
Cross-Site Scripting (XSS)

 XSS is an attack in which an attacker injects data into a system or web application. It happens
when an untrusted source is allowed to inject its own code into the web application. XSS normally
allows the attacker to act as the victim user and carry out the same actions as that user, such as
accessing any of the user's data.

 There are three types of XSS:

o Stored XSS (Persistent XSS/Second-Order XSS)
 Happens when an application receives data from an untrusted source. The
attacker injects malicious content such as JavaScript code into the
application, and it is stored permanently in the target application, for
example in a database.
 The XSS payload becomes part of the webpage when a victim navigates to the
affected page in a browser. When the victim views the page, he/she ends up
inadvertently executing the malicious script.

o Reflected XSS (Non-Persistent XSS)
 Happens when an application receives data in an HTTP request and includes that
data within the immediate response in an unsafe way. If the user visits a URL
constructed by the attacker, the attacker's script executes within the
user's session. This script can retrieve any data to which the user has access.
 For example, the attacker uses phishing emails or social media to lure
victims into inadvertently making a request to the server that includes
the XSS payload.

o DOM-Based XSS (DOM XSS)
 DOM stands for Document Object Model.
 Happens when an application contains client-side JavaScript that
processes data from an untrusted source in an unsafe way (usually by writing the data
back to the DOM).
 For example, the web application reads data from the DOM and delivers it to the
browser. If the data is not handled correctly, the attacker can inject a payload
that is stored as part of the DOM. The payload is executed when the
data is read back from the DOM.
 DOM XSS is hard to detect on the server side because the malicious payload is never
uploaded to the server.
 Impact of XSS vulnerabilities
o Impersonate and masquerade as the victim user
o Carry out any action the user is able to perform
o Capture user login credentials
o Perform virtual defacement of the web site
o Inject trojan functionality into the website

 Cross-Site Scripting Prevention Methods

o Escaping user input – Ensuring the data is made safe before rendering it for the
user. Escaping user input prevents key characters in the received data from being
interpreted as executable code.

o Sanitizing user input – This method discards data that contains potentially executable
characters, changing the user input into an acceptable format and ensuring the received data
cannot be interpreted as executable code.

Figure 1. Sanitizing user input turning all script into string

o Input validation – Ensuring the input data follows the expected format, preventing
malicious data from harming the website, database and users. It also helps prevent
users from entering or adding unwanted characters in forms.

o CodeIgniter: set $config['global_xss_filtering'] = TRUE; in
application/config.php.

SQL Injection
 SQL injection refers to a class of code-injection attacks in which data provided by the
user is included in a SQL query, so that the attacker can inject SQL via the input
data sent from the client to the application. The attacker can submit SQL commands
directly to the database, and a successful SQL injection exploit can read sensitive data
from the database and modify it.
 This SQL injection vulnerability occurs when there is insufficient validation of user
input: the application does not properly escape special characters and then passes them
in a SQL statement to the server.

 There are 3 categories of SQL injection attack:

o In-Band – information is extracted over the same channel that was used
for the SQL attack.
o Out-of-Band – the extracted information is delivered back to the
attacker over a different channel, such as email.
o Inferential – also known as Blind Injection, where the attacker does not depend on
data returned from the server. Instead, the attacker's main goal is to
reconstruct the data stored in the database by attempting different attacks and
observing the possible behavior of the server and the web application.

 Injection mechanisms:
o Injection through user input
o Injection through cookies
o Injection through server variables
o Second-Order Injection

 8 practices to prevent SQL injection:

o Using Prepared Statement (with Parameterized Queries)
o Using Stored Procedures
o Validating user input
o Limiting privileges
o Hiding info from the error message
o Updating your system
o Keeping database credentials separate and encrypted
o Disabling shell and any other functionalities you don’t need

Figure 2. Using escaped queries to prevent SQL injection

o Escaping queries:
 $this->db->escape()
 $this->db->escape_str()
 $this->db->escape_like_str()

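Added example, not from the original notes and not CodeIgniter code: Python with an in-memory SQLite database showing a concatenated login query beside its prepared-statement form, plus the LIKE-wildcard escaping that escape_like_str() performs, since query parameters alone do not neutralise % and _ inside a LIKE pattern. The users table and its rows are constructed sample data.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Constructed sample database (not from the notes): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so a quote in the input
    changes the structure of the query (the notes' 'injection through user input')."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username: str, password: str) -> list:
    """Hardened: a prepared statement with parameterized values. The SQL text is
    fixed; the driver sends the values separately, so they are only ever compared
    as data and can never become part of the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def escape_like(pattern: str, esc: str = "\\") -> str:
    """LIKE patterns need a second step even with parameters: '%' and '_' are
    wildcards, so they are escaped the way CodeIgniter's escape_like_str() does."""
    return (pattern.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))


def search_users(conn, prefix: str) -> list:
    """Prefix search that is safe against both injection and wildcard abuse:
    the pattern is a bound parameter and the user's wildcards are escaped."""
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    rows = conn.execute(sql, (escape_like(prefix) + "%",)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = seed_db()
    print("concat  :", login_concat(db, "alice", "' OR '1'='1"))   # every row
    print("prepared:", login_prepared(db, "alice", "' OR '1'='1")) # no rows
    print("search  :", search_users(db, "%"))                      # no rows
```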
Cookies
 The main purpose of a cookie is to identify users and possibly prepare customized Web
pages or to save site login information.
 A cookie is a type of message that is given to a Web browser by a Web server.
 For example, when you enter a web site that uses cookies, you may be asked to fill out a form
providing personal information such as your name, email address and interests. This
information is packaged into a cookie and sent to your web browser, which then stores the
information for later use. The next time you go to the same web site, your browser
sends the cookie back to the web server. The message is sent back to the server each time
the browser requests a page from that server.
 A web server has no memory of previous visits, so the hosted web site you are visiting transfers a cookie
file to the browser on your computer's hard disk so that the web site can remember
who you are and your preferences.
 This message exchange allows the Web server to use this information to present you
with customized web pages. So, instead of seeing just a welcome page, the site could also
show your name on the page.

 Types of Cookies:
o Session cookie (Transient cookie)
 A cookie that is erased when you close the Web browser.
 Stored in temporary memory and not retained after the browser is
closed.
 Session cookies do not collect information from the computer.
 Typically store information in the form of a session identifier that does
not personally identify the user.
o Persistent cookie (Permanent cookie/Stored cookie)
 Stored on the hard drive until it expires (persistent cookies are set with
expiration dates) or until deleted by the user.
 Used to collect identifying information about the user.
 For example, collecting web surfing behavior or user preferences for a
specific web site.

 6 pieces of information that cookies store

o Name of cookie
o Value of cookie
o Expiration date of cookie
o Valid path of the cookie
o Valid domain of the cookie
o The need for secure connection
 MALICIOUS COOKIES
o Cookies can store and track your data
o They can track your online behavior to build an activity profile and, once it is complete,
your data may be sold
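
Added example (not from the original notes): Python's standard http.cookies module building a Set-Cookie header from the six fields above, once as a session cookie and once as a persistent cookie, and an audit function that parses a captured header and reports the cookie type and whether the Secure and HttpOnly flags are present. The domain example.com and the sample headers are assumptions.

```python
from http.cookies import SimpleCookie
from typing import Optional


def build_set_cookie(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header carrying the six fields the notes list:
    name, value, expiry (Max-Age), Path, Domain and the Secure flag.
    With max_age=None the result is a session cookie (erased when the browser closes);
    with a Max-Age it becomes a persistent cookie stored on disk until it expires."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["domain"] = "example.com"   # assumption: an example domain, not from the notes
    morsel["secure"] = True            # only send the cookie over HTTPS
    morsel["httponly"] = True          # keep it out of reach of page scripts (DOM XSS)
    if max_age is not None:
        morsel["max-age"] = max_age    # seconds until expiry; makes it persistent
    return morsel.OutputString()


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header (e.g. copied from a captured response) and
    report how the browser would store it and which protective flags it lacks."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    persistent = bool(morsel["max-age"] or morsel["expires"])
    return {
        "name": name,
        "value": morsel.value,
        "type": "persistent" if persistent else "session",
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "path": morsel["path"] or "/",
        "domain": morsel["domain"] or None,
    }


if __name__ == "__main__":
    print(build_set_cookie("sid", "abc123"))                # session cookie
    print(build_set_cookie("sid", "abc123", max_age=3600))  # persistent cookie
    # Constructed weak header, as a vulnerability scanner would flag it.
    print(audit_set_cookie("PHPSESSID=xyz; Path=/"))
```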
