
CT310

Recitation 17 - Cross Site Scripting and SQL Injections

In this recitation, we will cover:


Cross Site Scripting (XSS): a vulnerability within a website that allows an attacker to run JavaScript code in the browser of anyone who views the page

An attacker can plant the code once so that everyone who visits the site runs the JS

The Samy Worm, by Samy Kamkar (wiki page)

XSS 'Game'
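The XSS game above is about the same thing as the following added example, which is not from the recitation or from Fuel: a page that stores user comments and renders them. The first rendering function concatenates the raw text into the HTML, so a stored script tag runs for every visitor (the Samy pattern); the second HTML-escapes every user-controlled value before it reaches the page. The comment strings are constructed for the demo.

```python
import html

# Constructed sample comments. The first one is the shape of a stored-XSS
# payload: script that would execute in the browser of every visitor who
# loads the comment list. The second is benign but contains a "<".
STORED_COMMENTS = [
    "<script>document.title = 'pwned'</script>",  # constructed hostile input
    "Nice post! 5/5 <3",                           # constructed benign input
]


def render_comments_unsafe(comments):
    """Vulnerable: user text is concatenated into the HTML untouched."""
    return "\n".join(f"<li>{c}</li>" for c in comments)


def render_comments_safe(comments):
    """Hardened: every user-controlled value is HTML-escaped for the body
    context. quote=True also escapes " and ', so the same call is safe
    when the value lands inside a quoted attribute."""
    return "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def render_profile_link_safe(display_name):
    """Attribute context: a name like  " onmouseover="...  cannot close the
    title attribute once the quotes are escaped."""
    return f'<a href="/profile" title="{html.escape(display_name, quote=True)}">profile</a>'


def contains_live_script(page):
    """Crude defender-side check: does a raw <script tag survive into the
    rendered page? Escaped text contains &lt;script, never <script."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe page has live script:", contains_live_script(render_comments_unsafe(STORED_COMMENTS)))
    print("safe page has live script:  ", contains_live_script(render_comments_safe(STORED_COMMENTS)))
    print(render_comments_safe(STORED_COMMENTS))
```

html.escape covers the HTML body and quoted-attribute contexts shown here; a value written into a JavaScript string, a URL, or an inline event handler needs the encoding for that context instead, which is why frameworks such as Fuel expose more than one cleaning method.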

SQL Injection (SQLi): SQL code submitted as user input and executed by the database

Commonly utilizes 'always true' statements, e.g.:

'OR 1=1; -- [malicious SQL code]

'OR 1=1; -- DROP TABLE

Code Curmudgeon's SQLi Hall of Shame

SQLi 'Game'

Most attacks have a single point of entry, user input, so SANITIZE YOUR USER INPUT

Never trust the user to use your site correctly

Fuel (FuelPHP) escapes many tags and SQL code automatically, but it doesn't hurt to use the Security class for cleaning direct user input!

Security Class - General Docs

Security Class - Usage Docs