preventing sqli and xss by ravi rajput in owasp meet ahmedabad


Transcript of preventing sqli and xss by ravi rajput in owasp meet ahmedabad

Preventing SQLI & XSS

hacktosecure.com - Ravi Rajput

About me

• Student of Information Technology
• A person with BIG dreams.
• Co-Founder of "hacktosecure.com"
• Who is not from one of "THE CEHs" :P :P

Who helped me in this

• A special thanks to PaulOS.
• Love to Namu, who always pushes me to do something.

Agenda

Nothing, just to learn

Defending SQLI & XSS

With some FUN

Chart of common Vulnerabilities

(chart slide; the image is not part of the transcript)

Chart for Bugs in CMS

(chart slide; the image is not part of the transcript)

Rocket Science Theory

SQL Injection Defence

• Use prepared statements.
• Use the PDO (PHP Data Objects) library. Set PDO::ATTR_ERRMODE to PDO::ERRMODE_EXCEPTION and call PDO inside try/catch, so a failed query raises a PDOException instead of silently returning false.

Normal QUERY

// Vulnerable as written: the request value is concatenated straight into the
// SQL string. (The mysql_* extension was removed in PHP 7; the slide's point is
// the concatenation, not the driver.)
$q = $_GET["q"];
$con = mysql_connect('localhost', 'ravi', 'passwd');
$sql = "SELECT * FROM user WHERE id='" . $q . "'";
$result = mysql_query($sql);

PDO QUERY

// $DBH is the PDO connection (new PDO(...)). The value is handed over as a
// bound parameter in key => value form, so it is never parsed as SQL.
$STH = $DBH->prepare("SELECT name, age FROM users WHERE userid = :userid");
$STH->execute(array(':userid' => $UserID));

Confused….????


Pretty Easy way

• Use addslashes(), for example:

<?php
$str = addslashes('What does "hacking" mean?');
echo $str;
?>

• Result: What does \"hacking\" mean?
• It adds a backslash before " ' \ and the NUL byte.

Usage

$sql = "SELECT * FROM user WHERE id='" . addslashes($q) . "'";

• This only helps while the value sits inside quotes. A numeric comparison such as WHERE id=$q has no quote to close, so addslashes() does nothing against 1 OR 1=1.
• addslashes() is not connection- or charset-aware either. If you must escape, use mysql_real_escape_string() (mysqli_real_escape_string() on PHP 7+), and prefer prepared statements over escaping. Google mysql_real_escape_string.
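The following is an added example, not code from the original slides or from hacktosecure.com. It puts the concatenated "Normal QUERY" and the addslashes() usage above beside PDO prepared statements, and runs them against an in-memory SQLite database so it works offline (the slides used MySQL via mysql_connect). The table, the rows and the attack strings are constructed for the demo; it assumes the pdo_sqlite extension, which ships with PHP.

```php
<?php
// Added example, not code from the original slides or from hacktosecure.com:
// the concatenated "Normal QUERY" beside a PDO prepared statement, run against
// an in-memory SQLite database so it works offline (the slides used MySQL via
// mysql_connect). The table, rows and attack strings below are constructed
// for the demo. Requires the pdo_sqlite extension, which ships with PHP.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on any failure instead of returning false; this is what makes
    // the try/catch from the slides meaningful.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
    $pdo->exec("INSERT INTO user (id, name, age) VALUES (1, 'ravi', 22), (2, 'admin', 40)");
    return $pdo;
}

// Vulnerable: the request value is spliced into the SQL text.
function lookupByNameConcat(PDO $pdo, string $q): array
{
    $sql = "SELECT name, age FROM user WHERE name='" . $q . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Still vulnerable: addslashes() only matters inside quotes. A numeric
// comparison has no quote to close, so the payload needs none.
function lookupByIdAddslashes(PDO $pdo, string $q): array
{
    $sql = 'SELECT name, age FROM user WHERE id=' . addslashes($q);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value travels as a bound parameter (key => value, as PDO expects)
// and is never parsed as SQL, whatever quotes it contains.
function lookupByNamePrepared(PDO $pdo, string $q): array
{
    $sth = $pdo->prepare('SELECT name, age FROM user WHERE name = :name');
    $sth->execute([':name' => $q]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: validate the shape first, then bind as an integer.
function lookupByIdPrepared(PDO $pdo, string $q): array
{
    $id = filter_var($q, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // "1 OR 1=1" is not an integer; reject it outright
    }
    $sth = $pdo->prepare('SELECT name, age FROM user WHERE id = :id');
    $sth->bindValue(':id', $id, PDO::PARAM_INT);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $pdo = openDemoDb();
    $quotedPayload  = "' OR '1'='1";   // tautology for a quoted string context
    $numericPayload = '1 OR 1=1';      // same idea, no quotes required

    printf("concat, name lookup:       %d rows\n", count(lookupByNameConcat($pdo, $quotedPayload)));
    printf("prepared, name lookup:     %d rows\n", count(lookupByNamePrepared($pdo, $quotedPayload)));
    printf("addslashes, id lookup:     %d rows\n", count(lookupByIdAddslashes($pdo, $numericPayload)));
    printf("prepared, id lookup:       %d rows\n", count(lookupByIdPrepared($pdo, $numericPayload)));
    printf("prepared, id lookup for 2: %d rows\n", count(lookupByIdPrepared($pdo, '2')));
} catch (PDOException $e) {
    // Log the detail server-side; never echo $e->getMessage() to the user.
    error_log($e->getMessage());
    echo "database error\n";
}
```

Running it shows the concatenated name lookup and the addslashes() id lookup returning every row of the table for their payloads, while the two prepared lookups return nothing for the same input and still find the single row for a legitimate id. The addslashes() case is the point of the Usage slide: in a numeric context the function has nothing to escape.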

Defending XSS


Defending XSS

• Simply use htmlentities()
• Patched ….. Right ???

Defending XSS

• Nope.
• Use htmlentities() with ENT_QUOTES. Before PHP 8.1 the default flag is ENT_COMPAT, which encodes " but leaves ' untouched, so anything placed inside single quotes can still be closed.
• For eg, a single-quoted JavaScript string:

var name = '<?php echo htmlentities($_GET['username'], ENT_QUOTES, 'UTF-8'); ?>';

• Pick the encoder for the context: htmlentities() is for HTML text and attributes. For a value inside a <script> block use json_encode() with JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP instead, since the browser does not decode HTML entities there.
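The following is an added example, not code from the original slides or from hacktosecure.com. It shows the ENT_COMPAT/ENT_QUOTES difference from the slides above and, going one step further than the slide, the JSON encoder for a value that lands inside a <script> block. The usernames are constructed attack strings; it assumes PHP 7.3 or newer for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not code from the original slides or from hacktosecure.com:
// output encoding chosen by where the value lands in the page. The usernames
// below are constructed attack strings. Assumes PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// HTML text and attribute context. ENT_QUOTES encodes both ' and ";
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encodeForHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The trap from the slides: ENT_COMPAT (the default before PHP 8.1) leaves
// single quotes alone. Kept here only to make the bypass visible.
function encodeForHtmlCompat(string $s): string
{
    return htmlentities($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context inside <script>: the browser does not decode
// HTML entities there, so emit a complete JS string literal instead. The
// HEX flags turn < > ' " & into \uXXXX escapes, so "</script>" cannot appear.
function encodeForJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function attributeCompat(string $username): string
{
    return "<input value='" . encodeForHtmlCompat($username) . "'>";
}

function attributeQuotes(string $username): string
{
    return "<input value='" . encodeForHtml($username) . "'>";
}

function scriptVar(string $username): string
{
    return '<script>var name = ' . encodeForJs($username) . ';</script>';
}

// Breaks out of a single-quoted attribute when only " is encoded.
$attrPayload = "' onmouseover='alert(1)";
// Would close the <script> block if the value were inserted raw.
$jsPayload = '</script><script>alert(1)</script>';

echo "ENT_COMPAT : ", attributeCompat($attrPayload), "\n";
echo "ENT_QUOTES : ", attributeQuotes($attrPayload), "\n";
echo "script     : ", scriptVar($jsPayload), "\n";
```

The ENT_COMPAT line comes out with the attribute closed and a live onmouseover handler, the ENT_QUOTES line keeps the whole payload inside the attribute value as &#039; entities, and the script line is a quoted JS string in which every < and > is a \u003C or \u003E escape, so no closing </script> tag reaches the parser.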

Libraries for preventing XSS

• PHP AntiXSS
• xss_clean.php
• HTML Purifier
• XSS protector
• XSS HTML filter

References

• hacktosecure.com/patch-php-security-loopholes
• www.w3schools.com/php/func_string_addslashes.asp
• www.w3schools.com/php/func_string_htmlspecialchars.asp
• http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
• http://resources.infosecinstitute.com/how-to-prevent-cross-site-scripting-attacks/
• Analyze the code of Mutillidae at security level 5.

Questions … ???

Thank you.. !!