fixed minor spelling mistakes, unified wording
This commit is contained in:
parent
875f0487bd
commit
53c16c8b82
@ -1,8 +1,8 @@
|
||||
== Try It! Using the Console
|
||||
== Try It! Using the console
|
||||
|
||||
Let's try it. Use the console in the dev tools and call the javascript function *webgoat.customjs.phoneHome()*. +
|
||||
Let us try it. Use the console in the dev tools and call the javascript function *webgoat.customjs.phoneHome()*. +
|
||||
You should get a response in the console. Your result should look something like:
|
||||
`phone home said
|
||||
{"lessonCompleted:true, ... ,"output":"phone home response is..."`
|
||||
Paste the random number, after that, in the text field below.
|
||||
(Make sure you got the most recent number, since it's randomly generated each time you call the function)
|
||||
(Make sure you got the most recent number, since it is randomly generated each time you call the function)
|
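Review bot: the sample output `{"lessonCompleted:true, ... ,"output":"phone home response is..."` is missing the closing quote on the `lessonCompleted` key, so it is not valid JSON; since this hunk already touches the file, fix it to `{"lessonCompleted":true, ... ,"output":"phone home response is..."}`. Two smaller points in the same hunk: "Let us try it." reads stiffer than the original "Let's try it." (expanding a contraction in an informal tutorial is not a spelling fix), and `call the javascript function *webgoat.customjs.phoneHome()*` keeps lowercase "javascript" while the rest of this commit changes it to "JavaScript", so the unified wording the commit message promises is not applied here.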
@ -1,6 +1,6 @@
|
||||
== Try It! Working with the Network Tab
|
||||
== Try It! Working with the Network tab
|
||||
|
||||
In this Assignment you need to find a specific HTTP request and read a randomized number from it.
|
||||
To start click the first button, this wil generate an HTTP Request. Try to find the specific HTTP request.
|
||||
In this assignment you need to find a specific HTTP request and read a randomized number from it.
|
||||
To start click the first button, this wil generate an HTTP request. Try to find the specific HTTP request.
|
||||
The request should contain a field: `magic_num:`
|
||||
Copy the number which is displayed afterwards, into the input field below and click on the check button.
|
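Review bot: the typo "wil" in `To start click the first button, this wil generate an HTTP request.` survives the edit even though this commit is a spelling pass; it should be "will", and the comma splice reads better as two sentences: "To start, click the first button. This will generate an HTTP request."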
@ -1,8 +1,8 @@
|
||||
== The Console tab
|
||||
|
||||
In the console tab you can see anything, which a loaded JavaScript file may have printed out to it.
|
||||
Don't worry if you see something in red. While that is an error, it has probably resolved itself.
|
||||
Through the console tab, it is also possible for you to run your own line of javascript code.
|
||||
Do not worry if you see something in red. While that is an error, it has probably resolved itself.
|
||||
Through the console tab, it is also possible for you to run your own line of JavaScript code.
|
||||
|
||||
Start by clearing console using the shortcut `CTRL+L`.
|
||||
|
||||
@ -12,6 +12,6 @@ The console also allows you to do some basic arithmetic. If you type for example
|
||||
enter the console should display 4.
|
||||
|
||||
Note: You may see an `undefined` in the console. You can safely ignore this statement,
|
||||
it only means, that the JavaScript function you have called did not return anything, therefor `undefined`.
|
||||
it only means, that the JavaScript function you have called did not return anything, therefore `undefined`.
|
||||
|
||||
image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]
|
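Review bot: `Start by clearing console using the shortcut `CTRL+L`.` is missing the article ("clearing the console"), and in the edited line `it only means, that the JavaScript function you have called did not return anything, therefore `undefined`.` the comma after "means" is spurious; while fixing "therefor", drop it and split the sentence: "It only means that the JavaScript function you called did not return anything, hence `undefined`." The context line `In the console tab you can see anything, which a loaded JavaScript file may have printed out to it.` has the same stray comma before "which".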
@ -1,19 +1,19 @@
|
||||
== The Elements Tab
|
||||
|
||||
The elements tab allows you to look at the HTML and CSS code, that are used to define and style the Website.
|
||||
The elements tab allows you to look at the HTML and CSS code, that are used to define and style the website.
|
||||
|
||||
=== HTML Source
|
||||
=== HTML source
|
||||
|
||||
If you hover over one line you can see that a part of the website turns blue. That means that
|
||||
this particular HTML line defines this section of the Website.
|
||||
this particular HTML line defines this section of the website.
|
||||
The elements tab allows you to make changes to every single HTML element. For example if you click inside
|
||||
a Paragraph (<p>...</p>) Tag you can edit the content of the website. If you have made your changes and then click enter
|
||||
a paragraph (<p>...</p>) Tag you can edit the content of the website. If you have made your changes and then click enter
|
||||
Chrome will actually update the website to show your edits. You can also change the HTML Tag used,
|
||||
the classes and id's a tag has and much more.
|
||||
|
||||
image::images/ChromeDev_Elements.jpg[DeveloperToolsElements,500,350,style="lesson-image"]
|
||||
|
||||
=== CSS Source
|
||||
=== CSS source
|
||||
|
||||
Underneath the HTML source, you can find information about the CSS which is used to style the
|
||||
Website. Like the HTML, you can also edit the CSS and therefore adjust the styling of the website.
|
||||
|
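Review bot: the lowercasing is applied inconsistently in this hunk: `a paragraph (<p>...</p>) Tag you can edit the content of the website.` still capitalizes "Tag", and the unchanged `Chrome will actually update the website to show your edits. You can also change the HTML Tag used,` keeps "HTML Tag" as well. Also "click enter" should be "press Enter", and "id's" in `the classes and id's a tag has and much more.` should be "ids" (a plural, not a possessive).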
@ -1 +1 @@
|
||||
cia.title=CIA Triad
|
||||
cia.title=CIA triad
|
||||
|
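Review bot: `cia.title=CIA triad` is a lesson title shown in the menu, and the other lesson titles in this commit are left in title case (`xss.title=Cross Site Scripting`, `xss-stored.title=Cross Site Scripting (stored)`), so lowercasing only this one makes the menu inconsistent; either apply the same rule to the other titles or leave "CIA Triad".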
@ -10,7 +10,7 @@ ClientSideFilteringStage1Complete=Stage 1 completed.
|
||||
ClientSideFilteringStage1Question=What is Neville Bartholomew's salary?
|
||||
ClientSideFilteringStage1SubmitAnswer=Submit Answer
|
||||
ClientSideFilteringStage2Finish=Click here when you believe you have completed the lesson.
|
||||
ClientSideFilteringChoose=Choose Employee
|
||||
ClientSideFilteringChoose=Choose employee
|
||||
ClientSideFilteringHint1=The information displayed when an employee is chosen from the drop down menu is stored on the client side.
|
||||
ClientSideFilteringHint2=Use Firebug to find where the information is stored on the client side.
|
||||
ClientSideFilteringHint3=Examine the hidden table to see if there is anyone listed who is not in the drop down menu.
|
||||
@ -27,6 +27,6 @@ ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO o
|
||||
ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem. Modify the server to only return results that Moe Stooge is allowed to see.
|
||||
ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew...
|
||||
|
||||
client.side.filtering.free.hint1=Look through the webpage inspect the sources etc
|
||||
client.side.filtering.free.hint1=Look through the web page inspect the sources etc
|
||||
client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend
|
||||
client.side.fiterling.free.hint3=One of the responses contains the answer
|
||||
|
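Review bot: the property key `client.side.fiterling.free.hint3=One of the responses contains the answer` has a typo in the key ("fiterling") that this spelling pass leaves in place; renaming a key also requires updating the Java code that looks it up, so it should go in as a coordinated change rather than be left behind. Two content points in the same hunk: `ClientSideFilteringHint2=Use Firebug to find where the information is stored on the client side.` references Firebug, which has been discontinued; point the hint at the browser developer tools (this repository has a Developer Tools lesson for exactly that). And the edited `client.side.filtering.free.hint1=Look through the web page inspect the sources etc` still lacks punctuation: "Look through the web page, inspect the sources, etc."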
@ -1,5 +1,5 @@
|
||||
== Salary manager
|
||||
|
||||
You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information,
|
||||
except the CEO, Neville Bartholomew. Or at least you shouldn't have access to the CEO's information. For this assignment,
|
||||
except the CEO, Neville Bartholomew. Or at least you should not have access to the CEO's information. For this assignment,
|
||||
examine the contents of the page to see what extra information you can find.
|
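Review bot: `You have access to everyone in the company's information,` in the unchanged line is garbled; it should read "You have access to the information of everyone in the company, except the CEO, Neville Bartholomew." Expanding "shouldn't" in the next line is fine, but the readability problem is the sentence before it.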
@ -1,4 +1,4 @@
|
||||
== Client Side Filtering
|
||||
== Client side filtering
|
||||
|
||||
It is always a good practice to send to the client only information which they are supposed
|
||||
to have access to. In this lesson, too much information is being sent to the client, creating
|
||||
|
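Review bot: `== Client side filtering` drops the capitals but not the hyphen; as a compound modifier it should be "Client-side filtering", matching the hyphenated "Cross-Site Scripting" this same commit introduces in the XSS lesson and the "client-side code" wording used elsewhere in these lessons.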
@ -2,38 +2,38 @@
|
||||
xss.title=Cross Site Scripting
|
||||
xss-stored.title=Cross Site Scripting (stored)
|
||||
xss-mitigation.title=Cross Site Scripting (mitigation)
|
||||
xss-reflected-5a-success-alert=Well done, but alerts aren't very impressive are they? Please continue.
|
||||
xss-reflected-5a-success-console=Well done, but console logs aren't very impressive are they? Please continue.
|
||||
xss-reflected-5a-success-alert=Well done, but alerts are not very impressive are they? Please continue.
|
||||
xss-reflected-5a-success-console=Well done, but console logs are not very impressive are they? Please continue.
|
||||
xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
|
||||
xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
|
||||
xss-reflected-5a-failure=Try again. We do want to see this specific JavaScript (in case you are trying to do something more fancy).
|
||||
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
|
||||
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
|
||||
xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
|
||||
xss-reflected-5a-hint-4=Just try purchasing something. You want your script to be included in the purchase-confirmation.
|
||||
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
|
||||
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it will not execute (because of response type). Try it if you like.</li></ul>
|
||||
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
|
||||
xss-reflected-6a-failure=Sorry that's not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.
|
||||
xss-reflected-6a-failure=Sorry that is not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.
|
||||
xss-reflected-6a-hint-1=To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the <i>Developer Tools</i> Lesson in the general category.)
|
||||
xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
|
||||
xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
|
||||
xss-reflected-6a-hint-4=Still didn't find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
|
||||
xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
|
||||
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
|
||||
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
|
||||
xss-dom-message-success=Correct, I hope you did not cheat, using the console!
|
||||
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
|
||||
xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.
|
||||
xss-dom-message-hint-2=Your url should look something like that http://localhost:8080/WebGoat/start.mvc#REPLACE-WITH-THE-TEST-ROUTE/some_parameters
|
||||
xss-dom-message-hint-3=Note how the parameters you send to the test-route get reflected back to the page. Now add your javascript to it.
|
||||
xss-dom-message-hint-4=You have to use script tags, so your javascript code gets executed when being rendered into the DOM.
|
||||
xss-dom-message-hint-5=Since you're working with an URL, you might have to URL-encode your parameters.
|
||||
xss-dom-message-hint-3=Note how the parameters you send to the test-route get reflected back to the page. Now add your JavaScript to it.
|
||||
xss-dom-message-hint-4=You have to use script tags, so your JavaScript code gets executed when being rendered into the DOM.
|
||||
xss-dom-message-hint-5=Since you are working with an URL, you might have to URL-encode your parameters.
|
||||
xss-dom-message-hint-6=Replace '/' with '%2F' in your URL parameters.
|
||||
xss-stored-comment-success=It appears your payload should invoke the function. To tell for sure, you need to capture the value and put it in the form below. Then we will really know.
|
||||
xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
|
||||
xss-stored-comment-failure=We cannot see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
|
||||
xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
|
||||
xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).
|
||||
xss-mitigation-3-hint1=You don't store the user input in this example. Try to encode the user's input right before you place it into the HTML document.
|
||||
xss-mitigation-3-hint1=You do not store the user input in this example. Try to encode the user's input right before you place it into the HTML document.
|
||||
xss-mitigation-3-hint2=Make use of JavaServer Pages Standard Tag Library (JSTL) and JSP Expression Language.
|
||||
xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
|
||||
xss-mitigation-3-hint4=Don't forget to reference the taglibs and choose "e" as prefix.
|
||||
xss-mitigation-3-hint4=Do not forget to reference the tag libs and choose "e" as prefix.
|
||||
xss-mitigation-3-success=You have completed this lesson. Congratulations!
|
||||
xss-mitigation-3-failure=This in not the correct answer. Try again!
|
||||
xss-mitigation-3-no-code=You didn't change anything.
|
||||
xss-mitigation-3-no-code=You did not change anything.
|
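Review bot: `xss-mitigation-3-hint4=Do not forget to reference the tag libs and choose "e" as prefix.` introduces an error: "taglibs" is the JSP term (the `taglib` directive), so splitting it into two words should be reverted. Several typos in this hunk survive the spelling pass, notably `xss-mitigation-3-failure=This in not the correct answer. Try again!` ("is not"), "an reflected XSS attack" ("a reflected") in the 5a-failed-wrong-field message, "What information send to the application" ("sent") in 5a-hint-3, "Your url should look something like that http://..." ("Your URL should look something like this:") in dom-message-hint-2, and "an URL" ("a URL") in dom-message-hint-5. The edited `xss-reflected-6a-failure=Sorry that is not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.` expands one contraction but keeps another in the same string, and "call back" in the stored-comment-failure message should be "callback".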
@ -2,10 +2,10 @@
|
||||
"questions": [{
|
||||
"text": "Are trusted websites immune to XSS attacks?",
|
||||
"solutions": {
|
||||
"1": "Yes, they're safe because the browser checks the code before executing.",
|
||||
"2": "Yes, because Google has got an algorithm that blocks malicious code.",
|
||||
"3": "No, because the script that's executed will break through the browser's defense algorithm.",
|
||||
"4": "No, because the browser trusts the website if it's acknowledged trusted, then the browser doesn't know that the script is malicious."
|
||||
"1": "Yes they are safe because the browser checks the code before executing.",
|
||||
"2": "Yes because Google has got an algorithm that blocks malicious code.",
|
||||
"3": "No because the script that is executed will break through the defense algorithm of the browser.",
|
||||
"4": "No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
|
||||
}
|
||||
}, {
|
||||
"text": "When do XSS attacks occur?",
|
||||
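Review bot: dropping the comma after "Yes"/"No" makes these answers worse, not better: `"1": "Yes they are safe because the browser checks the code before executing.",` should keep the comma ("Yes, they are safe ..."), and likewise for options 2 to 4. Option 4 needs restructuring rather than just de-contracting: `"4": "No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."` is a run-on; something like "No, because the browser trusts a site it considers trusted, so it cannot tell that the script is malicious." Expanding contractions is not a spelling fix and the commit message does not mention it.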
@ -13,14 +13,14 @@
|
||||
"1": "Data enters a web application through a trusted source.",
|
||||
"2": "Data enters a browser application through the website.",
|
||||
"3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.",
|
||||
"4": "The data is excluded in static content, that way it is sent without being validated."
|
||||
"4": "The data is excluded in static content that way it is sent without being validated."
|
||||
}
|
||||
}, {
|
||||
"text": "What are Stored XSS attacks?",
|
||||
"solutions": {
|
||||
"1": "The script is permanently stored on the server and the victim gets the malicious script when requesting information from the server.",
|
||||
"2": "The script stores itself on the victim's computer and executes locally the malicious code.",
|
||||
"3": "The script stores a virus on the victim's computer. The attacker can perform various actions now.",
|
||||
"2": "The script stores itself on the computer of the victim and executes locally the malicious code.",
|
||||
"3": "The script stores a virus on the computer of the victim. The attacker can perform various actions now.",
|
||||
"4": "The script is stored in the browser and sends information to the attacker."
|
||||
}
|
||||
}, {
|
||||
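Review bot: removing the comma in `"4": "The data is excluded in static content that way it is sent without being validated."` turns it into a run-on; keep the comma or use a semicolon before "that way". In the Stored XSS question, `"2": "The script stores itself on the computer of the victim and executes locally the malicious code.",` and the matching option 3 replace a possessive with a clumsier construction; "victim's computer" is not a contraction and should stay.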
@ -28,16 +28,16 @@
|
||||
"solutions": {
|
||||
"1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.",
|
||||
"2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.",
|
||||
"3": "Reflected attacks reflect from the server's firewall off to the database where the user requests information from.",
|
||||
"3": "Reflected attacks reflect from the firewall off to the database where the user requests information from.",
|
||||
"4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user."
|
||||
}
|
||||
}, {
|
||||
"text": "Is Javascript the only way to perform XSS attacks?",
|
||||
"text": "Is JavaScript the only way to perform XSS attacks?",
|
||||
"solutions": {
|
||||
"1": "Yes, you can only make use of tags through Javascript.",
|
||||
"2": "Yes, otherwise you can't steal cookies.",
|
||||
"3": "No, there's ECMAScript too.",
|
||||
"4": "No, there're many other ways. Like HTML, Flash or any other type of code that the browser executes."
|
||||
"1": "Yes you can only make use of tags through JavaScript.",
|
||||
"2": "Yes otherwise you cannot steal cookies.",
|
||||
"3": "No there is ECMAScript too.",
|
||||
"4": "No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
|
||||
}
|
||||
}]
|
||||
}
|
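Review bot: the same comma problem as in the earlier questions: `"3": "No there is ECMAScript too.",` and `"1": "Yes you can only make use of tags through JavaScript.",` read better with the comma after "No"/"Yes" retained, and `"4": "No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."` leaves a sentence fragment ("No, there are many other ways, such as HTML, Flash, or any other type of code that the browser executes.").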
@ -7,7 +7,7 @@ you will know learn how you can defend against it.
|
||||
|
||||
* The user will understand the best practices for defending against XSS injection attacks
|
||||
* The user will demonstrate knowledge on:
|
||||
** XSS Mitigation
|
||||
** XSS mitigation
|
||||
|
||||
|
||||
|
||||
|
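Review bot: the hunk context `you will know learn how you can defend against it.` contains a stray "know" (it should be "you will now learn how") that this spelling pass misses; worth fixing while the file is open.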
@ -1,8 +1,8 @@
|
||||
== Concept
|
||||
|
||||
After taking a look at Reflected XSS in the previous lesson. We're now gonna take a closer look at another form of Cross Site Scripting Attack: Stored CSS.
|
||||
After taking a look at Reflected XSS in the previous lesson. We are now gonna take a closer look at another form of Cross-Site Scripting Attack: Stored XSS.
|
||||
|
||||
== Goals
|
||||
* The user will learn what Stored XSS is
|
||||
* The user will demonstrate knowledge on:
|
||||
** Stored XSS Injection
|
||||
** Stored XSS injection
|
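Review bot: `After taking a look at Reflected XSS in the previous lesson. We are now gonna take a closer look at another form of Cross-Site Scripting Attack: Stored XSS.` fixes the important "Stored CSS" typo but keeps the sentence fragment and "gonna", and "We are now gonna" is odder than the original "We're now gonna". Suggest: "After looking at reflected XSS in the previous lesson, we now take a closer look at another form of cross-site scripting attack: stored XSS."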
@ -1,17 +1,17 @@
|
||||
== What is XSS
|
||||
== What is XSS?
|
||||
|
||||
Cross-site script (also commonly known as XSS) is a vulnerability/flaw that combines ...
|
||||
Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines ...
|
||||
# the allowance of html/script tags as input that are ...
|
||||
# rendred into a browser without encoding or sanitization
|
||||
# rendered into a browser without encoding or sanitization
|
||||
|
||||
=== Cross site scripting (XSS) is the most prevalent and pernicious web application security issue
|
||||
=== Cross-Site Scripting (XSS) is the most prevalent and pernicious web application security issue
|
||||
|
||||
While there is a simple well-known defense for this attack, there are still many instances of it on the web. In terms of fixing it,
|
||||
coverage of fixes also tends to be a problem. We'll talk more about the defense in a little bit.
|
||||
coverage of fixes also tends to be a problem. We will talk more about the defense in a little bit.
|
||||
|
||||
=== XSS has a significant impact
|
||||
=== XSS has significant impact
|
||||
|
||||
Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via javascript may be compromised.
|
||||
Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via JavaScript may be compromised.
|
||||
And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
|
||||
|
||||
|
||||
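Review bot: the edited line `Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via JavaScript may be compromised.` still has "common place" (one word, "commonplace") and the awkward "linked to via". Also `# the allowance of html/script tags as input that are ...` keeps lowercase "html" while the commit standardises on "JavaScript", and `Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines ...` now differs from the unchanged lesson title `xss.title=Cross Site Scripting` in the properties file, so the wording is not actually unified across the lesson.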
@ -31,4 +31,4 @@ javascript:alert(document.cookie);
|
||||
== Try It! Using Chrome or Firefox
|
||||
|
||||
* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
|
||||
* Then, in the address bar on each tab, type `javascript:alert(document.cookie);` *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.
|
||||
* Then, in the address bar on each tab, type `javascript:alert(document.cookie);` *NOTE:* If you /cut/paste you will need to add the `javascript:` back in.
|
||||
|
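Review bot: `*NOTE:* If you /cut/paste you will need to add the `javascript:` back in.` keeps the stray slash before "cut" ("if you cut/paste" or "copy/paste"), and the unchanged `use the same url as this page you are currently on` should be "URL" to match the rest of the commit. The note itself is correct and worth keeping: browsers strip the `javascript:` scheme when it is pasted into the address bar as a protection against exactly this kind of self-XSS.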
@ -1,4 +1,4 @@
|
||||
== Most Common Locations
|
||||
== Most common locations
|
||||
|
||||
* Search fields that echo a search string back to the user
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
== Why Should We Care
|
||||
== Why should we care?
|
||||
|
||||
=== XSS attacks may result in
|
||||
* Stealing session cookies
|
||||
@ -15,5 +15,5 @@
|
||||
“>GoodYear recommends buying BridgeStone tires…
|
||||
----
|
||||
|
||||
=== XSS attacks add validity to Phishing attacks
|
||||
=== XSS attacks add validity to phishing attacks
|
||||
* A valid domain is used in the URL
|
||||
|
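Review bot: the unchanged payload line inside the listing, `“>GoodYear recommends buying BridgeStone tires…`, uses a typographic opening quote and an ellipsis character; as an attribute break-out it needs the straight ASCII quote, `">GoodYear recommends buying BridgeStone tires...`, otherwise the example does not close the attribute it is meant to close. The heading change to lowercase "phishing" is fine.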
@ -11,7 +11,7 @@
|
||||
* Similar to reflected XSS
|
||||
* Runs with browser privileges inherited from user in browser
|
||||
|
||||
=== Stored or Persistent
|
||||
=== Stored or persistent
|
||||
* Malicious content is stored on the server ( in a database, file system, or other object ) and later displayed to users in a web browser
|
||||
* Social engineering is not required
|
||||
|
||||
|
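Review bot: in the unchanged context, `* Runs with browser privileges inherited from user in browser` is redundant ("Runs in the browser with the privileges of the logged-in user"), and `( in a database, file system, or other object )` has spaces inside the parentheses. Worth tidying in the same pass that lowercases the heading.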
@ -1,4 +1,4 @@
|
||||
== Reflected XSS Scenario
|
||||
== Reflected XSS scenario
|
||||
|
||||
* Attacker sends a malicious URL to victim
|
||||
* Victim clicks on the link that loads malicious web page
|
||||
|
@ -1,4 +1,4 @@
|
||||
== Self XSS or Reflected XSS?
|
||||
== Self XSS or reflected XSS?
|
||||
|
||||
You should have been able to execute script with the last example. At this point, it would be considered 'self XSS' though.
|
||||
|
||||
|
@ -1,15 +1,15 @@
|
||||
== Identify Potential for DOM-Based XSS
|
||||
== Identify potential for DOM-Based XSS
|
||||
|
||||
DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
|
||||
Look for a route that takes inputs that are being 'reflected' to the page.
|
||||
Look for a route that takes inputs that are being "reflected" to the page.
|
||||
|
||||
For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
|
||||
For this example, you will want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary JavaScript library).
|
||||
Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
|
||||
|
||||
Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
|
||||
*start.mvc#lesson/*
|
||||
The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
|
||||
The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the JavaScript route handler.
|
||||
|
||||
So, what is the route for the test code that stayed in the app during production?
|
||||
To answer this question, you have to check the javascript source.
|
||||
To answer this question, you have to check the JavaScript source.
|
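Review bot: quoting is inconsistent within this hunk: `Look for a route that takes inputs that are being "reflected" to the page.` switches to double quotes while the next edited line `For this example, you will want to look for some 'test' code in the route handlers` keeps single quotes. The heading `== Identify potential for DOM-Based XSS` keeps "DOM-Based" with a capital B whereas the goals list in this commit uses "DOM-based XSS injection"; pick one. And "often times" in the unchanged context should be "often" or "oftentimes".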
@ -1,6 +1,6 @@
|
||||
== Try It! DOM-Based XSS
|
||||
|
||||
Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful.
|
||||
Some attacks are "blind". Fortunately, you have the server running here so you will be able to tell if you are successful.
|
||||
Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat.
|
||||
The function you want to execute is ...
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
== Stored XSS
|
||||
Stored cross-site scripting is different in that the payload is persisted (stored) as opposed to passed/injected via a link.
|
||||
Stored Cross-Site Scripting is different in that the payload is persisted (stored) as opposed to passed/injected via a link.
|
||||
|
||||
== Stored XSS Scenario
|
||||
* Attacker posts malicious script to a message board
|
||||
|
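Review bot: `Stored Cross-Site Scripting is different in that the payload is persisted (stored) as opposed to passed/injected via a link.` capitalizes the generic term mid-sentence, the opposite of what the rest of this commit does to headings, and the heading two lines down, `== Stored XSS Scenario`, is left in title case while `== Reflected XSS scenario` is lowercased elsewhere in the same commit.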
@ -1,6 +1,6 @@
|
||||
See the comments below.
|
||||
|
||||
Add a comment with a javascript payload. Again ... you want to call the _webgoat.customjs.phoneHome_ function.
|
||||
Add a comment with a JavaScript payload. Again ... you want to call the _webgoat.customjs.phoneHome_ function.
|
||||
|
||||
As an attacker (offensive security), keep in mind that most apps are not going to have such a straight-forwardly named compromise.
|
||||
Also, you may have to find a way to load your own javascript dynamically to fully achieve goals of exfiltrating data.
|
||||
Also, you may have to find a way to load your own JavaScript dynamically to fully achieve goals of extracting data.
|
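Review bot: `Also, you may have to find a way to load your own JavaScript dynamically to fully achieve goals of extracting data.` replaces "exfiltrating" with "extracting", which is a regression: exfiltration is the precise term for moving data out of the victim's context to the attacker, which is what the sentence is about; restore "exfiltrating". In the unchanged line, "straight-forwardly" should be "straightforwardly".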
@ -1,12 +1,12 @@
|
||||
== XSS Defense
|
||||
== XSS defense
|
||||
|
||||
|
||||
=== Why?
|
||||
Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session
|
||||
Hopefully we have covered that by now. Bottom line, you do not want someone else's code running in the context of your users and their logged-in session
|
||||
|
||||
=== What to encode?
|
||||
The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
|
||||
That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters*
|
||||
That may be changing with more sophisticated attacks, but it is still the best defense we currently have. *AND* ... *context matters*
|
||||
|
||||
Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).
|
||||
Sometimes data is shared across multiple systems and what you think is your data, may not have been created by you/your team.
|
||||
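Review bot: the closing parenthesis in the unchanged `If in doubt, treat everything (even data you populated in your DB as untrusted).` is misplaced; it should be "treat everything (even data you populated in your DB) as untrusted", and the comma in `what you think is your data, may not have been created by you/your team.` should go. The edited line `That may be changing with more sophisticated attacks, but it is still the best defense we currently have.` is fine.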
@ -19,9 +19,9 @@ in the client*. Consult your framework/library for me details, but some resource
|
||||
|
||||
* Encode as HTML Entities in HTML Body
|
||||
* Encode as HTML Entities in HTML Attribute
|
||||
* Encode for Javascript if outputting user input to javascript (but think about that ... you're outputting user input into javascript on your page!!)
|
||||
* Encode for JavaScript if outputting user input to JavaScript (but think about that ... you are outputting user input into JavaScript on your page!!)
|
||||
|
||||
*DO NOT* try to blacklist/negative filter on strings like '<script>' and so forth.
|
||||
|
||||
|
||||
...See the next page for some recommended resources and reading on Defending against XSS
|
||||
...See the next page for some recommended resources and reading on defending against XSS
|
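Review bot: the hunk context `Consult your framework/library for me details` has "me" for "more", missed by the spelling pass. On the edited bullet `* Encode for JavaScript if outputting user input to JavaScript (but think about that ... you are outputting user input into JavaScript on your page!!)`: the warning is right, but the list only covers the HTML body, HTML attribute and JavaScript contexts; since the section leads with "context matters", it should at least name the URL and CSS contexts, which need their own encoders, as the OWASP cheat sheet linked on the next page spells out.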
@ -1,13 +1,13 @@
|
||||
== What is encoding
|
||||
== What is encoding?
|
||||
|
||||
Not trusting user input means validating data for type, length, format and range whenever it passes through a trust boundary,
|
||||
say from a Web form to an application script, and then encoding it prior to redisplay in a dynamic page.
|
||||
say from a web form to an application script, and then encoding it prior to redisplay in a dynamic page.
|
||||
|
||||
In practice, this means that you need to review every point on your site where user-supplied data is handled and processed and
|
||||
ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered and encoded.
|
||||
|
||||
Client-side validation cannot be relied upon, but user input can be forced down to a minimal alphanumeric set with server-side
|
||||
processing before being used by a Web application in any way.
|
||||
processing before being used by a web application in any way.
|
||||
|
||||
== Escaping
|
||||
|
||||
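Review bot: `Client-side validation cannot be relied upon, but user input can be forced down to a minimal alphanumeric set with server-side` overstates input filtering: reducing all input to alphanumerics breaks legitimate data (names with apostrophes, addresses, free text), and the XSS defense page in this same commit correctly makes output encoding per context the primary defense, with validation as a complement; reword so the two pages agree. The "Web form"/"Web application" lowercasing is fine.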
@ -20,10 +20,10 @@ which will not be interpreted as HTML tags by a browser.
|
||||
|
||||
You need to encode special characters like "<" and ">" before they are redisplayed if they are received from user input.
|
||||
For example, encoding "<" and ">" ensures a browser will display <script> but not execute it.
|
||||
In conjunction to encoding, it is important that your webpages always define their character set so the browser won't interpret
|
||||
In conjunction to encoding, it is important that your web pages always define their character set so the browser will not interpret
|
||||
special character encodings from other character sets.
|
||||
|
||||
Cross-site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
|
||||
Cross site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
|
||||
it can run maliciously.
|
||||
|
||||
=== Relevant XML/HTML special characters
|
||||
|
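Review bot: `Cross site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where` removes the hyphen from "Cross-site scripting", the opposite of the change in the What is XSS page of this same commit ("Cross-Site Scripting"), and leaves lowercase "javascript" that the commit elsewhere changes to "JavaScript"; this line should only have been touched to fix "javascript". Also `In conjunction to encoding, it is important that your web pages always define their character set` should be "In conjunction with encoding".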
@ -60,7 +60,7 @@ But what happens if someone uses this link:
|
||||
http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
|
||||
----
|
||||
|
||||
=== It's your turn!
|
||||
=== It is your turn!
|
||||
|
||||
Try to prevent this kind of XSS by escaping the url parameters in the JSP file:
|
||||
|
||||
|
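Review bot: `Try to prevent this kind of XSS by escaping the url parameters in the JSP file:` keeps lowercase "url" in unchanged context, unlike the rest of the commit; "URL".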
@ -1,7 +1,7 @@
|
||||
== XSS Defense Resources
|
||||
== XSS defense resources
|
||||
|
||||
=== Java OWASP Encoder
|
||||
Do not be bothered by the incubator status on this project, use it if you are doing Java Web Apps and want to defend against XSS, use this
|
||||
Do not be bothered by the incubator status on this project, use it if you are doing Java web apps and want to defend against XSS, use this
|
||||
link: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
|
||||
|
||||
=== General XSS prevention Cheat Sheet
|
||||
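Review bot: the edited sentence `Do not be bothered by the incubator status on this project, use it if you are doing Java web apps and want to defend against XSS, use this` says "use" twice and is two comma splices; suggest "Do not be put off by the incubator status of this project: if you are writing Java web apps and want to defend against XSS, use it. Link: ...". The case change from "Java Web Apps" to "Java web apps" is fine.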
@ -16,15 +16,15 @@ link https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||
|
||||
=== Javascript Framework Specifics
|
||||
|
||||
Encoding in the client can be tricky. Here are somre resources to help with that. If you don't see your framework below (e.g. Ember, React, ???) and would like to contribute or suggest something ...
|
||||
stop by https://github.com/WebGoat/WebGoat and file an issue (preferably with some recommendations/links) or fork and submit a PR.
|
||||
Encoding in the client can be tricky. Here are some resources to help with that. If you do not see your framework below (e.g. Ember, React, ???) and would like to contribute or suggest something ...
|
||||
stop by https://github.com/WebGoat/WebGoat and file an issue (preferably with some recommendations/links) or fork and submit a pull request.
|
||||
|
||||
==== jQuery
|
||||
be aware if you are using something like ...
|
||||
|
||||
_$selector.html(userInputHere)_,
|
||||
|
||||
...you are in danger. If you want to use that, ensure you are doing someting more like:
|
||||
...you are in danger. If you want to use that, ensure you are doing something more like:
|
||||
|
||||
_$selector.html(someEncodeHtmlMethod(userInputHere))_
|
||||
|
||||
|
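Review bot: `=== Javascript Framework Specifics` keeps "Javascript" although the rest of the commit renames it to "JavaScript" and lowercases headings ("JavaScript framework specifics"). On the jQuery advice that follows: `_$selector.html(someEncodeHtmlMethod(userInputHere))_` is the right fix only when the input genuinely has to be rendered as markup; when it does not, `$selector.text(userInputHere)` is the simpler and safer option, because jQuery sets the text content directly and never parses the value as HTML. Worth adding as the first recommendation.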
@ -7,8 +7,8 @@ This lesson describes what Cross-Site Scripting (XSS) is and how it can be used
|
||||
* The user should have a basic understanding of what XSS is and how it works
|
||||
* The user will learn what Reflected XSS is
|
||||
* The user will demonstrate knowledge on:
|
||||
** Reflected XSS Injection
|
||||
** DOM-based XSS Injection
|
||||
** Reflected XSS injection
|
||||
** DOM-based XSS injection
|
||||
|
||||
|
||||
|
||||
|
@ -1 +1 @@
Now it's time for a quiz! It's recommended to check the OWASP Cross Site Scripting explanations https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Answer all questions correctly to complete the assignment.
Now it is time for a quiz! It is recommended to check the OWASP Cross-Site Scripting explanations https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Answer all questions correctly to complete the assignment.
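Review bot: the space inserted before the full stop in "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Answer" reads as a typo on the rendered page; if the intent is to keep the trailing period out of the auto-linked URL (the URL ends in a parenthesis), use the AsciiDoc link macro instead, e.g. `https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)[OWASP Cross-Site Scripting page]`, and put the period directly after the closing bracket.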
@ -18,48 +18,48 @@ SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings.
SqlStringInjectionHint2-4=Pay attention to case sensitivity when comparing two strings.

SqlStringInjectionHint3-1=Try the UPDATE statement
SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition;
SqlStringInjectionHint3-2=UPDATE table name SET column name=value WHERE condition;

SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing database
SqlStringInjectionHint4-2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
SqlStringInjectionHint4-3=ALTER TABLE tablename ADD columnname data type(size);
SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size))
SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size);

SqlStringInjectionHint5-a=Look at the example. There's everything you'll need.
SqlStringInjectionHint5-a=Look at the example. There is everything you will need.

sql-injection.5a.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.5b.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.5b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>

SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The Output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection.
SqlStringInjectionHint5b4=You do not need to insert any quotations into your injection-string.

sql-injection.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.6a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>

sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.advanced.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint-advanced-6a-1=Remember, that when using a Union, Each SELECT statement within UNION must have the same number of columns.
SqlStringInjectionHint-advanced-6a-2=The Datatype of a column in the first SELECT statement must have a similar datatype to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL Query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For an integer you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELECT statement within UNION must have the same number of columns.
SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For integers you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>

sql-injection.6b.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.6b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>

sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span>
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That's only one account. You want them all! Try again.</span>
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching last name. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That is only one account. You want them all! Try again.</span>
SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.

sql-injection.9.success=<span class='feedback-positive'>Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.success=<span class='feedback-positive'>Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span>
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
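Review bot: the rewording of SqlStringInjectionHint3-2 and SqlStringInjectionHint4-3 introduces a regression: `UPDATE table name SET column name=value WHERE condition;` and `ALTER TABLE table name ADD column name data type(size);` now show placeholder identifiers containing spaces, which is not valid SQL and will mislead a learner who copies the pattern; keep the original `tablename`/`columnname` or use a visibly marked placeholder such as `<table>`/`<column>`. In SqlStringInjectionHint-advanced-6a-1, "an UNION" should be "a UNION" (the article follows the consonant sound), and "eg:" in 6a-3 would read better as "e.g.".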
@ -68,26 +68,26 @@ SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically c
SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....

sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
sql-injection.10.entries=<span class='feedback-negative'>There is still evidence of what you did. Better remove the whole table.</span>

sql-injection.10b.success=<span class='feedback-positive'>You did it! Your code can prevent an SQL Injection attack!</span>
sql-injection.10b.failed=<span class='feedback-negative'>Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?</span>
sql-injection.10b.success=<span class='feedback-positive'>You did it! Your code can prevent an SQL injection attack!</span>
sql-injection.10b.failed=<span class='feedback-negative'>Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC?</span>
sql-injection.10b.no-code=<span class='feedback-negative'>You need to write some code.</span>
sql-injection.10b.compiler-errors=<span class='feedback-negative'>Couldn't compile code:</span>
sql-injection.10b.compiler-errors=<span class='feedback-negative'>Could not compile code:</span>

SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
SqlStringInjectionHint.10.5=The underlying SQL query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.

SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement.
SqlStringInjectionHint-mitigation-10a-2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
SqlStringInjectionHint-mitigation-10a-2=For every data type there is a method to insert values into a wildcard symbol in a statement.

SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection.
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections.
SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype.
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL injections.
SqlStringInjectionHint-mitigation-10b-3=The wildcard symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every data type.
SqlStringInjectionHint-mitigation-10b-4=Make sure to execute your statement.
SqlStringInjectionHint-mitigation-10b-5=View the previous lesson to check back on how you can build set up a connection.

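Review bot: SqlStringInjectionHint-mitigation-10b-5 still reads "how you can build set up a connection" (an unchanged context line); drop one of the two verbs while this file is being touched. The "wildcard symbol" wording kept in mitigation-10a-2 and 10b-3 is also worth fixing: JDBC calls the `?` a parameter placeholder, and "wildcard" collides with the LIKE `%` wildcard that hint 10.5 shows in the same file. Finally, 10b-1 tells the learner to surround the connection with a try-catch block; a try-with-resources statement is the idiomatic Java form and also closes the connection on every path.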
@ -96,7 +96,7 @@ SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify
SqlStringInjectionHint-mitigation-12a-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
SqlStringInjectionHint-mitigation-12a-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens

SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
SqlInjectionChallengeHint3=Change the password through an Update Statement.
SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
SqlInjectionChallengeHint1=The table name is randomized at each start of WebGoat, try to figure out the name first.
SqlInjectionChallengeHint2=Find the field which is vulnerable to SQL injection use that to change the password.
SqlInjectionChallengeHint3=Change the password through an UPDATE Statement.
SqlInjectionChallengeHint4=The vulnerable field is the username field of the register form.
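Review bot: SqlStringInjectionHint-mitigation-12a-3 and -12a-4 (the unchanged context lines at the top of the hunk) carry identical text, "Use for example "(case when (true) then hostname else id end)" in the order by and see what happens"; one of the two is probably a copy-paste leftover. In the rewritten SqlInjectionChallengeHint2, "Find the field which is vulnerable to SQL injection use that to change the password" is missing a conjunction ("... and use that ..."), and SqlInjectionChallengeHint3 keeps "UPDATE Statement" with a capital S while the rest of the commit lowercases such nouns.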
@ -4,5 +4,5 @@ This lesson describes the more advanced topics for an SQL injection.

== Goals

** Combining SQL Injection Techniques
** Combining SQL injection Techniques
** Blind SQL injection
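Review bot: "** Combining SQL injection Techniques" lowercases one word but leaves "Techniques" capitalized, which is neither the original title case nor the sentence case used by the sibling item "** Blind SQL injection"; make it "Combining SQL injection techniques".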
@ -7,7 +7,7 @@
* Stored XSS
* Information leakage
* Logic errors – business rule validation
* SQL Injection
* SQL injection

=== Often the database is considered trusted

@ -3,7 +3,7 @@
Question: Does a prepared statement always prevent against an SQL injection?
Answer: No it does not

Let's take a look at the following statement:
Let us take a look at the following statement:

----
select * from users order by lastname;
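Review bot: the unchanged context line "Answer: No it does not" needs a comma and a full stop ("Answer: No, it does not."); since this commit is a wording pass over the same file, it is worth fixing here rather than leaving for another round.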
@ -13,7 +13,7 @@ CREATE TABLE user_data (userid int not null,
login_count int);
-------------------------------------------------------

Through experimentation you found that this field is susceptible to SQL Injection.
Through experimentation you found that this field is susceptible to SQL injection.
Now you want to use that knowledge to get the contents of another table. +
The table you want to pull data from is:

@ -1,4 +1,4 @@
== Blind SQL Injection
== Blind SQL injection

Blind SQL injection is a type of SQL injection attack that asks the database true or false
questions and determines the answer based on the applications response. This attack is often used when the web
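Review bot: "determines the answer based on the applications response" in the unchanged context line is missing the possessive apostrophe ("application's response").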
@ -7,18 +7,18 @@ injection.

=== Difference

Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal
Let us first start with the difference between a normal SQL injection and a blind SQL injection. In a normal
SQL injection the error messages from the database are displayed and gives enough information to find out how
the query is working. Or in the case of a union based SQL injection the application does not reflect the information
directly on the webpage. So in the case where nothing is displayed you will need to start asking the database questions
based on a true or false statement. That's why a blind SQL injection is much more difficult to exploit.
the query is working. Or in the case of an UNION based SQL injection the application does not reflect the information
directly on the web page. So in the case where nothing is displayed you will need to start asking the database questions
based on a true or false statement. That is why a blind SQL injection is much more difficult to exploit.

There are several different types of blind SQL injections: content based and time based SQL injections.
There are several different types of blind SQL injections: content-based and time-based SQL injections.


=== Example

In this case we are trying to ask the database a boolean question based on for example a unique id, for example
In this case we are trying to ask the database a boolean question based on for example an unique id, for example
suppose we have the following url: `https://my-shop.com?article=4`
On the server side this query will be translated as follows:

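Review bot: two of the rewrites in this hunk introduce article errors: "based on for example an unique id" should stay "a unique id" (the word starts with a consonant sound), and "in the case of an UNION based SQL injection" should be "a UNION-based SQL injection", which also matches the hyphenation this same hunk adds to "content-based and time-based". In the context line "the error messages from the database are displayed and gives enough information", the verb should agree with "messages" ("give").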
@ -49,7 +49,7 @@ Be aware that this approach might not work if the privileges of the database are
system tables cannot be queried with the user used to connect from the web application to the database).


Another way is called a time based SQL injection, in this case you will ask the database to wait before returning
Another way is called a time-based SQL injection, in this case you will ask the database to wait before returning
the result. You might need to use this if you are totally blind so there is no difference between the response you
can use for example:

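Review bot: the context sentence "You might need to use this if you are totally blind so there is no difference between the response you can use for example:" is ungrammatical as it stands (a clause after "response" appears to be missing); since the hunk already edits the neighbouring line, it is worth restoring the intended sentence here rather than only hyphenating "time-based". The comma splice in "a time-based SQL injection, in this case you will ask" would also be cleaner as two sentences or with a semicolon.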
@ -1,6 +1,6 @@
== Immutable Queries

These are the best defense against SQL Injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.

=== Static Queries
-------------------------------------------------------
@ -1,4 +1,4 @@
== What is SQL
== What is SQL?

SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.

@ -33,7 +33,7 @@ Go ahead to the next pages to get some details on the different types of command

If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.

=== It's your turn!
=== It is your turn!
Look at the example table.
Try to retrieve the department of the employee Bob Franco.
Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
@ -1,12 +1,12 @@
== Compromising Availability
After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA-Triad: *availability*.
After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA triad: *availability*.

The are many different ways to violate the ensurement of availability.
The are many different ways to violate availability.
If an account is deleted or the password gets changed, the actual owner cannot access it anymore.
Attackers could also try to delete parts of the database making it useless or even dropping the whole database.
Another way to compromise availability would be to per example revoke access-rights from admins or any other users, so that nobody gets access to (specific parts of) the database.

=== It's your turn!
=== It is your turn!
Now you are the top earner in your company.
But do you see that?
There seems to be a *access_log* table, where all your actions have been logged to! +
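Review bot: the rewritten line "The are many different ways to violate availability." keeps the typo "The are" (should be "There are") that a spelling-fix commit ought to catch on a line it already edits. Further down in the same hunk, "There seems to be a *access_log* table" needs "an", and "per example" (here and in the other lesson files of this commit) is not English; "for example" is meant.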
@ -1,4 +1,4 @@
== Try It! String SQL Injection
== Try It! String SQL injection

The query in the code builds a dynamic query as seen in the previous example. The query is build by concatenating strings making it susceptible to String SQL injection:

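Review bot: the context line "The query is build by concatenating strings" should read "is built by"; it is the same kind of slip this commit fixes elsewhere in the same file.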
@ -6,4 +6,4 @@ The query in the code builds a dynamic query as seen in the previous example. T
"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";
------------------------------------------------------------

Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list.
Using the form below try to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
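Review bot: the sample query in the context line `"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";` opens the string value with a typographic quote (‘) but closes it with a straight quote ('), so the quoting in the snippet the learner is asked to reason about does not match; replace the typographic quote with a straight single quote so the listing shows the real query.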
@ -1,4 +1,4 @@
== Try It! Numeric SQL Injection
== Try It! Numeric SQL injection

The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:

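Review bot: the unchanged context line repeats its own opening: "The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number ..."; either drop the first sentence or start the second with "It concatenates a number, making it susceptible to numeric SQL injection:".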
@ -2,7 +2,7 @@

As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database.

If an attacker uses a SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).
If an attacker uses SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).


* DML commands are used for storing, retrieving, modifying, and deleting data.
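Review bot: the rewritten sentence still reads "confidentiality (…) & integrity (update)", with an ellipsis where the DDL and DCL pages in this same commit name a command in each parenthesis ("integrity (alter) & availability (drop)", "confidentiality (grant) & availability (revoke)"); the DML line looks unfinished and should name the command it means. The trailing "(Only people authorized to read the data can do so)" also only explains the confidentiality goal, so the integrity half is left without its gloss.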
@ -17,7 +17,7 @@ If an attacker uses a SQL injection of the DML type to manipulate your database,
WHERE userid = 96134;
** This statement delivers the phone number of the employee with the userid 96134.

=== It's your turn!
=== It is your turn!
Try to change the department of Tobi Barnett to 'Sales'.
Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.

@ -2,7 +2,7 @@

Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database.

If an attacker uses a SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)
If an attacker uses SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)


* DDL commands are used for creating, modifying, and dropping the structure of database objects.
@ -2,7 +2,7 @@

Data control language is used to create privileges to allow users to access and manipulate the database.

If an attacker uses a SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)
If an attacker uses SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)


* DCL commands are used for providing security to database objects.
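Review bot: "Unwanted people could grand themselves admin privileges" keeps the typo "grand" for "grant" in the rewritten line; that is exactly the kind of spelling mistake the commit title announces, and the word is the DCL command the sentence is about. The closing parenthesis also lacks a full stop, unlike the matching DDL sentence.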
@ -1,19 +1,19 @@
== What is SQL Injection?
== What is SQL injection?

SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
SQL injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.

SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. +
Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them).
SQL injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL interpreter of the application itself. If the input from the client does not get checked for containing SQL commands, hackers can easily manipulate the underlying SQL statement to their advantage. +
Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL query and that way can be used to chain them).

{nbsp} +

== Example of SQL Injection
== Example of SQL injection

Think of a web application, that allows to display user information, by typing a username into an input field.

The input will then be sent to the server and gets inserted into a SQL-query which then is processed by an SQL-Interpreter.
The input will then be sent to the server and gets inserted into a SQL query which then is processed by an SQL interpreter.

The SQL-query to retrieve the user information from the database looks like that: +
The SQL query to retrieve the user information from the database looks like that: +
-------------------------------------------------------
"SELECT * FROM users WHERE name = '" + userName + "'";
-------------------------------------------------------
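Review bot: the rewritten line "such an injection of code into the application can have an serious impact" keeps the article error ("a serious impact"). "Per example if the input is not filtered for SQL metacharacters ..." is both a non-English idiom ("For example") and a sentence fragment; joining it to the preceding sentence ("... to their advantage, for example if the input is not filtered for ...") would read better. The "SQL injections can occur, when unfiltered data ..." comma before "when" is also spurious.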
@ -26,6 +26,6 @@ If the input would be Smith the query then looks like that +
and would retrieve all data for the user with the name Smith.

{nbsp} +
But if an attacker supplies an unexpected input which could be part of a SQL-query, the query itself can be modified and that way be used to perform other (malicious) actions on the database.
But if an attacker supplies an unexpected input which could be part of a SQL query, the query itself can be modified and that way be used to perform other (malicious) actions on the database.

Here is an input field. Try typing some SQL in here to better understand how the query changes.
@ -1,4 +1,4 @@
== Consequences of SQL Injection
== Consequences of SQL injection

=== A successful SQL injection exploit can:
* Read and modify sensitive data from the database
@ -1,6 +1,6 @@
== Severity of SQL Injection
== Severity of SQL injection

=== The severity of SQL Injection attacks is limited by
=== The severity of SQL injection attacks is limited by
* Attacker’s skill and imagination
* Defense in depth countermeasures
** Input validation
@ -12,7 +12,7 @@
* MySQL Connector/J and C
* Oracle

=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages
=== SQL injection is more common in PHP, Classic ASP, Cold Fusion and older languages
* Languages that do not provide parameterized query support
* Parameterized queries have been added to newer versions
* Early adopters of web technology (i.e. Old Code)
@ -1,16 +1,16 @@
== Compromising confidentiality with String SQL Injection
If a system is vulnerable to SQL-Injections it is also easy to compromise aspects of the CIA-Triad _(if you are unfamiliar with the CIA-Triad check out the CIA-Triad lesson in the general category)_.
In the following three lessons, you will learn how to use simple SQL-Injection attacks to compromise each of the three. Per example by using _SQL String Injections_ or _query chaining_.
== Compromising confidentiality with String SQL injection
If a system is vulnerable to SQL injections it is also easy to compromise aspects of the CIA triad _(if you are unfamiliar with the CIA triad check out the CIA triad lesson in the general category)_.
In the following three lessons, you will learn how to use simple SQL injection attacks to compromise each of the three. Per example by using _SQL string injections_ or _query chaining_.

This lesson, we will take a look at *confidentiality*.
Confidentiality can easily be compromised if an attacker uses SQL Injection to read sensitive data from the database. For example reading credit card numbers or passwords.
Confidentiality can easily be compromised if an attacker uses SQL injection to read sensitive data from the database. For example reading credit card numbers or passwords.

=== What's String SQL Injection
=== What is String SQL injection?
If queries are build dynamically in the application by concatenating strings to it, this makes it very susceptible to String SQL injection. +
If the input takes a string and that one gets inserted into the query as a string parameter, then you can easily manipulate the build query by using quotation marks to form the string to your specific needs.
You could per example end the string parameter with it and input your own SQL after that.

=== It's your turn!
=== It is your turn!
You are an employee named John *Smith* working for a big company.
The company has an internal system that allows all employees to see their own internal data, like the department they work in and their salary.

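Review bot: two context lines in this section use "build" where the participle "built" is needed: "If queries are build dynamically in the application" and "manipulate the build query". "Per example" also appears twice in this hunk, once in a line the commit rewrites ("Per example by using _SQL string injections_ ..."), and should be "For example"; that rewritten fragment would read better attached to the sentence before it.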
@ -19,7 +19,7 @@ Your current TAN is *3SL99A*.

Since you always have the urge to be the most earning employee you want to exploit the system and instead of viewing your own internal data _take a look at the data of all your colleagues_ to check their current salaries.

Use the form below and try to retrieve all the employee data from the *employees* table. You shouldn't need to know any specific names or TANs to get the information you need. +
Use the form below and try to retrieve all the employee data from the *employees* table. You should not need to know any specific names or TANs to get the information you need. +
You already found out that the query performing your request looks like that:
------------------------------------------------------------
"SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "';
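Review bot: the Java string in the listing is unterminated: `"SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "';` ends with `"';` and never closes the last double-quoted literal. Compare the earlier lesson's `"SELECT * FROM users WHERE name = '" + userName + "'";`; this line should end `+ auth_tan + "'";` so the learner sees a query that actually compiles.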
@ -1,4 +1,4 @@
== Compromising Integrity with Query Chaining
== Compromising Integrity with Query chaining
After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the *integrity* of data by using SQL *query chaining*.

The integrity of any data can be compromised, if an attacker per example changes information that he should not even be able to access.
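Review bot: the heading rewrite "== Compromising Integrity with Query chaining" leaves "Integrity" and "Query" capitalized while lowercasing "chaining", which matches neither the original title case nor the sentence case the other headings in this commit move to; pick one form. The next line still has "we are gonna compromise" in a commit that expands contractions everywhere else ("we are going to"), and "per example" in the last context line should be "for example".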
@ -7,10 +7,10 @@ The integrity of any data can be compromised, if an attacker per example changes
|
||||
Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of the actual query.
|
||||
You can do this by using the *;* metacharacter which marks the end of a query and that way allows to start another one right after it within the same line.
|
||||
|
||||
=== It's your turn!
|
||||
=== It is your turn!
|
||||
You just found out that Tobi and Bob both seem to earn more money than you!
|
||||
Of course you cannot leave it at that. +
|
||||
Better go and _change your own salary so you're earning the most!_
Better go and _change your own salary so you are earning the most!_
Remember: Your name is John *Smith* and your current TAN is *3SL99A*.
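Review bot: the leading context line `which marks the end of a query and that way allows to start another one right after it within the same line` is missing the object of `allows`; `and so allows you to start another query right after it on the same line` reads correctly and is worth fixing while the surrounding contractions (`It's your turn!`, `you're earning`) are being expanded in the same hunk.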
@ -5,10 +5,10 @@ This lesson describes what is Structured Query Language (SQL) and how it can be
=== Goals
* The user will have a basic understanding of how SQL works and what it is used for
* The user will have a basic understanding of what SQL-Injections are and how they work
* The user will have a basic understanding of what SQL injections are and how they work
* The user will demonstrate knowledge on:
** DML, DDL and DCL
** String SQL Injection
** Numeric SQL Injection
** String SQL injection
** Numeric SQL injection
** violation of the CIA triad
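Review bot: after re-casing `** String SQL injection` and `** Numeric SQL injection`, the sub-list is left with one lower-cased entry, `** violation of the CIA triad`; capitalising it (`** Violation of the CIA triad`) keeps the list consistent, which is the stated aim of this commit. The hunk header's context line, `This lesson describes what is Structured Query Language (SQL)`, also has inverted word order and should read `what Structured Query Language (SQL) is`.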
@ -1,5 +1,5 @@
== Try it! Writing safe code
You can see some code down below, but the Code is incomplete. Complete the code, so that is no longer vulnerable for an SQL Injection! Use the classes and methods you have learned before.
You can see some code down below, but the code is incomplete. Complete the code, so that is no longer vulnerable for an SQL injection! Use the classes and methods you have learned before.
The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format.
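Review bot: the rewritten line still carries a grammar slip: `Complete the code, so that is no longer vulnerable for an SQL injection!` lacks its subject and uses the wrong preposition; `Complete the code so that it is no longer vulnerable to SQL injection!` is what is meant. In the trailing context line, `Both the name and the mail are in the string format` would read more naturally as `Both the name and the mail address are strings`.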
@ -1,12 +1,12 @@
== Try it! Writing safe code
Now it's time to write your own code!
Now it is time to write your own code!
Your task is to use JDBC to connect to a database and request data from it.
*Requirements:*
* connect to a database
* perform a query on the database which is immune to SQL Injection attacks
* perform a query on the database which is immune to SQL injection attacks
* your query needs to contain at least one string parameter
*Some tips before you start:* +
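Review bot: this file's heading `== Try it! Writing safe code` is identical to the heading of the file in the previous hunk, so the two assignments cannot be told apart in the lesson outline; if that is not intended, give this one a distinct title that reflects the task stated a few lines below (for example `== Try it! Writing safe code with JDBC`).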
@ -29,4 +29,4 @@ try {
-------------------------------------------------------
Use your knowledge and write some valid code from scratch in the editor window down below!
(if you can't type there it might help to adjust the size of your browser window once, then it should work):
(if you cannot type there it might help to adjust the size of your browser window once, then it should work):
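Review bot: the parenthetical `(if you cannot type there it might help to adjust the size of your browser window once, then it should work):` is a comma splice; while the contraction is being expanded here, split it into two clauses or shorten it to `(if you cannot type there, resizing your browser window once should fix it):`.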
@ -1 +1 @@
Now it's time for a quiz! It is recommended to do all SQL-Injection lessons before trying the quiz. Answer all questions correctly to complete the assignment.
Now it is time for a quiz! It is recommended to do all SQL injection lessons before trying the quiz. Answer all questions correctly to complete the assignment.