1
00:00:01,360 --> 00:00:07,500
As you've seen so far as skill injections are very dangerous and also they're very easy to Ocker and

2
00:00:07,500 --> 00:00:08,860
very easy to find.

3
00:00:08,940 --> 00:00:12,590
You'll find them everywhere in some really famous websites.

4
00:00:12,810 --> 00:00:17,390
People try to prevent these vulnerabilities using filters.

5
00:00:17,610 --> 00:00:23,870
Filters can make it look like there is no exploits but if you actually try harder by using encoding

6
00:00:24,000 --> 00:00:29,920
different types of encoding or using a proxy then you'll be able to bypass most of these filters.

7
00:00:30,740 --> 00:00:32,570
Some programmers use a blacklist.

8
00:00:32,570 --> 00:00:35,550
So for example they prevent the use of union.

9
00:00:35,600 --> 00:00:38,250
They prevent the use of insert and stuff like that.

10
00:00:38,270 --> 00:00:41,210
Again it's not 100 percent secure.

11
00:00:41,210 --> 00:00:43,970
It can be bypassed using a whitelist.

12
00:00:43,970 --> 00:00:47,190
Exactly the same issues as the blacklist.

13
00:00:47,240 --> 00:00:54,800
The best way to do it is to program your web application in a way that it does not allow code to be

14
00:00:54,800 --> 00:00:57,590
injected into it and then execute it.

15
00:00:58,190 --> 00:01:05,970
So the best way to do that is to do to use parameterize statement where the data and the code is separated.

16
00:01:06,170 --> 00:01:13,250
And the best way to show you what I mean by that is using an example I'm keeping the least amount of

17
00:01:13,250 --> 00:01:13,780
programming.

18
00:01:13,790 --> 00:01:16,690
In this example I don't want it to be a program and example.

19
00:01:16,700 --> 00:01:21,680
There's actually mistakes in the programming in there but I'm trying to give you the concept more than

20
00:01:21,680 --> 00:01:22,780
how to program it.

21
00:01:23,670 --> 00:01:29,700
So the vulnerable code that we were looking at used to do this so it used to do select star from accounts

22
00:01:29,700 --> 00:01:37,500
where username is equal to whatever we put in text box 1 and then we used to put in text box 1.

23
00:01:37,540 --> 00:01:38,690
Let's just put it here.

24
00:01:44,660 --> 00:01:57,390
We used to say as men and then close the code and then we're able to do a union select and execute something

25
00:01:57,390 --> 00:01:57,840
else.

26
00:01:57,990 --> 00:02:03,810
And then once we were done we used to add the comment which basically ignores everything that comes

27
00:02:03,810 --> 00:02:04,730
in after it.

28
00:02:04,770 --> 00:02:09,700
So when you copy this and you put it in here

29
00:02:12,440 --> 00:02:13,610
you'll see what's happening.

30
00:02:13,610 --> 00:02:15,130
So it's selection.

31
00:02:15,140 --> 00:02:20,860
Now let's just get rid of this because this is just making the cut is not nice and I'm actually going

32
00:02:20,860 --> 00:02:29,050
to just put a comment on this so it's going to do a select from accounts where user name is equal to

33
00:02:29,050 --> 00:02:33,460
Aardman Union select and execute whatever we want to do.

34
00:02:33,460 --> 00:02:36,240
This is very bad and it's very hard to protect against.

35
00:02:36,250 --> 00:02:42,170
As I said use filters and stuff all only highlight the problem will not fix it.

36
00:02:42,230 --> 00:02:46,790
The best way to do this is using the parameterize statements just like so.

37
00:02:46,790 --> 00:02:48,980
So this is the safe way to do it.

38
00:02:49,040 --> 00:02:53,810
First of all you prepare your statement most languages like BHB and all of them they actually have a

39
00:02:53,810 --> 00:03:01,580
function like that and you can prepare select starer from accounts where a user name is equal to a question

40
00:03:01,580 --> 00:03:06,860
mark and then you send the values.

41
00:03:06,860 --> 00:03:13,700
So ph we now knows the skill statement is select star from accounts where user name is equal to something

42
00:03:14,420 --> 00:03:17,580
and then it's got the value of text box 1.

43
00:03:17,600 --> 00:03:28,360
So even if we come in and we use our very sneaky statement right here and pasted in there the web application

44
00:03:28,360 --> 00:03:33,880
will know that the value for this is admen Union selects out alive.

45
00:03:33,880 --> 00:03:39,260
She try to go and select start from accounts where the user name username and then it actually it'll

46
00:03:39,310 --> 00:03:44,640
add its own quotes and they try to find a username with the following username.

47
00:03:44,650 --> 00:03:48,040
So this whole thing will be executed like so

48
00:03:54,890 --> 00:04:01,340
so it will be next from accounts where username is equal to as many union select this hashtag.

49
00:04:01,490 --> 00:04:09,710
So it'll never lever whatever you put in your text box will be sent as a value and the web application

50
00:04:09,710 --> 00:04:11,110
will know that this is a value.

51
00:04:11,120 --> 00:04:14,030
It's not a code and it'll never executed.

52
00:04:14,180 --> 00:04:18,350
Therefore this will protect you against Escurial injections.

53
00:04:18,830 --> 00:04:22,050
You can use the filters as a second line of defense.

54
00:04:22,160 --> 00:04:31,820
And I also advise that you use the least privileges possible so use for each database use one user with

55
00:04:31,820 --> 00:04:36,590
the least amount of privileges they want so don't allow the users to do anything that they won't allow

56
00:04:36,590 --> 00:04:37,000
them.

57
00:04:37,010 --> 00:04:43,040
If it's a simple website that only do the selection then only allow the user to select if it only needs

58
00:04:43,120 --> 00:04:46,380
to select and insert then only allow them to select an answer.

59
00:04:46,490 --> 00:04:49,370
And this is a rule you should keep with everything even within existence.

60
00:04:49,370 --> 00:04:53,410
Make sure the person with the permissions are always as these as possible.

61
00:04:53,420 --> 00:04:57,040
Each user don't have any extra permissions that they don't need.