This lecture considers how attacker-supplied commands might be executed by a vulnerable application, and examines the particular issue of SQL injection. It then frames these issues as input validation problems, and considers a specific case study: that of URL validation.

This exploration of URL validation looks at how homograph attacks can fool users into accepting invalid URLs, how browsers can be tricked into hiding malicious URLs, and how URLs can be abused to mount directory traversal attacks against web servers.

• Lecture video
• Slides (PDF)
• Code examples
• Exercises:
  • Basic SQL Injection
  • Advanced SQL Injection
  • Homograph Attacks
• Other resources:
  • Howard, LeBlanc & Viega, 24 Deadly Sins of Software Security (Chapters 1 & 10)
  • sqlmap, an SQL injection tool
  • Gabrilovich & Gontmakher, The Homograph Attack, Comm. ACM 45(2), February 2002
  • Creative usernames and Spotify account hijacking, a homograph attack from 2013
  • Lloyds Bank homographic phishing example
  • Mailsploit: null injection in email headers, etc (2017)
  • Obfuscation of URLs scanned from QR codes in iOS 11 (2018)