 |
| Mr.Zhu 泰国刷肉粿条汤,那个清澈的汤头,好喝到。。。🤤 |
尝试过各种美食却依然无法满足您的味蕾?
那就来尝尝MR.ZHU Hotpot Noodles吧!他们独家提供的火鍋粿条和泰国刷肉粿条汤,口感鲜美、美味可口,让您回味无穷。
而他们的辣椒更是口感独特,是您品尝不容错过的美食!
我们选用新鲜的食材,加上精心的烹饪技巧,呈现出最纯粹的味道,每一口都是极致享受。
快来MR.ZHU Hotpot Noodles,开启一段独特的美食之旅吧!
YouTube
Location
MR.ZHU Hotpot Noodles火鍋粿条
尝试过各种美食却依然无法满足您的味蕾?
那就来尝尝MR.ZHU Hotpot Noodles吧!他们独家提供的火鍋粿条和泰国刷肉粿条汤,口感鲜美、美味可口,让您回味无穷。
而他们的辣椒更是口感独特,是您品尝不容错过的美食!
我们选用新鲜的食材,加上精心的烹饪技巧,呈现出最纯粹的味道,每一口都是极致享受。
快来MR.ZHU Hotpot Noodles,开启一段独特的美食之旅吧!
YouTube
Location
10 Steps : Stable Diffusion WebUI Most Easy Installation
10 Steps : Stable Diffusion WebUI Most Easy Installation
 |
Step 01 : Click File Step 02 : Click New notebook Step 03 : Rename Your Project Name |
 |
| Step 04 : Paste (ctrl + v) below script here. |
 |
Step 05 : Click Connect Step 06 : Click RAM Disk |
 |
| Step 07 : Change to GPU, Click Save. |
 |
| Step 08 : Click Play Button to RUN. Sit Back and Relax ! |
 |
| Loading ... |
 |
| Step 09 : Open Stable Diffusion WebUI Link. |
 |
| Step 10 : Done ! Stable Diffusion WebUI Cloud Version |
Manually submit Sitemap to search engines
Search engines Bing and Google also allows you to ping them with your new sitemap manually. To do that, you shoudl visit in your browser following URLs:
Google:
https://www.google.com/webmasters/sitemaps/ping?sitemap={URL-of-your-sitemap}
https://www.google.com/webmasters/sitemaps/ping?sitemap=
Google Webmaster Tools
https://www.google.com/webmasters/sitemaps/ping?sitemap=
Google Webmaster Tools
https://www.bing.com/webmaster/
Bing , have to login to webmaster and submit sitemap.
Omron Etherway 3.3.3 Download
Omron Etherway is a free utility communication software that specifically supports Ethernet-based protocols for Omron PLCs. This versatile tool can be used for various functionalities and protocols, such as FINS Ethernet TCP, Toolbus Ethernet UDP and TCP, and Modbus TCP client/server. With Etherway, you can easily and efficiently communicate with your Omron PLCs via Ethernet, making it an essential tool for any industrial automation project. Additionally, the user-friendly interface and intuitive design make it simple to navigate and use, even for those with limited experience in PLC programming and communication.
Omron EtherWay is a free utility communication software designed to support multiple Ethernet-based protocols for Omron PLCs. It is a versatile tool that can be used for various functionalities and protocols such as FINS Ethernet, Ethernet/IP and Modbus TCP/IP client/server. With its user-friendly interface, Omron EtherWay makes it easy to monitor, configure, and troubleshoot Omron PLCs connected through Ethernet networks.
 |
| Multiway Download |
Omron Multiway 10.6 Download
Omron Multiway is a versatile communication software tool that is available for free and supports multiple protocols for Omron PLCs. With support for Sysmac-Way serial, FINS serial, Toolbus Ethernet UDP and TCP, Modbus RTU TCP client/server, ASCII Terminal, Terminal ASC02/11/21/31 unit, Compoway/F-Frame Sniffer (RS232C port), Frame Booster (RS232C/Ethernet UDP), and OPC Client, this software is the ideal solution for various functionalities and protocols. Whether you're looking to streamline your automation processes or simply improve communication between your devices, Omron Multiway is a powerful and flexible tool that can help you achieve your goals. Download it today and start exploring all that it has to offer!
Omron Multiway is a free utility communication software that supports multiple protocols for Omron PLCs. It is a multi-purpose tool that can be used for various functionalities and protocols such as Sysmac-Way serial, FINS serial, Toolbus Ethernet UDP and TCP, Modbus RTU TCP client/Server, ASCII Terminal, Terminal ASC02/11/21/31 unit, Compoway/F- Frame Sniffer (RS232C port), Frame Booster (RS232C/Ethernet UDP), OPC Client.
Omron Multiway v10.6 Download
 |
| Etherway Download |
童话:风和树的故事
风爱上了一棵树,每天轻柔地为树拍打身上的尘埃,亲吻树上的伤痕。
阳光和雨为树提供最好的养料,树也喜欢风,但却从未告诉他。
树希望自己能成为森林里最大的树,却因此憔悴萎靡。
为了让树高兴起来,风决定离开,看看外面的世界,并收集故事讲给树听。
几年后,风带着新鲜的故事回到树的身边,却发现树因为爱上了夜莺而变得更加忧伤。
风和树的故事
他轻柔地为树拍打着身上的尘埃,亲吻那些虫子、鸟儿、野兽们在树身上留下的伤痕。
他还告诉阳光,让阳光多给树一些温暖。
阳光是风的好朋友,他现在和雨是最甜蜜的一对,他们甚至已经有了一个可爱的小女儿——彩虹。他们是如此幸福的一家人,他们都喜欢天真、善良的风。于是,他们给了树最和煦的阳光与最滋润的雨露。
树似乎也爱上了风,但她却从没有跟他说过。因为她还有更重要的事情要做,那就是生长、生长,长成一棵森林里最大的树。
风来的时候,树都会跟他挥手。
风讲故事的时候,树也会煞有介事地点头。
风感觉很幸福。但他不懂树的心事。
“如果我是一棵大树该多好,这样我就能站得最高,就能够看见广阔的世界。”风经常听到树这样叹息。
“为什么非要做一棵大树呢?如果你再长高一点儿,我就不能再亲吻你的额头了。”风喜欢这种平淡的生活。
“你不了解我,你能四处走走,而我站在这里,永远不知道外面的世界还有什么。”
风来的时候,树都会跟他挥手。
风讲故事的时候,树也会煞有介事地点头。
风感觉很幸福。但他不懂树的心事。
“如果我是一棵大树该多好,这样我就能站得最高,就能够看见广阔的世界。”风经常听到树这样叹息。
“为什么非要做一棵大树呢?如果你再长高一点儿,我就不能再亲吻你的额头了。”风喜欢这种平淡的生活。
“你不了解我,你能四处走走,而我站在这里,永远不知道外面的世界还有什么。”
树却一天比一天憔悴,叶片开始枯黄,她每叹一口气,就会落下一片树叶。这让风很心疼。
终于有一天,风决定出发,为树去看看外面的世界,他希望这样树能够高兴起来。
在外面的日子,风过得很艰难,他经过一座又一座城市,吹过一座又一座高山。他的身上沾满了烟囱里排放的黑烟,这让他患上了严重的咳嗽。但是他从不停止,因为他要把整个世界都转上一圈,这样,就有很多新鲜的事情能够讲给亲爱的树。
每一天,风都思念着远方的树,他已经搜集了足够多的故事,于是,他迫不及待地踏上了归程。
终于有一天,风决定出发,为树去看看外面的世界,他希望这样树能够高兴起来。
在外面的日子,风过得很艰难,他经过一座又一座城市,吹过一座又一座高山。他的身上沾满了烟囱里排放的黑烟,这让他患上了严重的咳嗽。但是他从不停止,因为他要把整个世界都转上一圈,这样,就有很多新鲜的事情能够讲给亲爱的树。
每一天,风都思念着远方的树,他已经搜集了足够多的故事,于是,他迫不及待地踏上了归程。
几年过去了,树已经长大,阳光一家给予了她最好的照顾,阳光已经有了很多外孙——露水。他们经常会落在树的身上,在外公的照耀下,让这棵树看上去更加挺拔。
风热烈地亲吻着树,他急切地想要给树讲讲他的旅程,讲讲外面的世界。
而树依旧没有高兴起来,她好像比原来更加忧伤。她躲闪着风,默默地看着远方。露珠在她的身上闪烁,就好像是她的泪水。
风很难过,他不知道发生了什么事情。
树告诉他,他走后,来了一只最英俊的夜莺,他有世界上最动听、最婉转的歌喉。树无可救药地爱上了他。夜莺在树的身上做了一个小窝,住了下来。树已经忘记了她对外面世界的渴望,她不再只想着生长,因为长得太高,夜莺吻她的时候,就会感觉累。
然而,幸福的时光总是短暂的,夜莺开始厌倦这样平凡的生活。
一天,一只麻雀告诉他,在几百里外,有一棵更大更高的树希望跟他结婚,并且许诺,会给他最好的生活。
夜莺犹豫了很久,他的歌声低沉而哀伤。唱得树很心痛。
但是,夜莺还是走了,在一个下雨的早上,树送走了他,她不希望亲爱的夜莺失去他的幸福。
树比从前更加忧郁了,她不再有梦想。偶尔,她也会想念风,但很快,这种想念就被无处可诉的伤痛所湮没了。
“你还有我啊,难道你忘记了,你也曾经爱过我啊!”风呜咽着,他一直认为树只爱他,因为他们一起长大,一起度过那段甜蜜的少年时光。
“你让我怎么说呢?风,我们确实曾经拥有过一段纯真美好的岁月。但是他,我们毕竟一起生活过。”树的话,让风心碎。
RAD Studio 10.2 + Python4Delphi
if you find this error while compile your exe,
[dcc32 Error] VarPyth.pas(185): E2037 Declaration of 'DispInvoke' differs from previous declaration
procedure DispInvoke(Dest: PVarData; const Source: TVarData;
CallDesc: PCallDesc; Params: Pointer); override;
change to
procedure DispInvoke(Dest: PVarData; const Source: TVarData;
CallDesc: PCallDesc; Params: Pointer); overload;
[dcc32 Error] VarPyth.pas(185): E2037 Declaration of 'DispInvoke' differs from previous declaration
procedure DispInvoke(Dest: PVarData; const Source: TVarData;
CallDesc: PCallDesc; Params: Pointer); override;
change to
procedure DispInvoke(Dest: PVarData; const Source: TVarData;
CallDesc: PCallDesc; Params: Pointer); overload;
Dokuwiki parse_ini_file replacement functions
Add the r_parse_ini_file function , and replace all 3 /lib/exe/css.php parse_ini_file to r_parse_ini_file !
Release 2018-04-22 "Greebo"
- Change to inc/StyleUtils.php
Add the r_parse_ini_file function , and replace all 3 /inc/StyleUtils.php parse_ini_file to $this->r_parse_ini_file !
Release 2018-04-22 "Greebo"
- Change to inc/StyleUtils.php
Add the r_parse_ini_file function , and replace all 3 /inc/StyleUtils.php parse_ini_file to $this->r_parse_ini_file !
Python For the Beginner
Class Room 01
http://learnpythonthehardway.org/book/
PDF Download
Class Room 02a
https://pymotw.com/2/index.html
Class Room 02b
https://pymotw.com/3/
http://learnpythonthehardway.org/book/
PDF Download
Class Room 02a
https://pymotw.com/2/index.html
Class Room 02b
https://pymotw.com/3/
Web Security
Do you know that one website is hacked every 5 seconds and also 63% of website owners don’t know that they are hacked. You might be the next or you are already a victim. Protecting user and business critical information is the first job of a developer. This post will help you to survive the cyber war.
In this post we will see the ways by which a hacker can hack your website and also how you can stop your website from getting hacked. Let’s get started.
Methods to hack a website are divided into two categories. First category includes hacking a website by manipulating the data sources and the second category includes hacking the platform on which the website runs.
Many website are poorly written which fails to handles manipulated data and ultimately the website gets hacked.
By the platform we mean Operating System, DNS Servers, Network, Web Server, Server Language, FTP, SSH, SSL etc., on which the website runs. If any of this things are hacked than your website is hacked.
Attacks that are carried out by manipulating data source can be prevented by following simple principles and mechanisms. The below pictures shows how to securely process input and display data.
Its not limited to this. You can create more security layers to protect your and users critical information.
Its the job of third party companies to protect their software and hardware on top of which our website runs. But still we can do a lot to secure our website from platform based attacks. The below picture shows some common things you need to carry put to protect your website from platform based attacks.
There are a lot more things you can do to prevent these kinds of attacks.
Now on we will look at some common ways by which by which hackers hack websites. All examples and theory I show on this post are valid for web server as apache and server language as php And next to valid for other technologies.
A hacker can submit manipulated data to the server which can sometimes trigger error messages if server scripts fail to handle this kinds of data manipulation. This error messages leak information like directory names, server name, software version and a lot of other things.
Let’s see an example of this kind of poorly written scripts:
index.php
Now when you run this script you will get this error.
This error leaks a lot of information. Some information it leaks are
Website runs on windows operation system
Web server is wamp
File system path to the index.php file
Now hacker can gather this information and try to exploit these software’s to hack our website.
The best solution to this problem is to log errors instead of displaying errors. So that only the administrators can see the errors and hacker don’t get any information.
There are many ways to disable error displaying and enabling error logging.
First method:
php.ini
Second method:
.htaccess
Third method:
index.php
Now when we see our errors in log we will know that there is no validation check for this variable and we will rectify our mistake by modifying the script. To prevent this kids of errors we can do simple validation as shows below.
index.php
***Always disable error display and enable error logging for production use. From now on I will assume that you have disabled error displaying.
HTTP Response headers can also leak a lot of information about our website which can be used by hackers to hack our website.
HTTP Response Headers which leak information are:
Server: This header leaks OS name, web server name, server language name, versions and some other things.
X-Powered-By: This header leaks the name and version of server side language.
This information is very critical and can be used by the hacker to hack your website.
We can stop web server from leaking this information by changing some variable values in httpd.conf and php.ini files.
httpd.conf
php.ini
Never depend on client side validation. Hackers can easily bypass it and can do a lot of things to hack your website.
Lets see a demo of how to break client side validation and hack a website.
index.php
This script looks absolutely fine and works well. But a attacker can easily inspect the HTML source code And remove “required” field and change “email” type to “text”. Now the the HTML code on client side will look something like this
Now the hacker can insert any random text in the email field and submit it instead of inserting a email address. Something like this:
And now hacker has broken your validation layers and can insert random text which you don’t want and now your website is vulnerable to spams. We can also do very powerful things like XSS attacks. We will learn more about XSS attacks in later sections.
We can prevent such attacks by validating the form data on server side also. Here we can change the code to this
SQL injection is a technique where hackers can inject SQL commands into an SQL statements, via data sources.
Let’s see an example:
index.php
The above code is vulnerable to SQL injection. A user can append an SQL code inside the email or message field and hack your website.
This is an example sql code a hacker can inject:
Now when the form is submitted the server will execute this SQL statement.
which will result in deleting the whole contacts table. So your website is hacked.
SQL injection attacks can be stopped by validating data, escaping data and running SQL code at low privilege. If we would have executed the above sql statement at low privilege than it wouldn’t have been able to delete the table. So we can change the script to this
Always remember to validate(string format and data type) and escape data And run SQL code at low privilege level.
OS injection is a technique where hackers can run OS command on server by injecting command to data sources.
Let’s see an example in which a website allows user to find ip of a domain name.
index.php
The above script is vulnerable to OS injection. A hacker can execute multiple other commands on server in this way
Now submitting this form will display all folders and files of the parent directory of the web root directory. In this way a hacker can execute almost any command and destroy your web site.
This kind of attacks can be prevented by data validation and running commands on server scripts with least privilege.
So we can change the script to this
Code Injection is a technique by which a hacker can execute code on the web server by injecting code to the data sources.
Let’s see an example of this:
index.php
The above script takes two numbers and creates a php code string and passing it to eval() for execution. The above script is vulnerable to code injection. A hacker can inject any php code and make it execute on the server.
This is how a hacker can inject code:
Now when the form is submitted all the information about your server is leaked.
You can prevent this kinds of code injection attacks by preventing use of eval() or validating the data. So we can change the script to this
Its always better to avoid use of eval().
File inclusion is a technique by where a hacker can runs a remote or local script on the web server.
Let’s see an example of this:
index.php
The above code works fine by including a script related to the theme color of web site. But a hacker can easily exploit it and run any code on web server.
A hacker can inspect the html source code and pass value for color as .htaccess. Below picture shows a simple exploit of the above code
Now when the form is submitted the web page will display our .htaccess configuration file. Similarly you can change the value to any remote file link or local file link which will cause its execution.
This can be prevented by data validation. So we can change our script to this
Always be careful and validate data before using include(), file_get_contents() and require() in php to prevent file inclusion attacks.
XSS (Cross Site Scripting) is a technique by which a hacker injects client-side script into Web pages viewed by other users. This kinds of attacks are very common and needs to be dealt properly.
Let’s see an example of this kind of attacks:
index.php
A hacker can easily exploit this script and cause a code to run on client side. Putting script code or html source code inside the comment field will lead to XSS attack. Below image shows how a hacker can exploit it.
Now once this form is submitted, anyone who visits the site will see a alert box with a message “Hacked!!!”.
This kinds of attacks can be prevented by escaping the stored output. So we can change the script to this:
CSRF (Cross Site Request Forgery) is a type of attack in which requests from user are sent to servers without the user knowing about it.
This kinds of attack are very popular in the internet. Let’s look at an example of this kinds of attacks.
index.php
money_transfer.php
The above code uses cookie to check if the user is logged in or not. If user is logged in then the money transfer is done. This scripts are vulnerable to CSRF attacks. A hacker can embed the above form in any website and send the link to the users and forcing some way to click on it. If the cookie is present then the money will be transfer to the hackers account.
Let’s see how this can be done (assume that user is logged in into bank website):
http://hackersite.com/earnmoney.html
This page link can be send to a user who is using bank website. And if the user clicks on the submit button on hackers website the given amount will be transferred which will lead to a disaster. So websites should’t depend on cookies to do critical things.
There are many ways to prevent such kinds of attacks. We will see the best and popular ones.
This kinds of attacks can be prevented by using HTTP Referer header, extra verification step or using special token
Lets see all the above preventing methods.
Preventing CSRF using HTTP Referer
Some browser allow to change HTTP Referer while requesting a link and also there are many other ways to change or break HTTP referer. So this method should be used along with other methods.
Preventing CSRF using special tokens
Every user will have a random secret token assigned to them whenever they make a request for the form and the token will be encrypted and hidden in the form. This token can only be used once and a new token is generated for every user for every new request for the form. And this token will have a expiry time of few minutes. While submitting the form, the form must have the user secret token. There is no way a hacker can find out the secret token of a user so cross site form submissions will not work.
There are many other factors that can be considered while generating this kind of tokens, this method is an simple and full proved way.
Extra Validation
You can use some extra validation steps before transfer money. These steps can be CAPTCHA validation, Re-Authentication (of password), DOB, mobile message verification etc.
By combining the above three methods we can get the best security possible against CSRF attacks.
Session Fixation is a hacking technique by which a hacker can hijack a valid user session. There are many ways to hijack user sessions. Sometimes this happens by mistake or sometimes knowingly.
When cookies are disabled by browser, php passes session ids via GET. This is very dangerous. As you can sometime by mistake send this URL (URL containing session id) to a friend and he will hijacks your session by mistake. To prevent this kind of mistake session hijacking you can disable the passing of session id via GET.
This can be done in php.ini file.
php.ini
A hacker can steal your session id by intercepting traffic between user browser and web server. To prevent this you need to encrypt your website communication with server via SSL. So the hacker cannot steal it. A hacker can also hijack session by XSS attack. So preventing XSS attacks will also prevent session fixation.
Always regenerate session id on every request to the website so that a hijacked session id (if hacker has already hijacked in some other way) will become invalid. You can regenerate session id by using this function
You need to destroy the existing session whenever user logs out of your website.
These are some ways by which you can protect your website from session fixation.
Clickjacking is a technique by which a attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.
Let’s see the steps used by a hacker to achieve clickjacking:
Hacker creates a web page with some buttons on it aligned same as your website.
Loads your website inside a iframe.
Places the iframe on top of his web page.
Make the iframe transparent.
Now you won’t be able to see your website but it lies on top of hacker’s web page.
Users clicking on buttons will think that they are clicking on the normal visible web page buttons. But actually they are click on your website buttons.
This can be prevented by disallowing your website to be viewed inside a iFrame.
You need to insert this response header inside your httpd.conf file.
or you can insert this response header in your .htaccess file
You can also add this X-FRAME-OPTIONS header using PHP or any other server side language.
This is how you can prevent clickjacking.
This attack comes under platform based attacks. DOS is a technique by which a hacker consumes all the server resources so that users cannot access the site or the site will become slow. This is done basically by flooding your server with large number of requests.
To prevent this kind of attacks you can use services like cloudflare which provide DOS security to websites. Many hosting services also provide DOS security.
Man-in-the- middle attack is a method by which a hacker can intercept traffic between you and your website And also your website and your users.
Traffic between you and your website can be protected by the use of SSH instead of FTP.
Traffic between your users and website can be protected by using HTTPS instead of HTTP.
Conclusion
In this post I tried to cover all common types of attacks and ways to to prevent them. I will keep updating this post as new techniques arrives. Thanks for reading this post. “Like and Share”
Credit to here
In this post we will see the ways by which a hacker can hack your website and also how you can stop your website from getting hacked. Let’s get started.
Categorization of hacking methods
Methods to hack a website are divided into two categories. First category includes hacking a website by manipulating the data sources and the second category includes hacking the platform on which the website runs.
Many website are poorly written which fails to handles manipulated data and ultimately the website gets hacked.
By the platform we mean Operating System, DNS Servers, Network, Web Server, Server Language, FTP, SSH, SSL etc., on which the website runs. If any of this things are hacked than your website is hacked.
Preventing data source Attacks
Attacks that are carried out by manipulating data source can be prevented by following simple principles and mechanisms. The below pictures shows how to securely process input and display data.
Its not limited to this. You can create more security layers to protect your and users critical information.
Preventing platform based attacks
Its the job of third party companies to protect their software and hardware on top of which our website runs. But still we can do a lot to secure our website from platform based attacks. The below picture shows some common things you need to carry put to protect your website from platform based attacks.
There are a lot more things you can do to prevent these kinds of attacks.
Now on we will look at some common ways by which by which hackers hack websites. All examples and theory I show on this post are valid for web server as apache and server language as php And next to valid for other technologies.
Error Reporting Attacks
A hacker can submit manipulated data to the server which can sometimes trigger error messages if server scripts fail to handle this kinds of data manipulation. This error messages leak information like directory names, server name, software version and a lot of other things.
Let’s see an example of this kind of poorly written scripts:
index.php
Now when you run this script you will get this error.
Website runs on windows operation system
Web server is wamp
File system path to the index.php file
Now hacker can gather this information and try to exploit these software’s to hack our website.
The best solution to this problem is to log errors instead of displaying errors. So that only the administrators can see the errors and hacker don’t get any information.
There are many ways to disable error displaying and enabling error logging.
First method:
php.ini
Second method:
.htaccess
Third method:
index.php
Now when we see our errors in log we will know that there is no validation check for this variable and we will rectify our mistake by modifying the script. To prevent this kids of errors we can do simple validation as shows below.
index.php
***Always disable error display and enable error logging for production use. From now on I will assume that you have disabled error displaying.
HTTP Response Information Leakage Attack
HTTP Response headers can also leak a lot of information about our website which can be used by hackers to hack our website.
HTTP Response Headers which leak information are:
Server: This header leaks OS name, web server name, server language name, versions and some other things.
X-Powered-By: This header leaks the name and version of server side language.
This information is very critical and can be used by the hacker to hack your website.
We can stop web server from leaking this information by changing some variable values in httpd.conf and php.ini files.
httpd.conf
php.ini
Client Side Validation Attacks
Never depend on client side validation. Hackers can easily bypass it and can do a lot of things to hack your website.
Lets see a demo of how to break client side validation and hack a website.
index.php
This script looks absolutely fine and works well. But a attacker can easily inspect the HTML source code And remove “required” field and change “email” type to “text”. Now the the HTML code on client side will look something like this
Now the hacker can insert any random text in the email field and submit it instead of inserting a email address. Something like this:
And now hacker has broken your validation layers and can insert random text which you don’t want and now your website is vulnerable to spams. We can also do very powerful things like XSS attacks. We will learn more about XSS attacks in later sections.
We can prevent such attacks by validating the form data on server side also. Here we can change the code to this
SQL Injection
SQL injection is a technique where hackers can inject SQL commands into an SQL statements, via data sources.
Let’s see an example:
index.php
The above code is vulnerable to SQL injection. A user can append an SQL code inside the email or message field and hack your website.
This is an example sql code a hacker can inject:
Now when the form is submitted the server will execute this SQL statement.
which will result in deleting the whole contacts table. So your website is hacked.
SQL injection attacks can be stopped by validating data, escaping data and running SQL code at low privilege. If we would have executed the above sql statement at low privilege than it wouldn’t have been able to delete the table. So we can change the script to this
Always remember to validate(string format and data type) and escape data And run SQL code at low privilege level.
OS Injection
OS injection is a technique where hackers can run OS command on server by injecting command to data sources.
Let’s see an example in which a website allows user to find ip of a domain name.
index.php
The above script is vulnerable to OS injection. A hacker can execute multiple other commands on server in this way
Now submitting this form will display all folders and files of the parent directory of the web root directory. In this way a hacker can execute almost any command and destroy your web site.
This kind of attacks can be prevented by data validation and running commands on server scripts with least privilege.
So we can change the script to this
Code Injections
Code Injection is a technique by which a hacker can execute code on the web server by injecting code to the data sources.
Let’s see an example of this:
index.php
The above script takes two numbers and creates a php code string and passing it to eval() for execution. The above script is vulnerable to code injection. A hacker can inject any php code and make it execute on the server.
This is how a hacker can inject code:
Now when the form is submitted all the information about your server is leaked.
You can prevent this kinds of code injection attacks by preventing use of eval() or validating the data. So we can change the script to this
Its always better to avoid use of eval().
File Inclusion
File inclusion is a technique by where a hacker can runs a remote or local script on the web server.
Let’s see an example of this:
index.php
The above code works fine by including a script related to the theme color of web site. But a hacker can easily exploit it and run any code on web server.
A hacker can inspect the html source code and pass value for color as .htaccess. Below picture shows a simple exploit of the above code
Now when the form is submitted the web page will display our .htaccess configuration file. Similarly you can change the value to any remote file link or local file link which will cause its execution.
This can be prevented by data validation. So we can change our script to this
Always be careful and validate data before using include(), file_get_contents() and require() in php to prevent file inclusion attacks.
XSS
XSS (Cross Site Scripting) is a technique by which a hacker injects client-side script into Web pages viewed by other users. This kinds of attacks are very common and needs to be dealt properly.
Let’s see an example of this kind of attacks:
index.php
A hacker can easily exploit this script and cause a code to run on client side. Putting script code or html source code inside the comment field will lead to XSS attack. Below image shows how a hacker can exploit it.
Now once this form is submitted, anyone who visits the site will see a alert box with a message “Hacked!!!”.
This kinds of attacks can be prevented by escaping the stored output. So we can change the script to this:
CSRF
CSRF (Cross Site Request Forgery) is a type of attack in which requests from user are sent to servers without the user knowing about it.
This kinds of attack are very popular in the internet. Let’s look at an example of this kinds of attacks.
index.php
money_transfer.php
The above code uses cookie to check if the user is logged in or not. If user is logged in then the money transfer is done. This scripts are vulnerable to CSRF attacks. A hacker can embed the above form in any website and send the link to the users and forcing some way to click on it. If the cookie is present then the money will be transfer to the hackers account.
Let’s see how this can be done (assume that user is logged in into bank website):
http://hackersite.com/earnmoney.html
This page link can be send to a user who is using bank website. And if the user clicks on the submit button on hackers website the given amount will be transferred which will lead to a disaster. So websites should’t depend on cookies to do critical things.
There are many ways to prevent such kinds of attacks. We will see the best and popular ones.
This kinds of attacks can be prevented by using HTTP Referer header, extra verification step or using special token
Lets see all the above preventing methods.
Preventing CSRF using HTTP Referer
Some browser allow to change HTTP Referer while requesting a link and also there are many other ways to change or break HTTP referer. So this method should be used along with other methods.
Preventing CSRF using special tokens
Every user will have a random secret token assigned to them whenever they make a request for the form and the token will be encrypted and hidden in the form. This token can only be used once and a new token is generated for every user for every new request for the form. And this token will have a expiry time of few minutes. While submitting the form, the form must have the user secret token. There is no way a hacker can find out the secret token of a user so cross site form submissions will not work.
There are many other factors that can be considered while generating this kind of tokens, this method is an simple and full proved way.
Extra Validation
You can use some extra validation steps before transfer money. These steps can be CAPTCHA validation, Re-Authentication (of password), DOB, mobile message verification etc.
By combining the above three methods we can get the best security possible against CSRF attacks.
Session Fixation
Session Fixation is a hacking technique by which a hacker can hijack a valid user session. There are many ways to hijack user sessions. Sometimes this happens by mistake or sometimes knowingly.
When cookies are disabled by browser, php passes session ids via GET. This is very dangerous. As you can sometime by mistake send this URL (URL containing session id) to a friend and he will hijacks your session by mistake. To prevent this kind of mistake session hijacking you can disable the passing of session id via GET.
This can be done in php.ini file.
php.ini
A hacker can steal your session id by intercepting traffic between user browser and web server. To prevent this you need to encrypt your website communication with server via SSL. So the hacker cannot steal it. A hacker can also hijack session by XSS attack. So preventing XSS attacks will also prevent session fixation.
Always regenerate session id on every request to the website so that a hijacked session id (if hacker has already hijacked in some other way) will become invalid. You can regenerate session id by using this function
You need to destroy the existing session whenever user logs out of your website.
These are some ways by which you can protect your website from session fixation.
Clickjacking
Clickjacking is a technique by which a attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.
Let’s see the steps used by a hacker to achieve clickjacking:
Hacker creates a web page with some buttons on it aligned same as your website.
Loads your website inside a iframe.
Places the iframe on top of his web page.
Make the iframe transparent.
Now you won’t be able to see your website but it lies on top of hacker’s web page.
Users clicking on buttons will think that they are clicking on the normal visible web page buttons. But actually they are click on your website buttons.
This can be prevented by disallowing your website to be viewed inside a iFrame.
You need to insert this response header inside your httpd.conf file.
or you can insert this response header in your .htaccess file
You can also add this X-FRAME-OPTIONS header using PHP or any other server side language.
This is how you can prevent clickjacking.
Denial of Service Attack
This attack comes under platform based attacks. DOS is a technique by which a hacker consumes all the server resources so that users cannot access the site or the site will become slow. This is done basically by flooding your server with large number of requests.
To prevent this kind of attacks you can use services like cloudflare which provide DOS security to websites. Many hosting services also provide DOS security.
Man-in-the-middle attack
Man-in-the- middle attack is a method by which a hacker can intercept traffic between you and your website And also your website and your users.
Traffic between you and your website can be protected by the use of SSH instead of FTP.
Traffic between your users and website can be protected by using HTTPS instead of HTTP.
Conclusion
In this post I tried to cover all common types of attacks and ways to to prevent them. I will keep updating this post as new techniques arrives. Thanks for reading this post. “Like and Share”
Credit to here
Subscribe to:
Posts (Atom)