Web Application Security - Ivan Ortega, Benjamin Porta
A1: SQL Injection. SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application. SQL injection is considered one of the top 10 web application vulnerabilities of 2007 and 2010.
WARNING In its most common form, a SQL injection attack gives access to sensitive information such as social security numbers, credit card numbers or other financial data. SQL injection is one of the most prevalent types of web application security vulnerability.
Reasons:
● Incorrectly filtered escape characters
● Incorrect type handling
Classic payloads: ' OR '1'='1' -- ; ' OR '1'='1' ({ ; ' OR '1'='1' /* ; 1;DROP TABLE users
Preventing SQL Injection 1 / 2
● Adopt an input validation technique in which user input is checked against a set of defined rules for length, type and syntax.
● Users with permission to access the database must have the least privileges. Also, always make sure that a database user is created only for a specific application and that this user cannot access other applications.
Preventing SQL Injection 2 / 2
● Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
● Take care when using stored procedures, since they can be injectable too (for example via the use of exec() or by concatenating arguments within the stored procedure).
Environment / Context 1/3: CLIENT - SERVER (php) - SQL. The client sends data to the server.
Environment / Context 2/3: CLIENT - SERVER (php) - SQL. You must verify data before sending them to the server.
Environment / Context 3/3: CLIENT - SERVER (php) - SQL. Data are sent to the server (processed with PHP) and then sent back to the client. SQL can protect from DROP and ALTER if the query is parameterized.
Example 1: Injection 1/3. This program is a web page linked to an SQL database; it shows the list of movies present in the database and allows anyone to add a new entry. Movie 1: Normal use case
Example 1: Injection 2/3. But we can easily attack this web page, because the server doesn't check for JavaScript in the inputs added by users. We show an example of a possible attack (injection of JavaScript code) on this web page. With this attack, every client is affected! Movie 1: Attack use case
Example 1: Injection 3/3. To prevent this kind of attack, we have to block all JavaScript coming from the user. Doing so is very simple: use the PHP function strip_tags(). It removes tags "<" and ">" but also tags like "&lt;" and "&gt;". Movie 1: Prevent use case
Example 2: SQL Injection 1/3. This program is a web page linked to an SQL database; it shows the list of users present in the database and allows anyone to subscribe. If you are subscribed, you can log in. Movie 2: Normal use case
Example 2: SQL Injection 2/3. The attack consists in logging in and stealing all the personal information of a user with his login but without his password. It's simple; the request looks like this:
$query = "SELECT * FROM user WHERE pseudo='".$p."' AND mdp='".$pass."' ";
So the attacker can inject code after his pseudo (' -- ) and the end of the SQL request will be interpreted as:
SELECT * FROM user WHERE pseudo='PSEUDO' -- AND mdp='WHATYOUWANT'
As you can see, AND mdp='...' is interpreted as a comment! Movie 2: Attack use case
Example 2: SQL Injection 3/3. To prevent this kind of attack, use mysqli_real_escape_string() or bin2hex():
$link = mysqli_connect("127.0.0.1", "root", "", "secuweb");
$login = mysqli_real_escape_string($link, $login);
$user = $ins->getUserFromPseudoAndPassword($login, $pass);
Then the input string is changed: ' -- is replaced by \' -- . Movie 2: Prevent use case
Example 3: SQL Injection* 1/2. In reality, a lot of the problems induced by SQL injection are already fixed. For example in PHP, you can't submit multiple requests to MySQL without using mysqli->multi_query, probably because it is very dangerous: you can modify data and tables, and also delete them. For this example, mysqli_real_escape_string is deactivated. Movie 3: Multi-request attack
Example 3: SQL Injection* 2/2. Allow a user only what is necessary; this can prevent a lot of actions.
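The login query of Example 2 and the multi-request point of Example 3, as an added Python/sqlite3 illustration that is not the deck's PHP code: the concatenated query accepts the pseudo `alice' --` without any password, the placeholder version from the prevention slides rejects it, and the driver refuses a stacked `1; DROP TABLE user` statement, the same behaviour the deck attributes to mysqli_query without multi_query. The table, its rows and the inputs are constructed here.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the deck's "user" table (pseudo / mdp
    # columns as in the PHP query); the row is sample data, not the course's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, pseudo TEXT, mdp TEXT, email TEXT)")
    db.execute("INSERT INTO user (pseudo, mdp, email) VALUES ('alice', 's3cret', 'alice@example.test')")
    db.commit()
    return db

def login_vulnerable(db, pseudo, mdp):
    # Same shape as $query = "SELECT * FROM user WHERE pseudo='".$p."' AND mdp='".$pass."'":
    # the input is pasted into the SQL text, so a quote closes the string and
    # "--" turns the password check into a comment.
    query = f"SELECT pseudo, email FROM user WHERE pseudo='{pseudo}' AND mdp='{mdp}'"
    return db.execute(query).fetchall()

def login_parameterized(db, pseudo, mdp):
    # Placeholder markers (the deck's "parameterized query API"): values travel
    # separately from the statement, so ' and -- are matched as plain data.
    query = "SELECT pseudo, email FROM user WHERE pseudo=? AND mdp=?"
    return db.execute(query, (pseudo, mdp)).fetchall()

def stacked_statement_refused(db, user_id):
    # Like mysqli_query() without multi_query, sqlite3's execute() runs one
    # statement only; "1; DROP TABLE user" is rejected before anything runs.
    try:
        db.execute(f"SELECT pseudo FROM user WHERE id={user_id}")
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "WHATYOUWANT"))    # [('alice', 'alice@example.test')]
    print(login_parameterized(db, "alice' --", "WHATYOUWANT"))  # []
    print(login_parameterized(db, "alice", "s3cret"))           # [('alice', 'alice@example.test')]
    print(stacked_statement_refused(db, "1; DROP TABLE user"))  # True
```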
About SQL injection. Finally, it's not difficult to prevent SQL injection; the problem comes from webmasters who don't check all the possible attack cases. There are many ways to secure input data, such as the methods quoted before or others such as prepared statements with bindParam. END of part 1
OWASP A3: Cross-Site Scripting (XSS)
Cross-Site Scripting: 1. What is it? 2. Types of XSS 3. Consequences 4. OWASP Prevention Cheat Sheet 5. Testing my application
What is it? XSS attacks are a type of injection. An attacker uses a web application to send malicious scripts which are executed when the page is built.
How can I inject code?
Types of Cross-Site Scripting: Stored XSS (Persistent or Type I); Reflected XSS (Non-Persistent or Type II); DOM Based XSS (Type-0)
Stored XSS. The most frequently vulnerable sites are those where user input is stored on the target server, such as in a database, a message forum, a visitor log, a comment field, etc. The attacker uses this input to inject a script. The injected script is permanently stored on the target server. The victim then retrieves the malicious script from the server when it requests the stored information.
Stored XSS
Reflected XSS. The injected script is reflected off the web server, for example in a response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as an e-mail message or some other web site.
Reflected XSS. The user then clicks on a malicious link that contains the XSS injection as part of a request to the "trusted site", which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
Reflected XSS - Executing JS; Reflected XSS - Phishing
DOM Based XSS. An XSS attack wherein the attack payload is executed as a result of modifying the DOM in the victim's browser used by the original client-side script.
I have been attacked! What happens now?
Consequences. The consequences are the same whatever the type of XSS. ACCESS TO EXECUTE JAVASCRIPT: cookies, user files, installation of Trojan horse programs, redirecting the user to some other page, modifying the presentation of content...
What can I do to prevent XSS attacks?
OWASP Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet . 7 RULES TO PREVENT XSS. "Many organizations may find that allowing only Rule #1 and Rule #2 are sufficient for their needs."
OWASP Prevention Cheat Sheet, RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content:
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
and any other normal HTML elements. Escape: & --> &amp; ; < --> &lt; ; > --> &gt; ; " --> &quot; ; ' --> &#x27;
OWASP Prevention Cheat Sheet, RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes:
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> (inside UNquoted attribute)
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> (inside single quoted attribute)
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> (inside double quoted attribute)
OWASP Prevention Cheat Sheet, RULES #1-5 - Escape Before Inserting Untrusted Data into HTML
HOW CAN I ESCAPE UNTRUSTED DATA? https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet
Escaping HTML with PHP; Filtering user input with PHP
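Rules #1 and #2 applied to the comment/movie form of Example 1, as an added Python example that is not the deck's PHP code: element content gets the five substitutions listed on the Rule #1 slide, attribute values get the OWASP Rule #2 treatment (every non-alphanumeric character as &#xHH;), and the rendered fragment shows the injected script arriving as inert text. The template, the helper names and the sample inputs are constructed here.

```python
import html

def escape_html_content(untrusted):
    # Rule #1: the five substitutions on the slide (& < > " ') before the data
    # lands in element content; html.escape(quote=True) applies exactly those.
    return html.escape(untrusted, quote=True)

def escape_html_attribute(untrusted):
    # Rule #2: inside an attribute, every character that is not ASCII
    # alphanumeric becomes &#xHH; so the value cannot close the attribute
    # (or start a new one), even where the template forgot the quotes.
    out = []
    for ch in untrusted:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("&#x{:02X};".format(ord(ch)))
    return "".join(out)

def render_comment(author, body):
    # Constructed template for the comment list of Example 1: the author goes
    # into an attribute, the body into element content, each with its own escaper.
    return ('<div class="comment" data-author="{a}"><p>{b}</p></div>'
            .format(a=escape_html_attribute(author), b=escape_html_content(body)))

# Constructed sample inputs standing in for what a user submits through the form.
SAMPLE_AUTHOR = 'bob" x=y'
SAMPLE_BODY = "<script>alert('xss')</script>"

if __name__ == "__main__":
    # <div class="comment" data-author="bob&#x22;&#x20;x&#x3D;y"><p>&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</p></div>
    print(render_comment(SAMPLE_AUTHOR, SAMPLE_BODY))
```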
OWASP Prevention Cheat Sheet, RULE #6 - Sanitize HTML Markup with a Library Designed for the Job:
● HtmlSanitizer - https://github.com/mganss/HtmlSanitizer
● OWASP AntiSamy - https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
● PHP Html Purifier - http://htmlpurifier.org/
● JavaScript/Node.JS Bleach - https://github.com/ecto/bleach
● Python Bleach - https://pypi.python.org/pypi/bleach
OWASP Prevention Cheat Sheet, RULE #6 - Sanitize HTML Markup with a Library Designed for the Job. HtmlSanitizer - https://github.com/mganss/HtmlSanitizer : an open-source .NET library. The HTML is cleaned with a whitelist approach.
OWASP Prevention Cheat Sheet, RULE #7 - Prevent DOM-based XSS. Testing Tools and Techniques:
● The DOMinator Tool - A commercial tool based on the Firefox browser with a modified SpiderMonkey JavaScript engine that helps testers identify and verify DOM based XSS flaws. https://dominator.mindedsecurity.com/
● The DOM XSS Wiki - The start of a knowledge base for defining sources of attacker-controlled inputs and sinks which could potentially introduce DOM Based XSS issues. http://code.google.com/p/domxsswiki/
● DOM Snitch - An experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. From Google. http://code.google.com/p/domsnitch/
Defense Techniques: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
OWASP Prevention Cheat Sheet: SUMMARY. RULE #0 - Never Insert Untrusted Data Except in Allowed Locations; RULES #1-#5: ESCAPE UNTRUSTED DATA; RULE #6 - Sanitize HTML Markup with a Library Designed for the Job; RULE #7 - Prevent DOM-based XSS
OWASP Prevention Cheat Sheet: BONUS RULES. 4 BONUS RULES: Bonus Rule #1: Use HTTPOnly cookie flag; Bonus Rule #2: Implement Content Security Policy; Bonus Rule #3: Use an Auto-Escaping Template System; Bonus Rule #4: Use the X-XSS-Protection Response Header
OWASP Prevention Cheat Sheet: BONUS RULES. Bonus Rule #1: Use HTTPOnly cookie flag. To help mitigate the impact of an XSS flaw on your site, OWASP also recommends that you set the HTTPOnly flag on your session cookie and on any custom cookies you have that are not accessed by any JavaScript you wrote. (Examples: PHP, JAVA, PYTHON)
OWASP Prevention Cheat Sheet: BONUS RULES. Bonus Rule #2: Implement Content Security Policy. No inline script is executed unless it is declared in the CSP whitelist. The policy whitelists "safe" script hosts: default-src, script-src, style-src, img-src, frame-src. OWASP PAGE: https://www.owasp.org/index.php/Content_Security_Policy
OWASP Prevention Cheat Sheet: BONUS RULES. Bonus Rule #3: Use an Auto-Escaping Template System. Many web application frameworks provide automatic contextual escaping functionality, such as AngularJS strict contextual escaping.
OWASP Prevention Cheat Sheet: BONUS RULES. Bonus Rule #4: Use the X-XSS-Protection Response Header. This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. It re-enables the filter if the user has disabled the option for some sites.
I finished my web site. How can I test it?
Vulnerability test. OWASP testing guide: https://www.owasp.org/index.php/Testing_for_Cross_site_scripting . Tools:
● OWASP CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project . "CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more." It's hosted at: http://sec101.sourceforge.net/CAL9000/
● PHP Charset Encoder (PCE) - http://yehg.net/encoding
● Hackvertor (HVR) - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
Does this attack exist?
According to the Web Hacking Incident Database, 11.3% of web attacks utilize XSS. (2014)
I understand nothing. Questions?

Web Security - OWASP - SQL injection & Cross Site Scripting XSS