Showing posts with label Web Technology. Show all posts

Session Cookie Based SQL Injection

Short Description: SQL injection is most dangerous attack for web application, there are a lot of different websites are vulnerable to SQL injection. There are different variant for SQL injection like a simple SQL injection, blind SQL injection and Cookies based SQL injection. As you know the basic idea about cookies and their importance, cookies are represent some session and normally they count in cross site scripting attack (XSS) but what is cookies based SQL injection. In this article we will discuss cookies or session based SQL injection attack. 

Did you say a “Cookie” 

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user’s browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user session, user’s preferences, shopping cart contents, or anything else that can be accomplished through storing text data.
Cookies are not software. They cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user’s browsing activities – a major privacy concern that prompted European and US law makers to take action. Cookies could also be stolen by hackers to gain access to a victim’s web account.[1]


Where can I find my cookies?


Here is one way to get your stored cookies using your browser. This method is applied for Mozilla Firefox:


  1. From the Tools menu, select Options. If the menu bar is hidden, press Alt to make it visible.

  2. At the top of the window that appears, click Privacy.

 4. To modify settings, from the drop-down menu under “History”, select Use custom settings for history. Then enable or disable the settings by checking or unchecking the boxes next to each setting:


  • To allow sites to set cookies on your computer, select Accept cookies from sites. To specify which sites are always or never allowed to use cookies, click Exceptions.
  • To accept third-party cookies, check Accept third-party cookies. In the drop-down menu next to “Keep until:”, select the time period you wish to keep cookies on your computer.
  • To view the cookies stored on your computer, click Show Cookies… . In the window that appears, you can view the cookies on your computer, search for cookies, and remove any or all of the listed cookies.
  • To specify how the browser should clear the private data it stores, check Clear history when Firefox closes. Then, click Settings… . You can specify the items to be cleared when you close Firefox.

  4. Click OK until you return to the Firefox window.

To remove all cookies, from the Tools menu, select Clear recent history… . Check the items you want to clear, and then click Clear Now.



Are you talking about a Cookie Poisoning-like attack?


Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user’s computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity.
Cookie poisoning is a known technique mainly for achieving impersonation and breach of privacy through manipulation of session cookies, which maintain the identity of the client. By forging these cookies, an attacker can impersonate a valid client, and thus gain information and perform actions on behalf of the victim. The ability to forge such session cookies (or more generally, session tokens) stems from the fact that the tokens are not generated in a secure way.[4]
To sum up, cookie-based SQL Injection is far to be a kind of Cookie Poisoning.

Cookie variables as a vector of SQL Injections:


SQL injection overview

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
All data sent by the browser to a Web application, if used in a SQL query, can be manipulated in order to inject SQL code: GET and POST parameters, cookies and other HTTP headers. Some of these values ​​can be found in the environment variables. The GET and POST parameters are typically entered into HTML forms, they can contain hidden fields, i.e. information that is in form but not shown. GET parameters are contained in the URL and POST parameters are passed as HTTP content. Nowadays, and with the growth of Web 2.0 technologies, the GET and POST requests can also be generated by JavaScript.

Injecting malicious code in cookie:

Unlike other parameters, cookies are not supposed to be handled by users. Outside of session cookies which are (usually) random, cookies may contain data in clear or encoded in hexadecimal, base64, hashes (MD5, SHA1), serialized information. If we can determine the encoding used, we will attempt to inject SQL commands.



 function is_user($user) {

global $prefix, $db, $user_prefix;

if(!is_array($user)) {

        $user = base64_decode($user);

        $user = explode(“:”, $user);

$uid = “$user[0]“;

$pwd = “$user[2]“;

} else {

$uid = “$user[0]“;

$pwd = “$user[2]“;

}

if ($uid != “” AND $pwd != “”) {

    $sql = “SELECT user_password FROM “.$user_prefix.”_users WHERE user_id=’$uid’”;

$result = $db->sql_query($sql);

$row = $db->sql_fetchrow($result);

$pass = $row[user_password];

if($pass == $pwd && $pass != “”) {

return 1;

}

}

return 0;

}

The cookie contains base64 encoded form identifier, a field that is unknown and a password. If we use as a cookie 12345 ‘UNION SELECT’ mypass ‘:: mypass base64 encoded, the SQL query becomes:


  SELECT user_password FROM nk_users WHERE user_id=’12345′ UNION SELECT ‘mypass’

This query returns the password mypass, the same password as we have to provide. So we are connected.

How to inject the code in Cookies?

There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server. Then the tester can introduce his malicious SQL statement in the cookie field.
It’s like a get/post based SQL Injection, except that certain characters can’t be used. Forexample, ‘;‘ and ‘,‘ are typically treated as delimiters, so they endthe injection if they aren’t URL-encoded.

Conclusion

Cookie variables sometimes are not properly sanitized before being used in SQL query. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code. For the web application audits, cookie variables should be added to the list of parameters to be checked.

For more Updates Visit: amadahmad.blogspot.com


Most Popular Programming Languages, Frameworks, Libraries, And Databases | 2017


Stack Overflow has released its much-anticipated Developer Survey 2017. This year, over 64,000 developers took part in the survey and shared their preferences. The survey revealed that for the fifth time in a row, JavaScript was the most commonly used programming language, followed by SQL and Java.
Stack Overflow is the world’s largest online community for programmers where they can learn languages, share code, and help each other. The website also releases its annual developer survey which gives a pretty solid idea of current programming trends, the work lives of developers, their habits and preferences, etc.
Since 2011, Stack Overflow is conducting this survey each year. This year’s survey is the biggest in Stack Overflow’s history with 64,000 developers taking part. Over the course of next few days, I’ll be telling you about some of the major highlights of this survey.

Most popular programming languages:

For the fifth time in a row, JavaScript has topped the list of the most commonly used programming languages. JavaScript is followed by SQL and Java.
The growth of Python is notable. It has overtaken PHP for the first time in five years. Here’s the list of the most popular programming languages:

Most popular frameworks, libraries:

In this category, Node.js and AngularJS continue to be the most commonly used technologies:

Most popular databases:

For the first time in its survey, Stack Overflow asked the developers what databases they were using. MySQL and SQL Server turned out to be the biggest databases:

For more Updates Visit: amadahmad.blogspot.com

6 Single Letter Programming Languages You Should Know About


Short Description: C and R are one of the most popular single letter programming languages. There are other lesser-known one-letter programming languages that solve specific problems. While F was developed as modern Fortran, K can be used to write elaborate programs in just a few characters. There exist other one letter programming languages like D, J, and M.
A
part from C, other single letter programming languages are aimed at performing specialized tasks. Many of them have a cult following in the developer community, thanks to their ability to solve tricky problems.

Just like C, another popular single letter programming language is R. It’s used to study numbers and create graphs with intricate data. Earlier, R was called S. In this article, I’ll be telling you about some more single letter programming languages. Let’s take a look:

6 Lesser Known Single Letter Programming Languages

D Programming Language

D is an object-oriented multi-paradigm system programming language with C-like syntax and static typing. It was developed by re-engineering C++ programming language. Apart from inheriting the C++ features, this single letter programming language also has some characteristics of other languages like C#, Java, Ruby, and Python. dlang.org

F Programming language

F was developed as modern Fortran. It’s a minimal subset of the language with about one hundred intrinsic procedures. It’s a compiled, modular, numeric programming language that’s designed to work with legacy Fortran 77 code. F was first included in g95 compiler.Fortran.com/F

J Programming language

J is a single letter programming language with a normal character set that offers the power of APL. It’s a high-level, high-performance, general purpose programming language that runs on 32/64-bit Windows/Linux/Mac, iOS, and Android. Its applications include mathematical, statistical, and logical analysis of data. Since 2011, J is free and open source under GPLv3 license. Jsoftware.com

K Programming Language

K is a proprietary language from array processing. Originally developed in 1993, this single letter language is a variant of APL and infuses the elements of Scheme. After its commercialization by Kx Systems, its open source fork Kona came into the picture. K lets one write detailed algorithms to deal with arrays with the help of just a few keystrokes. Kx.com

M Programming Language

M, or alternatively MUMPS (Massachusetts General Hospital Utility Multi-Programming System), is a general purpose programming language. Its key feature is an inbuilt database that enables high-level access to storage, using simple symbolic program variables and subscripted arrays to access the main memory. M uses the same basic syntax to access volatile memory and non-volatile storage, providing a high-performance data access. Today, it’s used in many large hospitals for data processing. MUMPS

P Programming Language

P is Microsoft’s programming language for asynchronous event-driven programming and Internet of Things applications. It’s a domain specific language that compiles to and interoperates with C. Microsoft has used this single letter programming language to implement and validate the USB device driver stack that comes with Windows Phone and Windows 8. Earlier this year, P was open sourced by Redmond. P on GitHu

Network Topology




Network topology is defined by two types — physical topology and the logical topology. While physical topology talks more about the geometry and physical placement of the devices on the same hand, logical topology is more about the way data communication or signalling happens among the devices.

What is Network Topology?

Network topology is the arrangement of the different networking elements like network links, computers, switches, nodes, Wi-Fi access points, laptops and other network devices in a computer network.
There are two types of Network Topologies:
  • Physical Network topology and,
  • Logical Network topology

What is a Physical topology?

A Physical topology defines how all the network devices are connected physically in a computer network. It mostly defines the physical connections among the devices.

What is a Logical topology?

A logical topology defines the logical connectivity of network devices on a computer network. So, it might happen that the devices connected in one type of physical topology might have different underlying logical topology.
If we elaborate more on the physical topology, it is essentially the placement of the various network components in a computer like the placement of the devices, the connection among the devices, installation of the cables etc. On the other hand, logical connection defines how data flows among the devices.
For example, let say there are five devices (A, B, C, D and E) that are connected in a row. This configuration of network devices might look more like a Bus topology. But let’s say device A can directly transmit the data to the device E. That means it looks more like a Circle which a Ring topology logically but a bus topology physically.
We will talk about different kinds of topologies — physical and logical — one by one in the next article. If you want articles on some particular topic, feel free to ask us in comments below.
For more Visit Us: amadahmad.blogspot.com

Brain – The New AI-powered Search Engine That Wants To Replace Google



Brain is the new product from Jerry Yue which is based on an advanced algorithm. Brain will work as a personal virtual assistant for each user by having users input not just a profile of who they are, but what they do and what they want to do in the future.
Jerry Yue who became famous for his last startup, the Chinese food delivery service Benlai.com, is on the way to launch Brain LLC in the US with the help of his young team of engineers from China’s top engineering school in Beijing.

Also Read: What Code Should You Learn In 2016
The engineers at Brain LLC claim that they have developed an advanced algorithm based on artificial intelligence that serves up the most contextually relevant information to a user without the need to go through the search results. One step further, Brain’s Advanced algorithm is already answering questions on Quora with an incredible degree of accuracy.
But, according to Jerry Yue, this is just the beginning. Ultimately, Yue wants his advanced algorithm to serve as a compliment to a users’ own brain.
“At a high level… if Google is a search engine this is an ambition engine,”
— Yue tells.
In the upcoming days, Yue wants ‘Brain’ to be the personal virtual assistant for each user by having users input not just a profile of who they are, but what they do and what they want to do in the future. Based on the user profile, Brain will create a set of data sets and it will combine its data set with a social platform to connect users who share similar interests.
While Yue was building Benlai.com, he spent his spare time tinkering with robotics and programming.
“I’ve been working on this algorithm for more than four years,”
— said Yue.
He has already raised nearly $1.5 million funds from an influential Chinese investor.

Do You Know HTML And CSS? Prove Your Skills By Playing Super Markup World In Your Browser



There’s a new game online that you can play in your browser and dust off your HTML and CSS skills. Play Super Markup World now and use HTML commands to save your friend.
Do you know basic HTML? Is Super Mario Bros one of your favorite games? Assuming that you’ve answered these questions in positive, I’ll tell you about Super Markup World.
This game demands the knowledge of HTML and CSS to move ahead. Unlike Mario games, you don’t get to jump here and there or save the princess. Instead, you need to solve a series of HTML puzzles in the command window to save your friend Pixella.
The game doesn’t feature a solid storyline or thrill of famous games, but it allows you to use coding to extend your platform or create new ones to reach the other side.
The description of the game reads:
Pixel and Pixella live in the Super Markup World which was created by the great architect Markup Polo. On a beautiful sunny day when Pixel and Pixella visited the mountainous region of Divland the evil architect Badacss has collapsed all the mountains! Pixella somehow evaded the disaster using a hyperlink tag. But now Pixel and Pixella are separated! It is up to you, Pixel, to find Pixella and destroy badacss.
If you know some CSS, you can use some clever tricks (find them here) and scripts to make your game easier. Note that at the moment this game is only designed for Chrome and performance in other browsers is terrible.
Give Super Markup World a try and test your HTML and CSS skills. Feel free to share your experience in the comments below.

What Code Should You Learn in 2016?



Why you should learn to code?

Apple Founder Steve Jobs once said in an interview: “I think everybody in this country should learn how to program a computer because it teaches you how to think.”
With the changing environment around us and the inclusion of computers in our personal space, technology and computers are now an integral part of our lives. Learning how to code shouldn’t be looked upon as applied sciences and math because it shows us a path to solve life problems and process our thoughts.

Also Read: 5 Reasons Why You Should Learn To Code
This isn’t just a career making skill, but it’s also an in-demand job skill. If you are proficient in your field and having technical knowledge of your subject, learning how to code can empower you to become different and get more attention.
Learning code is now easier than ever. There are so many free and open platforms waiting for you to come and join them. Considering the fact that the average salary of a computer programmer touched an all-time high of $100,000 last year, learning and mastering a language isn’t a bad idea at all.

What Code Should You Learn?

Today I am sharing an enriching infographics by WhoIs Hosting. This telling you about the multiple choices you face as a beginner. Take a look:
learn to code
          Visit for more :http://amadahmad.blogspot.com

Top 5 Billionaires In The Technology World

It’s time to meet the top five billionaires in the technology world. They are the people who have superpowers to change the world and make it more simple and connected. Their contribution to the human society is priceless.
Let’s take a look at the top five names from the Forbes’ list of the rich people in tech. These billionaires have changed the way how we commute, socialize , shop, and entertain ourselves. Apart from changing the face of the technology world, they have invested their sincere efforts and hard-earned money for the betterment and upliftment of those who are unable to fulfil their daily needs.

Bill Gates:


Wealth: $79.6 billion
Nationality: American
Known For: Microsoft, Bill and Melinda Gates Foundation
Born on October 28, 1955, the multi-billionaire retained the crown of the wealthiest person for 16 times in the Forbes list. It is hard to guess, for a man with so delicate appearance, designed his school seating arrangement systemin such a way that it allowed him to sit next to female students. His family encouraged him to get familiar with coding at an early age and emphasized on competition, there was a reward for each success, no matter how small and a penalty for every failure.
At Lakeside School, he wrote his first code that was a Tic-Tac-Toe using BASIC programming language on a GE computer. He met Paul Allen in 1968, who partnered him in his coding activities and the duo finally created Microsoft in Gates’ garage in 1975. His biggest rival was Steve Jobs, who co-founded Apple in 1977. Two were high achievers, college dropouts, and created billion-dollar companies. Though they were just opposite of each other but they had an indefinable relationship. Gates got emotional when he was asked about Jobs after his death.
He and I, in a sense, grew up together. We were within a year of the same age, and we were kind of naively optimistic and built big companies. And every fantasy we had about creating products and learning new things — we achieved all of it. And most of it as rivals. But we always retained a certain respect and communication, including even when he was sick.
— Gates said in an interview. Most of you might not know, Bill Gates wrote a letter to Steve Jobs when he was in his last days. Steve didn’t read that letter, maybe he already knew what Bill wanted to convey in that piece of paper.
In early Microsoft days, Gates used to remember employees’ licence plates so that he could keep an eye on their attendance. He left his CEO position in the year 2000 and served as the chairman of Microsoft until 2014 when he finally restructured his priority list and became more involved as Co-Chair at Bill and Melinda Gates Foundation to pursue his hobby as a philanthropist. The foundation works for the upliftment of people in poor and underdeveloped countries and provides financial aid to fight dangerous diseases.
Apart from the technology world, he has been a much talked about name on other platforms. He bagged a position in the list of “50 Most Eligible Bachelors” in 1985. He married Melinda French on January 1, 1994, has three kinds Jenifer, Phoebe, and Rory and lives with his family in the 66,000 sq. ft. home known as The Gates’ Mansion.

Larry Ellison:

Wealth: $50 billion
Nationality: American
Known For: Oracle
Born in New York City, he was an adopted child to a Jewish family and we can find him as one of the names in the list of dropout billionaires. Initially, Ellison worked for Ampex Corporation where he was assigned the task to design a database for CIA. In 1977, he started his own company called Software Development Laboratories with two partners and an initial investment of $2000. The company was later renamed to Oracle Systems Corporation after its famous database product Oracle.
Ellison is a licenced pilot and to satisfy his flying passion, he has shelled out some serious amount of cash. His aircraft collection also includes two military jets, SIAI-Marchetti S.211 and MIG-29. The military jet pilot is also a tennis fan and to content his tennis fever, he has bought the ownership of the Indian Wells Tennis Garden and the Indian Wells Masters tournament.
The ex-CEO of Oracle now serves as the Executive Chairman and CTO at an annual $1 paycheck. He has criticized a list of technology executives for violating Oracle’s patent rights. In an interview with Charlie Rose on CBS This Morning, he accused Google and specifically Larry Page, ‘of being evil’. Oracle sued Google for using their patented Java language – which they inherited as a part of Sun Microsystems acquisition – for the development of their Android OS. “I think what they did was absolutely evil which is completely different. And I know their slogan is “Don’t be evil” but, this time, they slipped out.” – He replied when asked about Page. This long gone fight was in the news last month, when Google went to seek court’s permission to press sanctions against an Oracle Lawyer.
Apart from these technology-centric legal battles, Ellison has also filed an off-track lawsuit. Once he filed a case against his neighbours because their acacia and three redwood trees were blocking his view. He actually hired a “tree lawyer” for that purpose.

Jeff Bezos:

Wealth: $47.8 billion
Nationality: American
Known For: Amazon
The technology entrepreneur Jeff Bezos – who wants to send Donald Trump into space – was one of the first investors to the search giant Google, who paid an amount of $250,000. He spent his childhood summer vacations at the ranch where his grandfather lived after taking premature retirement as a regional director of U. S. Atomic Energy Commission. He developed a technical interest at an early age and that reflected through his academic performance. Bezos attained the Bachelor of Science degree in Computer Science and Electrical Engineering from Princeton University.
In 1994, he quit his job and founded a book selling website Amazon, which is now the largest e-commerce company in the world. Back then, the Quill Corp. v. North Dakota US Supreme Court Ruling was announced, that a business must have a physical presence in a state for that state to require it to collect sales taxes. This triggered the idea in Jeff’s mind for which he prepared the business plan while driving from New York to Seattle after kicking his high salary job. It was until the year 2012, Amazon took the advantage of the ruling to edge over its competitors in the retail sector.
Bezos also founded a human spaceflight company Blue Origin which was for the purpose of enabling private human access to space. When he was 18, he wanted to make space hotels, amusement parks and colonies for around 2 to 3 million people who will be in the orbit. His shopping bag also has The Washington Post which he bought in 2013 after paying a cash amount of $250 million.

Mark Zuckerberg:

Wealth: $41.2 billion
Nationality: American
Known For: Facebook
The billionaire Facebook boss whose first business card titled “I’m CEO, bitch”, is also a college dropout and works for an annual paycheck of $1. He started Facebook in his Harvard dorm with his fellow roommates. Initially, the website was confined to the Harvard campus but it was later expanded to nearby colleges and got worldwide recognition in the following years replacing Google’s Orkut from the throne. Even Zuckerberg wouldn’t have thought, his work would go this far.
Zuckerberg has a multilingual proficiency with command over Latin, Hebrew, French, ancient Greek, and most recently Chinese. He was a science geek in his childhood and won several prizes during his school years.
Zuckerberg’s Facebook journey was portrayed in the movie The Social Network released in 2010 – “I just wished that nobody made a movie of me while I was still alive” – Zuckerberg said.
In August 2013, Zuckerberg announced the internet.org initiative which was for the purpose of providing free basic internet services to the technology deprived population of countries like India. However, his initiative – which provided its services through an app called Free Basics – was much criticized for being a challenge to the open internet (net neutrality), as it featured only selected services, though, they were free. Recently, Facebook’s Free Basics app has been banned in India.
Apart from being considered as a Good Guy who wants to connect the world, Zuckerberg has fought legal battles against his Harvard seniors, who claimed that he made them believe he was working for their HarvardConnection.comproject but he used their resources to create Facebook. The lawsuit finally got settled for a $20 million cash payment and 1.2 million common shares transfer.
As a philanthropist, Zuckerberg has supported The Giving Pledge initiative in which he has committed to donate 50% of his wealth to charity over the course of time. Zuckerberg married to Priscilla Chan in 2012, and the couple started the Chan-Zuckerberg initiative. In an open letter to their newborn daughter Max, they announced that they would be transferring 99% (valued at 45 billion at the time of announcement) of their Facebook shares to the Chan-Zuckerberg initiative.

Larry Page:

Worth: $33.4 billion
Nationality: American
Known For: Google, Alphabet
Page was a Ph.D. student (dropped out later on) at Stanford, where he met Sergey Brin who was assigned the task to take new students on a campus tour. The two had argumental clashes all along the tour but they became friends over the time, finally moving ahead to create Google. Well, the two of them still have opinion differences, but they consider it as a positive point and helpful for their growth. That’s quite obvious, even the two sides of a coin aren’t the same but they do contribute to the value of the coin.
His love for technology was visible from his childhood, in fact, he was the first kid in his elementary school to submit a word-processed assignment. Both his mother and father were computer science faculties at the University of Michigan and his home was filled with lots of gadgets and science magazines.
He graduated from the University of Michigan where he used Lego Bricks to make an inkjet printer. The 42-year-old internet entrepreneur currently works as the CEO of the newly incorporated Alphabet which is the parent company to Google and another big projects that were earlier a part of Google. He is a business opportunist, it was at the time when Google was busy coding the payment system for its advertisement service and Larry came to know that users in Uzbekistan were unable to make payments by credit card, as it was not accepted in the country. So, he decided to take goats as a form of payment.
In his initial days at Google, Page was harsh, who often hurt people with his arguments. When he was appointed as the CEO for the second time, he declared a “zero tolerance for fighting” policy as he realised a harmonious environment was a must for the betterment of the company and the employees. He has a rare medical problem known as Hashimoto’s Thyroiditis. In 2013, he announced that his right vocal cord is paralysed and his left vocal cord got paralysed in 1999. This problem ultimately stopped him from attending Google annual meetings.
Page is the owner of a $45 million super luxurious yacht which he bought in 2011. He also bought the properties next to his house in Palo Alto and deconstructed them make a new 6000-sq ft. Ecohouse which has a very low carbon footprint.