Downloaded 280 times
More Related Content
Similar to Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
- 1. Protecting Your WebSite From SQL Injection & XSS This year, over 500,000 web pages were defaced by a malicious SQL Injection… Chris Kenworthy </dream.in.code>® August 27, 2008
- 2.
- 3. What is SQL? Structured Query Language Used to retrieve and manage data in relational databases Chances are your organization is using SQL Example: SELECT firstName, lastName FROM users WHERE userID = ‘chris’;
- 4. What is aSQL Injection? A common security vulnerability Occurs when unfiltered input is executed Easily prevented Example of Vulnerability: http://www.example.com/login.php?UserID=chris SELECT firstName, lastName FROM users WHERE userID = ‘” + $UserID + “’
- 5. Example of anAttack Original Query: SELECT firstName, lastName FROM users WHERE userID = ‘” + $UserID + “’; Set $UserID to: nobody’ OR ‘a’ = ‘a Result: SELECT firstName, lastName FROM users WHERE userID = ‘nobody’ OR ‘a’ = ‘a’;
- 6. The Impact Queryalways returns true Attacker authenticates as first user in database Possible Impacts: False authentication Permissions escalation Information disclosure Identity theft More…
- 7. Example of anAttack Original Query: SELECT firstName, lastName FROM users WHERE userID=‘” + $UserID + “’; Set $UserID to: x’; DROP TABLE users; -- Result: SELECT firstName, lastName FROM users WHERE userID=‘x’; DROP TABLE users;--’;
- 8. The Impact Attackerdeletes entire users table! Possible Impacts: Loss of data Data manipulation Data insertion Virus/Malware distribution Total database destruction More…
- 9. Preventing SQL Injection Sanitize the input Enforce data types (i.e. numeric, string, etc.) Use parameterized statements Use stored procedures Limit permissions Install an application firewall (my favorite) Apache: mod_security (w/ Core Rules) IIS: URLScan 3.0 (Beta)
- 10.
- 11. What is XSS? XSS (Cross Site Scripting) Allows execution of arbitrary code Often involves tricking the end user Over 70% of web sites may be vulnerable Example: <<SCRIPT>alert("XSS");//<</SCRIPT>
- 12. How Does XSSWork? Scenario 1: You get an email with a URL that looks like this: http://www.domain.com/index.php?userid =%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%7 You click it and the web page outputs the userid variable resulting in this:
- 13. How Does XSSWork? Scenario 2: There is a comment form on a web page. You paste this string in to the form: <<SCRIPT>alert("XSS");//<</SCRIPT> Now every user that visits that page will see this:
- 14. Why Does ItWork? Inputs are displayed as HTML instead of character entities: Cookies are not secured Sessions can be hijacked
- 15. The Impact ofXSS Identify Theft Malware Session Hijacking User impersonation Redirection Misinformation
- 16. Preventing XSS Attacks Convert all inputs to HTML character entities before outputting to the screen Secure cookies using the httpOnly attribute Associate sessions with IP addresses Install an application firewall (again, my favorite) Educate users! Don’t click links in emails you don’t recognize Don’t fill out forms from links in emails
- 17. Resources Scrawlr –Find SQL injection vulnerabilities in your site Mod_security – Web application firewall (Apache) URLScan – Web application firewall (IIS) XSS Examples
- 18. Closing Thoughts Ifyou have a web site, you will be attacked Don’t trust developers to secure their code Use an application firewall if possible Be proactive
- 19. Questions? Comic from XKCD:http://xkcd.com/327/