(SQL) Injection and Cross-Site Scripting - Edited

This document discusses two common web application vulnerabilities: SQL injection and cross-site scripting (XSS). For SQL injection, it provides examples of data breaches and recommends using prepared statements to avoid it. For XSS, it explains reflected, persistent, and DOM-based attacks and recommends input validation and content security policy to prevent them. References are provided discussing techniques for detecting SQL injection and identifying vulnerabilities in SCADA environments.


Running Head: Scanning And Interpretation Of The Findings CSS 332 1


SQL injection refers to the insertion of unwanted Structured Query Language (SQL) code into the queries an application sends to its database, usually to gain access to data that should not be publicly available (Fang et al., 2018). Examples of such data include private client information and proprietary corporate data.

Examples

New York tourism website: Expired credit card information was leaked when attackers accessed the server that stored it. SQL injection was the method of attack in the breach, which exposed 110,000 credit card numbers. Around 300 people in New Hampshire were affected, and a programmer eventually discovered the unapproved script that had been placed on the server.

Yahoo password breach: The hacker group D33Ds Company said that the passwords for less than five percent of the 450,000 compromised Yahoo accounts were safe. Yahoo has not explained why the SQL injection vulnerability was not fixed before the attackers discovered it, or how it was introduced in the first place.

Several measures may be taken to avoid SQL injection, but using prepared statements (also called parameterized queries) is the most effective. With a prepared statement the database server compiles the SQL statement before the parameter values are supplied, so user input is bound as data and cannot change the structure of the query; this is what stops injected code from being executed (Fang et al., 2018). The following PHP code snippet exemplifies a prepared statement:

// $db is an open mysqli connection; the two "?" placeholders are the only way user data enters the statement
$stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$stmt->bind_param("ss", $username, $password); // "ss": both parameters are bound as strings
$stmt->execute();

Fang et al. (2018) also recommend that, to avoid SQL injection, all user input be escaped before it is used in a SQL query. Although this is not as safe as using prepared statements, the approach may be useful in some situations. For an example of escaping user input in PHP, see the code below:

// escaping only protects input that is later placed inside a single-quoted SQL string literal
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
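As an added example (not code from this paper), the two PHP approaches above are rendered in Python against an in-memory SQLite database so they run offline: plain string concatenation, the manual-escaping fallback, and a parameterized query, each fed a constructed username that contains a single quote. The table layout and sample values are assumptions.

```python
import sqlite3


def make_db():
    """In-memory SQLite table standing in for the paper's MySQL 'users' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    return db


def insert_concatenated(db, username, password):
    # Vulnerable pattern: user input is spliced straight into the SQL text,
    # so any quote in the input becomes part of the statement itself.
    sql = f"INSERT INTO users (username, password) VALUES ('{username}', '{password}')"
    db.execute(sql)


def insert_escaped(db, username, password):
    # The paper's fallback: escape, then splice. Doubling single quotes keeps a
    # quote inside a quoted literal (SQLite and MySQL). It only protects this
    # one quoting context and relies on every call site remembering to do it.
    esc = lambda s: s.replace("'", "''")
    sql = f"INSERT INTO users (username, password) VALUES ('{esc(username)}', '{esc(password)}')"
    db.execute(sql)


def insert_prepared(db, username, password):
    # Prepared statement: the statement text is fixed and compiled on its own;
    # the values travel separately as parameters, so whatever characters they
    # contain they can never change the structure of the query.
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
               (username, password))


def count_user(db, username):
    row = db.execute("SELECT COUNT(*) FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0]


def demo():
    """Return (concatenation_succeeded, rows_stored_for_name)."""
    db = make_db()
    name = "O'Brien"  # constructed sample input containing a single quote
    try:
        insert_concatenated(db, name, "hunter2")
        concat_ok = True
    except sqlite3.Error:
        concat_ok = False  # the quote broke the statement (syntax error here;
                           # altered query logic in a less lucky case)
    insert_escaped(db, name, "hunter2")
    insert_prepared(db, name, "hunter2")
    return concat_ok, count_user(db, name)


if __name__ == "__main__":
    print(demo())
```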

Cross-site scripting: Cross-site scripting (XSS) is a security flaw commonly found in web applications. With XSS, attackers can place harmful scripts on legitimate websites, and the browser runs the malicious code when the page is viewed. A reflected attack is one of the most common forms of cross-site scripting (Kamal et al., 2017). Attackers use web forms or other user input mechanisms to introduce malicious scripts into targeted websites; the script is reflected back to the user's browser and then executed. Because a reflected attack requires user interaction to succeed, it is generally considered less harmful than a persistent (or stored) XSS attack. Even so, Kamal et al. (2017) show that users can be tricked into exposing private information or performing undesirable actions (such as clicking a malicious link) through reflected attacks. Persistent (or stored) XSS attacks are more harmful than reflected attacks because they do not rely on the user's participation. When a malicious script is injected into a web page and saved by the web server, this is known as a "script injection attack": the stored script runs whenever other visitors access the page.

Examples:

eBay data breach: Several advertisements for low-priced iPhones had malicious JavaScript injected into them, presumably by attackers who had exploited a well-known security flaw. Clicking on one of them sent the user to what looked like eBay's sign-in page. The well-known security expert Graham Cluley has warned internet users to be wary of deals on used goods that seem too good to be genuine (Kamal et al., 2017).

British Airways data theft: Card skimming is a method attackers use to steal credit card information from insecure online payment systems. Users of both the mobile app and desktop browsers were hit by this attack (Kamal et al., 2017).

Cross-site scripting may be protected against in several ways:

Input validation: The most common and effective strategy for preventing XSS is input validation. Every piece of user input must be checked before it is placed on the page, and any characters that could be used to insert harmful code must be removed or escaped.

CSP: A Content Security Policy lets you control which sources are trusted to provide page content. It can be used to protect a page against harmful code injected from elsewhere (Kamal et al., 2017).

Sanitizing HTML: Sanitizing entails stripping HTML of potentially harmful code before it is used to build a web page. A library such as Google Caja may be used for this purpose.

Code example:

<script type="text/javascript">
// XSS-safe JavaScript code here
</script>
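An added Python example (not from this paper) showing the output-encoding side of input validation in both a text and an attribute context, a restrictive Content-Security-Policy header value, and a small check of whether a given policy would still let inline scripts run; the sample comment and search term are constructed.

```python
import html


def render_comment_unsafe(comment):
    # Vulnerable pattern: untrusted text is concatenated straight into the page,
    # so any markup inside it is parsed by the browser as part of the page.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    # Output encoding: the HTML metacharacters (< > & " ') become entities,
    # so the browser displays the text instead of interpreting it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_search_box(term):
    # Attribute context: quote=True matters here, because an unescaped double
    # quote would end the value attribute and whatever follows becomes markup.
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def csp_header():
    # Restrictive Content-Security-Policy: scripts only from the page's own
    # origin, no inline scripts, no plugins. A script block that reaches the
    # page through a missed encoding is then refused by the browser.
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def allows_inline_scripts(policy):
    """True if a CSP string would still let inline <script> blocks execute."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src")
    if sources is None:
        return True  # neither directive present: CSP does not restrict scripts
    return "'unsafe-inline'" in sources


# Constructed sample inputs.
SAMPLE_COMMENT = "Nice phone! <script>alert('xss')</script>"
SAMPLE_TERM = '7" monitor'

if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(render_search_box(SAMPLE_TERM))
    print("Content-Security-Policy:", csp_header())
```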

References

Fang, Y., Peng, J., Liu, L., & Huang, C. (2018, March). WOVSQLI: Detection of SQL injection behaviors using word vector and LSTM. In Proceedings of the 2nd International Conference on Cryptography, Security and Privacy (pp. 170–174).

Kamal, P., Abuhussein, A., & Shiva, S. (2017). Identifying and scoring vulnerability in SCADA environments. In Future Technologies Conference (FTC) (Vol. 2017, pp. 845–857).
