SQL Injection Walkthrough - SQL injection attacks web applications by submitting raw SQL queries as input. Includes what to look for, how to test if a page is vulnerable, how to execute commands remotely, how to see the output of your SQL query, how to get data from the database using ODBC error messages, how to update/insert data into the database, and how to avoid SQL Injection.
ced0750fc6f0dfd8830e55f1c3c127b377e1c9c68ad6037544ff0d4fc23fcfb7
Header Based Exploitation - Web Statistical Software Threats. When people visit your website, certain information is passed from the users web browser to your web server/script. This information contains data such as what browser they are using, the last site visited, the file they requested, and other information. This paper was written to help you understand how an attacker can use these information fields to exploit your web statistics software. Includes info on SSI Tag Insertion, HTML Insertion, and more.
28d2fa4685980f28f5b718d00024231d08243ee32e0bb94551324cd39274d5aa
Best Practices for Secure Web Development is intended as a guideline for developing secure web based applications. Includes basic web security practices, cross-site scripting, PKI, code review, and more.
7c1777b2da1020b5231acda0e2c833637f7afda2f1a49469e972503425b1bc6c
Directory and URL Prediction Vulnerabilities - Many websites, most notably adult-related websites offering pictures and files, leave their data open for others to see. These vulnerabilities often go undetected. This, of course may not be an issue to some, but many of these websites obtain their revenue through their sponsors, banners and membership fees. These types of vulnerabilities bypass sponsors, banners, membership sign-in areas, and most adult verification systems. For lack of better wording I have titled these types of vulnerabilities "Directory and URL Prediction". In reality, this is what it comes down to. There are many methods of exploiting these vulnerabilities, and only a few will be covered in this document. Please keep in mind that the effectiveness of these tactics depends heavily on the ineffectiveness of the website's security and design layout. I know some of you may have known these for years, but many have not. These vulnerabilities still exist today on the Internet.
d8ef59420a33e0a2d9f221128fa959272146d784f7508d8012ab1e9d158382ad
Since the invention of Web browser cookies by Netscape, the claim has always been made that they are anonymous and cannot be associated with any personal information unless someone provides this information. In this write-up, I will present a technique in which browser cookies can be matched to Email addresses without people's knowledge. The technique relies on a security hole that is present in both Microsoft's Internet Explorer browser and Netscape's Navigator browser. This technique can be used, for example, to allow a banner ad company to associate an Email address with a "anonymous" profile that has been created for a person as they surf the Web.
47f14da3aa9f1689692f108845fad8b6b3d627c6b65c81714e5d0d58b19318f8