By Sean Rose and Erik Hazzard. SQL Injection is a technique that exploits security weaknesses of...

By Sean Rose and Erik Hazzard


Page 1: By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.



SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain unauthorized access to database information.


SQL is a programming language used for accessing and managing information that is stored in a database.

Web applications send SQL commands in the form of strings to the database.


When using SQL injection, a user attempts to manipulate the command string sent to the database by the web application to gain unauthorized access.

It has been used many times by malicious users to gain access to private information.


A website may have the following code:

◦ statement = "SELECT * FROM users WHERE name = '" + userName + "';"

A malicious user may enter the following string into the web form that assigns the variable userName:

◦ hax' or 'this'='this


This will result in the following code:

◦ SELECT * FROM users WHERE name = 'hax' OR 'this'='this';

Because 'this'='this' is always true, the command will force the selection of a valid user name when sent to the database.


First, allow only good input, such as letters, numbers, and –

Then, disallow all known bad input such as “--”, “select”, “insert”, “update”, and “drop” which have special meanings within SQL.

If a string input by the user does not meet the requirement, reject it. Do not attempt to create an acceptable input from bad input.


However, such preventions should be handled by the web server instead of locally by the user's system.

Failing to do so can result in the user simply removing the prevention code and then proceeding to input whatever they want into the form.
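The concatenated query and the prevention steps above, run side by side against an in-memory SQLite database. This is an added example, not code from the presentation: the sample rows, the function names and the 32-character cap are assumptions, and the bound-parameter query is an additional defence the slides do not mention.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows; table and column follow the slide's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_vulnerable(db, user_name):
    # Same concatenation as the slide: the input becomes part of the SQL text.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(statement).fetchall()

# Allowlist of letters and numbers; the 32-character cap is an assumption.
ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")

def accepts(user_name):
    # Reject anything off the allowlist; never repair bad input.
    return ALLOWED.fullmatch(user_name) is not None

def lookup_parameterized(db, user_name):
    # Bound parameter: the driver passes the value as data, never as SQL.
    return db.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()

def lookup_safe(db, user_name):
    # Server-side validation first, then the parameterized query.
    if not accepts(user_name):
        raise ValueError("rejected user name")
    return lookup_parameterized(db, user_name)

if __name__ == "__main__":
    db = make_db()
    payload = "hax' or 'this'='this"           # input string from the slide
    print(lookup_vulnerable(db, payload))       # both rows are returned
    print(lookup_parameterized(db, payload))    # no row matches the literal name
    print(accepts(payload), accepts("alice"))
    print(lookup_safe(db, "alice"))
```

The check runs in the server process, so removing client-side code does not bypass it.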


On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site for 'routine maintenance' after being informed that 10,597 social security numbers from sex offenders had been downloaded by SQL injection.


Cross Site Scripting (XSS)

What

◦ Attacks primarily in websites that compromise the 'same-origin' policy of client-side scripting languages

Why

◦ Why not?

3 Types of XSS attacks


Why is XSS an issue

Popular

◦ Even more popular than buffer overflow attacks

◦ Has affected Google, Facebook, and TJMaxx

Easy

◦ Many websites are unprotected and remain as such, developers tend to be lazy

◦ Only basic knowledge is required to perform attacks

Ramifications

◦ Identity theft


Types of XSS Attacks

Type 0 – DOM Based

◦ Local Attacks

Type 1 – Non-Persistent

◦ Occur when server side pages are generated from client side input

◦ Most popular attacks

Type 2 – Persistent

◦ Malicious data (e.g. JavaScript) stored on web server

◦ Most potentially harmful attacks

◦ Focus of this presentation


Persistent (Type 2) Attacks

Server stores client input

◦ Server trusting client input (BAD)

Occurs when

◦ 1. User enters data to a web application

◦ 2. Data is stored persistently on the web server

◦ 3. The data is displayed to a user

Example

◦ Forums

◦ Craig's list


Persistent (Type 2) Attacks

Step 1. Steal cookies

◦ Malicious JavaScript is stored on a server then executed when a client views a web page, stealing the client's cookie

Step 2. ...

◦ The bad guy finds out the user's session information from the cookie

Step 3. Profit

◦ Using the stolen session information, the hacker can masquerade as the user, accessing everything the user could – e.g. Stored Credit Card info


Protection

Avoiding XSS

◦ Protecting yourself is difficult. Disabling JavaScript is not always the best option

◦ Be paranoid

XSS is largely a server side problem

Responsibility Lies with Developer

◦ When developing an application

◦ 1. Don't trust user input

◦ 2. Filter user input

◦ 3. Don't trust the filtered input
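The store-then-display flow of a persistent attack, with the developer-side rule "don't trust the filtered input" applied as HTML encoding at output time. This is an added example, not code from the presentation: the forum table, function names and sample posts are assumptions, and the HttpOnly cookie flag is an additional mitigation against the cookie theft in Step 1 that the slides do not mention.

```python
import html
import sqlite3
from http.cookies import SimpleCookie

def make_forum():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (author TEXT, body TEXT)")
    return db

def store_post(db, author, body):
    # Steps 1 and 2: user-entered data is stored persistently on the server.
    db.execute("INSERT INTO posts VALUES (?, ?)", (author, body))

def render_unsafe(db):
    # Step 3 done wrong: stored input is trusted and written out as markup.
    rows = db.execute("SELECT author, body FROM posts").fetchall()
    return "".join(f"<li><b>{a}</b>: {b}</li>" for a, b in rows)

def render_safe(db):
    # Stored data is still untrusted: encode every field when it is displayed.
    rows = db.execute("SELECT author, body FROM posts").fetchall()
    return "".join(f"<li><b>{html.escape(a)}</b>: {html.escape(b)}</li>"
                   for a, b in rows)

def session_cookie(session_id):
    # HttpOnly keeps page scripts from reading the session cookie.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()

def demo():
    db = make_forum()
    # Constructed posts: one carries markup, one carries ordinary symbols.
    store_post(db, "mallory", "<script>alert('xss')</script>")
    store_post(db, "alice", "1 < 2 & 3 > 2")
    return render_unsafe(db), render_safe(db)

if __name__ == "__main__":
    unsafe, safe = demo()
    print(unsafe)
    print(safe)
    print(session_cookie("abc123"))
```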


Questions