
Untrusted Data: SQL injection and XSS

Talk about untrusted input data with exercises for the audience

Paul McGrath

June 10, 2017
Transcript

  1. WHAT'S GOING ON TODAY?
     • About me
     • SQL injection
     • Cross site scripting attacks (XSS)
  2. WARM UP WITH CLIENT-SIDE HACKS
     • Create an account on ringzer0team.com
     • Try the 1st and 2nd JavaScript challenges
     • What did we learn:
       • Security through obscurity alone isn't any security at all
       • Security by design
       • Open security
  3. ABOUT ME
     • Paul McGrath, Head of comparethemarket.com Security Group
     • Raising security awareness
     • Promote best practice
     • Research
     • OWASP Top 10
     • Training:
       • Showcases
       • Hands-on sessions
       • Troy Hunt, 2nd – 3rd Feb
  4. WHAT IS UNTRUSTED DATA?
     • Attributes:
       • From outside the system (usually the user)
       • Integrity unknown
       • Intent may be malicious
     • Data may include attacks such as:
       • SQL injection
       • Cross site scripting (XSS)
  5. SQL INJECTION
     • Server code (deliberately vulnerable: the untrusted request values are concatenated straight into the query string):

         uName = getRequestString("UserName");
         uPass = getRequestString("UserPass");
         q = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'";

     • Go to ringzer0team.com/challenges and try out the 2nd SQL challenge
     • And the 3rd SQL challenge!
  6. SQL INJECTION - MITIGATION
     • Use parameterised SQL queries
     • With an ORM, check that it parameterises untrusted data rather than concatenating it into SQL
     • Use built-in framework methods and techniques; do not write your own sanitisation
     • Use a restricted-privilege database account
     • Avoid disclosing error information
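The following is an added, runnable illustration of slides 5 and 6; it is not code from the deck or from the ringzer0team challenges. It reproduces the slide's concatenated login query in Python against a constructed in-memory SQLite table (the user names and passwords are made up), places a parameterised version next to it, and wraps both in a login handler that swallows database errors so the caller only ever sees a generic failure message (the "avoid disclosing error information" point). The `' OR '1'='1` and `alice'--` inputs are the textbook injection strings, used here only to show the difference between the two query styles.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory Users table (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, uName, uPass):
    """Mirrors the slide's server code: request values concatenated into SQL.

    The quotes in the input become part of the SQL syntax, so an attacker
    can rewrite the WHERE clause.
    """
    q = ("SELECT * FROM Users WHERE Name ='" + uName +
         "' AND Pass ='" + uPass + "'")
    return conn.execute(q).fetchall()


def login_parameterised(conn, uName, uPass):
    """Slide 6 mitigation: placeholders keep data separate from SQL syntax.

    Whatever the input contains, it is only ever compared as a value and
    can never alter the structure of the query.
    """
    q = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(q, (uName, uPass)).fetchall()


def attempt(login, conn, uName, uPass):
    """Login handler: returns "ok" or a generic "login failed".

    A driver error (e.g. a syntax error caused by an unbalanced quote in the
    vulnerable query) is caught so the database's error text is never
    reflected back to the user (slide 6: avoid disclosing error information).
    """
    try:
        rows = login(conn, uName, uPass)
    except sqlite3.Error:
        return "login failed"
    return "ok" if rows else "login failed"


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("alice", "s3cret"), ("x", "' OR '1'='1"), ("alice'--", "wrong")]:
        print(repr(name), repr(pw),
              "vulnerable:", attempt(login_vulnerable, db, name, pw),
              "parameterised:", attempt(login_parameterised, db, name, pw))
```

With the concatenated query, `' OR '1'='1` in the password field turns the WHERE clause into `(Name='x' AND Pass='') OR '1'='1'`, which is true for every row, and `alice'--` in the user name comments out the password check entirely; the parameterised query treats both strings as literal values and matches nothing.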
  7. CROSS SITE SCRIPTING (XSS) - MITIGATION
     • Use output encoding!
     • Reflect to SCREEN the way it was entered, not the markup:
       • <script>alert('xss')</script>
       • HTML encode: &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;
       • JavaScript encode (hexadecimal): \x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29
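The following is an added example that is not part of the deck: two small output encoders that produce exactly the two encodings shown on slide 7 (HTML entity encoding, and the JavaScript `\xHH` form that encodes every character), plus two render functions showing each encoder used in the context it is meant for. The page templates and the variable name `name` are assumptions for illustration; the encoders are written by hand here to match the slide's output rather than taken from any library (Python's `html.escape`, for instance, emits `&#x27;` rather than `&#39;` for the apostrophe).

```python
# The slide's test string: rendered unencoded it executes; encoded it is displayed.
PAYLOAD = "<script>alert('xss')</script>"

# Characters with meaning in HTML text and attribute contexts.
_HTML_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def html_encode(s):
    """HTML-entity encode for an HTML body or quoted-attribute context.

    A single pass over the characters means '&' is encoded once and never
    re-encoded, so the output is stable if the function is applied again
    to already-plain text.
    """
    return "".join(_HTML_MAP.get(c, c) for c in s)


def js_hex_encode(s):
    """Hex-encode every character for use inside a JavaScript string literal.

    Matches the slide: each Latin-1 character becomes \\xHH (upper-case hex);
    anything outside that range becomes \\uHHHH. Because '<', '/', quotes and
    newlines are all encoded, the value can neither close the surrounding
    string literal nor terminate the enclosing <script> element early.
    """
    out = []
    for c in s:
        cp = ord(c)
        out.append("\\x%02X" % cp if cp < 256 else "\\u%04X" % cp)
    return "".join(out)


def render_comment_unsafe(untrusted):
    """The bug: untrusted text dropped straight into the markup (hypothetical template)."""
    return '<p class="comment">' + untrusted + "</p>"


def render_comment_html(untrusted):
    """Reflect to screen as entered: the browser shows the text, not markup."""
    return '<p class="comment">' + html_encode(untrusted) + "</p>"


def render_inline_script(untrusted):
    """Inline-script context: the value must be JavaScript-encoded, not HTML-encoded.

    HTML entities are not decoded inside <script>, so html_encode() would
    leave a literal '</script>' able to end the element; js_hex_encode()
    keeps it inside the string literal.
    """
    return "<script>var name = '" + js_hex_encode(untrusted) + "';</script>"


if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD))
    print(render_comment_html(PAYLOAD))
    print(render_inline_script(PAYLOAD))
```

The point the two render functions make is that the encoder must match the context the data lands in: entity encoding protects an HTML body, but inside a `<script>` block only the JavaScript encoding stops a `</script>` in the data from breaking out of the string literal.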