Answer
Hi, you can read a lot about the piggyback attack; here I am giving an answer based on the question you asked.
a) Piggybacking is a method that combines the data frame and the ACK (acknowledgement). It is used in bidirectional communication to efficiently optimize network communication. I will explain the piggyback, or tailgate, attack with one example.
You and your friend are in the public area of a bank, and only you have the privilege to enter the private area. When the door opens, you enter the private area; your friend has no privilege to enter that area. He follows you and enters the room before the door closes. He has no privilege, but he used your privilege as a mask. This is what happens in the piggybacking attack.
Please refer to the internet; you will find a lot of material.
b) As a pentester, I understand the above question to be about one kind of SQL injection. SQL injection comes in different types (in-band (classic), inferential (blind), out-of-band). For more details about SQL injection, refer to the internet. Attackers usually inject malicious queries into HTTP requests in the user input area.
The above problem is about piggy-backed queries. That means the attacker finds a vulnerability, that is, SQL injection. The attacker will use sqlmap or another tool to automate the attack. If the attacker finds an issue, he will first check what type of attack is possible here. At that point the attacker will check whether it supports stacked queries. A stacked query is the piggy-backed query.
I will explain clearly.
Here I got an injection point, /search?id=1. Then I put a `'` (single quote) and it gives an SQL error. So next we try a union-based attack here to find the columns in the table and the injection point. The piggy-backed query is conducted as follows. We found a users table in the database by using the union method.
The following is the SQL query to drop the table in that remote database.
/search?id=1;drop table users-- -
This is what happens in a piggy-backed query: we only have the privilege to access the data with id=1, but we perform a malformed injection there. So our good request carries our bad request.
Any doubt, please comment and search the internet.
c) To avoid this issue, we can use proper validation on the client side and the server side. If you are opening a public entry point, please apply proper validation there. Don't construct queries with user input, and also update to the latest technologies. Regularly check the application that is connected to the backend. Use advanced and up-to-date firewalls. You can search the internet for more details.
Any doubt, please comment, and upvote too. This is a simple explanation of your question. Please refer to the internet for more details.
Thanks in advance
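Added example, not part of the original answer: the `id` value from part b) run against a constructed in-memory SQLite database, first through a handler that builds the query from user input and then through one that validates and binds the value as part c) advises. The `items` table, the function names and the use of `executescript` to stand in for a driver that allows stacked queries are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: an items table for the search and a users table.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO items VALUES (1, 'widget');"
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice');"
    )
    return db

def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None

def search_vulnerable(db, raw_id):
    # Weak form: the query text is built from user input and sent through an
    # API that accepts several statements in one call, so whatever follows
    # the ';' runs as a second statement.
    db.executescript("SELECT name FROM items WHERE id = " + raw_id)

def search_hardened(db, raw_id):
    # Server-side validation: the id must parse as an integer.
    try:
        item_id = int(raw_id)
    except ValueError:
        return []
    # Bound parameter and a single-statement API: the value is data, never SQL.
    return db.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()

def demo():
    payload = "1;drop table users-- -"  # the id value shown in part b)
    weak_db = make_db()
    search_vulnerable(weak_db, payload)
    safe_db = make_db()
    rejected = search_hardened(safe_db, payload)
    normal = search_hardened(safe_db, "1")
    # (users table survives weak handler?, survives hardened handler?, rows...)
    return table_exists(weak_db, "users"), table_exists(safe_db, "users"), rejected, normal

if __name__ == "__main__":
    print(demo())
```
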