Josh-CO Dev

Solving the worlds problems one line of code at a time.


Leave a comment

Tools – SQLMAP

I decided to start sharing some of the tools that I use on a daily basis to perform my job, and one of my favorites is SQLMAP. SQLMAP is a command-line tool that is used for automatic SQL injection and database take over. It is built in python so it is available for any operating system that can run python.

The tool itself will support MySQL, Oracle, Microsoft SQL Server, MS Access, SQLite, and a few other database systems. Basically, if an application is important enough to have a database, SQLMAP can attack it. The tool can hit a url, a direct connection to the database, log files (such as Burp), config files, and many others. There are options to support proxies, cookies, specify injection points, etc. For a full list of options a switches consult the user manual.

It is also a great tool to use for demos. Quite often, I am invited to management level meetings to talk about application security and why it is so important. Like many things in information security, nothing is quite as convincing as giving a live demo.

If you would like to learn more about the product, go check it out at http://sqlmap.org/ or the github project at https://github.com/sqlmapproject/sqlmap.

Please note that using this tool against any database that you do not own would generally be considered illegal. Please use at your own risk. There are several platforms that you can download to test a tool like SQLMAP in your own environment, such as SQLOL or DVWA but we will leave that discussion for a later time.


Leave a comment

Another basic way to defend against XSS attacks

Another mediocre way to defend against XSS attacks is to encode or “escape” any input before allowing it to be handled by the interpreter. Here is a basic example of how to handle this in JavaScript. Use the same html as our previous example, then just paste this functions into your scripts.js file and rename the submit button to correspond to the event handler.

    $("#btnSubmit3").click(function () {

        var htmlToRender = "Welcome to our site " + escape($("#inputName").val());

        $("#Content").html(htmlToRender);
    });

This will strip out any special character so that they are not handled by the interpreter. In the below example, I tried to enter the following code:

<script>alert('a')</script>Josh

And this was the result

%3Cscript%3Ealert%28%27a%27%29%3C/script%3EJosh

Before, we saw that this actually caused an alert box to pop up on the screen. Making this one simple change allowed the statement to be ignored altogether.

Much like our previous defense example, this will not give you defense in depth, but it will give you a basic level of security that you may have never even thought you needed.