Skip to main content

Search Shelves Books Log in

Details

Revision #1

Created 1 year ago by naruzkurai

Updated 1 year ago by naruzkurai

Actions

Revisions

Export

Contained Web File.html
PDF File.pdf
Plain Text File.txt
Markdown File.md

Book Navigation

[Completed] Professional Google Cybersecurity Specialization C5/8; assets, threats, and vulnerabilities
Introduction to Course 5
Course 5 overview
Da'Queshia: My path to cybersecurity
Understand risks, threats, and vulnerabilities
Tri: Life in asset security
Security starts with asset classification
Common classification requirements
The emergence of cloud security
Elements of a security plan
The NIST Cybersecurity Framework
Security guidelines in action
Wrap-up; terms and definitions from course 5, week 1
Welcome to week 2
Security controls
Principle of least privilege
最小権限の原則
The data lifecycle
Information privacy: Regulations and compliance
Heather: The importance of protecting PII
Fundamentals of cryptography
Public key infrastructure PKI
Symmetric and asymmetric encryption
Symmetric and asymmetric encryption
Non-repudiation and hashing
The evolution of hash functions
Access controls and authentication systems
The rise of SSO and MFA
The mechanisms of authorization
Why we audit user activity
Tim: Finding purpose in protecting assets
Identity and access management
Wrap-up; Terms and definitions from Course 5, Week 2
Welcome to week 3
Vulnerability management
Defense in depth strategy
Common vulnerabilities and exposures
The OWASP Top 10
Open source intelligence
Vulnerability assessments
Approaches to vulnerability scanning
The importance of updates
Omad: My learning journey into cybersecurity
Penetration testing
Protect all entry points
Approach cybersecurity with an attacker mindset
Types of threat actors
Niru: Adopt an attacker mindset
Pathways through defenses
Fortify against brute force cyber attacks
Wrap-up; Terms and definitions from Course 5, Week 3
Welcome to week 4; threats and social engeneering
The criminal art of persuasion
Social engineering tactics
Phishing for information
Types of phishing
Malicious software
An introduction to malware
The rise of cryptojacking
Cross-site scripting (XSS)
Exploitable gaps in databases
Prevent injection attacks; SQL injection categories
A proactive approach to security
Chantelle: The value of diversity in cybersecurity
PASTA: The Process for Attack Simulation and Threat Analysis
Traits of an effective threat model
Wrap-up; terms and definitions from course 5, week 4
Terms and definitions from Course 5
Course wrap-up

Books

[Completed] Profession...

Exploitable gaps in da...

Exploitable gaps in databases

Let's keep exploring injection and

attacks by investigating another common type of web based exploit.

The next one we're going to discuss exploits the way websites access

information from databases.

Early in the program, you may have learned about SQL.

You may recall, SQL is a programming language used to create,

interact with, and request information from a database.

SQL is used by most web applications. For example, shopping websites use it a lot.

Imagine the databases of an online clothing store

It likely contains a full inventory of all the items the company sells.

Websites don't normally make users enter the SQL queries manually.

Instead, they use things like menus, images, and

buttons to show users information in a meaningful way.

For example, when an online shopper clicks a button to add a sweater to their cart,

it triggers a SQL query. The query runs in the background where no one can see it.

You'd never know from using the menus and buttons of a website, but

sometimes those back inquiries are vulnerable to injection attacks.

A SQL injection is an attack that executes unexpected queries on a database.

Like cross-site scripting, SQL injection occurs due to a lack of sanitized input.

The injections take place in the area of the website that are designed to accept user input. A common example is the login form to access a site.

One of these forms might trigger a backend SQL statement like this when a user enters their credentials.

Web forms, like this one, are designed to copy user input into the statement exactly as they're written.

The statement then sends a request to the server, which runs the query.

Websites that are vulnerable to SQL injection insert the user's input exactly as it's entered before running the code.

Unfortunately, this is a serious design flaw.

It commonly happens because web developers expect people to use these inputs correctly.

They don't anticipate attackers exploiting them. For example, an attacker might insert additional SQL code.

This could cause the server to run a harmful query of code that it wasn't expecting.

Malicious hackers can target these attack vectors to obtain sensitive information, modify tables and even gain administrative rights to the database.

The best way to defend against SQL injection is code that will sanitize the input.

Developers can write code to search for specific SQL characters.

This gives the server a clearer idea of what inputs to expect.

One way this is done is with prepared statements.

A prepared statement is a coding technique that executes SQL statements before passing them on to the database.

When the user's input is unknown, the best practice is to use these prepared statements.

With just a few extra lines of code, a prepared statement executes the code before passing it on to the server.

This means the code can be validated before performing the query.

Having well written code is one of the keys to preventing SQL injection.

Security teams work with program developers to test applications for these sort of vulnerabilities.

Like a lot of security tasks, it's a team effort.

Injection attacks are just one of many types of web-based exploits that security teams deal with.

We're going to explore how security teams prepare for injection attacks and other kinds of threats.

No Comments

Back to top