What is SQL Injection?

Injection Attacks by Example
SQL Injection and XSS
Adam Forsythe
Thomas Hollingsworth
Outline
• OWASP
• Injection:
▫ Define
▫ Attacks
▫ Preventions
• Cross-Site Scripting:
▫ Define
▫ Attacks
▫ Preventions
Open Web Application Security Project (OWASP)
• The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
• OWASP Top 10 Application Security Risks – 2013:
▫ #1 Injection
▫ #3 Cross-Site Scripting (XSS)
SQL Injection
• SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
• Consists of insertion or "injection" of a SQL query via the input data from the client to the application.
• A successful SQL injection exploit can:
▫ Read sensitive data from the database
▫ Modify database data (Insert/Update/Delete)
▫ Execute administration operations on the database (such as shutting down the DBMS)
▫ Recover the content of a given file present on the DBMS file system
▫ In some cases, issue commands to the operating system
Attacks
• Injection can result in:
▫ Data loss or corruption
▫ Lack of accountability or denial of access
▫ Complete host takeover
▫ All data being stolen, modified, or deleted
Preventions
• Preventing injection requires keeping untrusted data separate from commands and queries.
• Types of Preventions:
1. Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
2. Carefully escape special characters using the specific escape syntax for that interpreter.
3. Positive or “white list” input validation, but this is not a complete defense as many applications require special characters in their input.
Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
• XSS allows attackers to:
▫ Execute scripts in the victim’s browser which can hijack user sessions
▫ Deface web sites
▫ Redirect the user to malicious sites
Attacks
• Attackers can execute scripts in a victim’s browser:
▫ To hijack user sessions
▫ Deface web sites
▫ Insert hostile content
▫ Redirect users
▫ Hijack the user’s browser using malware
Preventions
• Preventing XSS requires keeping untrusted data separate from active browser content.
• Types of Preventions:
1. Encoding – Escaping any character a user enters before displaying it
2. Whitelisting – Only allow certain characters (e.g. A-Z and 0-9) to be entered
3. Blacklisting – Not allowing a user to enter sequences such as <script> or <and>
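The two "Preventions" slides above (parameterized queries and white-list validation for SQL injection, output encoding for XSS) side by side in working code. This is an added example, not part of the original slides; the in-memory `users` table, the `lookup_*` functions and the username pattern are constructed for illustration.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # No prevention applied: untrusted data is spliced into the command text,
    # so a quote in the input changes the meaning of the query.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Prevention 1 (safe API): the value travels separately from the SQL text
    # and is only ever compared as data, never parsed as a command.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed username policy


def is_valid_username(name):
    # Prevention 3 (positive/"white list" validation): defense in depth only;
    # the parameterized query above is what actually stops injection.
    return bool(USERNAME_RE.match(name))


def render_greeting(name):
    # XSS prevention 1 (encoding): escape for the HTML element context before
    # the untrusted value reaches the browser.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input that breaks out of the quotes
    print(lookup_vulnerable(conn, probe))       # every row: the WHERE clause became a tautology
    print(lookup_parameterized(conn, probe))    # []: compared literally, matches nothing
    print(is_valid_username(probe))             # False
    print(render_greeting("<script>alert(1)</script>"))  # tags rendered as text
```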
References
• https://www.owasp.org/index.php/Top_10
• https://www.owasp.org/index.php/SQL_Injection
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• http://www.unixwiz.net/techtips/sql-injection.html
• https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• http://msdn.microsoft.com/en-us/library/a2a4yykt(v=vs.85).aspx