Once upon a time (in the 1960s), the term ‘hacker’ was used to denote a person particularly skilled in a technical area, usually programming. At the same time, ‘cracker’ was used for people who attacked computer systems. This was a niche usage, confined mostly to MIT (where the term hacker originated) and its alumni. As the words spread into the popular vocabulary, their meanings changed subtly. Cracking is now generally used to describe the act of beating a single piece of encryption or security (for example, cracking a password), whereas hacking can refer to either using detailed system knowledge to improve a system (e.g., kernel hacking) or gaining access to a computer or data through a method not intended (e.g., ‘he used a cracked password to hack into the database’).
Go to XPATH Injection on the left-hand side of the screen.
In this example, we will attack the password field to display more information. The password is checked using an XPATH statement that will return every line that matches both the username and password that the user entered. We can subvert this statement and add an OR clause that always returns true, and so matches every line in the database. Enter the username Mike and the password:
test123' or 'a'='a
This input is placed within quotes in the XPATH statement, so outer quotes aren’t needed. Since the statement now always evaluates to true, it will return every user. Not all web forms allow you to enter text. Sometimes, you have to select from a predetermined list. This doesn’t mean that they are safe from attack; it just means that hackers have to be a bit more cunning.
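As an added example (not code from the original tutorial or from WebGoat), the Python below builds the login query the vulnerable way and a hardened way, then checks whether the input changed the query's structure. The element names in TEMPLATE and all function names are assumptions made for illustration.

```python
import re

# Assumed query shape; the element names are hypothetical, not WebGoat's own.
TEMPLATE = "//user[name/text()={u} and password/text()={p}]"

def build_unsafe(username, password):
    """Vulnerable form: raw input placed between quotes the code supplies."""
    return TEMPLATE.format(u="'" + username + "'", p="'" + password + "'")

def xpath_literal(value):
    """Encode any string as a single XPath 1.0 string expression.

    XPath 1.0 has no escape character, so a value holding both quote
    types is written as concat() of separately quoted pieces.
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = ["'" + part + "'" for part in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def build_safe(username, password):
    """Hardened form: input can only ever be string data."""
    return TEMPLATE.format(u=xpath_literal(username), p=xpath_literal(password))

_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")        # one complete string literal
_CONCAT = re.compile(r"concat\(\?(?:\s*,\s*\?)+\)")  # concat() of literals only

def skeleton(expr):
    """Replace string data with '?' so only the query structure remains."""
    return _CONCAT.sub("?", _LITERAL.sub("?", expr))

def structure_changed(builder, username, password):
    """True when the input altered the query's structure, not just its data."""
    return skeleton(builder(username, password)) != skeleton(builder("x", "x"))

if __name__ == "__main__":
    user, pw = "Mike", "test123' or 'a'='a"   # the input from the text above
    for builder in (build_unsafe, build_safe):
        print(builder.__name__, "->", builder(user, pw))
        print("  structure changed:", structure_changed(builder, user, pw))
```

In XPath, and binds more tightly than or, so the unsafe predicate reads as (name and password) or 'a'='a' and is true for every node. Where the XPath library in use supports variable binding, passing the values as variables achieves the same separation of data from query text.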
Think your website’s safe because you have the latest Apache security patches? Badr FERRASSI shows you how the hackers can still get in.
From social networks to shopping and banking, the web has become a part of our daily lives. But how secure is it? Vulnerabilities in servers are generally identified and patched quickly, but what about the web applications that run on these servers? What if a hacker could compromise these applications and make them do their bidding? Well, that’s exactly what’s happening on the internet every day. In this tutorial, we will use WebGoat, a demonstration web app, to show you the techniques that these hackers are using, because understanding the threat is the first step to protecting yourself from it.
- PHP.net ( http://php.net/ ) is, without doubt, the best resource for information about what’s what in PHP. Unparalleled documentation.
- PHP for Absolute Beginners, written by Jason Lengstorf and published by Apress, is a great book for beginners. It’ll take you from knowing nothing to almost a little bit of everything as you build a blog in PHP. It’s pretty big — 408 pages — but you’ll learn a lot. http://www.apress.com/9781430224730
- PHP Cookbook, 2nd Edition is another great resource. Written by Adam Trachtenberg and David Sklar and published by O’Reilly, this 816-pager covers both basic and advanced material: everything from strings to using and building REST and SOAP web services: http://shop.oreilly.com/product/9780596101015.do. O’Reilly has been kind enough to put the first edition up on the web for free: http://commons.oreilly.com/wiki/index.php/PHP_Cookbook
- PHP Tutorials at Nettuts+: ( http://net.tutsplus.com/category/php/ ) Nettuts+ offers some of the best PHP tutorials around.
- All over the web, there are bunches of great sites with great PHP tutorials. If you’re ever stuck, just do a search, and you’re almost guaranteed to find a solution.
I mentioned a few times that there’s no way we could cover every PHP topic, so here’s a super-short list of topics you might want to look into if you’re interested in pursuing PHP. Don’t forget, you can also learn so much more about the topics we did discuss.
- Image Processing (with ImageMagick or other extensions)
- Object Oriented PHP
- PDO (PHP Data Objects)
- SQL Injection Attacks
- Mail: sending and receiving via IMAP or POP3, etc.
- Internationalization / Localization
- PHP on the Command Line