HI-TEC 2011
SQL Injection
Client’s Browser
HTTP or HTTPS
Web Server
Apache or IIS
HTML Forms
CGI Scripts
Database
SQL Server or Oracle or MySQL
ODBC or OLE DB or ADO
Common Web Application Vulnerabilities
Common Web Application Vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS) Attacks
One user injects code that attacks another user
Common on guestbooks, comment pages, forums, etc.
Caused by failure to filter out HTML tags
– These characters: < > " &
– Also watch out for hex-encoded versions
  %3c instead of <
  %3e instead of >
  %22 instead of "
Cross-Site Scripting (XSS)
One client posts active content, with <script> tags or other programming content
When another client reads the messages, the scripts are executed in his or her browser
One user attacks another user, using the vulnerable Web application as a weapon
<script>alert("XSS vulnerability!")</script>
<script>alert(document.cookie)</script>
<script>window.location="http://www.ccsf.edu"</script>
XSS Scripting Effects
Steal another user's authentication cookie
– Hijack session
Harvest stored passwords from the target's browser
Take over machine through browser vulnerability
Redirect Webpage
Many, many other evil things…
Common XSS Payloads
See link Ch 12z06
Cross-Site Scripting Countermeasures
Filter out < > ( ) # & and the variants of them
HTML-encode output, so a character like < becomes &lt; -- that will stop scripts from running
In IE 6 SP1 or later, an application can set HttpOnly Cookies, which prevents them from being accessed by scripts
Analyze your applications for XSS vulnerabilities
– Fix the errors you find
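An added example, not from the slides, that puts the countermeasures above into Python: the character check percent-decodes first so %3c is seen as <, output is HTML-encoded with html.escape, and the session cookie is issued with HttpOnly. The sample posts are constructed from the payloads shown on the earlier slide.

```python
import html
from urllib.parse import unquote

# Constructed sample inputs: the three payloads from the slides, plus a
# percent-encoded copy of the first one (%3c / %3e / %22 instead of < > ").
SAMPLE_POSTS = [
    '<script>alert("XSS vulnerability!")</script>',
    '<script>alert(document.cookie)</script>',
    '<script>window.location="http://www.ccsf.edu"</script>',
    '%3cscript%3ealert(%22XSS vulnerability!%22)%3c/script%3e',
]

# The characters the slide says to filter out.
DANGEROUS = set('<>()#&"')


def normalize(value: str) -> str:
    """Percent-decode until nothing changes, so %3c and %253c both become '<'."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def contains_markup(value: str) -> bool:
    """Detection check: does the decoded input hold any character on the filter list?"""
    return any(c in DANGEROUS for c in normalize(value))


def render_safe(value: str) -> str:
    """Output encoding: < > & " ' become HTML entities, so the browser shows them as text."""
    return html.escape(value, quote=True)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for a session cookie that page scripts cannot read (HttpOnly)."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure"
```

Note that a percent-encoded post stored as-is and passed through render_safe is also inert, since a browser does not percent-decode text inside an HTML body.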
Common Web Application Vulnerabilities
SQL Injection
SQL Injection Comic
xkcd.org – a great comic
Link Ch 11i
SQL Injection Example
HTML form collects name and pw
SQL then uses those fields:
SELECT * FROM customer
WHERE username = 'name' AND password = 'pw'
If a hacker enters a name of ' OR 1=1 --
The SQL becomes:
SELECT * FROM customer
WHERE username = '' OR 1=1 --' AND password = 'pw'
Which is always true (the -- comments out the rest of the line, including the password check), and returns all the records
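An added example, not from the slides, that runs the query above against a constructed customer table in SQLite: the concatenated version returns every row for the ' OR 1=1 -- name, while the same query with bound parameters treats that input as a plain string and matches nothing.

```python
import sqlite3

# Constructed stand-in for the slide's `customer` table (plaintext passwords
# only because the slide's query compares them directly).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """The slide's query built by string concatenation: user input becomes SQL."""
    sql = f"SELECT * FROM customer WHERE username = '{name}' AND password = '{pw}'"
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Same query with bound parameters: the input is always data, never SQL."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, pw)).fetchall()


INJECTED_NAME = "' OR 1=1 --"   # the name shown on the slide


def demo() -> dict:
    """Row counts for a real login and for the injected name under both query styles."""
    conn = make_db()
    return {
        "legit": len(login_parameterized(conn, "alice", "s3cret")),
        "vulnerable_all_rows": len(login_vulnerable(conn, INJECTED_NAME, "anything")),
        "parameterized_no_rows": len(login_parameterized(conn, INJECTED_NAME, "anything")),
    }
```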
HackThisSite
WebGoat Demo
Web App Vulnerability Scanner
Finding Vulnerable Web Apps with Google
inurl:SELECT%20FROM
Expensive Commercial Tools
HP WebInspect and Security Toolkit
Rational AppScan
Cenzic Hailstorm
Cenzic Hailstorm
Highly rated commercial Web application vulnerability scanner
– Links Ch 11o, 11p
Other Web Vulnerabilities
Nikto
Tamper Data Demo
Vulnerable Message Board
Acts like a proxy server
You can see POST data and alter it
This will defeat client-side validation
Cold Calls