Protecting Your Web Site From SQL Injection & XSS

The UNM Information Architects and the UNM Arts LAB invite you to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday, the 27th of August.
Chris will be discussing SQL Injection and Cross Site Scripting vulnerabilities.

These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them.

Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.


  1. Protecting Your Web Site From SQL Injection & XSS
     This year, over 500,000 web pages were defaced by a malicious SQL Injection… Chris Kenworthy, </dream.in.code>®, August 27, 2008
  2. SQL Injections
  3. What is SQL?
     - Structured Query Language
     - Used to retrieve and manage data in relational databases
     - Chances are your organization is using SQL
     - Example: SELECT firstName, lastName FROM users WHERE userID = 'chris';
  4. What is a SQL Injection?
     - A common security vulnerability
     - Occurs when unfiltered input is executed as part of a query
     - Easily prevented
     - Example of vulnerability: http://www.example.com/login.php?UserID=chris
       SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "'
  5. Example of an Attack
     - Original query: SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "';
     - Set $UserID to: nobody' OR 'a' = 'a
     - Result: SELECT firstName, lastName FROM users WHERE userID = 'nobody' OR 'a' = 'a';
  6. The Impact
     - The WHERE clause always evaluates to true
     - Attacker authenticates as the first user in the database
     - Possible impacts:
       - False authentication
       - Permissions escalation
       - Information disclosure
       - Identity theft
       - More…
  7. Example of an Attack
     - Original query: SELECT firstName, lastName FROM users WHERE userID='" + $UserID + "';
     - Set $UserID to: x'; DROP TABLE users; --
     - Result: SELECT firstName, lastName FROM users WHERE userID='x'; DROP TABLE users;--';
  8. The Impact
     - Attacker deletes the entire users table!
     - Possible impacts:
       - Loss of data
       - Data manipulation
       - Data insertion
       - Virus/malware distribution
       - Total database destruction
       - More…
  9. Preventing SQL Injection
     - Sanitize the input
     - Enforce data types (numeric, string, etc.)
     - Use parameterized statements
     - Use stored procedures
     - Limit permissions
     - Install an application firewall (my favorite)
       - Apache: mod_security (with Core Rules)
       - IIS: URLScan 3.0 (Beta)
  10. Cross Site Scripting
  11. What is XSS?
     - XSS (Cross Site Scripting)
     - Allows execution of arbitrary code
     - Often involves tricking the end user
     - Over 70% of web sites may be vulnerable
     - Example: <<SCRIPT>alert("XSS");//<</SCRIPT>
  12. How Does XSS Work?
     - Scenario 1:
       - You get an email with a URL that looks like this: http://www.domain.com/index.php?userid=%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%7
       - You click it and the web page outputs the userid variable, resulting in this:
  13. How Does XSS Work?
     - Scenario 2:
       - There is a comment form on a web page. You paste this string into the form: <<SCRIPT>alert("XSS");//<</SCRIPT>
       - Now every user that visits that page will see this:
  14. Why Does It Work?
     - Inputs are displayed as HTML instead of character entities:
     - Cookies are not secured
     - Sessions can be hijacked
  15. The Impact of XSS
     - Identity theft
     - Malware
     - Session hijacking
     - User impersonation
     - Redirection
     - Misinformation
  16. Preventing XSS Attacks
     - Convert all inputs to HTML character entities before outputting to the screen
     - Secure cookies using the httpOnly attribute
     - Associate sessions with IP addresses
     - Install an application firewall (again, my favorite)
     - Educate users!
       - Don't click links in emails you don't recognize
       - Don't fill out forms from links in emails
  17. Resources
     - Scrawlr – Find SQL injection vulnerabilities in your site
     - Mod_security – Web application firewall (Apache)
     - URLScan – Web application firewall (IIS)
     - XSS Examples
  18. Closing Thoughts
     - If you have a web site, you will be attacked
     - Don't trust developers to secure their code
     - Use an application firewall if possible
     - Be proactive
  19. Questions? Comic from XKCD: http://xkcd.com/327/
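As an added example (not code from the talk), the slides' string-concatenated query from slide 5 beside the parameterized form recommended on slide 9, plus the HTML-character-entity encoding from slide 16, written in Python against an in-memory SQLite table; the table contents and the render_comment helper are constructed here, not taken from the presentation.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table; the rows are illustrative, not from the talk.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userID TEXT, firstName TEXT, lastName TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice", "Adams"), ("chris", "Chris", "Kenworthy")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    # Slide 4/5 pattern: the raw input becomes part of the SQL text, so a quote
    # inside it closes the literal and the rest is parsed as SQL.
    sql = "SELECT firstName, lastName FROM users WHERE userID = '" + user_id + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    # Slide 9 fix: the value is passed separately from the SQL text, so quotes
    # inside it are data, never syntax.
    sql = "SELECT firstName, lastName FROM users WHERE userID = ?"
    return con.execute(sql, (user_id,)).fetchall()


def render_comment(text: str) -> str:
    # Slide 16 fix: convert input to HTML character entities before output, so
    # '<', '>', '&' and quotes are shown as text rather than parsed as markup.
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    con = make_db()
    payload = "nobody' OR 'a' = 'a"            # the input from slide 5
    print(lookup_vulnerable(con, payload))     # both rows: the WHERE clause is always true
    print(lookup_parameterized(con, payload))  # []: no user has that literal userID
    print(render_comment('<SCRIPT>alert("XSS");</SCRIPT>'))
```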
