Security For Research Students

Introduction

This section of the course exposes students to some of the security issues associated with badly implemented websites.

Contents include:

Any questions or comments should be directed to: The creator's email

SQL Injection

An SQL injection attack occurs when a user is able to enter SQL code into a web page and have it run against the database. The most common situation where this occurs is when variables are simply concatenated into the query text instead of being bound.

Most modern SQL libraries in most programming languages include a feature called "binding." In binding, a variable marker is put in the SQL query, and a variable in the programming language is then mapped to that marker. The binding function checks the variable in the programming language and transforms its contents so they are "safe." Typically, suspicious characters such as quotation marks or unusual symbols are transformed so that they are treated as part of the variable's value rather than as part of the overall query. For example, the single quote (') might be transformed into \', i.e., a backslash is put in front of the quote, so it is treated as a literal quote character rather than as a quote in an SQL command.

To illustrate, compare the two versions of the SQL code embedded in PHP below. The first version is more vulnerable to an SQL injection than the second. The critical differences are in the last line of the query text and in the bindParam() call.

  // Version 1: vulnerable. $titlesearch is concatenated straight into the SQL text,
  // so a quote typed by the user ends the string literal and the rest is run as SQL.
  $stmt=$mydb->prepare(
    "Select isbn, title, listprice, discount, ".
      "book.category_code, category_name ".
    "from book ".
      "inner join bookcat ".
      "on book.category_code=bookcat.category_code ".
    "where upper(title) like '".$titlesearch."'"
  );
  $stmt->execute();

  // Version 2: bound. :thetitle is a marker; bindParam() supplies the user's text
  // as a value, so it can never become part of the SQL statement itself.
  $stmt=$mydb->prepare(
    "Select isbn, title, listprice, discount, ".
      "book.category_code, category_name ".
    "from book ".
      "inner join bookcat ".
      "on book.category_code=bookcat.category_code ".
    "where upper(title) like :thetitle"
  );
  $stmt->bindParam(":thetitle",$titlesearch,PDO::PARAM_STR);
  $stmt->execute();
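The same comparison in Python, as an added example that is not part of the original page. It builds a constructed in-memory SQLite copy of the book and bookcat tables (the rows and the helper names make_db, search_concatenated, search_bound and compare are assumptions), then runs the page's query once with the user's text concatenated into the SQL and once bound to a ? marker, sqlite3's equivalent of PDO's :thetitle.

```python
import sqlite3

# Constructed in-memory copy of the book / bookcat tables used by the PHP above.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table bookcat (category_code text primary key, category_name text);
        create table book (isbn text primary key, title text, listprice real,
                           discount real, category_code text);
        insert into bookcat values ('SEC', 'Security'), ('DB', 'Databases');
        insert into book values ('111', 'Web Security Basics', 40.0, 0.1, 'SEC'),
                                ('222', 'SQL For Everyone', 30.0, 0.0, 'DB'),
                                ('333', 'Hidden Title', 99.0, 0.5, 'SEC');
    """)
    return db

QUERY = ("select isbn, title, listprice, discount, "
         "book.category_code, category_name "
         "from book inner join bookcat "
         "on book.category_code = bookcat.category_code "
         "where upper(title) like ")

def search_concatenated(db, titlesearch):
    # Vulnerable form: the user's text is spliced into the statement itself.
    return db.execute(QUERY + "'" + titlesearch + "'").fetchall()

def search_bound(db, titlesearch):
    # Bound form: '?' is the marker; sqlite3 passes the text as a value, so a
    # quote inside it stays an ordinary character of the LIKE pattern.
    return db.execute(QUERY + "?", (titlesearch,)).fetchall()

def compare(titlesearch):
    """Row counts returned by (concatenated, bound) for the same search text."""
    db = make_db()
    return (len(search_concatenated(db, titlesearch)),
            len(search_bound(db, titlesearch)))

if __name__ == "__main__":
    print(compare("%SQL%"))          # both forms: 1 row
    print(compare("%' or '1'='1"))   # constructed test input with a quote: 3 rows vs 0 rows
```

The second call shows the point of binding: the same text that the concatenated form runs as SQL is, in the bound form, just a pattern that matches nothing.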

These two pieces of code are implemented as (note all hyperlinks appear as new pages):

Using SQL Map to Automate SQL Injections

The video here introduces students to SQL Map, a tool that automates SQL injection attacks.


Live Web Modification - The Repayment Scam

The video introduces students to how a webpage can be changed live while the user is viewing it. This is commonly done in online repayment scams.

The technique relies on the fact that web pages are rendered on the client machine. A scammer who has remote access to a client machine can therefore modify the web pages the client sees, live, by opening the browser's page debugger and editing the page elements.


Malicious Websites

The code used to create websites can be used to perform both ethical and unethical tasks. Clicking on this link will bring you to a webpage that looks like it is just showing you a picture of food. However, the web page does two things behind your back.

File Dropper

First, there is a hidden hyperlink on the page that is auto-clicked. The moment you visit the page, it drops a file onto your computer. The file dropped is harmless. That doesn't mean files dropped by other websites would be.

The file dropper has three main parts. First is the hyperlink, which is set so it is invisible:

          

Next is the JavaScript function that drops the file:

          

Finally, the function is linked to the body.

          

IP Logger

Second, the "image" in the code isn't an image. It is a piece of PHP code that loads and displays an image, and also logs your IP address. The list of captured IP addresses can be found here. The code could have captured more information, but the presented code is for illustration purposes.

The code itself is as per below. Note how easy the code is to write: it is just seven lines.

Code Injection

In a code injection attack, a user (not the developer) is able to add code to a website that is then delivered to other users and runs in their browsers. One example of such a website is a badly designed social media site: users post messages that other people can see, and these messages can include malicious code. An example of such a site is here.

Code injections can be prevented in a similar way to SQL injections. Every submission is reviewed and any characters that would become code are "escaped," i.e., transformed into something innocuous. In the case of client-side browser code, such characters include the angle brackets that mark HTML tags.
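An added example of that escaping step in Python (not code from the original page): a small renderer for one social-media post that escapes every user-supplied value before it is placed into HTML, beside the naive version that pastes submissions in as-is. It goes slightly beyond the page's angle-bracket point by also escaping quotes where a value lands inside an attribute. The function names and the sample submissions are constructed for this example.

```python
import html

def escape_text(value):
    # Between tags, '<', '>' and '&' are the characters that would become markup.
    return html.escape(value, quote=False)

def escape_attribute(value):
    # Inside a quoted attribute a stray quote would end the attribute and let the
    # rest of the submission add attributes of its own, so quotes are escaped too.
    return html.escape(value, quote=True)

def render_post(author, message):
    """HTML for one post with every user-supplied value escaped for its context."""
    return ('<div class="post" data-author="{attr}">'
            '<b>{name}</b>: {body}</div>').format(
                attr=escape_attribute(author),
                name=escape_text(author),
                body=escape_text(message))

def render_post_unescaped(author, message):
    # The naive version the section warns about: submissions become markup.
    return ('<div class="post" data-author="{0}">'
            '<b>{0}</b>: {1}</div>').format(author, message)

if __name__ == "__main__":
    # Constructed submissions: one ordinary, one that contains markup.
    print(render_post("alice", "I think 1 < 2 & fish <b>rock</b>"))
    print(render_post_unescaped("alice", "<b>rock</b>"))
```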

Race Conditions

A race condition can arise when the same piece of code, written on the assumption that only one process runs it at a time, is executed almost simultaneously by two separate processes. When that happens, unexpected things can occur. An example of a race condition can be found here.

In the example, the same discount can be applied twice to the same buyer if the discount coupon button is pressed twice within 10 seconds from two different browsers.

In this specific case, the problem could have been avoided by setting a proper primary key on the table or by making the code faster. The code is deliberately written to be slow: there is an explicit 10 second delay between the query that checks whether a coupon has already been used and the query that inserts the coupon into the database.
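The coupon race reproduced in Python, as an added example that is not the page's own code. Two threads stand in for the two browsers, a constructed coupon_use table stands in for the page's database, and a short sleep replaces the 10 second delay. Run once without and once with the primary key the section names as the fix; the helper names (make_db, apply_coupon, two_browsers) and the "SAVE10" coupon are assumptions.

```python
import sqlite3
import threading
import time

DB_LOCK = threading.Lock()  # serialises single statements on the shared connection

def run(db, sql, params=()):
    with DB_LOCK:
        return db.execute(sql, params).fetchone()

def make_db(with_primary_key):
    # Constructed coupon-usage table; the primary key is the fix the page names.
    db = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    key = ", primary key (buyer_id, coupon)" if with_primary_key else ""
    db.execute("create table coupon_use (buyer_id text, coupon text" + key + ")")
    return db

def apply_coupon(db, buyer_id, coupon, delay, results):
    # Check-then-insert, with a sleep standing in for the page's 10 second delay.
    (used,) = run(db, "select count(*) from coupon_use "
                      "where buyer_id = ? and coupon = ?", (buyer_id, coupon))
    if used:
        results.append("rejected by check")
        return
    time.sleep(delay)
    try:
        run(db, "insert into coupon_use values (?, ?)", (buyer_id, coupon))
        results.append("applied")
    except sqlite3.IntegrityError:
        results.append("rejected by primary key")

def two_browsers(with_primary_key, delay=0.3):
    """Press the coupon button twice for one buyer, from two threads at once."""
    db = make_db(with_primary_key)
    results = []
    threads = [threading.Thread(target=apply_coupon,
                                args=(db, "buyer-1", "SAVE10", delay, results))
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    (rows,) = run(db, "select count(*) from coupon_use")
    return rows, sorted(results)

if __name__ == "__main__":
    print(two_browsers(with_primary_key=False))  # (2, ['applied', 'applied'])
    print(two_browsers(with_primary_key=True))   # (1, ['applied', 'rejected by primary key'])
```

Both threads pass the check before either inserts, so without the key the coupon is stored twice; with the key the database itself rejects the second insert, regardless of how slow the code is.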

Burp Suite

Burp Suite is a collection of tools for analysing web applications. In the below video, I show how to use Burp Suite to perform a dictionary attack on a login page and explore injection attacks. I also talk about how Burp Suite can be used to do race condition attacks. Unfortunately, race conditions are only testable on the commercial version of Burp Suite, so I can't show that.


Web Vulnerability Scanners

Web vulnerability scanners are automated tools that crawl your website and probe every page for known weaknesses. Example tools include Nikto, Skipfish, Wapiti and the Zed Attack Proxy (ZAP). This video walks through the output of each of these scanners on cecilchua.online.


False Hyperlinks

JavaScript can override the expected behavior of any control by returning false from the control's event handler. A phisher can use this to present a web page whose claimed behaviour differs from its actual behaviour. For example, a web page can claim to hyperlink to a particular site but actually send the user to another site that looks like the first.

An example of disguising hyperlinks can be found here.

In the example, the URL appears to direct the user to Google, and inspecting the hyperlink shows that its href attribute does point to Google. However, the JavaScript attached to the link cancels the normal hyperlink behaviour and instead redirects the user elsewhere.

This specific attack is often attempted via email, which is why most email clients disable JavaScript by default. However, JavaScript capability is often built into email clients and can be turned on in some organizations.
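A defender's check for the disguised-hyperlink pattern above, as an added example that is not part of the original page: a stdlib HTML parser collects every anchor and flags those whose click handler returns false or navigates by script, or whose visible URL text names a different host than the href. The class and function names are assumptions, and SAMPLE is a constructed page whose first link mirrors the example in this section (example.test is a placeholder domain).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Gather each <a> element's href, onclick handler and visible text."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = {"href": a.get("href") or "",
                          "onclick": a.get("onclick") or "", "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def audit_links(page_html):
    """Return (href, reasons) for anchors whose href is not where a click goes."""
    parser = LinkCollector()
    parser.feed(page_html)
    findings = []
    for link in parser.links:
        reasons = []
        js = link["onclick"].replace(" ", "").lower()
        if "returnfalse" in js:
            reasons.append("onclick returns false, so the href is never followed")
        if "location" in js or "window.open" in js:
            reasons.append("onclick navigates by script instead of the href")
        shown = link["text"].strip()
        if "://" in shown and urlparse(shown).netloc != urlparse(link["href"]).netloc:
            reasons.append("visible URL text names a different host than the href")
        if reasons:
            findings.append((link["href"], reasons))
    return findings

# Constructed page: the first link mirrors the disguised hyperlink described above.
SAMPLE = ('<a href="https://www.google.com" onclick="window.location='
          '\'https://example.test/signin\'; return false;">https://www.google.com</a>'
          '<a href="https://www.google.com">https://www.google.com</a>')
```

An email gateway or a content review step can run the same check over outbound HTML; a link that both points at Google and cancels its own click is the signature this section describes.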
