SQL Injection and CSRF Lab

1 SQL injection

Task 1.
Assume that the database stores only the SHA-256 hash of the eid and password columns. The following SQL
statement is sent to the database, where the values of the $passwd and $eid variables are provided by
users. Does this program have a SQL injection problem?
$sql = "SELECT * FROM employee WHERE eid='SHA2($eid, 256)' and password='SHA2($passwd, 256)'";
Task 2.
This problem is similar to the last task, except that the hash value is not calculated inside the SQL statement; it is calculated in the PHP code using PHP's hash() function. Does this modified program have
a SQL injection problem?
$hashed_eid = hash('sha256', $eid);
$hashed_passwd = hash('sha256', $passwd);
$sql = "SELECT * FROM employee
WHERE eid='$hashed_eid' and password='$hashed_passwd'";
For the hash() function, see its page in the PHP manual.
Task 3.
What if the SQL statement is constructed in the following way (with a line break in the WHERE clause), can
you still launch an effective SQL injection attack?
SELECT * FROM employee
WHERE eid='$eid' AND
password='$password'
Task 4.
Please modify the following program to use a prepared statement.
$sql = "UPDATE employee SET password='$newpwd' WHERE eid ='$eid' and password='$oldpwd'";
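The harness below is added here so you can check your reasoning on Tasks 1 to 4 against a real database engine; it is not part of the SEED lab and the tasks remain for you to answer. It is written in Python on an in-memory SQLite table rather than PHP/MySQL so that it runs without a web stack; the f-strings build each statement exactly as the lab's PHP string interpolation does. The table layout and the two sample employees are constructed for this example. One engine difference to keep in mind: SQLite's line comment is "--", where MySQL also accepts "#"; both end at the next newline, which is what Task 3 turns on.

```python
"""Check harness for Tasks 1 to 4 (added example, not part of the SEED lab).

Runs the lab's statements, built by string interpolation exactly as the PHP
does, against an in-memory SQLite table so the effect of an injected input can
be observed. Table layout and sample rows are constructed for this example.
"""
import hashlib
import sqlite3

# Constructed sample employees (eid, password); not from the lab.
EMPLOYEES = [("1001", "alice-pw"), ("1002", "bob-pw")]


def sha256_hex(value):
    """Same output as PHP's hash('sha256', $value)."""
    return hashlib.sha256(value.encode()).hexdigest()


def fresh_db(hashed=True):
    """New in-memory table. hashed=True stores SHA-256 hex in both columns
    (the assumption of Tasks 1 and 2); hashed=False stores plain values
    (the shape the Task 4 statement works on)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (eid TEXT, password TEXT)")
    rows = [(sha256_hex(e), sha256_hex(p)) if hashed else (e, p) for e, p in EMPLOYEES]
    conn.executemany("INSERT INTO employee VALUES (?, ?)", rows)
    return conn


def task1_sql(eid, passwd):
    # Task 1 as printed: SHA2(...) sits inside the quotes, so it is text in a
    # string literal and never executes; $eid is spliced into that literal raw.
    return (f"SELECT * FROM employee WHERE eid='SHA2({eid}, 256)' "
            f"and password='SHA2({passwd}, 256)'")


def task2_sql(eid, passwd):
    # Task 2: hashing happens in application code; only 64 hex chars reach SQL.
    return (f"SELECT * FROM employee WHERE eid='{sha256_hex(eid)}' "
            f"and password='{sha256_hex(passwd)}'")


def task3_sql(eid, password):
    # Task 3: same interpolation, with the newline inside the WHERE clause.
    return f"SELECT * FROM employee\nWHERE eid='{eid}' AND\npassword='{password}'"


def rows_or_error(sql, hashed=True):
    """Run a concatenated statement; return the matching rows, or the parser's
    error text when the injected input left the statement unparseable."""
    try:
        return fresh_db(hashed).execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def task4_concat(conn, eid, oldpwd, newpwd):
    """The Task 4 statement as given (string concatenation). Returns rows changed."""
    sql = (f"UPDATE employee SET password='{newpwd}' "
           f"WHERE eid ='{eid}' and password='{oldpwd}'")
    return conn.execute(sql).rowcount


def task4_prepared(conn, eid, oldpwd, newpwd):
    """Prepared-statement form: '?' placeholders. The driver hands the values
    to the engine separately from the statement text, so a quote inside eid
    is just a character in the value and can never end the WHERE clause.
    Returns rows changed."""
    return conn.execute(
        "UPDATE employee SET password=? WHERE eid=? AND password=?",
        (newpwd, eid, oldpwd),
    ).rowcount


if __name__ == "__main__":
    probe = "' OR 1=1 -- "          # classic probe; MySQL also accepts '#'
    print("Task 1, probe:", len(rows_or_error(task1_sql(probe, "x"))), "rows")
    print("Task 1, real login:", len(rows_or_error(task1_sql("1001", "alice-pw"))), "rows")
    print("Task 2, probe:", len(rows_or_error(task2_sql(probe, "x"))), "rows")
    print("Task 3, probe:", rows_or_error(task3_sql(probe, "x")))
    print("Task 3, no comment needed:",
          len(rows_or_error(task3_sql("' OR 1=1 OR '1'='", "x"))), "rows")
    db = fresh_db(hashed=False)
    print("Task 4 concat changed:", task4_concat(db, "1001' -- ", "wrong", "pwned"))
    print("Task 4 prepared changed:", task4_prepared(fresh_db(False), "1001' -- ", "wrong", "pwned"))
```

Try your own probes in place of the ones in the main block: the Task 3 run shows why a probe that relies on a line comment behaves differently when the rest of the condition continues on the next line, and the Task 4 pair shows the same input changing a row under concatenation and changing nothing under a prepared statement.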
2 Cross Site Request Forgery

Part of the CSRF lab will be delivered next week.
Task 5.
Using the LiveHTTPHeader add-on, we find out that the following GET request is sent to
www.example.com to delete a page owned by a user (only the owner of a page can delete it).
http://www.example.com/delete.php?pageid=5
GET /delete.php?pageid=5
Host: www.example.com …
Please construct a simple malicious web page, so that when a victim visits it, a forged request is launched against www.example.com to delete a page belonging to the user.
Lab 8 –Web Security – SQLinjection-2 & CSRF
Task 6.
Do browsers know whether an HTTP request is cross-site or not?
Task 7.
Do servers know whether an HTTP request is cross-site or not?
Task 8.
Why is it important for a server to know whether a request is cross-site or not?
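The check below is added here as an illustration of Tasks 6 to 8 in code; it is not part of the SEED lab. The browser always knows which document caused a request, because it is the one issuing it; it passes that knowledge on to the server only through headers, namely Sec-Fetch-Site in current browsers and, for some requests, Origin and Referer. The server knows only what those headers say, and a plain cross-site GET such as the one an img tag issues carries no Origin in most browsers, so a server without Sec-Fetch-Site is guessing from Referer, which the attacking page can suppress. The site name is the lab's www.example.com; the sample header sets are constructed for the example, and the two-label "site" helper is a simplification (real code uses the Public Suffix List).

```python
"""Server-side check of whether a request is cross-site (added example, not
part of the SEED lab). SITE_HOST is the lab's www.example.com; the sample
requests are constructed header sets, not captured traffic."""
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"


def site_of(host):
    """Registrable site for this example: the last two labels of the host
    (example.com). Real code should consult the Public Suffix List."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def classify(headers):
    """Return 'same-site', 'cross-site' or 'unknown' for one request.

    Trust order: Sec-Fetch-Site (set by the browser, not writable by page
    script), then Origin, then Referer. When none is present the server has
    no way to tell, which is the honest answer to Task 7 for older browsers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs in ("same-origin", "same-site", "none"):   # 'none' = user typed/bookmarked the URL
        return "same-site"
    if sfs == "cross-site":
        return "cross-site"
    for name in ("origin", "referer"):
        value = h.get(name)
        if not value:
            continue
        if value == "null":            # opaque origin: sandboxed frame, data: URL, etc.
            return "cross-site"
        host = urlsplit(value).hostname
        if host is None:
            return "cross-site"
        return "same-site" if site_of(host) == site_of(SITE_HOST) else "cross-site"
    return "unknown"


def allow_state_change(headers):
    """The decision a handler such as delete.php should take before acting:
    fail closed unless the browser said the request came from our own site.
    This is why Task 8 matters: without it the forged GET from Task 5 is
    indistinguishable from the owner's own click."""
    return classify(headers) == "same-site"


# Constructed sample requests (header dicts), not captured traffic.
FORGED = {   # victim's browser rendering the attacker's page that embeds the delete URL
    "Host": "www.example.com",
    "Referer": "http://attacker.example/evil.html",
    "Sec-Fetch-Site": "cross-site",
}
LEGIT = {    # the owner clicking Delete on the site's own page
    "Host": "www.example.com",
    "Referer": "http://www.example.com/pages.php",
    "Sec-Fetch-Site": "same-origin",
}
BARE = {"Host": "www.example.com"}   # old browser or stripped headers: nothing to go on


if __name__ == "__main__":
    for label, req in (("forged", FORGED), ("legit", LEGIT), ("bare", BARE)):
        print(label, classify(req), "allow:", allow_state_change(req))
```

Note that the bare request is refused as well: a server that wants to use headers for this decision has to treat their absence as a failure, which is one reason the token-based defences in the OWASP cheat sheet referenced under Task 10 remain the primary countermeasure.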
Task 9.
For this task you will need the Vbox-SeedUbuntu virtual machine, which you should have set up last week. In the SeedUbuntu Firefox, install the HTTP Header Live add-on.
Open the CSRF lab site from Sites for LAB, as shown in the image below.
Make sure that HTTP Header Live is visible; under the View menu's sidebar entry you will find the option to turn HTTP Header Live on and off.
Log in to the CSRFLabSite application and note the different HTTP headers generated.
What HTTP method is used to authenticate the user? What is the cookie value?
Task 10.
Next lab we will look further at CSRF attacks and their countermeasures. It is worth looking at: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
3 PHP filters
Validating data = determine whether the data is in the proper form (and reject it if not).
Sanitizing data = remove any illegal characters from the data.
https://www.w3schools.com/php/php_filter.asp
https://www.php.net/manual/en/filter.filters.sanitize.php
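The distinction matters for an input like the pageid of Task 5. The example below is added here and is not from the SEED lab; it approximates in Python what PHP's FILTER_VALIDATE_INT and FILTER_SANITIZE_NUMBER_INT do, so that the two behaviours can be compared on constructed inputs without a PHP stack. The regular expressions are this example's reading of the PHP manual's descriptions, not PHP's own implementation.

```python
"""Validation versus sanitization of an integer id (added example, not from
the SEED lab). Approximates PHP's FILTER_VALIDATE_INT and
FILTER_SANITIZE_NUMBER_INT; all inputs below are constructed."""
import re


def validate_int(value):
    """Like FILTER_VALIDATE_INT: accept a whole integer with optional sign and
    surrounding whitespace, no leading zeros. Returns the int, or None to
    signal rejection, so the caller can refuse the request."""
    value = value.strip()
    if re.fullmatch(r"[+-]?(0|[1-9][0-9]*)", value):
        return int(value)
    return None


def sanitize_int(value):
    """Like FILTER_SANITIZE_NUMBER_INT: strip everything except digits, plus
    and minus. Always returns something, even for hostile input."""
    return re.sub(r"[^0-9+-]", "", value)


def page_id_or_reject(value):
    """What a handler like delete.php should do with pageid: validate and
    reject. Sanitizing instead would turn "5' OR 1=1" into "511", a different
    but valid-looking id, so the request would silently act on another page."""
    return validate_int(value)
```

The caveat is the reason validation is preferred for identifiers: a sanitizer never says no, it just hands back a cleaned value whose meaning may no longer be what the user (or attacker) sent.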
4 Optional.
Don't forget to explore DVWA (Damn Vulnerable Web Application), a well-known deliberately vulnerable application for practising web security.
Explore vulnerabilities in DVWA:
a) Install it from http://www.dvwa.co.uk/
b) Host it in your Apache virtual hosts
c) The knowledge gained in this lab can be applied to it.
Reference and acknowledgement.
Copyright © 2006 – 2016 Wenliang Du, All rights reserved.
Free to use for non-commercial educational purposes. Commercial uses of the materials are prohibited. The SEED project was funded by multiple grants from the US National Science Foundation.