1.1.1 What is Cybersecurity?
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.
1.1.3 Session Hijacking
Web applications often use sessions to improve the user experience, and they do so with various kinds of session management that all rest on the same idea. At some early point in the user's interaction, the server creates a session identifier (session ID), sends it to the user's browser, and expects the browser to return the same ID with every subsequent request, typically in a cookie. Session IDs are therefore identification tokens for users, and the server uses them to keep the session data (e.g., session variables) associated with the right user (Desmet et al., 2008). Because the server trusts whoever presents a valid session ID, an attacker who captures a user's ID, for instance by sniffing unencrypted traffic, can replay it and be treated by the server as that user; this is session hijacking.
Figure 1. Capturing user session ID
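The following is an added example, not code from the original text or from Desmet et al.; it models the session mechanism described above with a hypothetical in-memory session store and a cookie named SESSIONID (both assumptions). It shows that the server cannot distinguish the legitimate browser from an attacker replaying a captured session ID, and that rotating the ID (at login or on privilege change) and logging out invalidate a captured token.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session ID -> session data (here, the user).
# Real servers use the same idea with a database or cache behind it.
SESSIONS = {}
COOKIE_NAME = "SESSIONID"   # assumed cookie name


def create_session(username):
    """Issue a new, unguessable session ID and bind it to the user.

    secrets.token_urlsafe(32) gives 256 bits of randomness; predictable or
    sequential IDs would let an attacker guess a valid session without
    capturing it.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def set_cookie_header(sid):
    """Set-Cookie header the server would send with the new ID.

    HttpOnly keeps page scripts from reading the ID, Secure keeps it off
    plaintext HTTP (where Figure 1's capture happens), SameSite limits
    cross-site sending.
    """
    return f"Set-Cookie: {COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header):
    """Resolve the user from the Cookie header of an incoming request.

    Returns None when no valid session is presented. Note that nothing here
    can tell whether the ID came from the victim's browser or from an
    attacker who copied it: the session ID is a bearer token.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    return session["user"] if session else None


def rotate_session(old_sid):
    """Invalidate the old ID and issue a fresh one bound to the same data.

    Doing this at login and on every privilege change limits the window in
    which a captured (or attacker-fixated) ID stays usable.
    """
    data = SESSIONS.pop(old_sid, None)
    if data is None:
        return None
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = data
    return new_sid


def logout(sid):
    """Destroy the session server-side; clearing the cookie alone is not enough."""
    SESSIONS.pop(sid, None)


def demo():
    """Walk through the hijack and the countermeasures; returns the three outcomes."""
    victim_sid = create_session("alice")
    # Constructed attacker request: the cookie was captured on the wire and replayed.
    captured = f"{COOKIE_NAME}={victim_sid}"
    hijacked_as = current_user(captured)        # "alice": the replay succeeds
    new_sid = rotate_session(victim_sid)
    after_rotate = current_user(captured)       # None: the captured ID is dead
    logout(new_sid)
    after_logout = current_user(f"{COOKIE_NAME}={new_sid}")   # None
    return hijacked_as, after_rotate, after_logout


if __name__ == "__main__":
    print(demo())
```

The rotation and logout steps only help once the ID has been captured; preventing the capture itself relies on the cookie attributes in set_cookie_header and on serving the application over TLS.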
1.1.4 SQL Injection
An SQL injection is a security weakness in the database access layer of an application. The attacker passes SQL code, as an input string, to a web application that uses that input to build queries for its database, and in this way gains unauthorized access to the database (Ali et al., 2010).
SQL injection is a severe weakness that usually results in a high level of compromise, typically the ability to execute arbitrary database queries. Because the attack travels inside ordinary web requests from the front end to the backend database, it passes straight through a network firewall, which sees only legitimate HTTP traffic. The root cause is vulnerable code with inadequate validation of input data, which lets attacker-controlled input become part of the SQL command the application executes.
An interactive, database-driven web page generates HTML content based on input received from the user. For example, a page on a news site may display articles belonging to a particular category, such as Sports or Politics, depending on the value passed in the URL query string (Ghafarian, 2017).
Figure 2. Attacker hacking through SQL injection
Figure 3. Attacker password hacking through SQL injection
Similarly, a search page displays results based on the keywords the user enters in the input box. Generally, the web page receives such inputs through the parameters of the URL query string and/or form fields. Cookie values and other HTTP headers included in the request are further input sources and may be used in the program logic as required; each of them is a potential injection point if it is concatenated into a query.
Using this injection technique, the attacker can gain unauthorized access to restricted areas of the web application and can retrieve, alter or destroy the information in the backend database. In most cases the attacker's intention is to steal sensitive information stored there, such as credit card details, email addresses, passwords and other private data.
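The following is an added example, not code from the original text or from the cited works; it reproduces the news-site category page described above against a constructed SQLite database (the articles and users tables, their rows and the attacker payloads are all assumptions). It shows the vulnerable query built by string concatenation, a tautology payload that returns every article, a UNION payload that pulls credentials out of the users table (the "password hacking" of Figure 3), and the parameterised query that makes both payloads harmless.

```python
import sqlite3


def make_db():
    """Constructed sample database: articles as on the news site, plus a users table.

    Passwords are stored in plain text only to keep the demonstration short;
    a real application would store password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, category TEXT, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO articles (category, title) VALUES
            ('Sports', 'Local team wins final'),
            ('Politics', 'Budget vote postponed');
        INSERT INTO users (username, password) VALUES
            ('admin', 'S3cretPass!');
    """)
    return conn


def articles_vulnerable(conn, category):
    """The vulnerable pattern: the ?category= value is pasted into the SQL text.

    Whatever the user sends becomes part of the statement, so quotes, OR,
    UNION and comment markers in the input change the query's structure.
    """
    sql = "SELECT title FROM articles WHERE category = '" + category + "'"
    return [row[0] for row in conn.execute(sql)]


def articles_safe(conn, category):
    """Parameterised query: the value is handed to the driver separately.

    The statement's structure is fixed before the value is bound, so the
    same payloads are compared literally against the category column.
    """
    sql = "SELECT title FROM articles WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


# Hypothetical attacker payloads, as they would appear decoded in ?category=...
# Closes the string literal and adds an always-true condition:
TAUTOLOGY = "' OR '1'='1"
# Closes the literal, appends a second SELECT with a matching column count,
# and comments out the trailing quote the application adds:
UNION_DUMP = "' UNION SELECT username || ':' || password FROM users --"


def demo():
    """Run both payloads through both implementations and return the outcomes."""
    conn = make_db()
    return {
        "normal": articles_vulnerable(conn, "Sports"),
        "vulnerable_tautology": articles_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": articles_vulnerable(conn, UNION_DUMP),
        "safe_tautology": articles_safe(conn, TAUTOLOGY),
        "safe_union": articles_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION payload works here because the injected SELECT returns the same number of columns as the original one; in practice the attacker first probes the column count, but the mechanism is the same. Parameterisation is the fix; filtering quotes from input is not, since numeric parameters and other contexts can be injected without any quote character.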