Transcript
Page 1: HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC

HI-TEC 2011
SQL Injection

Page 2

Architecture of a typical Web application (diagram text):

Client's Browser
  | HTTP or HTTPS
  v
Web Server (Apache or IIS)
  HTML Forms
  CGI Scripts
  | ODBC or OLE DB or ADO
  v
Database (SQL Server or Oracle or MySQL)

Page 3

Common Web Application Vulnerabilities

Page 4

Common Web Application Vulnerabilities

Cross-Site Scripting (XSS)

SQL Injection

Cross-Site Request Forgery (CSRF)

Page 5

Cross-Site Scripting (XSS) Attacks

One user injects code that attacks another user

Common on guestbooks, comment pages, forums, etc.

Caused by failure to filter out HTML tags
– These characters: < > " &
– Also watch out for hex-encoded versions:

%3c instead of <

%3e instead of >

%22 instead of "

Page 6

Cross-Site Scripting (XSS)

One client posts active content, with <script> tags or other programming content

When another client reads the messages, the scripts are executed in his or her browser

One user attacks another user, using the vulnerable Web application as a weapon

Page 7

Test strings shown on the slide:

<script>alert("XSS vulnerability!")</script>

<script>alert(document.cookie)</script>

<script>window.location="http://www.ccsf.edu"</script>


Page 8

XSS Scripting Effects

Steal another user's authentication cookie
– Hijack session

Harvest stored passwords from the target's browser

Take over machine through browser vulnerability

Redirect Webpage

Many, many other evil things…

Page 9

Common XSS Payloads

See link Ch 12z06

Page 10

Cross-Site Scripting Countermeasures

Filter out < > ( ) # & and the variants of them

HTML-encode output, so a character like < becomes &lt; -- that will stop scripts from running

In IE 6 SP1 or later, an application can set HttpOnly Cookies, which prevents them from being accessed by scripts

Analyze your applications for XSS vulnerabilities
– Fix the errors you find
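The two XSS slides above (the dangerous characters and their hex-encoded variants, and the countermeasures of HTML-encoding output and setting HttpOnly cookies) can be shown in a few lines of server-side code. This is an added example written for this page, not code from the HI-TEC 2011 slides; the guestbook posts, function names and cookie name are constructed, and the Secure flag on the cookie is an addition beyond what the slide lists.

```python
# Added example (not from the HI-TEC 2011 slides). Demonstrates:
#  - spotting < > " & in a form field even when they arrive hex-encoded (%3c, %3e, %22)
#  - rendering user text with HTML encoding so it cannot start a tag
#  - issuing the session cookie with HttpOnly so document.cookie cannot read it
import html
from urllib.parse import unquote

# Constructed guestbook submissions, as a browser (or a tampered request) might send them.
SAMPLE_POSTS = [
    "Great site!",
    '<script>alert("XSS vulnerability!")</script>',
    "%3cscript%3ealert(document.cookie)%3c/script%3e",   # hex-encoded variant of the same thing
]

# The characters the slides say to watch for.
DANGEROUS = set('<>"&')


def contains_markup(raw_field: str) -> bool:
    """Return True if the field contains any of < > " & after URL-decoding.
    Decoding first is what makes the %3c / %3e / %22 variants visible."""
    decoded = unquote(raw_field)
    return any(ch in DANGEROUS for ch in decoded)


def render_post(raw_field: str) -> str:
    """The countermeasure from the slide: HTML-encode the (decoded) text.
    '<' becomes '&lt;', '"' becomes '&quot;', so the browser displays the
    characters instead of parsing them as a tag or attribute."""
    return html.escape(unquote(raw_field), quote=True)


def render_guestbook(posts: list[str]) -> str:
    """Build the HTML list a guestbook page would emit; every post passes
    through render_post, so no raw <script> reaches the output."""
    items = "".join(f"<li>{render_post(p)}</li>" for p in posts)
    return f"<ul>{items}</ul>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. HttpOnly (from the slide) keeps scripts
    from reading it; Secure (added here, assuming the site is served over HTTPS)
    keeps it off plain HTTP. Cookie name 'sessionid' is a constructed choice."""
    return f"sessionid={session_id}; HttpOnly; Secure; Path=/"


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"{contains_markup(post)!s:5}  {render_post(post)}")
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Encoding at output time is the control that actually stops the script from running; the `contains_markup` check is only useful for logging or rejecting suspicious input, since a filter list of characters is easier to get wrong than consistent output encoding.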

Page 11

Common Web Application Vulnerabilities

SQL Injection

Page 12

SQL Injection Comic

xkcd.org – a great comic

Link Ch 11i

Page 13

SQL Injection Example

HTML form collects name and pw
SQL then uses those fields:

SELECT * FROM customer WHERE username = 'name' AND password = 'pw'

If a hacker enters a name of ' OR 1=1 --

The SQL becomes:
SELECT * FROM customer WHERE username = '' OR 1=1 --' AND password = 'pw'

Which is always true, and returns all the records
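The login query from this slide can be run both ways against a small database to see the effect and the fix. This is an added example written for this page, not code from the HI-TEC 2011 slides; it uses Python's sqlite3 module with an in-memory database and a constructed customer table (plaintext passwords only to keep the demo short, not as a storage recommendation).

```python
# Added example (not from the HI-TEC 2011 slides). The slide's login query is
# built once by string concatenation (the vulnerable pattern) and once with
# bound parameters (the fix). Sample data and table layout are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample customer table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (username, password) VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder"), ("carol", "singer")],
    )
    conn.commit()
    return conn


def build_query_text(name: str, pw: str) -> str:
    """The SQL text the vulnerable handler would send, exactly as the slide shows it."""
    return f"SELECT * FROM customer WHERE username = '{name}' AND password = '{pw}'"


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Form fields pasted straight into the SQL text. A name of  ' OR 1=1 --
    turns the WHERE clause into  username = '' OR 1=1  and comments out the rest,
    so every row comes back."""
    return conn.execute(build_query_text(name, pw)).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """The fix: placeholders. The driver sends the values separately from the
    statement, so quotes and -- inside the input are compared as data, never
    parsed as SQL syntax."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack_name = "' OR 1=1 --"
    print(build_query_text(attack_name, "pw"))
    print("vulnerable rows:    ", len(login_vulnerable(db, attack_name, "pw")))
    print("parameterized rows: ", len(login_parameterized(db, attack_name, "pw")))
    print("legit login rows:   ", len(login_parameterized(db, "alice", "wonderland")))
```

Parameterized queries are the primary fix; on the database side, giving the Web application's account only the rights it needs limits what a successful injection can read or change.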

Page 14

HackThisSite

Page 15

WebGoat Demo

Page 16

Web App Vulnerability Scanner

Page 17

Finding Vulnerable Web Apps with Google

inurl:SELECT%20FROM

Page 18

Expensive Commercial Tools

HP WebInspect and Security Toolkit

Rational AppScan

Cenzic Hailstorm

Page 19

Cenzic Hailstorm

Highly rated commercial Web application vulnerability scanner
– Links Ch 11o, 11p

Page 20

Other Web Vulnerabilities

Page 21

Nikto

Page 22

Tamper Data Demo

Vulnerable Message Board

Page 23

Acts like a proxy server

You can see POST data and alter it

This will defeat client-side validation
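The defender's consequence of the Tamper Data slides is that client-side validation is only a convenience: since POST data can be altered after the browser's checks run, the server has to re-validate every field against its own rules. The example below is added for this page and is not code from the HI-TEC 2011 slides or from the Tamper Data project; the message-board form, its field rules and the two request bodies are constructed.

```python
# Added example (not from the HI-TEC 2011 slides). Server-side re-validation of
# a POST body for a constructed "post a message" form. The browser form enforces
# the same limits with maxlength= and a <select>, but a proxy lets the client
# send anything, so the server repeats every check and also rejects fields the
# form never had.
from urllib.parse import parse_qs

# Constructed rules for the form's fields.
FIELD_RULES = {
    "author":   {"max_len": 32, "required": True},
    "board":    {"choices": {"general", "help", "offtopic"}, "required": True},
    "message":  {"max_len": 500, "required": True},
    "priority": {"int_range": (1, 3), "required": False},
}


def validate_post_body(body: str) -> list[str]:
    """Parse an application/x-www-form-urlencoded body and return a list of
    error strings. An empty list means the submission passed every rule."""
    fields = parse_qs(body, keep_blank_values=True)
    errors: list[str] = []

    # A tampered request may add parameters the form never offered (e.g. is_admin=1).
    for name in fields:
        if name not in FIELD_RULES:
            errors.append(f"unexpected field: {name}")

    for name, rules in FIELD_RULES.items():
        values = fields.get(name, [])
        if not values or values[0] == "":
            if rules.get("required"):
                errors.append(f"missing field: {name}")
            continue
        if len(values) > 1:
            errors.append(f"duplicate field: {name}")
        value = values[0]
        if "max_len" in rules and len(value) > rules["max_len"]:
            errors.append(f"{name} too long ({len(value)} > {rules['max_len']})")
        if "choices" in rules and value not in rules["choices"]:
            errors.append(f"{name} not an allowed value: {value!r}")
        if "int_range" in rules:
            lo, hi = rules["int_range"]
            if not value.isdigit() or not (lo <= int(value) <= hi):
                errors.append(f"{name} out of range: {value!r}")
    return errors


# Constructed request bodies: one as the browser's form would send it, and one
# edited in a proxy after the client-side checks had already run.
NORMAL_BODY = "author=alice&board=general&message=hello+world&priority=2"
TAMPERED_BODY = "author=" + "a" * 40 + "&board=admin&message=hi&priority=99&is_admin=1"


if __name__ == "__main__":
    for label, body in (("normal", NORMAL_BODY), ("tampered", TAMPERED_BODY)):
        print(label, "->", validate_post_body(body) or "accepted")
```

The same principle applies to hidden fields and to values the server already knows (prices, user ids, roles): treat them as untrusted input on arrival, or better, do not accept them from the client at all and look them up server-side.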

Page 24

Cold Calls
