Protecting Your Web Site From SQL Injection & XSS

    Protecting Your Web Site From SQL Injection & XSS - Presentation Transcript

    1. Protecting Your Web Site From SQL Injection & XSS
       This year, over 500,000 web pages were defaced by a malicious SQL Injection…
       Chris Kenworthy, </dream.in.code>®, August 27, 2008
    2. SQL Injections
    3. What is SQL?
       - Structured Query Language
       - Used to retrieve and manage data in relational databases
       - Chances are your organization is using SQL
       - Example: SELECT firstName, lastName FROM users WHERE userID = 'chris';
    4. What is a SQL Injection?
       - A common security vulnerability
       - Occurs when unfiltered input is executed as part of a query
       - Easily prevented
       - Example of the vulnerability: http://www.example.com/login.php?UserID=chris
         SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "'
    5. Example of an Attack
       - Original query: SELECT firstName, lastName FROM users WHERE userID = '" + $UserID + "';
       - Set $UserID to: nobody' OR 'a' = 'a
       - Result: SELECT firstName, lastName FROM users WHERE userID = 'nobody' OR 'a' = 'a';
    6. The Impact
       - The WHERE clause is always true, so the query returns every user
       - Attacker authenticates as the first user in the database
       - Possible impacts:
         - False authentication
         - Permissions escalation
         - Information disclosure
         - Identity theft
         - More…
    7. Example of an Attack
       - Original query: SELECT firstName, lastName FROM users WHERE userID='" + $UserID + "';
       - Set $UserID to: x'; DROP TABLE users; --
       - Result: SELECT firstName, lastName FROM users WHERE userID='x'; DROP TABLE users;--';
    8. The Impact
       - Attacker deletes the entire users table!
       - Possible impacts:
         - Loss of data
         - Data manipulation
         - Data insertion
         - Virus/malware distribution
         - Total database destruction
         - More…
    9. Preventing SQL Injection
       - Sanitize the input
       - Enforce data types (e.g. numeric, string)
       - Use parameterized statements
       - Use stored procedures
       - Limit database permissions
       - Install an application firewall (my favorite)
         - Apache: mod_security (with Core Rules)
         - IIS: URLScan 3.0 (Beta)
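The following is an added example, not code from the slides: it runs the concatenated query of slides 4 and 5 next to the parameterized statement slide 9 recommends, against a small in-memory SQLite table constructed here (the user rows, the `validate_user_id` allowlist pattern and the function names are all assumptions for the demonstration). It shows that the slide-5 input returns every row from the vulnerable version and no rows from the parameterized one.

```python
# Added example (not from the original slides): string-built query vs.
# parameterized query, run against a constructed in-memory SQLite table.
import re
import sqlite3

# Constructed sample data: a tiny users table for the demonstration.
SAMPLE_USERS = [
    ("alice", "Alice", "Anderson"),
    ("chris", "Chris", "Kenworthy"),
    ("dave", "Dave", "Dawson"),
]

# Hypothetical allowlist for the "enforce data types" / "sanitize" advice:
# a userID here is 1-32 letters, digits or underscores.
USER_ID_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID TEXT PRIMARY KEY, firstName TEXT, lastName TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The pattern from slide 4: the request value is pasted into the SQL text.
    Deliberately left vulnerable so the slide-5 input can be observed."""
    sql = "SELECT firstName, lastName FROM users WHERE userID = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Parameterized statement (slide 9): the value travels separately from
    the SQL text, so quotes and keywords inside it are never parsed as SQL."""
    sql = "SELECT firstName, lastName FROM users WHERE userID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def validate_user_id(user_id):
    """Defense in depth: reject anything that is not a well-formed userID
    before it reaches the database at all."""
    return USER_ID_PATTERN.match(user_id) is not None


if __name__ == "__main__":
    db = make_db()
    attack = "nobody' OR 'a' = 'a"  # the input from slide 5
    print("vulnerable:", vulnerable_lookup(db, attack))  # every row comes back
    print("parameterized:", safe_lookup(db, attack))     # no row matches
    print("allowlisted:", validate_user_id(attack))      # False
```

The stacked-query case from slide 7 (`x'; DROP TABLE users; --`) depends on the database driver accepting more than one statement per call; the parameterized `safe_lookup` removes that possibility as well, because the whole value is bound as one string literal.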
    10. Cross Site Scripting
    11. What is XSS?
       - XSS (Cross Site Scripting)
       - Allows execution of arbitrary code in the visitor's browser
       - Often involves tricking the end user
       - Over 70% of web sites may be vulnerable
       - Example: <<SCRIPT>alert("XSS");//<</SCRIPT>
    12. How Does XSS Work?
       - Scenario 1: You get an email with a URL that looks like this:
         http://www.domain.com/index.php?userid=%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%7
         You click it and the web page outputs the userid variable, resulting in this:
    13. How Does XSS Work?
       - Scenario 2: There is a comment form on a web page. You paste this string into the form:
         <<SCRIPT>alert("XSS");//<</SCRIPT>
         Now every user that visits that page will see this:
    14. Why Does It Work?
       - Inputs are displayed as HTML instead of character entities
       - Cookies are not secured
       - Sessions can be hijacked
    15. The Impact of XSS
       - Identity theft
       - Malware
       - Session hijacking
       - User impersonation
       - Redirection
       - Misinformation
    16. Preventing XSS Attacks
       - Convert all inputs to HTML character entities before outputting them to the screen
       - Secure cookies using the HttpOnly attribute
       - Associate sessions with IP addresses
       - Install an application firewall (again, my favorite)
       - Educate users!
         - Don't click links in emails you don't recognize
         - Don't fill out forms from links in emails
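The following is an added example, not code from the slides: it takes the payload from slides 11 and 13, decodes it from a constructed link in the style of slide 12, and renders it both the way slide 14 describes (raw HTML) and the way slide 16 recommends (every input converted to character entities before output). It also builds a session cookie header carrying the HttpOnly attribute. The link, the `<p>Hello, …</p>` template, the cookie name and the function names are assumptions made for this demonstration.

```python
# Added example (not from the original slides): reflected and stored XSS
# inputs rendered unsafely vs. entity-encoded, plus an HttpOnly cookie header.
import html
from urllib.parse import parse_qs, urlsplit

# The payload shown on slides 11 and 13.
PAYLOAD = '<<SCRIPT>alert("XSS");//<</SCRIPT>'

# Constructed link in the style of slide 12; the userid value is PAYLOAD,
# percent-encoded, so the server decodes it back to the script tag.
SAMPLE_LINK = (
    "http://www.domain.com/index.php?userid="
    "%3C%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%2F%2F%3C%3C%2FSCRIPT%3E"
)


def userid_from_link(url):
    """What the application sees after the query string is decoded."""
    return parse_qs(urlsplit(url).query).get("userid", [""])[0]


def render_unsafe(value):
    """Slide 14: the input is written into the page as HTML, so the browser
    treats the script tag as markup and executes it."""
    return "<p>Hello, " + value + "</p>"


def render_safe(value):
    """Slide 16: <, >, & and quotes become character entities before output,
    so the browser displays the text instead of executing it."""
    return "<p>Hello, " + html.escape(value, quote=True) + "</p>"


def contains_live_script(page):
    """Output check a reviewer or test can run: does an unescaped script tag
    survive in the rendered page?"""
    return "<script" in page.lower()


def session_cookie_header(session_id):
    """Slide 16: HttpOnly stops script (including injected script) from
    reading the session cookie through document.cookie."""
    return "Set-Cookie: session=" + session_id + "; HttpOnly; Path=/"


if __name__ == "__main__":
    value = userid_from_link(SAMPLE_LINK)   # scenario 1: value from the link
    print("unsafe :", render_unsafe(value))  # script tag reaches the browser
    print("safe   :", render_safe(value))    # shown as text, not executed
    print("comment:", render_safe(PAYLOAD))  # scenario 2: same fix for stored input
    print(session_cookie_header("constructed-session-id"))
```

Escaping at the point of output, rather than when the input is stored, is what makes scenario 2 safe as well: whatever was pasted into the comment form is turned into entities each time the page is rendered.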
    17. Resources
       - Scrawlr – find SQL injection vulnerabilities in your site
       - mod_security – web application firewall (Apache)
       - URLScan – web application firewall (IIS)
       - XSS examples
    18. Closing Thoughts
       - If you have a web site, you will be attacked
       - Don't trust developers to secure their code
       - Use an application firewall if possible
       - Be proactive
    19. Questions?
       Comic from XKCD: http://xkcd.com/327/
    © All Rights Reserved