
Web Security Basic: XSS and SQL Injection

As web developers, we have surely all heard of the two concepts XSS and SQL Injection. But most of us probably stopped at hearing about them and applying the usual fixes in our project code. Here I would like to present a detailed demo so everyone can get a clearer picture: how they are exploited, and what they can do if we are not careful. Let's start by reviewing the concepts and then watch the demo video.

The demos in this article are done in an ideal environment (built to be exploitable). A real environment may be different, harder, and not as easy as what is shown in the video.

XSS

XSS (Cross-Site Scripting) is a type of attack that allows an attacker to insert malicious scripts (usually JavaScript or HTML) into a website, which are then executed on the user's side (in the user's browser).

For the concepts and exploitation details you can search online; there are many articles introducing them, so I have only restated the basic concept of XSS here. Now let's get into the demo video:
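The defence that the XSS demo relies on being absent is output encoding. The following example is added here and is not code from the original article: it shows a vulnerable rendering function next to its hardened form, using Python's standard `html.escape`, and adds one caveat the body text does not cover: encoding alone does not protect a URL attribute, so links need a scheme allowlist. The sample comment and the function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a comment a visitor submits to a page that echoes
# user content back to other visitors.
SAMPLE_COMMENT = "Nice post! <script>alert('xss')</script>"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user input is pasted straight into the HTML body, so any
    markup the user typed becomes part of the page (this is the XSS bug)."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the input for the body/attribute context.
    html.escape turns < > & " ' into entities, so the browser displays the
    text instead of interpreting it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Caveat: encoding is not enough for a URL attribute, because a
    javascript: URL contains no characters that need escaping. Allow only
    http(s) links and fall back to a harmless anchor for anything else."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(url, quote=True)
    return "#"


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENT))
    print("link:  ", safe_href("javascript:alert(1)"))
```

Most template engines (Jinja2, Django templates, React JSX) do the body-context encoding automatically; the usual way XSS still gets in is a "raw"/"safe" filter applied to user data, or user data placed in a context (URL, inline script, event handler) that body encoding does not cover.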


SQL Injection

SQL injection is a technique that allows attackers to take advantage of weak input validation in web applications and of the error messages returned by the database management system to inject and execute illegal SQL statements. SQL injection can allow attackers to perform operations such as delete, insert and update on the database of an application, and even on the server on which the application is running. SQL injection is commonly known as an attack on web applications whose data is managed by database management systems such as SQL Server, MySQL, Oracle, DB2, Sybase, etc.

Source: Wiki

In this demo I use SQLMap with its basic options to exploit it. In fact, to exploit it more effectively, more advanced options would be needed (but I can only use the basic ones). For this demo, I did not escape user input before building the query. Let's watch together:


The simplest SQL injection precaution is to always escape user input before executing the query. Depending on the language and framework you use, there will be different mechanisms for this.
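The mechanism most languages and frameworks provide for this is the parameterized (prepared) query, where the driver sends user values separately from the SQL text. The example below is added here and is not code from the original article or from the demo application: it uses Python's `sqlite3` with a constructed in-memory `users` table to show the unescaped, string-built query the demo left in place next to its parameterized form, and checks both with a tautology input and with an ordinary name containing an apostrophe.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the demo app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the query is built by string formatting, so quotes in the
    input become part of the SQL. This mirrors the demo app, where user input
    was not escaped before the query was made."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterized query. The value is bound by the driver and
    can never change the structure of the statement, whatever it contains."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_query_errors(conn: sqlite3.Connection, username: str) -> bool:
    """True if the string-built query fails to parse for this input. A name
    such as O'Brien breaks the vulnerable version; the DB error message is the
    kind of signal the Wikipedia definition above says attackers rely on."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("unsafe, tautology:", find_user_unsafe(db, "' OR '1'='1"))   # every user
    print("safe,   tautology:", find_user_safe(db, "' OR '1'='1"))     # no user
    print("unsafe, O'Brien breaks:", unsafe_query_errors(db, "O'Brien"))
```

Escaping functions (e.g. `mysqli_real_escape_string` in PHP) also exist, but they are easy to forget on one code path and do not help for numeric or identifier positions; binding parameters, or an ORM that does it for you, is the mechanism to reach for first.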

Cookies and Session

This part is a bonus and is not directly related to the rest of the article.

You can look up the concepts of cookies and sessions online; I will not introduce them again here. In this part I will show a demo of what you can do when you have someone's session.

I have logged out of the GitHub account, so you don't need to enter the user_session to try to log in to the account again.


Fortunately, cookies like these are protected from being read by JavaScript (in the case of XSS stealing them) when they are marked as HttpOnly.

If a cookie is HttpOnly, it cannot be accessed by client-side JavaScript, which means an attacker cannot read the cookie value and send it to their own server, and cannot even tell whether the cookie exists.
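The flag is set by the server in the `Set-Cookie` header. The example below is added here and is not code from the original article or from GitHub: it builds a session cookie with Python's standard `http.cookies`, audits a `Set-Cookie` value for the flags a session cookie should carry, and models what `document.cookie` would expose to a script (everything not marked HttpOnly). It goes slightly beyond the text by also setting `Secure` and `SameSite`, which are the two companion flags a session cookie normally carries; the cookie name `user_session` is taken from the article, the value is constructed.

```python
from http.cookies import SimpleCookie

# Flags a session cookie should carry; HttpOnly is the one the text discusses.
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def build_session_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Return the Set-Cookie header value for a session cookie with
    HttpOnly (not readable from JavaScript), Secure (HTTPS only) and
    SameSite (not sent on most cross-site requests)."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    morsel["samesite"] = samesite
    return morsel.OutputString()


def _attribute_names(set_cookie_value: str) -> set:
    """Lower-cased attribute names after the name=value pair."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def missing_flags(set_cookie_value: str) -> list:
    """Audit helper: which of REQUIRED_FLAGS a Set-Cookie value lacks.
    Useful when reviewing a response in a proxy or a test suite."""
    present = _attribute_names(set_cookie_value)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]


def script_visible_cookies(set_cookie_values: list) -> list:
    """Model of document.cookie: names of cookies a page script can see.
    HttpOnly cookies are omitted entirely, so a script cannot even tell
    that they exist."""
    visible = []
    for header in set_cookie_values:
        name = header.split("=", 1)[0].strip()
        if "httponly" not in _attribute_names(header):
            visible.append(name)
    return visible


if __name__ == "__main__":
    session = build_session_cookie("user_session", "constructed-session-value")
    print("Set-Cookie:", session)
    print("missing on a bare cookie:", missing_flags("user_session=abc; Path=/"))
    print("visible to document.cookie:", script_visible_cookies([session, "theme=dark; Path=/"]))
```

HttpOnly stops the cookie from being read by injected script, but a script running in the victim's page can still make requests that carry the cookie automatically, so it limits the damage of XSS rather than removing it; fixing the XSS itself remains necessary.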

Epilogue

This is the end of my article. It may seem short, but I hope it is enough to give everyone a more detailed look at concepts that are often mentioned. The writing is based on my limited knowledge, so please feel free to give me suggestions, gently (because this boy is sensitive to harsh words!).

Warm regards, and onward to victory!
