9/14/2007

Web Security - XSS and SQL Injection

============================================================
XSS/CSS (Cross Site Scripting)

XSS exists because a web application receives user input data and sends it back to client browsers to render. Since browsers execute JavaScript, a user of the application can, in principle, write code that runs on other users' client machines; this is the root cause of every XSS attack.

How does user-supplied script code get run in other users' browsers?
1. javascript: URL scheme - use "javascript://your_script_code_here" as a link destination
2. script tag - embed a plain <script> block in the page
3. element event handler - use attributes like onload="your_script_here" on HTML elements

What are the potential harms of XSS?
1. Cookie theft: the injected code can read "document.cookie"
2. Session hijacking: the stolen cookie is used to access the original site's services as a legitimate, logged-in user
3. Phishing: the user's browser is led to unintended web URLs

How to prevent XSS attacks?
1. Restrict the format of user input values; check/validate on both the client and the server side
2. HTML-encode/escape/filter strings before writing them into the HTTP response as page content for the client browser
3. Bind the session to the user's IP address
4. Disable script execution; safe, but it limits the functionality of the web application

[Reference]
XSS FAQ (and a Simplified Chinese version)

XSS cheat sheet

Perl & XSS

XSS online tool

Case Studies (1, 2)

============================================================

SQL Injection

SQL injection is a web attack technique in which the attacker places SQL code in a user input value that the application logic (most likely web based) then uses to compose and execute a SQL statement against the database. The result is that the attacker's code is executed by your DBMS. This may change your application logic (bypass authentication), harm your data (drop tables) or expose critical information (dump server files to the client).

The basic practices for solving this problem are:
1. Check/validate user input data and trim dangerous content
2. Prefer SQL parameters and stored procedures to dynamically composing SQL statement text
3. Grant the web application's DBMS account only the minimal permissions it needs
4. Avoid disclosing database error information to the client
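An added example (not code from the original post) illustrating practice 2 above: the same login check written first by composing the SQL statement text from user input, then with bound parameters. The users table, the credentials and the test input are constructed here so the script runs offline against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with one account, so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Dynamically composed SQL: the user input becomes part of the statement
    # text, so quotes and operators inside it change the query's logic.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    # Parameterized SQL: the statement shape is fixed at '?' placeholders and
    # the inputs are bound as plain values, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def demo():
    # Constructed input: a quote plus an OR clause in the password field turns
    # the composed WHERE clause into "... AND password = '' OR '1'='1'".
    bad_password = "' OR '1'='1"
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "nobody", bad_password),
        "parameterized_same_input": login_parameterized(conn, "nobody", bad_password),
        "parameterized_real_login": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, "->", row)
```

Run as a script it shows the composed query returning a row for a user that does not exist, while the parameterized query returns None for the same input and still authenticates the real credentials.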

SQL Server Book Online - SQL Injection

ASP.Net Best Practices - Protect from SQL Injection

Practices to Avoid SQL Injection

Web App Security - best practices from Microsoft

Case Studies (1, 2, 3)

SQL Injection Cheat Sheet

============================================================

General Web Security Reference

http://www.webhackingexposed.com/tools.html

http://www.cgisecurity.com

SQL Security

============================================================
