Hacking Websites with SQL Injection

KRSP - SQL Injection

Here is an easy-to-understand video from Computerphile, presented by Tom Scott, explaining how SQL injection works.

One of the biggest mistakes made by newbie web developers is failing to properly sanitize data input by users. Web forms that let users enter data into a database give your web application a direct path to that database. If you’re not careful, you could give a user the ability to read, write, modify and delete records, or even worse, delete your entire database.

Another major mistake made by inexperienced developers is granting ALL privileges to the database user account that the application uses to connect to the database. When creating a database account for the application, follow the least-privilege model: grant only the privileges necessary for the functions the application actually performs. You wouldn’t use a chainsaw to cut a sandwich in half, would you (it sounds cool, but trust me, it ain’t pretty)?
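To make both points concrete, here is an added example (not code from this post or from the Computerphile video) that puts a string-built login query next to a parameterized one and then shows what a least-privilege connection refuses. It uses Python's standard `sqlite3` module with a constructed `users` table. SQLite has no `GRANT`, so a read-only connection stands in for a database account that was only granted `SELECT`; on MySQL or PostgreSQL you would express the same idea with the account's grants.

```python
import os
import sqlite3
import tempfile

# Constructed sample data: two accounts in a toy users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db(path):
    """Create the constructed users table in a SQLite file at `path`."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    conn.close()


def login_vulnerable(conn, name, password):
    """The mistake described in the post: user input is pasted into the SQL text,
    so a quote in the input changes the structure of the query."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterized query: the driver sends the values separately from the
    statement, so quotes or keywords in the input are only ever data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def demo():
    """Run both lookups with a normal credential and with the classic
    tautology input, then show what a read-only connection blocks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        make_db(path)

        # Full-privilege connection, the way applications are too often set up.
        rw = sqlite3.connect(path)
        results = {
            "vuln_normal": login_vulnerable(rw, "alice", "s3cret"),
            "vuln_tautology": login_vulnerable(rw, "x", "' OR '1'='1"),
            "safe_normal": login_safe(rw, "alice", "s3cret"),
            "safe_tautology": login_safe(rw, "x", "' OR '1'='1"),
        }
        rw.close()

        # Least privilege: a login check never needs to write, so the account
        # (here: a read-only SQLite connection) should not be able to.
        ro = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            ro.execute("DELETE FROM users")
            results["readonly_delete_blocked"] = False
        except sqlite3.OperationalError:
            # SQLite refuses with "attempt to write a readonly database".
            results["readonly_delete_blocked"] = True
        ro.close()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every user for the tautology input because the injected quote closes the string and the `OR` rewrites the `WHERE` clause; the parameterized version returns nothing, because the same text is compared as a literal password. The read-only connection shows the second lesson: even if a query is abused, an account that was never granted write access cannot be used to delete the table.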

The video below is a good starting point for anyone who wants a quick breakdown of SQL injection. Add what you learn from it to your security toolbox and keep expanding it.
