Securing Web Application
SQL CODE INJECTION
So far, most of the examples we used were hard-coded
examples.
Ex:
"insert into student values (45,'samer','IT',89)"
These examples were simple and straightforward, but at the
same time unrealistic.
Real-world examples are not hard-coded, i.e. users
specify the values for the SQL statements.
Ex:
"insert into student values ('" . $name . "', '" . $major . "', " . $average . ");";
This kind of coding opens the door to a very dangerous type of attack
called SQL Code Injection.
SQL CODE INJECTION (CONT..)
SQL injection is the process of passing SQL code into an
application, in a way that was not intended or anticipated
by the application developer.
This may be possible because of the poor design of the
application, and it affects only applications that use SQL
string building techniques to create a command with
user-supplied values.
Consider the following SQL statement:
"Delete from students where id=" . $id . ";";
SQL CODE INJECTION (CONT..)
Now, what happens if the user enters, instead of the id,
the following: 1 or 1 = 1
This makes the where condition of the SQL statement
true for all rows.
This way the application will delete all the records of the
table student.
CONSIDER ANOTHER EXAMPLE
<?php
$name = $_POST['username'];
$pwd = $_POST['password'];
HOW TO DEFEND AGAINST ATTACKS
Restrict the use of some special characters like ' and "
Restrict the level of detail in messages exposed to the user;
remember to handle exceptions, and always provide
customized and simple error messages to the users.
Still, the best solution to prevent SQL Code Injection
attacks is to validate the data entered by the user.
HOW TO DEFEND AGAINST ATTACKS
(CONT..)
If the user is to enter a numeric value, validate it using the
is_numeric($id); function
Also use the mysql function:
mysql_real_escape_string($data);
This function escapes the special characters used to build the
SQL statement.
For example: " ' \n \t \
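To show the two ingredients of the preceding slides together, here is an added example (not code from the lecture) that runs the DELETE statement from the earlier slide against an in-memory SQLite table through PDO, first with string building and then with is_numeric() validation and a bound parameter. It assumes the pdo_sqlite extension is installed, and it uses a prepared statement in place of mysql_real_escape_string(), which was removed from PHP 7 together with the rest of the mysql_ extension.

```php
<?php
// Added demonstration, not from the slides: the "1 or 1 = 1" DELETE from the
// earlier example run against an in-memory SQLite table through PDO, first with
// string building, then with is_numeric() validation and a prepared statement.
// Assumes the pdo_sqlite extension is installed.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE students (id INTEGER, name TEXT, major TEXT, average INTEGER)');
    // constructed sample rows
    $db->exec("INSERT INTO students VALUES (45,'samer','IT',89), (46,'lina','CS',92), (47,'omar','IT',75)");
    return $db;
}

// Vulnerable: the user's value is glued straight into the SQL text, exactly as
// on the slide, so "1 or 1 = 1" becomes part of the WHERE clause.
function deleteUnsafe(PDO $db, string $id): int
{
    $sql = "Delete from students where id=" . $id . ";";
    return $db->exec($sql); // number of rows removed
}

// Hardened: reject anything that is not numeric, then bind the value as a
// parameter so the database never parses it as SQL. Note that is_numeric()
// also accepts "4.5" and "1e3"; for an integer id, filter_var() with
// FILTER_VALIDATE_INT is stricter.
function deleteSafe(PDO $db, string $id): int
{
    if (!is_numeric($id)) {
        throw new InvalidArgumentException("id must be numeric, got '$id'");
    }
    $stmt = $db->prepare('DELETE FROM students WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();
}

$attack = '1 or 1 = 1'; // the input from the slide

$db = makeDb();
echo "unsafe: deleted " . deleteUnsafe($db, $attack) . " of 3 rows\n";

$db = makeDb();
try {
    deleteSafe($db, $attack);
} catch (InvalidArgumentException $e) {
    echo "safe: " . $e->getMessage() . "\n";
}
echo "safe: deleted " . deleteSafe($db, '45') . " of 3 rows\n";
```

Run it with `php example.php`: the string-built version empties the whole table, while the validated, parameterized version rejects the injected input and only ever removes the one matching row.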
XSS: CROSS SITE SCRIPTING
Most Web sites today add dynamic content to a Web
page making the experience for the user more enjoyable.
Dynamic content is content generated by some server
process, which when delivered can behave and display
differently to the user depending upon their settings and
needs.
Dynamic Web sites have a threat that static Web sites
don't, called "cross-site scripting," also known as "XSS."
Cross Site Scripting is the attacker passing code to the
client to be executed on the client's machine.
The attacker uses HTML forms in the web application to
pass code (HTML and JavaScript) to the server.
The server receives the sent data (code) and saves it.
XSS: TYPICAL EXAMPLE
Your website has a form to submit comments
The attacker takes advantage of the comment form and
writes in the comment box some JavaScript code to steal the
users' information.
The attacker submits the form; the data from the form is sent
back to the server and saved in the database.
Now, you and other users request the page which contains the
users' comments, including the attacker's malicious comment.
Your browser receives the data from the server and interprets the
code in the attacker's comment.
The result: your sensitive information, like session ID, cookie
and username/password, is stolen and sent back to the
attacker.
HOW TO DEFEND AGAINST XSS
ATTACKS?
Validate the user input.
Use the htmlspecialchars($string) function.
JUST REMEMBER
Basically, to be safe, at the least remember the following
rules: