Injection Attacks by Example: SQL Injection and XSS
Adam Forsythe, Thomas Hollingsworth
Outline
• OWASP
• Injection:
  ▫ Define
  ▫ Attacks
  ▫ Preventions
• Cross-Site Scripting:
  ▫ Define
  ▫ Attacks
  ▫ Preventions
Open Web Application Security Project (OWASP)
• The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
• OWASP Top 10 Application Security Risks – 2013:
  ▫ #1 Injection
  ▫ #3 Cross-Site Scripting (XSS)
SQL Injection
• SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
• Consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application.
• A successful SQL injection exploit can:
  ▫ Read sensitive data from the database
  ▫ Modify database data (Insert/Update/Delete)
  ▫ Execute administration operations on the database (such as shutting down the DBMS)
  ▫ Recover the content of a given file present on the DBMS file system
  ▫ In some cases, issue commands to the operating system
Attacks
• Injection can result in:
  ▫ Data loss or corruption
  ▫ Lack of accountability or denial of access
• Can lead to complete host takeover
• All data can be stolen, modified, or deleted
Preventions
• Preventing injection requires keeping untrusted data separate from commands and queries.
• Types of Preventions:
  1. Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
  2. Carefully escape special characters using the specific escape syntax for that interpreter.
  3. Positive or “white list” input validation, but this is not a complete defense as many applications require special characters in their input.
Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
• XSS allows attackers to:
  ▫ Execute scripts in the victim’s browser which can hijack user sessions
  ▫ Deface web sites
  ▫ Redirect the user to malicious sites
Attacks
• Attackers can execute scripts in a victim’s browser:
  ▫ To hijack user sessions
  ▫ Deface web sites
  ▫ Insert hostile content
  ▫ Redirect users
  ▫ Hijack the user’s browser using malware
Preventions
• Preventing XSS requires keeping untrusted data separate from active browser content.
• Types of Preventions:
  1. Encoding – Escaping any character a user enters before displaying it
  2. Whitelisting – Only allow certain characters (e.g. A-Z and 0-9) to be entered
  3. Blacklisting – Not allowing a user to enter sequences such as <script> or <and>
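The two preventions the slides put first, a parameterized query interface for SQL and output encoding for XSS, side by side with the string-splicing pattern that causes the injection flaw. This is an added example, not code from the slides or from OWASP; the in-memory users table and the hypothetical lookup_unsafe, lookup_safe and render_comment functions are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # Flawed pattern: untrusted input is spliced into the SQL text, so the
    # database cannot tell where the data ends and the command begins.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Prevention 1 (SQL): a parameterized interface. The driver binds the
    # value separately from the statement, so it is never parsed as SQL.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_comment(text):
    # Prevention 1 (XSS): encode every character with meaning in HTML before
    # placing user data in the page; the browser renders it as plain text.
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that closes the quoted literal in the spliced query.
    probe = "x' OR 'a'='a"
    print(lookup_unsafe(conn, probe))  # every row: the WHERE clause was rewritten
    print(lookup_safe(conn, probe))    # []: no user has that literal name
    print(render_comment("<script>alert(1)</script>"))
```

The same input that returns the whole table through the spliced query matches nothing through the bound parameter, which is the separation of data from command that the slides describe.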
References
• https://www.owasp.org/index.php/Top_10
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• http://www.unixwiz.net/techtips/sql-injection.html
• https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• http://msdn.microsoft.com/en-us/library/a2a4yykt(v=vs.85).aspx