![Page 1: Exploiting Vulnerabilities: SQLi, XSS, XXE, File Injection · 2/22/2019 · Greetings to you Greetings to you ... us all. XSS. XSS Where user data is echoed verbatim on a page What](https://reader034.vdocuments.us/reader034/viewer/2022050814/60104282810373322c4caa27/html5/thumbnails/1.jpg)
Exploiting Vulnerabilities: SQLi, XSS, XXE, File Injection
January 2019
Ranginui (Sky Father) is above
Papatuanuku (Earth Mother) is below
Their children in between (that's us)
I sneeze to life! (Behold, there is life)
Rangitoto is the mountain
Motuihe is the island
The Hauraki Gulf is the sea
Lake Pupuke is the lake
I arrived on the Burman
My iwi (tribe) is pakeha
My gathering place is Wakanui
I am part of Pushpay
I am David
Greetings to you
Greetings to you
Greetings to us all
XSS
XSS
Where user data is echoed verbatim on a page
What if the user data includes content such as `<script>alert('hello world')</script>`?
Persistent XSS
DEMO
Persistent XSS
Modern frameworks make it quite difficult to output verbatim (`Html.Raw`, `dangerouslySetInnerHTML`, etc.)
Make sure that whatever you pass to these methods doesn't contain user data
Persistent XSS
XSS Mitigations
● Context sensitive auto escaping
● Strict Content Security Policy (CSP)
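An added example, not from the talk, showing both mitigations together in Python (the same pattern applies to a Razor or React view): every insertion point escapes for its own context, and the response carries a nonce-based strict CSP so an injected script is blocked even where escaping is missed. `render_comment_page` and the header layout are my construction; `html`, `json` and `secrets` are standard library.

```python
import html
import json
import secrets


def escape_for_html_text(value: str) -> str:
    """User data between tags: < > & become entities."""
    return html.escape(value, quote=False)


def escape_for_html_attribute(value: str) -> str:
    """User data inside a quoted attribute: quotes must be encoded as well."""
    return html.escape(value, quote=True)


def escape_for_js_string(value: str) -> str:
    """User data inside a <script> string literal: JSON-encode it and make sure
    the literal can never contain a closing tag."""
    return json.dumps(value).replace("</", "<\\/")


def render_comment_page(comment: str, author: str) -> tuple[dict, str]:
    """Return (response headers, HTML body) for a page showing a stored comment.
    Each insertion point picks the escaper for its context; nothing is output raw."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        # Strict CSP: only scripts carrying this request's nonce may run, so an
        # injected <script> or inline handler is refused by the browser.
        "Content-Security-Policy": (
            f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'"
        )
    }
    body = (
        f'<p data-author="{escape_for_html_attribute(author)}">'
        f"{escape_for_html_text(comment)}</p>\n"
        f'<script nonce="{nonce}">'
        f"const author = {escape_for_js_string(author)};"
        "</script>"
    )
    return headers, body
```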
CSRF
Browsers send cookies
Cookies control authentication
If we can trick the browser into sending a request, it will include the authentication cookie
CSRF
DEMO
CSRF
Requires active mitigation
Usually through a form value (token) that must also be present for data-manipulation requests
Modern frameworks will come with a built-in way to do this
CSRF
You also need to protect Ajax endpoints
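An added example, not from the talk, of the token-based mitigation the slides describe, covering both form posts and Ajax endpoints. The token is an HMAC bound to the session, so it needs no server-side storage; `SECRET_KEY`, the request dictionary shape and the `X-CSRF-Token` header name are my assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Server-side key generated at start-up for this example (constructed, not a real key).
SECRET_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC over (session, nonce): usable only by this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def csrf_check(request: dict) -> bool:
    """request is a constructed dict: method, session_id (taken from the auth cookie),
    form fields and headers. The cookie alone never authorises a state change."""
    if request["method"].upper() in SAFE_METHODS:
        return True  # reads carry no token; they must not change state
    # Forms send the token as a hidden field; Ajax callers send it in a custom header,
    # which a cross-origin page cannot add without the server granting it via CORS.
    token = (request.get("form", {}).get("csrf_token")
             or request.get("headers", {}).get("X-CSRF-Token"))
    if not token:
        return False
    return verify_csrf_token(request["session_id"], token)
```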
Reflected XSS + CSRF
Combining multiple low-severity issues can produce a high-severity issue
Reflected XSS + CSRF
DEMO
Reflected XSS + CSRF
XSS Mitigations
● Context sensitive auto escaping
● Strict Content Security Policy
CSRF Mitigations
● Token based
XXE
● XML eXternal Entity
XXE
DEMO
XXE
XXE Mitigations
● Disable DTD
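An added example, not from the talk, of what "disable DTD" looks like for XML arriving from clients, in Python's standard-library SAX reader (the .NET equivalent is the reader's DTD-processing setting). The DOCTYPE check and `parse_untrusted_xml` are my construction; the sample documents are constructed, and the external entity in the rejected one points at a placeholder URI.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so may declare entities)."""


class _TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def parse_untrusted_xml(document: str) -> str:
    """Parse XML from an untrusted source and return its text content."""
    # 1. "Disable DTD": a DOCTYPE is the only place entities can be declared, so
    #    refusing any DOCTYPE removes external entities and entity-expansion bombs
    #    in one go. A feed that genuinely needs a DTD should not be an untrusted one.
    if re.search(r"<!DOCTYPE", document, re.IGNORECASE):
        raise DtdRejected("DOCTYPE declarations are not accepted from clients")
    # 2. Belt and braces: even if a DTD slipped through, tell the expat-backed
    #    reader not to fetch external general or parameter entities.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document.encode("utf-8")))
    return "".join(collector.parts)
```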
File Injection
File Injection
DEMO
File Injection - Mitigation
● Don't persist the user-supplied name
● Don't serve uploads directly
● Do serve them off an alternate domain
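An added example, not from the talk, putting the three mitigations into one upload handler in Python: the file is written under a server-chosen opaque id, the client's name survives only as sanitised display metadata, and downloads are linked to and served from a separate host as an attachment. `FILE_HOST` is a hypothetical domain, and `demo` writes a constructed upload into a temporary directory.

```python
import re
import secrets
import tempfile
from pathlib import Path

FILE_HOST = "files.example.invalid"  # hypothetical second origin that only serves uploads


def safe_display_name(client_name: str) -> str:
    """Reduce the client's filename to a harmless display string (metadata only)."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")   # no odd characters
    return base or "download"


def store_upload(client_name: str, data: bytes, root: Path) -> dict:
    """Write the bytes under a server-chosen name; the client name never reaches the disk."""
    object_id = secrets.token_hex(16)          # unpredictable, and no extension to interpret
    target = root / object_id                  # cannot escape root because the id is ours
    target.write_bytes(data)
    return {"id": object_id, "display_name": safe_display_name(client_name),
            "size": len(data), "stored_path": str(target)}


def file_url(meta: dict) -> str:
    """Link the application emits: the file lives on the alternate domain, not the app's."""
    return f"https://{FILE_HOST}/{meta['id']}"


def serve_headers(meta: dict) -> dict:
    """Headers the file host sends so the browser downloads rather than renders the content."""
    return {
        "Content-Type": "application/octet-stream",   # never the client-declared type
        "Content-Disposition": f'attachment; filename="{meta["display_name"]}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo(client_name: str = "../../report final.png") -> dict:
    """Stand-alone run on a constructed upload in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    meta = store_upload(client_name, b"constructed sample bytes", root)
    meta["root"] = str(root)
    return meta
```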
SQLi
https://xkcd.com/327/
SQLi
Injection: where a command is built by interpolating user data
SQL Injection: where a SQL query is built by interpolating user data
SQLi
e.g.

```csharp
// User data is interpolated straight into the SQL text, so whatever the user types becomes part of the query.
var query = $"SELECT id, name FROM USERS WHERE name LIKE '%{username}%'";
```
SQLi
You’d know if someone dropped your database...
SQLi
DEMO
SQLi
This made use of the error page
Even without an error page, sqlmap can use timing to extract data
SQLi
Would you know if it happened to you?
SQLi
Modern ORMs will mostly protect you from this
When you need to run direct SQL queries, parameterize them
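An added example, not from the talk, that mirrors the deck's interpolated `LIKE` query and its parameterized replacement in Python on an in-memory SQLite table so it runs anywhere (the same change applies with bound parameters in ADO.NET or any other driver). The table and rows are constructed. One caveat the slide does not mention: parameters stop the user data being parsed as SQL, but `%` and `_` are still `LIKE` wildcards, so they are escaped as well.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows, including awkward names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO USERS (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",), ("50%_off",)])
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Python twin of the deck's C# line: user data becomes part of the SQL text.
    Deliberately vulnerable; kept only for comparison."""
    query = f"SELECT id, name FROM USERS WHERE name LIKE '%{username}%'"
    return [name for _id, name in conn.execute(query)]


def search_users_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """User data travels as a bound parameter, so the SQL text never changes.
    Parameters do not neutralise LIKE wildcards, so % and _ are escaped too."""
    literal = (username.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    query = "SELECT id, name FROM USERS WHERE name LIKE ? ESCAPE '\\'"
    return [name for _id, name in conn.execute(query, (f"%{literal}%",))]
```

A name containing a quote breaks the interpolated query with a syntax error while the parameterized one simply finds the matching row; that difference is exactly what a database error page (or timing) exposes to an injection tool.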
Questions?
● I thought we needed more stock photos.