## Week 13: Web Security

### SQL Injection
SQL Injection is commonly known as SQLi. SQL Injection is an attack that targets the server and its database. The goal is to manipulate the database's logic. These are commonly server-side attacks.

A SQLi attack occurs when an attacker can interfere with the queries that an application makes to its database. This interference allows the attacker to view, modify, or delete data they are not authorized to access.

- Vulnerability: The application constructs a SQL query by concatenating (stitching together) user input directly into the query string, without properly validating or sanitizing that input.
- The Attack: The attacker introduces a special character (most commonly a single quote ') into a form field (like a username or search box) to break out of the intended query string and inject their own SQL commands.

The mechanics of SQL Injection (SQLi) involve tricking the server-side application into running an unintended SQL command against its database.

- Target: The application's back-end code and the database.

- Mechanism: The attacker inserts malicious input into a web form (like a login or search bar) that tricks the application into executing an unintended SQL command. This is possible when user input is concatenated directly into a SQL query string without proper sanitization.

- Impact: The attacker can steal, modify, or delete sensitive data from the database, bypass authentication (log in without a password), or even gain control over the database server.

- Analogy: It's like a user writing an instruction inside an envelope you're addressing to the bank, and the bank teller (the server) blindly executes the instruction because it thinks it's part of the address.

Key Example: Entering ' OR 1=1 -- into a username field to bypass a login.

Example: 

`query = "SELECT * FROM users WHERE username = '" + user_input + "' AND password = '" + pass_input + "'"`

If the attacker enters the following into the username field: ' OR 1=1 --

The resulting executed database query becomes:

`SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '...'`

- The ' closes the opening quote for the username value.
    - Using special characters (like ' and --) to escape the input field's boundaries and inject code into the SQL query string.

- OR 1=1 is a condition that is always True.
    - Injecting an always-true condition (e.g., OR 1=1) to bypass a login check.

- -- is a comment marker in SQL, which causes the rest of the original query (including the need for a correct password) to be ignored.
    - Using -- (or # in some databases) to nullify the rest of the original query, including the password check.

**Result**: The application authenticates the attacker as the first user found in the database (often an admin) because the WHERE clause evaluates to TRUE.

### Cross-Site Scripting (XSS)

Cross-Site Scripting is an attack that targets the end-user's browser, not the server itself. Commonly client-side attacks

The goal is to inject malicious client-side script (typically JavaScript) into a web application, often targeting other users (victims) of the application, not the server itself.

The web application fails to properly sanitize user input before rendering it in a web page. The browser then trusts and executes the injected script.

The malicious script runs with the victim's privileges on the site. This allows the attacker to steal the victim's session cookies, redirect the user, or even hijack the session.


|Type| How it Works | Example of Vulnerable Input|
|:--|:--|:--|
|Stored XSS (Most dangerous)|"Malicious script is permanently stored in the application's database (e.g., in a comment or profile field) and served to all users who view that page."|A comment field that stores: `<script>alert(document.cookie)</script>` |
|Reflected XSS|"Malicious script is part of a URL (e.g., in a search parameter) and is reflected back to the user's browser, but is not stored permanently."| A search field that reflects the search term back to the user's page.|


- Target: The browser of the unsuspecting user (the victim).

- Mechanism: The attacker injects malicious client-side script (typically JavaScript) into a web page. When the victim's browser loads that page, it executes the malicious script because it trusts the content coming from the website. This happens when the application fails to validate or encode user input before rendering it on the page.

- Impact: The malicious script runs with the victim's permissions for that site. This allows the attacker to steal the victim's session cookies (which can be used to hijack their session), redirect them to malicious sites, or capture keystrokes.

- Analogy: It's like leaving a dangerous piece of code (the script) on a public whiteboard (the web page). When a user reads the whiteboard, their brain (the browser) automatically executes the dangerous instruction.

Key Example: A user posts a comment that contains `<script>alert(document.cookie)</script>`. When another user views that comment, their browser pops up an alert box showing their session cookie.

XSS is a vulnerability that allows an attacker to inject malicious scripts into a web page viewed by another user. Consequently, they bypass the Same-Origin Policy (SOP)

 SOP is a security mechanism implemented in modern web browsers to prevent a malicious script on one web page from obtaining access to sensitive data on another page. SOP defines origin based on the protocol, hostname, and port. Consequently, a malicious ad cannot access data or manipulate the page or its functionality on another origin, such as an online shop or bank page. XSS dodges SOP as it is executing from the same origin.

Three main types of XSS:
- Reflected XSS: This attack relies on the user-controlled input reflected to the user. For instance, if you search for a particular term and the resulting page displays the term you searched for (reflected), the attacker would try to embed a malicious script within the search term.
- Stored XSS: This attack relies on the user input stored in the websiteâ€™s database. For example, if users can write product reviews that are saved in a database (stored) and being displayed to other users, the attacker would try to insert a malicious script in their review so that it gets executed in the browsers of other users.
- DOM-based XSS: This attack exploits vulnerabilities within the Document Object Model (DOM) to manipulate existing page elements without needing to be reflected or stored on the server. This vulnerability is the least common among the three.

| Feature | SQL Injection (SQLi) | Cross-Site Scripting (XSS) |
|:---|:---|:---|
|Location of Exploit | Server/Database | Client/Victim's Browser | 
|Language Used | SQL commands | JavaScript (typically) | 
|Who is Targeted | The Application and its Data | The End User (Victim) |

---

Reflection:

How is a machine learning model being "fooled" by a malicious input similar to how a SQL Injection attack "tricks" a database?
