d2jsp Forums > Off-Topic > Computers & IT > Programming & Development > Has Anybody Done Lampsec Ctf's? > Sanitizing Inputs
Member
Posts: 18,969
Joined: Aug 16 2007
Gold: 16,089.87
Oct 2 2014 02:07pm
Not sure if I can even ask about this type of stuff but...

Just wondering if anybody has done the Lampsec CTF (Capture the flag) 4-9, we're working on it as a group project in class and we're trying to sanitize the input on each machine and fix them from the vulnerable attacks. (After doing them of course before)

I'm wondering how you guys would fix the sql injections - don't answer if this is gonna get me in trouble, but basically sanitizing input from future attacks and keeping the others out from using such attacks. (CTF only - their systems)

Thanks,
Trev

Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Oct 2 2014 05:50pm
Quote (Trev @ Oct 2 2014 04:07pm)
Not sure if I can even ask about this type of stuff but...

Just wondering if anybody has done the Lampsec CTF (Capture the flag) 4-9, we're working on it as a group project in class and we're trying to sanitize the input on each machine and fix them from the vulnerable attacks. (After doing them of course before)

I'm wondering how you guys would fix the sql injections - don't answer if this is gonna get me in trouble, but basically sanitizing input from future attacks and keeping the others out from using such attacks. (CTF only - their systems)

Thanks,
Trev


To sanitize sql injection switch to a prepared-statements base like PDO. This will stop sql injections because it runs a prepared statement to get the results and then applies user-inputted data to filter the returned results. This causes user data to never come in contact with mysql.

If you are talking about sanitizing input from other languages and projects like say a custom webserver or something, then there is an entire list of things to check and remove, from single quotes to dashes to inline comments, sql queries, basically anything that should not be there. For example if the page requests a GET parameter of ID=3, then it should expect an integer and not something like "3 AND ASCII(SUBSTRING((SELECT user FROM userbase limit 1,1) FROM 1 FOR 1)) > 60"

If this is for a specific application you might want to disclose the source or something because there are too many ways to try to patch code, some simpler than others.

This post was edited by AbDuCt on Oct 2 2014 05:53pm
Member
Posts: 18,969
Joined: Aug 16 2007
Gold: 16,089.87
Oct 2 2014 06:05pm
Quote (AbDuCt @ Oct 2 2014 06:50pm)
To sanitize sql injection switch to a prepared-statements base like PDO. This will stop sql injections because it runs a prepared statement to get the results and then applies user-inputted data to filter the returned results. This causes user data to never come in contact with mysql.

If you are talking about sanitizing input from other languages and projects like say a custom webserver or something, then there is an entire list of things to check and remove, from single quotes to dashes to inline comments, sql queries, basically anything that should not be there. For example if the page requests a GET parameter of ID=3, then it should expect an integer and not something like "3 AND ASCII(SUBSTRING((SELECT user FROM userbase limit 1,1) FROM 1 FOR 1)) > 60"

If this is for a specific application you might want to disclose the source or something because there are too many ways to try to patch code, some simpler than others.


Okay sweet, the first idea kinda fills what we're doing! I'll do some more researching on what you said and what we're trying to do, bringing the ideas to class on Tuesday, so I just want to have a handle on things before we try to implement anything.

Thanks a bunch! I may have some more questions after I look some more
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Oct 2 2014 06:45pm
Quote (Trev @ Oct 2 2014 08:05pm)
Okay sweet, the first idea kinda fills what we're doing! I'll do some more researching on what you said and what we're trying to do, bringing the ideas to class on Tuesday, so I just want to have a handle on things before we try to implement anything.

Thanks a bunch! I may have some more questions after I look some more


If this is for a class I would recommend a prepared statement solution such as MYSQL PDO. Rolling your own protection scheme (such as sanitizing the input by hand) is a waste of time and likely to fail, while using a popular proven solution is much better.


You can find the php PDO manual here: http://php.net/manual/en/ref.pdo-mysql.php

And a quick definition of what it does, from http://en.wikipedia.org/wiki/Prepared_statement:

In database management systems, a prepared statement or parameterized statement is a feature used to execute the same or similar database statements repeatedly with high efficiency. Typically used with SQL statements such as queries or updates, the prepared statement takes the form of a template into which certain constant values are substituted during each execution.

This post was edited by AbDuCt on Oct 2 2014 06:49pm
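Added example (not code from the thread or from the Lampsec CTF images) showing what AbDuCt's two replies recommend: the string-built query that is open to injection, the same lookup as a PDO prepared statement, and the integer check for an "id" GET parameter on top of it. It uses PDO with an in-memory SQLite database so it runs offline; with the MySQL driver the DSN changes to "mysql:host=...;dbname=..." and the rest stays the same. The table, rows and the request value are constructed for the example.

```php
<?php
// Constructed sample database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'flag-alice'), (2, 'bob', 'flag-bob')");

// Constructed request value: what a tampered "?id=" parameter could carry.
$input = "1 OR 1=1";

// 1) Vulnerable: the raw parameter is pasted into the SQL text, so the
//    database parses user-supplied text as part of the query itself.
function lookupVulnerable(PDO $pdo, string $id): array {
    $sql = "SELECT name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2) Prepared statement: the query template is sent first and the value is
//    bound separately, so the value can never change the query's structure.
function lookupPrepared(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3) Prepared statement plus type validation: an id must be a positive
//    integer, so anything else is rejected before it reaches the database.
//    (Binding "1 OR 1=1" as a string is safe, but MySQL would still cast it
//    to 1 with a warning and match row 1; the integer check removes that.)
function lookupValidated(PDO $pdo, string $id): ?array {
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        return null; // caller should answer 400 Bad Request and log the attempt
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupVulnerable($pdo, $input)); // every row comes back
var_dump(lookupPrepared($pdo, $input));   // compared as a plain value, no row matches
var_dump(lookupValidated($pdo, $input));  // rejected before any query runs
var_dump(lookupValidated($pdo, "2"));     // normal lookup of a valid id
```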
Member
Posts: 18,969
Joined: Aug 16 2007
Gold: 16,089.87
Oct 2 2014 10:01pm
Quote (AbDuCt @ Oct 2 2014 07:45pm)
If this is for a class I would recommend a prepared statement solution such as MYSQL PDO. Rolling your own protection scheme (such as sanitizing the input by hand) is a waste of time and likely to fail, while using a popular proven solution is much better.


You can find the php PDO manual here: http://php.net/manual/en/ref.pdo-mysql.php

And a quick definition of what it does, from http://en.wikipedia.org/wiki/Prepared_statement:

In database management systems, a prepared statement or parameterized statement is a feature used to execute the same or similar database statements repeatedly with high efficiency. Typically used with SQL statements such as queries or updates, the prepared statement takes the form of a template into which certain constant values are substituted during each execution.


Okay sweet, I'll check it out! :)