Ways of Attacking a Web Application in PHP: SQL Injection, XSS, Session Hijacking, Directory Traversal, and Remote File Inclusion

Explain 5 security issues associated with PHP applications that are different than the ones presented in the course content by summarizing 5 articles found online or at the ASU Library.


Added on  2023-06-14

About This Document

This technical essay discusses several ways of attacking a web application written in PHP, including SQL injection, XSS, session hijacking, directory traversal, and remote file inclusion, and explains the security measures used to protect web-based applications. The essay also includes PHP code that generates 500 contact records in a loop and inserts them into a MySQL table, with a description of the table.

Part I – Technical Essay
Introduction
All conventional web applications are built by humans, and humans naturally make mistakes. Complete
security will remain an unfulfilled dream, since every application carries some risk of being vulnerable.
It is therefore the programmer's job to ensure that this risk is reduced by all available means. Defending
a web application may be a simple task or an extremely time-consuming one. To address the risks faced
by web applications, we first discuss a few of the ways a web application written in PHP can be attacked.
SQL Injection
SQL injection is a code injection technique used to attack data-driven applications: malicious SQL
statements are placed into an entry field so that the database executes them. If web developers fail to
build data validation or range checks for the parts of the website where data from outside sources enters
the application, an attack by hackers becomes possible. The attacker can insert crafted SQL fragments
into vulnerable code that uses data posted by the user to look up records in the database (Sharma, 2014).
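The look-up the essay describes, written first with string concatenation and then with a prepared statement. This is an added example, not code from the essay or its code.zip; the `contact` table follows Part II of the essay, and the DSN, credentials and the `lname` query parameter are assumptions.

```php
<?php
// Added example (not from the essay). Assumes a MySQL table `contact` with the
// columns used in Part II; DSN, credentials and the query parameter are placeholders.
declare(strict_types=1);

// Vulnerable form: the user's text is spliced into the SQL grammar, so it can change
// the meaning of the statement instead of being compared as a value.
function findContactUnsafe(PDO $pdo, string $lastName): array
{
    $sql = "SELECT FirstName, LastName, Email FROM contact WHERE LastName = '$lastName'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement is compiled first and the value is bound afterwards,
// so whatever the user sends can only ever be treated as data.
function findContactSafe(PDO $pdo, string $lastName): array
{
    $stmt = $pdo->prepare(
        'SELECT FirstName, LastName, Email FROM contact WHERE LastName = :lname'
    );
    $stmt->execute([':lname' => $lastName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Disable client-side placeholder emulation so MySQL itself binds the parameters,
// and raise exceptions so a failed query cannot be silently ignored.
$pdo = new PDO(
    'mysql:host=localhost;dbname=appdb;charset=utf8mb4', // assumed DSN
    'appuser',                                           // placeholder user
    'change-me',                                         // placeholder password
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

$lastName = $_GET['lname'] ?? '';
foreach (findContactSafe($pdo, $lastName) as $row) {
    // Output is encoded as well, since the data came from an untrusted source originally.
    echo htmlspecialchars($row['Email'], ENT_QUOTES, 'UTF-8'), "\n";
}
```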
Cross Site Scripting (XSS)
Sometimes an attacker can inject a script into the web page through an HTML form or an anchor link
tag. This may redirect us to a phishing page that gathers sensitive information. Hackers may steal our
session identifier so that they can impersonate us and access the web application. This kind of attack is
mostly a form of script injection made possible by incorrectly validating user data. The injected code may
be any malicious client-side code. It generally does not damage information on the web server; instead it
executes a malicious process in the client's browser (Fekete, 2013).
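A page that echoes a user-supplied name and link back into HTML, with the hardened version encoding every value for the context it lands in and restricting the anchor's scheme. This is an added example, not code from the essay; the `name` and `site` form fields are assumptions.

```php
<?php
// Added example (not from the essay). The POST fields `name` and `site` are assumed.
declare(strict_types=1);

// Encode for an HTML text or attribute context. ENT_QUOTES also covers single quotes,
// so the result is safe inside a double- or single-quoted attribute as well.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// An anchor href is a URL context, not just HTML: encoding alone does not stop a
// script-bearing scheme, so only http and https are allowed through.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

$name = $_POST['name'] ?? 'guest';
$site = $_POST['site'] ?? '';

// Vulnerable form (left commented out): raw interpolation lets any markup in $name or
// $site become part of the page, which is the "mistakenly validated" case the essay describes.
// echo "<p>Hello $name</p><a href=\"$site\">your site</a>";

// Hardened form: headers go out before any output; the CSP blocks inline scripts
// as a second line of defence should an encoding ever be missed.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
?>
<p>Hello <?= e($name) ?></p>
<a href="<?= e(safeHref($site)) ?>">your site</a>
```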
Session Hijacking
Session IDs are usually stolen through an XSS attack, so preventing such theft is doubly beneficial.
Sessions and cookies cannot be used to exploit the information held in the database server, but they may
expose the client's login data. A session starts when the user first contacts the web server. Session
information is stored on the web server, but a web developer may also store it in a cookie for faster
retrieval or validation (Shirey, 2013), which can lead to hacking. Information saved on the server is
retrieved by transferring the session ID with each page request (Qureshi, 2015). It is advisable to renew
the session information often or to use an encrypted session ID.
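Session handling that limits what a stolen ID is worth: the cookie is unreadable to scripts and sent only over TLS, and the ID is rotated on login and at a fixed interval, as the essay recommends. This is an added example, not code from the essay; the rotation interval and the `user_id` session key are assumptions.

```php
<?php
// Added example (not from the essay). ROTATE_AFTER and the session keys are assumptions.
declare(strict_types=1);

const ROTATE_AFTER = 600; // seconds between session ID rotations (chosen for this example)

function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,     // HTTPS only, so the ID is never sent in clear text
        'httponly' => true,     // hidden from document.cookie, so an XSS cannot read it
        'samesite' => 'Strict',
    ]);
    session_start();

    // Periodic renewal: an ID captured earlier stops working once it has been rotated.
    $now = time();
    if (($_SESSION['rotated_at'] ?? 0) + ROTATE_AFTER < $now) {
        session_regenerate_id(true); // new ID, old session data deleted
        $_SESSION['rotated_at'] = $now;
    }
}

function loginUser(int $userId): void
{
    // Rotate on privilege change so an ID issued before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

startHardenedSession();
```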
Directory Traversal
Directory traversal generally denotes an attack in which an authenticated or unauthenticated user
can request and view or execute files that reside outside the root directory of a web application, or
outside a directory to which they should be restricted. An attacker can take advantage of this
vulnerability to escape the root directory and reach other parts of the file system (Prodromou, 2016).
This usually gives the attacker the ability to view restricted files or run commands on the server, which
may lead to full control of the system.
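A download handler that refuses to serve anything outside one directory, checking the resolved path rather than the raw request string. This is an added example, not code from the essay; the `downloads` directory and the `file` query parameter are assumptions.

```php
<?php
// Added example (not from the essay). DOWNLOAD_DIR and the `file` parameter are assumptions.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/downloads';

/**
 * Resolve a user-supplied name to a file inside DOWNLOAD_DIR, or return null.
 * realpath() collapses ".." segments and symlinks, so the containment check is
 * made on the final path the OS would open, not on the text the user sent.
 */
function resolveDownload(string $requested): ?string
{
    $base = realpath(DOWNLOAD_DIR);
    if ($base === false) {
        return null; // directory missing: serve nothing rather than guess
    }
    // A legitimate request is a bare file name: no separators, no NUL, not dot-prefixed.
    if ($requested === '' || $requested[0] === '.' || str_contains($requested, "\0")
        || basename($requested) !== $requested) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // The resolved file must still sit under $base (prefix plus a separator).
    if ($full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

$path = resolveDownload($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```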
Remote File Inclusion
Remote file inclusion is an attack in which an attacker makes the web server include a script file of
their choosing. Such scripts can create, delete or modify data or files on the web server dynamically. In
recent versions of PHP, the allow_url_include setting can be set to Off, which prevents the server from
including files fetched from a remote location such as the hacker's system (Muscat, 2017).
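A page router that includes a template chosen by the request, with the request selecting a key in a fixed map rather than supplying a path, and a start-up check of the allow_url_include setting the essay describes. This is an added example, not code from the essay; the template names and the `page` parameter are assumptions.

```php
<?php
// Added example (not from the essay). TEMPLATES and the `page` parameter are assumptions.
declare(strict_types=1);

// Vulnerable form (left commented out): the include target is built from the request.
// With allow_url_include enabled the target can be a remote URL; even with it Off,
// local files outside the intended set can still be reached by path.
// include $_GET['page'] . '.php';

// Hardened form: the request chooses a key; the file path itself never comes from it.
const TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',
    'contact' => __DIR__ . '/templates/contact.php',
    'about'   => __DIR__ . '/templates/about.php',
];

function templateFor(string $page): string
{
    return TEMPLATES[$page] ?? TEMPLATES['home'];
}

function assertRemoteIncludeDisabled(): void
{
    // allow_url_include is set in php.ini, not from a script, so the application
    // verifies the server setting and refuses to run if it is on.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit('Server misconfiguration: allow_url_include must be Off');
    }
}

assertRemoteIncludeDisabled();
include templateFor($_GET['page'] ?? 'home');
```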
Part II – PHP, MySQL, Web-Based Security
Create the following HTML form and
a) Store the information from the form in a file
b) Store the information from the form in a MySQL table
Ref: code.zip
PHP code to generate 500 contact records using a loop
PHP Code:
<?php
// dbconnect.php is expected to open the database connection; this listing assumes
// it provides a PDO handle named $conn.
include 'dbconnect.php';
$i = 1;
while ($i <= 500) {
    $fname1 = 'First' . $i;
    $lname1 = 'Last' . $i;
    $addr1  = 'Addr ' . $i;
    $state1 = 'FA';
    $zip1   = 45872 + $i;
    $phone  = '8989483' . (999 - $i);
    $email1 = 'xyz@tt.co' . $i;
    $sql = "insert into contact (FirstName,LastName,Address,State,Zip,Phone,Email) values
(:fname,:lname,:addr,:state,:zip,:phone,:email)";
    // Bind each generated value to its named placeholder and run the insert.
    $stmt = $conn->prepare($sql);
    $stmt->execute([
        ':fname' => $fname1, ':lname' => $lname1, ':addr' => $addr1, ':state' => $state1,
        ':zip'   => $zip1,   ':phone' => $phone,  ':email' => $email1,
    ]);
    $i++; // advance the counter; without this the loop never terminates
}