XSS attacks: How to save yourself

Today, all of us have accounts on Facebook. Other than that, we have several other online accounts too. What if I told you that, without you realizing it, your account may get hacked? What if I told you that clicking a harmless-looking link can cause you to lose your account? Would you laugh it off? If your answer is yes, think again.

I can give you a simple link. You click it and it opens up Google. That’s all I require to hack into your account. Better yet, I can have a webpage with an image, and as soon as that image loads in your browser, your security gets compromised.

If you’re with me until now, read on.

This article, as the name suggests, is about cross-site scripting (XSS) attacks and how to prevent your personal information from being stolen by such an attack. First up: this article isn’t a tutorial for XSS. It’s for people who are not familiar with all this network security stuff.

First things first. Cookies. Yeah, really. What are cookies? Cookies are basically some data stored on your PC that websites use to recognise you, keep track of your movements, etc. So, the reason why you can close your browser and, on opening Facebook again in your browser, it still shows your account is because of cookies.

Also, I’d like you to know a little about XSS. Even though this post isn’t meant to teach what XSS actually is (I’ll write something on it down the line), it would still be good to have some basic idea of what might hit you. XSS is an attack based on a scripting language, primarily JavaScript. What can JavaScript do? It can do all kinds of weird sh!t. For example, it can open a lot of pop-up windows. It can be made so that whenever you open a page, some information gets sent to a page that I want without you even knowing it. And, the most important thing of all: it can be used to send away your cookies.

Almost all the websites you visit these days use some JS. Not that it is used only for malicious purposes; JS is used for some great stuff too. But someone who wants to misuse it can indeed do so. To execute JS, one can have a link pointing to something like:

javascript: <some JS code>

Or, if the JS is integrated in the page itself, it can be executed as the creator of that page wishes. This can mean that, for example, whenever you move your mouse over some part of the page, some information may be sent in the background without your knowledge, and that includes cookies.

There are other ways too, but I’ll not discuss them here. Now, when your cookies have been sent over, what happens? For example, I have an account that provides free web hosting services. Using that, I can make an arrangement such that whenever any information is sent, it gets recorded.

Generally, it’s the link-based attacks that you should be aware of (I won’t explain the reason though). In such cases, the information is sent to the page that performs the recording, which then redirects you to some other website. Most of you won’t even notice the address in the address bar when Google opens up in front of you. So, while you are thinking that the link pointed you to Google, something has already happened. Your cookies have been saved in a log file somewhere and you don’t even know about it.

Now, what can the other person do with these cookies? Well, he can set his own browser’s cookies from your cookies, just like they would be in your browser, and tada! In many cases he should be able to open your account just by going to that website.

How to prevent this from happening?

Well, the first thing you can do is this: NEVER paste anything into your address bar that starts with ‘javascript:’ unless you know what you’re doing. Secondly, always check where a link points to by hovering over it and looking at the bottom corner of the browser window. If it begins with ‘javascript:’ then there may be risk involved. Also, the surefire way to avoid this is to turn off JS in your browser, but that can hamper the functioning of many websites too.
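As an added example (not part of the original post), here is a small Python check that applies the "does it begin with javascript:" rule the way a browser reads a link: browsers ignore leading whitespace and control characters, drop tabs and newlines inside the URL, and treat the scheme case-insensitively, so a plain startswith() misses some links that would still run script. The sample hrefs are constructed for the demo.

```python
"""Added example, not the post's code: flag link targets whose scheme is
"javascript:" after normalising the href the way a browser does before it
parses the scheme (leading/trailing C0 controls and spaces ignored, ASCII
tab/CR/LF removed anywhere, scheme compared case-insensitively)."""
import re

# ASCII tab, CR and LF are removed from anywhere in a URL before parsing.
_STRIPPED = re.compile(r"[\t\r\n]")
# Leading and trailing C0 control characters and space are ignored.
_TRIM = "".join(chr(c) for c in range(0x21))


def normalize_href(href: str) -> str:
    """Return the href as a browser would see it just before scheme parsing."""
    return _STRIPPED.sub("", href.strip(_TRIM))


def is_script_url(href: str) -> bool:
    """True if clicking the link would run JavaScript instead of navigating."""
    return normalize_href(href).lower().startswith("javascript:")


def scan_links(hrefs):
    """Return the hrefs that the post's hover-and-look rule should flag."""
    return [h for h in hrefs if is_script_url(h)]


# Constructed sample hrefs for the demo (not taken from any real page).
SAMPLE_HREFS = [
    "https://www.google.com/",
    "javascript:alert(1)",
    "  JaVaScRiPt:void(0)",          # leading spaces and mixed case
    "java\tscript:void(0)",          # tab inside the scheme
    "/relative/path?q=javascript:",  # the word appears, but not as the scheme
]

if __name__ == "__main__":
    for h in SAMPLE_HREFS:
        print(f"{is_script_url(h)!s:5}  {h!r}")
```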

Anyway, I’ll have more on XSS somewhere down the line. This is it for the time being. Please leave a comment. Also, like and share.

SQL Injection

I haven’t posted in so long! 🙂

So today, we will have a brief introduction to SQL injections (SQLi for short). For those of you who are unaware of such things, this can be used to hack/deface websites and is commonly used to extract privileged data from websites’ databases.

So, what are SQL injections?

First up, you should know what SQL is. If you don’t, go here and find out a bit about it. Now, SQL is used for querying data from a database. Say we have a table called users. A typical SQL statement would be:

SELECT username, passwd, email FROM users;

This query is typed out in a terminal running the appropriate query program. Now, on to injections. Well, you see, most of the websites you encounter on the internet have their backend coded in PHP. About the same percentage of websites have been coded in ASP.NET. Both of them make queries to a database to determine various things, from usernames and passwords to searching for articles written on a news website. The important part is this: both of them have a similar procedure for making queries. They first construct a query string that resembles what you saw above and then pass that string to built-in functions that actually pass the query on to the DB. Here is some PHP code as an example:

$usr = $_GET['username'];  // value taken straight from the URL, with no checks
$query = "SELECT username, passwd, email FROM users WHERE username='".$usr."';";  // pasted directly into the SQL text

The code is simple enough to understand. The first line stores the username in a variable called $usr and the second line constructs the query. Now the code will call the appropriate functions that make the query to the database.
Now for the loophole. You see, the $usr variable just gets inserted into the query string. So, if we suppose $usr == "bk201", then the query string would become:

SELECT username, passwd, email FROM users WHERE username='bk201';

But on the other hand, suppose that $usr == "bk201'; INSERT INTO users values( 'malicious_person', '123abc', 'hack@crack.com' );--"
This would only require the attacker to know the table name and the number of columns in the table, both of which can be found out using slightly more advanced SQL injection. This query would add his account to the website’s DB, and now the person with malicious intent can access what he shouldn’t be able to.
Better still, he can use this:
$usr == "bk201'; DROP TABLE users;--"
The latter would result in $query being equal to:

SELECT username, passwd, email FROM users WHERE username='bk201'; DROP TABLE users;

As you can see, this can be a disaster for the admin. This query would delete the table containing all the information about the clients. For a user-driven website, this might mean shutting down the website itself.
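As an added example (not the post’s PHP), here is the same query built the post’s way in Python and run against a constructed in-memory SQLite table, next to the parameterised form that keeps the input out of the SQL text. sqlite3’s executescript() stands in for a database driver that executes several statements in one call, which is what the post’s scenario assumes.

```python
"""Added example, not the post's code: the post's query built by string
concatenation and run against a constructed in-memory SQLite table, beside
a parameterised version. executescript() plays the role of a driver that
runs every statement it is handed, as the post's scenario assumes."""
import sqlite3

# The post's two inputs: a normal username and the DROP TABLE payload.
NORMAL_INPUT = "bk201"
DROP_INPUT = "bk201'; DROP TABLE users;--"


def fresh_db() -> sqlite3.Connection:
    """Constructed users table with the columns the post names and one row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, passwd TEXT, email TEXT)")
    con.execute("INSERT INTO users VALUES ('bk201', 'secret', 'bk201@example.com')")
    return con


def build_query(usr: str) -> str:
    """Same as the post's PHP: the input is pasted straight into the SQL text."""
    return "SELECT username, passwd, email FROM users WHERE username='" + usr + "';"


def lookup_concat(con: sqlite3.Connection, usr: str) -> bool:
    """Vulnerable path. A quote in `usr` closes the string literal, so whatever
    follows is executed as SQL too. Returns whether the users table survived."""
    con.executescript(build_query(usr))
    return table_exists(con)


def lookup_param(con: sqlite3.Connection, usr: str) -> list:
    """Hardened path. The `?` placeholder hands `usr` to the engine as a bound
    value, never as SQL text, so the payload is just a username that does not
    exist and the table is untouched."""
    cur = con.execute(
        "SELECT username, passwd, email FROM users WHERE username = ?", (usr,)
    )
    return cur.fetchall()


def table_exists(con: sqlite3.Connection) -> bool:
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print(build_query(DROP_INPUT))  # the string the post shows, with the comment
    print("table after concat:", lookup_concat(fresh_db(), DROP_INPUT))  # False
    db = fresh_db()
    print("rows for payload via ?:", lookup_param(db, DROP_INPUT))  # []
    print("table after param:", table_exists(db))  # True
```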
Obviously, things aren’t exactly so easy, otherwise the internet would be in chaos. Only inexperienced webmasters build their sites so that someone can perform SQL injections on them. There are several ways to avoid this trouble, and we shall discuss them somewhere down the line. This will be it for now. Have your opinions about the matter? Leave a comment. Also, please like and share ~_~