Web Security Basic: XSS and SQL Injection

Friday, 20/12/2019

Tram Ho

As a web developer, surely we have heard and known of the two concepts XSS and SQL Injection, right? But most probably just stopped at listening and applied to the code to avoid these two problems in the project. Now I would like to film a detailed demo so everyone can have a clearer view of it. How to exploit it and what it can do if we are not careful. Let’s start reviewing the concept and demo video again.

Demo in this article is done in an ideal environment (made to be exploited). The actual environment may be different, harder and not as easy as what is in the video.

XSS

XSS ( Cross Site Scripting ) is a type of attack that allows a hacker to insert malicious scripts (usually Javascript or HTML) into the website and will be executed on the user’s side (in the user’s browser).

Regarding concepts and exploits, we can search online. There are many articles introducing it. So I just rewrote the basic concept of XSS. Now let’s get into the demo video:

The simplest way to prevent XSS is to always escape user-entered data before displaying it. Normally, we only need to care about basic characters such as: <code class="notranslate"><</code> , <code class="notranslate">></code> , <code class="notranslate">"</code> , <code class="notranslate">'</code> , <code class="notranslate">{</code> and <code class="notranslate">}</code> . I will introduce a simple code to escape:<div id="crayon-66293e6db55dc584819082" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"><div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div><div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div><div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> function escapeHTML ( string ) { return string . replace ( "&lt;" , "&amp;lt;" ) . replace ( "&gt;" , "&amp;gt;" ) . replace ( """ , "&amp;quot;" ) . replace ( "'" , "&amp;apos;" ) . replace ( "{" , "&amp;lcub" ) . replace ( "}" , "&amp;rcub" ) ; } </textarea></div><div class="crayon-main" style=""><table class="crayon-table"><tr class="crayon-row"><td class="crayon-nums " data-settings="show"><div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-66293e6db55dc584819082-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-66293e6db55dc584819082-2">2</div><div class="crayon-num" data-line="crayon-66293e6db55dc584819082-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-66293e6db55dc584819082-4">4</div><div class="crayon-num" data-line="crayon-66293e6db55dc584819082-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-66293e6db55dc584819082-6">6</div><div class="crayon-num" data-line="crayon-66293e6db55dc584819082-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-66293e6db55dc584819082-8">8</div><div class="crayon-num" data-line="crayon-66293e6db55dc584819082-9">9</div></div></td><td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-66293e6db55dc584819082-1"><span class="token keyword">function</span> <span class="token function">escapeHTML</span> <span class="token punctuation">(</span> string <span class="token punctuation">)</span> <span class="token punctuation">{</span></div><div class="crayon-line crayon-striped-line" id="crayon-66293e6db55dc584819082-2">    <span class="token keyword">return</span> string <span class="token punctuation">.</span> <span class="token function">replace</span> <span class="token punctuation">(</span> <span class="token string">"&lt;"</span> <span class="token punctuation">,</span> <span class="token string">"&amp;lt;"</span> <span class="token punctuation">)</span></div><div class="crayon-line" id="crayon-66293e6db55dc584819082-3">        <span class="token punctuation">.</span> <span class="token function">replace</span> <span class="token punctuation">(</span> <span class="token string">"&gt;"</span> <span class="token punctuation">,</span> <span class="token string">"&amp;gt;"</span> <span class="token punctuation">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-66293e6db55dc584819082-4">        <span class="token punctuation">.</span> <span class="token function">replace</span> <span class="token punctuation">(</span> <span class="token string">""" token punctuation">, token string">"&amp;quot;" token punctuation">)</div><div class="crayon-line" id="crayon-66293e6db55dc584819082-5">        token punctuation">. token function">replace token punctuation">( token string">"'" token punctuation">, token string">"&amp;apos;" token punctuation">)</div><div class="crayon-line crayon-striped-line" id="crayon-66293e6db55dc584819082-6">        token punctuation">. token function">replace token punctuation">( token string">"{" token punctuation">, token string">"&amp;lcub" token punctuation">)</div><div class="crayon-line" id="crayon-66293e6db55dc584819082-7">        token punctuation">. token function">replace token punctuation">( token string">"}" token punctuation">, token string">"&amp;rcub" token punctuation">) token punctuation">;</div><div class="crayon-line crayon-striped-line" id="crayon-66293e6db55dc584819082-8">token punctuation">}</span></div><div class="crayon-line" id="crayon-66293e6db55dc584819082-9"> </div></div></td></tr></table></div></div><h1> SQL Injection</h1><blockquote> SQL injection is a technique that allows attackers to take advantage of the vulnerability of checking input data in web applications and error messages returned by the database management system to inject. and executing illegal SQL statements. SQL injection can allow attackers to perform operations, delete, insert, update, etc. on the database of an application, even the server on which the application is running. SQL injection is commonly known as an attacker on web applications whose data is managed by database management systems such as SQL Server, MySQL, Oracle, DB2, Sysbase, etc.Source: Wiki</blockquote>In this demo I use SQLMap basic to exploit. In fact, if we want to exploit better, we have to use more advanced options (but I can only use basic only) <img class="lazy lazy-hidden emoji" draggable="false" alt="?" src="//itzone.com.vn/wp-content/plugins/a3-lazy-load/assets/images/lazy_placeholder.gif" data-lazy-type="image" data-src="https://twemoji.maxcdn.com/2/72x72/1f603.png" /><noscript><img class="emoji" draggable="false" alt="?" src="https://twemoji.maxcdn.com/2/72x72/1f603.png" /></noscript> ). To do this demo, I did not escape user input before making the query. Let’s wacth together:  <div class="embed-responsive embed-responsive-16by9"><iframe class="embed-responsive-item" type="text/html" src="https://viblo.asia/embed?url=https://www.youtube.com/watch?v=NSNgK_tbQWg&provider=null" frameborder="0" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" allowfullscreen="allowfullscreen">

The simplest SQL Injection precautions are always to escape user input before executing the query. Depending on the language and framework you use it, there will be different mechanisms.

Cookies and Session

This part is bonus, not related to the article

The concept of Cookies and Sessions you can search online. I will not introduce anymore. In this part, I will always show you a demo of what you can do when there is someone’s Session.

I have logged out the Github account so you don’t need to enter the user_session to try to log in to your account again.

Fortunately, these Cookies are difficult to read in JavaScript (in the case of XSS stealing) when they are marked as HttpOnly .

If one cookie is HttpOnly, it cannot be accessed by client JavaScript, which means hackers cannot read the cookie value and send it to his own server, not even know whether this cookie exist.

Epilogue

This is the end of my article. It may seem short, but I hope it is enough to give everyone a more detailed look at the concepts that are often mentioned. The writing is based on limited knowledge. There is nothing wrong with asking everyone to gently give me suggestions (because the boy is vulnerable to heavy words !

Cordially greet and to win !

Share the news now

Source : Viblo

Web Security Basic: XSS and SQL Injection

XSS

Cookies and Session

Epilogue

TikTok becomes the second largest social platform in South Africa

The fastest depreciating after 9 months of launch, iPhone 14 Pro Max continues to break the bottom in Vietnam

Beginner's guide to R: Introduction

10 essential SublimeText plugins for JavaScript developers