2. Used in web forms; for example, suppose a web page asked a user to enter an employee's last name and then retrieved and displayed information about the employee. If the user typed in the name Smith, the following SQL request would be generated:
SELECT * from EmployeeTable WHERE LastName='Smith'
3. Examples:
◦ SELECT * from EmployeeTable WHERE LastName='Smith' OR 1=1;--
◦ SELECT * from EmployeeTable WHERE LastName='Smith'; drop table EmployeeTable;--
One can even look at, modify, or delete other tables.
Solution: Programs on servers should sanitize data before passing them to the database. Whitelist acceptable characters (e.g., alphanumerics) and scrub any other characters (e.g., quotation marks, semicolons), either by deleting them or by substituting an innocuous replacement (e.g., &lt; for the less-than symbol <).
4. SELECT * from SomeTable WHERE FirstName='Robert'); DROP TABLE Students;--
The trailing ;-- comments out the pre-programmed '); that follows the input, so the injected statement produces no syntax error.
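As an added example (not code from the slides): the Smith lookup from slide 2 rebuilt on Python's sqlite3 against a constructed in-memory EmployeeTable, comparing string splicing, the whitelist scrub recommended on slide 3, and a bound parameter, which the slides do not mention but is the standard complement to scrubbing. Table contents and the O'Brien row are assumptions made for the demo.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory EmployeeTable (sample rows, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EmployeeTable (LastName TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO EmployeeTable VALUES (?, ?)",
                     [("Smith", 50000), ("Jones", 62000), ("O'Brien", 58000)])
    return conn


def lookup_unsafe(conn, last_name):
    """The slide's pattern: user input spliced straight into the SQL text."""
    sql = "SELECT * FROM EmployeeTable WHERE LastName='%s'" % last_name
    return conn.execute(sql).fetchall()


def scrub(value):
    """The slide's remedy: whitelist alphanumerics and delete everything else."""
    return re.sub(r"[^A-Za-z0-9]", "", value)


def lookup_scrubbed(conn, last_name):
    """Scrubbing defeats the injection, but also mangles legitimate names such as O'Brien."""
    return lookup_unsafe(conn, scrub(last_name))


def lookup_parameterized(conn, last_name):
    """Bound parameter: the driver never interprets the input as SQL syntax
    (a standard complement to the slide's advice; not covered on the slides)."""
    return conn.execute("SELECT * FROM EmployeeTable WHERE LastName=?",
                        (last_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "Smith' OR 1=1;--"   # the slide-3 input; the WHERE clause becomes always true
    print(lookup_unsafe(db, payload))         # all three rows leak
    print(lookup_scrubbed(db, payload))       # no rows: "SmithOR11" matches nothing
    print(lookup_parameterized(db, payload))  # no rows: looks for that literal string
    print(lookup_parameterized(db, "O'Brien"))  # one row; the scrubbed lookup would find none
```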
5. Three components:
An innocent web site (call it Y) that uses browser cookies and that reflects user input back to the user's browser (e.g., shopping sites that show the user a summary of the order before placing it)
A victim who has an account on the aforementioned web site
An attacker who tricks the victim into clicking on a link (in an e-mail or on another web site) that will send them to site Y; the link will include embedded JavaScript
6. Victim clicks on the malicious link
Malicious script is sent to web site Y and is reflected back without being scrubbed.
Malicious code is executed in the user's browser.
Malicious code could:
◦ Send all of the user's cookies for the site to the attacker
◦ Install a backdoor on the victim's computer
7. The Open Web Application Security Project (OWASP) periodically updates a top ten list of web application vulnerabilities
Items are chosen based on prevalence, exploitability, detectability, and impact estimates
According to the site's introductory page, the "data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications."
As the introductory page warns, don't stop at ten
8. Free
◦ OWASP’s Nikto
◦ Paros proxy
Commercial
◦ Burp Suite Pro