Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
SQL Injection & Cross Site ScriptingStefano Santomaurosfn.santomauro@gmail.com
Chi sono• Hacker? Macché• Security engineer? Non so cosa sia• Appassionato? Forse• Esperto? Magari!• ???                  ...
Perché questo talk•   Sappiamo da cosa proteggerci?•   Conosciamo il modo in cui difenderci?•   Perché difenderci?•   Quan...
Le vulnerabilità più diffuse sul WEBOWASP Top Ten Project•A1 - Injection (SQLi e XPATHi)•A2 - Cross Site Scripting (XSS)•A...
SQL Injection: cos’è«A SQL injection attack consists ofinsertion or "injection" of a SQL query viathe input data from the ...
SQL Injection: come (1/2)String username =request.getParameter("username");String password =request.getParameter("password...
SQL Injection: come (2/2)select * from users where username = ‘tiziousr’and password = md5(‘tiziopwd’)select * from users ...
SQL Injection: potenzialità«A successful SQL injection exploit can read sensitive datafrom the database, modify database d...
Cross Site Scripting: cos’è«XSS attacks are a type of injection problem, in whichmalicious scripts are injected into the o...
Cross Site Scripting: comeJSP input<input type="text" name="username"/>ServletString username = request.getParameter("user...
Cross Site Scripting: potenzialità«[…] the malicious script can access anycookies, session tokens, or other sensitiveinfor...
DIMOSTRAZIONE…                  Stefano Santomauro           sfn.santomauro@gmail.com
La dimostrazione continua… a casaAdesso sta a voi condurre un attacco di tipo XSS.Scaricate il progetto al link chetrovate...
Conclusioni (1/4)La nostra è stata soltanto una semplice   “simulazione” di un caso reale…                                ...
Conclusioni (2/4)…ma se anche non volete credere a me, spero crediate a questo…                                     Stefan...
Conclusioni (3/4)                           Stefano Santomauro                    sfn.santomauro@gmail.com
Conclusioni (4/4)                           Stefano Santomauro                    sfn.santomauro@gmail.com
Riferimenti• OWASP (https://www.owasp.org/index.php/Main_Page)• md5decrypter (http://www.md5decrypter.co.uk)• Notizia dell...
Upcoming SlideShare
Loading in …5
×

SQL Injection & Cross Site Scripting, by Stefano Santomauro

2,910 views

Published on

Le due vulnerabilità più diffuse sul web. Perché vengono così sottovalutate? Sono davvero così pericolose? Si può contrastarle efficacemente? Simuliamo degli attachi analizzandone potenzialità e possibili soluzioni

Published in: Technology

SQL Injection & Cross Site Scripting, by Stefano Santomauro

  1. 1. SQL Injection & Cross Site ScriptingStefano Santomaurosfn.santomauro@gmail.com
  2. 2. Chi sono• Hacker? Macché• Security engineer? Non so cosa sia• Appassionato? Forse• Esperto? Magari!• ??? Stefano Santomauro sfn.santomauro@gmail.com
  3. 3. Perché questo talk• Sappiamo da cosa proteggerci?• Conosciamo il modo in cui difenderci?• Perché difenderci?• Quanto costa?• … Stefano Santomauro sfn.santomauro@gmail.com
  4. 4. Le vulnerabilità più diffuse sul WEBOWASP Top Ten Project•A1 - Injection (SQLi e XPATHi)•A2 - Cross Site Scripting (XSS)•A3: Broken Authentication and Session Management•A4: Insecure Direct Object References•A5: Cross-Site Request Forgery (CSRF)•A6: Security Misconfiguration•A7: Insecure Cryptographic Storage•A8: Failure to Restrict URL Access•A9: Insufficient Transport Layer Protection•A10: Unvalidated Redirects and Forwards Stefano Santomauro sfn.santomauro@gmail.com
  5. 5. SQL Injection: cos’è«A SQL injection attack consists ofinsertion or "injection" of a SQL query viathe input data from the client to theapplication»Fonte OWASPhttps://www.owasp.org/index.php/SQL_Injection Stefano Santomauro sfn.santomauro@gmail.com
  6. 6. SQL Injection: come (1/2)String username =request.getParameter("username");String password =request.getParameter("password");String sql = "select * from users whereusername = " +username+" and password =md5(" +password+")"; Stefano Santomauro sfn.santomauro@gmail.com
  7. 7. SQL Injection: come (2/2)select * from users where username = ‘tiziousr’and password = md5(‘tiziopwd’)select * from users where username =‘xxx’ or 1=1 --’ and password = md5(‘tiziopwd’) Commento MySQLSQL eseguitaselect * from users where username = ‘xxx’ or 1=1 Stefano Santomauro sfn.santomauro@gmail.com
  8. 8. SQL Injection: potenzialità«A successful SQL injection exploit can read sensitive datafrom the database, modify database data(Insert/Update/Delete), execute administration operations onthe database (such as shutdown the DBMS), recover thecontent of a given file present on the DBMS file system andin some cases issue commands to the operating system»Fonte OWASPhttps://www.owasp.org/index.php/SQL_Injection Stefano Santomauro sfn.santomauro@gmail.com
  9. 9. Cross Site Scripting: cos’è«XSS attacks are a type of injection problem, in whichmalicious scripts are injected into the otherwise benignand trusted web sites. XSS attacks occur when anattacker uses a web application to send malicious code,generally in the form of a browser side script, to adifferent end user»Fonte OWASPhttps://www.owasp.org/index.php/Cross-site_Scripting_(XSS) Stefano Santomauro sfn.santomauro@gmail.com
  10. 10. Cross Site Scripting: comeJSP input<input type="text" name="username"/>ServletString username = request.getParameter("username");request.setAttribute("username", username);JSP output<span><%=request.getAttribute("username")%></span>HTML output<span><script>alert(123)</script></span> Stefano Santomauro sfn.santomauro@gmail.com
  11. 11. Cross Site Scripting: potenzialità«[…] the malicious script can access anycookies, session tokens, or other sensitiveinformation retained by your browser and usedwith that site. These scripts can even rewrite thecontent of the HTML page»Fonte OWASPhttps://www.owasp.org/index.php/Cross-site_Scripting_(XSS) Stefano Santomauro sfn.santomauro@gmail.com
  12. 12. DIMOSTRAZIONE… Stefano Santomauro sfn.santomauro@gmail.com
  13. 13. La dimostrazione continua… a casaAdesso sta a voi condurre un attacco di tipo XSS.Scaricate il progetto al link chetrovate nei Riferimenti e, dopoaver seguito le istruzioni, provatea trovare le vostre varianti! Stefano Santomauro sfn.santomauro@gmail.com
  14. 14. Conclusioni (1/4)La nostra è stata soltanto una semplice “simulazione” di un caso reale… Stefano Santomauro sfn.santomauro@gmail.com
  15. 15. Conclusioni (2/4)…ma se anche non volete credere a me, spero crediate a questo… Stefano Santomauro sfn.santomauro@gmail.com
  16. 16. Conclusioni (3/4) Stefano Santomauro sfn.santomauro@gmail.com
  17. 17. Conclusioni (4/4) Stefano Santomauro sfn.santomauro@gmail.com
  18. 18. Riferimenti• OWASP (https://www.owasp.org/index.php/Main_Page)• md5decrypter (http://www.md5decrypter.co.uk)• Notizia dell’attacco alla SONY (http://www.itwire.com/business-it-news/security/47605-sony-falls-victim-to-another-simple-sql-injection-atta)• Notizia dell’attacco a Skype (https://superevr.com/blog/2011/xss-in-skype-for-ios/)• OWASP WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)• DOWNLOAD progetto dimostrativo (http://www.divshare.com/download/17108200-6e1) Stefano Santomauro sfn.santomauro@gmail.com

×