SQL Injection & Cross Site Scripting, by Stefano Santomauro

The two most widespread vulnerabilities on the web. Why are they so underestimated? Are they really that dangerous? Can they be countered effectively? We simulate some attacks and analyse their potential and the possible solutions.

Published in: Technology
1. SQL Injection & Cross Site Scripting
Stefano Santomauro
sfn.santomauro@gmail.com

2. Who I am
• Hacker? Not at all
• Security engineer? I don't know what that is
• Enthusiast? Maybe
• Expert? I wish!
• ???

3. Why this talk
• Do we know what to protect ourselves from?
• Do we know how to defend ourselves?
• Why defend ourselves?
• How much does it cost?
• …

4. The most widespread vulnerabilities on the WEB
OWASP Top Ten Project
• A1: Injection (SQLi and XPATHi)
• A2: Cross Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

5. SQL Injection: what it is
«A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application»
Source: OWASP, https://www.owasp.org/index.php/SQL_Injection

6. SQL Injection: how (1/2)
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // Vulnerable: the raw request parameters are pasted into the query text.
    // The single quotes around the values are the ones the executed query on the
    // next slide shows; the slide's listing dropped them.
    String sql = "select * from users where username = '" + username
               + "' and password = md5('" + password + "')";

7. SQL Injection: how (2/2)
Query with the expected input:
    select * from users where username = 'tiziousr' and password = md5('tiziopwd')
Query with the username xxx' or 1=1 --:
    select * from users where username = 'xxx' or 1=1 --' and password = md5('tiziopwd')
The -- sequence starts a MySQL comment, so everything after it is ignored. SQL actually executed:
    select * from users where username = 'xxx' or 1=1
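The bypass on this slide, reproduced end to end as an added example (Python, not code from the talk or its demo project): an in-memory SQLite database registers an md5() function so the slide's query runs unchanged, the login is first built by string concatenation the way the servlet does it, and then again with a parameterized query, which in Java is a PreparedStatement with ? placeholders. The users table, the account tiziousr/tiziopwd and the use of SQLite instead of MySQL are constructed for the example; MD5 is used only because the slide uses it, not as a recommended password hash.

```python
import hashlib
import sqlite3


def md5hex(text):
    """Hex MD5 of a string; stands in for MySQL's md5() so the slide's SQL runs as written."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory database with the slide's users table and one account."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5hex)  # SQLite has no md5(); register one
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values (?, ?)", ("tiziousr", md5hex("tiziopwd")))
    conn.commit()
    return conn


def concat_sql(username, password):
    """The servlet's query: user input pasted straight into the SQL text."""
    return ("select * from users where username = '" + username
            + "' and password = md5('" + password + "')")


def login_concat(conn, username, password):
    """Vulnerable login: whatever the user typed becomes part of the statement."""
    return conn.execute(concat_sql(username, password)).fetchall()


def login_param(conn, username, password):
    """Fixed login: placeholders keep the input as data, so quotes and -- are inert."""
    sql = "select * from users where username = ? and password = md5(?)"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "xxx' or 1=1 --"  # the username from the slide
    print(concat_sql(payload, "wrongpwd"))
    print("concatenated:  ", login_concat(db, payload, "wrongpwd"))  # one row: logged in without the password
    print("parameterized: ", login_param(db, payload, "wrongpwd"))   # no row: the text is just a username
```

With the concatenated query the wrong password does not matter, because the comment removes the password check; with the parameterized query the same text is compared literally against the username column and matches nothing.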
8. SQL Injection: impact
«A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system»
Source: OWASP, https://www.owasp.org/index.php/SQL_Injection

9. Cross Site Scripting: what it is
«XSS attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user»
Source: OWASP, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

10. Cross Site Scripting: how
JSP input:
    <input type="text" name="username"/>
Servlet:
    String username = request.getParameter("username");
    request.setAttribute("username", username);
JSP output:
    <span><%=request.getAttribute("username")%></span>
HTML output:
    <span><script>alert(123)</script></span>
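The same echo, as an added example in Python (not the talk's JSP code): the stored username is written into the span once unchanged, as the <%= … %> scriptlet on the slide does, and once HTML-escaped, so the browser shows the text instead of running it. A third function covers the attribute context of the input field re-filled with the previous value, where the double quote has to be escaped as well. The functions and the sample inputs are constructed for the example; in JSP the escaped version corresponds to JSTL's <c:out value="${username}"/>, which escapes XML characters by default.

```python
import html


def render_raw(username):
    """Vulnerable: the value is written into the page unchanged, like the
    <%= request.getAttribute("username") %> scriptlet on the slide."""
    return "<span>" + username + "</span>"


def render_escaped(username):
    """Fixed for element content: <, >, & and quotes become entities, so the
    browser displays the text instead of parsing it as markup."""
    return "<span>" + html.escape(username, quote=True) + "</span>"


def render_input_escaped(username):
    """Attribute context (the form field re-filled with the previous value): the
    double quote must be escaped too, or it would end the value attribute early."""
    return ('<input type="text" name="username" value="'
            + html.escape(username, quote=True) + '"/>')


if __name__ == "__main__":
    payload = "<script>alert(123)</script>"  # the input from the slide
    print(render_raw(payload))               # script element reaches the browser
    print(render_escaped(payload))           # shown as literal text
    print(render_input_escaped('a"b'))       # quote escaped inside the attribute
```

Escaping is applied at output time and per context: the same string needs different treatment in element content, in an attribute value and inside a script block, which is why escaping on input is not a substitute.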
11. Cross Site Scripting: impact
«[…] the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page»
Source: OWASP, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

12. DEMONSTRATION…

13. The demonstration continues… at home
Now it is your turn to carry out an XSS attack. Download the project from the link in the References and, after following the instructions, try to find your own variants!

14. Conclusions (1/4)
Ours was only a simple "simulation" of a real case…

15. Conclusions (2/4)
…but if you don't want to believe me, I hope you believe this…

16. Conclusions (3/4)

17. Conclusions (4/4)

18. References
• OWASP (https://www.owasp.org/index.php/Main_Page)
• md5decrypter (http://www.md5decrypter.co.uk)
• News of the attack on SONY (http://www.itwire.com/business-it-news/security/47605-sony-falls-victim-to-another-simple-sql-injection-atta)
• News of the attack on Skype (https://superevr.com/blog/2011/xss-in-skype-for-ios/)
• OWASP WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)
• DOWNLOAD demo project (http://www.divshare.com/download/17108200-6e1)
