Presentation is loading. Please wait.

Presentation is loading. Please wait.

PREVENTING INJECTION ATTACKS.

Published byAldous Campbell Modified over 8 years ago

Similar presentations

Presentation on theme: "PREVENTING INJECTION ATTACKS."— Presentation transcript:

1 http://www.flickr.com/photos/torkildr/3462607995/ PREVENTING INJECTION ATTACKS

2 Some key web security concerns Logging of URLs Impersonation Autocomplete Man-in-the-middle Bots and denial-of-service Theft of data – Encrypting data yourself – Hashing passwords Injection attacks (this lecture) Cross-site forgery (next lecture) Covered in last lecture

3 Injection attacks Injection: Inserting something into your code that does not belong there Major threat to confidentiality, integrity, and availability Probably the most common mistake in web apps is leaving the door open to injection

4 Structure of an injection attack Receive data from outside your system – User, another server, … anything you don’t control Your system stores the data – Variable, session, database, file, … anywhere Your system uses the data – Print on web page, insert into SQL, … anything, without taking precautions against evil data Evil events transpire…

5 Example: SQL injection attack DO NOT COPY-PASTE THIS CODE mysql_query("update mytable set mycolumn = '". $_RESULT["param"]. "'") Evil user sends param = "x'; drop table mytable;" Your silly program executes… update mytable set mycolumn = 'x'; drop table mytable; Poof, no more table.

6 Preventing SQL injection attack Option #1: Validate all inputs, reject evil inputs – Regexps work pretty well on numbers Option #2: Use mysql_real_escape – Works pretty well for strings Option #3: Use prepared statements – No need to concatenate

7 Example: HTML/JS injection attack DO NOT COPY-PASTE THIS CODE // $sid is current user's confidential student id // let's make a system for sending tweets to students $rs = mysql_query("select msg from tweets where sid=".$sid); $nrows=mysql_numrows($rs); echo " Tweets for you, student ".$sid." "; for ($i = 0; $i < $nrows; $i++) { echo mysql_result($rs,$i,"msg"). " "; } But some evil person has sent this evil tweet: message equal to var sid = $("h1").text(); document.write(" "); What happens: This script gets written into the list of tweets. The current user's browser runs this nasty little script. The script generates an IMG tag, with src attribute including the student's confidential ID. The browser dutifully sends this confidential data to www.myevilserver.com

8 Example: HTML/JS injection attack DO NOT COPY-PASTE THIS CODE Or, suppose our evil person has sent this evil tweet: message equal to What happens: This script gets written into the list of tweets. The current user's browser runs this nasty little script DIRECTLY off of the other server – Also known as "cross-site scripting attack" (XSS) – Can also be accomplished with an – Continue attack in same manner as before…

9 But oh, the evils of "cross-site scripting" can be bad in so many ways Potential consequences of cross-site scripting – Stealing data from the page Confidentiality fail – Submitting forms on the user's behalf E.g., by clicking buttons on the page: integrity fail – Downloading code to the user's computer E.g., by taking advantage of unpatched security holes in the user's browser

10 You don't believe that browsers are vulnerable? The flaws are legion – http://tinyurl.com/ie-cve-flaws – http://tinyurl.com/chrome-cve-flaws – http://tinyurl.com/firefox-cve-flaws There are plenty of sites ready and waiting to download nasty code to your laptop – Be very careful where you surf on the web

11 And once Dr. Evil has taken over the user's computer… Install a virus that reads everything on the user's computer – Including credit card numbers and passwords Then tells your user's computer to attack other computers – Making your user's computer into a bot And encrypts your data – Requiring you to pay a ransom And finally deletes everything on the machine – Leaving a smoldering ruin

12 Example from real life http://www.securityweek.com/nbc-cleans- site-after-citadel-compromise

13 Even the FBI is getting into the act http://www.infosecurity- magazine.com/news/fbi-used- drivebydownloads-tor/

14 And how about the server? http://www.theregister.co.uk/ 2016/02/24/line_break_ep_4/

15 "The History of SQL Injection, the Hack That Will Never Go Away" http://motherboard.vice.com/read/the-history-of-sql- injection-the-hack-that-will-never-go-away

16 And be careful whose code you copy- paste, or libraries you use http://www.tomsguide.com/us/driveby- download,news-18329.html

17 Summary of what happens when you don't protect your users 1.Evil person puts SCRIPT or IFRAME tags into data used by your site (e.g., tweet database) 2.Your site sends the data in HTML/JS to some other unsuspecting user 3.The user's browser executes the SCRIPT or IFRAME tags 4.The SCRIPT or IFRAME tags make the browser execute JS from some evil site 5.The evil site's JS hacks the user's computer 6.The user's computer is totally compromised

18 Preventing HTML/JS injection (including XSS attacks) The fix is very simple: Do not write any special html characters to the browser unless you know for absolutely certain that they are safe – Use htmlspecialchars() when you need to generate HTML (not JS) from questionable strings – htmlspecialchars($str) converts < to < (and has other effects on other characters)

19 Preventing SQL injection The fix is very simple: Do not use any data in your SQL without escaping and/or validating it first. – Use prepared statements whenever practical – Validate inputs that you feel the need to concatenate with your SQL statements

20 Strategy for fighting injection attacks This always works for all injection attacks of any sort whatsoever (e.g., SQL, HTML, JS): Clean all data before you use it Example: – Prepared statements escape values in SQL – Clean with htmlspecialchars before using in HTML

21 Alternate option for preventing injection In addition, you might want to Clean data just after arrival Example: – Clean all data after reading it from database, from another server, from users, from files, from anywhere

22 Clean data just after arrival… Not always easy When data arrives, you don't always know how it will eventually be used So you don't know exactly how it needs to be cleaned – Are you trying to remove apostrophes ' because it's going to be used in SQL? – Or are you trying to remove open brackets < because it's going to be used in HTML/JS?

23 Common scenario: Posting data from the client to the server (form submission) Validation on the client – Help the user to find and fix mistakes fast Validation on the server – Protect your database when you save the data

24 Ultra-simple client-side validation function isValid(frm) { var str = frm.myint.value; var rv = /^\-?[0-9]+$/.test(str); if (!rv) alert("myint should be an int."); return rv; } Enter an int:

25 Simple validation with jQuery function isValid(frm) { var str = frm.myint.value; var rv = /^\-?[0-9]+$/.test(str); $("#err").text(rv ? "" : "myint should be an int."); return rv; } Enter an int:

26 Declarative validation with jQuery $(document).ready(function() { $("#frm").validate(); }); Some text: Some email: Some int:

27 jquery.validate.js Currently available from – http://jqueryjs.googlecode.com/svn-history/r6243/trunk/plugins/validate/jquery.validate.js Supported validation classes – required: This field is required – remote: Please fix this field – email: Please enter a valid email address – url: Please enter a valid URL – date: Please enter a valid date – number: Please enter a valid number – digits: Please enter only digits, – creditcard: Please enter a valid credit card number – equalTo: Please enter the same value again – accept: Please enter a value with a valid extension – maxlength: Max # characters allowed – minlength: Min # characters allowed – max: Max number value allowed – min: Min number value allowed

28 Validation on the server $team = isset($_REQUEST["team"]) ? $_REQUEST["team"] : ""; if (!preg_match('/^[0-9]+$/', $team)) echo 'Invalid input.'; else { // assuming you have a phobia about prepared statements $sql = "select pname from player where tid = ". $team; $result = $mysqli->query($sql); … }

29 If you want to write your own jQuery validation plugin, you may need these APIs $("#elementid").val() – Retrieves the value of some HTML form element $(" ").insertAfter("#elementid") – Creates a span and inserts it after someNode $("#elementid").bind('change', jsFunction); – Registers jsFunction to be called on a change event, such as function jsFunction() {alert($(this).text());} $("#myspan").show() and.hide() – Makes an element visible or invisible $(".myclass").each(someFunction) – Runs someFunction on each item in wrapped set $("div.myclass").get(0) – Gets the first actual DOM node (unwrapped) in the wrapped set

30 Bottom line Always clean data before use – Don't assume data have ever been cleaned before Clean data – Before you use data for SQL statements – Before you use data to generate HTML/JS – Before you use data to call other servers – ETC

31 Final little puzzler DO NOT COPY-PASTE THIS CODE What is the problem & how would you fix it? $rs = mysql_query("select msg from tweets where sid=".$sid); $nrows=mysql_numrows($rs); if ($nrows > 0) { echo " alert('The last tweet to you was "; echo htmlspecialchars(mysql_result($rs,0,"msg")); echo "'); "; }

32 Final little puzzler Hint: Sometimes you need a little more than just the default htmlspecialchars() behavior. Check the htmlspecialchars() documentation to learn more about why. http://php.net/manual/en/function.htmlspecialchars.php

Download ppt "PREVENTING INJECTION ATTACKS."

Similar presentations

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.

Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Client-Side programming with JavaScript 3

Client-Side programming with JavaScript 3
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
PHP Security.

PHP Security.
JavaScript Form Validation

JavaScript Form Validation
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
INTERNET APPLICATION DEVELOPMENT For More visit:

INTERNET APPLICATION DEVELOPMENT For More visit:
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google