A web application consists of front-end and back-end components. The front-end is the user-facing portion of a website, while the back-end includes the application, database, and server that power it. Dynamic websites require a database to store and retrieve information, and have features like inserting, fetching, updating, and deleting data through a control panel. The administrator login page provides access to make changes, and is commonly named variations of "adminlogin" or "administrator". Attackers try to access this page through guessing or searching online to gain unauthorized access. Developers can help prevent this by using unique, non-standard admin page names and strong authentication methods.
How to protect the admin login page from SQL Injection.
1. Web Application
--------------------------------
Website
----------------
A website is a platform to present information about a company (or organization), an
individual, etc.
Essentially, it is a collection of documents known as webpages that contain information:
images, words, digital media, and the like.
Types of websites
--------------------------------
Static websites: - Static websites are those that are not database driven. They can be
developed with basic knowledge of web technologies like HTML and CSS. They present the
information to the visitor in the most direct way, exactly as it is stored on the web server.
These websites do not have a control panel; they are maintained through FTP clients that
connect to the host server. A simple example of a static website is an organization's website
giving details of its portfolio, contacts, resources, projects, etc.
Dynamic websites: - Dynamic websites are those that require a database to store and
retrieve information. They have features such as inserting new data, fetching data,
updating/modifying data, and deleting data, which static websites lack. These websites have
a control panel through which the administrator makes changes as required. Some of the
most popular enterprise databases are: - Oracle, MySQL, SQL Server, DB2, etc.
Parts of web application
-----------------------------------------
Front end: The part of the website that a user can see and interact with.
Back end: Also called the back-end technology infrastructure; it consists of an application, a
database and a server. All the data is stored in the database.
SQL (Structured Query Language)
------------------------------------------------
It is a standard programming language designed to interact with the database.
With the help of SQL, data entered at the front end is stored in the back end. Similarly, data
from the back end is retrieved and presented at the front end.
2. Admin Login Page
------------------------------
It is the page through which the administrator enters the control panel of the website to
make changes. Generally the links for the admin panel are as follows:-
"adminlogin.php" "admin/login.php" "administrator.php" "login/admin.php"
"adminlogin.asp" "admin/login.asp" "administrator.asp" "login/admin.asp"
"adminlogin.aspx" "admin/login.aspx" "administrator.aspx" "login/admin.aspx"
How to target the admin login page?
-----------------------------------------------------
Login with a random username and password:-
-----------------------------------------------------------------------
Username =========> hacker
Password =========> pass1234
LOGIN
3. Simple check deployed behind most websites:
----------------------------------------------------------------------------------
If username.Text = "xyz" And password.Text = "pass" Then
    welcome.Show()
Else
    MsgBox("Invalid username or password.")
End If
The above method is highly insecure: it only checks that a condition is true; it does not
validate the entered username and password.
-Any input that makes the condition true can be used to break into the website.
Example: ' or ''=' , ' or '1'='1 , etc.
-This is called condition-based matching.
-A more secure way is to use a stored procedure, so the input reaches the database as a
parameter rather than as part of the query text.
Random Attacking
------------------------------
Go to google.com and search for: adminlogin.aspx
Target Based Attacking
------------------------------------
google.com: site:target.com admin
google.com: site:target.com adminlogin
How to protect against the attack?
-------------------------------------------
Never use a traditional name for the admin page.
Use a page name like: xyz@c3r.php
Always use an email address or numeric characters as the username.
Filter special characters at the client end (and validate again on the server, since
client-side filtering can be bypassed).
Do have fake messages for hackers: show the same generic error on every failed login so the
response reveals nothing.
4. The following script can prevent SQL injection attacks on a web application.
---------------------------------------------------------------------------------------------------------------------
5. Checking the working of the above script.
----------------------------------------------------------------
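The script referred to in the two headings above is not reproduced on the page. What follows is an added example, not the page's own script, written in Python against an in-memory SQLite database (an assumption standing in for MySQL or SQL Server). It codes the condition-based check from section 3 the way it is usually implemented, with the visitor's input concatenated into the query, beside a hardened version that validates the username on the server, binds it as a parameter, compares a salted password hash, and returns one generic result for every failure. `demo()` feeds the page's own ' or '1'='1 input to both checks. The account name, password, table names and function names are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

# Constructed demo account, stored twice so the legacy (plaintext, concatenated
# query) check and the hardened check can be compared side by side.
ADMIN_USER = "admin@example.com"
ADMIN_PASS = "c0rrect-horse"

# Username must be an e-mail address or digits only, as the page advises.
USERNAME_RE = re.compile(r"^(?:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|[0-9]+)$")


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the database never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite (assumption) with a legacy table and a hardened table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_admins (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO legacy_admins VALUES (?, ?)", (ADMIN_USER, ADMIN_PASS))
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 (ADMIN_USER, salt, hash_password(ADMIN_PASS, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The condition-based check as it is usually coded: user input is
    concatenated straight into the WHERE clause, so the database evaluates
    whatever condition the visitor typed."""
    query = ("SELECT username FROM legacy_admins WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def secure_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: server-side validation, bound parameter (the input is
    data, never SQL text), salted hash comparison, and the same False for an
    unknown username and a wrong password."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Do the hashing work anyway so response time does not reveal
        # whether the username exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_message(ok: bool) -> str:
    """One generic message for every failure, as the page recommends."""
    return "Welcome" if ok else "Invalid username or password."


def demo() -> dict:
    """Runs the page's own input (' or '1'='1) against both checks."""
    conn = setup_db()
    injected = "' or '1'='1"
    return {
        "legacy_correct": vulnerable_login(conn, ADMIN_USER, ADMIN_PASS),
        "legacy_injected": vulnerable_login(conn, ADMIN_USER, injected),
        "secure_correct": secure_login(conn, ADMIN_USER, ADMIN_PASS),
        "secure_injected": secure_login(conn, ADMIN_USER, injected),
        "secure_bad_username": secure_login(conn, "admin' --", ADMIN_PASS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result!s:5s} -> {login_message(result)}")
```

Run it directly to see the legacy check accept the injected password (the WHERE clause becomes "... AND password = '' or '1'='1'", which is always true) while the hardened check rejects it and also refuses a username that is neither an e-mail address nor numeric. The stored-procedure option the page mentions protects for the same reason as the bound parameter here: the input reaches the database as a value, never as part of the SQL text.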