1
00:00:01,320 --> 00:00:07,710
As you've seen so far, SQL injections are very dangerous, and also they're very easy to occur and very

2
00:00:07,710 --> 00:00:08,730
easy to find.

3
00:00:08,850 --> 00:00:15,630
You'll find them everywhere, and on some really famous websites. People try to prevent these vulnerabilities

4
00:00:16,170 --> 00:00:17,460
using filters.

5
00:00:17,550 --> 00:00:20,470
Filters can make it look like there are no exploits.

6
00:00:20,580 --> 00:00:27,300
But if you actually try harder by using encoding, different types of encoding, or using a proxy, then you'll

7
00:00:27,300 --> 00:00:30,690
be able to bypass most of these filters.

8
00:00:30,690 --> 00:00:32,500
Some programmers use a blacklist.

9
00:00:32,520 --> 00:00:38,110
So for example they prevent the use of union, they prevent the use of insert, and stuff like that.

10
00:00:38,220 --> 00:00:41,130
Again, it's not 100 percent secure.

11
00:00:41,130 --> 00:00:47,140
It can be bypassed. Using a whitelist: exactly the same issues as the blacklist.

12
00:00:47,160 --> 00:00:54,750
The best way to do it is to program your web application in a way that it does not allow code to be

13
00:00:54,750 --> 00:00:58,140
injected into it and then executed.

14
00:00:58,140 --> 00:01:04,950
So the best way to do that is to use parameterized statements, where the data and the code are

15
00:01:04,950 --> 00:01:05,940
separated.

16
00:01:06,120 --> 00:01:13,190
And the best way to show you what I mean by that is using an example. I'm keeping the least amount of

17
00:01:13,190 --> 00:01:16,570
programming in this example; I don't want it to be a programming example.

18
00:01:16,640 --> 00:01:21,860
There are actually mistakes in the program in there, but I'm trying to give you the concept more than how

19
00:01:21,860 --> 00:01:22,550
to program it.

20
00:01:23,600 --> 00:01:29,630
So the vulnerable code that we were looking at used to do this: it used to do select star from accounts

21
00:01:29,660 --> 00:01:37,670
where username is equal to whatever we put in Text Box 1, and then we used to put in Text Box 1, let's

22
00:01:37,670 --> 00:01:44,460
just put it here.

23
00:01:44,580 --> 00:01:56,970
We used to say admin, and then it closed the code, and then we were able to do a union select and execute

24
00:01:56,970 --> 00:01:57,800
something else.

25
00:01:57,930 --> 00:02:03,870
And then once we're done we used to add the comment, which basically ignores everything that comes in

26
00:02:03,870 --> 00:02:04,290
after it.

27
00:02:04,710 --> 00:02:09,680
So when you copy this and you paste it in here

28
00:02:12,390 --> 00:02:13,510
you'll see what's happening.

29
00:02:13,560 --> 00:02:15,060
So it's selecting.

30
00:02:15,090 --> 00:02:20,870
Now let's just get rid of this because this is just making the colors not nice. I'm actually going to

31
00:02:20,930 --> 00:02:28,990
just put a comment on this, so it's gonna do a select star from accounts where username is equal to

32
00:02:28,990 --> 00:02:33,160
admin union select and execute whatever we want to do.

33
00:02:33,370 --> 00:02:39,640
This is very bad and it's very hard to protect against. As I said, user filters and stuff will only hide

34
00:02:39,790 --> 00:02:41,920
the problem, will not fix it.

35
00:02:42,190 --> 00:02:46,750
The best way to do this is using parameterized statements, just like so.

36
00:02:46,750 --> 00:02:48,690
So this is the safe way to do it.

37
00:02:48,970 --> 00:02:53,770
First of all you prepare your statement. Most languages like PHP, and all of them, actually have a

38
00:02:53,770 --> 00:03:01,510
function like that, and you can prepare select star from accounts where username is equal to question

39
00:03:01,510 --> 00:03:06,770
mark, and then you send the values.

40
00:03:06,780 --> 00:03:13,680
So PHP now knows the SQL statement is select star from accounts where username is equal to something,

41
00:03:14,370 --> 00:03:17,130
and then it's going to take the value of Text Box 1.

42
00:03:17,520 --> 00:03:28,290
So even if we come in and we use our very sneaky statement right here and paste it in there, the web application

43
00:03:28,290 --> 00:03:36,000
will know that the value for this is admin union select, so it will actually try to go and select star

44
00:03:36,000 --> 00:03:41,940
from accounts where the username, and then it'll actually add its own quotes and try to find

45
00:03:41,940 --> 00:03:44,570
a username with the following username.

46
00:03:44,580 --> 00:03:48,000
So this whole thing will be executed like so,

47
00:03:54,810 --> 00:04:01,130
so it will be select star from accounts where username is equal to admin union select this hashtag,

48
00:04:01,360 --> 00:04:08,540
so whatever you put in your text box will be sent as a value.

49
00:04:08,600 --> 00:04:13,900
And the web application will know that this is a value, it's not code, and it'll never be executed.

50
00:04:14,120 --> 00:04:18,340
Therefore this will protect you against SQL injections.

51
00:04:18,770 --> 00:04:21,830
You can use the filters as a second line of defense.

52
00:04:22,100 --> 00:04:30,250
And I also advise that you use the least privilege possible, so for each database

53
00:04:30,290 --> 00:04:35,750
use one user with the least amount of privileges they want, so don't allow the users to do anything that

54
00:04:35,750 --> 00:04:36,940
you wouldn't allow them.

55
00:04:36,970 --> 00:04:43,070
If it's a simple site that only does selection, that only allows the user to select; if it only needs

56
00:04:43,070 --> 00:04:46,430
to select and insert, then only allow them to select and insert.

57
00:04:46,430 --> 00:04:50,690
And this is a rule you should keep with everything, even within systems: make sure that

58
00:04:50,690 --> 00:04:56,450
the permissions are always as least as possible; each user doesn't have any extra permissions that they

59
00:04:56,450 --> 00:04:57,020
don't need.