A: SQL Injection is an attack on databases that sit behind a web server front-end. The issue is that the application does not properly 'sanitize' input data before using it in a database query. By submitting carefully crafted input, the attacker is able to gain unauthorized access to the database. This access can take various forms, including read access and the ability to change data, and in some cases it can be used to completely compromise the entire database server.
A: You must ensure that ALL input data is properly verified and that only the specific data requested is passed to the web application. For example, if the user is asked for a ZIP code, accept only the digits 0-9 and perhaps a dash. Check the proper length and format of each input field. Don't forget less obvious input areas such as search fields, "Contact Us" forms, etc.
A: Blind SQL Injection is a variation on the standard SQL Injection attack. Blind SQL Injection occurs when a web application is vulnerable to SQL Injection but does not display query results (or database errors) to the attacker, so the attacker has to infer them indirectly. This type of attack usually takes longer and requires different tools to perform. The use of parameterized statements helps prevent this type of attack just as it does the standard form.
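The two defenses named in the answers above, strict input validation and parameterized statements, as an added Python example (not code from the original FAQ). It uses an in-memory SQLite table with constructed sample rows; the table name, column names, `ZIP_RE` pattern and function names are assumptions made for the illustration. The unsafe lookup is included only to show why string-built queries fail; the parameterized lookup treats the whole input as a literal value, and the validated lookup rejects anything that is not a ZIP code before the query is ever built.

```python
import re
import sqlite3

# Assumed format rule from the FAQ: five digits, optionally a dash and four more (ZIP+4).
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")


def is_valid_zip(value: str) -> bool:
    """Allow-list check: only digits and an optional dash, in the expected shape."""
    return ZIP_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "10001"), ("bob", "94105"), ("carol", "10001-1234")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, zip_code: str) -> list:
    """Vulnerable form: the user's text becomes part of the SQL statement."""
    query = f"SELECT name FROM customers WHERE zip = '{zip_code}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, zip_code: str) -> list:
    """Parameterized form: the driver binds the value; it can never change the query."""
    rows = conn.execute(
        "SELECT name FROM customers WHERE zip = ? ORDER BY name", (zip_code,)
    )
    return [row[0] for row in rows]


def lookup_validated(conn: sqlite3.Connection, zip_code: str) -> list:
    """Defense in depth: reject malformed input, then run the parameterized query."""
    if not is_valid_zip(zip_code):
        raise ValueError("ZIP code must be 5 digits, optionally followed by -NNNN")
    return lookup_parameterized(conn, zip_code)


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "10001"))          # ['alice']
    print(lookup_parameterized(db, "10001"))   # ['alice']
    print(is_valid_zip("10001-1234"), is_valid_zip("10001; DROP TABLE x"))  # True False
```

Run it directly to see the three lookups on well-formed input; the accompanying checks also show that a quote-breaking string returns every row from the unsafe version, zero rows from the parameterized version, and a `ValueError` from the validated one.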
A: XSS (Cross-Site Scripting) is a web application vulnerability that allows attackers to inject malicious code into the browser of a user who visits the insecure web application. Typically the attacker creates a phishing email that contains a link to a vulnerable web site. Inside the link are special commands, often including application code such as JavaScript. When the user clicks the link, the special code is sent to the vulnerable web site, which echoes it back into the page delivered to the user's web browser, where it runs as if it were part of the site. Depending on the contents of the special code, various attacks can be performed on the local user's PC. Stealing cookies and downloading malware and viruses are often performed via this attack.
A: Whether or not XSS attacks can be completely eliminated might be open for debate. However, just like SQL Injection, XSS vulnerabilities can be greatly reduced by properly sanitizing input data: only allow the specific input data requested. Sometimes this is not enough to prevent XSS attacks, because the danger arises where the data is written back into a page, so output must also be encoded for the context it lands in. Proper cookie security is another issue that needs to be addressed. Other techniques for preventing XSS attacks are covered in the referenced material.
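The two points in the answer above, encoding untrusted data at the point where it is written into HTML and setting protective cookie flags, as an added Python example (not code from the original FAQ). It uses only the standard library (`html.escape` and `http.cookies`); the `render_comment` and `session_cookie_header` helpers, the `comment` markup and the cookie name `session` are assumptions made for the illustration. The idea it demonstrates is that input validation alone cannot protect a field such as a free-text comment, so the value is escaped when it is rendered, and the session cookie is marked `HttpOnly` so that even a script that does run cannot read it.

```python
import html
from http.cookies import SimpleCookie


def render_comment(author: str, text: str) -> str:
    """Output encoding: escape each value for the HTML context it is placed in.

    html.escape() rewrites <, >, & and (by default) both quote characters, so a
    value that contains markup or an attribute terminator is shown as text
    rather than interpreted by the browser.
    """
    safe_author = html.escape(author)   # lands inside a double-quoted attribute
    safe_text = html.escape(text)       # lands in element body text
    return f'<div class="comment" data-author="{safe_author}">{safe_text}</div>'


def session_cookie_header(session_id: str) -> str:
    """Cookie hardening: HttpOnly keeps the session id out of document.cookie,
    Secure restricts it to HTTPS, SameSite limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    # Constructed sample values: a comment that contains markup, and a session id.
    print(render_comment("eve", "<b>hello</b> & goodbye"))
    print(session_cookie_header("constructed-session-id"))
```

The escaping is applied when the page is produced, not when the comment is stored, so the same stored value stays safe no matter how many templates later render it.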