View
2.343
Download
1
Category
Preview:
DESCRIPTION
Le due vulnerabilità più diffuse sul web. Perché vengono così sottovalutate? Sono davvero così pericolose? Si può contrastarle efficacemente? Simuliamo degli attachi analizzandone potenzialità e possibili soluzioni
Citation preview
SQL Injection & Cross Site Scripting
Stefano Santomauro
sfn.santomauro@gmail.com
Stefano Santomaurosfn.santomauro@gmail.com
• Hacker? Macché• Security engineer? Non so cosa sia
• Appassionato? Forse
• Esperto? Magari!
• ???
Chi sono
Stefano Santomaurosfn.santomauro@gmail.com
Perché questo talk
• Sappiamo da cosa proteggerci?
• Conosciamo il modo in cui difenderci?
• Perché difenderci?
• Quanto costa?
• …
Stefano Santomaurosfn.santomauro@gmail.com
Le vulnerabilità più diffuse sul WEB
OWASP Top Ten Project•A1 - Injection (SQLi e XPATHi)•A2 - Cross Site Scripting (XSS)•A3: Broken Authentication and Session Management•A4: Insecure Direct Object References•A5: Cross-Site Request Forgery (CSRF)•A6: Security Misconfiguration•A7: Insecure Cryptographic Storage•A8: Failure to Restrict URL Access•A9: Insufficient Transport Layer Protection•A10: Unvalidated Redirects and Forwards
Stefano Santomaurosfn.santomauro@gmail.com
SQL Injection: cos’è
«A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application»
Fonte OWASP
https://www.owasp.org/index.php/SQL_Injection
Stefano Santomaurosfn.santomauro@gmail.com
SQL Injection: come (1/2)
String username = request.getParameter("username");
String password = request.getParameter("password");
String sql = "select * from users where username = '" +username+"' and password = md5('" +password+"')";
Stefano Santomaurosfn.santomauro@gmail.com
SQL Injection: come (2/2)
select * from users where username = ‘tiziousr’ and password = md5(‘tiziopwd’)
select * from users where username =
‘xxx’ or 1=1 --’ and password = md5(‘tiziopwd’)
SQL eseguita
select * from users where username = ‘xxx’ or 1=1
Commento MySQL
Stefano Santomaurosfn.santomauro@gmail.com
SQL Injection: potenzialità
«A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system»
Fonte OWASP
https://www.owasp.org/index.php/SQL_Injection
Stefano Santomaurosfn.santomauro@gmail.com
Cross Site Scripting: cos’è
«XSS attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user»
Fonte OWASP
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Stefano Santomaurosfn.santomauro@gmail.com
Cross Site Scripting: come
JSP input
<input type="text" name="username"/>
Servlet
String username = request.getParameter("username");
request.setAttribute("username", username);
JSP output
<span><%=request.getAttribute("username")%></span>
HTML output
<span><script>alert(123)</script></span>
Stefano Santomaurosfn.santomauro@gmail.com
Cross Site Scripting: potenzialità
«[…] the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page»
Fonte OWASP
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Stefano Santomaurosfn.santomauro@gmail.com
DIMOSTRAZIONE…
Stefano Santomaurosfn.santomauro@gmail.com
La dimostrazione continua… a casa
Adesso sta a voi condurre un attacco di tipo XSS.
Scaricate il progetto al link che
trovate nei Riferimenti e, dopo
aver seguito le istruzioni, provate
a trovare le vostre varianti!
Stefano Santomaurosfn.santomauro@gmail.com
Conclusioni (1/4)
La nostra è stata soltanto una semplice “simulazione” di un caso reale…
Stefano Santomaurosfn.santomauro@gmail.com
Conclusioni (2/4)
…ma se anche non volete credere a me, spero crediate a questo…
Stefano Santomaurosfn.santomauro@gmail.com
Conclusioni (3/4)
Stefano Santomaurosfn.santomauro@gmail.com
Conclusioni (4/4)
Stefano Santomaurosfn.santomauro@gmail.com
Riferimenti
• OWASP (https://www.owasp.org/index.php/Main_Page)• md5decrypter (http://www.md5decrypter.co.uk)• Notizia dell’attacco alla SONY (http://www.itwire.com/business-it-news/security/47605-sony-falls-victim-to-another-simple-sql-injection-attack)• Notizia dell’attacco a Skype (https://superevr.com/blog/2011/xss-in-skype-for-ios/)• OWASP WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)• DOWNLOAD progetto dimostrativo (http://www.divshare.com/download/17108200-6e1)
Recommended