MaXe wrote: How to prevent SQL injections? According to Skillsoft, strong authentication and bruteforce prevention. (Wtf?) :)
As the right answer is: sanitize user input in SQL queries with e.g. mysql_real_escape_string($var); in PHP (aka SDLC / Secure Development LifeCycle), and it doesn't exist in the CEHv6 courseware by Skillsoft, I had to use the possible answers the best way I could.
Explanations to the possible answers and my choices:
- Enforce the use of strong passwords and typing: It's simply wrong.
- Ensure that HTML placeholders in URLs are replaced with symbols: I read this as "encode (sanitize) user input so < becomes &lt;". The problem is that they don't use the language anyone else uses.
- Grant user unlimited login attempts: I knew this would be wrong no matter what.
- Append all quotes sent to clients: This was a bit weird, but I read it as: "Append a backslash to quotes and apostrophes sent BY clients / users." That did make sense, even though it does not protect against SQL injection. (Double-byte characters can bypass this.)
- Limit the allowed number of failed login attempts: I have no idea why this is right, as login attempts have nothing to do with SQL injection. According to Skillsoft, they do.
As I know you can't have just one right answer in the Skillsoft tests when they are multiple-choice questions, I had to choose at least two. (Sometimes three.)
When I read my first possible choice of answer again, a few months later, I can see that it can be interpreted as: replace " with &quot;, and that is of course wrong. :)
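The post above contrasts escaping quotes with actually fixing the query. As an added example (not code from the thread or from the CEHv6 material), here is the same lookup built three ways against an in-memory SQLite database with constructed sample rows: raw concatenation, concatenation with an escaping function, and a parameterised query. SQLite escapes a single quote by doubling it rather than with MySQL's backslash, so the `escape_string` helper here is a stand-in for mysql_real_escape_string, not a copy of it. Instead of the double-byte bypass mentioned in the post, the example shows a simpler limitation of escaping: it only helps inside quoted string literals, so a numeric column compared without quotes is still injectable, while the parameterised version is safe in either context.

```python
import sqlite3


def make_db():
    """Throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "letmein")],
    )
    return conn


def login_concat(conn, name, pw):
    """Vulnerable: user input is pasted straight into the query text."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def escape_string(value):
    """Stand-in for mysql_real_escape_string(): neutralise quote characters.
    SQLite string literals escape a single quote by doubling it (MySQL would
    use a backslash). Either way this only helps INSIDE a quoted literal."""
    return value.replace("'", "''")


def login_escaped(conn, name, pw):
    """Escaped AND quoted: the classic ' OR '1'='1 trick is defused."""
    sql = (f"SELECT name FROM users WHERE name = '{escape_string(name)}' "
           f"AND pw = '{escape_string(pw)}'")
    return [row[0] for row in conn.execute(sql)]


def user_by_id_escaped(conn, user_id):
    """Escaped but NOT quoted (numeric column): the attacker needs no quote
    character at all, so the escaping changes nothing."""
    sql = f"SELECT name FROM users WHERE id = {escape_string(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def user_by_id_param(conn, user_id):
    """Parameterised: the value travels separately from the SQL text and is
    never parsed as SQL, whatever the context."""
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur]


def login_param(conn, name, pw):
    """Parameterised login check, the form the post calls the right answer."""
    cur = conn.execute("SELECT name FROM users WHERE name = ? AND pw = ?", (name, pw))
    return [row[0] for row in cur]


if __name__ == "__main__":
    conn = make_db()
    quote_payload = "' OR '1'='1"
    numeric_payload = "0 OR 1=1"
    print("concat, quoted   :", login_concat(conn, "x", quote_payload))      # all users leak
    print("escaped, quoted  :", login_escaped(conn, "x", quote_payload))     # nothing
    print("escaped, numeric :", user_by_id_escaped(conn, numeric_payload))   # all users leak again
    print("param, numeric   :", user_by_id_param(conn, numeric_payload))     # nothing
    print("param, legit     :", login_param(conn, "alice", "s3cret"))        # ['alice']
```

The point for a test: when you find an escaping function in the code base, look for every place the escaped value lands outside quotes (numeric comparisons, ORDER BY, LIMIT); those are the spots where the escaping is decoration.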
The correct answer is clearly: only support Internet Explorer, so sqlmap doesn't work.
*I was recently involved in a web app test where everything was completely IE-centric, and none of the common tools worked. Security through inaccessibility...
You can change the user agent of most tools and thereby fool websites into allowing you access anyway. I've used this quite a lot when websites say: "You cannot access this website unless you use Internet Explorer". Oh yeah? *Changes user agent* Oh yes we can! ;D
It sounds a bit crazy about the web app test, but I have seen it on a few sites, often those that are poorly coded, or using ActiveX plugins without which the website won't work.
The funny thing is IE doesn't follow HTML coding standards anyway, so it's somewhat of a joke to make a website compatible only with IE, even though many users, unfortunately, still use IE.
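To show the user-agent trick from the reply above end to end, here is an added example (not code from the thread) that stands up a tiny local HTTP server imitating an IE-only gate and then fetches it twice: once with a default client string, once with a spoofed Internet Explorer string. The gate's regex, the spoofed string and the server are all constructed for the demo; real sites sniff in many different ways, but the principle that the check rests entirely on a client-supplied header is the same.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for how an IE-only site typically sniffs the browser.
IE_ONLY = re.compile(r"MSIE|Trident/")

# Spoofed value for the demo; any string matching the gate's regex would do.
SPOOFED_IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"


class IEOnlyHandler(BaseHTTPRequestHandler):
    """Refuses every client whose User-Agent does not look like IE."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if IE_ONLY.search(ua):
            code, body = 200, b"welcome"
        else:
            code, body = 403, b"You cannot access this website unless you use Internet Explorer"
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), IEOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, user_agent):
    """GET the gate with an explicit User-Agent; return (status, body)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/",
                                 headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Run both requests against the local gate and return the results."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {
            "default": fetch(port, "Python-urllib/3"),
            "spoofed_ie": fetch(port, SPOOFED_IE_UA),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label:>10}: {status} {body}")
```

The same header swap is a one-liner in the usual tools: `curl -A "<string>"`, or sqlmap's `--user-agent` and `--random-agent` options, which is how the "sqlmap doesn't work" joke above gets un-joked.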