Week 11 Summary

SQL injection is a SQL vulnerability in the database that allows certain queries to be typed in or exploited to reveal the contents of the database. One way of doing this is going into a user input page and typing ” any’ 1=1#; ” which would tell the database, if 1=1, then reveal the database contents. One can tamper with the URL if the URL reveals the user input, and put SQL queries in the URL, such as “order by 1” to test how many rows or entries are in the database.

Some SQL injection tools are Tamper Data and Cookie functions. One can find the cookie session for the logins, and as long as the user is logged in, you can use the cookie session pasted into the URL to catch the login session. Tamper Data is if the code will not allow you to tamper with the input. Tamper Data, on Mozilla Firefox or Iceweasel will allow you to modify the input type to test for SQL vulnerabilities or gain database contents.

SQL Map will automate most SQL attacks for you, test if the website is vulnerable, and run the SQL injection attack on, returning the results.

News article:

Canada wants to hack its own trucks to find vulnerabilities.
http://www.popularmechanics.com/military/research/a18071/the-canadian-military-wants-to-hack-their-own-trucksbefore-someone-else-does/