The UNM Information Architects and the UNM Arts LAB invite you to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday the 27th of August.
Chris will be discussing SQL Injection and Cross Site Scripting Vulnerabilities.
These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them.
Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.
1. Protecting Your Web Site
From SQL Injection & XSS
This year, over 500,000 web pages were
defaced by a malicious SQL Injection…
Chris Kenworthy
</dream.in.code>®
August 27, 2008
3. What is SQL?
Structured Query Language
Used to retrieve and manage data in
relational databases
Chances are your organization is using SQL
Example:
SELECT firstName, lastName
FROM users
WHERE userID = 'chris';
4. What is a SQL Injection?
A common security vulnerability
Occurs when unfiltered input is executed
Easily prevented
Example of Vulnerability:
http://www.example.com/login.php?UserID=chris
SELECT firstName, lastName
FROM users
WHERE userID = '" + $UserID + "'
5. Example of an Attack
Original Query:
SELECT firstName, lastName
FROM users
WHERE userID = '" + $UserID + "';
Set $UserID to: nobody' OR 'a' = 'a
Result:
SELECT firstName, lastName
FROM users
WHERE userID = 'nobody' OR 'a' = 'a';
6. The Impact
Query always returns true
Attacker authenticates as first user in
database
Possible Impacts:
False authentication
Permissions escalation
Information disclosure
Identity theft
More…
7. Example of an Attack
Original Query:
SELECT firstName, lastName
FROM users
WHERE userID='" + $UserID + "';
Set $UserID to: x'; DROP TABLE users; --
Result:
SELECT firstName, lastName
FROM users
WHERE userID='x'; DROP TABLE users;--';
8. The Impact
Attacker deletes entire users table!
Possible Impacts:
Loss of data
Data manipulation
Data insertion
Virus/Malware distribution
Total database destruction
More…
9. Preventing SQL Injection
Sanitize the input
Enforce data types (e.g. numeric, string)
Use parameterized statements
Use stored procedures
Limit permissions
Install an application firewall (my favorite)
Apache: mod_security (w/ Core Rules)
IIS: URLScan 3.0 (Beta)
11. What is XSS?
XSS (Cross Site Scripting)
Allows execution of arbitrary code
Often involves tricking the end user
Over 70% of web sites may be vulnerable
Example:
<<SCRIPT>alert("XSS");//<</SCRIPT>
12. How Does XSS Work?
Scenario 1:
You get an email with a URL that looks like
this:
http://www.domain.com/index.php?userid=%3C%3C%53%43%52%49%50%54%3E%61%6C%65%72%7
You click it and the web page outputs the
userid variable resulting in this:
13. How Does XSS Work?
Scenario 2:
There is a comment form on a web page. You
paste this string in to the form:
<<SCRIPT>alert("XSS");//<</SCRIPT>
Now every user that visits that page will see
this:
14. Why Does It Work?
Inputs are displayed as HTML instead of
character entities:
Cookies are not secured
Sessions can be hijacked
15. The Impact of XSS
Identity Theft
Malware
Session Hijacking
User impersonation
Redirection
Misinformation
16. Preventing XSS Attacks
Convert all inputs to HTML character
entities before outputting to the screen
Secure cookies using the httpOnly attribute
Associate sessions with IP addresses
Install an application firewall (again, my
favorite)
Educate users!
Don’t click links in emails you don’t recognize
Don’t fill out forms from links in emails
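The two fixes the talk recommends, parameterized statements (slide 9) and converting output to HTML character entities (slide 16), shown side by side with the vulnerable pattern in an added example that is not part of the talk; it uses Python's sqlite3 and html modules with a constructed in-memory users table, and the lookup function names are assumptions.

```python
import html
import sqlite3

# Constructed sample rows, not data from the talk.
USERS = [("chris", "Chris", "Kenworthy"), ("alice", "Alice", "Smith")]

# The exact payloads from the slides.
OR_PAYLOAD = "nobody' OR 'a' = 'a"
DROP_PAYLOAD = "x'; DROP TABLE users; --"
XSS_PAYLOAD = '<<SCRIPT>alert("XSS");//<</SCRIPT>'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, firstName TEXT, lastName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # String concatenation, the pattern from slide 4: the input is parsed
    # as part of the SQL text, so a quote in it changes the query's meaning.
    sql = "SELECT firstName, lastName FROM users WHERE userID = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # Placeholder binding: the value travels separately from the query text,
    # so quotes, OR and semicolons in it are never interpreted as SQL.
    sql = "SELECT firstName, lastName FROM users WHERE userID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def render_comment(text):
    # Slide 16: encode <, >, &, and quotes as character entities before
    # output, so a posted script tag is displayed as text, not executed.
    return html.escape(text)


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, OR_PAYLOAD))     # every user: the bypass from slide 5
    print(lookup_parameterized(conn, OR_PAYLOAD))  # [] : payload treated as a literal
    print(render_comment(XSS_PAYLOAD))
```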
17. Resources
Scrawlr – Find SQL injection vulnerabilities in your site
Mod_security – Web application firewall (Apache)
URLScan – Web application firewall (IIS)
XSS Examples
18. Closing Thoughts
If you have a web site, you will be
attacked
Don’t trust developers to secure their code
Use an application firewall if possible
Be proactive