1 00:00:01,360 --> 00:00:07,500 As you've seen so far, SQL injections are very dangerous, and also they occur very easily and are 2 00:00:07,500 --> 00:00:08,860 very easy to find. 3 00:00:08,940 --> 00:00:12,590 You'll find them everywhere, in some really famous websites. 4 00:00:12,810 --> 00:00:17,390 People try to prevent these vulnerabilities using filters. 5 00:00:17,610 --> 00:00:23,870 Filters can make it look like there are no exploits, but if you actually try harder, by using encoding, 6 00:00:24,000 --> 00:00:29,920 different types of encoding, or using a proxy, then you'll be able to bypass most of these filters. 7 00:00:30,740 --> 00:00:32,570 Some programmers use a blacklist. 8 00:00:32,570 --> 00:00:35,550 So, for example, they prevent the use of UNION. 9 00:00:35,600 --> 00:00:38,250 They prevent the use of INSERT and stuff like that. 10 00:00:38,270 --> 00:00:41,210 Again, it's not 100 percent secure. 11 00:00:41,210 --> 00:00:43,970 It can be bypassed. Using a whitelist: 12 00:00:43,970 --> 00:00:47,190 exactly the same issues as the blacklist. 13 00:00:47,240 --> 00:00:54,800 The best way to do it is to program your web application in a way that it does not allow code to be 14 00:00:54,800 --> 00:00:57,590 injected into it and then executed. 15 00:00:58,190 --> 00:01:05,970 So the best way to do that is to use parameterized statements, where the data and the code are separated. 16 00:01:06,170 --> 00:01:13,250 And the best way to show you what I mean by that is using an example. I'm keeping the least amount of 17 00:01:13,250 --> 00:01:13,780 programming 18 00:01:13,790 --> 00:01:16,690 in this example; I don't want it to be a programming example. 19 00:01:16,700 --> 00:01:21,680 There are actually mistakes in the programming in there, but I'm trying to give you the concept more than 20 00:01:21,680 --> 00:01:22,780 how to program it.
21 00:01:23,670 --> 00:01:29,700 So the vulnerable code that we were looking at used to do this: it used to do SELECT * FROM accounts 22 00:01:29,700 --> 00:01:37,500 WHERE username is equal to whatever we put in text box 1, and then we used to put in text box 1... 23 00:01:37,540 --> 00:01:38,690 Let's just put it here. 24 00:01:44,660 --> 00:01:57,390 We used to say admin, and then close the quote, and then we're able to do a UNION SELECT and execute something 25 00:01:57,390 --> 00:01:57,840 else. 26 00:01:57,990 --> 00:02:03,810 And then once we were done we used to add the comment, which basically ignores everything that comes 27 00:02:03,810 --> 00:02:04,730 after it. 28 00:02:04,770 --> 00:02:09,700 So when you copy this and you put it in here, 29 00:02:12,440 --> 00:02:13,610 you'll see what's happening. 30 00:02:13,610 --> 00:02:15,130 So it's a selection. 31 00:02:15,140 --> 00:02:20,860 Now let's just get rid of this, because this is just making the code not nice, and I'm actually going 32 00:02:20,860 --> 00:02:29,050 to just put a comment on this. So it's going to do a SELECT FROM accounts WHERE username is equal to 33 00:02:29,050 --> 00:02:33,460 admin, UNION SELECT, and execute whatever we want to do. 34 00:02:33,460 --> 00:02:36,240 This is very bad and it's very hard to protect against. 35 00:02:36,250 --> 00:02:42,170 As I said, using filters and stuff will only hide the problem; it will not fix it. 36 00:02:42,230 --> 00:02:46,790 The best way to do this is using parameterized statements, just like so. 37 00:02:46,790 --> 00:02:48,980 So this is the safe way to do it. 38 00:02:49,040 --> 00:02:53,810 First of all, you prepare your statement. Most languages, like PHP and all of them, actually have a 39 00:02:53,810 --> 00:03:01,580 function like that, and you can prepare SELECT * FROM accounts WHERE username is equal to a question 40 00:03:01,580 --> 00:03:06,860 mark, and then you send the values.
41 00:03:06,860 --> 00:03:13,700 So PHP now knows the SQL statement is SELECT * FROM accounts WHERE username is equal to something, 42 00:03:14,420 --> 00:03:17,580 and then it's got the value of text box 1. 43 00:03:17,600 --> 00:03:28,360 So even if we come in and we use our very sneaky statement right here and paste it in there, the web application 44 00:03:28,360 --> 00:03:33,880 will know that the value for this is admin UNION SELECT and so on. 45 00:03:33,880 --> 00:03:39,260 It'll try to go and SELECT * FROM accounts WHERE the username... and then actually it'll 46 00:03:39,310 --> 00:03:44,640 add its own quotes and try to find a username with the following username. 47 00:03:44,650 --> 00:03:48,040 So this whole thing will be executed like so, 48 00:03:54,890 --> 00:04:01,340 so it will be SELECT FROM accounts WHERE username is equal to admin UNION SELECT this hashtag. 49 00:04:01,490 --> 00:04:09,710 So never ever: whatever you put in your text box will be sent as a value, and the web application 50 00:04:09,710 --> 00:04:11,110 will know that this is a value. 51 00:04:11,120 --> 00:04:14,030 It's not code, and it'll never be executed. 52 00:04:14,180 --> 00:04:18,350 Therefore this will protect you against SQL injections. 53 00:04:18,830 --> 00:04:22,050 You can use the filters as a second line of defense. 54 00:04:22,160 --> 00:04:31,820 And I also advise that you use the least privileges possible. So for each database, use one user with 55 00:04:31,820 --> 00:04:36,590 the least amount of privileges they need; so don't allow the users to do anything that they don't need 56 00:04:36,590 --> 00:04:37,000 to do. 57 00:04:37,010 --> 00:04:43,040 If it's a simple website that only does selection, then only allow the user to SELECT; if it only needs 58 00:04:43,120 --> 00:04:46,380 to SELECT and INSERT, then only allow them to SELECT and INSERT.
59 00:04:46,490 --> 00:04:49,370 And this is a rule you should keep with everything, even with existing systems. 60 00:04:49,370 --> 00:04:53,410 Make sure the permissions are always as low as possible. 61 00:04:53,420 --> 00:04:57,040 Each user shouldn't have any extra permissions that they don't need.
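The lecture describes the vulnerable query, the admin' UNION SELECT ... payload, and the parameterized fix in PHP pseudocode only. The following is an added example, not code from the lecture: it builds both versions of the accounts lookup in Python against an in-memory SQLite database (a constructed accounts table and a constructed credit_cards table standing in for whatever the attacker wants to read), runs the same payload through each, and shows that the concatenated query leaks the second table while the parameterized one treats the whole payload as a username value and matches nothing. SQLite comments with "-- " rather than the "#" the lecture uses for MySQL, so the payload's trailer is adjusted accordingly.

```python
import sqlite3


def make_db():
    # Constructed sample database (not from the lecture): the accounts table
    # the application queries, plus a second table an attacker wants to read.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT);
        INSERT INTO accounts VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        CREATE TABLE credit_cards (id INTEGER, owner TEXT, number TEXT);
        INSERT INTO credit_cards VALUES (1, 'bob', '4111111111111111');
        """
    )
    return conn


def build_vulnerable_sql(username):
    # The pattern from the lecture: the untrusted value is pasted straight into
    # the SQL text, so quotes and keywords inside it become part of the code.
    return (
        "SELECT id, username, password FROM accounts WHERE username = '"
        + username
        + "'"
    )


def lookup_vulnerable(conn, username):
    return conn.execute(build_vulnerable_sql(username)).fetchall()


def lookup_parameterized(conn, username):
    # The fix from the lecture: the statement is prepared with a placeholder and
    # the value is bound separately, so it can never change the statement's
    # structure. The driver, not the application, handles any quoting.
    sql = "SELECT id, username, password FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The lecture's payload: close the quote, UNION in a second query with the same
# number of columns, and comment out the trailing quote the application appends.
# SQLite uses "-- " for a line comment where MySQL also accepts "#".
PAYLOAD = "admin' UNION SELECT id, owner, number FROM credit_cards -- "


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
        "honest": lookup_parameterized(conn, "admin"),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql(PAYLOAD))
    for name, rows in demo().items():
        print(name, rows)
```

Running it prints the concatenated statement, ending in `-- '`, so the quote the application appended is inside a comment; the "vulnerable" result contains both the admin row and the credit card row, while "parameterized" is empty because no account has the literal payload as its username, and "honest" returns only the admin row. Least privilege, the lecture's other recommendation, is not shown here because SQLite has no per-user grants; on MySQL or PostgreSQL the application account would be granted SELECT on accounts only, so a successful injection could not reach credit_cards at all.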