[ OWASPTop10 ] - Injection Attacks Explained


Hey everybody, welcome back. I am the creator of TheSecurityByte and I am back with another web application attack lesson. Today we're going to talk about one of the most common OWASP Top 10 vulnerabilities: the number one entry on the list, which has held that position for many years, is injection attacks.

Injection attacks come in many forms, database injection being one of them, but the basics are much the same across all the different types. So I'm going to talk about how these attacks happen and some ways to guard against them.

All right, so let's say you have a user out on the internet who wants to access your web application. The user goes to www.victim.com and gets a login page asking for a username and password. The application is made of HTML, CSS, JavaScript and all the other components that go into a web app, but behind it there is also a database.

Our web application has a database, call it DB, that contains all kinds of data. There may be several databases, but let's say one of them stores all the usernames and all the passwords.

When the user types in their username and password and hits login, the page sends a request down to the database that says, in effect: here is the username and password I was given, find me the matching record among the stored usernames and passwords.

SQL 

To do that, the application uses a particular language to communicate with the database. Most of you probably already know the one we're talking about here, but if you don't, it is called SQL (Structured Query Language), and because it is so widely used, a lot of injection attacks focus on SQL injection.

Now let's get back to the user. In the login form the user enters a username and password and posts the form:

Username = admin, password = test

Some code then builds a SQL query from that input and runs it against the database, like this:

select * from users where username = 'admin' and password = 'test'

Then the result is checked:

  if count(query_result) == 0 then   // deny login
  else                               // let the user in

That looks perfectly logical, right? If someone posts a username and password that don't match any record in the users table, the login data are not valid and login is denied. Otherwise, logically speaking, the login data are considered valid and the user is let in.

Manipulating The SQL Query 

Well, it is not exactly right. See what happens when an attacker posts a crafted username in the form:

  • Username = admin' OR 1=1 --
  • password = test

The first single quote closes the string the application opened, and the comment sequence (--) makes the database ignore the remainder of the line. The query in the backend therefore resolves like this:

select * from users where username = 'admin' OR 1=1 --' and password = 'test'

Everything after -- is ignored, and since OR 1=1 is always TRUE, this query returns every row in the users table. The result is not empty, so the application logic lets the attacker in.
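The login flow described above, as an added example that is not code from the original post. It uses an in-memory SQLite database with a constructed two-row users table (the names, passwords and function names are assumptions for the example) and puts the concatenated query next to the parameterized one from the prevention list, so you can see the same crafted username bypass one and fail against the other:

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Build the query by string concatenation, the pattern the post describes.
    Whatever the user typed becomes part of the SQL text itself."""
    return ("select * from users where username = '" + username +
            "' and password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Run the concatenated query and return the number of matching rows.
    The application allows the login whenever this is non-zero."""
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows)


def login_parameterized(conn, username, password):
    """Same check using query parameters. The SQL text is fixed; the driver
    passes the two values separately, so a quote or a '--' inside them is
    just data and can never change the structure of the query."""
    query = "select * from users where username = ? and password = ?"
    rows = conn.execute(query, (username, password)).fetchall()
    return len(rows)


def decide(match_count):
    """The check from the post: deny when no record matched, otherwise allow."""
    return "deny" if match_count == 0 else "allow"


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 1=1 --"   # the crafted username from the post
    print(build_vulnerable_query(payload, "test"))
    print("vulnerable:   ", decide(login_vulnerable(db, payload, "test")))
    print("parameterized:", decide(login_parameterized(db, payload, "test")))
    print("real admin:   ", decide(login_parameterized(db, "admin", "s3cret")))
```

Running the script prints the resolved query from the post, then "allow" for the concatenated version (both rows match, because the WHERE clause is now just username = 'admin' OR 1=1) and "deny" for the parameterized version, where the whole crafted string is compared against the username column and matches nothing.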

What can you achieve by doing an SQL injection?

By doing an SQL injection you effectively own the site, since you can log in as the admin. You can delete, update or modify data, or even deface the website.

Basically, through SQL injection you can get the user details, and even the admin details such as username and password, and with those you control the site.

So, after gaining the password, you can log into the control panel or admin login page, get into the file manager, upload a shell and deface the website, edit details, or steal information such as the personal details held by a company. You can do anything you want, because now you are effectively the owner of the site :)

But always use this for good: inform the site's owner; maybe they will give you a great prize or a bounty. Be ethical!!

What are some methods used for preventing SQL injection?

This is a very common question from developers.

Keep all web application software components, including libraries, plug-ins, frameworks, web server software and database server software, up to date with the latest security patches available from vendors.

  • Use validation on both sides: server side as well as client side.
  • Use parameterized queries, like select * from table_name where username=? and password=?
  • Use PHP's htmlentities() function to prevent stored XSS.
  • Apply a WAF such as ModSecurity; it protects your website against some kinds of UNION and SELECT queries.
  • Use query parameters to keep dynamic input values separate from the SQL.
  • Escape dynamic input as you interpolate it into SQL strings.
  • Whitelist other values that can't be parameterized or escaped.
  • Monitor query logs to spot attempts at SQL injection promptly.
  • Use a query proxy that whitelists the queries your application runs.
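Two items in the list above are easy to state and less obvious to implement: whitelisting values that cannot be parameterized, and monitoring query logs. The following is an added example, not code from the original post. It assumes a user listing whose sort column is chosen by the client (column names cannot be bound as parameters, so the allowlist is the defence), an in-memory SQLite database with constructed rows, and a constructed query log; the regular expression is a deliberately simple heuristic and the function names are assumptions for the example:

```python
import re
import sqlite3

# Column names cannot be bound as query parameters, so the application keeps a
# fixed allowlist of identifiers and refuses anything else outright.
ALLOWED_SORT_COLUMNS = ("username", "created_at")

# Constructed sample rows for the example (not from the original post).
SAMPLE_USERS = [("bob", "2024-01-10"), ("alice", "2024-01-15")]


def make_db():
    """In-memory SQLite database with a users table for the listing query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def sort_column_allowed(value):
    """True only for an exact, case-sensitive match against the allowlist."""
    return value in ALLOWED_SORT_COLUMNS


def build_listing_query(sort_column):
    """Return a SELECT whose ORDER BY column comes only from the allowlist.
    Any other value raises instead of being spliced into the SQL text."""
    if not sort_column_allowed(sort_column):
        raise ValueError("sort column not allowed: %r" % (sort_column,))
    return "select username, created_at from users order by " + sort_column


def list_users(conn, sort_column):
    """Run the allowlisted listing query and return the usernames in order."""
    rows = conn.execute(build_listing_query(sort_column)).fetchall()
    return [row[0] for row in rows]


# Heuristic markers of injection attempts in query logs: a closing quote
# followed by OR, a 1=1 tautology, a comment sequence, or UNION ... SELECT.
# Legitimate values can contain these too, so treat hits as leads, not proof.
SUSPICIOUS = re.compile(
    r"'\s*or\s|\b1\s*=\s*1\b|--|/\*|\bunion\b.*\bselect\b", re.IGNORECASE)


def flag_suspicious_queries(log_lines):
    """Return the log lines that match one of the injection markers."""
    return [line for line in log_lines if SUSPICIOUS.search(line)]


# Constructed sample query log (not real traffic, not from the original post).
SAMPLE_LOG = [
    "10:00:00 select * from users where username = 'alice' and password = 'hunter2'",
    "10:00:05 select * from users where username = 'admin' OR 1=1 --' and password = 'test'",
    "10:00:09 select * from users where username = 'bob' and password = 'pw'",
    "10:00:12 select * from users where username = '' union select 1,2 --' and password = 'x'",
]


if __name__ == "__main__":
    db = make_db()
    print(list_users(db, "username"))
    print(list_users(db, "created_at"))
    try:
        build_listing_query("username; drop table users")
    except ValueError as err:
        print("rejected:", err)
    for line in flag_suspicious_queries(SAMPLE_LOG):
        print("suspicious:", line)
```

The allowlist check compares the whole value, not a prefix or a pattern, which is why "username; drop table users" is rejected before any SQL is built. The log scanner flags the two constructed lines carrying a quote-plus-OR and a UNION SELECT, and leaves the two ordinary logins alone; in a real deployment you would feed it the database's query log or the application's own query logging and alert on the hits.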

It all comes down to a lack of understanding of how SQLi vulnerabilities work. Web developers tend to think that database queries come from a trusted source, namely the database server itself, when in fact the query text is built from whatever the user submitted. Still, the measures above are not enough on their own: a skilled attacker can find ways around this kind of protection.

So this is a very common attack method, injecting into a vulnerable database, and it happens all the time out there. Injection attacks are a huge thing; they have been the number one vulnerability on the OWASP Top Ten for many, many years, and they are still a big deal and still used all the time. So be careful out there, build your web app properly, and let's be safe on the internet today.
