Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Security App. web, by Ivan Ortega and Benjamin Porta

62 pages. Uploaded by ivan-ortega, posted on 16-Apr-2017. Category: Software.

TRANSCRIPT

Page 1: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Security App. web
Ivan Ortega
Benjamin Porta

Page 2: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

A1: SQL Injection

SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input. The injected SQL commands can alter the SQL statement and compromise the security of a web application. SQL injection is listed among the top 10 web application vulnerabilities of both 2007 and 2010.

Page 3: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

WARNING: In its most common form, a SQL injection attack gives access to sensitive information such as social security numbers, credit card numbers or other financial data. SQL injection is one of the most prevalent types of web application security vulnerability.

Page 4: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Reasons

Incorrectly filtered escape characters

Incorrect type handling

' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*

1; DROP TABLE users

Page 5: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Preventing SQL Injection 1 / 2

● Adopt an input validation technique in which user input is validated against a set of defined rules for length, type and syntax.

● Users with permission to access the database must have the least privileges. Also, always make sure that a database user is created only for a specific application and that this user cannot access other applications.

Page 6: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Preventing SQL Injection 2 / 2

● Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.

● Take care when using stored procedures: they can be injectable too (for example via the use of exec() or by concatenating arguments within the stored procedure).

Page 7: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Environment / Context 1/3

CLIENT -> SERVER (php) -> SQL

The client sends data to the server.

Page 8: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Environment / Context 2/3

CLIENT -> SERVER (php) -> SQL

You must verify data before sending them to the server.

Page 9: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Environment / Context 3/3

CLIENT -> SERVER (php) -> SQL

Data are sent to the server (processed with PHP) and then sent back to the client.

SQL queries, if parametrized, can protect against DROP and ALTER.

Page 10: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 1: Injection 1/3

This program is a web page linked to an SQL database; it shows the list of movies present in the database and allows anyone to add a new entry.

Movie 1: Normal use case

Page 11: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 1: Injection 2/3

But we can easily attack this web page, because the server doesn't check for JavaScript in the inputs added by users. We show an example of a possible attack (injection of JavaScript code) on this web page. With this attack, every client is affected!

Movie 1: Attack use case

Page 12: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 1: Injection 3/3

To prevent this kind of attack, we have to block all JavaScript coming from the user. Doing so is very simple: we use a specific PHP function, strip_tags(). It removes tags written with "<" and ">" but also tags written as "&lt;" and "&gt;".

Movie 1: Prevent use case

Page 13: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 2: SQL Injection 1/3

This program is a web page linked to an SQL database; it shows the list of users present in the database and allows anyone to subscribe. Once subscribed, you can log in.

Movie 2: Normal use case

Page 14: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 2: SQL Injection 2/3

The attack consists in logging in and stealing all the personal information of a user with his login but without his password. It's simple; the request looks like this:

    $query = "SELECT * FROM user WHERE pseudo='".$p."' AND mdp='".$pass."' ";

So the attacker can inject code after his pseudo (' -- ) and the end of the SQL request will be interpreted as:

    SELECT * FROM user WHERE pseudo='PSEUDO' -- AND mdp='WHATYOUWANT'

As you can see, AND mdp='...' is interpreted as a comment!

Movie 2: Attack use case

Page 15: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 2: SQL Injection 3/3

To prevent this kind of attack, use:

mysqli_real_escape_string() or bin2hex()

    $link = mysqli_connect("127.0.0.1", "root", "", "secuweb");
    $login = mysqli_real_escape_string($link, $login);
    $user = $ins->getUserFromPseudoAndPassword($login, $pass);

Then the input string is changed: ' -- is replaced by \' --

Movie 2: Prevent use case

Page 16: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 3: SQL Injection* 1/2

In reality, a lot of the problems induced by SQL injection are already fixed. For example in PHP, you can't submit multiple requests to MySQL without using mysqli->multi_query,

probably because it is very dangerous: you can modify data and tables, and also delete them.

For this example, mysqli_real_escape_string() is deactivated.

Movie 3: Multi-request attack

Page 17: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Example 3: SQL Injection* 2/2

Allow a user only what is necessary; it can prevent a lot of actions.

Page 18: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

About SQL injection

Finally, it's not difficult to protect against SQL injection; the problem comes from webmasters who don't check all cases of possible attack. There are many ways to secure input data, such as the methods quoted before or others like prepared statements with bindParam.

END of part 1
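The login query of Example 2 written both ways, as an added example (not the slides' own code): the concatenated query the slide shows, beside a prepared statement bound with bindParam. It assumes PHP with the PDO SQLite driver; the table, the user "alice", her password and the function names are constructed for the example.

```php
<?php
// Added example, not from the slides. An in-memory SQLite database stands in
// for the MySQL database of Example 2 so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (pseudo TEXT, mdp TEXT)");
$db->exec("INSERT INTO user VALUES ('alice', 'correct-horse')"); // constructed sample row

// The slide's pattern: user input is spliced into the SQL text, so a quote in
// $p ends the string literal and "--" turns the rest of the line into a comment.
function loginConcat(PDO $db, string $p, string $pass): ?array {
    $query = "SELECT * FROM user WHERE pseudo='" . $p . "' AND mdp='" . $pass . "'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The fix the last slide mentions: placeholders bound with bindParam. The
// statement text is fixed before the values arrive, so quotes and "--" in
// the input are only characters inside a value, never SQL syntax.
function loginPrepared(PDO $db, string $p, string $pass): ?array {
    $stmt = $db->prepare("SELECT * FROM user WHERE pseudo = :pseudo AND mdp = :mdp");
    $stmt->bindParam(':pseudo', $p, PDO::PARAM_STR);
    $stmt->bindParam(':mdp', $pass, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pseudo = "alice' -- ";      // the slide's input: pseudo followed by ' --
$wrongPass = "WHATYOUWANT";  // the password check is commented out in the first query

// Concatenation: the password clause disappears into the comment, alice's row comes back.
echo "concatenated query, wrong password: ",
     loginConcat($db, $pseudo, $wrongPass) === null ? "refused" : "LOGGED IN", "\n";
// Prepared statement: no user is literally named "alice' -- ", so nothing is returned.
echo "prepared statement, wrong password: ",
     loginPrepared($db, $pseudo, $wrongPass) === null ? "refused" : "LOGGED IN", "\n";
// A legitimate login still works through the prepared statement.
echo "prepared statement, right password: ",
     loginPrepared($db, 'alice', 'correct-horse') === null ? "refused" : "LOGGED IN", "\n";
```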

Page 19: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

OWASP A3: Cross Site Scripting

XSS

Page 20: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Cross Site Scripting

1. What is it?
2. Types of XSS
3. Consequences
4. OWASP Prevention Cheat Sheet
5. Testing my application


Page 22: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

What is it?

XSS attacks are a type of injection.

An attacker uses a web application to send malicious scripts which will be executed when the page is built

Page 23: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

How can I inject code?


Page 25: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Types of Cross-Site Scripting

Stored XSS (Persistent or Type I)

Reflected XSS (Non-Persistent or Type II)

DOM Based XSS (Type-0)

Page 26: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Stored XSS

The most frequently vulnerable sites are those where user input is stored on the target server, such as in a database, a message forum, a visitor log, a comment field, etc. The attacker uses this input to inject.

The injected script is permanently stored on the target servers.

The victim then retrieves the malicious script from the server when it requests the stored information.

Page 29: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Reflected XSS

The injected script is reflected off the web server, for example in a response that includes some or all of the input sent to the server as part of the request.

Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site.

Page 30: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Reflected XSS

Then the user clicks on a malicious link that contains the XSS injection as part of a request to the "trusted site", which reflects the attack back to the user's browser.

The browser then executes the code because it came from a "trusted" server.

Page 33: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

DOM Based XSS

It's an XSS attack wherein the attack payload is executed as a result of modifying the DOM in the victim's browser, the DOM used by the original client-side script.

Page 35: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

I have been attacked! What happens now?


Page 37: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Consequences

The consequences are the same whatever the type of XSS.

Page 38: Web Security - OWASP - SQL injection & Cross Site Scripting XSS


ACCESS TO EXECUTE JAVASCRIPT

cookies, user files, installation of Trojan horse programs, redirecting the user to some other page, modifying the presentation of content...

Page 39: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

What can I do to prevent XSS attacks?


Page 41: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

OWASP Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

7 RULES TO PREVENT XSS

“Many organizations may find that allowing only Rule #1 and Rule #2 are sufficient for their needs.”

Page 42: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content

    <body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
    <div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
    any other normal HTML elements

    &  -->  &amp;
    <  -->  &lt;
    >  -->  &gt;
    "  -->  &quot;
    '  -->  &#x27;

Page 43: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

    <div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>     inside UNquoted attribute
    <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>   inside single quoted attribute
    <div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>   inside double quoted attribute
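Rule #1 and Rule #2 as two small PHP helpers, added here as an example (not the slides' or the cheat sheet's own code): escapeForHtmlContent() applies exactly the five replacements the slide lists, and escapeForHtmlAttribute() applies the cheat sheet's stricter &#xHH; encoding of every non-alphanumeric ASCII character, which is what keeps untrusted data inert even in an unquoted attribute. The function names and the sample movie titles are constructed; the last lines contrast this with strip_tags() from Example 1.

```php
<?php
// Added example, not from the slides.

// Rule #1: the five replacements listed on the slide, applied in one pass
// (strtr never re-scans its own output, so '&' is not double-escaped).
function escapeForHtmlContent(string $untrusted): string {
    return strtr($untrusted, [
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#x27;',
    ]);
}

// Rule #2: every ASCII byte that is not [A-Za-z0-9] becomes &#xHH;, so no
// character can close a quote, end the tag or start a new attribute.
// Bytes >= 0x80 (UTF-8 multibyte sequences) are left untouched.
function escapeForHtmlAttribute(string $untrusted): string {
    return preg_replace_callback(
        '/[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\x7F]/',
        fn(array $m): string => sprintf('&#x%02X;', ord($m[0])),
        $untrusted
    );
}

// Constructed sample: a movie title as a user might submit it to the
// "add a movie" form of Example 1, containing every character Rule #1 covers.
$title = 'Tom & Jerry <"The Movie"> \'98';

// Rule #1 context: untrusted data as element content.
echo '<li>' . escapeForHtmlContent($title) . "</li>\n";

// Rule #2 context: the same data inside an unquoted attribute.
echo '<div title=' . escapeForHtmlAttribute($title) . ">...</div>\n";

// Contrast with strip_tags(), the function used in Example 1: it removes the
// <b> tags but keeps the text between them and leaves & and the quotes as
// they are. It is an input filter, not an output-encoding function, so the
// escaping above is still needed wherever the stored title is displayed.
$tagged = 'A <b>bold</b> & "quoted" title';   // constructed sample
echo strip_tags($tagged) . "\n";
```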

Page 44: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #1-5 - Escape Before Inserting Untrusted Data into HTML

Page 45: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #1-5 - Escape Before Inserting Untrusted Data into HTML

HOW CAN I ESCAPE UNTRUSTED DATA?

Page 46: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #1-5 - Escape Before Inserting Untrusted Data into HTML

https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet

Page 48: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #6 - Sanitize HTML Markup with a Library Designed for the Job

● HtmlSanitizer - https://github.com/mganss/HtmlSanitizer
● OWASP AntiSamy - https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
● PHP Html Purifier - http://htmlpurifier.org/
● JavaScript/Node.JS Bleach - https://github.com/ecto/bleach
● Python Bleach - https://pypi.python.org/pypi/bleach

Page 49: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #6 - Sanitize HTML Markup with a Library Designed for the Job

HtmlSanitizer - https://github.com/mganss/HtmlSanitizer
An open-source .NET library. The HTML is cleaned with a whitelist approach.

Page 50: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet

RULE #7 - Prevent DOM-based XSS

Testing Tools and Techniques

● The DOMinator Tool - A commercial tool based on the Firefox browser with modified Spidermonkey Javascript engine that helps testers identify and verify DOM based XSS flaws https://dominator.mindedsecurity.com/

● The DOM XSS Wiki - The start of a Knowledgebase for defining sources of attacker controlled inputs and sinks which could potentially introduce DOM Based XSS issues. http://code.google.com/p/domxsswiki/

● DOM Snitch - An experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. From Google. http://code.google.com/p/domsnitch/

Defense Techniques
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

Page 51: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet: SUMMARY

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations

RULE #1 - #5: ESCAPE UNTRUSTED DATA

RULE #6 - Sanitize HTML Markup with a Library Designed for the Job

RULE #7 - Prevent DOM-based XSS

Page 52: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet: BONUS RULES

4 BONUS RULES

Bonus Rule #1: Use HTTPOnly cookie flag

Bonus Rule #2: Implement Content Security Policy

Bonus Rule #3: Use an Auto-Escaping Template System

Bonus Rule #4: Use the X-XSS-Protection Response Header

Page 53: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet: BONUS RULES

Bonus Rule #1: Use HTTPOnly cookie flag

To help mitigate the impact of an XSS flaw on your site, OWASP also recommends you set the HTTPOnly flag on your session cookie and on any custom cookies you have that are not accessed by any JavaScript you wrote.

[Code screenshots on the slide: setting the flag in PHP, Java and Python]

Page 54: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet: BONUS RULES

Bonus Rule #2: Implement Content Security Policy

No inline script is executed unless it is declared in the CSP whitelist.

Whitelists "safe" script hosts.

Directives: default-src, script-src, style-src, img-src, frame-src

OWASP PAGE: https://www.owasp.org/index.php/Content_Security_Policy
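Bonus Rule #1 and Bonus Rule #2 as they would be sent from a PHP page, added here as an example (not the slides' own code): the policy is built from the five directives the slide lists, the one inline script the page needs is declared through a per-request nonce, and the session cookie gets the HttpOnly flag. The host names (cdn.example.com), the function name buildCsp and the initPage() call are placeholders; it assumes PHP 7.3 or later for the cookie options array, and must run before any output is sent.

```php
<?php
// Added example, not from the slides.

// Bonus Rule #2: build the policy from the directives listed on the slide.
// Only the whitelisted origins may be loaded; an inline <script> is refused
// unless it carries the nonce generated for this request.
function buildCsp(string $nonce): string {
    $policy = [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", "'nonce-$nonce'", 'https://cdn.example.com'], // placeholder host
        'style-src'   => ["'self'", 'https://cdn.example.com'],
        'img-src'     => ["'self'", 'data:'],
        'frame-src'   => ["'none'"],
    ];
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// A fresh, unguessable nonce per response; reusing one would let an injected
// script copy it.
$nonce = base64_encode(random_bytes(16));
header('Content-Security-Policy: ' . buildCsp($nonce));

// Bonus Rule #1: the session cookie is never readable from JavaScript
// (httponly), is only sent over HTTPS (secure) and is not attached to
// cross-site requests (samesite).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// The page's own inline script is declared by its nonce; any script injected
// into the page content has no valid nonce and is not executed by the browser.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">initPage();</script>';
```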

Page 55: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet: BONUS RULES

Bonus Rule #3: Use an Auto-Escaping Template System

Many web application frameworks provide automatic contextual escaping functionality, such as AngularJS strict contextual escaping.

Page 56: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

owasp Prevention Cheat Sheet: BONUS RULES

Bonus Rule #4: Use the X-XSS-Protection Response Header

This HTTP response header enables the cross-site scripting (XSS) filter built into some modern web browsers.

It re-enables the filter for this site if the user has disabled the option.

Page 57: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

I finished my website. How can I test it?


Page 59: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Vulnerability test

OWASP testing guide: https://www.owasp.org/index.php/Testing_for_Cross_site_scripting

Tools

● OWASP CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
"CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more."
It's hosted at: http://sec101.sourceforge.net/CAL9000/

● PHP Charset Encoder (PCE) - http://yehg.net/encoding
● Hackvertor (HVR) - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php

Page 60: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

Does this attack exist?

Page 61: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

According to the Web Hacking Incident Database, 11.3% of web attacks utilize XSS. (2014)

Page 62: Web Security - OWASP - SQL injection & Cross Site Scripting XSS

I understand nothing. Questions?