SQL injections and more... - PowerPoint PPT Presentation

Title: Recommendation of a Strategy Author: Alfred Heitink Description: Introducing developments and alternatives, recommending one or more strategies – PowerPoint PPT presentation

Transcript and Presenter's Notes


1
SQL injections and more...
  • PERU

2
web application vulnerabilities
  • Cross Site Scripting (21.5)
  • SQL Injection (14)
  • PHP includes (9.5)
  • Buffer overflows (7.9)

3
SQL injections
  • No input validation
  • How does it work?
  • Example code

4
PHP example
  • $wachtwoord = $_POST['wachtwoord'];
  • // connect to the DB
  • $result = query("SELECT geheimeinfo FROM tabel
    WHERE wachtwoord='$wachtwoord'");  // query(): the slide's DB helper, not shown
  • What happens now when a' OR '1 is entered?

5
How to prevent it?
  • Escape the 'wachtwoord' variable with
    'addslashes', or better 'mysql_real_escape_string'.
  • $wachtwoord = $_POST['wachtwoord'];
  • // connect to the DB
  • $result = query("SELECT geheimeinfo FROM tabel
    WHERE wachtwoord='" . mysql_real_escape_string($wachtwoord) . "'");

6
How to prevent it? (II)
  • Use prepared statements with the mysqli or the
    PDO MySQL extensions. For example (with mysqli):
  • $wachtwoord = $_POST['wachtwoord'];
  • // connect to the DB
  • $stmt = $DB->prepare("SELECT geheimeinfo FROM
    tabel WHERE wachtwoord = ?");
  • $stmt->bind_param("s", $wachtwoord);
  • $stmt->bind_result($geheimeinfo);
  • if ($stmt->execute() && $stmt->fetch()) { /* OK */ }
    else { /* not OK */ }
  • $stmt->close();
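The three variants from slides 4 to 6 side by side, as an added example that is not part of the slides: a Python script against an in-memory SQLite table that reuses the slides' `tabel`, `wachtwoord` and `geheimeinfo` names. The secret row, the helper names and the quote-doubling in the "escaped" variant (SQLite's escaping rule, standing in for mysql_real_escape_string's backslash escaping) are assumptions made for this example.

```python
import sqlite3

# Constructed sample data (not from the slides): one row holding the secret.
SECRET = "geheime info"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabel (wachtwoord TEXT, geheimeinfo TEXT)")
    conn.execute("INSERT INTO tabel VALUES (?, ?)", ("correct horse", SECRET))
    return conn


def lookup_vulnerable(conn, wachtwoord):
    # Slide 4: the user-supplied value is pasted straight into the SQL text,
    # so quote characters in the input become SQL syntax.
    sql = "SELECT geheimeinfo FROM tabel WHERE wachtwoord='" + wachtwoord + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, wachtwoord):
    # Slide 5: quote characters are escaped before concatenation. SQLite
    # doubles single quotes; mysql_real_escape_string backslash-escapes them.
    # Same idea: the input can no longer close the string literal.
    escaped = wachtwoord.replace("'", "''")
    sql = "SELECT geheimeinfo FROM tabel WHERE wachtwoord='" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, wachtwoord):
    # Slide 6: placeholder plus bound parameter. The value is sent separately
    # from the statement text and is never parsed as SQL.
    sql = "SELECT geheimeinfo FROM tabel WHERE wachtwoord = ?"
    return [row[0] for row in conn.execute(sql, (wachtwoord,))]


def demo():
    """Run the slide-4 input against all three variants; returns what each leaks."""
    conn = make_db()
    payload = "a' OR '1"  # the input asked about on slide 4
    return {
        "vulnerable": lookup_vulnerable(conn, payload),  # secret returned: WHERE ... OR '1' is always true
        "escaped": lookup_escaped(conn, payload),        # nothing: compared as a literal string
        "prepared": lookup_prepared(conn, payload),      # nothing: bound value, not SQL
        "prepared_correct": lookup_prepared(conn, "correct horse"),  # the legitimate lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:17s} -> {rows}")
```

The vulnerable query becomes `... WHERE wachtwoord='a' OR '1'`, and the trailing `'1'` is a true condition for every row, which is why the secret comes back. The escaped and prepared variants compare the whole string `a' OR '1` against the stored password and match nothing, while the prepared variant still finds the row for the correct password.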

7
Validate input!
  • It seemed simple...
  • But we know..
  • Validate input!
  • Don't try to detect what is incorrect
  • Check whether it is correct.
  • IBM article

8
XSS
  • Cross Site Scripting (XSS)
  • 3 kinds of XSS attacks
  • DOM-based
  • Non-Persistent
  • Persistent

9
A video..
  • example

10
De plot.
  • Mallory posts a message to a social network.
  • When Bob reads the message, Mallory's XSS steals
    Bob's cookie.
  • Mallory can hijack Bob's session and impersonate
    Bob

11
DOM-based attack
  • Mallory sends the URL of a maliciously
    constructed web page to Alice, using email or
    another mechanism.
  • Alice clicks on the link.
  • The malicious web page's JavaScript opens a
    vulnerable HTML page installed locally on Alice's
    computer.
  • The vulnerable HTML page contains JavaScript
    which executes in Alice's computer's local zone.
  • Mallory's malicious script now may run commands
    with the privileges Alice holds on her own
    computer.

12
Non-Persistent
  • Alice often visits a particular website, which is
    hosted by Bob. Bob's website allows Alice to log
    in with a username/password pair and store
    sensitive information, such as billing
    information.
  • Mallory observes that Bob's website contains a
    reflected XSS vulnerability.
  • Mallory crafts a URL to exploit the
    vulnerability, and sends Alice an email, making
    it look as if it came from Bob (i.e., the email
    is spoofed).
  • Alice visits the URL provided by Mallory while
    logged into Bob's website.
  • The malicious script embedded in the URL executes
    in Alice's browser, as if it came directly from
    Bob's server. The script can be used to email
    Alice's session cookie to Mallory. Mallory can
    then use the session cookie to steal sensitive
    information available to Alice (authentication
    credentials, billing info, etc) without Alice's
    knowledge.

13
Persistent
  • Bob hosts a web site which allows users to post
    messages and other content to the site for later
    viewing by other members.
  • Mallory notices that Bob's website is vulnerable
    to a type 2 XSS attack.
  • Mallory posts a message, controversial in nature,
    which may encourage many other users of the site
    to view it.
  • Upon merely viewing the posted message, site
    users' session cookies or other credentials could
    be taken and sent to Mallory's webserver without
    their knowledge.
  • Later, Mallory logs in as other site users and
    posts messages on their behalf....

14
How to prevent it?
  • Escaping and filtering
  • Input validation
  • Cookie security
  • Eliminating scripts
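The first three points on this slide, together with slide 7's rule of checking what is correct rather than detecting what is wrong, as an added example that is not part of the slides: a small Python module with an allowlist validator for a username, an output-escaping renderer for posted messages (the persistent XSS case from slide 13), and a Set-Cookie header that keeps the session cookie out of reach of page scripts. The username and session-id formats, the markup template and the sample post are assumptions made for this example.

```python
import html
import re

# Allowlist validation (slide 7): describe what a correct username looks like
# and reject everything else, instead of hunting for known-bad characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(value):
    return bool(USERNAME_RE.fullmatch(value))


def render_message(author, text):
    # Escaping on output: every user-controlled value is HTML-escaped before it
    # lands in markup, so a posted <script> tag is displayed as text, not run.
    # quote=True also escapes ' and ", which matters inside attribute values.
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(text, quote=True)
    )


def session_cookie_header(session_id):
    # Cookie security: HttpOnly keeps document.cookie from reading the session
    # id (so a script that does run cannot send it elsewhere), Secure limits it
    # to HTTPS, SameSite=Strict keeps it off cross-site requests. The id itself
    # is allowlist-checked so it cannot smuggle extra attributes into the header.
    if not re.fullmatch(r"[A-Za-z0-9]{32,}", session_id):
        raise ValueError("session id has unexpected characters")
    return "Set-Cookie: sid={}; Path=/; HttpOnly; Secure; SameSite=Strict".format(session_id)


# Constructed sample post (not from the slides) that a user might submit.
SAMPLE_AUTHOR = "Mallory"
SAMPLE_POST = "<script>alert('xss')</script>"


if __name__ == "__main__":
    print(is_valid_username("alice_01"), is_valid_username("a' OR '1"))
    print(render_message(SAMPLE_AUTHOR, SAMPLE_POST))
    print(session_cookie_header("a" * 32))
```

Escaping happens at the point of output, not on the way in: the same stored message can be rendered safely in HTML here and, if needed, escaped differently for a JavaScript or URL context elsewhere. The cookie flags do not stop an injected script from running, which is why they sit beside validation and escaping rather than replacing them.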