Friday, December 21, 2012

Injection Attacks

Investigation Document: Injection Attacks

1          Introduction

1.1  What Is an Injection Attack

An injection attack is a type of security exploit in which the attacker adds code to a Web form input box to gain access to resources or make changes to data. The injected input is a request for some action to be performed on a database or in code. Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided, those values are inserted into a query. If the values entered are found as expected, the user is allowed access; if they aren't found, access is denied.

1.2 Types of Injection Attacks

Weak input validation is a common vulnerability that could allow your application to be exploited by a number of injection attacks. The following are common types of attacks that exploit weak or missing input validation:
·         SQL Injection Attacks
·         Cross Site Scripting (XSS)
·         URL Rewriting/Tampering

2          SQL Injection Attacks

2.1  Introduction

“This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.”
SQL injection attacks are critical because an attacker can obtain vital information from the server database. To find SQL injection entry points in your web application, locate the places in your code base where SQL queries built directly from user input are executed against the database.
If user input is used to build the SQL queries that query the database, an attacker can inject SQL statements, or parts of SQL statements, as user input to extract vital information from the database. Even if the attacker only manages to crash the application, the SQL query error shown in the browser can give the attacker the information they are looking for. Special characters in user input should be handled/escaped properly in such cases.
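
The login check described above, written both ways, as an added example that is not part of the original post. It assumes an in-memory SQLite database with a constructed users table; the function names are hypothetical, and the test strings come from the list in section 2.2.

```python
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the application's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: user input becomes part of the SQL text itself.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # Log the detail server-side; never echo the SQL error to the browser.
        return False

def login_parameterized(db, username, password):
    # Hardened pattern: placeholders keep input as data, never as SQL syntax.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def compare(attack_strings):
    # Submit each string in both form fields and record (concatenated, parameterized).
    db = make_db()
    return {s: (login_concatenated(db, s, s), login_parameterized(db, s, s))
            for s in attack_strings}

# Strings taken from the list in section 2.2 of this page.
PAGE_STRINGS = ["1' OR '1'='1", "' OR username IS NOT NULL OR username = '"]

if __name__ == "__main__":
    for s, (concat, param) in compare(PAGE_STRINGS).items():
        print(f"{s!r}: concatenated={concat} parameterized={param}")
```

The concatenated version accepts both strings as a valid login, while the parameterized version treats them as ordinary (wrong) credentials.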

2.2  Examples of SQL Injection Attacks

The following are some examples of SQL injection attack strings:

Attack String
1 OR 1=1
1' OR '1'='1
1 AND 1=1
1' AND 1=(SELECT COUNT(*) FROM tablenames); --
1 AND USER_NAME() = 'dbo'
'; DESC users; --
1' AND non_existant_table = '1
' OR username IS NOT NULL OR username = '
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

3          Cross Site Scripting (XSS) Attacks

3.1 Introduction

When a user inserts HTML or client-side script through the user interface of a web application and this insertion is visible to other users, it is called XSS.
The tester should additionally check the web application for XSS (cross-site scripting). Any HTML, e.g. <HTML>, or any script, e.g. <SCRIPT>, should not be accepted by the application. If it is, the application can be prone to a cross-site scripting attack.
An attacker can use this method to execute a malicious script or URL in the victim’s browser. Using cross-site scripting, an attacker can use scripts such as JavaScript to steal user cookies and the information stored in them.
Many web applications collect user information and pass it between pages in variables.
An attacker can easily pass malicious input or a <script> as a ‘&query’ parameter, which can expose important user/server data in the browser.
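
A check for the reflected-parameter case described above, as an added example that is not part of the original post. It assumes a hypothetical results page that echoes the query parameter into the HTML body, and it uses a parser to see whether the input changed the page's tag structure; the test strings come from the list in section 3.2.

```python
import html
from html.parser import HTMLParser

class TagCollector(HTMLParser):
    """Records every start tag a parser recognises in a page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

# Hypothetical page template that reflects the query parameter.
TEMPLATE = "<html><body><p>Results for: {}</p></body></html>"

def render_raw(query):
    # Vulnerable pattern: the parameter is written into the page as-is.
    return TEMPLATE.format(query)

def render_encoded(query):
    # Hardened pattern: encode &, <, >, " and ' before writing into HTML.
    return TEMPLATE.format(html.escape(query, quote=True))

def tags_in(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags

# Tags the template produces for harmless input (constructed sample value).
BASELINE = tags_in(render_raw("shoes"))

def input_became_markup(render, query):
    # True when user input altered the page's tag structure.
    return tags_in(render(query)) != BASELINE

# Strings taken from the list in section 3.2 of this page.
PAGE_STRINGS = [
    '<BODY BACKGROUND="javascript:document.vulnerable=true;">',
    '<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>',
    '<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->',
]

if __name__ == "__main__":
    for s in PAGE_STRINGS:
        print(input_became_markup(render_raw, s), input_became_markup(render_encoded, s))
```

This covers the HTML body context only; values written into attributes, URLs or inline script need encoding appropriate to that context.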

3.2 Examples of XSS Attacks

The following are some examples of XSS attack strings:

Attack String
 <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
 <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
 <IMG SRC="jav ascript:document.vulnerable=true;">
 <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
 <iframe src="javascript:document.vulnerable=true; <
 <BODY BACKGROUND="javascript:document.vulnerable=true;">
 <BGSOUND SRC="javascript:document.vulnerable=true;">
 <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>
 <xml src="javascript:document.vulnerable=true;">
 <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->

4          URL Manipulation/Tampering Attacks

4.1 Introduction

URL manipulation, also called URL rewriting, is the process of altering the parameters in a URL (Uniform Resource Locator). Changing some information in the URL may sometimes lead to unintended behavior by the server.
The tester should check if the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.
With an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed in this GET request in order to obtain the required information or to corrupt the data. In such conditions, any unusual behavior by the application or web server is the doorway for the attacker to get into the application.

4.2 URL Manipulation

By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages he is not supposed to have access to.
On dynamic websites, parameters are mostly passed via the URL as follows:
The data present in the URL are automatically created by the site and when navigating normally, a user simply clicks on the links proposed by the website. If a user manually modifies the parameter, he can try different values, for example:
The hacker may potentially obtain access to an area that is usually protected.
In addition, the hacker can get the site to process an unexpected case, for example:
In the above example, if the site's designer has not anticipated the case where the data is not a number, the site may enter an unexpected state and reveal information in an error message.
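
One way to handle a tampered URL parameter on the server, as an added example that is not part of the original post. The /order?id=N page, the host name, the ownership table and the function name are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed data: which user owns which order (stands in for the database).
ORDER_OWNER = {1001: "alice", 1002: "bob"}

def handle_order_request(url, session_user):
    """Return (status, body) for a GET to a hypothetical /order?id=N page."""
    values = parse_qs(urlsplit(url).query).get("id", [])
    # Exactly one id, ASCII digits only, bounded length. Anything else gets a
    # generic message, not a stack trace or database error.
    if len(values) != 1:
        return 400, "Bad request"
    raw = values[0]
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        return 400, "Bad request"
    order_id = int(raw)
    owner = ORDER_OWNER.get(order_id)
    # Authorization comes from the server-side session, never from the URL.
    # Unknown and foreign orders get the same answer, so a user changing the
    # number by hand learns nothing about which ids exist.
    if owner is None or owner != session_user:
        return 404, "Not found"
    return 200, f"Order {order_id} for {owner}"

if __name__ == "__main__":
    # Constructed sample requests, all made by the logged-in user "alice".
    for query in ["id=1001", "id=1002", "id=abc", "id=123%20OR%201=1"]:
        url = "http://shop.example/order?" + query
        print(query, handle_order_request(url, "alice"))
```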

4.3 SQL Injection Attacks in URL

An attacker may abuse the fact that the UserID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the ProductID variable to the value "123 OR 1=1" results in the following URL:
In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE ECF.PERMISSION", which may cause SQL Server to delete the entire table.

4.4 XSS Attacks in URL

Adding text inside an <HTML> tag to the URL can crash the application. Below is the example:

5          Tools

5.1 Introduction

Exploit-Me is a suite of Firefox add-ons for web application security testing, designed to be lightweight and easy to use. It includes:
·         SQL Inject-Me
·         XSS-Me
Exploit-Me can be downloaded from the following URL:
§  SQL Inject-Me: SQL injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL injection vulnerabilities. SQL Inject-Me can easily be downloaded as an add-on for Mozilla Firefox. After installation it can be found in the Tools tab, as shown below:
Clicking Open SQL Inject Me Sidebar opens the SQL injection tool list in the left sidebar, as shown below:
§  XSS-Me: Cross-Site Scripting (XSS) is a common flaw found in web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.
XSS-Me can easily be downloaded as an add-on for Mozilla Firefox. After installation it can be found in the Tools tab, as shown below:

Clicking Open XSS Me Sidebar opens the XSS tool list in the left sidebar, as shown below:

5.2 Functioning of tool

Step 1: Open the application in Mozilla Firefox, then open the SQL Inject-Me tool from the Tools menu, as shown below:

In the sidebar, each tab represents a form on the page and lists all of its fields. In this example it displays Username, Password and the Login button:

Step 2: To insert a SQL injection query into a text box field (Username or Password), select the option from the left navigation.
1.       For example, to insert a SQL injection query into the Username text field, select the checkbox and choose a SQL query from the ‘txtLogin’ drop-down. The selected SQL query is displayed in the “Username” textbox of the application, as shown below; here we are selecting the query “1' OR '1'='1”.
Now click the Login button in the application and check the result. In the same way, we can select different SQL queries from the drop-down and check the results.
2.       For example, we select the query “&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49” from the drop-down and click Login.
Result: The following error appears:

Step 3: To execute several queries at once and check the results with the tool, select the checkboxes in the left navigation and click the “Execute” button. The tool displays the results. The user can also select the “Test all form with all attacks” option, which executes all selected queries on all forms of the application.

The results are displayed as follows. Errors are displayed in red, and queries that execute successfully are displayed in green.

5.3 How to Customize Queries in the Tool Library

Step 1: Go to the “Tool” menu, select SQL Inject-Me, and then go to Options.

Step 2: A pop-up window opens from which the user can “Add” or “Remove” SQL queries.
