SQL Injection / XSS / CSRF Flashcards

1
Q

What is XSS?

A

XSS (cross-site scripting) is an attack in which script code is included in the HTML content of a webpage displayed by a user’s browser. The script code could be JavaScript, ActiveX, VBScript, Flash, or just about any client-side scripting language supported by a user’s browser. To support some categories of Web applications, script code may need to access data associated with other pages currently displayed by the user’s browser.

2
Q

What is CSRF?

A

Cross-site request forgery is an attack in which the attacker forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

3
Q

What is the XSS reflection vulnerability?

A

The attacker includes malicious script content in data supplied to a site. If this content is subsequently displayed to other users without sufficient checking, their browsers will execute the script, assuming it is trusted to access any data associated with that site.

4
Q

Give an example of an XSS attack:

A

A website with a commenting feature.

The comment post request doesn’t check the contents of the comment string, which contains malicious script code.

If this text is saved by a guestbook application, then when it is viewed it displays a little text and then executes the JavaScript code.

The malicious code is thus rendered on a trusted website and can fire on a certain event.

5
Q

How do you prevent XSS?

A

You must check program inputs and sanitize them.

XSS attacks illustrate a failure to correctly handle both program input and program output. The failure to check and validate the input results in potentially dangerous data values being saved by the program.

Take the following steps:

Validate input syntax
- check for only printable characters and nothing else
- use regular expressions to check for expected formats
- prevent all types of HTML and scripting
- use canonicalization (one standard input format)

Input fuzzing
- uses randomly generated data as inputs to a program. The range of inputs that may be explored is very large.

6
Q

What is SQL Injection?

A

SQLi is an attack that exploits a security vulnerability occurring in the database layer of an application (such as in its queries). Using SQL injection, the attacker can extract or manipulate the Web application’s data. The attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed.

7
Q

What are the steps in a typical SQL Injection attack?

A

1. The hacker finds a vulnerability in a custom Web application and injects an SQL command into the database by sending the command to the Web server. The command is injected into traffic that will be accepted by the firewall.
2. The Web server receives the malicious code and sends it to the Web application server.
3. The Web application server receives the malicious code from the Web server and sends it to the database server.
4. The database server executes the malicious code on the database. The database returns data from the credit cards table.
5. The Web application server dynamically generates a page with data including credit card details from the database.
6. The Web server sends the credit card details to the hacker.
8
Q

How does a SQL Injection attack typically work?

A

By prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with the comment mark “--”. Subsequent text is ignored at execution time.

9
Q

What are the avenues and types of SQL Injection attacks?

A

User input: In this case, attackers inject SQL commands by providing suitably crafted user input.

Server variables: Server variables are a collection of variables that contain HTTP headers, network protocol headers, and environmental variables. Web applications use these server variables in a variety of ways, such as logging usage statistics and identifying browsing trends. If these variables are logged to a database without sanitization, this could create an SQL injection vulnerability.

Second-order injection: Second-order injection occurs when incomplete prevention mechanisms against SQL injection attacks are in place. In second-order injection, a malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself.

Cookies: When a client returns to a Web application, cookies can be used to restore the client’s state information. Because the client has control over cookies, an attacker could alter cookies such that when the application server builds an SQL query based on the cookie’s content, the structure and function of the query is modified.

Physical user input: SQL injection is possible by supplying user input that constructs an attack outside the realm of Web requests. This user input could take the form of conventional barcodes, RFID tags, or even paper forms which are scanned using optical character recognition and passed to a database management system.

10
Q

What are the 3 categories of SQL Injection attacks?

A

A. In-band - uses the same communication channel for injecting SQL code and retrieving results.

B. Inferential - there is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the website/database server.

C. Out-of-band - data are retrieved using a different channel (e.g., an e-mail with the results of the query is generated and sent to the tester). This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax.

11
Q

Types of in-band attacks:

A

Tautology - This form of attack injects code into one or more conditional statements so they always evaluate to true.

End-of-line comment - The injected code effectively disables the password check (because of the comment indicator --) and turns the entire WHERE clause into a tautology.

Piggybacked queries - The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request.

12
Q

Types of inference attacks:

A

Illegal/logically incorrect queries: This attack lets an attacker gather important information about the type and structure of the backend database of a Web application.

Blind SQL injection: Blind SQL injection allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker. The attacker asks the server true/false questions.

13
Q

What are some countermeasures for SQL injections?

A

Manual defensive coding practices: A common vulnerability exploited by SQLi attacks is insufficient input validation. The straightforward solution for eliminating these vulnerabilities is to apply suitable defensive coding practices.

Parameterized query insertion: This approach attempts to prevent SQLi by allowing the application developer to more accurately specify the structure of an SQL query, and pass the value parameters to it separately, such that unsanitized user input is not allowed to modify the query structure.

SQL DOM: SQL DOM is a set of classes that enables automated data type validation and escaping [MCCL05]. This approach uses encapsulation of database queries to provide a safe and reliable way to access databases.

14
Q

What are some of the detection methods?

A

Signature-based: This technique attempts to match specific attack patterns. Such an approach must be constantly updated and may not work against self-modifying attacks.

Anomaly-based: This approach attempts to define normal behavior and then detect behavior patterns outside the normal range. A number of approaches have been used.

Code analysis: Code analysis techniques involve the use of a test suite to detect SQLi vulnerabilities.
