OWASP TOP 1 – SQL Injection Attacks

OWASP Top 1

Injection attacks are classified as the OWASP Top 1 vulnerability in the OWASP Top 10 list. This type of attack is high risk and easy to carry out, because it only requires access to the vulnerable database through an ordinary web browser such as Firefox or Chrome. The enumeration process, which is the analysis that identifies the vulnerabilities, can be performed directly against the database that sits behind the web page.

There are different types of injection attacks; the most common is SQL injection, which consists of inserting SQL code from the client side (the web browser) into web applications (any application that may be vulnerable and exposed via the Internet). The goal is to extract customers' financial information such as credit card numbers, customer passwords, or the passwords of the administrators of the vulnerable database, or to find an access path that allows the attacker to breach the internal system from the database.

Let’s start with some questions and answers…

What systems are vulnerable to SQL injection attacks?

If your company has a database exposed to the Internet whose data is not properly encrypted or whose input fields are insecurely programmed, it could be vulnerable to SQL injection attacks.

How can I know if my database exposed to the Internet is affected by this type of vulnerability?

There are different techniques to discover whether your database is affected by this type of vulnerability. Input validation together with query parameterization is the only sure way to prevent SQL injection, and checking for these safe practices is the surest way to diagnose it. That review also involves looking for calls to external resources such as “fork”, “exec” or “system”, among others, which make requests and wait for results.

OWASP Top 1 – Anatomy of an SQL injection

We would like to show you an example of SQL injection that should help you get a better understanding of this vulnerability:

Using a web browser, it is possible to identify the version of an operating system by executing SQL commands against a database vulnerable to SQL injection:

Using the SQL command: “UNION ALL SELECT 1,@@version,3,4”

As you can see, the version string is exposed: “5.1.63-0+squeeze1”. In this example, it was possible to identify the operating system using “@@version” in the SQL code (the Debian package suffix “squeeze1” identifies the distribution release). The reason for this result is that a vulnerable database exposes its columns when the injected “UNION ALL SELECT” joins the application's own query with a query chosen by the attacker, with placeholder numbers filling the columns that are not of interest.

Results like this are an indicator that your company's website is vulnerable to SQL injection attacks. A second technique for finding SQL injection vulnerabilities is to use web application scanners such as Burp Suite or OWASP ZAP. Training is required to operate these tools and interpret their results. Here, we show the results of OWASP ZAP against the same vulnerable system:

The scanner found another vulnerable link in the same affected database. It also reports the affected code involved in the vulnerability.

These vulnerability scanners can be run from outside the network, pointed directly at your corporate website, which allows malicious parties to discover and exploit these vulnerabilities.
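Because the same probes that a scanner or a manual tester sends (a stray single quote, a “UNION ALL SELECT”, a read of “@@version”) also land in your web server's access log, you can watch for them on the defending side. The following detector is an added example written for this article, not a tool from OWASP or RedDefense Global: it parses Common Log Format lines, URL-decodes the request path (repeatedly, so double-encoded quotes are not missed) and flags the indicators described on this page. The three log lines are constructed sample data, and the indicator list is an assumption you would extend for your own application.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format). The second and third lines
# carry the probes described on this page: a single quote and a UNION/@@version read.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /products.php?id=4 HTTP/1.1" 200 5120
203.0.113.77 - - [10/Oct/2023:13:55:40 +0000] "GET /products.php?id=4%27 HTTP/1.1" 500 312
203.0.113.77 - - [10/Oct/2023:13:55:52 +0000] "GET /products.php?id=-1+UNION+ALL+SELECT+1,@@version,3,4 HTTP/1.1" 200 5010
"""

# ip - - [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the decoded path; each one is a probe the
# walk-through on this page sends. Extend this list for your own application.
INDICATORS = {
    "quote_probe": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE),
    "version_read": re.compile(r"@@version|\bversion\(\)", re.IGNORECASE),
}


def decode(path):
    """URL-decode until the string stops changing, so %2527 (double-encoded quote) is caught."""
    prev = None
    while prev != path:
        prev, path = path, unquote_plus(path)
    return path


def scan_log(text):
    """Return one record per request whose decoded path matches at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode(m["path"])
        found = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if found:
            hits.append({
                "ip": m["ip"],
                "path": decoded,
                "status": int(m["status"]),   # a 500 after a quote is the error page the article shows
                "indicators": found,
            })
    return hits


def repeat_offenders(hits, threshold=2):
    """Count flagged requests per source address and keep those at or above the threshold."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["indicators"], h["path"])
    print("repeat offenders:", repeat_offenders(scan_log(SAMPLE_LOG)))
```

A 500 response immediately after a quoted parameter is the same signal the article describes from the attacker's side (the database error leaking through the page), so correlating the status code with the indicator is more useful than the indicator alone; a source address that trips several indicators within minutes is a scanner, whether yours or somebody else's.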

A third technique to find out if your website is vulnerable to SQL injection attacks is the single quote. Yes, you read that right: a single quote in a web link can tell you whether your database is vulnerable.

As you can see in the picture, a single quote causes the system to generate an error. This type of message is an indicator that the database is vulnerable to SQL injection.

In SQL, the single quote is a string delimiter, so it helps to find out whether the application escapes strings correctly. If the strings are not handled properly, the application responds with an SQL error message. This implies that we can interact with the database using well-formed SQL queries to retrieve data such as usernames, passwords, customers' credit card information, personal information such as SSNs, and any other type of data stored in the database.

For example, the password hash belonging to the administrator of this database could be exposed with the following command:

1 UNION ALL select 1,concat(login,0x3a,password),3,4 FROM USERS
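The single-quote error and the UNION-based extraction above both come from one defect: the application pastes the request parameter into the SQL text. The following is an added example written for this article (not code from the site shown in the screenshots or from RedDefense Global) that reproduces the defect against a constructed SQLite table and puts the parameterized fix, the one prevention the article names, beside it. SQLite is assumed for portability, so the page's MySQL “concat(login,0x3a,password)” becomes the “||” operator and the sample users, hashes and the helper names are all constructed.

```python
import sqlite3

# Constructed sample data standing in for the vulnerable site's "users" table.
# The hashes are unsalted MD5 values, chosen to mirror the article's screenshot.
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),    # MD5 of "password", constructed
    (2, "o'brien", "e99a18c428cb38d5f260853678922e03"),  # constructed
]

# The article's UNION extraction, adapted to SQLite syntax (constructed payload).
UNION_PAYLOAD = "x' UNION ALL SELECT 1, login || ':' || password FROM users --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, login):
    """The defect: the parameter is concatenated into the SQL text.

    A quote in the input ends the string literal, so the rest of the input is
    parsed as SQL. A lone quote produces the syntax error the article shows;
    a UNION appends the attacker's SELECT to the application's own query.
    """
    sql = f"SELECT id, login FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, login):
    """The fix: a parameterized query. The value travels separately from the
    SQL text, so quotes and keywords inside it are data, never SQL."""
    return conn.execute("SELECT id, login FROM users WHERE login = ?", (login,)).fetchall()


def probe(fn, conn, login):
    """Run a lookup and classify the outcome the way a tester reads the page."""
    try:
        rows = fn(conn, login)
    except sqlite3.OperationalError as err:
        return ("sql_error", str(err))   # the error message the quote test looks for
    return ("rows", rows)


if __name__ == "__main__":
    conn = make_db()
    for name in ("o'brien", UNION_PAYLOAD):
        print("input:", name)
        print("  vulnerable:", probe(lookup_vulnerable, conn, name))
        print("  safe:      ", probe(lookup_safe, conn, name))
```

The legitimate user named o'brien is the telling case: the concatenating version throws an SQL error on an ordinary name, while the parameterized version returns the row. The same placeholder that makes the apostrophe harmless makes the UNION payload harmless too, because the database never parses the input as SQL. Escaping quotes by hand is not an equivalent fix; binding parameters is.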

With access to this information, it would not be very complicated for a hacker to recover the password behind this hash and log in to the system as an administrator:

Now, this is just the beginning; hackers have developed very advanced tools that reproduce the steps shown above against thousands of websites automatically. Let's see how a tool called SQLMAP operates on the same database:

List of columns available for enumeration:

List of database tables:

Listing the username, hash and password of the “users” table through an automatic brute-force procedure:

THIS IS WHAT HACKERS DO IN YOUR SYSTEMS AT NIGHT.

What could a hacker do after using the OWASP Top 1 vulnerability to exploit an online database?

Well, from this point the possible attacks are endless. Access to the underlying operating system, or lateral movement to higher-value servers and computers on the internal network, are just some of the actions an experienced attacker could take. Exposure of customer data and loss of business reputation can be critical to your business if you do not take appropriate steps to secure your databases.

Is my corporate website vulnerable if we have a security certificate?

A security certificate encrypts the communication between the end user and the server, but it cannot protect against other vulnerabilities such as SQL injection if your database is affected by them.

How can RedDefense Global help me to keep my databases and corporate website safe?

RedDefense Global will put your corporate websites and databases to the test. We use advanced scanners, manual penetration testing, and different techniques and procedures that may include crawling, rough tampering, code review, and folder permissions. We do all of this in coordination with your internal staff in charge of your information systems. These procedures are necessary to find out if the potential vulnerabilities are false positives or real vulnerabilities. If they are real vulnerabilities, we will provide you with effective methods to patch, update, and/or remove the vulnerability according to the situation to keep your environment safe.

Additional resources regarding this type of attack

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection.html

https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html

https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet_in_Java.html

Vulnerabilities based on CWE Ranking.

CWE-77: Command Injection

CWE-89: SQL Injection

CWE-564: Hibernate Injection

CWE-917: Expression Language Injection

SOLUTION AND PREVENTION

https://www.reddefenseglobal.com/services