Presentation on theme: "Cross Site Scripting & SQL injection Hakan Tolgay 15.01.2015."— Presentation transcript:
Cross Site Scripting & SQL injection Hakan Tolgay
Input/Output handling – What's the problem? The typical problem in web applications is the mixing of data and malicious code. Input fields of a web application can be exploited by attackers unless the required checks are made. Input fields should not be seen as simple text boxes.
XSS – Introduction The target of an XSS attack is other users. Number 3 on the OWASP Top 10 security risk list (the OWASP Top 10 is available in the training materials). Thus, basically, Cross Site Scripting is when attackers use vulnerabilities in your web application to distribute malicious scripts to other users (which then run in those users' web browsers).
Types of XSS
Reflected XSS: link in another website or
Stored XSS: forum, bulletin board, feedback form
DOM Based XSS: PDF (Adobe Reader), Flash player
Reflected XSS – DEMO
Stored XSS – DEMO
XSS - Defense What can be done?
Defense - Blacklisting approach A blacklist lists the items that should not be present. It is fast to set up, but can be bypassed more easily by a skilled attacker. Do not use "blacklist" validation to detect XSS in input or to encode output. Searching for and replacing just a few characters ("<", ">" and other similar characters, or phrases such as "script") is weak and has been attacked successfully. Even an unchecked "<b>" tag is unsafe in some contexts. XSS has a surprising number of variants that make it easy to bypass blacklist validation.
Defense - Whitelisting approach A whitelist lists the items that are allowed. Whitelisting allows for a much stronger security solution than blacklisting, but comes with a steep learning curve. Once mastered, though, whitelisting is very effective at stopping XSS attacks.
Defense - Encoding/Decoding Encoding variable output substitutes HTML markup with alternate representations called entities. By using double encoding it is possible to bypass security filters that only decode user input once.
Defense - Encoding/Decoding - Example: <script>alert('XSS')</script> A web application can have a character filter which prohibits characters such as "<", ">" and "/", since they are used to perform web application attacks. The attacker could use a double encoding technique to bypass the filter and exploit the client's session. The encoding process for this JavaScript is: "<" is URL-encoded as %3C, ">" as %3E and "/" as %2F; encoding the "%" of each of those once more ("%" becomes %25) gives %253C, %253E and %252F. A filter that decodes the input only once sees %3Cscript%3E, which contains none of the prohibited characters. Finally, the malicious double-encoded code is: %253Cscript%253Ealert('XSS')%253C%252Fscript%253E
Defense The first rule of the OWASP XSS Prevention Cheat Sheet: Never Insert Untrusted Data Except in Allowed Locations. Check https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
What is SQL Structured Query Language: a language designed for managing data held in databases. Examples:
SELECT * FROM usersTable WHERE uname = 'hakan'
SELECT isbn, title, price FROM Book WHERE price > ORDER BY title;
What is SQL – more example
SELECT Name, Surname FROM Customer WHERE Age > 30;
Customer table:
Name   Surname  Age  Sex
Lisa   Becker   37   F
Erwin  Visser   31   M
Lara   Martini  24   F
Alan   Newman   29   M
Result Set (rows with Age > 30):
Name   Surname
Lisa   Becker
Erwin  Visser
SQL Injection Sending parameters directly from the application to the database server can cause unauthorized queries. Number 1 on the OWASP Top 10 security risk list.
SQL Injection
Query built by string concatenation: statement = "SELECT * FROM users WHERE name ='" + userName + "';"
Attacker supplies as userName: ' or '1'='1
Resulting query sent to the database: SELECT * FROM users WHERE name = '' OR '1'='1';
SQL Injection – DEMO
SQL Injection – Blind injection
SQL Injection – Defense
Use parameterized queries
For Java use PreparedStatement
For C# use Parameters.Add
Check the OWASP SQL injection cheat sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
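As an added example (not from the slides), the concatenated query from the SQL Injection slide beside its parameterized form, run with Python's sqlite3 module against a constructed in-memory users table; the user names and e-mail addresses are made up.

```python
import sqlite3

# Constructed sample data standing in for the application's users table
# (not from the original presentation).
SAMPLE_USERS = [("hakan", "hakan@example.invalid"),
                ("lisa", "lisa@example.invalid"),
                ("erwin", "erwin@example.invalid")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, user_name):
    # The slide's pattern: input is concatenated into the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    statement = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]


def find_user_parameterized(conn, user_name):
    # Parameterized query: the driver binds the value to the '?' placeholder,
    # so the input is always a string value and never becomes SQL syntax.
    statement = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(statement, (user_name,))]


def demo():
    """Run both lookups with a normal name and with the slide's payload."""
    conn = make_db()
    payload = "' or '1'='1"  # the attacker input shown on the slide
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "hakan"),
        "vulnerable_payload": find_user_vulnerable(conn, payload),
        "parameterized_normal": find_user_parameterized(conn, "hakan"),
        "parameterized_payload": find_user_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query returns every row of the table, while the parameterized query looks for a user literally named `' or '1'='1` and returns nothing.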