XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. There are three main types: stored XSS injects scripts into stored data like forums; reflected XSS uses malicious links; DOM-based XSS modifies the DOM. Successful XSS can steal users' cookies and passwords, hijack sessions, deface websites, and distribute malware. Developers can prevent XSS by escaping untrusted data, using safe templating systems, and implementing a content security policy.
2. A1: SQL Injection
SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.
SQL injection is considered one of the top 10 web application vulnerabilities of 2007 and 2010.
3. WARNING
In its most common form, a SQL injection attack gives access to sensitive information such as social security numbers, credit card numbers or other financial data. SQL injection is one of the most prevalent types of web application security vulnerability.
5. Preventing SQL Injection 1 / 2
● Adopt an input validation technique in which user input is validated against a set of defined rules for length, type and syntax.
● Users with permission to access the database must have the least privileges. Also, always make sure that a database user is created only for a specific application and that this user cannot access other applications.
6. Preventing SQL Injection 2 / 2
● Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
● Take care when using stored procedures: they can be injectable too (for example via the use of exec() or concatenating arguments within the stored procedure).
8. Environment / Context 2/3
[Diagram: CLIENT -> SERVER (php) -> SQL] You must verify data before sending them to the server.
9. Environment / Context 3/3
[Diagram: CLIENT -> SERVER (php) -> SQL] Data are sent to the server (processed with php) and then sent back to the client. SQL can protect from DROP and ALTER if parametrized.
10. Example 1: Injection 1/3
This program is a web page linked to an SQL database which shows the list of movies present in the database and allows anyone to add a new entry to the database.
Movie 1: Normal use case
11. Example 1: Injection 2/3
But we can easily attack this web page because the server doesn't check for the presence of javascript in the inputs added by users. We will show an example of a possible attack (injection of javascript code) on this web page.
With this attack, each client is affected!
Movie 1: Attack use case
12. Example 1: Injection 3/3
To prevent this kind of attack, we have to block all javascript that comes from the user. Doing it is very simple: we use a specific php function, strip_tags(). It removes tags, i.e. anything delimited by "<" and ">", from the input.
Movie 1: Prevent use case
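As an added example (not from the slides, and in Python rather than php), here is the strip_tags() idea from slide 12 next to output encoding, the htmlspecialchars-style defense; the titles are constructed inputs and the function names are my own:

```python
import html
import re

# Constructed sample titles submitted through the movie form (not from the slides).
AWKWARD_TITLE = "1 <2 and 3> 0"               # legitimate text that merely looks like a tag
HOSTILE_TITLE = "<script>alert('x')</script>"  # the javascript injection the slide describes

# The idea behind php's strip_tags(): delete everything between "<" and ">".
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Remove anything that looks like a tag. Note: this deletes user data."""
    return TAG_RE.sub("", text)


def render_row_unsafe(title: str) -> str:
    """Vulnerable pattern: user data is pasted straight into the HTML."""
    return f"<li>{title}</li>"


def render_row_stripped(title: str) -> str:
    """The slide's fix: strip tags from the input, then render it."""
    return f"<li>{strip_tags(title)}</li>"


def render_row_escaped(title: str) -> str:
    """Output encoding (the htmlspecialchars equivalent): < > & ' " become
    entities, so the browser displays the text instead of interpreting it."""
    return f"<li>{html.escape(title, quote=True)}</li>"


if __name__ == "__main__":
    for title in (AWKWARD_TITLE, HOSTILE_TITLE):
        print(render_row_unsafe(title))
        print(render_row_stripped(title))
        print(render_row_escaped(title))
```

Stripping silently turns "1 <2 and 3> 0" into "1  0", while escaping keeps the text intact and still neutralises the script tag, so escape at output time whatever was filtered on input.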
13. Example 2: SQL Injection 1/3
This program is a web page linked to an SQL database that shows the list of users present in the database and allows anyone to subscribe. If you are subscribed, you can log in.
Movie 2: Normal use case
14. Example 2: SQL Injection 2/3
The attack consists in logging in and stealing all personal information of a user with his login but without his password. It's simple; a request looks like this:
$query = "SELECT * FROM user WHERE pseudo='".$p."' AND mdp='".$pass."' ";
So the attacker can inject code after his pseudo (' -- ) and the end of the SQL request will be interpreted as:
SELECT * FROM user WHERE pseudo='PSEUDO' -- AND mdp='WHATYOUWANT'
As you can see, AND mdp='...' is interpreted as a comment!
Movie 2: Attack use case
15. Example 2: SQL Injection 3/3
To prevent this kind of attack, use mysqli_real_escape_string() or bin2hex():
$link = mysqli_connect("127.0.0.1", "root", "", "secuweb");
$login = mysqli_real_escape_string($link, $login);
$user = $ins->getUserFromPseudoAndPassword($login, $pass);
Then the input string changes: ' -- is replaced by \' --
Movie 2: Prevent use case
16. Example 3: SQL Injection* 1/2
In reality, a lot of problems induced by SQL injection are already fixed. For example in php, you can't submit multiple requests to mysql without using mysqli->multi_query, probably because it is very dangerous: you can modify data and tables and also delete them.
For this example, mysqli_real_escape_string is deactivated.
Movie 3: Multi-request attack
17. Example 3: SQL Injection* 2/2
Allow only what is necessary to a user; it can prevent a lot of actions.
18. About SQL injection
Finally, it's not difficult to prevent SQL injection; the problem comes from webmasters who don't check all cases of possible attack. There are a lot of ways to secure inputted data, like the methods quoted before or others such as preparing the request with bindParam.
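As an added example (not the slides' php code), the concatenated query from Example 2 beside the two fixes the slides mention, escaping on slide 15 and a prepared request with placeholders like PDO's bindParam on slide 18, written in Python with an in-memory sqlite3 table standing in for MySQL; the table contents are constructed and the function names are my own:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's user table (pseudo, mdp)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (pseudo TEXT, mdp TEXT, email TEXT)")
    conn.execute("INSERT INTO user VALUES ('alice', 's3cret', 'alice@example.invalid')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, p: str, pwd: str):
    """Vulnerable: same shape as the slide's
    $query = "SELECT * FROM user WHERE pseudo='".$p."' AND mdp='".$pass."' ";
    A pseudo of  alice' --  comments out the password check."""
    query = f"SELECT * FROM user WHERE pseudo='{p}' AND mdp='{pwd}'"
    return conn.execute(query).fetchone()


def escape_quote(value: str) -> str:
    """sqlite's equivalent of the backslash mysqli_real_escape_string adds:
    a quote inside the value is doubled so it can no longer close the literal."""
    return value.replace("'", "''")


def login_escaped(conn: sqlite3.Connection, p: str, pwd: str):
    """Slide 15's fix: escape each value before concatenating it into the SQL."""
    query = (f"SELECT * FROM user WHERE pseudo='{escape_quote(p)}' "
             f"AND mdp='{escape_quote(pwd)}'")
    return conn.execute(query).fetchone()


def login_param(conn: sqlite3.Connection, p: str, pwd: str):
    """Slide 18's fix: placeholders (like PDO bindParam). The values travel
    separately from the SQL text and are never parsed as SQL."""
    query = "SELECT * FROM user WHERE pseudo=? AND mdp=?"
    return conn.execute(query, (p, pwd)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice' -- ", "WHATYOUWANT"))   # alice's row: password check bypassed
    print(login_escaped(db, "alice' -- ", "WHATYOUWANT"))  # None
    print(login_param(db, "alice' -- ", "WHATYOUWANT"))    # None
```

Escaping closes this particular hole, but the placeholder version is the one to keep: it needs no per-driver escaping rules and cannot be undone by forgetting a single call.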
END of part 1
20. Cross-Site Scripting
1. What is it?
2. Types of XSS
3. Consequences
4. OWASP Prevention Cheat Sheet
5. Testing my application
22. What is it?
XSS attacks are a type of injection. An attacker uses a web application to send malicious scripts which will be executed when the page is built.
25. Types of Cross-Site Scripting
Stored XSS (Persistent or Type I)
Reflected XSS (Non-Persistent or Type II)
DOM Based XSS (Type-0)
26. Stored XSS
The most frequently vulnerable sites are those where user input is stored on the target server, such as in a database, a message forum, a visitor log, a comment field, etc. The attacker uses this input to inject a script.
The injected script is permanently stored on the target servers.
The victim then retrieves the malicious script from the server when it requests the stored information.
29. Reflected XSS
The injected script is reflected off the web server, such as in a response that includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site.
30. Reflected XSS
Then the user clicks on a malicious link that contains the XSS injection as part of a request to the "trusted site", which reflects the attack back to the user's browser.
The browser then executes the code because it came from a "trusted" server.
33. DOM Based XSS
It's an XSS attack wherein the attack payload is executed as a result of modifying the DOM in the victim's browser used by the original client-side script.
38. Consequences
The consequences are the same whatever the type of XSS:
ACCESS TO EXECUTE JAVASCRIPT
cookies, user files, installation of Trojan horse programs, redirecting the user to some other page, modifying the presentation of content...
50. OWASP Prevention Cheat Sheet
RULE #7 - Prevent DOM-based XSS
Testing Tools and Techniques
● The DOMinator Tool - A commercial tool based on the Firefox browser with a modified Spidermonkey Javascript engine that helps testers identify and verify DOM based XSS flaws. https://dominator.mindedsecurity.com/
● The DOM XSS Wiki - The start of a knowledgebase for defining sources of attacker controlled inputs and sinks which could potentially introduce DOM Based XSS issues. http://code.google.com/p/domxsswiki/
● DOM Snitch - An experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. From Google. http://code.google.com/p/domsnitch/
Defense Techniques
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet