Posted on 01-Apr-2015

HI-TEC 2011: SQL Injection

[Diagram: three-tier web architecture]
Client's Browser --(HTTP or HTTPS)--> Web Server (Apache or IIS; HTML Forms; CGI Scripts) --(ODBC, OLE DB, or ADO)--> Database (SQL Server, Oracle, or MySQL)

Common Web Application Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS) Attacks
- One user injects code that attacks another user
- Common on guestbooks, comment pages, forums, etc.
- Caused by failure to filter out HTML tags
  - These characters: < > " &
  - Also watch out for hex-encoded versions:
    %3c instead of <
    %3e instead of >
    %22 instead of "

Cross-Site Scripting (XSS)
- One client posts active content, with <script> tags or other programming content
- When another client reads the messages, the scripts are executed in his or her browser
- One user attacks another user, using the vulnerable Web application as a weapon

Example scripts from the slide:
<script>alert("XSS vulnerability!")</script>
<script>alert(document.cookie)</script>
<script>window.location="http://www.ccsf.edu"</script>

XSS Scripting Effects
- Steal another user's authentication cookie
  - Hijack session
- Harvest stored passwords from the target's browser
- Take over machine through browser vulnerability
- Redirect Webpage
- Many, many other evil things…

Common XSS Payloads
- See link Ch 12z06

Cross-Site Scripting Countermeasures
- Filter out < > ( ) # & and the variants of them
- HTML-encode output, so a character like < becomes &lt; -- that will stop scripts from running
- In IE 6 SP1 or later, an application can set HttpOnly cookies, which prevents them from being accessed by scripts
- Analyze your applications for XSS vulnerabilities
  - Fix the errors you find
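The three countermeasures above, worked through in code. This is an added example, not code from the HI-TEC slides: it canonicalizes percent-encoded input before checking for the characters the slides list (so a hex-encoded %3c is caught as a <), HTML-encodes on output with Python's html.escape, and builds a Set-Cookie header carrying the HttpOnly flag with the standard library's SimpleCookie. The sample posts, the cookie name "session" and the session id "abc123" are constructed for the example.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed sample inputs for this example (not taken from the slides):
# a harmless comment, a plain <script> tag, and the same kind of tag with
# hex-encoded angle brackets, the variant the slides warn about.
SAMPLE_POSTS = [
    "Great talk, thanks!",
    '<script>alert("XSS vulnerability!")</script>',
    "%3cscript%3ealert(document.cookie)%3c/script%3e",
]

DANGEROUS_CHARS = '<>"&'


def canonicalize(value: str) -> str:
    """Percent-decode until the string stops changing, so %3c, %253c, ...
    all collapse to '<' before any check runs. Checking the raw text and
    decoding afterwards is exactly the mistake that lets hex-encoded
    payloads through."""
    previous = None
    while previous != value:
        previous = value
        value = unquote(value)
    return value


def contains_markup(value: str) -> bool:
    """Detection check: does the canonicalized input contain any of the
    characters the slides say to watch for (< > " &)?"""
    decoded = canonicalize(value)
    return any(ch in decoded for ch in DANGEROUS_CHARS)


def render_safe(value: str) -> str:
    """Output encoding: HTML-encode the canonicalized text so the browser
    displays '<script>' literally instead of executing it. This works
    regardless of what an input filter may have missed."""
    return html.escape(canonicalize(value), quote=True)


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value with HttpOnly (page scripts cannot read it
    through document.cookie) and Secure (sent only over HTTPS)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"markup={contains_markup(post)!s:5} {render_safe(post)}")
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Of the three, output encoding is the one to rely on: a blocklist of characters is only as good as the list of variants it knows about, whereas encoding every untrusted value at the point it is written into HTML makes the browser treat it as text no matter how it was smuggled in. HttpOnly does not prevent the script from running; it limits what a successful injection can steal.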

Common Web Application Vulnerabilities
- SQL Injection

SQL Injection Comic
- xkcd.org – a great comic
- Link Ch 11i

SQL Injection Example
- HTML form collects name and pw
- SQL then uses those fields:

SELECT * FROM customer
WHERE username = 'name' AND password = 'pw'

- If a hacker enters a name of:  ' OR 1=1 --
- The SQL becomes:

SELECT * FROM customer
WHERE username = '' OR 1=1 --' AND password = 'pw'

- Which is always true, and returns all the records
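The slide's query run both ways, as an added example that is not part of the original deck: first built by string concatenation exactly as the slide describes, then with bound parameters, which is the fix. The customer table and its two rows are constructed for the example (the slides show no data); SQLite's in-memory database stands in for SQL Server, Oracle or MySQL so the script runs offline, and the `--` comment syntax behaves the same way.

```python
import sqlite3

# Constructed table contents for this example. Plaintext passwords only
# because the slide's query compares them directly; real systems store hashes.
SAMPLE_CUSTOMERS = [("alice", "wonderland"), ("bob", "builder")]


def make_db() -> sqlite3.Connection:
    """In-memory customer table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """The slide's pattern: form fields pasted straight into the SQL text.
    A quote in `name` ends the string literal and `--` comments out the
    password check, which is why the slide's input returns every row."""
    sql = (f"SELECT * FROM customer "
           f"WHERE username = '{name}' AND password = '{pw}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Hardened form: placeholders make the driver pass the input as data,
    so the same ' OR 1=1 -- is compared as a literal username and matches
    nothing."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def demo() -> dict:
    """Run both versions with a legitimate login and with the slide's input;
    returns row counts so the difference is easy to check."""
    conn = make_db()
    slide_input = "' OR 1=1 --"
    return {
        "legit_vulnerable": len(login_vulnerable(conn, "alice", "wonderland")),
        "legit_parameterized": len(login_parameterized(conn, "alice", "wonderland")),
        "injected_vulnerable": len(login_vulnerable(conn, slide_input, "pw")),
        "injected_parameterized": len(login_parameterized(conn, slide_input, "pw")),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24} {rows} row(s)")
```

The legitimate login returns one row either way; the slide's input returns both rows from the concatenated query and none from the parameterized one. The lesson is the boundary: with concatenation the database parses user input as part of the statement, with parameters it only ever sees it as a value, so no amount of quoting or escaping on the application side is needed.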

HackThisSite

WebGoat Demo

Web App Vulnerability Scanner

Finding Vulnerable Web Apps with Google
- Inurl:SELECT%20FROM

Expensive Commercial Tools
- HP WebInspect and Security Toolkit
- Rational AppScan
- Cenzic Hailstorm

Cenzic Hailstorm
- Highly rated commercial Web application vulnerability scanner
  - Links Ch 11o, 11p

Other Web Vulnerabilities
- Nikto

Tamper Data Demo
- Vulnerable Message Board
- Acts like a proxy server
- You can see POST data and alter it
- This will defeat client-side validation

Cold Calls
