security Misconfiguration.
• SQL Injection (Blind)
• Insecure Direct Object Reference
• Cross Site Scripting
• Denial of Service
Information System Security 2
5. SQL Injection
• Occurs when untrusted data is sent to an interpreter as
part of a command or a query.
• The attacker's malicious data can trick the interpreter
into:
1. Executing unintended commands.
2. Accessing data without authorization.
3. Corrupting the content of the database.
7. SQL Injection Prevention
• Escape strings:
1. mysqli_real_escape_string()
2. addslashes()
• Example:
x' or 'x'='x' --
When mysqli_real_escape_string() is applied, the quotes are escaped and the input no longer terminates the string literal:
x\' or \'x\'=\'x\' --
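As an added example (not from the slides), the payload above run against a string-built login query, then against the same query with the quote escaped, and against a parameterised query. It uses Python's sqlite3 with a constructed in-memory table; note that SQLite escapes a quote by doubling it rather than with the backslash mysqli_real_escape_string() uses, and that the parameterised form is the primary defence because it never parses user data as SQL.

```python
import sqlite3

PAYLOAD = "x' or 'x'='x' --"   # the slide's injection string


def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    # Vulnerable: untrusted input becomes part of the SQL text, so a quote
    # in the input closes the literal and "--" comments out the password check.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def escape_sqlite(value):
    # SQLite analogue of mysqli_real_escape_string(): a quote inside a
    # literal is written as two quotes, so it can no longer end the literal.
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    # Still string-built, but every quote in the input is escaped first.
    return login_concat(conn, escape_sqlite(username), escape_sqlite(password))


def login_param(conn, username, password):
    # Safe: the driver binds the values separately from the query text.
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    print("concat :", login_concat(make_db(), PAYLOAD, "guess"))   # every user
    print("escaped:", login_escaped(make_db(), PAYLOAD, "guess"))  # []
    print("param  :", login_param(make_db(), PAYLOAD, "guess"))    # []
```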
8. Insecure Direct Object Reference
• An insecure direct object reference occurs when the
programmer exposes a reference to an internal
implementation object, such as a file, directory, or
database key.
• Without an access control check or other protection,
an attacker can manipulate these references to reach
data without proper authorization.
10. Insecure Direct Object Reference Prevention
• Never expose application or database internals to the
public.
• Hide system objects behind opaque, non-guessable names
and encrypt the values.
• Use server-side sessions instead of relying on cookies alone.
11. Cross Site Scripting
• Cross site scripting flaws occur when the application
receives untrusted data and sends it to the browser
without proper validation or escaping.
• These flaws allow the attacker to execute scripts in
the victim's browser, which may lead to:
1. Theft of the user's session.
2. Defacement of the website.
3. Redirection of the user to malicious sites.
13. Cross Site Scripting Prevention
• Contextual output encoding, chosen for where the data lands:
1. HTML Encoding.
2. JavaScript Encoding.
3. CSS Encoding.
14. Denial Of Service
• An attack that floods the database service or the
application with a stream of requests, depriving
legitimate users of the service.
• This attack can be carried out with the tool
slowhttptest.
16. Denial of Service Prevention
• Firewall.
• Cloud mitigation provider: DDoS attack detection and
monitoring.
• Flow-Based Monitoring (PLXfbm): the service monitors
NetFlow on your router.