Protecting Your Web Site From SQL Injection & XSS

Chris Kenworthy, </dream.in.code>®, August 27, 2008


DESCRIPTION

The UNM Information Architects and the UNM Arts LAB invite you to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday, the 27th of August. Chris will be discussing SQL Injection and Cross Site Scripting vulnerabilities. These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them. Please mark your calendars for Wednesday, August 27, from 10:00 to 11:30 at the UNM Student Union Building, Lobo Rooms A & B.

TRANSCRIPT

Page 1: Protecting Your Web Site From SQL Injection & XSS

This year, over 500,000 web pages were defaced by a malicious SQL Injection…

Page 2: SQL Injections

Page 3: What is SQL?

Structured Query Language
Used to retrieve and manage data in relational databases
Chances are your organization is using SQL
Example:

SELECT firstName, lastName FROM users WHERE userID = 'chris';

Page 4: What is a SQL Injection?

A common security vulnerability
Occurs when unfiltered user input is pasted into the text of a query and the result is executed by the database
Easily prevented
Example of vulnerability:

http://www.example.com/login.php?UserID=chris

SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "'

The query is built by string concatenation, so whatever the visitor puts in the UserID parameter becomes part of the SQL the database parses.

Page 5: Example of an Attack

Original query:
SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "';

Set $UserID to: nobody' OR 'a' = 'a

Result:
SELECT firstName, lastName FROM users WHERE userID = 'nobody' OR 'a' = 'a';

Page 6: The Impact

The WHERE clause is now always true, so the query returns every row in the table
If the login code takes the first row returned as the logged-in user, the attacker authenticates as the first user in the database

Possible impacts:
False authentication
Permissions escalation
Information disclosure
Identity theft
More…

Page 7: Example of an Attack

Original query:
SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "';

Set $UserID to: x'; DROP TABLE users; --

Result:
SELECT firstName, lastName FROM users WHERE userID = 'x'; DROP TABLE users; --';

The ; ends the original statement, DROP TABLE users is appended as a second one, and the trailing -- comments out the leftover closing quote so the SQL still parses. This stacked-query form only works where the database driver executes several statements in one call (PHP's mysql_query, for example, runs only one); the attack on page 5 needs no such help.

Page 8: The Impact

Attacker deletes the entire users table!

Possible impacts:
Loss of data
Data manipulation
Data insertion
Virus/malware distribution
Total database destruction
More…

Page 9: Preventing SQL Injection

Sanitize the input
Enforce data types (e.g. numeric, string, etc.)
Use parameterized statements (the SQL and the values travel separately, so input is never parsed as SQL; this is the one defense that removes the bug rather than filtering around it)
Use stored procedures (only helps if the procedure does not itself build dynamic SQL from its arguments)
Limit permissions (the account the web application connects with should not be allowed to DROP tables)
Install an application firewall (my favorite)

Apache: mod_security (w/ Core Rules)
IIS: URLScan 3.0 (Beta)
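The two attacks from pages 5 and 7 and the parameterized-statement fix from this page, as an added worked example that is not code from the deck. Python's sqlite3 module stands in for the site's database; the users table, its two rows and the allow-list pattern in validate_user_id are constructed for the example, and the payloads are the ones on the slides. The stacked DROP TABLE is run two ways to show that it depends on the driver: sqlite3's execute() refuses a second statement, executescript() runs them all.

```python
import re
import sqlite3

# Constructed sample data (not from the slides). The admin row is inserted
# first so the "first user in the database" outcome from page 6 is visible.
SAMPLE_USERS = [
    ("admin", "Site", "Administrator"),
    ("chris", "Chris", "Kenworthy"),
]


def make_db():
    """In-memory SQLite database standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID TEXT PRIMARY KEY, firstName TEXT, lastName TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(user_id):
    """The slide's query, built by string concatenation: whatever arrives in
    UserID becomes part of the SQL text the database parses."""
    return "SELECT firstName, lastName FROM users WHERE userID = '" + user_id + "'"


def lookup_vulnerable(conn, user_id):
    """Run the concatenated query and return every row it matches."""
    return conn.execute(build_vulnerable_sql(user_id)).fetchall()


def lookup_parameterized(conn, user_id):
    """Same lookup with a bound parameter: the value is compared as data and
    is never parsed as SQL, so the page 5 payload simply matches nothing."""
    return conn.execute(
        "SELECT firstName, lastName FROM users WHERE userID = ?", (user_id,)
    ).fetchall()


def validate_user_id(user_id):
    """'Enforce data types': an allow-list for what a user ID may look like.
    The pattern is an assumption for the example; quotes and spaces fail it."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", user_id) is not None


def stacked_attack(conn, user_id, driver_runs_multiple_statements):
    """Page 7's payload through the concatenated query. Returns 'executed' if
    the driver ran the text, 'rejected' if it refused the second statement."""
    sql = build_vulnerable_sql(user_id)
    if driver_runs_multiple_statements:
        conn.executescript(sql)  # runs SELECT, then DROP TABLE, then the comment
        return "executed"
    try:
        conn.execute(sql)  # single-statement API: "You can only execute one statement at a time."
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):  # exception class varies by Python version
        return "rejected"


def table_exists(conn, name):
    """Check the schema catalogue for a table, to see whether the DROP ran."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "nobody' OR 'a' = 'a"
    print("vulnerable   :", lookup_vulnerable(db, bypass))     # every row
    print("parameterized:", lookup_parameterized(db, bypass))  # []
    print("allow-list   :", validate_user_id(bypass))          # False
    drop = "x'; DROP TABLE users; --"
    print(stacked_attack(db, drop, False), "table exists:", table_exists(db, "users"))
    print(stacked_attack(db, drop, True), "table exists:", table_exists(db, "users"))
```

The parameterized lookup and the allow-list are independent layers: the first fixes the bug, the second narrows what reaches the query at all, which is the "enforce data types" bullet above. Note that a driver refusing stacked statements does nothing against the page 5 payload, which is a single, valid SELECT.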

Page 10: Cross Site Scripting

Page 11: What is XSS?

XSS (Cross Site Scripting)
Allows an attacker to run arbitrary script in other visitors' browsers, with the privileges of your site
Often involves tricking the end user (for example into clicking a crafted link)
Over 70% of web sites may be vulnerable
Example:

<<SCRIPT>alert("XSS");//<</SCRIPT>

(The doubled angle brackets and the trailing // are a filter-evasion variant; where nothing is filtered, a plain <script>alert("XSS")</script> behaves the same.)

Page 12: How Does XSS Work?

Scenario 1 (reflected):

You get an email with a URL that looks like this:
http://www.domain.com/index.php?userid=%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%2F%2F%3C%3C%2F%53%43%52%49%50%54%3E

The query string is just the example script from page 11, URL-encoded so it does not look like one. You click it, the web page echoes the userid variable into its HTML without encoding it, and your browser runs the script, resulting in this (the slide shows the resulting alert box, which is not reproduced in the transcript):

Page 13: How Does XSS Work?

Scenario 2 (stored):

There is a comment form on a web page. You paste this string into the form:
<<SCRIPT>alert("XSS");//<</SCRIPT>

The comment is saved and written into the page for everyone, so now every user that visits that page will see this (the slide shows the resulting alert box, which is not reproduced in the transcript):

Page 14: Why Does It Work?

Inputs are displayed as HTML instead of as character entities (<SCRIPT> is written out as-is rather than as &lt;SCRIPT&gt;), so the browser cannot tell the visitor's script from the site's own markup and executes it
Cookies are not secured, so the injected script can read the session cookie out of document.cookie
Sessions can be hijacked by whoever receives that cookie

Page 15: The Impact of XSS

Identity theft
Malware
Session hijacking
User impersonation
Redirection
Misinformation

Page 16: Preventing XSS Attacks

Convert all inputs to HTML character entities before outputting them to the screen (encode at the point of output, everywhere untrusted data lands in a page)
Secure cookies using the HttpOnly attribute (script can no longer read the session cookie; it does not stop the injected script from running)
Associate sessions with IP addresses (a stolen cookie is harder to replay from elsewhere; expect problems for users whose address changes mid-session, e.g. behind proxies)
Install an application firewall (again, my favorite)
Educate users!

Don't click links in emails you don't recognize
Don't fill out forms from links in emails
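Both scenarios from pages 12 and 13 and the output-encoding and HttpOnly advice above, as an added worked example that is not code from the deck. The crafted URL and the test string are the ones on the slides; the page layout, the decoding of the query parameter the way a web server would, and the PHPSESSID cookie name are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The slide's test string and the URL-encoded form of it from scenario 1.
XSS_PAYLOAD = '<<SCRIPT>alert("XSS");//<</SCRIPT>'
CRAFTED_URL = (
    "http://www.domain.com/index.php?userid="
    "%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%2F%2F"
    "%3C%3C%2F%53%43%52%49%50%54%3E"
)


def userid_from_url(url):
    """Decode the userid query parameter the way the web server hands it to
    the page: percent-encoding is removed, so the script comes back intact."""
    params = parse_qs(urlsplit(url).query)
    return params.get("userid", [""])[0]


def encode_for_html(text):
    """'Convert inputs to HTML character entities': <, >, &, " and ' become
    entities, so the browser displays the text instead of parsing it."""
    return html.escape(text, quote=True)


def render_page(untrusted_values, encode):
    """Build a page body from values under visitor control: the echoed userid
    in scenario 1, or stored comments in scenario 2 (one <p> each, an assumed
    layout). encode=False is the behaviour the slides describe; encode=True
    applies the fix at the point of output."""
    parts = []
    for value in untrusted_values:
        shown = encode_for_html(value) if encode else value
        parts.append("<p>" + shown + "</p>")
    return "\n".join(parts)


def contains_script_tag(markup):
    """Rough check used to compare the two renderings: is there a tag left
    that the browser would execute?"""
    return "<script" in markup.lower()


def session_cookie_header(session_id, secure=True):
    """Set-Cookie value applying the HttpOnly advice (cookie name assumed).
    HttpOnly keeps injected script from reading document.cookie; Secure keeps
    the cookie off plain HTTP. Neither stops the script from running, which
    is why encoding on output comes first."""
    attrs = ["PHPSESSID=" + session_id, "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    userid = userid_from_url(CRAFTED_URL)
    print("decoded userid:", userid)
    print("--- vulnerable (scenario 1) ---")
    print(render_page([userid], encode=False))
    print("--- encoded on output ---")
    print(render_page([userid], encode=True))
    # Scenario 2: two harmless comments and the pasted one, constructed here.
    comments = ["First!", XSS_PAYLOAD, "Nice article"]
    print("stored XSS present:", contains_script_tag(render_page(comments, encode=False)))
    print("after encoding    :", contains_script_tag(render_page(comments, encode=True)))
    print("Set-Cookie:", session_cookie_header("a1b2c3"))
```

The encoded rendering shows the comment text literally, which is what a comment form should do; the encoding happens when the value is written into the page, not when it is stored, so the same stored value is safe in every place it is later displayed.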

Page 17: Resources

Scrawlr – Find SQL injection vulnerabilities in your site
Mod_security – Web application firewall (Apache)
URLScan – Web application firewall (IIS)
XSS Examples

Page 18: Closing Thoughts

If you have a web site, you will be attacked
Don't trust developers to secure their code
Use an application firewall if possible
Be proactive

Page 19: Questions?

Comic from XKCD: http://xkcd.com/327/