The Yenepoya Institute of Arts, Science, Commerce and

Management (YIASCM)

Course: BSc (Forensic Science) (Data Analytics and Cyber Security) With IBM

Subject: Ethical Hacking and Digital Forensics(BFC602)

UNIT-2 , PART-1
Subject In-Charge: Mrs. Jamuna K M

1
 Objective
• At the end of this session the leaner will able
to understand
 Web application vulnerabilities
 Application coding errors
 SQL injection into Back-end Databases
• Summary
• Reference
 Web application vulnerabilities
• Web application vulnerabilities refer to
security weaknesses or flaws that are present
in a web application's design or
implementation that can be exploited by
attackers.
 some web application vulnerabilities

1. Cross-Site Scripting (XSS):

 XSS attacks occur when an attacker injects
malicious code into a web page, which is then
executed by the user's browser.
 This can lead to the theft of sensitive data
such as login credentials or personal
information.
2. SQL Injection (SQLi):
 SQLi attacks occur when an attacker injects
malicious SQL statements into a web
application's database through input fields.
 This can lead to unauthorized access to
sensitive data or even the entire database.
3. Cross-Site Request Forgery (CSRF):
 CSRF attacks occur when an attacker tricks a
user into performing an action on a website
without their knowledge or consent.
 This can lead to unauthorized changes to the
user's account or even to the website itself.
4. Broken Authentication and Session Management:
 If authentication and session management are
not implemented correctly, attackers can exploit
weaknesses to gain unauthorized access to user
accounts and sensitive data.
5. Insufficient Authorization and Access Control:
 This vulnerability allows attackers to access
parts of a web application they should not be
able to access.
 It can also lead to privilege escalation, allowing
attackers to gain higher levels of access than
they should have.
6. Security Misconfiguration:
 This vulnerability occurs when web application
components are not configured securely,
leaving them open to attacks.
 Common examples include using default
passwords or leaving debug information
enabled.
7. Insecure Cryptographic Storage:
 If sensitive data is not encrypted properly,
attackers can easily gain access to it.
 This can lead to identity theft, financial fraud,
or other types of cybercrime.
8. File Inclusion Vulnerabilities:
 These vulnerabilities allow attackers to
execute arbitrary code on a server by
exploiting weakly implemented file inclusion
mechanisms.
 This can lead to data loss, system crashes, or
even full server compromise.
• To protect against web application
vulnerabilities, developers must follow secure
coding practices, such as input validation,
using prepared statements, and implementing
secure session management.
• Additionally, regular security testing and code
reviews can help detect and mitigate
vulnerabilities before they can be exploited.
 Application coding errors
• Application coding errors refer to mistakes or
bugs in the code of an application that prevent
it from functioning as intended.
• These errors can range from simple syntax
mistakes to more complex logical errors that
are difficult to detect and fix.
 Some application coding errors
1. Types of coding errors: There are several types of coding
errors that can occur in an application, including syntax
errors, logical errors, runtime errors, and semantic
errors.
2. Causes of coding errors: Coding errors can be caused by
a variety of factors, including human error, incorrect
assumptions, lack of testing, and inadequate
documentation.
3. Impact of coding errors: Coding errors can have a
significant impact on the performance, functionality, and
security of an application. They can cause crashes, data
loss, security breaches, and other serious problems.
4. Debugging techniques: There are several techniques that
developers can use to debug coding errors, including
logging, breakpoint debugging, and code review.
5. Prevention of coding errors: The best way to prevent
coding errors is to follow best practices for coding, such as
using a consistent coding style, writing clear and concise
code, and thoroughly testing the application.
6. Importance of code quality: Ensuring code quality is
critical to the success of any software project. Poor code
quality can lead to delays, increased costs, and decreased
user satisfaction.
7. Continuous improvement: Developers should strive for
continuous improvement in their coding practices. This can
be achieved through ongoing learning and training, as well
as regular code reviews and refactoring.
• Overall, application coding errors are a
common challenge that developers face in
software development.
• However, by following best practices for
coding and debugging, developers can
minimize the impact of these errors and
deliver high-quality applications to their users.
 SQL injection into Back-end Databases
• SQL injection is a type of attack where an
attacker can inject malicious SQL code into a
back-end database, bypassing the
application's normal security measures.
• This can allow an attacker to steal, modify, or
delete sensitive data.
some SQL injection into back-end databases

1. SQL injection attacks can be prevented by using

prepared statements or parameterized queries.
These are programming techniques that allow
developers to pass user input to the database
without allowing it to be interpreted as SQL code.
2. One common technique used by attackers is to
use the "union" operator to combine data from
different tables. This can allow an attacker to
retrieve data that they shouldn't have access to.
3. Another technique is to use the "or" operator to bypass
authentication. For example, an attacker could inject code
that would allow them to log in without a valid username
and password.
4. SQL injection attacks can also be used to modify or delete
data in the database. This can be particularly dangerous in
systems that handle sensitive or critical data.
5. To prevent SQL injection attacks, it is important to sanitize
all user input and validate it before it is passed to the
database. Additionally, the database should be configured
with strict permissions to limit the types of queries that can
be executed.
6. Regular security audits and vulnerability scans can also
help identify and address SQL injection vulnerabilities before
they can be exploited by attackers.
• Overall, SQL injection attacks can be a serious
threat to the security of back-end databases.
• By taking steps to prevent these attacks and
regularly testing for vulnerabilities, developers
can help ensure the security of their systems
and the sensitive data they contain.
 Summary
• Web application vulnerabilities can pose a
significant security risk to online applications.
• Two common types of vulnerabilities are
application coding errors and SQL injection attacks
into back-end databases.
• In order to ensure the security of web
applications, it is important for developers to be
aware of these vulnerabilities and take steps to
prevent them through proper coding practices
and security measures.
 Home work Questions
1. How can organizations ensure that their web
applications are secure and free from
vulnerabilities caused by coding errors, both
during development and after deployment?
2. What are some common misconceptions
about coding errors and web application
vulnerabilities, and how can these
misconceptions be addressed?
 References
• Kimberly Graves, "Certified Ethical Hacker",
Wiley India Pvt Ltd, 2010.
• Patrick Engebretson, “The Basics of Hacking
and Penetration Testing” Ethical Hacking and
Penetration Testing Made Easy, Syngress
Media, Second Revised Edition, 2013.
• Thomas Mathew, "Ethical Hacking", OSB
publishers, 2003.