Presentation is loading. Please wait.

Presentation is loading. Please wait.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Published byPrimrose Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth."— Presentation transcript:

1 Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth

2 Outline OWASP Injection: ▫Define ▫Attacks ▫Preventions Cross-Site Scripting: ▫Define ▫Attacks ▫Preventions

3 Open Web Application Security Project (OWASP) The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP Top 10 Application Security Risk – 2013 #1 Injection #3 Cross-Site Scripting (XSS)

4 SQL Injection SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. Consists of insertion or "injection" of a SQL query via the input data from the client to the application A successful SQL injection exploit can: Read sensitive data from the database Modify database data (Insert/Update/Delete) Execute administration operations on the database (such as shutdown the DBMS) Recover the content of a given file present on the DBMS file system In some cases issue commands to the operating system.

5 Attacks Injection can result in: Data loss or corruption Lack of accountability or denial of access Can lead to complete host takeover All data can be stolen, modified, or deleted

6 Preventions Preventing injection requires keeping untrusted data separate from commands and queries. Types of Preventions: 1.Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. 2.Carefully escape special characters using the specific escape syntax for that interpreter. 3.Positive or “white list” input validation, but this is not a complete defense as many applications require special characters in their input.

7 Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to: Execute scripts in the victim’s browser which can hijack user sessions Deface web sites Redirect the user to malicious sites

8 Attacks Attackers can execute scripts in a victim’s browser: To hijack user sessions Deface web sites Insert hostile content Redirect users Hijack the user’s browser using malware

9 Preventions Preventing XSS requires keeping untrusted data separate from active browser content. Types of Preventions: 1.Encoding – Escaping any character a user enters before displaying it 2.Whitelisting – Only allow certain characters (e.g. A-Z and 0-9) to be entered 3.Blacklisting – Not allowing a user to enter sequences such as or

10 References https://www.owasp.org/index.php/Top_10 https://www.owasp.org/index.php/SQL_Injection https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet http://www.unixwiz.net/techtips/sql-injection.html https://www.owasp.org/index.php/Testing_for_Cross_site_scripting https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet http://msdn.microsoft.com/en-us/library/a2a4yykt(v=vs.85).aspx

Download ppt "Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth."

Similar presentations

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
Appeared in 30 th IEEE Symposium on Security and Privacy, May 2009. Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Expert System Approach on Web Vulnerability Analysis 20103272 / Jong Heon, PARK 20103616 / Hyun Woo, CHO CS548 Advanced Information Security Term Project.

Expert System Approach on Web Vulnerability Analysis / Jong Heon, PARK / Hyun Woo, CHO CS548 Advanced Information Security Term Project.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Similar presentations

Ads by Google