Injection and X-site Scripting Attacks

Geoffrey Dunn

Mister Pink

What is an Injection attack?

• Running SQL your script did not intend
• Running other commands you did not intent

We will get to how later. But basically the attacker is running commands on your webserver through security holes in your php script!

What is Cross Site Scripting?

• Running Javascript or similar code on a client's web browser that you and the client did not put there

This gives that 3rd party access to cookies or the ability to run website commands as if it was the victim user

The Injection Attack

<?php
$result = mysql_query("SELECT * FROM users WHERE name='$name' AND pass=MD5('$pass')");
?>

How would someone attack this?

Never trust data the client gives you

• pass=' OR 1=1; DROP TABLE users
• pass=' OR name='admin'
• pass=' OR 1=1; executeshell('rm -rf /')

How can we protect it?

• $pass = mysql_escape_string($pass);
• $pageNumber = intval($pageNumber);

Simple data checks can help greatly

Are injection attacks only SQL?

• No
• If you allow a user to enter header informaiton for an email
• eg:

  $subject="Hi\nBCC: hacked@example.com";

• Or system commands are at risk
• $result = system("finger $user");
• $user = "gdunn; rm -rf /";

The Cross Site Script

• Please enter your homepage:

How might someone attack this?

Never trust data the client gives you

• example.com" onmouseover="http://hacked.com/nasty.js
• javascript:http://hacked.com/nasty.js

How can we protect it?

• echo htmlspecialchars($url)
• if (!preg_match($email_pattern, $email)) die("Error!");
• Do not allow user uploaded flash

The basics

• use mysql_escape_string or addslashes
• use htmlspecialchars
• validate data as much as possible (learn regular expressions!)

Hopefully in the future this will all be easier with tools like Pear::Validate

Stay safe

Thank you