Welcome back, everybody. It's a pleasure to welcome Toshendra Sharma, who's our next speaker. Toshendra finished his MTech here in IIT Bombay in our department, working in the area of application security. Even as he was a student, he founded this company called Vegellant in 2011. His company makes cloud-based security products for enterprises. It's a startup that was incubated here at IIT Bombay. Just on a personal note, I found Toshendra one of the most enthusiastic kinds of people I could ever find. He really has tremendous hands-on experience, and because of that I've asked him to make a presentation. In fact, I've asked him to make a presentation in almost every one of my courses. Since there was a question on SQL injection and XSS, and I know he has many presentations with him, I thought it might be most appropriate to continue that thread on SQL injection. Some people had a question. He has actually shown us how we can hack into sites around the world and so on, all live. I don't know whether he's going to do that today. I hope he does, assuming the internet is working here. I think you will really have a wonderful time listening to him. You will probably not want him to stop, but of course he's a busy man these days and we'll have to wind up. Let's hope we can encounter him again in one of these things. With that, a big welcome to Toshendra Sharma.

Hello, everyone. My name is Toshendra, as sir has told you. I'll be talking about web application security. As you all must be aware, in web application security there are two major attacks, and these major attacks are SQL injection and cross-site scripting. So today I'll talk about some practical aspects of SQL injection rather than the theoretical aspects, so that we can learn or see how a web application can be hacked: how a real, live web application can be hacked and how we can actually defend it.
So we'll consider both things: how to attack and how to defend, as well as how we can programmatically sort it out and how, with a little change in the programming, we can make our application secure. So I'll start with the presentation. The first question is simple: what exactly is SQL injection? As you might have thought, SQL injection means somewhere we are injecting SQL. SQL is nothing but the Structured Query Language, which helps you in fetching some data from the database in a non-procedural way. So SQL injection is the alteration of an SQL command's purpose without the user knowing, or without the developers knowing, that these changes have occurred. You can see it as the alteration of an SQL command's purpose by injecting some special string through the user's input. For example, there is a user input called user name and password. Rather than entering the user name and password, a hacker can actually provide anything. Anything means he can even provide SQL commands in place of the user name. So what if the user name goes directly to the server and gets executed as if it were a normal user name, but actually it is an SQL query? Rather than processing it as a user name, the server will treat it as an SQL query and will execute the query. That query can be anything: it can even damage the whole table, the whole column, and it can even drop the whole database. So now you can say that injecting a complete command, with or without other letters, through the user's input into the database engine is called SQL injection. It's simply providing something which developers generally do not expect. We provide whatever we want to send, and then their program or application will accept it as an authenticated input and will process it. What is the problem with that?
Okay, so suppose a user has provided an input and we have just accepted it without considering that it might be an SQL query. Then what is the problem? The malicious command can even drop the whole table and database, as I have already mentioned, and give complete control of the database to the hacker. That can also be done by leaking the user name and password of the database. You can see a very simple cartoon here. It says that somebody named their kid Robert, single quote, bracket, terminator, drop table students, terminator, hyphen, hyphen. It means that whenever this name goes into the database, it will actually try to execute two different queries. One is the Robert, and the second one would be drop table students. That second query will actually drop the table from the database, and anyone, even the organizations or companies who are using it, will lose the complete data or information. So now who is responsible? SQL injection has occurred because of what? What would be the exact reason for having the SQL injection, who is actually responsible for defending against it, and whose responsibility is it to make it secure? I would say the reason for SQL injection is no proper sanitization of the user's input while feeding the query into the database engine. The idea is simple: whenever you are taking something from the user, you are supposed to consider that it might be malicious. So whenever you are taking an input from a user, consider that it might be malicious, sanitize it, filter it as much as you can, and then process it. Otherwise do not accept it; discard it. Now, what does sanitization mean? I'll give you one practical example. What if you are getting a letter from an unknown source, and you just accept whatever is coming inside the package and take it into your home, considering that the courier service is not going to filter your box, not going to look at or scan your boxes? Obviously you will never accept a box from an unknown source and just keep it inside your house, because it might be a bomb. It's very similar to that. Whenever you take an input from a user, no matter what kind of user you are taking it from, always and always sanitize it, always filter it, consider that it might be malicious, and only then proceed to the server-side processing, like SQL query execution or whatever you want to do.

Now, as you might be aware, in every web application there are two entities: one is the server and one is the client. So the question comes, where exactly do we need to do the sanitization? Either it should be on the server or it should be on the client. Client side means doing the sanitization inside the browser using some JavaScript; that is called client-side sanitization. If you are doing the filtering of the query, or handling the user input, on the server, inside server-side scripts like PHP, JSP or Python, then it becomes server-side sanitization. So what is the ideal condition: should it be both, or should it be either client side or server side? I would say it should be both, because it will give you an extra layer, but the ultimate requirement is server side. You cannot miss the server-side sanitization at any cost; otherwise your application will definitely be hackable.
Now I will give you a very small example in PHP. As you might be aware, this is one example where the value is coming from the $_GET array. In PHP there are two methods to send a variable to the server: one is GET and the other is POST. In GET we actually show the variable name in the URL. For example, this is the URL, and then there is a question mark, id is equal to some xyz. This xyz is actually the value that people are going to pass to the server; this method is called the GET method. Whenever you execute this URL, this variable id will be available on the server, in PHP, under the variable $_GET, which is an array, and then you have to pass the index, which is id. Now you can access the complete value xyz that has been passed. Suppose you take the xyz into the database and just process it by executing some query. It might definitely create some problem: if the xyz is actually a script, it will create a huge problem for you. So the idea is, we need to make sure that whenever somebody sends it to the server, before doing any further processing, we call a function, whatever you call it, say sanitize. This sanitize function will make sure that whatever is coming from $_GET has been sanitized, and then the sanitize function will return it to id. Now the id will be saved, and using the id further in your application will be considered secure enough.

Now if you go to the application, as you can see, we are taking the id from the $_GET variable and storing it inside $id, we are taking the password from the $_GET variable and storing it inside $password, and executing a very simple query: select star from users where user id is equal to id and password is equal to password. We are trying to check whether any row exists in the database where user id is equal to the provided id and password is equal to the provided password. This is a simple case of username and password validation. Then we are executing the query and expecting some result, which might be a number of rows or the exact row. Suppose, in place of the password, we provide this string: one, single quote, space, or, space, single quote, one, single quote, is equal to, single quote, one. What if this is the password? What if the user, rather than entering his actual password, enters this virtual password? As you can see in the next slide, in place of the password I just replaced the string with whatever we have provided and made the exact SQL query. Now if you execute this query, select star from users where user id is equal to id and password is equal to one or one is equal to one, the condition on the right-hand side of the and operator becomes a tautology and will always return true, because either password is equal to one or one is equal to one. It is very, very sure that one is always equal to one, so this will return true, and with the user id equal to whatever id you provide, you will log in. This is a simple case where you can log in to a user or admin panel without actually providing the real password: you can provide this special string and then log in.

I have a simple demo for this. I'll show you a live website where I can log in. As you can see, this is a very simple HTML form where you can just provide the user name and password, whatever the password is, and then submit the form. The server will send you the response: if the user name and password are correct it will give you login success, otherwise it will give you login failure. For example, I am going to provide the right password, so now you can see there is a login success. Now, rather than this actual password, as you can see, whatever password you provide except the real password, it will always give you login failure. So now, rather than providing this wrong password or the actual password, I am going to write a very creative string and then try to execute the query. If it is an SQL injection, it will give me the login success result. Now you can see login successful, because the query has become a tautology and it has returned true. The only thing you need to have correct is the user name, and that's it. User names are mostly available nowadays, so you can always access the pages. There are lots of live pages available on the internet, and I have some of them, but I am not sure if it is a good idea to show someone's admin panel here live, so we will skip that. Rather than that, I think we can show it here in this way. I think you might have understood what SQL injection is and how it works, how it can actually modify the query's original purpose without impacting any other thing in the program, without impacting the functionality of the program.

So now, how can we solve it, how can we protect our application? It's very simple: wherever you are taking the input from the user using $_GET or $_POST or $_FILES, or the five or six other arrays by which you can take the input from the user, always sanitize it through some sanitization methodology, which is mostly available in the form of the mysql_real_escape_string function. I will show you the practical code snippet which is secure and which is insecure in a live demo.

Okay, so now what types of SQL injection are available nowadays? We will say union-based SQL injection and blind SQL injection. Union-based SQL injection is nothing but a method of making two queries execute at the same time using a
union operator, and then in the second query we will perform whatever operation we want to perform for our own purpose. For example, suppose a hacker wants to run a select star query on a database without impacting the actual functionality of the application. Then he has to use the union operator and perform whatever query he wants in the second query. Now, what is blind SQL injection? I think I should explain blind SQL injection once I show the union-based SQL injection demo.

So we will go back to the browser. I have one live website, and I will show you some of the examples here. I am going to load the URL first. I have installed one small plugin or add-on in Firefox which is called HackBar, which will help you in executing the query in a very arranged, structured box manner. This is the URL which I am going to execute, so I will just click on execute. We will execute this query and we will see that the normal page actually loads: there is a product description, there is a clear window sticker, whatever. They are showing lots of things on the page about the price and all. These things might be coming from the database, because they are pulling the category ID from the URL and then showing the content based on the category ID. So what I am going to do, to check whether this page is vulnerable to SQL injection, is put a single quote at the end of this and try to execute. Once we execute, we will see a certain abnormality in the page. Now you can see there is a warning, which means there is an error in the page based on the SQL injection. So why is this error coming, and what is the meaning of this error? As you know, I provided only the single quote at the end of 2, and the query has shown some abnormal behaviour, saying that the query could not be executed and mysql_fetch_array is actually expecting a result parameter but we have provided something null or empty. Why is this happening? Because the single quote in my query has interrupted the actual SQL query; the single quote has caused the query to break in between. This means the single quote which I provided using the URL, or the GET method, has been passed to the database engine and has been executed, which means there is no sanitization available in the database, or in the server-side script. If there is no sanitization available at the server side, there is a possibility of SQL injection, and we are going to exploit it.

Okay, now after this, what is the second step? The second step would be to identify the number of columns in the page by using the order by query. What we are going to do is this: we will type order by, suppose, 50, for example. This will try to run the query; it will try to arrange the column as per column number 50, if and only if it exists, and if it does not exist it will give you an error. So we will again see an error, which means this column does not exist. If we try to execute with column number 5, the page loads normally, which means column number 5 exists in the table, whatever is executing this query. So now we have a good opportunity to identify, using the binary search method, what the number of columns is. I will try with 20 and we will see if the error comes. If the error comes, 20 does not exist and the number of columns should be between 5 and 20. Now we will try to execute somewhere between, say 10, and we will see. This is a very simple binary search. Now we have an error, so it means something between. Now we will try with 8. Okay, we have an error again, so it means somewhere between 5 and 8. Let's put 6. We are trying to identify the number of columns available in the table. Okay, so the answer is 5: there are 5 columns in the table. As you can see, 6 is throwing an error and 5 shows no error, so there are 5 columns in the table.

Now the next step is going to be the union, which I am going to use for injection. What we will be doing is exactly this: we will be typing union select 1,2,3,4,5. We type up to 1,2,3,4,5 because there are 5 columns. I will explain the meaning of this. It is simple: we are trying to execute one extra query besides the original query using the union operator, and we are passing select 1,2,3,4,5, where 1,2,3,4,5 are nothing but small numbers in SQL. If you execute select 1,2,3,4,5 it will return the numbers 1,2,3,4,5 as they are, meaning that if you do not provide any table name whose columns this query must be expecting, it will give you the exact numbers. So we are just trying to execute a very dummy query and we will try to see what comes; we are actually expecting the numbers in the page. Let us see what happens. As you can see, there is nothing, and it shows no changes. No changes means the query has executed successfully. Now what we need to do is suppress the original query by passing either minus 2 or putting some null, so that the original query returns zero or null results and our query, which is the right-hand side query of the union operator, returns the numbers. If you try to execute, you will see the numbers in place of the title. Where the numbers are, there was the title, which means this title was coming from column number 1, so this position was column number 1. Now we have a position where we can see the results of our query and we can process the other attacks. So now I am going to do it: in place of 1, I am going to put version and brackets. This is the simple version() function, which will help you in identifying the version of MySQL this website is running. If you execute, you will get the
version number of MySQL. So now we will start with the attack. Now we know the position where we are actually going to reflect this information. As you know, we can see the information on the page; that is why it is not called blind SQL injection. Blind SQL injection is something where you will not be able to see the output in the page in the form of some visible outcome; you will only see the response or the result in the form of other things, the load timing or the size of the page or something like that, but you will never see the result in the form of text like this. So this is not blind SQL injection.

Now, after the version, what more can we see? We can see the database which the website is using. If we execute this, now we have elastic_db as the database name. This is very simple. Now we have a database name, and we will craft our queries accordingly so that we can see the table names, because after the database name we need to know the table names. To know the table names, what we need to do is type this string after the query. As you can see, we are executing the query where after 5 we are typing from, with a space or a plus sign (both will work), from information_schema.tables where table_schema is equal to database(). Only one change we have to make: in place of the database, we want to concatenate the list of tables. So what we need to do is type group_concat, and here we type table_name, and then 2,3,4,5. What this query will do is execute the query which is after the union and try to select the concatenated table names from the list of tables where the database is actually the current database which we are running, because there are always 2 or 3 standard databases which we are not using, so otherwise it might give you a huge list of tables, which we are not going to use. So we will execute the query and see what we have. Here we have the list of tables of this website. As you can see, admin_user_information is one table, categories is one table and category details is one table, and there are three more tables. I think we can also see, as you can see, that there are more tables: contact us is also one table. I am going to use, I think, as you can see, the one table which is looking very interesting, this admin user info. We are going to use this table to identify the column names of this table. Now we will focus on this table only.

For getting the information of this table, what we need to write is, in place of table_name, we will be typing column_name, and also we will type a separator. We will try to have one separator here so that we can see all the column names separated by a certain value, so we can type 0x3a, whatever the special character; it has an ASCII value and we are providing the hexadecimal value. After this, what we have to provide is from information_schema.columns rather than tables, because information_schema.columns is the superset of all columns existing in the database. So now we have from information_schema.columns where table_name, because in place of table_schema we will use table_name, since we are going to focus on a particular table, admin_user_info. We will try to execute and see if we receive some output. Okay, now we have good output; we have the column names of the table admin_user_info. Now what are we interested in? Obviously user name and password, rather than user id. Okay, let's see all these three things, admin user id, user name and user password, or let's say focus on the admin user id and password only. For that, what we need to do is, in place of group_concat where we had the column names, we will type username, then the separator, comma, user password, because we want these two things together, and then from the table directly, because we know the table name exactly, so we can now focus on the exact table name, sorry, from... okay. So now we have the user name and password of the admin of this website, separated by a semicolon. This is good enough for us; we can now go and do whatever we want on this website. This is just for educational purposes and to demonstrate how bad it can be for a website, for a web administrator, for an enterprise, to defend their websites against hackers. This is a very simple attack, a very, very simple attack, and more complex and more creative attacks are available for SQL injection which can even kill the entire information you have on your server, and can even shut down the entire thing.

Okay, so now SQL injection is done. I will now be focusing on cross-site scripting. I will be showing some demonstrations on cross-site scripting only on the local machine, and these demonstrations will show you how cross-site scripting can affect a website and create a problem for the web administrator. So now, cross-site scripting. People have heard about this thing many times: what is cross-site scripting, why is it called cross-site and why is it scripting? Cross-site scripting means you are targeting or running the script without actually having access to the other side. So there is cross communication between the two sides, in terms of running the client-side script on the server. It is always all about a client-side script attack; it looks client-side, but it is a very, very dangerous attack. It can even cause the web application to shut down, because of the so many creative exploits they have. We generally call it XSS, or sometimes some people call it CSS. The definition of cross-site scripting is very simple: it is a security
hazard that allows crackers to interfere with your program's logic by inserting their own logic into the HTML. Remember, inserting their own logic into the HTML, not into the actual server-side code. So it is always going to affect or impact the client-side code: it might be HTML, it might be JavaScript, it might be CSS, or it might be any other thing, it might even be some creative functional tags. As you can see, I have one demo available for this. I have installed DVWA, which is nothing but a small vulnerable web application that you can use to learn multiple web exploitation attacks on the server, and you can learn how you can defend your application, how you can protect it from malicious people. There are two sections in this application, actually. There are different levels of security: you can set your security to low, medium or high. Right now, because I want to demonstrate the attacks, I am going to use the low security. We will go to XSS reflected, which is the first type of XSS attack. XSS attacks are going to be of two types, XSS reflected and XSS stored. These are the most common types, but people actually give them other names, like XSS type 0 or type 1, 2, 3; those are different views, so it does not matter. There are two major attacks: reflected and stored.

I am going to show you the reflected. In the reflected, as you can see, the page asks you for your name. Suppose I type Toshendra; it will say hello Toshendra. It means whatever I am typing in this box is actually going to be reflected or embedded back into this page, because of some server-side script they have on the panel. This is the most common example: wherever you search on your e-commerce website, on whatever website you are using, if you are going to search for some product on the website, they say you searched for x, y, z. Suppose you search for laptop; they will say you searched for laptop. It means if you put that laptop in the text box of the search box, that word is going to be embedded inside the page and will come back from the server. You are sending a text to the server and it is coming back to your browser after being embedded inside the web page. Now where is the crack, where is the beauty in this, how can we inject into this methodology? Rather than actually putting the name, we can put a script tag, and then the whole script tag, or the JavaScript tag, will go to the server, will then be embedded inside the HTML and will come back to us. What we will see is an alert box, supposing we put an alert here. As you can see, I am going to show you the demo; I am going to type script and then alert XSS. Okay, now we will submit. Now, as you can see, I can see one small pop-up from the browser saying XSS, which means I have written one small script, and now you can see it says hello and nothing else. But if you right-click on this and go to inspect element, and watch carefully in the browser, if you go inside this form you will see the script tag is already there. I have written that script, alert XSS, and instead of saying hello whatever string I have put, it has actually embedded the script, and the browser thought that the script which came inside this hello, or next to the hello, is actually a script which the page wants to execute, rather than text the page wants it to interpret. So how will the browser know whether the script tags which are coming inside the page are actually solicited or unsolicited, malicious script tags or non-malicious script tags? Ultimately there is no way for the browser to identify, but it is the responsibility of the developers to actually configure the server such that whenever you see a script tag inside the user request, you sanitize it and then send it back.

So there is a way of making it secure. Let me show you the secure version of this. I am going to DVWA Security, I will increase the security to high, and we will submit, go back to XSS reflected, and this time I will try the same thing: I will try to select the alert and submit. See, now instead of executing the script, the same whole script tag has been printed inside the browser page. Because it has been printed inside the browser page, there has to be something creative that the developer has implemented. If you go and see the HTML element of this page, right-click, inspect element, you can see very clearly that your whole script has been embedded, and rather than being executed as in the previous low security, in this case it has been interpreted by the browser as text and then printed on the screen. So what is the reason behind it, what is the difference between the source of the secure and insecure application, and what was the difference in the server-side code while doing this? This is the code-wise difference between the secure and insecure versions of the same program, where reflected XSS can be defended. If you click on compare, it will show you very clearly. First I am going to show you the normal security, or no security, or low security. As you can see, in the low security I am just trying to see if name exists in the $_GET array, and if it exists and is not equal to null, I am going to print hello and the name. This is very simple: I am just going to embed the user-submitted input inside the text. Then we go to the medium security. In the medium security I am trying to search for the script tag in the user-submitted text and we are actually replacing it with null; we are deleting the script tag from the user input. But remember, the user will never input only one type of script tag. As you can see, we can always bypass this by putting a capital S and then submitting it. As you know, HTML is not case sensitive, so it will accept it as a script tag, and here your defense will be broken. If the user submits a capital S inside the script, the whole defense will fail and the user will get exploited. But if you see the high-level security, what is the best way of doing this? Pass the variable, or pass the user-submitted data, through the htmlspecialchars function. What this function does in PHP is convert special characters like the less-than symbol or the greater-than symbol, which are nothing but the start and end of the tags, into HTML entities, which are nothing but ampersand lt. As you can see, for example, for the less-than symbol in HTML, which is nothing but the start tag or end tag of the HTML tags, there is ampersand lt terminator, and for the same, ampersand gt. So this will convert these special symbols into HTML entities, and whenever the HTML entities are seen by the browser it will always print them as a symbol rather than considering them part of the HTML tags. This conversion is the responsibility of htmlspecialchars. These are called HTML entities, and they are not at all executed by the browser; rather they will be interpreted by the browser as characters and will be printed on the screen. This is the best way to defend your application from XSS.

So now we have done XSS reflected; now it is time to see some XSS stored attacks in the browser. For XSS stored I have a very small feedback page, or sign guest book, where you can sign the guest book and then enter whatever you want to enter. I am going to first reset all the previously entered messages I have posted. For this I can go to Setup and click on create or reset database; we will reset everything and go to the XSS
stored again and we will see there is no message right so this I will go to the security we will try to reduce it to low and we will submit so now in the XSS stored what we can do is we can even store that alert message inside this box okay so I will sign this address book then what will happen this message will be embedded inside the page and will be stored permanently on the server so whenever the person will come and visit this page this script will executed which will be stored inside the page okay now we have executed this as you can see this message has been permanently stored even if I will go to some other page and will come back to XSS stored you will see the pop up again the script has been permanently stored so now I can write any kind of script which can do something like session hijacking I can steal the cookie from the browser I can even you know change the path of the user if it is possible using some URL and do whatever I want because I have and whatever this script I am going to execute I will be executing as a with the permission as a logged in user so whoever has logged in will be responsible for the execution of these scripts and so I am going to show you one good demo for this so I will be showing you first the Ajax based XSS where we will be putting a Ajax script inside the page and whenever the user will visit this page a particular Ajax script will try to submit a request in the backend will try to change the user password and user will never know that his password has been changed by the Ajax script what is Ajax? 
Ajax is Asynchronous JavaScript and XML. It is an asynchronous request submission and processing methodology where we can send an HTTP request in an asynchronous way; asynchronous means without actually impacting the current working of the page. We just send the request from the background, get the response, and we are done. So this is a very creative way to hack someone, where he will never know what has been done in the background.

For the Ajax-based exploit I have one particular script with me. In this script I first include the JavaScript from the server (I can include any JavaScript from the server), and after including this script I call the change-password function, which is defined in that script only, as you can see. I will show you the script I have written here; it is a very simple script. We go to the browser and try to paste it, but as you can see, if you try to paste it there is a restriction on the number of characters. We can always modify whatever client-side user input sanitization is there: as you can see there is a maxlength attribute, and I am going to change the 50 to 500 so that I am allowed 500 characters. Any client-side validation you can suspend by just going into the elements. So I paste it and sign the guest book. Once I sign the guest book, as you can see in the Network tab, there is a request going to the server which changes my password. In the back end a small GET request has been submitted without even asking me, the request has been processed, and my password has been changed. I am showing a small alert on the password just to make sure we know that yes, the password has been changed, but that alert can also be suppressed in the script.

I will show you exactly what this script is. It is a very simple script: we have a simple function called changePassword, and in it we send an HTTP request, sorry, the Ajax request, in the standard way of submitting Ajax. What exactly are we submitting? We open a GET request to this URL, which is the request to change the password; this is a special request URL in DVWA which we are going to use, and this will change the password. So we have included this script first, and after including it we just execute this function, very simple, and whenever the ready state is 4 and the HTTP status is 200, meaning we have received the response, or the server has processed the request, we just show an alert. I can submit this request any time, any number of times, without hurting anything. So this is a simple example of Ajax with stored XSS. It can be very dangerous in terms of changing the password or submitting any kind of request to the server without letting the user know what kind of request he or she has submitted. The request can be sending a friend request to someone, sending an email to a particular user; all these requests can be submitted, depending upon the server and the kind of script we have.

OK, now the second kind of attack, the second stored XSS: I am going to show you how we can steal the cookie of a user and store it on the server, the hacker's server, using stored XSS. The exploit is going to be this. This is a small exploit which will steal the cookie of the user who logs in and visits that page, and will submit the cookie to the server. As you can see, the server which will receive the cookie is going to be localhost/demo/xss/stored/getdata.php. getdata.php is a small script which just takes the arguments that come in and stores them inside the file info.txt. I will show you the code of getdata.php as well. Here is the code; as you can see it is very simple: it opens the file info.txt on the server in append mode, starts writing lines, iterates over each key and value coming in the request and writes them into the file, after that puts a newline (\r\n), and then closes the file. Very simple: just fetch whatever is coming and store it inside the file, nothing more than this. Now, this script is stored on the malicious server; you can consider that this server can be a malicious server, it can be www.xyzhacker.com/getdata.php.

So I am going to store this document.write. What we are doing exactly here is: first we create some variables, cookies, which is document.cookie, and cookies_request, which is cookies.replace, so we just replace some characters, filtering out semicolons and runs of spaces, with the ampersand sign; we are just executing a regular expression. After that we execute document.write, which creates an element inside the web page, a DOM element inside the current DOM: an image tag where the source of the image is this URL. Obviously the source of an image should be an image file, but what we are doing is creating a source which is exactly the hacker's URL. So what will happen is that the browser will try to render this image, will try to open this URL, and while opening this URL it will accidentally submit the cookie to the server. So rather than opening the image from the URL it will access this URL and submit the cookie to the server. Which is obviously unfortunate; this is not something the browser thinks might happen, but this is something creative, OK?

So I am going to copy this entire thing with Ctrl+C and go back to the stored XSS part. As you can see, two alerts will execute: one for the XSS and another for the changing of the password, which has been changed now. I am going to paste this; since there is a limit on the length, as you can see if I paste it, it gives me the limit, so I can suspend this limit by going to Inspect Element and changing the maxlength to 500. Now I can Ctrl+A, Delete, then Ctrl+V, then sign the guest book. Since I am signing the guest book, the two older messages just execute as they are, and for the third one, as you can see in the Network tab, there is one request which is for getData.php. So a third request has been submitted for getData.php, and once this request has been submitted, the server receives the cookie. I will show you the folder where we store info.txt. I have just opened info.txt and we have the cookie from the browser now: there are two elements, security and PHPSESSID. So we were able to steal the session ID. As you know, if you can steal the session ID of a PHP session you can even hijack the complete session and use it. So session stealing and session hijacking can be done using this attack; that is why XSS is considered a very dangerous attack, because there are lots of different variants and unique attacks you can create using XSS.

So this is about stored XSS. The players, I think we were talking about this: the attacker, the company's web server and the client. XSS attacks are mostly client-side attacks, and some of them are server-side because they store the information on the server on a permanent basis. Some people call them first order and second order; these are nothing but stored and reflected attacks, nothing more than this. A website can be defaced temporarily or permanently; defaced means somebody can put a funny face on your website, and whenever people come and visit they will find that image or text very offensive, and then the whole thing can go bad, because people will never come back to your website once it has been hacked. It is nothing but the user's trust which you are breaking, and once the user's trust is broken nobody will come back to use that website, so ultimately the website's business and image can be lost. And the session can be stolen in a very dangerous way; I have shown you one example of stealing the PHP session variable, and after that you can continue the story by stealing the complete session. There are lots of other dangerous attacks you can create, and XSS is not limited to these things; there are so many varieties, so many vulnerabilities related to XSS. So you should be very careful. The best way to defend against XSS is to always sanitize the user input. Consider that users are always going to send malicious input, and then take whatever steps are required to protect your assets, your information and your server. Never assume, as developers generally do, that whatever the users input, they are going to be generic users; they are not always going to be generic users, there will be some malicious script kiddie or hacker who will come and try to play with your website. So always keep these people in mind and then design your application.

If you have queries regarding the session, please press hand raise.

I am Dave Shekhar. I have a query related to the username and password of the operating system. I don't know where the operating system stores the username and password; if they store the password in a database, can we use SQL injection to log in to Windows or Linux?

No, actually they don't store the username and password in a database. They have a very creative system where they store it; these are called keys, actually, as you might know there is a key-based system in Windows. So stealing the username and password of a Windows user is not possible, but yes, there is a very creative way of resetting the username and password without even logging in, and accessing the admin account of Windows 7 or Windows 8 without actually deleting the previous account. Suppose Windows is locked, you want to log in and access particular data inside it; there is a way of creating a new user, assigning that new user admin permission, and then logging in as that user, and after logging in you can even delete the previous authentic user, so ultimately you will own the machine. You can Google this; I think there are a lot of resources available on it, and we also have a blog on how to reset the Windows admin password. But SQL injection is not the answer for this, that is for sure.

My question is about what you explained regarding SQL injection and XSS. If any website is there, how do we check whether that particular website is vulnerable, what is the step-by-step process to find all the vulnerabilities of a particular website?

OK, so you are asking what the step-by-step process is to identify whether a website is vulnerable or not, right? See, there are actually lots of security scanners available on the internet which will help you in identifying the security bugs in your website. They will just scan the website and give you a vulnerability report, and there are lots of open source scanners available too. If you see the OWASP page there are more than 10 open source security scanners available; Nessus is one of them, Nessus is very good, and people use Metasploit as well to scan for vulnerabilities on a website, and Acunetix, which is a paid version but is very good. So these are a few pieces of software you can use to identify vulnerabilities. And if you see a URL on the internet and want to check whether this URL is hackable or not: if the URL has a certain structure, with a question mark and then id=XYZ, put a single quote at the end of the XYZ and see whether the page throws an error. If the page throws an error, it means there is no sanitization on the server side, and you can start exploiting the server with the other SQL injection commands. There are lots of SQL injection tools available; even I have one right now where you just pass the URL and press the button, that is it. You do not even have to do the entire SQL injection query, the UNION and so on; you just paste the URL and press Inject, and they will scan and attack the whole system. So I think automated scanners are the solution, but yes, manual audits are one of them, and manual audits are very expensive, very time consuming and need some experts; not everyone can manually inspect the code and see whether it is hackable.

I have one question: can we perform SQL injection and cross-site scripting simultaneously?

Yes, we can; there are lots of options available in performing SQL injection and cross-site scripting together. See, cross-site scripting is nothing but a way of sending and fetching data, right? So the client-to-server communication can be designed by XSS, and inside the XSS, whatever script you are writing, for example in the Ajax request I can write a request that submits a form, and in that form I can send a SQL query. So it is like joining SQL injection and XSS: using XSS, like Ajax, we submit the request, and in that request we perform the SQL injection. Both things can be merged. It is like in construction: there are two tools, one for one purpose and another for another, and if you use both tools maybe your productivity might increase, or you might exploit more information very quickly. It can happen.

I would like to know more on DOM-based XSS, and question number two, I would like to know whether there are any new attack vectors other than SQL injection, XSS and hijacking, since these have been around for a while; did you see any other new vectors?

Right, so first the DOM-based attack. For DOM-based attacks I have one demo, but I am not very confident about showing it, because it is an Indian university which has a DOM-based exploit on its website. So, for example, as I have shown you, window.document, window.write or document.write: whatever XSS is using these commands for manipulating the HTML elements of a DOM object is called DOM-based XSS. Everything will remain the same except that they will be using the document.* objects, the DOM objects, so these are called DOM-based XSS.

Second, about new kinds of attack: yes, there are lots of new attacks available. Heartbleed is one of them; I think you might have heard that there was a very creative attack, actually a vulnerability in the SSL implementation in OpenSSL. Except for this, in web-based applications DoS attacks are nowadays very common, where people submit requests in a very creative way and try to suspend the operation of a website; we call it a denial of service attack, right? And the denial of service attack has been taken to another level by going into DDoS, distributed denial of service, where we try to send multiple requests to the server from distributed servers, multiple servers; these are other creative attacks. Then authentication bypass and cookie manipulation are others; not only SQL injection, people actually implement code which can be broken in multiple ways, so there are lots of ways to hack it. SQL injection and cross-site scripting actually cover more than 30 to 40% of the vulnerabilities available in web applications, and the variety of these vulnerabilities is more than any other, right? Header injection attacks are another one: in a header injection attack we try to inject certain information using the HTML header which we submit from the user to the server. So the thumb rule will remain the same: whenever you are getting something from the user, even if it is a header, even if it is a request header, you are supposed to sanitize it. Consider that there might be malicious input from the user; that is the answer.

One more question: what are the new attack methods you see on Android?

So we are actually working on Android application security, and from the company side we are launching abvigil.co, a SaaS-based, cloud-based Android app security scanner. It will help people scan for security vulnerabilities in their Android application and give them a report in a very detailed manner, pinpointing the package name, class name and method where the vulnerability exists. So we have written a static source code analyzer for Android application security. In Android applications, actually, intent spoofing is one of the big problems nowadays: whenever intents are transmitted from one application to another application they can actually be spoofed. If you are not setting up the permissions in your application, or whenever you are creating an application you are not setting the permissions in a proper way or restricting the broadcasts, sticky broadcasts or other kinds of broadcasts, then it might create a problem for the application. So that is Android security; there are lots of problems.
If I am setting up a private cloud, in which layer do we have to prevent this SQL injection?

See, cloud providers never provide security at the server level: once you install the server, after the installation, application level security is your responsibility. We are using the Amazon cloud, and we found that Amazon is responsible for server-to-server communication and the security of the server, but after that, if you install a vulnerable application and your application is hacked, then it is your responsibility. So OS level security is provided by Amazon, but application level security is your responsibility; you have to deploy the defenses in the application you are creating. Second, while you are configuring the cloud you need to make sure that the permissions you give for accessing one server from the outside world, or one server from another server, are properly configured. For example, you may give permission on all the ports of a server when you are supposed to give permission only on port 80 for web access and close the rest of the server, but sometimes, just for the sake of getting things working, you give all the permissions to the server. Such security is your responsibility. In the cloud there are different sub-networks, so you need to make sure whether you are creating the subnet as public or private. For example, if you are creating a database server, you would like to create the database server inside the private subnet rather than the public subnet, because obviously you would not want to share the database with the outside world. So there is lots of configuration security you can also look at.

We have three questions. First one: how to check the vulnerability of a website, and what kind of tool can we use for it?

How to check the vulnerability of a website: one is the manual option, which is obviously time consuming; you go to a form, try to submit a script, try to submit a SQL query inside the form and see what happens. It is like a hit-and-trial method; yes, it is successful, but it is time consuming, and you need to have good knowledge about SQL queries and the vulnerability before actually going for this method. The second option is the tools which are available, and most of these tools are open source and free. You can go to the OWASP website; there is a list of OWASP security scanners available for free, which are open source, non-commercial tools, and you can even contribute to these tools by forking the repository. The success of these tools is not 100%, of course; they will be 50 to 60% successful, but if you want a very deep analysis then I think you have to go manually for scanning and identifying the vulnerability.

Suppose there is a SQL injection attack or an XSS attack; how will we identify it and how do we work on protecting from it?

So identification, I have told you: whenever there is SQL injection, if you submit a form, or whenever you submit user input to the server, if you pass a single quote inside the string the whole query will be disturbed; that is how you can detect the SQL injection attack. Defending against SQL injection: use a parameterized query, where you create the query not by just passing the variable into the query but by using parameterized objects, which are available in Java, and for PHP there is a function called mysql_escape_string which will help you in escaping certain special characters using the forward slash, so that special characters like the single quote, ampersand or at symbol do not have a special meaning in the string.
So escaping the string is one answer, and parameterized queries using the JDBC objects or classes are the best option for defending the application.

Suppose I have a website and there is an attack, SQL injection or XSS, whatever it may be, and the hacker changes the password of my website or the admin password; how can I get back my password and how can I get back my website?

See, the first thing is that you have the admin or root username and password with you, right? So until and unless you are giving the root username and password to the server, or he is not able to get it, I think you can protect it. But if he got access to the root username and password then I think you have to contact the company from where you purchased the server so that they give you access back, because that would be a big deal.

First question: can we monitor SQL injection through server log files?

See, if you have set up the logs properly; by default these logs are not available like this. If you buy a server and start setting up the MySQL server for that application, by default the logs will not be available. If you are smart enough to set up the log threshold at debug level, store every query which is coming from the user, and then monitor it, then only is it possible. So by default it is not available, you have to set it up manually, but yes, it is possible to track SQL injection attacks through logs.

What are the effective remedies for SQL injection?

Effective remedy: see, once it has been done, you need to identify the points where you are taking input from the user and passing it to the query without sanitizing it. First you need to fix these points, and after that clean the database, format everything and then go ahead, because you are not sure whether the hacker has uploaded a small malware or a backdoor somewhere in a corner of your server; you need to scan the whole server to make sure that it is safe now.

How can we minimize the false alarm ratio in SQL injection?

You want to minimize the false alarms in SQL injection; it does not make sense to me right now. I think you are trying to say that you have set up a detection system on your server, you want to check whether SQL injection is being done by a user, and it should not give you a false alarm, right? So first you need to set up a tracking system which will track the SQL injection coming from the user, and if it has found some SQL injection then you raise an alarm. Reducing false positives is applicable in that case only; otherwise, if somebody is hacking, there is no sense of a false positive.

Can you explain to us sanitization, the use of sanitization? It is used for verification, from the server side, of what the user has given; that is what I understood.

So I will just show you in the presentation.
Suppose we have a function called sanitize. Virtually, it is a function which will sanitize everything. So what is the difference between using sanitization and not using it? Say you are using this function, sanitize, and you are passing a string inside double quotes which is something like: a, b, c, single quote, x, y, z, then the percent symbol, then 1, 2, 3, then m, then the percent symbol. This is the string you are passing to the sanitize function. If you do not use the sanitize function then this string will remain as it is and will cause a problem for the server; but if you use this function then the returned variable would be something like: a, b, c, forward slash, single quote, x, y, z, forward slash, percent, 1, 2, 3, forward slash, m, percent. So now this string becomes an actual string and will have no impact on the server; the server, or MySQL, will consider it a normal string without any problem. This is called sanitization. This is one example of sanitization; besides this there are lots of different ways, and it depends on the different cases what sanitization is. Suppose I say that even the letter a, small a, is considered malicious by me; then sanitization for me means removing this a. So sanitization actually depends upon the server, which considers which part as malicious; for example, for MySQL the percent symbol and the single quote are the malicious ones. So these are the sanitizations.

My question is, how can we bypass the high security XSS level, and then how to prevent it?

Well, see, you have to come up with some creative attack vectors by using some methodology, like special character sequences which might bypass the defense. For example, I told you that the defense applied on the server was replacing the string "<script>"; if somebody puts a capital S in the script tag it will bypass. So your bypass methodology will depend upon the server's defense, whether it is weak, high or very strong. I will say if it is very strong, monitoring everything, defending everything, it will be really hard to bypass it, right? And the second question was how to prevent it: I think I have shown the function for this, HTML entities; there is a function called htmlspecialchars or htmlentities in PHP, and similarly in other languages there is a function available for converting special characters into HTML entities and then processing it on the server. Except for this, user input sanitization is the thumb rule for any kind of defense. So these are the ways to defend it. Thank you, sir.
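As an added, stand-alone example (not code from the lecture, the speaker or DVWA), the following Python script puts the two defensive points of this session side by side: the three reflected-XSS handlers compared earlier (verbatim embedding, the case-sensitive removal of "<script>" that a capital S bypasses, and htmlspecialchars-style entity encoding) and the SQL side of the sanitize() discussion just above (backslash escaping versus a parameterized query, together with the single-quote probe from the Q&A). The function names hello_low/hello_medium/hello_high, sanitize, login_concat and login_param, the users table and its single row, and the two payloads beyond the lecture's capital-S case (a nested <scr<script>ipt> tag and an <img onerror> handler) are assumptions made for this example. The database is an in-memory SQLite one, which escapes a quote by doubling it rather than with a backslash, so sanitize() is shown as the MySQL-style escape and is not what runs against SQLite here.

```python
# Added example: DVWA-style reflected XSS handlers and the sanitize/parameterise
# question, side by side. Standard library only; not the lecture's or DVWA's code.
import html
import re
import sqlite3

# ---- XSS: three ways of echoing "Hello <name>" (assumed names, modelled on DVWA low/medium/high)


def hello_low(name: str) -> str:
    """Low: user input embedded verbatim in the page."""
    return "Hello " + name


def hello_medium(name: str) -> str:
    """Medium: blacklist. Deletes the literal, lowercase '<script>' (str_replace style)."""
    return "Hello " + name.replace("<script>", "")


def hello_high(name: str) -> str:
    """High: htmlspecialchars equivalent. < > & " ' become entities, so the browser
    prints them as characters instead of parsing them as markup."""
    return "Hello " + html.escape(name, quote=True)


# A browser starts a tag at '<' followed by a letter; any raw occurrence left in the
# output means the input is still parsed as HTML. Crude check, written for this example.
_RAW_TAG = re.compile(r"<[A-Za-z]")


def contains_raw_tag(rendered: str) -> bool:
    return _RAW_TAG.search(rendered) is not None


# Constructed payloads: the lecture's alert, its capital-S bypass, and two more that
# the delete-the-tag blacklist also misses (these go beyond the lecture's own case).
PAYLOADS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<scr<script>ipt>alert(1)</script>",  # deleting the inner '<script>' reassembles the outer one
    "<img src=x onerror=alert(1)>",       # no script tag at all
]


def xss_report() -> dict:
    """For each payload: does each handler still hand the browser a raw tag?"""
    return {
        p: {
            "low": contains_raw_tag(hello_low(p)),
            "medium": contains_raw_tag(hello_medium(p)),
            "high": contains_raw_tag(hello_high(p)),
        }
        for p in PAYLOADS
    }


# ---- SQL: the lecture's sanitize() versus a parameterised query


def sanitize(s: str) -> str:
    """MySQL-style escaping (mysql_escape_string / addslashes): a backslash in front of
    quotes, backslashes and NUL so they lose their meaning inside a quoted literal.
    '%' and '_' are left alone; they only matter inside a LIKE pattern. SQLite, used
    below, escapes a quote by doubling it, so this function is not applied there."""
    return s.translate({ord("\\"): "\\\\", ord("'"): "\\'", ord('"'): '\\"', 0: "\\0"})


def setup_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the query is built by string concatenation, as in DVWA's low level."""
    q = ("SELECT COUNT(*) FROM users WHERE username = '" + username
         + "' AND password = '" + password + "'")
    return conn.execute(q).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: placeholders; the driver binds the values and never parses them as SQL."""
    q = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(q, (username, password)).fetchone()[0] > 0


def probe_single_quote(conn: sqlite3.Connection) -> bool:
    """The detection trick from the Q&A: append a single quote to the input and see
    whether the query breaks. True when the database reports a syntax error."""
    try:
        login_concat(conn, "admin'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for payload, hit in xss_report().items():
        print(f"{payload!r:40} {hit}")
    db = setup_db()
    print("probe breaks the query:", probe_single_quote(db))
    print("concat, ' OR 1=1 -- :", login_concat(db, "' OR 1=1 --", "anything"))
    print("param,  ' OR 1=1 -- :", login_param(db, "' OR 1=1 --", "anything"))
    print("sanitize:", sanitize("abc'xyz%123m%"))
```

Run it as a script to see the table: the medium handler stops only the exact lowercase payload, the high handler leaves no raw tag for any of them, the single-quote probe raises a syntax error against the concatenated query, and the classic ' OR 1=1 -- username logs in through login_concat but not through login_param.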