Notes:
- Examples below will not work on this domain. If you want to play
with these examples, please see the Virtual Machine we prepared for
your tutorial.
- The notes below outline the points we covered in class. We spoke about each of the points in detail.
SQL Injection
For this lecture we covered SQL Injection Attacks by Example.
We went through this by example in class. All of the following is installed
in one of your lab Virtual Machines.
- Database: Postgresql
- Some notes on Relational Databases. We covered the
concepts during lecture but at a higher level.
- The underlying schema
- The page we went through for the SQL injection demo
- The form on the above page was calling siMailLogin.pl (a perl cgi-script).
The issue in this script is the construction of a SQL query by pasting the user's input directly into the query string.
- Know your inputs: To mitigate this problem, check your inputs (remember, it is
better to look for good inputs and reject the rest vs. looking for bad inputs and accepting the rest).
- Even better: use a prepared statement as in siMailLoginBetter.pl.
Prepared statements are sent to the database as parameterized queries. The database
parses the parameterized query and then waits for parameters to be sent.
When the parameters are sent, they are filled into the already-built parse tree for the query, so they can only ever be data. There is
no ambiguity about the role of the parameters.
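The two scripts contrasted above, as an added example (not the course's siMailLogin.pl or siMailLoginBetter.pl code): an in-memory SQLite database stands in for the lab's PostgreSQL instance, and the users table and the allow-list pattern are assumptions made for illustration.

```python
# Added example: string-built query vs. parameterized query, plus an input check.
# Assumption: in-memory SQLite stands in for PostgreSQL; the table is constructed here.
import re
import sqlite3

def make_db():
    """Constructed sample table with a single user (plaintext password, demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The siMailLogin.pl pattern: user text is glued into the SQL string, so a
    quote character in the input changes the structure of the query itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_better(conn, username, password):
    """The siMailLoginBetter.pl pattern: the query is parsed with placeholders
    first; the values are bound afterwards and are treated purely as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# "Know your inputs": an allow-list of what a mail login name may contain
# (assumed character set); everything else is rejected before any query runs.
USERNAME_OK = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

def username_is_valid(username):
    return bool(USERNAME_OK.match(username))

if __name__ == "__main__":
    conn = make_db()
    print(login_better(conn, "alice", "s3cret"))   # True
    print(login_better(conn, "o'brien", "x"))      # False: the quote is just data
    print(username_is_valid("o'brien"))            # False: rejected by the allow-list
    try:
        login_vulnerable(conn, "o'brien", "x")
    except sqlite3.OperationalError as err:
        print("string-built query broke:", err)    # the quote altered the SQL
```

Running it shows that the same input that is harmless data for the parameterized query is parsed as SQL by the string-built one, which is exactly the ambiguity the prepared statement removes.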
XSS
- Clients and servers, http clients (web browsers) and servers (web servers).
- Javascript and its role in delivering client side content.
- Cookies and their role in web applications.
- Examples