Last week we talked about preventing cross-site scripting (XSS): a vulnerability that stems from an attacker’s ability to inject malicious code into the client side of an application.
This week we’re going to talk about SQL injection attacks: whereas XSS affects the client side of an application, SQLi affects its backend.
At its core, a SQL injection vulnerability exists whenever an application inserts untrusted input (anything the application receives from the outside, usually user-supplied data) into a SQL query in such a way that the data is interpreted as part of the query logic, rather than as a value.
Applications are just a wrapper around some data: the truth is in the data, and access to it, interpretation of it and control over it live in the application. …
Cross-site scripting is one of the most common and popular web attacks.
It allows an attacker to inject client-side code into web application pages that are then viewed by the victims.
Consequences and impact vary depending on the type of attack and the context in which it is launched.
XSS can be classified as:
Let’s suppose we have the following PHP code (PHP chosen just because it is legible):
Textbook XSS: The victim opens a link that looks…
There’s always a lot of debate about how to store passwords safely and which algorithm to use: MD5, SHA1, SHA256, PBKDF2, Bcrypt, Scrypt, Argon2, plaintext??
So I tried to analyse and summarise the most recent and reasonable choices: Scrypt, Bcrypt and Argon2. …and yes, MD5, SHA1 and SHA256 are not suitable for storing passwords! 😉
In 2015, I published ‘Password Hashing: PBKDF2, Scrypt, Bcrypt’, intended as an extended reply to a friend’s question.
In summary:
Attackers usually have different and more specialised (more powerful) hardware than we do;
Attackers use specialised hardware because it can be tailored to the algorithm: a different hardware architecture allows certain algorithms to run faster than on non-specialised hardware (CPUs) and, overall, certain algorithms can be…