Uploaded byskyhawk133
PPT, PDF3,654 views

Protecting Your Web Site From SQL Injection & XSS

The document discusses the threats of SQL injection and cross-site scripting (XSS) vulnerabilities in web applications, including examples of attacks and their potential impacts such as unauthorized access, data loss, and identity theft. It offers strategies for preventing these attacks, including input sanitization, use of parameterized statements, secure cookies, and installing application firewalls. The author emphasizes the importance of proactive security measures and user education to mitigate these risks.

Downloaded 280 times
Protecting Your Web Site From SQL Injection & XSS This year, over 500,000 web pages were defaced by a malicious SQL Injection… Chris Kenworthy </dream.in.code>® August 27, 2008
SQL Injections
What is SQL?  Structured Query Language  Used to retrieve and manage data in relational databases  Chances are your organization is using SQL  Example: SELECT firstName, lastName FROM users WHERE userID = ‘chris’;
What is a SQL Injection?  A common security vulnerability  Occurs when unfiltered input is executed  Easily prevented  Example of Vulnerability: http://www.example.com/login.php?UserID=chris SELECT firstName, lastName FROM users WHERE userID = ‘” + $UserID + “’
Example of an Attack  Original Query: SELECT firstName, lastName FROM users WHERE userID = ‘” + $UserID + “’;  Set $UserID to: nobody’ OR ‘a’ = ‘a  Result: SELECT firstName, lastName FROM users WHERE userID = ‘nobody’ OR ‘a’ = ‘a’;
The Impact  Query always returns true  Attacker authenticates as first user in database  Possible Impacts:  False authentication  Permissions escalation  Information disclosure  Identity theft  More…
Example of an Attack  Original Query: SELECT firstName, lastName FROM users WHERE userID=‘” + $UserID + “’;  Set $UserID to: x’; DROP TABLE users; --  Result: SELECT firstName, lastName FROM users WHERE userID=‘x’; DROP TABLE users;--’;
The Impact  Attacker deletes entire users table!  Possible Impacts:  Loss of data  Data manipulation  Data insertion  Virus/Malware distribution  Total database destruction  More…
Preventing SQL Injection  Sanitize the input  Enforce data types (i.e. numeric, string, etc.)  Use parameterized statements  Use stored procedures  Limit permissions  Install an application firewall (my favorite)  Apache: mod_security (w/ Core Rules)  IIS: URLScan 3.0 (Beta)
Cross Site Scripting
What is XSS?  XSS (Cross Site Scripting)  Allows execution of arbitrary code  Often involves tricking the end user  Over 70% of web sites may be vulnerable  Example: <<SCRIPT>alert("XSS");//<</SCRIPT>
How Does XSS Work?  Scenario 1:  You get an email with a URL that looks like this: http://www.domain.com/index.php?userid =%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%7  You click it and the web page outputs the userid variable resulting in this:
How Does XSS Work?  Scenario 2:  There is a comment form on a web page. You paste this string in to the form: <<SCRIPT>alert("XSS");//<</SCRIPT>  Now every user that visits that page will see this:
Why Does It Work?  Inputs are displayed as HTML instead of character entities:  Cookies are not secured  Sessions can be hijacked
The Impact of XSS  Identify Theft  Malware  Session Hijacking  User impersonation  Redirection  Misinformation
Preventing XSS Attacks  Convert all inputs to HTML character entities before outputting to the screen  Secure cookies using the httpOnly attribute  Associate sessions with IP addresses  Install an application firewall (again, my favorite)  Educate users!  Don’t click links in emails you don’t recognize  Don’t fill out forms from links in emails
Resources  Scrawlr – Find SQL injection vulnerabilities in your site  Mod_security – Web application firewall (Apache)  URLScan – Web application firewall (IIS)  XSS Examples
Closing Thoughts  If you have a web site, you will be attacked  Don’t trust developers to secure their code  Use an application firewall if possible  Be proactive
Questions? Comic from XKCD: http://xkcd.com/327/

More Related Content

PPTX
Cross Site Scripting (XSS)
byBarrel Software
 
PPT
Cross site scripting (xss)
byManish Kumar
 
PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
PPTX
Cross Site Scripting
byAli Mattash
 
ODP
XSS
byHrishikesh Mishra
 
PPTX
Secure Code Warrior - Local storage
bySecure Code Warrior
 
PPTX
Cross-Site Scripting (XSS)
byDaniel Tumser
 
PPTX
Cross site scripting XSS
byRonan Dunne, CEH, SSCP
 
Cross Site Scripting (XSS)
byBarrel Software
 
Cross site scripting (xss)
byManish Kumar
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
Cross Site Scripting
byAli Mattash
 
XSS
byHrishikesh Mishra
 
Secure Code Warrior - Local storage
bySecure Code Warrior
 
Cross-Site Scripting (XSS)
byDaniel Tumser
 
Cross site scripting XSS
byRonan Dunne, CEH, SSCP
 

What's hot

PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
PPT
Web security presentation
byJohn Staveley
 
PDF
Xss 101 by-sai-shanthan
byRaghunath G
 
PPTX
Web application attacks
byhruth
 
PPTX
Web application attack Presentation
byKhoa Nguyen
 
PPTX
Secure Code Warrior - Authentication
bySecure Code Warrior
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PPTX
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
PDF
Common Web Application Attacks
byAhmed Sherif
 
PDF
The Cross Site Scripting Guide
byDaisuke_Dan
 
PDF
AJAX Security - LAC2016
byJulia Logan a.k.a. IrishWonder
 
PPTX
Secure Code Warrior - Remote file inclusion
bySecure Code Warrior
 
PPTX
Xss (cross site scripting)
byvinayh.vaghamshi _
 
PPTX
Secure Code Warrior - Cookies and sessions
bySecure Code Warrior
 
PPTX
Secure Code Warrior - Unrestricted file upload
bySecure Code Warrior
 
PDF
XSS-Alert-Pentration testing tool
byArjun Jain
 
PDF
Web Security 101
byMichael Peters
 
PDF
2013 OWASP Top 10
bybilcorry
 
PPTX
Securing the Web @DevDay Da Nang 2018
bySumanth Damarla
 
PPTX
ECrime presentation - A few bits about malware
byMichael Hendrickx
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
Web security presentation
byJohn Staveley
 
Xss 101 by-sai-shanthan
byRaghunath G
 
Web application attacks
byhruth
 
Web application attack Presentation
byKhoa Nguyen
 
Secure Code Warrior - Authentication
bySecure Code Warrior
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
Common Web Application Attacks
byAhmed Sherif
 
The Cross Site Scripting Guide
byDaisuke_Dan
 
AJAX Security - LAC2016
byJulia Logan a.k.a. IrishWonder
 
Secure Code Warrior - Remote file inclusion
bySecure Code Warrior
 
Xss (cross site scripting)
byvinayh.vaghamshi _
 
Secure Code Warrior - Cookies and sessions
bySecure Code Warrior
 
Secure Code Warrior - Unrestricted file upload
bySecure Code Warrior
 
XSS-Alert-Pentration testing tool
byArjun Jain
 
Web Security 101
byMichael Peters
 
2013 OWASP Top 10
bybilcorry
 
Securing the Web @DevDay Da Nang 2018
bySumanth Damarla
 
ECrime presentation - A few bits about malware
byMichael Hendrickx
 

Similar to Protecting Your Web Site From SQL Injection & XSS

PDF
Sql Injection and XSS
byMike Crabb
 
PPT
Web security 2010
byAlok Babu
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
PDF
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
PPTX
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
PPT
Xss talk, attack and defense
byPrakashchand Suthar
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
Web application security part 01
byPrachi Gulihar
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
PPTX
Sql injection
byNuruzzaman Milon
 
PDF
XSS and SQL injection workshop steps
byvodQA
 
PPTX
Simple web security
by裕夫 傅
 
PDF
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPTX
Greensql2007
byKaustav Sengupta
 
PPTX
Code injection and green sql
byKaustav Sengupta
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
PPSX
Web application security
bywww.netgains.org
 
PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
Sql Injection and XSS
byMike Crabb
 
Web security 2010
byAlok Babu
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
sql-inj_attack.pdf
byssuser07cf8b
 
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
Xss talk, attack and defense
byPrakashchand Suthar
 
SQL INJECTION
byAnoop T
 
Web application security part 01
byPrachi Gulihar
 
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
Sql injection
byNuruzzaman Milon
 
XSS and SQL injection workshop steps
byvodQA
 
Simple web security
by裕夫 傅
 
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
Greensql2007
byKaustav Sengupta
 
Code injection and green sql
byKaustav Sengupta
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Web application security
bywww.netgains.org
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 

Recently uploaded

PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
PPTX
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
PDF
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 

Protecting Your Web Site From SQL Injection & XSS

  • 1.
    Protecting Your WebSite From SQL Injection & XSS This year, over 500,000 web pages were defaced by a malicious SQL Injection… Chris Kenworthy </dream.in.code>® August 27, 2008
  • 2.
  • 3.
    What is SQL? Structured Query Language  Used to retrieve and manage data in relational databases  Chances are your organization is using SQL  Example: SELECT firstName, lastName FROM users WHERE userID = ‘chris’;
  • 4.
    What is aSQL Injection?  A common security vulnerability  Occurs when unfiltered input is executed  Easily prevented  Example of Vulnerability: http://www.example.com/login.php?UserID=chris SELECT firstName, lastName FROM users WHERE userID = ‘” + $UserID + “’
  • 5.
    Example of anAttack  Original Query: SELECT firstName, lastName FROM users WHERE userID = ‘” + $UserID + “’;  Set $UserID to: nobody’ OR ‘a’ = ‘a  Result: SELECT firstName, lastName FROM users WHERE userID = ‘nobody’ OR ‘a’ = ‘a’;
  • 6.
    The Impact  Queryalways returns true  Attacker authenticates as first user in database  Possible Impacts:  False authentication  Permissions escalation  Information disclosure  Identity theft  More…
  • 7.
    Example of anAttack  Original Query: SELECT firstName, lastName FROM users WHERE userID=‘” + $UserID + “’;  Set $UserID to: x’; DROP TABLE users; --  Result: SELECT firstName, lastName FROM users WHERE userID=‘x’; DROP TABLE users;--’;
  • 8.
    The Impact  Attackerdeletes entire users table!  Possible Impacts:  Loss of data  Data manipulation  Data insertion  Virus/Malware distribution  Total database destruction  More…
  • 9.
    Preventing SQL Injection Sanitize the input  Enforce data types (i.e. numeric, string, etc.)  Use parameterized statements  Use stored procedures  Limit permissions  Install an application firewall (my favorite)  Apache: mod_security (w/ Core Rules)  IIS: URLScan 3.0 (Beta)
  • 10.
  • 11.
    What is XSS? XSS (Cross Site Scripting)  Allows execution of arbitrary code  Often involves tricking the end user  Over 70% of web sites may be vulnerable  Example: <<SCRIPT>alert("XSS");//<</SCRIPT>
  • 12.
    How Does XSSWork?  Scenario 1:  You get an email with a URL that looks like this: http://www.domain.com/index.php?userid =%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%7  You click it and the web page outputs the userid variable resulting in this:
  • 13.
    How Does XSSWork?  Scenario 2:  There is a comment form on a web page. You paste this string in to the form: <<SCRIPT>alert("XSS");//<</SCRIPT>  Now every user that visits that page will see this:
  • 14.
    Why Does ItWork?  Inputs are displayed as HTML instead of character entities:  Cookies are not secured  Sessions can be hijacked
  • 15.
    The Impact ofXSS  Identify Theft  Malware  Session Hijacking  User impersonation  Redirection  Misinformation
  • 16.
    Preventing XSS Attacks Convert all inputs to HTML character entities before outputting to the screen  Secure cookies using the httpOnly attribute  Associate sessions with IP addresses  Install an application firewall (again, my favorite)  Educate users!  Don’t click links in emails you don’t recognize  Don’t fill out forms from links in emails
  • 17.
    Resources  Scrawlr –Find SQL injection vulnerabilities in your site  Mod_security – Web application firewall (Apache)  URLScan – Web application firewall (IIS)  XSS Examples
  • 18.
    Closing Thoughts  Ifyou have a web site, you will be attacked  Don’t trust developers to secure their code  Use an application firewall if possible  Be proactive
  • 19.
    Questions? Comic from XKCD:http://xkcd.com/327/