<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Chris Kiser</title>
    <description>The latest articles on DEV Community by Chris Kiser (@chriskiser18).</description>
    <link>https://dev.to/chriskiser18</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F458207%2F1a7e181e-54c8-4d2f-8282-835679b7c7f7.png</url>
      <title>DEV Community: Chris Kiser</title>
      <link>https://dev.to/chriskiser18</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/chriskiser18"/>
    <language>en</language>
    <item>
      <title>Common SQL Injections to Watch Out For</title>
      <dc:creator>Chris Kiser</dc:creator>
      <pubDate>Sun, 27 Sep 2020 20:46:40 +0000</pubDate>
      <link>https://dev.to/chriskiser18/common-sql-injections-to-watch-out-for-4ai3</link>
      <guid>https://dev.to/chriskiser18/common-sql-injections-to-watch-out-for-4ai3</guid>
      <description>&lt;h1&gt;
  
  
  &lt;strong&gt;What is an "Injection"?&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;Before we start, we need to know what SQL injection (SQLi) is. SQLi is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Most commonly it gives attackers access to information they are not supposed to have, for example, a password. Sometimes it even allows attackers to interfere with the server to perform a DDoS attack. I will briefly write about three types of attacks: retrieving hidden data, subverting application logic, and retrieving data from other database tables.&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;Retrieving Hidden Data&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;On an unprotected site, an attacker can retrieve hidden data by changing the URL so that it executes an SQL command you would not want run against your database.&lt;br&gt;
For example, if the website runs a SELECT query for some form of data, the attacker would be able to run this instead: &lt;/p&gt;

&lt;p&gt;SELECT * FROM &lt;code&gt;tablename&lt;/code&gt; WHERE 1=1&lt;/p&gt;

&lt;p&gt;This would give the attacker access to anything in the table being presented.&lt;/p&gt;
&lt;h1&gt;
  
  
  &lt;strong&gt;Subverting application logic&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;With this method, attackers are able to make a website do something unwanted. For example, they may be able to log into an account with only the username.&lt;/p&gt;

&lt;p&gt;An example statement that would do this is:&lt;/p&gt;

&lt;p&gt;SELECT * FROM users WHERE username = 'administrator'--' AND password = ''&lt;/p&gt;

&lt;p&gt;This would return the user whose username is "administrator" and effectively just log them in with no password.&lt;/p&gt;
&lt;h1&gt;
  
  
  &lt;strong&gt;Retrieving data from other database tables.&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;In cases where the results of an SQL query are returned within the application's responses, the attacker is able to manipulate the query to make it expose data from other tables. This is done via the UNION keyword. An attacker could use something along the lines of:&lt;/p&gt;

&lt;p&gt;' UNION SELECT username, password FROM users--&lt;/p&gt;

&lt;p&gt;This would display the username and password of everyone stored in the users table.&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/tzerwbc3MSA"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;h5&gt;
  
  
  &lt;strong&gt;LINKS&lt;/strong&gt;
&lt;/h5&gt;

&lt;p&gt;&lt;a href="https://www.w3schools.com/sql/sql_injection.asp"&gt;https://www.w3schools.com/sql/sql_injection.asp&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/"&gt;https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://portswigger.net/web-security/sql-injection"&gt;https://portswigger.net/web-security/sql-injection&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-community/attacks/SQL_Injection"&gt;https://owasp.org/www-community/attacks/SQL_Injection&lt;/a&gt;&lt;/p&gt;

</description>
      <category>sqlinjection</category>
      <category>sql</category>
      <category>php</category>
      <category>sqlhack</category>
    </item>
    <item>
      <title>Michigan College is Tracking its Students With a Flawed App -- Is This an Intrusion of Privacy? -- COVID RISK DATA MODELS</title>
      <dc:creator>Chris Kiser</dc:creator>
      <pubDate>Mon, 14 Sep 2020 03:48:16 +0000</pubDate>
      <link>https://dev.to/chriskiser18/michigan-college-is-tracking-its-students-with-a-flawed-app-is-this-an-intrusion-of-privacy-covid-risk-data-models-2cfj</link>
      <guid>https://dev.to/chriskiser18/michigan-college-is-tracking-its-students-with-a-flawed-app-is-this-an-intrusion-of-privacy-covid-risk-data-models-2cfj</guid>
      <description>&lt;p&gt;&lt;a href="https://techcrunch.com/2020/08/19/coronavirus-albion-security-flaws-app/"&gt;Here&lt;/a&gt; is the article!&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;Is this Intrusive or Necessary?&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;In my opinion, a version of this could be used successfully with not as much intrusion as the current app has. So in its current state, I do believe this is too intrusive. I don't think it is right that the college can know exactly where you are at any point. Though I do understand why they are doing it like this, I would not want to be tracked in this way myself.&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;Would I Accept this at my College? (Penn State)&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;This question is interesting because I am bound to say yes, I would accept it at my college. I feel like it doesn't concern me too much to the point where I would end up leaving Penn State in rebellion against the tracking of data. So yes, I would accept this. Would I agree with it completely? No, not at all...&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;Is Privacy of data more Valuable than Safety?&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;In a sense, the privacy of data is safety. So yes, I do think that the privacy of data is more important than a possible outbreak of COVID-19, especially when the people being affected would mostly be college students. If there was a data breach and all of this private data got out, people could be hurt a lot worse than any other form of harm.&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;Envision more ethical ways of solving this issue with tech?&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;A more ethical way for this would be to have a couple of different forms of the app. Don't make it mandatory for everyone to use it; you could make it available for people who deem it necessary and have a less intrusive form of testing and tracking for those who feel violated by the original app. &lt;/p&gt;

&lt;p&gt;This "new" app could be just a form of a dashboard, kind of like PSU has. It has all the cases and case numbers for tests distributed but doesn't actually intrude on personal information and privacy.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Extra pictures/videos:&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Below you will find updated COVID tuples and ER Diagrams from my last week's post.&lt;/p&gt;

&lt;h3&gt;
  
  
  COVID Tuples:
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yUKq9miW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/j5t6ouv2uql6zkcqq9om.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yUKq9miW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/j5t6ouv2uql6zkcqq9om.png" alt="Covid Tuples"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Conceptual Risk Factors:
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9CFdO-Bf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/jo7h0s0ndxujdu6zo0j0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9CFdO-Bf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/jo7h0s0ndxujdu6zo0j0.png" alt="Conceptual Risk Factors"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Physical Risk Factors:
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--YJyBXJsI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/1kwwbkc7xvg56h8a6q0f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--YJyBXJsI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/1kwwbkc7xvg56h8a6q0f.png" alt="Physical Risk Factors"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Supporting YouTube Video:
&lt;/h3&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/1EXp13cyNho"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>tracking</category>
      <category>app</category>
    </item>
    <item>
      <title>Visualizing COVID Risk Through an ER Diagram</title>
      <dc:creator>Chris Kiser</dc:creator>
      <pubDate>Sun, 06 Sep 2020 20:31:00 +0000</pubDate>
      <link>https://dev.to/chriskiser18/visualizing-covid-risk-through-an-er-diagram-24p5</link>
      <guid>https://dev.to/chriskiser18/visualizing-covid-risk-through-an-er-diagram-24p5</guid>
      <description>&lt;p&gt;Like most things in the world, there are different levels of risk for the current pandemic, depending on what is going on in your life, who you are, and who surrounds you.&lt;/p&gt;

&lt;p&gt;Today I am showing off a couple of data models I created to show what risks you may or may not have to keep in mind during these &lt;em&gt;weird&lt;/em&gt; times.&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;COVID Risk ER Diagram:&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5VRr6Kx5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/re23cuxgmv51h15j0sbe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5VRr6Kx5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/re23cuxgmv51h15j0sbe.png" alt="Untitled Diagram"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;ER Explanation:&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Patient, Hospitals, Geographic Location, Risk, Occupation, Behavior/Hobbies. These are all the things I have decided would be important to look out for when it comes to the risk of COVID. Each of these entities connects in a way that makes it easy to see that if you are relating to many of the attributes (Green ovals) in one of the entities you show a risk even without relating to any of the others.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Example Tuples:&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lTEG6iJ7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/fc7b43o7nabngslycczd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lTEG6iJ7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/fc7b43o7nabngslycczd.png" alt="COvid Tuples"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Connecting the Diagram with the Tuple:&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;The ER Diagram directly correlates with the Tuples which will hold the data and information about each subject when data is collected. In theory, there could be an algorithm that takes all the data for each entity and spits out the risk for each subject depending on their personal information.&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/sIRhboaKHr8"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;When designing this diagram, I almost had the thought of a flowchart in mind, so if you follow the arrows you should be able to self-judge your own risks. I tried to make my diagram in a way that I would be able to understand without too much background on the subject, so hopefully this format makes it simple for you to understand.&lt;/p&gt;

</description>
      <category>entityrelationship</category>
      <category>er</category>
      <category>datamodels</category>
      <category>diagram</category>
    </item>
    <item>
      <title>Intro to my Professional Self Via The Differences Between SQL and NoSQL</title>
      <dc:creator>Chris Kiser</dc:creator>
      <pubDate>Sun, 30 Aug 2020 23:29:49 +0000</pubDate>
      <link>https://dev.to/chriskiser18/intro-to-my-professional-self-via-the-differences-between-sql-and-nosql-pke</link>
      <guid>https://dev.to/chriskiser18/intro-to-my-professional-self-via-the-differences-between-sql-and-nosql-pke</guid>
      <description>&lt;h1&gt;
  
  
  &lt;strong&gt;Who am I?&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;&lt;em&gt;Hello, and welcome to my first class assignment for IST 210 at Penn State University!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As you could probably already tell I am a student attending Pennsylvania State University. I am currently a sophomore studying in IST. My plan is to graduate with a degree in Cybersecurity Analysis and Operations.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Career plans&lt;/strong&gt;&lt;br&gt;
 As of now, I have no clue what I want to do with my degree, but hey I have until 2023 to figure it out... I am however looking for ideas every single day!&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;My Brand&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;currently unknown&lt;/em&gt;&lt;br&gt;
At the time of writing this (my first blog post), I don't currently have a brand name/personality thought of. This is something that I may be seen as for the rest of my life, so I want to take my time and really decide how I want to portray myself as I continue my college career and pursue life. So, for now, I will go by Chris.&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;Differences Between SQL and NoSQL&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;First off, we have to talk about what SQL and NoSQL are:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SQL&lt;/strong&gt; :&lt;br&gt;
The Structured Query Language, or SQL, is a domain-specific language, or DSL, used to interact with relational databases and relational data streams.&lt;br&gt;
&lt;strong&gt;NoSQL&lt;/strong&gt; :&lt;br&gt;
NoSQL is a database that facilitates the storage and retrieval of data. Commonly used for applications that require horizontal scaling, like real-time web applications, it relies on a non-SQL low-level query language to store and retrieve data.&lt;/p&gt;

&lt;p&gt;There are many differences, but to keep my first post not too long I will briefly mention just a couple of main differences.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Amounts of Adoption&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;SQL&lt;/em&gt;: Widely adopted - basis for several popular procedural extensions. &lt;/p&gt;

&lt;p&gt;&lt;em&gt;NoSQL&lt;/em&gt;: Less adopted - Has to do with the limitations NoSQL presents. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;ACID Transactions&lt;/strong&gt; &lt;em&gt;(atomicity, consistency, isolation, durability)&lt;/em&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;SQL&lt;/em&gt;: SQL is ideal for situations where databases, regardless of where they sit, need ACID.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;NoSQL&lt;/em&gt;: Not all NoSQL databases have true ACID transactions.&lt;/p&gt;

&lt;h6&gt;
  
  
  &lt;strong&gt;Additional Links:&lt;/strong&gt;
&lt;/h6&gt;

&lt;h6&gt;
  
  
  &lt;a href="https://www.xplenty.com/blog/the-sql-vs-nosql-difference/#:~:text=SQL%20databases%20are%20relational%2C%20NoSQL,dynamic%20schemas%20for%20unstructured%20data.&amp;amp;text=SQL%20databases%20are%20table%20based,graph%20or%20wide%2Dcolumn%20stores."&gt;SQL vs NoSQL&lt;/a&gt;
&lt;/h6&gt;

&lt;h6&gt;
  
  
  &lt;a href="https://www.youtube.com/watch?v=teTqVAZ1VMU"&gt;Youtube Video SQL vs NoSQL&lt;/a&gt;
&lt;/h6&gt;

&lt;h6&gt;
  
  
  &lt;a href="https://blog.yugabyte.com/a-primer-on-acid-transactions/"&gt;What is ACID?&lt;/a&gt;
&lt;/h6&gt;

</description>
      <category>sql</category>
      <category>beginners</category>
    </item>
  </channel>
</rss>
