A1:2017-Injection OWASP TOP 10-2017

SQL injection

A large number of security breaches all over the world are the outcome of injection attacks. That is why, in the OWASP Top 10 list, A1 Injection is ranked number 1.
Injection attacks can be categorized into several types; some of the common ones are SQL injection, LDAP injection and code injection. The most famous among them is SQL injection.

What is SQL Injection? SQL (Structured Query Language) enables a web application to interact with database servers and fetch the result of an executed query in order to perform some operation, such as displaying images stored on a server or authenticating a user. SQL commands such as INSERT, SELECT, UPDATE and DELETE are used to perform operations on the database.
In SQL injection, an attacker injects SQL commands that are executed by the back-end database, exploiting a web application's failure to validate its input.

How does SQL injection work?

              http://mywebsite.com/products?Id=1
                                                ↓
          SELECT * FROM products WHERE ID = 1

In the above example, observe that the first part, i.e. http://mywebsite.com/products?Id, is trusted data, while the value 1 is untrusted data that might be used for an attack.
Usually the query SELECT * FROM products WHERE ID = 1 returns all the information about the product with id=1 from a table named products.

Next, suppose an attacker appends a condition: http://mywebsite.com/products?Id=1 or 1=1. This condition is executed by the database and pulls out every entry in the table instead of the information for a single id.

Now consider another case. We have seen the SQL query

SELECT * FROM products WHERE ID = 1

Suppose a user entered the following product id in a web form field:

1'; DELETE FROM products WHERE '1' = '1

The back-end database would then obediently execute the following SQL:

SELECT * FROM products
WHERE id = '1'; DELETE FROM products WHERE '1' = '1'

Note that many databases will execute multiple SQL statements in a row if they are separated by a semicolon, which gives an attacker a very simple way to delete the entire table. Failure to sanitize the user input for the single quote (') character is what makes this possible.
Hope you had good backups. Right? Right...?

How can SQL injection be detected before it harms our business?

SQL injection can easily be mitigated, but even the smartest developers still make mistakes; after all, we are all human. Therefore detection is the best option to mitigate the risk of such attacks. A web application firewall (WAF) can detect and block basic SQL injection attacks, but you should not rely on it as the sole preventive measure.

A network-based IDS can monitor all connections to your database server and raise an alert on suspicious activity. A host-based IDS can monitor web server logs and flag when something strange happens.
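As an added example (not code from the original article), the kind of check a host-based monitor can run over web server logs: each request's query string is URL-decoded and matched against the fragments discussed above (a stray quote, an "or 1=1" tautology, a stacked statement, a comment marker). The log lines and IP addresses are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=1%20or%201%3D1 HTTP/1.1" 200 9120
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=1' HTTP/1.1" 500 233
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /gallery.php?id=42 HTTP/1.1" 200 800
"""

# Tell-tale fragments: an unbalanced quote, a tautology such as "or 1=1",
# a second statement after a semicolon, SQL comment markers, UNION SELECT.
SQLI_PATTERNS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I), "tautology"),
    (re.compile(r";\s*(delete|drop|insert|update)\b", re.I), "stacked statement"),
    (re.compile(r"(--|/\*|#)"), "sql comment"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union select"),
]

# client IP and request path from the start of a combined-log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def scan_log(text):
    """Return (client_ip, url, reasons) for every request whose decoded
    query string matches at least one of the patterns above."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.group(1), m.group(2)
        query = unquote_plus(url.partition("?")[2])   # decode %20, %3D, '+'
        reasons = [name for pat, name in SQLI_PATTERNS if pat.search(query)]
        if reasons:
            findings.append((ip, url, reasons))
    return findings

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {url} -> {', '.join(reasons)}")
```

Decoding before matching matters: the encoded `%20or%201%3D1` would slip past a pattern applied to the raw URL.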

IMPACTS:

  • Authentication Bypass:
    An attacker could enter a network by bypassing all authentication mechanisms and gain full admin privileges.

This code injection technique can be very severe, as it might destroy your entire database, resulting in serious damage to one's website or reputation.

  • Remote Code Execution:
    An attacker could alter, delete or create data, or even create new accounts with full user rights on servers that share files and folders.

  • CIA Triad:
    Confidentiality: after gaining network access, an attacker can easily get full rights over the sensitive information stored in the database.

    Compromised data integrity: an attacker could change the content of the website or even some users' data.

    Compromised availability of data: SQL injection could also allow the attacker to delete sensitive and crucial data, which can directly impact website operations.

Significant risks:

Data loss or corruption.
Data theft.
Unauthorized access.
Denial of service.
Complete host system takeover.

COMMON DEFENSES:

Parameterise SQL statements: separate the SQL query from the input data. A placeholder is substituted for the parameter in the SQL query, and the parameter is then passed to the query separately, so it is never parsed as SQL.

Use positive or "whitelist" server-side input validation.

For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.

Follow the principle of least privilege and use separate database accounts for admin and public access.
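The products lookup from the examples above, written both ways. This is an added example (not code from the original article): the vulnerable function concatenates the untrusted id into the query text, so "1 or 1=1" returns every row; the parameterised function binds the value through a placeholder and the same input matches nothing; the validated function adds the whitelist check. The in-memory SQLite table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for the article's "products".
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "keyboard"), (2, "mouse"), (3, "monitor")])
    return con

def lookup_vulnerable(con, product_id):
    # String concatenation: the untrusted value becomes part of the SQL
    # text, exactly like ?Id=1 in the article, so "1 or 1=1" changes the WHERE.
    query = "SELECT id, name FROM products WHERE id = " + product_id
    return con.execute(query).fetchall()

def lookup_parameterised(con, product_id):
    # Placeholder keeps the SQL text fixed; the driver binds the value as
    # data, so "1 or 1=1" is compared as a literal and matches no row.
    query = "SELECT id, name FROM products WHERE id = ?"
    return con.execute(query, (product_id,)).fetchall()

def lookup_validated(con, product_id):
    # Positive (whitelist) validation on top: an id must be a plain integer.
    if not product_id.isdigit():
        raise ValueError("product id must be a positive integer")
    return lookup_parameterised(con, int(product_id))

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1"))            # one row
    print(lookup_vulnerable(con, "1 or 1=1"))     # every row: the injection from the article
    print(lookup_parameterised(con, "1 or 1=1"))  # no rows: the value never becomes SQL
    print(lookup_validated(con, "2"))             # one row
```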

How to find a SQL injection vulnerable site:

Unfortunately, we cannot do a SQL injection attack on all websites. The website must have some SQLi vulnerability in order for this technique to work. A vulnerable website URL should have a parameter like php?id=1 or ?id=(any number), as we have seen in the above example: http://www.mywebsite.com/products?id=1.

Use Google Dorks to find such websites.
like: default.php?catID=”+92″
gallery.php?id= site:.pk
cat.php?id= “+92”
products.php?id= “+92”
Then, to check whether a given website is vulnerable to SQL injection or not, just add ' (apostrophe) at the end of the URL parameter.
like: URL of a website: http://www.example.com/products?id=1
checking SQLi by putting ' (apostrophe): http://www.example.com/products?id=1'

If this results in some kind of database error such as:
"Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/piilcom/public_html/new.php on line 111"

then we can say the website is vulnerable to SQLi.
NOTE: You may see a different SQLi error; sometimes no error is shown at all, but the web application's response will change in some way.

Disclaimer:
This article is for educational purposes only. The authors and cybrot.com will not be held liable if criminal charges are brought against any individual for misusing the information on this website to break the law. Any activities related to the above information are solely your responsibility. Misuse of the information on this website can result in criminal charges being brought against the persons in question.