Cyber Security



Words: 435

Pages: 2

Category: Science and Technology

Date Submitted: 03/15/2016 08:21 PM


Assessment Worksheet

Performing a Web Site and Database Attack by Exploiting Identified Vulnerabilities

Overview

In this lab, you performed simple tests to verify a cross-site scripting (XSS) exploit and an SQL injection attack using the Damn Vulnerable Web Application (DVWA), a tool left intentionally vulnerable to aid security professionals in learning about Web security. You used a Web browser and some simple command strings to identify the IP target host and its known vulnerabilities, and then attacked the Web application and Web server using cross-site scripting (XSS) and SQL injection to exploit the sample Web application running on that server.

Lab Assessment Questions & Answers

1. Why is it critical to perform a penetration test on a Web application and a Web server prior to production implementation?

It’s always best to conduct an initial penetration and security check on all server-side software prior to going live, because it allows most of the bugs and kinks to be worked out and most security holes to be patched before it’s introduced to the vicious wild wild web (WWW).

2. What is a cross-site scripting attack? Explain in your own words.

It is a computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by others.

Allows client-side injection of malicious script to affect server-side functionality or exploit holes.

3. What is a reflective cross-site scripting attack?

A reflective attack allows the web application to generate a response providing unsanitized data from the client scripts.

4. Which Web application attack is more likely to extract privacy data elements out of a database?

Numeric variance, nulling and character scrambling.

5. What security countermeasures could be used to monitor your production SQL databases against injection attacks?

Monitoring changes and logs for abnormalities, such as unusual entry times,...
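The monitoring described in this last answer, as an added example that is not part of the worksheet or of DVWA: it scans a constructed database audit log (one query per line; the log format, the business-hours window and the signature list are assumptions) and flags off-hours queries and common injection signatures.

```python
import re
from datetime import datetime

# Constructed sample audit-log lines: "<date> <time> <db user> <sql>". Not from the lab.
SAMPLE_LOG = """\
2016-03-15 10:02:11 webapp SELECT first_name, last_name FROM users WHERE user_id = '3'
2016-03-15 10:05:42 webapp SELECT first_name, last_name FROM users WHERE user_id = '1' OR '1'='1'
2016-03-15 10:07:03 webapp SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT user, password FROM users -- '
2016-03-15 03:14:00 webapp SELECT first_name, last_name FROM users WHERE user_id = '2'
2016-03-15 10:09:27 reporting SELECT COUNT(*) FROM orders WHERE status = 'shipped'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<sql>.+)$")

# Defensive heuristics for well-known injection shapes; deliberately not exhaustive.
SIGNATURES = {
    "tautology": re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.IGNORECASE),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.IGNORECASE),
    "comment_truncation": re.compile(r"(--|#|/\*)"),
}

# Assumption: the application is normally quiet outside 07:00-19:59.
BUSINESS_HOURS = range(7, 20)


def analyze_line(line):
    """Return the anomaly labels for one audit-log line (empty list = looks normal)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    findings = []
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    if ts.hour not in BUSINESS_HOURS:
        findings.append("off_hours")
    sql = m.group("sql")
    for label, pattern in SIGNATURES.items():
        if pattern.search(sql):
            findings.append(label)
    return findings


def scan_log(text):
    """Map each suspicious line number (1-based) to its anomaly labels."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        findings = analyze_line(line)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, labels in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(labels)}")
```

Signature matching alone misses novel payloads, so the off-hours check stands in for the baseline comparison (query volume, tables touched, result sizes) a production monitor would also keep.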