1
00:00:09,856 --> 00:00:10,166
>> All right.

2
00:00:10,166 --> 00:00:10,806
Welcome back.

3
00:00:11,106 --> 00:00:12,226
This is Section 8.

4
00:00:12,606 --> 00:00:13,426
I'm Chris Gerber.

5
00:00:13,426 --> 00:00:16,356
Tonight I'm going to be
talking about SQL injection.

6
00:00:16,356 --> 00:00:17,496
Cross-site scripting.

7
00:00:18,006 --> 00:00:19,526
Cross-site request forgery.

8
00:00:19,656 --> 00:00:20,806
The exec command.

9
00:00:20,806 --> 00:00:23,146
And all sorts of things
that you can do wrong

10
00:00:23,146 --> 00:00:25,806
and how we can protect
ourselves against these things.

11
00:00:26,456 --> 00:00:27,856
David just covered
a lot of this.

12
00:00:27,916 --> 00:00:29,906
But tonight we'll actually
get to play with some code

13
00:00:29,906 --> 00:00:32,946
that I've written so that you
can actually see these problems

14
00:00:32,946 --> 00:00:33,716
happening live.

15
00:00:34,266 --> 00:00:38,686
As a starting point, I've
already posted my code.

16
00:00:38,686 --> 00:00:42,326
You'll see it on the
website tomorrow.

17
00:00:42,326 --> 00:00:43,666
But if you're following
along at home,

18
00:00:44,136 --> 00:00:46,866
you can actually clone my code
down right now to follow along.

19
00:00:47,076 --> 00:00:49,956
Git clone, it's up on
Bitbucket under my account,

20
00:00:49,956 --> 00:00:51,986
and it's section8.git.

21
00:00:54,696 --> 00:00:55,416
All right.

22
00:00:56,006 --> 00:00:58,626
So the first topic we're going
to talk about is SQL injection.

23
00:00:59,476 --> 00:01:01,776
So we've got a snippet
of code here.

24
00:01:02,426 --> 00:01:04,246
And I might ask, what looks

25
00:01:04,246 --> 00:01:06,276
like could possibly be
wrong with this code?

26
00:01:06,706 --> 00:01:07,586
Any thoughts?

27
00:01:08,516 --> 00:01:17,246
[ Background Sounds ]

28
00:01:17,746 --> 00:01:17,976
Sure.

29
00:01:18,516 --> 00:01:28,866
[ Inaudible Comment ]

30
00:01:29,366 --> 00:01:32,486
So it's going to match the
first row for the username

31
00:01:32,486 --> 00:01:33,956
and password, but
what's wrong there?

32
00:01:34,516 --> 00:01:39,006
[ Background Sounds ]

33
00:01:39,506 --> 00:01:39,766
Nothing?

34
00:01:40,516 --> 00:01:49,876
[ Inaudible Comment ]

35
00:01:50,376 --> 00:01:52,336
Okay. So the 1 is actually
something different here.

36
00:01:52,426 --> 00:01:56,446
The 1 just says, return
the value 1 specifically,

37
00:01:56,766 --> 00:01:58,376
in a column called
1 coincidentally,

38
00:01:59,546 --> 00:02:00,756
if this record is found.

39
00:02:01,386 --> 00:02:03,846
But I think I had
another possibility.

40
00:02:03,996 --> 00:02:07,806
>> Yes. Can someone
potentially input,

41
00:02:07,806 --> 00:02:11,776
insert some SQL code inside
the, one of the variables?

42
00:02:12,106 --> 00:02:12,606
>> Exactly.

43
00:02:12,606 --> 00:02:15,396
So the problem here is
I'm not doing anything

44
00:02:15,396 --> 00:02:17,606
to protect these two
variables, user and password.

45
00:02:17,606 --> 00:02:20,236
So someone could actually
start injecting SQL code there.

46
00:02:21,196 --> 00:02:26,256
So what if password
was set to quote

47
00:02:26,386 --> 00:02:27,986
or quote quote equals quote?

48
00:02:29,176 --> 00:02:32,396
Basically, telling me
that I would append

49
00:02:32,396 --> 00:02:34,396
in another option
here, the "or."

50
00:02:34,916 --> 00:02:38,856
Quote quote always
equals quote quote.

51
00:02:38,986 --> 00:02:40,816
So this would always
return true.

52
00:02:41,556 --> 00:02:42,606
So that gets interesting.

53
00:02:43,056 --> 00:02:44,916
The other one that's
interesting is if user happened

54
00:02:44,916 --> 00:02:47,896
to be quote semicolon
drop table users.

55
00:02:48,606 --> 00:02:50,586
Suddenly my entire users'
table could be dropped

56
00:02:50,586 --> 00:02:51,306
from the database.

57
00:02:51,306 --> 00:02:53,526
So now we're actually going
to see how this stuff works,

58
00:02:53,526 --> 00:02:56,956
which is, I think, a lot of fun.

59
00:02:57,156 --> 00:02:58,896
So I've got the rest
of this code here.

60
00:02:59,516 --> 00:03:04,056
[ Background Sounds ]

61
00:03:04,556 --> 00:03:06,996
And this should basically
look familiar.

62
00:03:07,086 --> 00:03:10,346
I'm going to show you the two
exploits as we go through.

63
00:03:10,346 --> 00:03:11,726
But they're there in
the comments if you want

64
00:03:11,726 --> 00:03:12,806
to try these at home later.

65
00:03:13,826 --> 00:03:14,926
We're connecting
to the database.

66
00:03:14,926 --> 00:03:17,716
We're making sure the
parameters are set.

67
00:03:18,286 --> 00:03:26,136
And then we get to the command
we just looked at, here.

68
00:03:26,656 --> 00:03:31,956
And if we have success,
we're going to return true

69
00:03:31,956 --> 00:03:35,766
from this function so that we
can print out either successful

70
00:03:35,766 --> 00:03:37,836
login or bad username
or password.

71
00:03:38,176 --> 00:03:41,146
And before I show you this,

72
00:03:41,146 --> 00:03:44,616
I also want to show you
what our tables look like.

73
00:03:44,956 --> 00:03:47,056
They're relatively
straightforward here.

74
00:03:48,196 --> 00:03:51,146
Everything's under this
jharvard section 8.

75
00:03:51,146 --> 00:03:53,406
It's covered up, but it is,
trust me it's Section 8.

76
00:03:54,666 --> 00:03:58,796
And the users' table has
some values in it already.

77
00:04:00,926 --> 00:04:03,906
So I've just got these two
columns, id and password.

78
00:04:04,346 --> 00:04:06,716
I've just put them in in
plain text as another example

79
00:04:06,716 --> 00:04:07,996
of something you
might not want to do.

80
00:04:07,996 --> 00:04:10,766
But makes it easier to
demonstrate here tonight.

81
00:04:11,606 --> 00:04:15,126
And I've got these
four rows in the table.

82
00:04:15,266 --> 00:04:16,736
The other table that
I want to point

83
00:04:16,736 --> 00:04:21,356
out real quickly is I've created
this second table called "test."

84
00:04:22,286 --> 00:04:26,006
Which is one column called "id."

85
00:04:26,006 --> 00:04:26,726
It's a number.

86
00:04:27,206 --> 00:04:28,106
Auto increment.

87
00:04:28,196 --> 00:04:30,806
It's just the fact that
this table exists right now

88
00:04:30,806 --> 00:04:31,476
that's important.

89
00:04:32,046 --> 00:04:37,166
Now let's actually
try to break things.

90
00:04:39,236 --> 00:04:45,526
So I'll go out to our website.

91
00:04:49,886 --> 00:04:57,956
Section 8 slash,
and let's first try

92
00:04:58,056 --> 00:04:59,786
with an incorrect password just

93
00:04:59,786 --> 00:05:01,886
to see what things
should look like.

94
00:05:02,386 --> 00:05:06,476
So the URL's a little
tiny on the view here.

95
00:05:06,596 --> 00:05:09,586
But, basically, the parameters
I've passed in are Chris

96
00:05:10,066 --> 00:05:13,256
and a password of
BADPWD for bad password.

97
00:05:14,146 --> 00:05:16,576
My password in the database
is the word "password."

98
00:05:16,866 --> 00:05:18,836
So it's come back
and told me, no,

99
00:05:18,836 --> 00:05:20,496
this is not your
username and password.

100
00:05:20,496 --> 00:05:23,106
So the next thing
we want to confirm

101
00:05:23,106 --> 00:05:25,856
for proper functionality is if
I put in the proper password.

102
00:05:26,446 --> 00:05:28,656
So I'll change the URL,
and I'll change my password

103
00:05:28,656 --> 00:05:30,036
to "password."

104
00:05:30,456 --> 00:05:35,276
And you'll see now that, instead
of bad username or password,

105
00:05:35,276 --> 00:05:37,496
we actually are getting
a successful login.

106
00:05:38,586 --> 00:05:40,526
So this is the way things
are supposed to work.

107
00:05:40,526 --> 00:05:42,916
Now, let's start exploring.

108
00:05:43,086 --> 00:05:51,806
Let's try that quote or
quote quote equals quote.

109
00:05:51,956 --> 00:05:59,906
>> Is there any way to zoom
in on things like that or not?

110
00:06:00,126 --> 00:06:00,706
The URL's tiny.

111
00:06:00,706 --> 00:06:02,616
>> I don't think so.

112
00:06:02,616 --> 00:06:05,066
It was in the previous slides.

113
00:06:05,066 --> 00:06:07,006
I'm hoping they can sort it out.

114
00:06:09,346 --> 00:06:09,466
>> Okay.

115
00:06:09,686 --> 00:06:10,036
>> All right.

116
00:06:10,036 --> 00:06:11,536
So after entering that,

117
00:06:12,646 --> 00:06:16,216
you'll see that we're still
getting a successful login even

118
00:06:16,216 --> 00:06:18,066
though we shouldn't be.

119
00:06:18,066 --> 00:06:19,596
This is obviously
not my password.

120
00:06:19,676 --> 00:06:22,916
And it's specifically because
we've now injected this short

121
00:06:22,916 --> 00:06:26,946
bit of code that says,
no matter what happened

122
00:06:26,946 --> 00:06:30,396
with these two ends, if quote
quote equals quote quote,

123
00:06:30,396 --> 00:06:34,566
which will always be true,
then this should return a 1.

124
00:06:34,926 --> 00:06:36,576
And we get our successful login.

125
00:06:37,146 --> 00:06:40,276
So this is not good.

126
00:06:40,896 --> 00:06:43,666
People can log in sort of
willy-nilly at this point.

127
00:06:44,446 --> 00:06:46,806
But we haven't done
anything destructive yet.

128
00:06:47,226 --> 00:06:49,666
So the next step is to
go a little further.

129
00:06:50,806 --> 00:06:53,596
Since we do have access to
anything we do want to do

130
00:06:53,646 --> 00:06:57,566
in SQL, we can actually
do, close the quote.

131
00:06:57,566 --> 00:07:00,226
And then add a semicolon
to close the command.

132
00:07:00,476 --> 00:07:02,556
And then add the next
command that we want,

133
00:07:02,556 --> 00:07:04,356
which in this case
was drop table.

134
00:07:04,806 --> 00:07:07,726
And instead of users, I'm
just going to drop table test.

135
00:07:08,246 --> 00:07:13,076
Just so I don't completely
destroy my database while we're

136
00:07:13,076 --> 00:07:13,556
working here.

137
00:07:14,086 --> 00:07:16,286
And we can run that command.

138
00:07:16,876 --> 00:07:20,106
It tells me that I've got
a bad username or password,

139
00:07:20,106 --> 00:07:22,046
but I'm not too concerned
about that.

140
00:07:22,226 --> 00:07:25,776
What I'm more concerned about is
when I come back to phpMyAdmin

141
00:07:26,156 --> 00:07:30,726
and refresh jharvard section 8,

142
00:07:31,146 --> 00:07:33,536
I now have four tables
listed instead of five.

143
00:07:34,066 --> 00:07:35,886
You can see on the left
I haven't refreshed this.

144
00:07:35,886 --> 00:07:37,056
Test used to be there.

145
00:07:37,766 --> 00:07:39,446
But now the test table
is completely gone

146
00:07:39,446 --> 00:07:42,966
from my database, which is
obviously not good at all.

147
00:07:43,516 --> 00:07:47,586
[ Background Sounds ]

148
00:07:48,086 --> 00:07:51,106
So that's a little bit
about SQL injection.

149
00:07:52,756 --> 00:07:55,736
Next, I want to jump over
and talk a little bit

150
00:07:55,736 --> 00:07:57,256
about cross-site scripting.

151
00:07:58,716 --> 00:07:59,816
So looking at this code,

152
00:08:00,516 --> 00:08:02,466
where might I have gone
wrong in this example?

153
00:08:02,926 --> 00:08:05,106
Looking at code where I'm
preparing a statement.

154
00:08:05,106 --> 00:08:05,926
So I've gotten a little better.

155
00:08:05,926 --> 00:08:07,436
I'm using a prepared
statement now.

156
00:08:08,126 --> 00:08:12,786
I'm going to insert a record
into a table called "comments."

157
00:08:12,896 --> 00:08:14,906
It's just a single value,
which is the comment.

158
00:08:15,506 --> 00:08:17,096
Then I'm going to go
back later, and I'm going

159
00:08:17,096 --> 00:08:18,256
to select those comments.

160
00:08:18,426 --> 00:08:21,996
And I'm apparently printing
table rows out to the browser

161
00:08:21,996 --> 00:08:23,976
as I'm redisplaying
the information that's

162
00:08:23,976 --> 00:08:24,656
in the database.

163
00:08:25,126 --> 00:08:27,956
Any thoughts on what
might be wrong here?

164
00:08:28,516 --> 00:08:36,956
[ Background Sounds ]

165
00:08:37,456 --> 00:08:37,926
All right.

166
00:08:37,926 --> 00:08:40,506
So where things are going
to start going off the rails

167
00:08:40,506 --> 00:08:44,056
in this case, I'm taking
whatever the user has given me.

168
00:08:44,876 --> 00:08:46,736
Which we'll see where
it's coming in.

169
00:08:47,036 --> 00:08:48,336
But anything the
user is giving me

170
00:08:48,516 --> 00:08:50,206
and writing it directly
into the database.

171
00:08:51,206 --> 00:08:53,426
I haven't checked what I'm
writing to the database.

172
00:08:53,426 --> 00:08:54,286
It could be anything.

173
00:08:54,876 --> 00:08:56,836
And then I'm pulling it
directly out of the database

174
00:08:56,836 --> 00:09:00,206
and writing it directly
out into my HTML.

175
00:09:00,766 --> 00:09:01,996
Without checking for things

176
00:09:01,996 --> 00:09:07,276
like is there HTML formatting
that's actually in there?

177
00:09:07,276 --> 00:09:08,146
Things like that.

178
00:09:08,896 --> 00:09:12,476
So this basic just
dollar sign comment 1 here

179
00:09:12,476 --> 00:09:14,706
without an HTML special
[inaudible] is

180
00:09:14,706 --> 00:09:17,086
where things are
going to get bad.

181
00:09:19,316 --> 00:09:22,726
So given that, what if my
comment is, for example,

182
00:09:22,776 --> 00:09:24,766
as I think David
has shown before,

183
00:09:25,316 --> 00:09:28,126
script alert hacked
close script.

184
00:09:28,566 --> 00:09:32,026
And we can start to look at
some examples here as well.

185
00:09:32,026 --> 00:09:40,926
So I've got another
script file here, xss.php.

186
00:09:41,166 --> 00:09:50,236
You can see I've got four
examples that we'll get into.

187
00:09:50,236 --> 00:09:52,696
But, basically, we're just
connecting to the database.

188
00:09:53,796 --> 00:09:55,936
I'm starting a session.

189
00:09:58,596 --> 00:10:00,726
To make it a little
more explicit

190
00:10:00,726 --> 00:10:03,496
as to how things could really
go bad, I'm actually going

191
00:10:03,496 --> 00:10:06,706
to store the user and the
password in cookies as well.

192
00:10:10,046 --> 00:10:11,286
And then I'm just,
as we had seen,

193
00:10:11,286 --> 00:10:13,246
going to insert the
record into the database.

194
00:10:14,086 --> 00:10:17,016
And, sorry, if it's a post,

195
00:10:17,016 --> 00:10:18,636
I'm going to insert the
record into the database.

196
00:10:19,256 --> 00:10:21,326
Otherwise, or even
if it was a post,

197
00:10:21,326 --> 00:10:24,186
I'm going to display a table
that has all the comments

198
00:10:24,296 --> 00:10:30,686
that had appeared in just
this very short little page.

199
00:10:34,216 --> 00:10:35,826
So let's switch over.

200
00:10:35,966 --> 00:10:38,186
Let's see what the database
looks like real quick for this.

201
00:10:38,186 --> 00:10:42,826
I've got two databases
that I want to show you.

202
00:10:44,046 --> 00:10:45,386
One is this comments database.

203
00:10:45,386 --> 00:10:46,716
This is where we're going

204
00:10:46,716 --> 00:10:49,166
to store the comments
for our real website.

205
00:10:49,166 --> 00:10:52,036
It's just got an
id, auto incremented

206
00:10:52,036 --> 00:10:54,496
and then the comment
is a text field.

207
00:10:55,066 --> 00:10:56,886
So just very simple,
straightforward approach

208
00:10:56,886 --> 00:10:59,176
to storing comments
in the database.

209
00:10:59,966 --> 00:11:03,086
The other table that I've
created is one called "cookies."

210
00:11:03,596 --> 00:11:05,326
And we'll see what
this is shortly.

211
00:11:05,626 --> 00:11:10,896
Same idea, it's just two
columns, an id, auto incrementing

212
00:11:11,266 --> 00:11:14,346
and cookie, which is
apparently a text field.

213
00:11:17,136 --> 00:11:19,956
So let's go over to
the actual web page.

214
00:11:20,516 --> 00:11:26,546
[ Background Sounds ]

215
00:11:27,046 --> 00:11:28,156
So it's a very simple page.

216
00:11:28,426 --> 00:11:30,456
At the top is the
current comments.

217
00:11:30,616 --> 00:11:32,616
I've got a header on my
table, but there's no rows.

218
00:11:32,616 --> 00:11:34,646
So there's not much
to see at this point.

219
00:11:35,266 --> 00:11:38,916
But now I can add a new
comment and hit submit.

220
00:11:39,026 --> 00:11:43,496
So I could, assuming this was
a normal [inaudible] order,

221
00:11:43,496 --> 00:11:46,726
something like that, I
might send out just a hello.

222
00:11:47,516 --> 00:11:49,746
And now that's in the
database and is displaying

223
00:11:49,746 --> 00:11:50,566
in the comments table.

224
00:11:51,876 --> 00:11:53,106
Things like that are fine.

225
00:11:53,546 --> 00:11:57,106
The next person come
in, comes in, hi.

226
00:11:57,236 --> 00:11:59,726
And the comments
keep building up.

227
00:12:01,136 --> 00:12:05,356
But what if we start thinking
a little more deviously.

228
00:12:06,536 --> 00:12:12,026
What if we do script alert
hacked, as we had seen

229
00:12:12,026 --> 00:12:19,366
in the comments at the
top of the source code.

230
00:12:19,576 --> 00:12:20,746
So this gets interesting.

231
00:12:21,006 --> 00:12:22,756
You'll see a very thin,

232
00:12:22,756 --> 00:12:25,006
little row appeared
between hello and hi.

233
00:12:26,436 --> 00:12:28,066
Nothing happened.

234
00:12:28,066 --> 00:12:29,256
We didn't get the dialogue box.

235
00:12:29,256 --> 00:12:32,136
But what we did get in
this very fine print

236
00:12:32,136 --> 00:12:34,836
down here is a message
from Chrome,

237
00:12:34,836 --> 00:12:36,886
where Chrome is actually
trying to help me out.

238
00:12:37,006 --> 00:12:41,176
It says specifically, "Refused
to execute a JavaScript script.

239
00:12:41,336 --> 00:12:43,736
Source code of script
found within request."

240
00:12:44,426 --> 00:12:46,166
So Chrome is smart
enough to realize

241
00:12:46,166 --> 00:12:51,336
that I just posted this bit of
JavaScript code out to the site.

242
00:12:51,896 --> 00:12:56,246
It's probably not good that
it's coming right back to me.

243
00:12:57,196 --> 00:13:00,256
Now, unfortunately, it
only checks the first time

244
00:13:00,796 --> 00:13:02,106
that you've submitted that.

245
00:13:02,566 --> 00:13:10,376
If I refresh the page
now, I think I might,

246
00:13:10,816 --> 00:13:12,736
I left a break point in my code.

247
00:13:12,736 --> 00:13:13,366
Sorry about that.

248
00:13:14,716 --> 00:13:18,866
The dialogue box
actually pops up.

249
00:13:19,096 --> 00:13:20,726
Now, that's still not too bad.

250
00:13:20,726 --> 00:13:22,486
I've created a dialogue box.

251
00:13:23,326 --> 00:13:26,796
But what if we got a
little more interesting

252
00:13:26,796 --> 00:13:27,976
with that dialogue box?

253
00:13:27,976 --> 00:13:31,156
What if instead we alerted
the actual document cookie?

254
00:13:31,626 --> 00:13:36,716
So we get our old dialogue box.

255
00:13:37,676 --> 00:13:39,396
Then Chrome picks
up our mistake.

256
00:13:39,686 --> 00:13:42,626
But if we refresh,

257
00:13:43,146 --> 00:13:46,276
we're actually getting
my actual cookie.

258
00:13:46,946 --> 00:13:47,986
The session ID.

259
00:13:48,296 --> 00:13:48,956
My user ID.

260
00:13:48,956 --> 00:13:50,976
And my password, all displayed
directly to the screen.

261
00:13:51,516 --> 00:13:55,796
[ Background Sounds ]

262
00:13:56,296 --> 00:14:00,126
Now, that's okay, but we're
telling the end user what this

263
00:14:00,126 --> 00:14:00,836
information is.

264
00:14:00,836 --> 00:14:03,216
And that's probably
not as interesting.

265
00:14:04,426 --> 00:14:06,896
So I wrote another piece of
code that I want to bring

266
00:14:06,896 --> 00:14:09,076
up for you really quickly here.

267
00:14:09,636 --> 00:14:14,126
It's a file called log.php.

268
00:14:15,636 --> 00:14:17,366
This is part 2 of my attack.

269
00:14:18,726 --> 00:14:22,046
This is going to take whatever
it's passed, essentially,

270
00:14:22,046 --> 00:14:24,976
and just insert it into that
cookies table in my database.

271
00:14:25,516 --> 00:14:29,566
[ Background Sounds ]

272
00:14:30,066 --> 00:14:32,616
And that is the entire program.

273
00:14:32,826 --> 00:14:33,806
Connect to the database.

274
00:14:33,846 --> 00:14:35,726
Write out whatever's
passed to it.

275
00:14:38,036 --> 00:14:39,746
So as an example of that,

276
00:14:41,076 --> 00:14:46,466
I could do log.php?cookie
equals test.

277
00:14:47,796 --> 00:14:49,226
No obvious display.

278
00:14:49,226 --> 00:14:52,976
But if I go to actually
look in my database now.

279
00:14:53,516 --> 00:14:57,586
[ Background Sounds ]

280
00:14:58,086 --> 00:14:58,566
Did it go?

281
00:14:59,516 --> 00:15:12,546
[ Background Sounds ]

282
00:15:13,046 --> 00:15:14,476
I managed to break my code.

283
00:15:14,476 --> 00:15:16,476
I'll make sure this is fixed
before I publish it back

284
00:15:16,476 --> 00:15:19,026
up to the git repository.

285
00:15:19,026 --> 00:15:21,976
What we should be seeing at this
point is it should be writing

286
00:15:22,686 --> 00:15:25,386
just whatever was passed
to it directly out.

287
00:15:25,386 --> 00:15:26,746
Oh, I know what the problem is.

288
00:15:26,746 --> 00:15:32,206
I renamed my parameter from
cookie to X. Was it X or Q?

289
00:15:32,776 --> 00:15:36,976
It is X.

290
00:15:37,516 --> 00:15:47,146
[ Background Sounds ]

291
00:15:47,646 --> 00:15:50,156
Yeah. So now you can see
that we do have a record

292
00:15:50,156 --> 00:15:51,516
in the database, where
it's just written

293
00:15:51,516 --> 00:15:55,026
that test directly out for us.

294
00:15:55,836 --> 00:15:57,416
Much better.

295
00:15:57,586 --> 00:16:02,416
So going back to our xss.php.

296
00:16:03,516 --> 00:16:09,276
[ Background Sounds ]

297
00:16:09,776 --> 00:16:11,796
And get past that break point.

298
00:16:12,146 --> 00:16:14,376
I've got my two previous alerts.

299
00:16:14,816 --> 00:16:18,636
We could add a new item.

300
00:16:19,476 --> 00:16:23,546
And we'll also get a
little more devious here.

301
00:16:23,546 --> 00:16:29,426
I'll leave it here so that you
can actually see the whole thing

302
00:16:29,426 --> 00:16:31,346
from the moment before
I enter it.

303
00:16:32,246 --> 00:16:34,456
I'm going to actually
put the word "hello."

304
00:16:34,896 --> 00:16:36,946
So it's not obvious that
there's not just a blank row

305
00:16:36,946 --> 00:16:38,186
in the comment table anymore.

306
00:16:39,226 --> 00:16:43,406
But then I'm also going to
inject this actual script here.

307
00:16:43,926 --> 00:16:46,086
And I'm going to use this one,

308
00:16:46,956 --> 00:16:51,256
X equals new XMLHttpRequest,
x.open get.

309
00:16:51,556 --> 00:16:54,116
And you might start to look
at this and start to realize

310
00:16:54,116 --> 00:16:56,526
that this is sort of the Ajax
approach that we had talked

311
00:16:56,526 --> 00:16:59,466
about just a lecture ago.

312
00:17:00,376 --> 00:17:02,106
I'm going to send
out a get request

313
00:17:02,476 --> 00:17:04,426
to the section 8 slash log.php.

314
00:17:04,426 --> 00:17:08,466
And I'm actually going to
pass the document.cookie

315
00:17:08,466 --> 00:17:09,466
in as a parameter.

316
00:17:09,466 --> 00:17:11,286
And I'm going to send that.

317
00:17:12,736 --> 00:17:15,836
So let's go ahead and add
that to our database as well.

318
00:17:16,376 --> 00:17:19,036
We still have our
old tool alerts.

319
00:17:19,526 --> 00:17:23,546
But we also have
"hello" as our comment.

320
00:17:24,236 --> 00:17:28,176
Nothing visually incorrect
with what's going on here.

321
00:17:28,706 --> 00:17:30,886
But if we look in
our database again.

322
00:17:31,516 --> 00:17:35,546
[ Background Sounds ]

323
00:17:36,046 --> 00:17:41,966
Cookies. What did I do wrong?

324
00:17:42,516 --> 00:17:59,516
[ Background Sounds ]

325
00:18:00,016 --> 00:18:02,000
[ Inaudible Comment ]

326
00:18:02,516 --> 00:18:09,776
[ Background Sounds ]

327
00:18:10,276 --> 00:18:11,636
I did nothing wrong.

328
00:18:13,136 --> 00:18:15,646
Once again, Chrome has picked

329
00:18:15,646 --> 00:18:17,556
up that this was the first
time I submitted that.

330
00:18:17,556 --> 00:18:19,956
And it has refused to
run that bit of code.

331
00:18:19,956 --> 00:18:21,576
Because it knows what
I'm doing is bad.

332
00:18:21,786 --> 00:18:25,186
And it's trying to protect
myself, protect me from myself.

333
00:18:25,266 --> 00:18:28,056
Which is good until
I refresh the page.

334
00:18:28,056 --> 00:18:32,336
Or someone else comes
and views the page.

335
00:18:33,656 --> 00:18:34,526
First alert.

336
00:18:34,706 --> 00:18:35,526
Second alert.

337
00:18:36,576 --> 00:18:37,546
The comment happens.

338
00:18:38,266 --> 00:18:40,426
And, actually, this time,
instead of that alert,

339
00:18:40,426 --> 00:18:43,886
in the fine print down here
you'll actually see a response

340
00:18:44,326 --> 00:18:47,506
that tells me that my Ajax
call completed successfully.

341
00:18:48,116 --> 00:18:50,526
Which is good news
for me as the hacker.

342
00:18:50,526 --> 00:18:51,356
Bad news for you.

343
00:18:51,576 --> 00:18:56,426
And it's actually performed this
write to my log at this point.

344
00:18:57,566 --> 00:19:01,426
So if we come back
over and browse again,

345
00:19:02,636 --> 00:19:06,486
you'll see that we now have
row 10, which has stored

346
00:19:06,566 --> 00:19:09,956
my PHPSESSID, as well as
my username and my password

347
00:19:10,106 --> 00:19:12,756
in this separate
database for me.

348
00:19:15,286 --> 00:19:17,026
Now, I took this
one step further,

349
00:19:17,026 --> 00:19:20,066
and I was very interested
to see where this went.

350
00:19:20,456 --> 00:19:30,486
I then created a
second virtual host.

351
00:19:30,746 --> 00:19:32,396
So we've got section 8

352
00:19:32,396 --> 00:19:33,806
that we're working
out of at the moment.

353
00:19:34,136 --> 00:19:36,656
To make this a little
more realistic,

354
00:19:37,086 --> 00:19:43,276
you'll see that I've also got
another one here called "badguy"

355
00:19:43,636 --> 00:19:45,976
to create a completely
separate host.

356
00:19:46,516 --> 00:19:51,546
[ Background Sounds ]

357
00:19:52,046 --> 00:19:54,036
And I've put this log
function in here as well.

358
00:19:55,496 --> 00:20:03,836
And if you look, I've
actually just used a link.

359
00:20:04,106 --> 00:20:06,076
So it's pointing to the
exact same piece of code

360
00:20:06,076 --> 00:20:08,786
so that we know I haven't
magically swapped anything

361
00:20:08,786 --> 00:20:09,196
out here.

362
00:20:09,926 --> 00:20:11,946
In fact, you could even
just look right at the file

363
00:20:11,946 --> 00:20:14,746
and see it's the exact same
file as we were looking at.

364
00:20:18,116 --> 00:20:20,976
But let's now take
the same approach.

365
00:20:21,516 --> 00:20:30,776
[ Background Sounds ]

366
00:20:31,276 --> 00:20:34,806
But instead of just going to my
server, let's see what happens

367
00:20:34,806 --> 00:20:37,036
when we go out to
bad guy's server.

368
00:20:37,036 --> 00:20:39,366
If I, let's say I'm trying to
actually now write this back

369
00:20:39,366 --> 00:20:41,966
to a server that I own, being
the bad guy in this case.

370
00:20:42,516 --> 00:20:51,586
[ Background Sounds ]

371
00:20:52,086 --> 00:20:52,586
One alert.

372
00:20:53,096 --> 00:20:53,696
Two alert.

373
00:20:54,776 --> 00:20:56,646
No alert. Refused to execute.

374
00:20:57,536 --> 00:21:00,276
Reload just to make sure that
we know what's going on here.

375
00:21:00,566 --> 00:21:01,176
One alert.

376
00:21:01,176 --> 00:21:01,666
Two alert.

377
00:21:02,196 --> 00:21:08,436
We've actually gotten a new
error here, which makes me happy

378
00:21:08,436 --> 00:21:10,326
because Chrome is, once
again, looking out for me.

379
00:21:10,836 --> 00:21:16,156
I've got in the very fine print,
XMLHttpRequest cannot load,

380
00:21:17,136 --> 00:21:18,846
badguy, slash, et cetera.

381
00:21:19,926 --> 00:21:23,116
Origin section eight
is not allowed

382
00:21:23,116 --> 00:21:25,216
by Access-Control-Allow-Origin.

383
00:21:25,826 --> 00:21:28,246
So, basically, what
Chrome has realized here is

384
00:21:28,246 --> 00:21:33,266
that we're trying to take
data from this one origin

385
00:21:33,616 --> 00:21:36,146
and write it into
this other server

386
00:21:36,146 --> 00:21:37,296
in an uncontrolled manner.

387
00:21:37,696 --> 00:21:39,876
So it is in this case
actually protecting me

388
00:21:39,976 --> 00:21:42,976
from doing the damage of writing
this out to the database.

389
00:21:43,516 --> 00:21:48,026
[ Background Sounds ]

390
00:21:48,526 --> 00:21:48,976
All right.

391
00:21:49,516 --> 00:21:53,756
[ Background Sounds ]

392
00:21:54,256 --> 00:21:57,746
Now let's look into
cross-site request forgery.

393
00:21:58,336 --> 00:22:02,566
So I've got an example here
where this is some sort

394
00:22:02,566 --> 00:22:04,776
of stock transactions.

395
00:22:05,426 --> 00:22:08,896
We're trying to write into
a portfolio the values

396
00:22:08,896 --> 00:22:10,516
of ID, symbol, and shares.

397
00:22:10,516 --> 00:22:12,906
The ID I'm getting
right from the session.

398
00:22:13,306 --> 00:22:15,496
So there must be
a cookie prepared

399
00:22:15,496 --> 00:22:17,786
or a PHP session prepared
that's throwing the ID

400
00:22:17,786 --> 00:22:18,706
of the individual.

401
00:22:19,416 --> 00:22:20,606
And I'm getting the symbol

402
00:22:20,606 --> 00:22:22,316
and the shares right
from a get request.

403
00:22:23,976 --> 00:22:25,846
Anyone have any concerns
about this code?

404
00:22:26,516 --> 00:22:33,076
[ Background Sounds ]

405
00:22:33,576 --> 00:22:37,056
Well, what if I visit
a page with this?

406
00:22:37,126 --> 00:22:38,676
So this is on another site.

407
00:22:39,256 --> 00:22:46,036
It's got script source equals,
this is apparently coming

408
00:22:46,036 --> 00:22:47,596
out of buy.php at this point.

409
00:22:48,436 --> 00:22:51,656
Symbol equals GOOG shares
equals 1000 close script.

410
00:22:52,696 --> 00:22:54,836
So this is going to be a
piece of code that's embedded

411
00:22:54,836 --> 00:22:59,036
into someone else's page, not
my page, and is going to try

412
00:22:59,036 --> 00:23:00,286
to buy shares on my behalf.

413
00:23:00,946 --> 00:23:07,996
So we could take a look at this.

414
00:23:08,196 --> 00:23:10,686
So the first thing I want
to do, actually, let's,

415
00:23:11,966 --> 00:23:13,726
is show you the tables
that we're looking at.

416
00:23:13,726 --> 00:23:16,326
Just so you have a sense.

417
00:23:16,446 --> 00:23:17,936
We'll go to portfolios.

418
00:23:18,336 --> 00:23:26,396
And let's look at the structure
first just to make it clear.

419
00:23:26,586 --> 00:23:28,486
We've got the three fields
that we're expecting.

420
00:23:28,486 --> 00:23:30,096
The ID of the individual.

421
00:23:30,566 --> 00:23:32,416
The symbol of the stock.

422
00:23:32,416 --> 00:23:33,906
And then the number of shares
that's going to be stored.

423
00:23:34,516 --> 00:23:38,806
[ Background Sounds ]

424
00:23:39,306 --> 00:23:43,756
And currently this
user 1, apparently,

425
00:23:43,756 --> 00:23:45,686
owns a hundred shares
of Apple stock.

426
00:23:46,606 --> 00:23:48,976
So that's our baseline for
where we're starting from here.

427
00:23:49,516 --> 00:23:54,546
[ Background Sounds ]

428
00:23:55,046 --> 00:23:57,736
A normal user might come
along and go to buy.php.

429
00:23:58,516 --> 00:24:02,546
[ Background Sounds ]

430
00:24:03,046 --> 00:24:04,266
Oh, actually, let me
show you this first.

431
00:24:04,576 --> 00:24:05,936
Buy.php, that's what
my note was.

432
00:24:06,516 --> 00:24:19,776
[ Background Sounds ]

433
00:24:20,276 --> 00:24:23,156
This looks pretty much like
what we're expecting so far.

434
00:24:23,156 --> 00:24:24,846
We've got the database
connection.

435
00:24:25,756 --> 00:24:27,926
We've got the title on our page.

436
00:24:28,516 --> 00:24:32,736
[ Background Sounds ]

437
00:24:33,236 --> 00:24:37,256
If we're receiving through
the get request, the symbol

438
00:24:37,256 --> 00:24:39,386
and shares, we're actually going

439
00:24:39,386 --> 00:24:40,956
to do an insert into
our database.

440
00:24:40,956 --> 00:24:41,976
And tell the user that
we bought those shares.

441
00:24:42,516 --> 00:24:49,596
[ Background Sounds ]

442
00:24:50,096 --> 00:24:53,196
The other file that goes
with this is portfolio.php.

443
00:24:53,196 --> 00:25:01,426
This is a little bit more, but
relatively straightforward here.

444
00:25:01,856 --> 00:25:04,416
What this is going to be
is a display of the shares

445
00:25:04,416 --> 00:25:05,766
that the user currently owns.

446
00:25:06,146 --> 00:25:07,336
So we connect to the database.

447
00:25:07,506 --> 00:25:09,506
We're starting the session.

448
00:25:09,506 --> 00:25:12,236
We're apparently forcing
the ID to 1, just as a way

449
00:25:12,236 --> 00:25:13,736
to make this code
work very quickly.

450
00:25:14,706 --> 00:25:17,766
I've got a function I can
call to print the table

451
00:25:17,766 --> 00:25:19,626
of the shares that
the user owns.

452
00:25:20,126 --> 00:25:26,176
And then this all appears
within a very small page

453
00:25:26,976 --> 00:25:28,176
with the title portfolio

454
00:25:28,176 --> 00:25:29,776
and just shows you
the current portfolio.

455
00:25:30,516 --> 00:25:34,666
[ Background Sounds ]

456
00:25:35,166 --> 00:25:43,186
The last file I want to
preview is this actual attack.

457
00:25:44,196 --> 00:25:49,216
This is hosted potentially
somewhere else.

458
00:25:49,216 --> 00:25:52,876
We'll actually demonstrate
it in, you can either do it

459
00:25:52,876 --> 00:25:53,976
from the Section 8 site.

460
00:25:53,976 --> 00:25:56,106
Or I've also put this
under bad guy as well,

461
00:25:56,106 --> 00:25:57,616
so you can test it from there.

462
00:25:58,726 --> 00:26:01,046
It tells you it's obviously
a completely benign website,

463
00:26:01,046 --> 00:26:01,476
trust them.

464
00:26:02,686 --> 00:26:05,226
And then it uses two
different approaches to try

465
00:26:05,226 --> 00:26:07,986
to trigger the purchasing
of shares.

466
00:26:07,986 --> 00:26:09,386
One using a script tag.

467
00:26:09,386 --> 00:26:10,796
One using an image tag.

468
00:26:11,316 --> 00:26:14,166
As David had mentioned, there's
many ways you can do this.

469
00:26:14,166 --> 00:26:17,756
And these are two
possible ones to run code

470
00:26:18,866 --> 00:26:23,696
without the user
having to do anything.

471
00:26:23,736 --> 00:26:24,276
All right.

472
00:26:28,416 --> 00:26:35,036
So the first thing I'm going
to do is I'm actually going

473
00:26:35,036 --> 00:26:37,466
to close the window
and start a new one.

474
00:26:37,656 --> 00:26:39,996
So deleting my current session.

475
00:26:40,466 --> 00:26:44,286
And we're going to go right

476
00:26:44,736 --> 00:26:47,726
to this attempted exploit
to start things off.

477
00:26:48,186 --> 00:26:53,816
And we're going to
do it on our site,

478
00:26:53,816 --> 00:26:54,966
not search Google for that.

479
00:26:55,516 --> 00:27:09,566
[ Background Sounds ]

480
00:27:10,066 --> 00:27:10,316
All right.

481
00:27:10,316 --> 00:27:11,856
So the page has appeared.

482
00:27:12,256 --> 00:27:14,406
It just says, this is my
completely benign website.

483
00:27:14,776 --> 00:27:16,786
We do see that broken image.

484
00:27:16,926 --> 00:27:18,026
So that's one thing.

485
00:27:19,126 --> 00:27:21,016
But we don't see any indication

486
00:27:21,016 --> 00:27:22,846
around the script line
that was in there.

487
00:27:23,606 --> 00:27:26,476
So if you were doing
this yourself,

488
00:27:26,476 --> 00:27:28,026
you might not want
to use the image tag.

489
00:27:28,026 --> 00:27:29,646
Because it might be
a visual indicator.

490
00:27:30,096 --> 00:27:31,466
But just to show you
the two approaches

491
00:27:31,466 --> 00:27:33,166
and what things might look like.

492
00:27:33,996 --> 00:27:35,716
So the one thing that's good

493
00:27:35,716 --> 00:27:39,166
at this point is I hadn't
actually started my session yet.

494
00:27:39,816 --> 00:27:43,156
So there was no cookie in
place to hijack at this point.

495
00:27:44,146 --> 00:27:46,616
So if we come back
and browse again,

496
00:27:47,726 --> 00:27:48,916
you'll see there's
been no change.

497
00:27:48,916 --> 00:27:51,026
We still just own a hundred
shares of Apple stock.

498
00:27:51,356 --> 00:27:52,996
So off to a good start.

499
00:27:52,996 --> 00:28:00,916
Now we can take a look at what
normal functionality would

500
00:28:00,916 --> 00:28:01,276
look like.

501
00:28:01,826 --> 00:28:04,346
So we can go to portfolio.php.

502
00:28:06,586 --> 00:28:08,966
And as we expect, it just
shows our hundred shares

503
00:28:08,966 --> 00:28:09,726
of Apple stock.

504
00:28:09,726 --> 00:28:10,906
So things are still going well.

505
00:28:11,906 --> 00:28:13,736
We could now buy some shares.

506
00:28:13,946 --> 00:28:15,946
So we could buy.

507
00:28:16,516 --> 00:28:20,576
[ Background Sounds ]

508
00:28:21,076 --> 00:28:21,456
There it is.

509
00:28:21,806 --> 00:28:25,586
In this case I'm choosing symbol
equals MSFT for Microsoft.

510
00:28:25,866 --> 00:28:27,696
And shares equals 200.

511
00:28:28,066 --> 00:28:32,136
And congratulations, you've just
bought 200 shares of Microsoft.

512
00:28:32,386 --> 00:28:34,016
We didn't check your
balances or anything.

513
00:28:34,016 --> 00:28:34,806
So this is great.

514
00:28:34,806 --> 00:28:35,506
We get free stock.

515
00:28:35,976 --> 00:28:39,756
And if we go back
to the portfolio,

516
00:28:39,756 --> 00:28:41,756
we'll see those changes
reflected.

517
00:28:42,326 --> 00:28:45,456
So we now have these two stocks.

518
00:28:45,566 --> 00:28:46,846
So everything is working well.

519
00:28:47,306 --> 00:28:50,266
But now we can go
back to the exploit.

520
00:28:50,776 --> 00:28:52,986
The cookie is still live.

521
00:28:53,246 --> 00:28:57,756
I'm going off to
some other page.

522
00:28:57,996 --> 00:29:04,226
And all we see here
is some plain text

523
00:29:04,226 --> 00:29:05,946
and a broken image link.

524
00:29:07,296 --> 00:29:15,566
But now, if we go over to the
portfolio, we'll see that,

525
00:29:15,746 --> 00:29:17,566
without the user doing anything,

526
00:29:18,156 --> 00:29:20,056
we've actually injected
the shares of Google

527
00:29:20,056 --> 00:29:21,966
and Yahoo directly into
their account for them.

528
00:29:22,516 --> 00:29:26,556
[ Background Sounds ]

529
00:29:27,056 --> 00:29:34,826
Now, we could also try this
from bad guy, http bad guy.

530
00:29:35,516 --> 00:29:48,796
[ Background Sounds ]

531
00:29:49,296 --> 00:29:50,646
So my font got very small.

532
00:29:51,026 --> 00:29:53,706
But it's otherwise
exactly the same page.

533
00:29:54,226 --> 00:30:04,776
And if we go back to
our main portfolio site,

534
00:30:05,066 --> 00:30:11,246
fortunately this time it
didn't buy the shares for us.

535
00:30:11,436 --> 00:30:14,596
And I neglected to
bring up the bottom.

536
00:30:15,026 --> 00:30:18,006
We should have seen that Chrome
was understanding what was going

537
00:30:18,006 --> 00:30:21,366
on here and preventing that
particular attack for us.

538
00:30:21,366 --> 00:30:23,356
So I'll leave that
as an exercise

539
00:30:23,356 --> 00:30:25,286
so you have a good excuse to
go home and play with some

540
00:30:25,286 --> 00:30:25,976
of this stuff when you get home.

541
00:30:26,516 --> 00:30:30,546
[ Background Sounds ]

542
00:30:31,046 --> 00:30:31,496
All right.

543
00:30:32,516 --> 00:30:37,546
[ Background Sounds ]

544
00:30:38,046 --> 00:30:40,246
So I've got one more thing
that I wanted to demonstrate.

545
00:30:40,246 --> 00:30:42,656
And that's the exec
command in PHP.

546
00:30:43,016 --> 00:30:45,276
Exec is basically the same

547
00:30:45,276 --> 00:30:47,306
as the backticks,
as David has shown.

548
00:30:48,386 --> 00:30:50,026
In this very short example,

549
00:30:50,026 --> 00:30:52,816
I'm taking a command
that's being passed

550
00:30:52,816 --> 00:30:53,906
in as a post parameter.

551
00:30:53,906 --> 00:30:55,836
So we feel like it should
be a little bit safer.

552
00:30:56,646 --> 00:30:59,376
And then I'm just executing
it and capturing the output.

553
00:31:00,426 --> 00:31:01,686
So what's bad about this?

554
00:31:01,686 --> 00:31:02,976
So many things are
bad about this.

555
00:31:03,516 --> 00:31:12,596
[ Background Sounds ]

556
00:31:13,096 --> 00:31:15,646
So what if I do something
like this?

557
00:31:16,046 --> 00:31:18,666
So wget, I don't think
we've talked about.

558
00:31:18,666 --> 00:31:20,826
This is actually a
command line tool

559
00:31:21,666 --> 00:31:23,926
that lets you download
a web page.

560
00:31:25,356 --> 00:31:30,646
The minus Q zero minus or dash
Q zero dash, all that's going

561
00:31:30,646 --> 00:31:33,036
to do is display the
output to the screen rather

562
00:31:33,036 --> 00:31:35,446
than saving this to a
file, just for convenience.

563
00:31:35,956 --> 00:31:38,986
I'm going to give
it the web page,

564
00:31:39,286 --> 00:31:42,656
but what's interesting is I
can actually pass in post data

565
00:31:42,906 --> 00:31:45,616
to this request right from
this command line tool.

566
00:31:46,506 --> 00:31:49,976
So I can create a post of
command equals whoami.

567
00:31:50,516 --> 00:31:56,636
[ Background Sounds ]

568
00:31:57,136 --> 00:31:59,976
So let's see what all
this starts to look like.

569
00:32:00,516 --> 00:32:10,046
[ Background Sounds ]

570
00:32:10,546 --> 00:32:13,906
Here's the full code
for what we're looking

571
00:32:13,906 --> 00:32:16,476
at with the exploits at the top.

572
00:32:16,476 --> 00:32:18,866
Same part that we saw
where we're checking

573
00:32:19,186 --> 00:32:20,176
if the command was set.

574
00:32:20,176 --> 00:32:22,476
If so, we're going to execute
it and capture the output.

575
00:32:22,926 --> 00:32:24,816
Otherwise the output's just
going to be an empty array,

576
00:32:24,816 --> 00:32:26,326
just to be a placeholder.

577
00:32:26,846 --> 00:32:28,896
And then we're going to go down,

578
00:32:28,896 --> 00:32:33,956
and there's a very
short page here.

579
00:32:34,176 --> 00:32:37,116
One thing that I had thought
I was doing that was smart,

580
00:32:38,136 --> 00:32:40,276
I've limited the number
of options there are.

581
00:32:40,436 --> 00:32:42,436
So it should only
be the date command.

582
00:32:42,536 --> 00:32:43,496
The cal command.

583
00:32:43,606 --> 00:32:44,596
Or the ls command.

584
00:32:45,026 --> 00:32:48,506
But it's submitted
through a post.

585
00:32:48,696 --> 00:32:51,946
And it's really just
saying, take that value

586
00:32:52,166 --> 00:32:56,266
and do command equals whatever
the value is, date, cal or ls.

587
00:32:57,506 --> 00:32:59,376
And when I hit submit, it goes.

588
00:32:59,556 --> 00:33:03,266
And then the last command is
output out to the display.

589
00:33:03,266 --> 00:33:13,186
So we can look at this
running as we expect, exec.php.

590
00:33:13,396 --> 00:33:18,256
It gives us a drop down
of the available commands.

591
00:33:19,456 --> 00:33:22,656
So I could say, I
want to know the date.

592
00:33:22,876 --> 00:33:24,246
Hit submit.

593
00:33:24,346 --> 00:33:29,446
And when I hit submit, it comes
back and says, it's Saturday.

594
00:33:29,446 --> 00:33:31,956
I don't know how that
happened but sounds great.

595
00:33:31,956 --> 00:33:34,556
We should all go home.

596
00:33:34,756 --> 00:33:37,166
We also can do things
like the calendar.

597
00:33:37,166 --> 00:33:39,866
So I can see a current
calendar for the month of July.

598
00:33:41,326 --> 00:33:45,206
Or I can do an ls
command and see the files

599
00:33:45,206 --> 00:33:46,466
that I've been presenting
here tonight.

600
00:33:47,436 --> 00:33:50,236
So this all works fine,
and life is good there.

601
00:33:51,566 --> 00:33:56,726
But now we can actually jump
into the terminal and test some

602
00:33:56,726 --> 00:33:58,486
of this alternate functionality.

603
00:33:59,736 --> 00:34:06,926
So using my wget command, we're
going to go out to the site.

604
00:34:07,976 --> 00:34:09,556
Section 8.

605
00:34:09,886 --> 00:34:14,976
Exec.php. And we're
going to pass in.

606
00:34:15,516 --> 00:34:20,586
[ Background Sounds ]

607
00:34:21,086 --> 00:34:24,496
Command equals
whoami, for example.

608
00:34:24,496 --> 00:34:26,866
And what did I do wrong?

609
00:34:27,516 --> 00:34:40,796
[ Background Sounds ]

610
00:34:41,296 --> 00:34:42,066
All right.

611
00:34:42,066 --> 00:34:42,566
I was close.

612
00:34:42,566 --> 00:34:44,066
It's not Q zero.

613
00:34:44,066 --> 00:34:46,996
It's QO. My printout
didn't differentiate my O's

614
00:34:46,996 --> 00:34:47,586
from my zeros.

615
00:34:48,666 --> 00:34:50,516
But you can see the
output from the page.

616
00:34:51,176 --> 00:34:53,986
And tucked away under
output of last command,

617
00:34:54,806 --> 00:34:58,106
we can see that jharvard was the
result of that whoami command.

618
00:34:58,646 --> 00:35:03,606
Now, taking this
another step forward.

619
00:35:03,846 --> 00:35:12,906
I might try a command like uname
minus a. And now I'm going

620
00:35:12,906 --> 00:35:16,736
to learn everything about
the locally running system.

621
00:35:16,736 --> 00:35:18,776
So this is apparently
a Linux box.

622
00:35:19,706 --> 00:35:28,416
It's running 3.4.4-5.fc17.i686
symmetric multiprocessing.

623
00:35:28,646 --> 00:35:29,386
Time stamp.

624
00:35:30,286 --> 00:35:32,686
It's a 386 style architecture.

625
00:35:34,136 --> 00:35:35,716
Lots of good information here.

626
00:35:36,906 --> 00:35:38,856
Now, as we had talked
about in lecture,

627
00:35:39,506 --> 00:35:41,706
as you start knowing
things about, you know,

628
00:35:41,706 --> 00:35:43,236
a server is running Apache.

629
00:35:43,236 --> 00:35:47,296
A server is running PHP
version 5, et cetera.

630
00:35:48,186 --> 00:35:49,136
Additional information,

631
00:35:49,136 --> 00:35:51,936
like knowing what platform
is actually running

632
00:35:52,096 --> 00:35:54,206
and what user name
is being used,

633
00:35:54,716 --> 00:35:56,446
gives me a lot more
opportunities

634
00:35:56,446 --> 00:35:57,706
to create attack vectors.

635
00:35:57,756 --> 00:35:58,996
So we might not be thinking

636
00:35:58,996 --> 00:36:02,116
about a web based
attack at that point.

637
00:36:02,336 --> 00:36:04,196
But the more we can
learn about the system,

638
00:36:04,636 --> 00:36:07,636
the more opportunities
we have to attempt

639
00:36:07,636 --> 00:36:11,526
to do something evil
against the system.

640
00:36:11,526 --> 00:36:15,786
So just the fact that this
is completely unchecked.

641
00:36:15,876 --> 00:36:20,016
And any command could be run on
the platform that is available

642
00:36:20,016 --> 00:36:23,006
to the user that's currently
logged in is certainly something

643
00:36:23,006 --> 00:36:24,566
to be concerned about.

644
00:36:28,136 --> 00:36:29,526
So where does this leave us?

645
00:36:30,766 --> 00:36:33,046
A few things that you should
really be remembering.

646
00:36:33,426 --> 00:36:35,296
We've told you these
things through the semester.

647
00:36:35,296 --> 00:36:37,636
Hopefully, now that
you've seen them in action,

648
00:36:37,826 --> 00:36:41,166
there's a little more reality as
to why they could be a problem.

649
00:36:41,716 --> 00:36:45,036
You should always escape
your SQL parameters.

650
00:36:45,366 --> 00:36:48,076
We talked early on about
mysql_real_escape_string.

651
00:36:48,636 --> 00:36:51,626
We then later showed you how to
use PDO so you could do prepare,

652
00:36:51,626 --> 00:36:55,666
bindValue and exec to
handle those sort of issues.

653
00:36:56,046 --> 00:37:00,356
Any time you're going to escape,
display something as HTML,

654
00:37:00,406 --> 00:37:01,996
you should escape that as well.

655
00:37:01,996 --> 00:37:03,796
So use your htmlspecialchars.

656
00:37:04,116 --> 00:37:08,036
You should confirm
important transactions.

657
00:37:08,156 --> 00:37:09,776
So here we were able
to buy stock.

658
00:37:09,776 --> 00:37:12,906
As David's talked about in
class, Amazon requires you

659
00:37:12,906 --> 00:37:13,966
to authenticate again.

660
00:37:14,376 --> 00:37:15,446
Other sites use CAPTCHA.

661
00:37:15,446 --> 00:37:16,246
Things like that.

662
00:37:16,246 --> 00:37:19,346
You should look for ways to
prevent these malicious sites

663
00:37:19,346 --> 00:37:20,506
from tricking the user

664
00:37:20,506 --> 00:37:23,926
into performing an action using
an existing session cookie.

665
00:37:24,446 --> 00:37:27,246
And the last one I
wanted to point out is

666
00:37:27,246 --> 00:37:29,906
that post parameters are
definitely not necessarily any

667
00:37:29,906 --> 00:37:30,696
safer than get.

668
00:37:31,246 --> 00:37:33,436
It adds a slight layer
of inconvenience.

669
00:37:33,536 --> 00:37:35,546
But anyone who's
really trying to get

670
00:37:35,546 --> 00:37:39,226
into your site using these
parameters can readily construct

671
00:37:39,226 --> 00:37:40,306
a post request manually.

672
00:37:40,786 --> 00:37:44,376
So those are my thoughts
for this evening.

673
00:37:44,376 --> 00:37:46,306
Are there any questions with any

674
00:37:46,306 --> 00:37:50,716
of the things we
covered tonight?

675
00:37:50,826 --> 00:37:50,976
Yes.

676
00:37:51,516 --> 00:38:02,546
[ Inaudible Question ]

677
00:38:03,046 --> 00:38:04,256
Yeah. So the question was,

678
00:38:04,326 --> 00:38:07,216
through the SQL injection
attack, is it possible

679
00:38:07,216 --> 00:38:10,406
to reveal the structure
of the database?

680
00:38:10,406 --> 00:38:11,946
And that certainly is possible.

681
00:38:11,946 --> 00:38:14,936
I should know the command
off the top of my head.

682
00:38:14,936 --> 00:38:17,226
But I believe it's something
along the line of show tables.

683
00:38:17,846 --> 00:38:21,336
But certainly, yeah, you've
got access to any SQL command.

684
00:38:21,336 --> 00:38:24,396
So anything that potentially,
depending on your permissions,

685
00:38:24,426 --> 00:38:25,956
that a DBA would have access to,

686
00:38:26,296 --> 00:38:29,486
would be available
to you as well.

687
00:38:29,646 --> 00:38:34,936
Any other questions tonight?

688
00:38:34,936 --> 00:38:35,356
All right.

689
00:38:35,836 --> 00:38:39,126
Well, I hope everyone has gotten
their Project 1 turned in.

690
00:38:39,126 --> 00:38:41,266
I hope things are going
well with Project 2.

691
00:38:41,736 --> 00:38:45,566
We'll have folks around
tonight to handle office hours.

692
00:38:46,136 --> 00:38:49,246
And I believe there's also
an online section tonight?

693
00:38:49,436 --> 00:38:52,916
Yep. So the information for that
would be posted on the website.

694
00:38:52,916 --> 00:38:54,946
Good luck with the projects.

695
00:38:54,996 --> 00:38:56,946
We've got one more lecture
and one more section.

696
00:38:57,016 --> 00:38:58,896
So we look forward
to seeing you Monday.

697
00:38:58,896 --> 00:39:01,756
And hope you have a good
time coding over the weekend.

698
00:39:01,756 --> 00:39:02,856
Thanks everyone.

