CYBR430 Week 8 Lab

.docx

School

Bellevue College *

*We aren’t endorsed by this school

Course

430

Subject

Information Systems

Date

Dec 6, 2023

Type

docx

Pages

8

Uploaded by CountDugongPerson1794

Report
Juan Rodriguez CYBR430, Penetration Testing and Incident Response Week 8 Lab – Web Attacks and Accessing Shares Your lab this week has two parts. In part one you will demonstrate a simple SQL injection attack and a XSS attack on a publicly available website developed for this type of training. In Part two you will explore the HAL network shares. Part 1: SQL Injection and XSS Attacks Part 1 of this lab will be done from your test lab or other internet connected computer. The web site we will use for part 1 of the lab is altoromutual.com . You can also access the site at demo.testfire.net . This website has been made available for traicning and testing various product’s effectiveness at identifying and defending against web attacks. You should be sure you have read and understood the sections of your readings listed in Blackboard this week. SQL Injection If you recall from your reading a SQL injection attack takes advantage of an input field not doing input validation. The entry made by the user is constructed in such a way so it is interpreted as SQL and produces results other than what the developer intended. To demonstrate a SQL injection attack we are going to attempt to bypass a login dialog and gain administrator access to a banking website, altoromutual.com. Go to the website altoromutual.com in an internet connected web browser. Click the sign in link on the upper right.
Juan Rodriguez We are going to use a SQL injection to bypass the need to enter a valid password in the dialog box. The SQL code we are going to use is ‘ or 1 = 1 -- This code, when entered into the username field will generally result in the system selecting the first username in its list, usually admin, and then ignoring the requirement for a password. Remember or 1=1 is SQL code which evaluates to ‘or true’ which makes all statements true. You will still have to enter a password in the field but as it never gets checked. Remember, the -- is a comment identifier so everything after is ignored, to include the password check. Provide a screenshot of the login confirmation displayed after your successful SQL injection attack (5 pts).
Juan Rodriguez
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help