Could it be?
What is blind, seeks a perfect union but does care about conditions? No, it is not love; it’s SQL Injection.
People often say I want to hack this, or I want to hack that but are not sure where to begin. Application Security is a good start. It is fascinating on the surface, and it is even better when getting your hands dirty – PortSwigger Academy is an excellent place for this. You can start learning what real Pentesters do when evaluating a web application during professional engagements.
At TCM Security, we encourage using multiple tools to achieve your learning objectives. So let us look at SQLi attacks, tools, and a couple of learning resources.
So, what is SQLi anyway? SQLi is short for SQL Injection, and it is a vulnerability that allows you to view data from a database via a vulnerable application. Of course, you are not supposed to view this data in the first place, but since the application is vulnerable – we can.
Here is PortSwigger’s definition: “SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It allows an attacker to view data that they are not normally able to retrieve.” (PortSwigger Academy – SQLi)
So, we have an idea of SQL injection, so why is it important? OWASP had SQLi as the number one (1) vulnerability on their Top 10 Application Security Risk – 2017 list. (OWASP Top 10) Phew. that is a mouthful.
We can view data we are not supposed to, such as unreleased products not presented on a shopping page or usernames and passwords from other database tables. As you can imagine, the latter can result in a complete takeover of an application when you find administrator credentials or bypass them altogether.
This sounds interesting, how would I practice SQL Injection and learn more?
As I mentioned above, PortSwigger Academy is a great place to learn. In addition, there is Burp Suite – a famous tool from PortSwigger for intercepting traffic that facilitates SQLi, among other attacks. Another tool often used is OWASP’s Zed Attack proxy, better known as ZAP. (OWASP ZAP) They function in similar fashion, but in their own way.
What are the differences between the two? I encourage you to find out by using them and comparing them for yourself. Each has its pros and cons, namely the price and availability of extensions or plugins.
We know where to go for practice and tools to practice with. Now it is time for some visuals and hands-on.
What does SQLi look like?
In this PortSwigger lab, we will see a UNION attack where you send a legitimate request to the server by clicking the “Gifts” search option. Then, you intercept the traffic with Burp Suite, send it to Repeater, and append a payload to the vulnerable parameter: category. What you end up getting are credentials to user accounts within the application. Below we can see Burp Suite returned administrator credentials to us in plain text. With these, we can log into the application with full admin privileges.
SQL Injection can be detrimental to an organization trying to keep their information safe. So how do we remediate SQL Injection vulnerabilities?
Do not use Dynamic SQL, where user-provided input is added directly into SQL statements.
Sanitize user-provided input
When an attacker adds a payload to a SQL query, SQL may not properly escape those characters.
Verify the type of data expected is the data submitted.
Encrypt sensitive data
In the example above, the administrator credentials were viewed in plain text. If that data were encrypted with a strong algorithm, we probably would have never cracked the password.
Salt the encrypted hashes
With salting the encrypted hash, the administrator password would likely never be cracked in our lifetime.
The less information provided to the user regarding errors, the better. Verbose errors should be reserved for the application admins. An error to the user should be something like, “An error has occurred. Reach out to support for assistance.”
Incorporate the use of a Web Application Firewall. This provides an extra layer of security to help thwart SQL injection attacks.
Keep your databases updated by remediating known issues and vulnerabilities that older versions are susceptible to.
We learned about a couple of tools, places to learn and, a bit about SQL Injection. This is just the very beginning when it comes to application security. If you are learning about ethical hacking or penetration testing, you cannot go wrong with AppSec. If you are looking for a dedicated and professional team to pentest your applications, contact TCM Security.
This blog was written by Steven Amador.