Web 2.0 and Security
MySQL Webcast | 9.11.2006 | Johann-Peter Hartmann
Agenda
❙ Actually everybody:
❙ MySpace today, Hotmail last week
❙ Resignation of the German chancellor
❙ Official Site of the government
❙ Political newspaper no. 1
❙ Financial Times Germany
❙ Lots of other news sites …
❙ Data Espionage
❙ CSS History Hack
[Screenshot: a visited link styled differently from a not yet visited link]
❙ Detect Firefox plugins using chrome://
<img src="chrome://google-toolbar/skin/icon.jpg" onLoad="alert('Google Toolbar installed!')">
❙ Detect existing logins using images
src="http://victim.com/admin/images/logo.gif"
MySQL: Web 2.0 and Security
© MAYFLOWER GmbH 2006 7
How to get around XSS filters
❙ XMLHttpRequest security
❙ Same-origin policy (same host only)
❙ Similar to Java applets
❙ Cross-Domain-AJAX I: the DNS way
❙ DNS pinning to avoid IP changes
❙ But: re-request if the IP does not answer
❙ Request to www.evil.com
❙ www.evil.com answers
❙ www.evil.com closes port 80 to the client
❙ dns.evil.com changes www.evil.com to 192.168.0.1
❙ Next request to www.evil.com
❙ No connection, so a new DNS request is made
❙ Answer: 192.168.0.1
❙ Now the attacker's JavaScript can read any page from 192.168.0.1
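Two defensive checks against the rebinding sequence above, as an added example in Python (not code from the webcast): the intranet server at 192.168.0.1 rejects requests whose Host header is not a name it serves (after rebinding the browser still sends Host: www.evil.com), and a resolver guard flags a public name that moves to a private address on re-lookup. The name intranet.local and the public address 1.2.3.4 are assumptions.

```python
"""Defences against the DNS rebinding sequence on the slide (hypothetical helpers)."""
import ipaddress

# Names the intranet host at 192.168.0.1 legitimately answers to (assumption).
SERVED_HOSTNAMES = {"intranet.local", "192.168.0.1"}


def host_header_allowed(host_header: str, served=SERVED_HOSTNAMES) -> bool:
    """Reject requests whose Host header is not a name this server serves.

    A rebound request arrives at 192.168.0.1 carrying 'Host: www.evil.com',
    because the browser still believes it is talking to www.evil.com.
    """
    host = host_header.strip().lower()
    if host.startswith("["):              # IPv6 literal: keep the brackets
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]         # drop an explicit port
    return host in served


def rebinding_suspected(hostname: str, first_ip: str, new_ip: str) -> bool:
    """True when a re-lookup of a public name lands in a private/loopback range.

    Models the step 'dns.evil.com changes www.evil.com to 192.168.0.1':
    the first answer was public, the second one internal.
    """
    old = ipaddress.ip_address(first_ip)
    new = ipaddress.ip_address(new_ip)
    if old.is_private or old.is_loopback:
        return False                      # the name was internal to begin with
    return new.is_private or new.is_loopback or new.is_link_local


def accept_request(host_header: str, hostname: str, first_ip: str, new_ip: str) -> bool:
    """Serve the request only if neither check flags it."""
    return host_header_allowed(host_header) and not rebinding_suspected(
        hostname, first_ip, new_ip)


if __name__ == "__main__":
    # Constructed scenario: www.evil.com first resolved to 1.2.3.4 (assumed
    # public address), then was repointed to 192.168.0.1 as on the slide.
    print(host_header_allowed("intranet.local:8080"))   # True
    print(host_header_allowed("www.evil.com"))          # False: rebound request
    print(rebinding_suspected("www.evil.com", "1.2.3.4", "192.168.0.1"))  # True
```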
Cross-Domain-AJAX II: Proxy Request Spoofing
[Diagram: Client, Proxy, evil.com and victim.com. The client sends GET http://evil.com/1.html, GET http://evil.com/2.html and GET http://evil.com/3.html through the proxy, which returns 1.html, 2.html and 3.html from evil.com; a GET http://victim.com/adm/ sent the same way is answered by victim.com.]
❙ Validate Input
❙ Check for certain characters
❙ Names, Numbers, Select boxes
❙ a known format (+49 89 24 20 54 13)
❙ length limitations
❙ Compare with whitelist, if possible
❙ Escape data by type of usage
❙ Entities when displaying strings in HTML text
❙ Entities when using strings in HTML attributes
❙ SQL dialect based encoding when using SQL without binding
❙ Slashes to escape things in JavaScript and JSON
❙ URL encoding when used in URLs