Slide 1
Injection Attacks by Example
SQL Injection and XSS
Adam Forsythe
Thomas Hollingsworth

Slide 2
Outline
OWASP
Injection:
  Define
  Attacks
  Preventions
Cross-Site Scripting:
  Define
  Attacks
  Preventions

Slide 3
Open Web Application Security Project
(OWASP)
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
OWASP Top 10 Application Security Risks – 2013
#1 Injection
#3 Cross-Site Scripting (XSS)

Slide 4
SQL Injection
SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Consists of insertion or "injection" of a SQL query via the input data from the client to the application
A successful SQL injection exploit can:
Read sensitive data from the database
Modify database data (Insert/Update/Delete)
Execute administration operations on the database (such as shutdown the DBMS)
Recover the content of a given file present on the DBMS file system
In some cases issue commands to the operating system.

Slide 5
Attacks
Injection can result in:
Data loss or corruption
Lack of accountability or denial of access
Can lead to complete host takeover
All data can be stolen, modified, or deleted

Slide 6
Preventions
Preventing injection requires keeping untrusted data separate from commands and queries.
Types of Preventions:
Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
Carefully escape special characters using the specific escape syntax for that interpreter.
Positive or "white list" input validation, but this is not a complete defense as many applications require special characters in their input.

Slide 7
Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
XSS allows attackers to:
Execute scripts in the victim's browser which can hijack user sessions
Deface web sites
Redirect the user to malicious sites

Slide 8
Attacks
Attackers can execute scripts in a victim's browser:
To hijack user sessions
Deface web sites
Insert hostile content
Redirect users
Hijack the user's browser using malware

Slide 9
Preventions
Preventing XSS requires keeping untrusted data separate from active browser content.
Types of Preventions:
Encoding – Escaping any character a user enters before displaying it
Whitelisting – Only allow certain characters (e.g. A-Z and 0-9) to be entered
Blacklisting – Not allowing a user to enter sequences such as <script> or <and>
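Added example (not from the slides), in Python with the standard library's sqlite3, html and re modules, showing the injection preventions from Slide 6 and the encoding prevention from Slide 9 side by side: a concatenated query next to its parameterized form, a white-list validator, and output encoding for HTML. The users table, the names in it and the hostile inputs are constructed for the demonstration.

```python
import html
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for an application's
    user store (an assumption for this example, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: untrusted data is pasted into the query text, so the
    database parses it as SQL rather than as a name to compare against."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Prevention: safe, parameterized API. The value travels separately
    from the statement, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_username(name):
    """Prevention: positive (white-list) validation. Accept only the
    characters the field needs. Not a complete defense on its own, which
    is why lookup_param is still used for the actual query."""
    return re.fullmatch(r"[A-Za-z0-9]{1,32}", name) is not None


def render_greeting(name):
    """XSS prevention (encoding): escape the untrusted value before it is
    placed in HTML so the browser shows it as text, never as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_demo_db()
    hostile = "' OR '1'='1"            # a SQL tautology instead of a name
    print(lookup_concat(db, hostile))  # every row: the input became SQL
    print(lookup_param(db, hostile))   # []: no user has that literal name
    print(is_valid_username(hostile))  # False: rejected by the white list
    print(render_greeting("<script>alert(1)</script>"))
```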

Slide 10
References
https://www.owasp.org/index.php/Top_10
https://www.owasp.org/index.php/SQL_Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.unixwiz.net/techtips/sql-injection.html
https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
http://msdn.microsoft.com/en-us/library/a2a4yykt(v=vs.85).aspx