Friday, December 21, 2012

Injection Attack is a type of security exploit in which the attacker adds a code to a Web form input box to gain access to resources or make changes to data. It is a request for some action to be performed on a database or in code. Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a query. If the values entered are found as expected, the user is allowed access; if they aren't found, access is denied.

1.2 Types of Injection Attacks

Weak input validation is a common vulnerability that could allow your application to be exploited by a number of injection attacks. The following are common types of attacks that exploit weak or missing input validation:

· SQL Injection Attacks

· Cross Site Scripting (XSS)

· URL Rewriting/Tempering

2 SQL Injection Attacks

2.1 Introduction

“This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server”.

SQL injection attacks are very critical as attacker can get vital information from server database. To check SQL injection entry points into your web application, find out code from your code base where direct SQL queries are executed on database by accepting some user inputs.

If user input data is crafted in SQL queries to query the database, attacker can inject SQL statements or part of SQL statements as user inputs to extract vital information from database. Even if attacker is successful to crash the application, from the SQL query error shown on browser, attacker can get the information they are looking for. Special characters from user inputs should be handled/escaped properly in such cases.

2.2 Examples of SQL Injection Attacks

Followings are the some examples of SQL Injection Attacks:

Attack String

1 OR 1=1

1' OR '1'='1

1'1

1 EXEC XP_

1 AND 1=1

1' AND 1=(SELECT COUNT(*) FROM tablenames); --

1 AND USER_NAME() = 'dbo'

'; DESC users; --

1'1

1' AND non_existant_table = '1

' OR username IS NOT NULL OR username = '

1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

1 UNI/**/ON SELECT ALL FROM WHERE

%31%27%20%4F%52%20%27%31%27%3D%27%31

1' OR '1'='1

&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49

3 Cross Site Scripting (XSS) Attacks

3.1 Introduction

When a user inserts HTML/ client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS.

The tester should additionally check the web application for XSS (Cross site scripting). Any HTML e.g. <HTML> or any script e.g. <SCRIPT> should not be accepted by the application. If it is, the application can be prone to an attack by Cross Site Scripting.

Attacker can use this method to execute malicious script or URL on victim’s browser. Using cross-site scripting, attacker can use scripts like JavaScript to steal user cookies and information stored in the cookies.

Many web applications get some user information and pass this information in some variables from different pages.

E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz

Attacker can easily pass some malicious input or <script> as a ‘&query’ parameter which can explore important user/server data on browser.

3.2 Examples of XSS Attacks

Followings are the some examples of XSS Attacks:

Attack String

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">

<SCRIPT>document.vulnerable=true;</SCRIPT>

<<SCRIPT>document.vulnerable=true;//<</SCRIPT>

</TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>

¼script¾document.vulnerable=true;¼/script¾

<![CDATA[</script>

[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>

<script>document.vulnerable=true;</script>

4 URL Manipulation/Tempering Attacks

4.1 Introduction

URL manipulation, also called URL rewriting, is the process of altering the parameters in a URL (Uniform Resource Locator). Changing some information in the URL may sometimes lead to unintended behavior by the server.

The tester should check if the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.

Via HTTP GET request user information is passed to server for authentication or fetching data. Attacker can manipulate every input variable passed from this GET request to server in order to get the required information or to corrupt the data. In such conditions any unusual behavior by application or web server is the doorway for the attacker to get into the application.

4.2 URL Manipulation

By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages he is not supposed to have access to.

On dynamic websites, parameters are mostly passed via the URL as follows:

http://target/forum/?cat=2

The data present in the URL are automatically created by the site and when navigating normally, a user simply clicks on the links proposed by the website. If a user manually modifies the parameter, he can try different values, for example:

http://target/forum/?cat=6

The hacker may potentially obtain access to an area that is usually protected.

In addition, the hacker can get the site to process an unexpected case, for example:

http://target/forum/?cat=***********

In the above example, if the site's designer has not anticipated the case where the data is not a number, the site may enter an unexpected state and reveal information in an error message.

4.3 SQL Injection Attacks in URL

An attacker may abuse the fact that the UserID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL:

http://bwin5074:81/Portal/PortalMain/Default.aspx?Forms=1&tz=330&ln=en&lnf=en-US&sid=123 or 1=1

In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE ECF.PERMISSION " which may causes SQL Server to delete the entire table.

http://bwin5074:81/Portal/PortalMain/Default.aspx?Forms=1;DROP+TABLE+ECF.PERMISSION

4.4 XSS Attacks in URL

By adding some text in <HTML> tag in URL application crashes. Below is the example:

http://bwin5074:81/Portal/FormsLogin/Default.aspx?forms=<script>&tz=330&ln=en&lnf=en-US

5 Tools

5.1 Introduction

Exploit-Me is a suite (add-ons) of Firefox web application security testing tools designed to be lightweight and easy to use. It includes:

· SQL Inject-Me

· XSS-Me

Exploit-Me can be downloaded from following URL: http://labs.securitycompass.com/index.php/exploit-me/

§ SQL Inject-Me: SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities. SQL Inject-Me can easily be download as Add-ons in Mozilla Firefox. After installation it can be viewed in Tools tab as shown below:

When we click upon Open SQL Inject Me sidebar, it will open the SQL Injection tool list in left side bar. As shown below:

§ XSS-Me: Cross-Site Scripting (XSS) is a common flaw found web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

XSS-Me can easily be download as Add-ons in Mozilla Firefox. After installation it can be viewed in Tools tab as shown below:

When we click upon Open XSS Me sidebar, it will open the XSS tool list in left side bar. As shown below:

5.2 Functioning of tool

Step 1: Open the application in Mozilla Firefox. Now from Tools open the SQL Injection-Me tool. As shown below:

On Sidebar, each tab represents a form on the page and lists all the fields. For example it is displaying, Username, Password and Login button:

Step 2: If we want to insert any SQL Query Injection in any text box fields (Username or Password) we can select the option from left navigation.

1. For example if we want to insert SQL Query Injection for Username text field. Select the checkbox and click SQL query from ‘txtLogin’ drop down. It will display selected SQL Query in “Username” textbox of the application as shown below here we are selecting query “1' OR '1'='1”

Now click upon Login button on the application and check the result. Same we can select different SQL Quires from drop down and check the results.

2. For example if we select query “&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49” from dropdown and click on Login.

Result: Following error will come:

Step3: If you want to execute different quires simultaneously and want to check the results by tool, you need to select the checkboxes from left navigation and click on “Execute” button. It will display results. User can also select “Test all form with all attacks” option, it will execute all selected quires on all forms of application.

It will display results as follows. Error will display in “Red” color and Queries which will execute successfully will display in “Green” color.

5.3 How to customized Quires in Tool library

Step1: Go to “Tool” menu, select SQL Inject me, and then go to options.

Step2: It will open a pop up window from where user can “Add”, “Remove” SQL quires.

BASIC OVERVIEW OF REQUIREMENTS AND CURRENT SYSTEMS

THESE SYSTEMS WHOLLY COMPRISE MY BUSINESS OPERATION CURRENTLY

BASIC OVERVIEW OF REQUIREMENTS AND CURRENT SYSTEMS

I would like the software to manage all my data and perform every operation that currently exists in my business processes.

Mostly i want everything to work as it does now but

· To be integrated into one whole software solution which is online

· enable tutors/clients to enter and view data online at will instead of having to make phone enquiries to view/change their data...i.e. clients can log in, view their tutor’s contact details, view past progress reports and account statements; view details of their last payment etc.... tutors can log in, complete reports, create invoices for their hours...

· enable a better automation of tasks, especially if-then processes which are dependent on an amount of time passing e.g. if client has had > 10 hrs of tutoring then send a “follow up” email.....

· enable access to the system from any internet enabled computer and have different access rights for various staff

The main systems:

1. SALES SYSTEM

CURRENTLY: this system exists as a separate MS Excel file. VBA forms and macros manage this volume of data and keep track of prospective clients as they move through the sales process.

· Stores prospective client enquiries and manages sales data; clients enquire by email, phone, online form

· Needs to operate almost exactly as it currently does... including looking up client locations via the MapQuest API currently being used to see if there are tutors in the vicinity for a given subject and grade level

· This system is very simple; it queries data and has numerous auto- templates for SMS and email messages

· It also has basic stats for how many enquiries are converted to sales etc ...very simple calculations

· Probably the trickiest part of this program is tracking the conversion from enquiry to
“new client” and attributing the sale to a corresponding sales person AND removing the attributed sale if the client cancels before their first lesson

2. Recruitment Management System

General Recruitment Concepts

· Because tutors are mostly uni students and their timetable are subject to change regularly etc many tutors don’t stay for very long due to lack of availability. This means recruitment needs to be constant and in high volume. For this to be feasible it needs to be very efficient.

The Recruitment Process

1. Applicants submit their resume through an online form

2. Successful applicants submit a thorough profile application through an online form

3. Successful applicants are invited to book an interview using online booking software

4. Applicants attend an online interview using software not dissimilar to Skype

5. Successful applicants are called and offered a position, sent a contract

6. Once the contract is received they are sent the training manual and training manual test

7. Once they send back the test they are Entered into our system and sent an email with welcome documents

· Now they can be considered for new students in their areas and are entered into the regular BMS

The Recruitment Management System

· This is a web based software package built by an outsourcer to my exact specifications. It allows for the recruitment process above to be done super efficiently.

· Resume and profile applications go directly into this software package

· It basically takes only the click of one button to move an applicant from one step in the above process to the next

· This works perfectly in its current form; perhaps a couple new queries would be useful to meet new needs

· Really it just needs to be integrated with the rest of the system so that

i. New tutors can be entered into the regular BMS system with a click directly from RMS

ii. Tutor resumes and profile applications can be accessed from the individual tutor record within the regular database (BMS)..

o This system completely manages the whole recruitment process. Captures resumes, organises interviews, sends contracts etc

3. CEP Program – Training Module Software

Basic concept/Purpose

· There needs to be a simple way to remain in communication with tutors otherwise there is no relationship between EMT and the tutors besides monthly invoices

· It would be great to give ongoing bits of training to tutors to keep them somewhat engaged and improve their skill

· Some tutors take their jobs seriously whereas others are very casual about it. Most tutors are Gen-Y

· With an ever growing number of tutors (currently around 220 actively working) if there is going to be regular communication, it needs to be automated as much as possible.

· There also needs to be a way to efficiently collect standardised invoices from tutors

Overview

· The CEP works only with tutors that currently have active students

· It sends a “learning module” or article to tutors on a fortnightly basis

· Each article comes with an online form that the tutors must complete – the form asks

· If tutors are too busy they can elect online “Can’t complete CEP this fortnight”

· There is a part of this program that collects invoices from tutors through an online form.

o The online form collects Monthly Progress reports and Invoices from tutors

o The software form then renames the files to a standardised name series which is compatible with the BMS for end of month processing

o NB: with the new software there will be a separate process to submit tutor invoices – i am just trying to show how the business works.

Functionality

· This system is 100% completely automated

· CEP and invoices are submitted via online forms

· The only human involvement is to overview the submitted CEP forms i.e. reply to any tutors who wanted some help or advice. \

· The system automatically sends SMS and email reminders to tutors when they need to submit any documents

o It also sends auto reminders when tutors are late with their correspondence

· If a tutor has not submitted their CEP form for 3 fortnights in a row, they will not be able to submit an invoice

· This system is an online system written by an outsourced programmer according to my own specifications. It is completely separate to the BMS.

· We also need to manage tutor’s status i.e.

o When they have active students, the CEP should run and they should submit invoices and be sent reminders

o When they don’t have active students they don’t need to complete the CEP forms or submit invoices

· In order to manage the tutor’s status a CEP-Excel software module was created. It allows for communication between the BMS VBA program and the CEP program. This allows for a situation where human involvement is not necessary for managing the CEP or Invoice Submission process.

· This works perfectly as it currently is – it would only need to be integrated

· The current integration has a few tricky IF-THEN rules which determine when to set a tutor to active in the CEP system, when to immediately deactivate them and when to set them as “deactivating” for another month....all these rules are based on testing whether or not a tutor has “active” students and if not then when their last month of work would be/would have been

i. In a nutshell, this system automates the distribution of training modules to tutors and reminds them to submit invoices.

4. BUSINESS MANAGEMENT SYSTEM

This is the excel spreadsheet that holds all our data currently. A VBA form with various functions helps to manage this. It is what i have instead of a database at the moment. There are 2 main data workbooks; one for storing tutor details and one for storing client details. There is also a new workbook for each month to store client details that may change on a monthly basis such as their tutor, payments received; hourly rate etc... I don’t imagine it would be too difficult to model a real database on this data.

The business management system is itself comprised of numerous main functions/processes/interfaces

a) ACCOUNT START

a. Monitor a client’s account after they are entered as a new client for example: see which new clients need to be assigned a tutor; assign an original tutor to them; if a tutor hasn’t confirmed contact with the client send them and email/sms; if the client has had >10hrs tuition send an automated follow up email; after 20hrs tuition send an email requesting testimonials etc; also has incorporated the mapping software to see which tutors are suitable/close

· This is mostly just a set of queries and set of automated email/sms responses

b) TUTOR SWAP

a. Similar to Account Start; see which clients need to be assigned a replacement tutor; this is the process by which a replacement tutor is allocated to a client; again if the tutor hasn’t confirmed contact with client after 2 days of being assigned they are sent an email; after 10hr the client is sent a follow up email etc; also has incorporated the mapping software to see which tutors are suitable/close

· This is mostly just a set of queries and set of automated email/sms responses

c) ACCOUNT MANAGEMENT

a. This is the system by which i manage who owes us how much money; who has not paid any money to their account for 1 month-2months-3months etc; plus a few other query types are available

· This is mostly just a set of queries and set of automated email/sms responses

d) STATISTICS

a. This is a page which calculates various metrics such as average hours per student; average rate per hour etc etc . . . really this is just aggreagating information and manipulating it. There are a few tricky formulas here but nothing genuinely complex.

e) EMAIL PROGRAM

a. This program allows me to send a template email only to those clients or tutors which meet certain conditions. For example an email to clients who are “active”; an email to senior tutors who have had more than 100hours of experience etc

f) INVOICING AND BILLING

· This is by far the most complicated system i have created for the business and is probably the most convoluted in terms of processes, conditions, rules etc BUT it is probably less complicated than the CEP Training Module Software.

1. A tutor’s hours are entered for each student; the software stores those hours in the tutor records and creates a pdf statement which is emailed to clients. Complications arise because there may/may not have been other tutors who worked with this student during the month and we need their invoices for this client account too; also the software tests if the tutor submitted a progress report which is mandatory under certain conditions and if they did not then they are sent a reminder and the account statement is not yet sent etc...

· With the new software this will all need to happen online such that tutors can themselves enter their hours for each student each month etc...

Expected Challenges; Unanswered Questions and Concerns:

1. Data entry from forms. Currently i have custom built forms such as the contact form which clients use to enquire from our website – i would like this data to be auto captured into the “Sales Management” part of the system. I am also concerned about this because in the near future i will have a design company build me a new site and i am not sure how to make it so that the new forms will be compatible with this system that we are going to build?

2. Payments. I need some sort of integrated ecommerce component. Clients need to be able to log in to their account – see what they owe and make a payment. The payment should automatically be added to their account. I am not sure what solutions exist for this? There is Eway and SecurePay which i have been considering – they have APIs.

i. Also, the way i pay my tutors is direct into their bank account using their bank account details – there is a way to semi-automate this by creating ABA files so i don’t have to do it manually for each tutor as i do now. It definitely is possible, have a look at http://www.bluechilli.com/software/apps/cemtex-aba-file/aba-file-format.html . ABA files are simple text documents with very specific formatting.

3. Implementation. How will we convert from me using the old system to using the new system? My business is at a size where i have new clients, new tutors, payments etc on a daily basis. ALSO, how will we enter the existing data into the new system? There is a lot of it – too much to do by hand, and i need that data to be readily available.

4. Security/Password protection etc

i. Currently i use a program called Website Access Manager to manage which users have access to log in to the tutor admin section etc... this will not suffice for our project. Each tutor and each client needs to have access not only to generic forms as now but also to their specific information. As such i believe that a new system/process will need to be created for assigning access priviledges to users – also this needs to be automated somewhat and integrated, for example; when a tutor is “hired” a password and username is automatically created for them and they are assigned standard access rights to their data as well as generic resources which are available to all tutors such as practice maths worksheets

ii. Also, there needs to be a way to manage access rights to this software itself for my employees. i.e. the sales staff should only have access to the sales program; only i should have access to the statistics etc

iii. How will we convert the existing users and passwords to the new system?

5. General risks:

i. Once the software is up and running my WHOLE business will depend on it. Should you fall ill or your company fall apart, there will be no way for errors to be corrected or for new functionality to be installed. This is a major concern for me. I think we can possibly handle this by creating extremely thorough documentation so that in such an event another coder or company of coders could pick up the pieces?

ii. Surely with such a large project there will be many tweaks and “extras” required over the next few months after installation. I don’t think these “extras” are predictable and i would like to organise some sort of retainer payment system whereby on top of the quoted price for the project, i will pay you some sort of maintenance fee? The business is growing and i have high ambitions – changes are likely to be regular.

Software Testing QA, Tutorial For Mobile Native Application Testing, Appium and Selendroid

Friday, December 21, 2012

Injection Attacks

1 Introduction

1.1 What is Injection Attack

1.2 Types of Injection Attacks

2 SQL Injection Attacks

2.1 Introduction

2.2 Examples of SQL Injection Attacks

3 Cross Site Scripting (XSS) Attacks

3.1 Introduction

3.2 Examples of XSS Attacks

4 URL Manipulation/Tempering Attacks

4.1 Introduction

4.2 URL Manipulation

4.3 SQL Injection Attacks in URL

4.4 XSS Attacks in URL

5 Tools

5.1 Introduction

5.2 Functioning of tool

5.3 How to customized Quires in Tool library

BASIC OVERVIEW OF REQUIREMENTS AND CURRENT SYSTEMS