organisational security, Summaries of Computer Security

These are my study materials for website design and security.

Typology: Summaries

2021/2022

Uploaded on 03/22/2022

sherlocked221bj
KCIC
Creating borderless opportunities

LO2.6 Designing & building a secure website

PRESENTER: Ms JIJILIN CRIMSON

Unit 10 Website Design & Development

Recap

Step 1: Query parameterisation

SQL Injection Example

SQL Injection Example: Create a website

● Now I will create a login page named ‘Default.aspx’ to validate the credentials against the ‘Login’ table; if the user is valid, it redirects to the next page, named ‘Home.aspx’.

● Add two textboxes, for UserID and Password respectively, and a button for login.


● Add the two required namespaces in the code-behind (.cs) file of ‘Default.aspx’.

● Now add the following code to validate the credentials against the database in the click event of the Login button.

SQL Injection Example: Default page & login credentials

  • Add a new page named ‘Home.aspx’. Here I have not used the TextMode="Password" property on the password textbox, so that the password stays visible.
  • I have not used any input validation, to keep the example simple.

For a valid user it redirects to the next page, ‘Home.aspx’.


  • Now I will perform the SQL injection with invalid credentials: the query still executes successfully, and afterwards I am redirected to the next page, ‘Home.aspx’, as a valid user.
  • I will enter a string like the following in both textboxes: `' or '1'='`
  • Now run the page and log in with the above string in both textboxes.

It redirects to the next page, ‘Home.aspx’, as if the user were valid.

See what happened. This is called SQL injection in the hacking world.


  • The reason behind this: a parameterized query would not be vulnerable, because it would instead look for a user id or password that literally matched the entire string.
  • The SQL engine checks each parameter to ensure that it is correct for its column; parameters are treated literally, and not as part of the SQL to be executed.

As you have seen, the parameterized query did not execute the injected SQL script.

Query Parameterization Example

Secure Password Storage: Various Methods

● Just store it like anything else
● Encryption
● Irreversible encryption
● Irreversible encryption + Salt
● Repeated Hashing

Method 1: Just store it like anything else

● A database with a table consisting of username and password columns; passwords can be stored like this:

username   password
john       myawesomepassword

● The problem: it is insecure.

Method 3: Irreversible Encryption

● Use an established hashing algorithm like md5 or sha-1. These hashing algorithms cannot be reversed in theory.

● Replace every letter of the password with the next letter in the alphabet.

● The problem: you will find that many passwords are just common words and phrases. Many websites like this one have lookup tables of md5 hashes of common words. This means that if your user set a common word as his password, it can easily be looked up and cracked.

username   password
john       3729ad9ab30ed75be1f2a5f250f07ac

Method 4: Irreversible Encryption + Salt

● A better alternative is to salt the user's password.

● “Salt” is a fancy term that means adding a random string of letters and numbers to a user's password, and then hashing the result. This more or less guarantees that the hashed value is unique and unconventional, and therefore cannot be part of a lookup table.

● The final output you see has two $ symbols, between which lies the salt used to generate the rest of the hash. This is so that we can compare this stored hash with a password the user enters.
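The following example is added here and is not code from the slides: it rebuilds the ‘Login’ table check from Step 1 in Python with sqlite3 so that the concatenated query and the parameterized query can be compared on the same tautology input, and it implements the Method 4 `$salt$hash` storage format. The table contents, the function names and the choice of sha-256 (instead of the md5/sha-1 the slides mention) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import sqlite3

def make_login_db():
    # Constructed stand-in for the slides' 'Login' table (hypothetical data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Login (UserID TEXT, Password TEXT)")
    db.execute("INSERT INTO Login VALUES ('john', 'myawesomepassword')")
    return db

def build_unsafe_sql(user_id, password):
    # Concatenation as on the Default.aspx slide: the input becomes SQL text.
    return ("SELECT COUNT(*) FROM Login WHERE UserID = '" + user_id
            + "' AND Password = '" + password + "'")

def vulnerable_login(db, user_id, password):
    return db.execute(build_unsafe_sql(user_id, password)).fetchone()[0] > 0

def parameterized_login(db, user_id, password):
    # Step 1, query parameterisation: the values travel separately from the
    # SQL text, so the engine compares them literally against the columns.
    sql = "SELECT COUNT(*) FROM Login WHERE UserID = ? AND Password = ?"
    return db.execute(sql, (user_id, password)).fetchone()[0] > 0

def hash_password(password, salt=None):
    # Method 4: random salt + hash, stored as "$salt$hash" so the salt can be
    # read back when a login attempt is checked (sha-256 chosen here).
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "$" + salt + "$" + digest

def verify_password(password, stored):
    # Recover the salt from between the two $ symbols, re-hash and compare
    # in constant time.
    _, salt, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, salt), stored)

if __name__ == "__main__":
    db = make_login_db()
    tautology = "' or '1'='1"   # same form as the string on the slide
    print(build_unsafe_sql(tautology, tautology))
    print(vulnerable_login(db, tautology, tautology))      # True: bypassed
    print(parameterized_login(db, tautology, tautology))   # False: rejected
    stored = hash_password("myawesomepassword")
    print(stored, verify_password("myawesomepassword", stored))  # ... True
```

Printing `build_unsafe_sql` shows the `'1'='1'` condition becoming part of the WHERE clause, which is exactly what the placeholder version never allows.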