How to defend against attacks like SQL injection, XSS and CSRF:
There are many ways. One way is input validation.
In PHP, there are many functions that help protect against these attacks.
// retrieve form data, escaping it for HTML output and for the SQLite query
$username = sqlite_escape_string(htmlentities($_POST['username']));
$password = sqlite_escape_string(htmlentities($_POST['password']));
Tuesday, March 1, 2011
Web application security
PHP code
PHP code is executed on the server side: Apache understands the PHP code, runs it, and returns the result to the client. If you run wget login.php, login.php is executed on the server, which generates the result and passes it to the wget tool.
SQL injection
Example: bypassing the login authentication. This is the PHP code that checks whether the username and password are correct:
function checkuser($username, $password)
{
    // The original listing used $passwordhash without defining it; how the
    // hash is derived from $password is not shown on the page, so this line
    // is an assumed placeholder for that hashing step.
    $passwordhash = $password;
    $db = "/home/fz2135/sqlite/cs4180";
    $handle = sqlite_open($db) or die("cannot open db");
    // Both values are interpolated directly into the SQL string: this is the
    // injection point discussed below.
    $query = "select * from userinfo where userinfo.password = '$passwordhash' AND username ='$username';";
    $result = sqlite_query($handle, $query) or die("die in query");
    sqlite_close($handle);
    if (sqlite_num_rows($result) > 0)
        return true;
    else
        return false;
}
If I enter the username as: user1' or '1=1
and a random string as the password,
I can bypass the login authentication, but user1 needs to be a valid username.
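The input-validation advice at the top of the page and the vulnerable checkuser() above are both addressed by the same fix: never build the SQL string from user input. The following is an added example, not code from the original post, of the same login check written with PDO prepared statements (the sqlite_* functions used above were removed from PHP in 5.4). The table and column names and the in-memory test data are assumptions.

```php
<?php
// Added example (not from the original post): login check with a
// parameterised query so the submitted values can never be read as SQL.
// Table name, column names and sample rows are assumptions.
declare(strict_types=1);

function openDb(string $path): PDO
{
    $pdo = new PDO('sqlite:' . $path);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function checkuserSafe(PDO $pdo, string $username, string $password): bool
{
    // The username is bound as a parameter, not concatenated into the query,
    // so "user1' or '1=1" is looked up literally and matches no row.
    $stmt = $pdo->prepare('SELECT password_hash FROM userinfo WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Stored hashes come from password_hash(); password_verify() performs a
    // constant-time comparison against the submitted password.
    return password_verify($password, $row['password_hash']);
}

// Self-contained demonstration on an in-memory database (constructed data).
$pdo = openDb(':memory:');
$pdo->exec('CREATE TABLE userinfo (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO userinfo (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'user1', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(checkuserSafe($pdo, 'user1', 'correct horse'));
var_dump(checkuserSafe($pdo, 'user1', 'wrong password'));
var_dump(checkuserSafe($pdo, "user1' or '1=1", 'anything'));
```

Only the first call succeeds; the injected username is compared as an ordinary string and finds no row. Escaping helpers such as sqlite_escape_string() protect a single quoting context, whereas a bound parameter is never parsed as part of the statement at all, so this is the form to reach for in new code.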
Cross-site scripting (XSS)
For example, we could inject JavaScript into a posted message by posting the following message:
<script>alert("XSS")</script>
Arbitrary Code Execution
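The standard defence against the stored XSS above is to escape every user-supplied value at the point where it is written into the page. This is an added example, not code from the original post; the author/body field names are assumptions and the sample message is the payload shown above.

```php
<?php
// Added example (not from the original post): render a user-posted message
// so that any markup in it is displayed as text, not interpreted by the
// browser. Field names are assumptions.
declare(strict_types=1);

function escapeHtml(string $text): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside an
    // attribute; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8;
    // the charset must match the encoding the page declares.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderMessage(string $author, string $body): string
{
    // Escape once, at output time, for each place a value is inserted:
    // here an attribute value and an element body.
    return '<div class="post" data-author="' . escapeHtml($author) . '">'
         . '<p>' . escapeHtml($body) . '</p></div>';
}

// Constructed sample input: the payload from the post above.
$posted = '<script>alert("XSS")</script>';
echo renderMessage('mallory', $posted), "\n";
```

The rendered HTML contains &lt;script&gt; rather than a script element, so the browser shows the text of the message instead of running it. Escaping belongs on output rather than on input (as the htmlentities() call at the top of the page does) because the same stored value may later be placed in HTML, an attribute, or JSON, and each context needs its own encoding.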
For example, the vulnerable website allows you to add attachments, such as pictures. In that case you could upload a PHP file, which the Apache server will execute. In the PHP file, you could use the shell_exec() function:
$output= shell_exec('cp ../../login.php login.txt');
echo $output."<br>";
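The upload path above is dangerous because the server trusts the client's file name and then serves the stored file from a directory where PHP is executed. The following is an added example, not code from the original post, of an upload handler that decides the file type from its contents, discards the client-supplied name, and stores the file outside the document root. The directory path, size limit and form field name are assumptions.

```php
<?php
// Added example (not from the original post): accept an image upload without
// ever letting the uploaded bytes be served as executable code.
// UPLOAD_DIR, MAX_BYTES and the 'picture' field name are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumption: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Determine the type from the file contents, never from the client-supplied
    // name or Content-Type header: a PHP script renamed to .png has no image header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Server-chosen random name and extension: the original filename is
    // discarded, so names like shell.php or ../login.php cannot shape the path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses anything that was not actually uploaded
    // through this request.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Typical use from the form handler.
if (isset($_FILES['picture'])) {
    try {
        $stored = storeImageUpload($_FILES['picture']);
        echo 'stored as ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Stored files are then served by a separate script that reads from UPLOAD_DIR and sends a fixed image Content-Type, and the web server is configured not to execute scripts from that directory, so even a file that slipped past the content check is only ever returned as bytes.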
Cross-Site Request Forgery (CSRF)
Suppose you find that Alice transfers 100 dollars to Bob by using the URL
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
Then you could create an HTML link and get Alice to click on it:
<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
Then you would get 100000 dollars into your account.
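The forged link works because the bank accepts a state-changing request carrying nothing but Alice's session cookie, which the browser attaches automatically. The following is an added example, not code from the original post, of the synchronizer-token pattern: the transfer is accepted only over POST and only when it carries a token that the bank's own form put there. The endpoint, field names and session key are assumptions.

```php
<?php
// Added example (not from the original post): a per-session CSRF token that a
// cross-site link or form cannot know. Endpoint and field names are assumptions.
declare(strict_types=1);
session_start();

function csrfToken(): string
{
    // One random token per session, kept server-side and echoed into forms.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time so the token cannot be
    // recovered byte by byte through response timing.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function transferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer.do">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="acct"> <input name="amount">'
         . '<button>Transfer</button></form>';
}

// The transfer is a state-changing action, so it is accepted only via POST
// with a valid token. A link like the one above issues a GET with no token
// and is rejected before any money moves.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('request rejected: missing or invalid CSRF token');
    }
    // ... perform the transfer for the logged-in user here ...
    echo 'transfer accepted';
} else {
    echo transferForm();
}
```

Because the token lives in the session and is compared server-side, a page on another origin can neither read it nor guess it, and a plain <a href> cannot issue a POST at all. Marking the session cookie SameSite=Lax adds a second, browser-enforced layer that stops the cookie being sent on cross-site navigations.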
More info:
- OWASP, "Cross-Site Request Forgery (CSRF)". http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
- The Open Web Application Security Project (OWASP), "Top 10 web application vulnerabilities". http://www.owasp.org/index.php/Top_10_2007
- milw0rm, "Finding vulnerabilities in PHP scripts". http://www.milw0rm.com/papers/381