
SQL Injection Cheat Sheet

SQL Injection Cheat Sheet, Document Version 1.4. About this cheat sheet: it currently covers MySQL and Microsoft SQL Server, with some ORACLE and some PostgreSQL. Most samples are not correct for every situation; real-world environments differ because of parentheses, different code bases and unexpected, strange SQL sentences. The samples are provided to give the reader a basic idea of a potential attack, and almost every section includes brief information about itself. Notation: (MS) means MySQL and SQL Server, etc. Table of Contents: Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks; Ending / Commenting Out / Line Comments. Line comments comment out the rest of the query: -- (SM), as in DROP sampletable;-- and # (M), as in DROP sampletable;# . Further sections: Line Comments Sample SQL Injection Attacks; Inline Comments; Classical Inline Comment SQL Injection Attack Samples; MySQL Version Detection Sample Attacks; ID: /*! Hints,

SQL Injection Walkthrough. 1.0 Introduction: When a machine has only port 80 open, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server, we have to turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or the services running in the OS. This article does not introduce anything new; SQL injection has been widely written about and used in the wild. 1.1 What is SQL Injection? 1.2 What do you need? 2.0 What should you look for? Everything between the <FORM> and </FORM> tags has potential parameters that might be useful (exploit-wise). 2.1 What if you can't find any page that takes input? 3.0 How do you test if it is vulnerable? Enter hi' or 1=1-- into the login, the password, or even the URL. 3.1 But why ' or 1=1--? ' or 'a'='a

Cross-site Scripting (XSS). Last revision (mm/dd/yy): 06/5/2018. Overview: Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. An attacker can use XSS to send a malicious script to an unsuspecting user. Related Security Activities: How to Avoid Cross-site Scripting Vulnerabilities (see the DOM based XSS Prevention Cheat Sheet, the OWASP Development Guide article on Phishing, and the OWASP Development Guide article on Data Validation); How to Review Code for Cross-site Scripting Vulnerabilities (see the OWASP Code Review Guide article on Reviewing Code for Cross-site Scripting Vulnerabilities); How to Test for Cross-site Scripting Vulnerabilities (see the latest OWASP Testing Guide article on how to test for the various kinds of XSS vulnerabilities). Description: Cross-Site Scripting (XSS) attacks occur when: Stored XSS Attacks; Reflected XSS Attacks; Alternate XSS Syntax.

SQL Injection Attacks by Example. A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. "SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation. So we'll do it in steps. A standalone query of

SQL injection (computer hacking technique). A classification of SQL injection attack vectors as of 2010. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.[2] History: The first public discussions of SQL injection started appearing around 1998;[3] for example, a 1998 article in Phrack Magazine.[4] Form: Classic SQLI; Blind or Inference SQL injection; Database management system-specific SQLI; Compounded SQLI (SQL injection + insufficient authentication,[7] SQL injection + DDoS attacks,[8] SQL injection + DNS hijacking,[9] SQL injection + XSS[10]). Technical implementations.

SQL Injection Demo - Nazim's IIS Security Blog. SQL injection seems to have faded from prominence lately and has become just a buzzword. To make things a little more real I put together a quick demo for it, to demonstrate that you don't necessarily have to go out of your way to make your web application exploitable. Here are the ingredients for this demo: an ASP.NET application using System.Data.SqlClient to access a SQL database. CAUTION: This is a sample to demo SQL injection and is hence insecure. Setting up the Database: I used SQLExpress for my demo, but you can use whatever is available. I enabled the sa account and gave it a password, then populated the tables with sample data. SELECT * FROM Users; SELECT * FROM Orders; Setting up a Web Application on your Server: I used IIS 7.0 and ASP.NET 2.0, but you could use other tools as well. Make sure IIS is running and that you can access the default page. Here is the sample code-behind for the ASP.NET page, SQLLoginUnsafe.aspx.cs. Make sure you can access the website from your local machine. Conclusion.

SQL Injection. Last revision (mm/dd/yy): 04/10/2016. Overview: A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. Threat Modeling: SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Related Security Activities: How to Avoid SQL Injection Vulnerabilities. Description. Examples.

Cross-site scripting. Background: Security on the web is based on a variety of mechanisms, including an underlying concept of trust known as the same origin policy. This essentially states that if content from one site (such as is granted permission to access resources on the system, then any content from that site will share these permissions, while content from another site ( will have to be granted permissions separately. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. XSS vulnerabilities have been reported and exploited since the 1990s. Types: There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS: non-persistent and persistent. Non-persistent: A reflected attack is typically delivered via email or a neutral web site. Persistent. Exploit examples.

Session hijacking attack. Last revision (mm/dd/yy): 08/14/2014. Description: The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. The session token could be compromised in different ways; the most common are: predictable session token; session sniffing; client-side attacks (XSS, malicious JavaScript code, Trojans, etc.); man-in-the-middle attack; man-in-the-browser attack. Examples: Example 1, Session Sniffing (Figure 2). Example 2, Cross-site script attack: the attacker can compromise the session token by using malicious code or programs running at the client side (Figure 3). References.

Session hijacking. A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine. If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net. A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. History: Session hijacking was not possible with early versions of HTTP. HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking. Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. Methods. Prevention.

Cross-Site Request Forgery (CSRF). Last revision (mm/dd/yy): 11/9/2013. Overview: CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. Related Security Activities: How to Review Code for CSRF Vulnerabilities (see the OWASP Code Review Guide article on how to review code for CSRF vulnerabilities); How to Test for CSRF Vulnerabilities; How to Prevent CSRF Vulnerabilities (listen to the OWASP Top Ten CSRF Podcast; John Melton also has an excellent blog post describing how to use the native anti-CSRF functionality of the OWASP ESAPI). Description: Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. Using a secret cookie. Examples.

Cross-site request forgery. History: CSRF vulnerabilities have been known and in some cases exploited since 2001.[3] Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.[2] Exploits are under-reported, at least publicly, and as of 2007[4] there are few well-documented examples. About 18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008.[5] Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank.[6] Example and characteristics: The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated.[1] For example, one user, Alice, might be browsing a chat forum where another user, Mallory, has posted a message. Mallory: Hello Alice! Limitations.
