Lesson 7 Lab Notes
In this lab we will go over the following:
- OWASP Top 10
- SQL Injection Basics
- Bypass authentication in Mutillidae using SQLi
CVE Information:
N/A
Module Information:
N/A
Instructions:
What is OWASP Top 10?
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. To raise awareness about application security, every couple of years they identify some of the most critical risks facing organizations in what is called the OWASP Top 10 project. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.
You can read their Top 10 report here: https://www.owasp.org/index.php/Top_10_2013-Top_10
In this lesson we are going to be focusing on A1 - Injection. More specifically, SQL injection.
SQL Injection Basics
What is SQL injection? SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Security misconceptions
- The firewall protects my web server and database.
  - Access to the server through ports 80 and 443 makes the web server part of your external perimeter. If you open ports 80 and 443 on a normal firewall, it will allow ALL traffic through on those ports, including malicious traffic. This is because a normal firewall does not inspect the packets!
  - Vulnerabilities in the web server software or applications may allow access to internal network resources.
- The IDS protects my web server and database.
  - The IDS is configured to detect signatures of various well-known attacks.
  - Attack signatures do not include those for attacks against custom applications.
- SSL secures my sites.
  - SSL secures the transport of data between the web server and the user's browser.
  - SSL does not protect against attacks on the server and applications.
  - SSL is the hacker's best friend due to the false sense of security.
SQL Injection Breakdown
- Step 1 - Attacker sends data containing a SQL fragment.
- Step 2 - Application sends the modified query to the database.
- Step 3 - Attacker views unauthorized data.
SQL injections cannot be prevented by the firewall, IDS, or SSL. The only way SQL injections can be prevented is by being very precise when you write your code. The mistakes in the code are responsible for SQL injection; it is not a database or web server problem.
Bypass authentication in Mutillidae using SQLi
The first step is determining if a SQL injection exists. Try to 'inject' characters reserved in the database to produce an error message:
- single quote '
- backslash \
- double hyphen --
- forward slash /
- period .
In Firefox browse to http://172.16.52.2/mutillidae
Leave the Security Level at 0 and, if you want, you can turn on Hints. I leave Hints on because I am a noob at Web Application Security. :P
Go to OWASP Top 10 > A1 - Injection > SQLi - Bypass Authentication > Login
Test for SQL injection by typing a single quote in the Name field.
The error proves that the site is vulnerable to a SQL injection. Next type in
' or 1=1 --
This breaks out of the SQL string literal and makes the query treat our input after the single quote as part of its own SQL, resulting in some unintended access!
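To see why the lone single quote produces an error and why ' or 1=1 -- logs you in, here is an added example (not part of Mutillidae or these lab notes) that rebuilds the login query in Python against a constructed in-memory SQLite table, next to the parameterised version that fixes it, which is the code-level prevention the notes above call for.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for Mutillidae's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def probe_error(conn, username):
    """Step 1 of the lab: a single quote breaks the concatenated query and
    the database reports a syntax error, the tell-tale sign of injection."""
    try:
        login_vulnerable(conn, username, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

if __name__ == "__main__":
    conn = make_db()
    print("probe with ' :", probe_error(conn, "'"))
    # The -- comments out the password check, so every row matches.
    print("vulnerable:", login_vulnerable(conn, "' or 1=1 --", "wrong"))
    # The same input bound as a parameter matches no account.
    print("safe:", login_safe(conn, "' or 1=1 --", "wrong"))
    print("real login:", login_safe(conn, "alice", "wonderland"))
```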
With the hints on you can see how to construct various SQL injections. When it says "Field: Proxy" that means you have to proxy Firefox through Burp Suite, which isn't something I am going to get into. The creator of Mutillidae has a whole playlist on YouTube that goes over that material way better than I ever could. So if you are interested I suggest you watch that over on his channel.
https://www.youtube.com/playlist?list=PLZOToVAK85MrsyNmNp0yyUTBXqKRTh623