AS Watson

1.SQL INJECTION:
Usage -Temp: mail= [email protected]

Password= administrator’—

IMPACT: an attacker can spoof identity; expose, tamper, destroy, or make

existing data unavailable; become the Administrator of the database server
SOLUTION:
1. Use user authentication to validate input and define input field
characteristics.
2. Restrict user access privileges to limit database access.
3. Avoid using system administrator accounts.

How it works
An attacker can inject SQL control characters and command keywords into an
application's input field, which is then used to query the database.
what it can impact
SQL injection can lead to the unauthorized viewing of user lists, the deletion of
tables, and the loss of customer trust.
Results,
This website has no SQL vulnerability

2.SQL HIDDEN DATA RETRIVAL:

where you can modify a SQL query to return additional results. Subverting
application logic, where you can change a query to interfere with the
application's logic. UNION attacks, where you can retrieve data from different
database tables.
Usage- Payloads= admin') or ('1'='1'#
- admin' or '1'='1
-1234 " AND 1=0 UNION ALL SELECT "admin",
"81dc9bdb52d04dc20036dbd8313ed05

Fig-Set payloads in url

Results:

This website has no SQL Hidden data retrieval

vulnerability

3.CLIENT-SIDE VALIDATION:
Client-side validation refers to the process of verifying user input in a
web application on the user's device (usually within their browser)
before the data is submitted to the server.
- Static client-side
- Dynamic client-side
Client-side validation is the process of checking the user input on the
web browser before sending it to the server. It can improve the user
experience, reduce the network traffic, and prevent some common
attacks
• IMPACT: client-side validation is not secure, as it can be easily
bypassed, modified, or disabled by malicious users or hackers.
• SOLUTION: setting the values of Client Validation Enabled &
Unobtrusive JavaScript Enabled keys to true or false.

STATIC CLIENT-SIDE:
Static client-side validation refers to the use of predefined, built-in
mechanisms for validating user inputs in a web form without the need
for dynamic or script-based logic (such as JavaScript).

Fig: Registration page

 Fig: After change the code

Fig: After change the code then refreshing the page

Results,
This website has no static client-side validation vulnerability.
DYNAMIC CLIENT-SIDE:
Dynamic client-side validation: refers to validating user input in
real-time using dynamic logic, typically through JavaScript or
JavaScript libraries. Unlike static client-side validation (which relies
on HTML attributes), dynamic validation can be customized,
allowing for more complex logic, instant feedback, and validation of
user inputs as they type or interact with the form.

Fig: img src of this website

Steps: change the name of pages

 Fig:Change the name of page

Fig: After change the page name and refreshing

Results,
This website has no dynamic client-side validation.
5.SERVER-SIDE INFORMATION DISCLOSURE:
Server-Side Information Disclosure occurs when a web application
unintentionally exposes internal details about its infrastructure, software, or
configurations to users.
Usage- command prompt = curl -i https://www.aswatson.com/

6.HIJACKING:
It's a form of attack where a bad actor steals or manipulates the
session token to gain unauthorized access to information or services.

Fig: click the button of the page

 Fig- After click the button it will change next page
Results,
This website has no hijacking vulnerability.

7.USER ENUMURATION:
Allows an attacker to determine whether a user exists in a particular application.
• IMPACT: Techniques with the purpose of finding valid login credentials such
as usernames.
• SOLUTION: To mitigate this, change the error message to “Incorrect login or
password,” making it impossible for the attacker to infer the existence of a user
in the application.
 Fig: login register email in register page

Fig: the error msg display properly

Results,
This website has no user enumeration vulnerability…
8.WEAK PASSWORD POLICY:
A weak password is short, common, a system default, or something that could
be rapidly guessed by executing a brute force attack using a subset of all
possible passwords, such as words in the dictionary, proper names, and words
based on the user name or common variations on these themes.
Usage-email= [email protected]
Password= cat
Prevent: weak password policy involves implementing strong password
requirements and enforcing security measures to ensure users create secure,
hard-to-guess passwords.

Fig: invalid email/password combination

Results,
This website has no weak password policy vulnerability..

9. NUMERICAL WEAK PASSWORD POLICY:

A numerical weak password policy is a password policy that allows or
Encourages the use of passwords made up solely of numbers (digits).
[email protected]
Password=123456789

Fig- invalid email/password combination

Numerical weak password policy,
Where users are allowed to create passwords that consist only of
digits (such as "123456" or "000000"), organizations must implement
policies that enforce password complexity and security..
Results,
This website has no numerical weak password policy vulnerability…

WEBSITE LOGIN FOR DIFFERENT SEARCH ENGINE:

Creating a website login system that supports different search engines involves
several considerations, including search engine optimization (SEO), user
experience, and security. Below is an overview of how to implement a website
login system that can be indexed and recognized by various search engines.
Usage-URL= https://dashboard.alchemy.com/