SOFTWARE AND APPLICATION SECURITY

Instructions

Validating the entry points of a website is essential, as unvalidated input can result in a number of security threats. In this activity, you will analyze one such threat caused by improper input validation.

This activity will address module outcome 2. Upon completion of this activity, you will be able to:

  • Explain defensive measures to guard web applications against input attacks. (CO# 6)

Respond to the following questions:

1. State how the code below can be subjected to a SQL injection attack to bypass the login mechanism.

    try {
        // User input is concatenated straight into the query string
        String sql = "SELECT * FROM employee WHERE username = '" + username.text + "' AND password = '" + pwd.text + "'";
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery(sql);
    } catch (SQLException e) {
        e.printStackTrace();
    }

[Image: a login screen with username and password text boxes and a login button]

The set of statements above is used for authenticating the user during the login process.

2. Analyze the following SQL statement and state how the hacker can manipulate the given query to access confidential information from the website, such as user details (username, password, credit card details, etc.), from a simple select statement commonly used in the website search text box.

[Image: a search box for searching products on the website]

    Select * from items where item_name Like itemTextbox.text;

Submit your answers in a 2 to 3 page Word document with 100 words for each answer. Compose your work in a .doc or .docx file type using a word processor (such as Microsoft Word) and save it frequently to your computer. For those assignments that are not written essays and require uploading images or PowerPoint slides

Answer

Software and application security

1. The code can be subjected to a SQL injection attack to bypass the login mechanism by inserting a single quotation mark in the name field. This results in an error message that will display the code as highlighted below (Oracle.com, 2020). The code itself cannot be used to retrieve the details of the employee. Rather, it prompts the hacker to inject a set of characters that can be used to effectively log in to the system. The error message tells the attacker to insert the correct details. In this case, the attacker would be able to access admin information which is usually. The attacker modifies the SQL by inserting a login message to OR 1=1 in the username field. The modified syntax simply executes the part OR 1=1, ignoring the rest of the code. That i...
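As an added example (not part of the assignment or the sample answer), the same defect and its fix in Python with sqlite3 rather than the assignment's Java/JDBC: the concatenated login query beside a parameterised one, and a parameterised LIKE search for the second question. The table names follow the assignment; the sample rows and the helper names are constructed.

```python
import sqlite3

# Constructed sample data for this example (not from the assignment).
EMPLOYEES = [("alice", "s3cret"), ("bob", "hunter2")]
ITEMS = [("widget",), ("gadget",), ("gizmo",)]

def make_db():
    """Build an in-memory database with the two tables the assignment names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (username TEXT, password TEXT)")
    con.executemany("INSERT INTO employee VALUES (?, ?)", EMPLOYEES)
    con.execute("CREATE TABLE items (item_name TEXT)")
    con.executemany("INSERT INTO items VALUES (?)", ITEMS)
    return con

def login_concat(con, username, password):
    """Vulnerable: mirrors the assignment's string-built query, so user input
    is parsed as SQL syntax rather than treated as a value."""
    sql = ("SELECT * FROM employee WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone() is not None

def login_param(con, username, password):
    """Hardened: bound parameters (the JDBC PreparedStatement equivalent).
    The driver never interprets the input as SQL, so OR 1=1 stays a string."""
    sql = "SELECT * FROM employee WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None

def search_param(con, term):
    """Hardened search box: LIKE with a bound parameter, plus escaping of the
    user's own '%' and '_' so they cannot widen the match beyond the text typed."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT item_name FROM items WHERE item_name LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, ("%" + escaped + "%",))]

def demo():
    """Run the OR 1=1 input discussed in the answer through both login
    versions and return what each one decides."""
    con = make_db()
    bypass = "' OR 1=1 --"
    return {
        "concat_bypassed": login_concat(con, bypass, "wrong"),  # True: logged in
        "param_bypassed": login_param(con, bypass, "wrong"),    # False: rejected
        "param_valid": login_param(con, "alice", "s3cret"),     # True
        "search": search_param(con, "gi"),                      # ['gizmo']
    }
```

Running demo() shows the concatenated query accepting the OR 1=1 input while the parameterised query rejects it and still accepts the real credentials.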
