SlideShare a Scribd company logo

OWASP Top 10 - Day 1 - A1 injection attacks

Download as PPTX, PDF
M
Mohamed Talaat

This is my power point slides for the OWASP Cairo Chapter event held in (Information Technology Institute) on 16/3/2019. It's focused on SQL Injection attack, command and code injection and their mitigation, also at the last minutes in the presentation I made a demo on the blind sql injection attack using one of pentesterlab vulnerable machines.

Education
1 of 49
A1 – Injection Attacks Mohamed Talaat Linkedin: https://www.linkedin.com/in/mtibrahim/ Twitter: https://twitter.com/t4144t E-mail: Mohamed.Talaat@owasp.org
Agenda • 1- SQL Injection • Demo • 2- Template Injection • Demo • 3- Broken Authentication • Demo • 4- Session Management • Demo
What’s OWASP? • Open Web Application Security Project aims to increase the awareness of the application security. • Everyone is free to participate in OWASP • We are OWASP Egypt – Cairo Chapter
OWASP Projects • OWASP Top 10 security vulnerabilities project • OWASP ZAP Project • OWASP Juice Shop • More on the following link: https://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top 10 – Application Security Risks
How the web app works? • 3 Tiers Model:
Browser : Presentation Tier
PHP Code : Logic Tier
SQL Code: Storage Tier
SQL Queries Types • Static Query • Dymanic Query
What is the type of this query? • $dbhostname=‘127.0.0.1'; • $dbuser=‘admin'; • $dbpassword='password'; • $dbname='database'; • $connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname); $query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";
What about this? $id = $_GET['id']; $connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname); $query = "SELECT Name, Description FROM Products WHERE ID='$id';"; $results = mysqli_query($connection, $query); display_results($results);
A1 – SQL Injection • The first checked by hackers • Once found, ready to be exploited : )
Injection • What is the SQL & Types • Concept • Injection Issue • Attack • CRUD
Injection Concept • Identify injection point • Finding the best technique to attack • Data Exfiltration
SQLi Real World Scenarios
SQL Injection Scenario Yahoo! Sports blind injection • Stefano entered Yahoo! Web site with the following URL: http://sports.yahoo.com/nfl/draft?year=2010&type=20&round=2 • He tried to put a comment after the year 2010 and noticed what happen • So it will be like this: http://sports.yahoo.com/nfl/draft?year=2010--&type=20&round=2
SQL Injection Scenario Yahoo! Sports blind injection • Original Query: SELECT * FROM PLAYERS WHERE YEAR = 2010 AND TYPE = 20 AND ROUND = 2; • By inserting the dashes, Stefano essentially made it act like: SELECT * FROM PLAYERS WHERE YEAR = 2010;
SQL Injection Scenario Yahoo! Sports blind injection • Yahoo Sport Blind Injection – Before commenting
SQL Injection Scenario Yahoo! Sports blind injection • Yahoo Sport Blind Injection – After commenting
SQL Injection Scenario SQLi to RCE • Ibrahim Raafat (Egyptian Researcher) could exploit a SQLi vulnerability to have full control on the server. • He was doing purchase when he noticed the following URL and tried to inject it with SQLi payload in each parameter until one succeeded. • Union based SQL injection in order_id parameter POST: order_id=-116564954 union select 1337,2,3,4,5,6,7,8,9,10,11,12,13,14,15– – &first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal _code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress &csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96 d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
SQL Injection Scenario SQLi to RCE • He was able to read sensitive files from the web server
SQL Injection Scenario SQLi to RCE • And also write files to the server!
SQL Injection Scenario SQLi to RCE • Aaaaand the RCE
SQL Injection Scenario SQLi to RCE • After that he got 15K bounty
So how they did it?
Exploiting SQLi SELECT Name, Description FROM Products WHERE ID='$id‘ and PASSWORD=‘$password’; Attacker input: ‘ or ‘a’=‘a # SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a#‘and PASSWORD=‘$password’;
SQL Injection Types • Inband:- • Error Based Injection • Blind Injection • Time Based • Boolean Based (True/false) • Out-Of-Band
SQL Injection Types • Error Based SQLi
SQL Injection Types • Blind SQLi
Injection Points • GET Parameters • POST Parameters • Headers • COOKIES
What can be done with SQLi? • Authentication Bypass • Read file systems? • Run system commands? • Dump all the data?
SQL Injection Scenario • Yahoo Sport Blind Injection
SQL Injection Prevention • Prepared Statement Or Parameterized Query • Stored Procedure • Input Validation (Blacklisting or whitelisting)
SQL Injection Prevention • Prepared Statement Or Parameterized Query
SQL Injection Prevention • Stored Procedure
SQL Injection Prevention • Input Validation: (Escaping) – PHP
SQL Injection Prevention • Input Validation: Type Casting $user_id = (int) $user_id;
Code & Command Injection • OS Command Injection • Code Injection
OS Command Injection - Case
OS Command Injection - Vulnerable
OS Command Injection - Protection
Code injection – case
Code Injection - Vulnerable
Code Injection - Protection
Demo – SQLi in request headers • Perform full scan on the victim • Finding the injection point • Exfiltration • Get the reassure : )
SQLmap • A tool used to automate SQLi slow exfiltration and to identify potential SQLi injection points. • Ready with a great number of scripts to be executed • Could be integrated with other tools such as Burpsuite, Metasploit
SQLmap Basics • -u : pass a URL to SQLmap • --dbs: sort all the databases in the system • --banner: Grap the database banner • --threads 7: increase the number of threads in blind injections • --tables: grap the db tables • -T table: choose table • --dump: dump all the data in a table of db • --level: sets a level from 1 to 5 for the number of injection points (headers and parameters) • --risk: sets a level from 1 to 3 for the type of test made • --batch: run sqlmap defaults
SQLmap Basics • Basic Scan: • sqlmap -u http://192.168.203.139 - - batch • Intense Scan (Not Recommended on production): • sqlmap -u "http://192.168.203.139" --level 5 --risk 3 --threads 7 --batch

Recommended

Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applicationsDaniel Garcia (a.k.a cr0hn)
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 

Recommended

Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applicationsDaniel Garcia (a.k.a cr0hn)
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Aman Singh
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
PHP Form Validation Technique
PHP Form Validation TechniquePHP Form Validation Technique
PHP Form Validation TechniqueMorshedul Arefin
 
Linq
LinqLinq
LinqVishwa Mohan
 
HTTP Response Codes | Errors
HTTP Response Codes | ErrorsHTTP Response Codes | Errors
HTTP Response Codes | ErrorsSiddharth Sharma
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Java script
Java scriptJava script
Java scriptAbhishek Kesharwani
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesDaveEdwards12
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 

More Related Content

What's hot

Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Aman Singh
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
PHP Form Validation Technique
PHP Form Validation TechniquePHP Form Validation Technique
PHP Form Validation TechniqueMorshedul Arefin
 
HTTP Response Codes | Errors
HTTP Response Codes | ErrorsHTTP Response Codes | Errors
HTTP Response Codes | ErrorsSiddharth Sharma
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesDaveEdwards12
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 

What's hot (20)

Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
PHP Form Validation Technique
PHP Form Validation TechniquePHP Form Validation Technique
PHP Form Validation Technique
 
Linq
LinqLinq
Linq
 
HTTP Response Codes | Errors
HTTP Response Codes | ErrorsHTTP Response Codes | Errors
HTTP Response Codes | Errors
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Java script
Java scriptJava script
Java script
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Sql injection
Sql injectionSql injection
Sql injection
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilities
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 

Similar to OWASP Top 10 - Day 1 - A1 injection attacks

SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Web security
Web securityWeb security
Web securitydogangcr
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 

Similar to OWASP Top 10 - Day 1 - A1 injection attacks (20)

SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Security testing
Security testingSecurity testing
Security testing
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Web security
Web securityWeb security
Web security
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 

Recently uploaded

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 

Recently uploaded (20)

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 

OWASP Top 10 - Day 1 - A1 injection attacks

  • 1. A1 – Injection Attacks Mohamed Talaat Linkedin: https://www.linkedin.com/in/mtibrahim/ Twitter: https://twitter.com/t4144t E-mail: Mohamed.Talaat@owasp.org
  • 2. Agenda • 1- SQL Injection • Demo • 2- Template Injection • Demo • 3- Broken Authentication • Demo • 4- Session Management • Demo
  • 3. What’s OWASP? • Open Web Application Security Project aims to increase the awareness of the application security. • Everyone is free to participate in OWASP • We are OWASP Egypt – Cairo Chapter
  • 4. OWASP Projects • OWASP Top 10 security vulnerabilities project • OWASP ZAP Project • OWASP Juice Shop • More on the following link: https://www.owasp.org/index.php/Category:OWASP_Project
  • 5. OWASP Top 10 – Application Security Risks
  • 6. How the web app works? • 3 Tiers Model:
  • 8. PHP Code : Logic Tier
  • 10. SQL Queries Types • Static Query • Dymanic Query
  • 11. What is the type of this query? • $dbhostname=‘127.0.0.1'; • $dbuser=‘admin'; • $dbpassword='password'; • $dbname='database'; • $connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname); $query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";
  • 12. What about this? $id = $_GET['id']; $connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname); $query = "SELECT Name, Description FROM Products WHERE ID='$id';"; $results = mysqli_query($connection, $query); display_results($results);
  • 13. A1 – SQL Injection • The first checked by hackers • Once found, ready to be exploited : )
  • 14. Injection • What is the SQL & Types • Concept • Injection Issue • Attack • CRUD
  • 15. Injection Concept • Identify injection point • Finding the best technique to attack • Data Exfiltration
  • 16. SQLi Real World Scenarios
  • 17. SQL Injection Scenario Yahoo! Sports blind injection • Stefano entered Yahoo! Web site with the following URL: http://sports.yahoo.com/nfl/draft?year=2010&type=20&round=2 • He tried to put a comment after the year 2010 and noticed what happen • So it will be like this: http://sports.yahoo.com/nfl/draft?year=2010--&type=20&round=2
  • 18. SQL Injection Scenario Yahoo! Sports blind injection • Original Query: SELECT * FROM PLAYERS WHERE YEAR = 2010 AND TYPE = 20 AND ROUND = 2; • By inserting the dashes, Stefano essentially made it act like: SELECT * FROM PLAYERS WHERE YEAR = 2010;
  • 19. SQL Injection Scenario Yahoo! Sports blind injection • Yahoo Sport Blind Injection – Before commenting
  • 20. SQL Injection Scenario Yahoo! Sports blind injection • Yahoo Sport Blind Injection – After commenting
  • 21. SQL Injection Scenario SQLi to RCE • Ibrahim Raafat (Egyptian Researcher) could exploit a SQLi vulnerability to have full control on the server. • He was doing purchase when he noticed the following URL and tried to inject it with SQLi payload in each parameter until one succeeded. • Union based SQL injection in order_id parameter POST: order_id=-116564954 union select 1337,2,3,4,5,6,7,8,9,10,11,12,13,14,15– – &first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal _code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress &csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96 d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
  • 22. SQL Injection Scenario SQLi to RCE • He was able to read sensitive files from the web server
  • 23. SQL Injection Scenario SQLi to RCE • And also write files to the server!
  • 24. SQL Injection Scenario SQLi to RCE • Aaaaand the RCE
  • 25. SQL Injection Scenario SQLi to RCE • After that he got 15K bounty
  • 26. So how they did it?
  • 27. Exploiting SQLi SELECT Name, Description FROM Products WHERE ID='$id‘ and PASSWORD=‘$password’; Attacker input: ‘ or ‘a’=‘a # SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a#‘and PASSWORD=‘$password’;
  • 28. SQL Injection Types • Inband:- • Error Based Injection • Blind Injection • Time Based • Boolean Based (True/false) • Out-Of-Band
  • 29. SQL Injection Types • Error Based SQLi
  • 31. Injection Points • GET Parameters • POST Parameters • Headers • COOKIES
  • 32. What can be done with SQLi? • Authentication Bypass • Read file systems? • Run system commands? • Dump all the data?
  • 33. SQL Injection Scenario • Yahoo Sport Blind Injection
  • 34. SQL Injection Prevention • Prepared Statement Or Parameterized Query • Stored Procedure • Input Validation (Blacklisting or whitelisting)
  • 35. SQL Injection Prevention • Prepared Statement Or Parameterized Query
  • 36. SQL Injection Prevention • Stored Procedure
  • 37. SQL Injection Prevention • Input Validation: (Escaping) – PHP
  • 38. SQL Injection Prevention • Input Validation: Type Casting $user_id = (int) $user_id;
  • 39. Code & Command Injection • OS Command Injection • Code Injection
  • 41. OS Command Injection - Vulnerable
  • 42. OS Command Injection - Protection
  • 44. Code Injection - Vulnerable
  • 45. Code Injection - Protection
  • 46. Demo – SQLi in request headers • Perform full scan on the victim • Finding the injection point • Exfiltration • Get the reassure : )
  • 47. SQLmap • A tool used to automate SQLi slow exfiltration and to identify potential SQLi injection points. • Ready with a great number of scripts to be executed • Could be integrated with other tools such as Burpsuite, Metasploit
  • 48. SQLmap Basics • -u : pass a URL to SQLmap • --dbs: sort all the databases in the system • --banner: Grap the database banner • --threads 7: increase the number of threads in blind injections • --tables: grap the db tables • -T table: choose table • --dump: dump all the data in a table of db • --level: sets a level from 1 to 5 for the number of injection points (headers and parameters) • --risk: sets a level from 1 to 3 for the type of test made • --batch: run sqlmap defaults
  • 49. SQLmap Basics • Basic Scan: • sqlmap -u http://192.168.203.139 - - batch • Intense Scan (Not Recommended on production): • sqlmap -u "http://192.168.203.139" --level 5 --risk 3 --threads 7 --batch

Editor's Notes

  1. Presentation Tier: View to the user Translates the user requests to HTTP request – sends it to the logic tier Rendering HTML Code to graphical view Logic Tier: Web server which stores the code of the app Middleware which makes the processing tasks Loads, compiles, executes scripts Translates the HTTP request to Database query and sends it to the storage tier Storage: Execute database query Then the logic tier pulls the result back, formats it, sends it back to the presentation tier
  2. The injection issue is the lack of the sanitization for user input (Much confidence) The attack leverages from the ability of an attacker to inject a malicious SQL/ database queries to the logic tier in order to execute it at the database and returns the result to the attacker. CRUD: Create, Read, Update, Delete