Cross Site Scripting XSS

June 30th, 2010

As a website security consultant, Cross Site Scripting or XSS vulnerabilities are something that I see just as often as the always popular SQL Injection attack.

Cross Site Scripting seems originally to have meant placing malicious code on a victim site that pulled script (usually JavaScript, sometimes VBScript) from another, attacker-controlled domain. Every client that visited the victim site would unknowingly have that third-party script executed in their own browser. The term has since broadened to describe any type of malicious scripting attack.

The first example is a simple one. Many sites allow user comments. A user could quite easily enter:
This is my comment!<script type="text/javascript">
alert("script!");
</script>

Any user that loads the affected page will now see a popup box with the text "script!". The same user could just as easily have given the script tag a src of http://www.nastydomain.com/nastyscript.js, which every visitor's browser would download and execute.

The second option is to place JavaScript that steals the user's cookies for that particular site and then posts them to a third-party site. Those cookies may contain a login and password, or more likely a login hash. The attacker can then use the cookies to hijack the user's session and access possibly sensitive areas of the site under that user's account, as that hijacked user.

Fortunately the solution is simple. Either use htmlentities() to 'escape' the input, i.e. converting each < to &lt; and so on, so that the browser renders it as text rather than as markup, or use strip_tags() to remove all HTML tags from the input.
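As an added example (not code from the original post), here is the comment payload from above rendered three ways in PHP: unescaped, through htmlentities(), and through strip_tags(). The render_* function names and the assumption that the comment is placed in HTML element content are mine. Note the caveat a practitioner wants here: strip_tags() keeps the text that sat between the tags and does nothing for quotes, so for anything that may end up inside an attribute, htmlentities() with ENT_QUOTES is the safer default.

```php
<?php
// Added example, not from the original post. The comment below is the
// constructed payload used in the post.
$comment = 'This is my comment!<script type="text/javascript">alert("script!");</script>';

// Unsafe: the comment is echoed verbatim, so the browser parses the
// <script> element and executes it for every visitor.
function render_unsafe(string $comment): string
{
    return '<p>' . $comment . '</p>';
}

// Option 1: convert special characters to entities. ENT_QUOTES also encodes
// single and double quotes, which matters if the value ever lands inside an
// attribute; the explicit charset avoids mis-decoding multibyte input.
function render_encoded(string $comment): string
{
    return '<p>' . htmlentities($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Option 2: remove the tags entirely. The text between <script> and
// </script> survives, and quotes are left untouched.
function render_stripped(string $comment): string
{
    return '<p>' . strip_tags($comment) . '</p>';
}

// Also works for an attribute context when the value is encoded first.
function render_in_attribute(string $comment): string
{
    return '<input type="text" name="comment" value="'
        . htmlentities($comment, ENT_QUOTES, 'UTF-8') . '">';
}

echo render_unsafe($comment), PHP_EOL;
echo render_encoded($comment), PHP_EOL;
echo render_stripped($comment), PHP_EOL;
echo render_in_attribute($comment), PHP_EOL;
```

With the encoded version the browser displays the literal tags as text and nothing runs; the stripped version shows only the JavaScript source text, which is harmless in element content but is the wrong tool once quotes or attributes are involved.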

MySQL – Find Duplicates Only

June 25th, 2010

Within MySQL, we may want to select duplicate records instead of just selecting unique ones. Assuming a table name of 'table' and the field to check on being 'field':

To select UNIQUE values only:
SELECT DISTINCT field FROM table;

To select values that appear exactly twice (DUPLICATE rows only):
SELECT field FROM table GROUP BY field HAVING ( COUNT(field) = 2 );

To select DUPLICATE, TRIPLICATE or more rows only (any value appearing more than once):
SELECT field FROM table GROUP BY field HAVING ( COUNT(field) > 1 );
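The three queries above run against a small constructed data set, as an added example that is not part of the original post. It uses PDO with an in-memory SQLite database so it can be tried without a MySQL server (the SQL is the same); the table and column names follow the post and are double-quoted because "table" is a reserved word. It also goes one step beyond the post by returning the multiplicity next to each duplicated value.

```php
<?php
// Added example, not from the original post. Requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed data: "apple" occurs twice, "plum" three times, the rest once.
$pdo->exec('CREATE TABLE "table" ("field" TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO "table" ("field") VALUES (?)');
foreach (['apple', 'pear', 'apple', 'plum', 'plum', 'plum', 'fig'] as $value) {
    $insert->execute([$value]);
}

// Run a single-column query and return the column as a plain array.
function column(PDO $pdo, string $sql): array
{
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Unique values only.
$unique = column($pdo, 'SELECT DISTINCT "field" FROM "table" ORDER BY "field"');

// Values occurring exactly twice: COUNT = 2 excludes "plum" (three rows).
$exactlyTwice = column($pdo,
    'SELECT "field" FROM "table" GROUP BY "field" HAVING ( COUNT("field") = 2 )');

// Values occurring more than once: both "apple" and "plum".
$twoOrMore = column($pdo,
    'SELECT "field" FROM "table" GROUP BY "field" HAVING ( COUNT("field") > 1 )');

// Beyond the post: report how many times each duplicated value occurs.
$withCounts = $pdo->query(
    'SELECT "field", COUNT(*) AS n FROM "table" GROUP BY "field" HAVING COUNT(*) > 1 ORDER BY n DESC'
)->fetchAll(PDO::FETCH_ASSOC);

print_r($unique);
print_r($exactlyTwice);
print_r($twoOrMore);
print_r($withCounts);
```

The point worth seeing on real data is the difference between the last two queries: COUNT(field) = 2 only reports values that occur exactly twice, so a value present three times is silently left out, which is why the > 1 form is usually what is wanted when hunting for duplicates.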

PHP, MySQL and memcached

June 24th, 2010

According to memcached is a distributed object memory caching system. It can be used to set and get data by keys by any application that supports sockets.

As a website security consultant I advise you to ensure that your memcache server listens on 127.0.0.1 only and that you secure the server itself. Anyone with access to the server can telnet to its local interface and get/set your memcache data.

I've used memcached for a number of PHP/MySQL projects where I want greater cache control on database queries than just relying on MySQL's inbuilt caching abilities.

Now, whilst memcached should not be used to mask bad database design and optimization, or badly written SQL queries, it can help dramatically with queries that simply take a long time and have already been optimized as far as possible.

Assume that you had a simple database query wrapper:
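The post's own wrapper is not reproduced on this page, so the following is an added example (not the author's code) of what such a memcached-backed query wrapper looks like in PHP. It assumes the PECL memcached extension and mysqli; the database credentials, the query_cache_key, cached_query and invalidate_query names, and the 300-second default TTL are all my own choices.

```php
<?php
// Added example, not from the original post. Assumes the PECL "memcached"
// extension and mysqli; DB_* values are placeholders.
$db = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$mc = new Memcached();
$mc->addServer('127.0.0.1', 11211); // local interface only, as the post advises

// Cache key for a statement. memcached keys are limited to 250 bytes and may
// not contain whitespace, so hash the SQL text instead of using it directly.
function query_cache_key(string $sql): string
{
    return 'q:' . sha1($sql);
}

// Run $sql, serving the result set from memcached when a fresh copy exists.
// $sql must be built entirely from trusted values; anything user-supplied
// belongs in a prepared statement, not in a string that becomes a cache key.
function cached_query(mysqli $db, Memcached $mc, string $sql, int $ttl = 300): array
{
    $key  = query_cache_key($sql);
    $rows = $mc->get($key);
    // Check the result code rather than $rows: a cached empty result set is a
    // legitimate hit that would otherwise be mistaken for a miss.
    if ($mc->getResultCode() === Memcached::RES_SUCCESS) {
        return $rows;
    }

    $result = $db->query($sql);
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . $db->error);
    }
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $result->free();

    $mc->set($key, $rows, $ttl); // entry expires after $ttl seconds
    return $rows;
}

// Drop the cached copy once the underlying rows have been changed.
function invalidate_query(Memcached $mc, string $sql): void
{
    $mc->delete(query_cache_key($sql));
}

// video_tags is the table seen in the process list later on this page.
$sql    = 'SELECT tag, quantity FROM video_tags ORDER BY quantity DESC LIMIT 20';
$first  = cached_query($db, $mc, $sql); // goes to MySQL and stores the rows
$second = cached_query($db, $mc, $sql); // served from memcached
invalidate_query($mc, $sql);            // call after an UPDATE to video_tags
```

On the deployment side, the advice in the post translates to starting memcached with -l 127.0.0.1 (its listen-address option) and firewalling port 11211: the daemon has no authentication of its own, so network reachability is the whole access control.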

MySQL – Running Processes

June 6th, 2010

Showing running processes is easy: just log in to the MySQL command line and issue 'SHOW PROCESSLIST;'
mysql> SHOW PROCESSLIST;
+----------+------+--------------------------------------+------------+---------+------+----------+-----------------------------------------------------------------------------------------------+
| Id       | User | Host                                 | db         | Command | Time | State    | Info                                                                                          |
+----------+------+--------------------------------------+------------+---------+------+----------+-----------------------------------------------------------------------------------------------+
| 66041116 | root | localhost                            | NULL       | Query   |    0 | NULL     | SHOW PROCESSLIST                                                                              |
| 66042322 | sql  | www.adampalmer.me/iodigitalsec:57281 | websonline | Query   |    1 | Updating | UPDATE `video_tags` SET `quantity` = '27' WHERE CONVERT( `tag` USING utf8 ) = 'sport' LIMIT 1 |
+----------+------+--------------------------------------+------------+---------+------+----------+-----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

You can also use ‘SHOW’ to display a wide range of information: http://dev.mysql.com/doc/refman/5.0/en/show.html
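Beyond eyeballing the list by hand, the same information can be polled from PHP to flag statements that have been running for too long. This is an added example, not code from the original post: it uses SHOW FULL PROCESSLIST (so the Info column is not truncated to 100 characters as it is with plain SHOW PROCESSLIST), skips idle connections and its own thread, and reports rows whose Time exceeds a threshold. The long_running name, the 30-second threshold and the credentials are my assumptions.

```php
<?php
// Added example, not from the original post. DB_* values are placeholders.
$db = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD');

// Return the SHOW FULL PROCESSLIST rows whose Time is at least $minSeconds,
// ignoring idle connections (Command = Sleep) and this connection's own thread.
function long_running(mysqli $db, int $minSeconds): array
{
    $result = $db->query('SHOW FULL PROCESSLIST');
    if ($result === false) {
        throw new RuntimeException('SHOW PROCESSLIST failed: ' . $db->error);
    }

    $slow = [];
    foreach ($result->fetch_all(MYSQLI_ASSOC) as $row) {
        if ($row['Command'] === 'Sleep' || (int) $row['Id'] === $db->thread_id) {
            continue;
        }
        if ((int) $row['Time'] >= $minSeconds) {
            $slow[] = $row;
        }
    }
    $result->free();
    return $slow;
}

// Print one line per slow statement: Id, user@host, db, elapsed time, SQL.
foreach (long_running($db, 30) as $row) {
    printf(
        "%s\t%s@%s\t%s\t%ds\t%s\n",
        $row['Id'],
        $row['User'],
        $row['Host'],
        $row['db'] ?? 'NULL',
        $row['Time'],
        $row['Info']
    );
}
```

The Id column is what the KILL statement takes, so a report like this is the natural input for deciding which runaway query to terminate; the example deliberately only reports.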