2. CROSS SITE SCRIPTING
Outline
Introduction to XSS
Conditions for Cross site scripting
Cross site scripting – Risk and Damage
Types of XSS
Defending against Cross site scripting
Practice
3. CROSS SITE SCRIPTING
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
1. Introduction to XSS
SattirxSecurity Preferred
4. CROSS SITE SCRIPTING
Scripting: Web Browsers can execute commands
Embedded in HTML page
Supports different languages (JavaScript, VBScript, ActiveX, etc.)
Most prominent: JavaScript
“Cross-Site” means: Foreign script sent via a server to a client
Attacker makes Web-Server deliver malicious script code
Malicious script is executed in Client’s Web Browser
Attack:
Steal Access Credentials, Denial-of-Service, Modify Web pages
Execute any command at the client machine
1. Introduction to XSS
5. CROSS SITE SCRIPTING
2. CONDITIONS FOR CROSS-SITE SCRIPTING
A Web application accepts user input:
Many web applications accept input from the user, such as a search string.
The input is used to create dynamic content
The input is insufficiently validated
6. Cross-Site Scripting
3. Risk Involve in Cross-Site Scripting
Denial-of-Service
Crash User's Browser, Pop-Up Flooding, Redirection
Access to authentication credentials for Web application
Cookies, Username and Password
Normal users (Personal data, Business data, Misuse of account)
High privileged users (Control over Web application, web server and database)
Access to User's machine
Use ActiveX objects to control machine
Upload local data to attacker's machine
Spoil public image of company
7. CROSS SITE SCRIPTING
4. Types of Cross Site Scripting - XSS
While the goal of an XSS attack is always to execute malicious JavaScript in the victim's browser, there are a few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:
1. Persistent or Stored XSS, where the malicious string originates from the website's database.
2. Reflected XSS, where the malicious string originates from the victim's request.
3. DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
9. CROSS SITE SCRIPTING
4.1 Persistent or Stored XSS
1. The attacker uses one of the website's forms to insert a malicious string into the website's database.
2. The victim requests a page from the website.
3. The website includes the malicious string from the database in the response and sends it to the victim.
4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server.
10. CROSS SITE SCRIPTING
4.2 Reflected XSS
In a reflected XSS attack, the malicious string is part of the victim's request to the website. The website then includes this malicious string in the response sent back to the user. The diagram below illustrates this scenario:
11. CROSS SITE SCRIPTING
4.2 Reflected XSS
1. The attacker crafts a URL containing a malicious string and sends it to the victim.
2. The victim is tricked by the attacker into requesting the URL from the website.
3. The website includes the malicious string from the URL in the response.
4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server.
12. CROSS SITE SCRIPTING
4.3. DOM-based XSS
DOM-based XSS is a variant of both persistent and reflected XSS. In a DOM-based XSS attack, the malicious string is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. The diagram below illustrates this scenario for a reflected XSS attack:
13. CROSS SITE SCRIPTING
4.3. DOM-based XSS
1. The attacker crafts a URL containing a malicious string and sends it to the victim.
2. The victim is tricked by the attacker into requesting the URL from the website.
3. The website receives the request, but does not include the malicious string in the response.
4. The victim's browser executes the legitimate script inside the response, causing the malicious script to be inserted into the page.
5. The victim's browser executes the malicious script inserted into the page, sending the victim's cookies to the attacker's server.
14. CROSS SITE SCRIPTING
5. Defending against Cross site scripting
Recall that an XSS attack is a type of code injection: user input is mistakenly interpreted as malicious program code. In order to prevent this type of code injection, secure input handling is needed. For a web developer, there are two fundamentally different ways of performing secure input handling:
1. Encoding, which escapes the user input so that the browser interprets it only as data, not as code.
2. Validation, which filters the user input so that the browser interprets it as code without malicious commands.
15. CROSS SITE SCRIPTING
5. Defending against Cross site scripting
While these are fundamentally different methods of preventing XSS, they share several common features that are important to understand when using either of them:
Context: Secure input handling needs to be performed differently depending on where in a page the user input is inserted.
Inbound/outbound: Secure input handling can be performed either when your website receives the input (inbound) or right before your website inserts the input into a page (outbound).
Client/server: Secure input handling can be performed either on the client-side or on the server-side, both of which are needed under different circumstances.
16. CROSS SITE SCRIPTING
5.1. Encoding
Encoding is the act of escaping user input so that the browser interprets it only as data, not as code. The most recognizable type of encoding in web development is HTML escaping, which converts characters like < and > into &lt; and &gt;, respectively.
The following pseudocode is an example of how user input could be encoded using HTML escaping and then inserted into a page by a server-side script:
If the user input were the string <script>...</script>, the resulting HTML would be as follows:
17. CROSS SITE SCRIPTING
5.1. Encoding
Because all characters with special meaning have been escaped, the browser will not parse any part of the user input as HTML.
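Encoding by output context, as an added Python example that is not part of the original slides: the deck's pseudocode and its resulting HTML are shown as images and are not reproduced here, so this block works the same idea with Python's standard `html` and `json` modules. It takes the page's `<script>...</script>` input, renders it unencoded beside the HTML-escaped form, and goes a step beyond the slide by also covering the attribute and JavaScript-string contexts that the "Context" point on slide 15 refers to. The function names and the sample input are constructed for this example.

```python
import html
import json

# Constructed sample of untrusted input: the script payload the slides use.
UNTRUSTED = "<script>alert(1)</script>"


def render_unencoded(user_input: str) -> str:
    """Unsafe pattern: user input concatenated straight into the HTML body."""
    return "<p>Hello " + user_input + "</p>"


def encode_for_html_body(user_input: str) -> str:
    """HTML escaping for text between tags: <, >, &, " and ' become entities."""
    return html.escape(user_input, quote=True)


def encode_for_html_attribute(user_input: str) -> str:
    """Attribute context: escape as above and always wrap in double quotes, so a
    quote inside the input cannot close the attribute and start a new one."""
    return '"' + html.escape(user_input, quote=True) + '"'


def encode_for_js_string(user_input: str) -> str:
    """JavaScript string-literal context: JSON-encode, then also escape < and >
    so the input cannot contain a literal </script> that ends the element."""
    return json.dumps(user_input).replace("<", "\\u003c").replace(">", "\\u003e")


def render_encoded(user_input: str) -> str:
    """Safe counterpart of render_unencoded for the HTML body context."""
    return "<p>Hello " + encode_for_html_body(user_input) + "</p>"


def render_attribute(user_input: str) -> str:
    """Input reflected into an attribute value."""
    return "<input type=\"text\" value=" + encode_for_html_attribute(user_input) + ">"


def render_script(user_input: str) -> str:
    """Input reflected into an inline script as a string value (the one real
    <script> element in the output is the template's own)."""
    return "<script>var name = " + encode_for_js_string(user_input) + ";</script>"


def count_script_elements(markup: str) -> int:
    """Rough count of real <script> start tags the browser would see; the entity
    form &lt;script&gt; and the JS escape \\u003cscript are not counted."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    for label, page in (("unencoded", render_unencoded(UNTRUSTED)),
                        ("html body", render_encoded(UNTRUSTED)),
                        ("attribute", render_attribute('">' + UNTRUSTED)),
                        ("js string", render_script(UNTRUSTED))):
        print(f"{label:10} script elements={count_script_elements(page)}  {page}")
```

The point of the three encoders is the slide's "Context" feature: the same input needs a different escaping routine depending on whether it lands in element text, in an attribute, or inside a script, and applying the HTML-body encoder in the script context would not be enough.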
18. CROSS SITE SCRIPTING
5.2. Validation
Validation is the act of filtering user input so that all malicious parts of it are removed, without necessarily removing all code in it. One of the most recognizable types of validation in web development is allowing some HTML elements (such as <em> and <strong>) but disallowing others (such as <script>).
There are two main characteristics of validation that differ between implementations:
Classification strategy: User input can be classified using either blacklisting or whitelisting.
Validation outcome: User input identified as malicious can either be rejected or sanitized.
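A whitelist sanitizer that supports both validation outcomes (sanitize or reject), as an added Python example that is not from the original slides; it relies only on the standard library's `html.parser`. The allow-list (`p`, `em`, `strong`, `br`, and `a` with an http(s) `href`), the decision to discard the text inside `<script>` and `<style>`, and all function names are choices made for this example.

```python
import html
from html.parser import HTMLParser

# Allow-list (whitelist) chosen for this example: everything not listed is removed.
ALLOWED_TAGS = {"p", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text are both discarded


def safe_url(value):
    """Only plain http(s) links are kept in href; any other scheme is dropped."""
    value = (value or "").strip().lower()
    return value.startswith("http://") or value.startswith("https://")


class WhitelistSanitizer(HTMLParser):
    """Re-serialises the input from parsed tokens, keeping only allow-listed
    elements and attributes and re-escaping all text and attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside script/style
        self.dropped = 0      # number of elements/attributes removed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and safe_url(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped += 1          # e.g. event-handler attributes
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is handled like <br>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def validate(user_html: str, outcome: str = "sanitize") -> str:
    """outcome='sanitize' returns the cleaned markup; outcome='reject' raises
    ValueError if anything had to be removed (the input is refused wholesale)."""
    parser = WhitelistSanitizer()
    parser.feed(user_html)
    parser.close()
    if outcome == "reject" and parser.dropped:
        raise ValueError(f"input rejected: {parser.dropped} disallowed element(s)/attribute(s)")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input mixing allowed markup with elements the whitelist refuses.
    sample = ('<p>Hi <em>there</em><script>alert(1)</script>'
              '<a href="javascript:alert(1)" onclick="x()">link</a></p>')
    print(validate(sample))
    try:
        validate(sample, outcome="reject")
    except ValueError as err:
        print("rejected:", err)
```

Rebuilding the output from parsed tokens, rather than deleting substrings from the original, is what makes this a whitelist: anything the parser did not positively recognise as allowed never reaches the output, and all text and attribute values are re-escaped on the way out.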
19. SQL Injection
Outline
Introduction to SQL Injection
How SQL Injection Work
What’s the worst an attacker can do with SQLi?
Types of SQL Injection
Prevention against SQL Injection
Practice
20. SQL Injection
1. Introduction to SQL Injection
SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application's authentication and
21. SQL Injection
1. Introduction to SQL Injection
authorization mechanisms and retrieve the contents of an entire database. SQL Injection can also be used to add, modify and delete records in a database, affecting data integrity.
To such an extent, SQL Injection can provide an attacker with unauthorized access to sensitive data including customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.
22. SQL Injection
2. How SQL Injection works
In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
23. SQL Injection
2. How SQL Injection works
The above script is a simple example of authenticating a user with a username and a password against a database with a table named users, and a username and password column.
24. SQL Injection
2. How SQL Injection works
The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL Injection payload could be something as simple as setting the password field to password' OR 1=1.
This would result in the following SQL query being run against the database server.
25. SQL Injection
2. How SQL Injection works
Once the query executes, the result is returned to the application to be processed, resulting in an authentication bypass. Where an authentication bypass is possible, the application will most likely log the attacker in with the first account from the query result; the first account in a database is usually that of an administrative user.
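The login flow of slides 22 to 25, as an added example that is not the talk’s own pseudo-code: the concatenated query beside its parameterized replacement, run against a constructed SQLite users table. The slide’s payload is given a trailing comment marker (`-- `) so the resulting statement stays syntactically valid in SQLite; the table contents are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample database: a users table whose first row is an
    administrative account, as the slides note is common."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    # Plaintext passwords only to mirror the slide's pseudo-code; real
    # systems store password hashes (see slide 36).
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cr3t!"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is concatenated into the SQL statement,
    so a quote in the input becomes part of the query's structure."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data; the database never
    parses it as SQL, so the same payload simply fails to match a password."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # The slide's payload in the password field, with a trailing comment marker
    # ("-- ") so the resulting statement is syntactically valid in SQLite.
    payload = "password' OR 1=1 -- "
    print("vulnerable   :", login_vulnerable(conn, "nobody", payload))    # admin
    print("parameterized:", login_parameterized(conn, "nobody", payload))  # None
```

The vulnerable form returns the first row of the table (the admin account), exactly the bypass the slide describes, while the parameterized form returns nothing.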
26. SQL Injection
3. What’s the worst an attacker can do with SQL?
SQL is a programming language designed for managing data stored in an RDBMS, therefore SQL can be used to access, modify and delete data. Furthermore, in specific cases, an RDBMS could also run commands on the operating system from an SQL statement.
With this in mind, the following points make it easier to understand how lucrative a successful SQL Injection attack can be for an attacker.
An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
One of SQL’s primary functions is to select data based on a query and output the result of that query. An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
27. SQL Injection
3. What’s the worst an attacker can do with SQL?
Since web applications use SQL to alter data within a database, an attacker could use SQL Injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance voiding transactions, altering balances and other records.
SQL is used to delete records from a database. An attacker could use an SQL Injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application’s availability until the database is restored.
Some database servers are configured (intentionally or otherwise) to allow arbitrary execution of operating system commands on the database server. Given the right conditions, an attacker could use SQL Injection as the initial vector in an attack on an internal network that sits behind a firewall.
28. SQL Injection
4. Types of SQL Injection (SQLi)
SQL Injection can be used in a range of ways to cause serious problems. By leveraging SQL Injection, an attacker could bypass authentication, and access, modify and delete data within a database.
SQL Injection can be classified into three major categories:
1. In-band SQLi
- Error-based SQLi
- Union-based SQLi
2. Inferential SQLi
- Blind boolean-based SQLi
- Blind time-based SQLi
3. Out-of-band SQLi
29. SQL Injection
4.1. In-band SQL injection (Classic SQLi)
In-band SQL Injection is the most common and easy-to-exploit of SQL Injection attacks. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.
Error-based SQL injection
Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.
30. SQL Injection
4.1. In-band SQL injection (Classic SQLi)
Union-based SQL injection
Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
31. SQL Injection
4.2. Inferential SQLi (Blind SQLi)
Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads and observing the web application’s response and the resulting behavior of the database server.
The two types of inferential SQL Injection are Blind boolean-based SQLi and Blind time-based SQLi.
32. SQL Injection
4.2. Inferential SQLi (Blind SQLi)
Boolean-based (content-based) Blind SQLi
Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
33. SQL Injection
4.2. Inferential SQLi (Blind SQLi)
Time-based Blind SQLi
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
34. SQL Injection
4.3. Out-of-band SQL Injection
Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).
35. SQL Injection
5. What Can Be Done to Prevent SQL Injection Attacks?
The most important precautions are data sanitization and validation, which should already be in place. Sanitization usually involves running any submitted data through a function (such as MySQL's mysql_real_escape_string() function) to ensure that any dangerous characters (such as the single quote ') are not passed to a SQL query in data.
Validation is slightly different: it attempts to ensure that the data submitted is in the form that is expected, and that the length of a piece of submitted data is not longer than the maximum expected length.
But sanitization and validation are far from the whole story. Here are ten ways you can help prevent or mitigate SQL injection attacks:
36. SQL Injection
5. What Can Be Done to Prevent SQL Injection Attacks?
Trust no-one: Assume all user-submitted data is evil and validate and sanitize everything.
Don't use dynamic SQL when it can be avoided: use prepared statements, parameterized queries or stored procedures instead whenever possible.
Update and patch: vulnerabilities in applications and databases that hackers can exploit using SQL injection are regularly discovered, so it's vital to apply patches and updates as soon as practical.
Firewall: Consider a web application firewall (WAF), either software or appliance based, to help filter out malicious data. A WAF can be particularly useful to provide some protection against a particular new vulnerability before a patch is available.
37. SQL Injection
5. What Can Be Done to Prevent SQL Injection Attacks?
Use appropriate privileges: don't connect to your database using an account with admin-level privileges unless there is some compelling reason to do so. Using a limited-access account is far safer, and can limit what a hacker is able to do.
Keep your secrets secret: Assume that your application is not secure and act accordingly by encrypting or hashing passwords and other confidential data, including connection strings.
Don't divulge more information than you need to: hackers can learn a great deal about database architecture from error messages, so ensure that they display minimal information. Use the "RemoteOnly" customErrors mode (or equivalent) to display verbose error messages on the local machine while ensuring that an external hacker gets nothing more than the fact that their actions resulted in an unhandled error.
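Two of the precautions above, validation of submitted data (slide 35) and "RemoteOnly"-style error disclosure (slide 37), as an added example that is not from the talk: the username allowlist, the maximum length of 32 and the loopback test that stands in for customErrors are assumptions, and the failing database (no users table) is constructed.

```python
import ipaddress
import logging
import re
import sqlite3

log = logging.getLogger("db")

# Assumed allowlist policy for usernames: expected character set and a
# maximum length of 32 characters; anything else is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Validation: is the submitted data in the expected form and length?"""
    return USERNAME_RE.fullmatch(value) is not None


def error_message(exc, remote_addr):
    """'RemoteOnly'-style disclosure: the full database error always goes to
    the server log, but only a loopback caller sees it in the response."""
    log.error("database error: %s", exc)
    if ipaddress.ip_address(remote_addr).is_loopback:
        return f"Database error: {exc}"
    return "An unhandled error occurred."


def lookup_user(conn, username, remote_addr):
    """Validate first, then query with a placeholder; returns (row, error)."""
    if not validate_username(username):
        return None, "Invalid username."
    try:
        row = conn.execute(
            "SELECT id FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error as exc:
        return None, error_message(exc, remote_addr)
    return row, None


def demo_missing_table(remote_addr):
    """Constructed failure case: query a database that has no users table."""
    return lookup_user(sqlite3.connect(":memory:"), "alice", remote_addr)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(lookup_user(None, "alice' OR 1=1", "203.0.113.5"))  # rejected by validation
    print(demo_missing_table("203.0.113.5"))  # external caller: generic message only
    print(demo_missing_table("127.0.0.1"))    # local caller: full database error
```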