1
00:00:14,680 --> 00:00:21,220
Let us start with the most important part in Web application testing, that is a skill injection.

2
00:00:21,820 --> 00:00:28,530
In this lecture, we learn an overview to what is a skill injection with advanced technology.

3
00:00:28,840 --> 00:00:32,020
Modern society has accomplished many unthinkable goals.

4
00:00:32,440 --> 00:00:36,310
However, as technology develops, so does the risk increases.

5
00:00:36,940 --> 00:00:42,450
Same is the case with Web applications to these applications are fraught with vulnerabilities.

6
00:00:43,060 --> 00:00:50,620
Since 2003, a SQL injection has remained in the Web's top 10 list of application security risks that

7
00:00:50,620 --> 00:00:52,030
companies are wrestling with.

8
00:00:52,940 --> 00:00:59,840
So what is a skill in attack, a skill in addiction, also called a skill eye, is an injection attack

9
00:00:59,840 --> 00:01:05,690
when an attacker executes malicious ESKIL statements to control a Web applications database server,

10
00:01:06,050 --> 00:01:09,910
thereby accessing, modifying and deleting unauthorized data.

11
00:01:10,670 --> 00:01:17,040
In the early days of the Internet, building websites was a simple process, like no JavaScript, no

12
00:01:17,080 --> 00:01:19,030
Sears's and only a few images.

13
00:01:19,580 --> 00:01:25,550
But as the websites gained popularity, the need for more advanced technology and dynamic websites grew.

14
00:01:26,520 --> 00:01:34,140
This led to development of side scripting languages like GSP and HP, we started storing user input

15
00:01:34,140 --> 00:01:36,370
and content in databases like my skill.

16
00:01:36,720 --> 00:01:42,840
My skill became the most popular and standardized language for accessing and manipulating databases.

17
00:01:43,590 --> 00:01:50,160
However, hackers found new ways to leverage the loopholes present in the insecure technology and SQL

18
00:01:50,160 --> 00:01:56,040
injection attack is one of the most popular ways of targeting databases and SQL injection targets.

19
00:01:56,040 --> 00:02:03,420
The databases using specifically crafted SQL statements systems in unexpected and undesired things.

20
00:02:04,080 --> 00:02:06,670
So why is a skill injection so dangerous?

21
00:02:07,440 --> 00:02:12,150
There are a lot of things an attacker can do when exploding, and it's a good indication on a terrible

22
00:02:12,150 --> 00:02:12,650
website.

23
00:02:13,140 --> 00:02:18,690
But leveraging and SQL injection vulnerability, given the right circumstances and attacker can do the

24
00:02:18,690 --> 00:02:25,050
following things like bypass web applications, authorization mechanisms and extract sensitive information

25
00:02:25,920 --> 00:02:26,370
easily.

26
00:02:26,370 --> 00:02:32,700
Control application behavior that is based on the data in the database, inject further malicious code

27
00:02:32,700 --> 00:02:40,680
to be executed using user access applications and modify and delete data, corrupting the database and

28
00:02:40,680 --> 00:02:42,660
making the application unusable.

29
00:02:43,610 --> 00:02:49,080
Enumerate the authentication details of a user registered on the website and use the data in attacks

30
00:02:49,080 --> 00:02:49,890
on other sites.

31
00:02:50,640 --> 00:02:56,220
It all depends on the capability of the attacker, but sometimes and SQL injection can lead to a complete

32
00:02:56,220 --> 00:02:58,470
takeover of the database and web application.

33
00:02:59,340 --> 00:03:01,890
So how does a skill injection attack works?

34
00:03:02,550 --> 00:03:08,040
A developer usually finds in a school query to perform some database action necessary for the application

35
00:03:08,040 --> 00:03:08,620
to function.

36
00:03:09,390 --> 00:03:15,060
This query has one or two arguments so that only desired records are written when the value for the

37
00:03:15,240 --> 00:03:23,760
argument is provided by the user and ESKIL attack plays out in two stages research an attack in the

38
00:03:23,760 --> 00:03:30,480
research phase and I could use some random, unexpected values for the argument, observes how the application

39
00:03:30,480 --> 00:03:31,050
responds.

40
00:03:31,050 --> 00:03:38,190
And besides an attack attempt in the attack phase here, attacker provides carefully crafted value for

41
00:03:38,190 --> 00:03:38,910
the argument.

42
00:03:39,360 --> 00:03:44,940
The application will interpret the value part of an ESKIL come on, rather than merely data.

43
00:03:45,390 --> 00:03:49,610
The database then executes the self-command as modified by the attacker.

44
00:03:49,830 --> 00:03:54,120
In the next video, we will learn different types of skill in addiction attacks.