3.1 Exploit XSS Vulnerabilities
' or '1'='1' -- '.
(See Figure 4-1 below).
Figure 4-1 Real escape strings Index page
Using real escape strings prevents SQL injection on the client side, in the username and password login fields of the index page. The attack using " ' OR 1=1 -- " fails. (See Figures 4-2 and 4-3 below).
Figure 4-2 SQL injection attack.
Figure 4-3 SQL injection attack prevented.
A RIPS scan of the code shows that the code is still vulnerable to SQL injection on the server side.
(See Figure 4-4 below).
Figure 4-4 RIPS scan still vulnerable to SQL Injection.
SQL injections can be easily stopped by using prepared statements. With a prepared statement, user input is passed as data rather than spliced into the SQL text, so metacharacters in the input cannot alter the statement, and without metacharacters SQL injection is impossible. A PreparedStatement represents a precompiled SQL statement that can be executed many times without being recompiled for every execution. Examples of common metacharacters used in SQL query statements are semicolons, single quotes, and double quotes.
The config file contains no code that is vulnerable to SQL injection, but it must be amended to use a prepared statement because every page is linked together. The image below shows the original mysql code. (See Figure 4-5 below).
Figure 4-5 Mysql config code.
The config file is edited to use PHP Data Objects (PDO), which provides prepared statements. The variable $db stands for database, and this variable is called in the other files. The try and catch statement catches any PDO exceptions.
(See Figure 4-6 below).
Figure 4-6 Config file using PreparedStatement.
The mysql code that is vulnerable to SQL injection in the index file is shown in the image below.
(See Figure 4-7 below).
Figure 4-7 Mysql code Index file.
PDO prevents SQL injection by removing the metacharacters from the query: the double and single quotes and the string concatenation that spliced user input into the SQL.
Without the metacharacters SQL injection is impossible. Prepared statements have the added advantage of automatically making the data used in the placeholders safe from SQL injection attacks. bindParam binds PHP variables to the parameter markers. The execute function runs a prepared statement, which allows you to bind...
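The config file and index-page login query described above, written out as an added example rather than the report's own code: the concatenated query is shown beside its PDO prepared-statement replacement using bindParam and execute. Host, credentials, database, table and column names are assumptions, the vulnerable side uses mysqli as a stand-in for the report's mysql code, and the hardened side goes one step further than the report by comparing against a stored password hash.

```php
<?php
// Added example (not the report's own code): the config and index-page login
// query rewritten with PDO prepared statements, beside the vulnerable form.
// Hostname, credentials, database, table and column names are assumptions.

// config.php: $db is created here and reused by the other pages.
try {
    $db = new PDO(
        'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares, not client-side emulation.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
} catch (PDOException $e) {
    // Log the detail; show the user only a generic message.
    error_log('DB connection failed: ' . $e->getMessage());
    exit('Database unavailable');
}

// Vulnerable index.php query: user input is concatenated into the SQL text,
// so a username of  ' OR 1=1 --  changes the statement's structure.
function login_vulnerable(mysqli $conn, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '" . $user .
           "' AND password = '" . $pass . "'";
    $result = $conn->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened query: the SQL is compiled once with a placeholder, then the
// variable is bound and sent as data, so quotes and "--" in the input
// are never parsed as SQL.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username'
    );
    $stmt->bindParam(':username', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored hash rather than a plaintext password column.
    return $row !== false && password_verify($pass, $row['password_hash']);
}
```

Setting PDO::ATTR_EMULATE_PREPARES to false matters: with emulation on, PDO quotes the values itself on the client instead of sending the statement and its parameters separately to MySQL.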