By Sean Rose and Erik Hazzard. SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.


1 By Sean Rose and Erik Hazzard

2 SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain unauthorized access to database information.

3
• SQL is a programming language used for accessing and managing information that is stored in a database.
• Web applications send SQL commands in the form of strings to the database.

4
• When using SQL injection, a user attempts to manipulate the command string sent to the database by the web application to gain unauthorized access.
• It has been used many times by malicious users to gain access to private information.

5
• A website may have the following code:
  ◦ statement = "SELECT * FROM users WHERE name = '" + userName + "';"
• A malicious user may enter the following string into the web form that assigns the variable userName:
  ◦ hax' or 'this'='this

6
• This will result in the following code:
  ◦ SELECT * FROM users WHERE name = 'hax' OR 'this'='this';
• Because 'this'='this' is always true, the command will force the selection of a valid user name when sent to the database.

7
• First, allow only good input, such as letters, numbers, and –
• Then, disallow all known bad input such as "--", "select", "insert", "update", and "drop", which have special meanings within SQL.
• If a string input by the user does not meet the requirement, reject it. Do not attempt to create an acceptable input from bad input.

8
• However, such preventions should be handled by the web server instead of locally by the user's system.
• Failing to do so can result in the user simply removing the prevention code and then proceeding to input whatever they want into the form.
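Slides 5 through 8 as an added Python example (not part of the original presentation): the concatenated statement from slide 5, then the server-side allow-list and deny-list check from slides 7 and 8 that rejects instead of repairing. The in-memory SQLite database, the table columns, the function names and the 32-character limit are assumptions for illustration; the last function goes beyond the slides and shows the same lookup with the input bound as a parameter.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the table layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test")])
    return db

def lookup_concatenated(db, user_name):
    # Slide 5's pattern: the input becomes part of the SQL text itself.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(statement).fetchall()

# Slide 7: letters, numbers and "-" only (the length limit is an assumption).
ALLOWED = re.compile(r"[A-Za-z0-9-]{1,32}")
DENIED = ("--", "select", "insert", "update", "drop")

def validate(user_name):
    # Allow-list first, then deny-list. Bad input is rejected, never repaired.
    if not ALLOWED.fullmatch(user_name):
        raise ValueError("rejected: characters outside the allow-list")
    lowered = user_name.lower()
    if any(bad in lowered for bad in DENIED):
        raise ValueError("rejected: contains a denied token")
    return user_name

def lookup_validated(db, user_name):
    # Slide 8: the check runs on the server, before the statement is built.
    return lookup_concatenated(db, validate(user_name))

def lookup_parameterized(db, user_name):
    # Beyond the slides: the driver binds the input as data, so quotes in it
    # cannot change the structure of the statement.
    return db.execute("SELECT * FROM users WHERE name = ?",
                      (user_name,)).fetchall()
```
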

9 On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site for 'routine maintenance' after being informed that 10,597 social security numbers from sex offenders had been downloaded by SQL injection.

10 Cross Site Scripting (XSS)
• What
  ◦ Attacks primarily in websites that compromise the 'same-origin' policy of client-side scripting languages
• Why
  ◦ Why not?
• 3 Types of XSS attacks

11 Why is XSS an issue
• Popular
  ◦ Even more popular than buffer overflow attacks
  ◦ Has affected Google, Facebook, and TJMaxx
• Easy
  ◦ Many websites are unprotected and remain as such, developers tend to be lazy
  ◦ Only basic knowledge is required to perform attacks
• Ramifications
  ◦ Identity theft

12 Types of XSS Attacks
• Type 0 – DOM Based
  ◦ Local Attacks
• Type 1 – Non-Persistent
  ◦ Occur when server side pages are generated from client side input
  ◦ Most popular attacks
• Type 2 – Persistent
  ◦ Malicious data (e.g. JavaScript) stored on web server
  ◦ Most potentially harmful attacks
  ◦ Focus of this presentation

13 Persistent (Type 2) Attacks
• Server stores client input
  ◦ Server trusting client input (BAD)
• Occurs when
  ◦ 1. User enters data to a web application
  ◦ 2. Data is stored persistently on the web server
  ◦ 3. The data is displayed to a user
• Example
  ◦ Forums
  ◦ Craigslist

14 Persistent (Type 2) Attacks
• Step 1. Steal cookies
  ◦ Malicious JavaScript is stored on a server then executed when a client views a web page, stealing the client's cookie
• Step 2....
  ◦ The bad guy finds out the user's session information from the cookie
• Step 3. Profit
  ◦ Using the stolen session information, the hacker can masquerade as the user, accessing everything the user could – e.g. Stored Credit Card info

15 Protection
• Avoiding XSS
  ◦ Protecting yourself is difficult. Disabling JavaScript is not always the best option
  ◦ Be paranoid
• XSS is largely a server side problem
• Responsibility Lies with Developer
  ◦ When developing an application
  ◦ 1. Don't trust user input
  ◦ 2. Filter user input
  ◦ 3. Don't trust the filtered input

16 Questions

