
Videos

Blocking Malicious Attacks Using SQL Injection Signature Evasion

This video demonstration is focused on a more advanced SQL Injection technique called "signature evasion." As the name implies, these techniques allow SQL Injection attacks to be conducted while avoiding detection by security controls that rely on signatures.

Tags: Attack Method, SQL Injection, Signature Evasion, Web Application Security, Database Security


Detecting XSS Scripting (Cross-Site Scripting)

This video should be viewed following the Script Injection video demonstration. Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes unsanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to select the hyperlink; for example, it could copy user cookies and then send those cookies to the attacker.

Tags: Attack Method, XSS, Cross-site scripting, CSS, Web Application Security, Database Security


Direct Database Access SQL Injection (Database Hacking)

SQL injection is usually a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. In this example, the database is attacked directly by a non-privileged user through direct interaction with the database - not through a Web application.

Tags: Attack Method, Direct Database Access SQL Injection, SQL Injection, Web Application Security, Database Security


Identifying & Blocking Blindfolded SQL Injection

This video demonstration is focused on a more advanced SQL Injection technique called "Blindfolded SQL Injection." These techniques are useful when attacking a system that doesn't display robust error messages. Note that error messages are helpful to attackers in SQL Injection attacks because they can reveal valuable information about the target.

Tags: Attack Method, SQL Injection, Blindfolded SQL Injection, Web Application Security, Database Security


Identifying Database Privilege Abuse by Malicious Insiders

This example of database privilege abuse relates to direct database attacks without Web applications. A malicious insider can decompile a fat desktop Java client to glean credential information allowing him to directly access the database with elevated privileges. Using the application's credentials for database access, not his own, he could operate with the privileges granted to the Java application.

Tags: Attack Method, Insider Threats, Privilege Abuse, Web Application Security, Database Security


Recognizing Web Application Parameter Tampering

This video demonstration explores ways an attacker can modify parameters within a Web application. Parameter tampering is a simple attack targeting the application business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.

Tags: Attack Method, Parameter Tampering, Web Application Security, Database Security


Session Hijacking - Bypassing Web Application Security

Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

Tags: Attack Method, Session Hijacking, Web Application Security, Database Security


Understanding & Preventing SQL Injection - Part I

This is the first of three video demonstrations on basic SQL Injection techniques. SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Tags: Attack Method, SQL Injection, Web Application Security, Database Security


Understanding & Preventing SQL Injection - Part II

This is the second of three video demonstrations on basic SQL Injection techniques. SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Tags: Attack Method, SQL Injection, Web Application Security, Database Security


Understanding & Preventing SQL Injection - Part III

This is the third of three video demonstrations on basic SQL Injection techniques. SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Tags: Attack Method, SQL Injection, Web Application Security, Database Security


Understanding Script Injection

This video should be viewed as a prerequisite to the XSS video demonstration. Script Injection is a form of Web application attack in which the victim Web server is tricked into running the attacker's script/code.

Tags: Attack Method, Script Injection, Web Application Security, Database Security


Using Cookie Poisoning to Bypass Security Mechanisms

This video demonstration illustrates cookie poisoning attacks. Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored on a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal his identity.

Tags: Attack Method, Cookie Poisoning, Web Application Security, Database Security
