What is a web application? Any application that is served, commonly via the HTTP or HTTPS protocol, usually from a remote computer acting as the host or server.
Why is Web Application Security Important? Web applications are used to perform most major tasks or website functions. They include forms that collect personal, classified and confidential information such as medical history, credit and bank account information, as well as user satisfaction feedback. If your organization is legally bound by legislation to protect the privacy and security of personally identifiable information, and hackers can get at this sensitive information, you run the risk of being found guilty of non-compliance. Almost 75 percent of attacks are tunneling through web applications. The consequences of a security breach are great: loss of revenue, damage to credibility, legal liability and loss of customer trust.
On average, there are anywhere from 5 to 15 defects per 1,000 lines of code. A 5-year Pentagon study concluded that it takes an average of 75 minutes to track down one defect. Fixing one of these defects takes 2 to 9 hours each. That translates to 150 hours, or roughly $30,000, to clean every 1,000 lines of code. Researching each of the 4,200 vulnerabilities published by CERT for just 10 minutes would have required one staffer to research for 17.5 full workweeks, or 700 hours. Gartner Group estimates that a company with 1,000 servers can spend $300,000 to test and deploy a patch; most companies deploy several patches a week.
How Hackers Get In? Browser-based attacks use flaws in the web-based application code. Software most vulnerable to these types of attacks includes:
◦ User interface code -- provides the look and feel of the site.
◦ Web server -- supports the physical communication between the user's browser and the web applications.
◦ Front-end applications -- interface directly with the user interface code and the back-end systems.
Common Vulnerabilities

Hack attack                 | What hackers use it for
Cookie Poisoning            | Identity theft / Session Hijack
Hidden Field Manipulation   | eShoplifting
Parameter Tampering         | Fraud
Buffer Overflow             | Denial of Service / Closure of Business
Cross-Site Scripting        | Hijacking / Identity Theft
Backdoor and Debug Options  | Trespassing
Forceful Browsing           | Breaking and Entering
HTTP Response Splitting     | Phishing, Identity Theft and eGraffiti
Known Vulnerabilities       | Taking control of the site
SQL Injection               | Manipulation of DB information
Broken Authentication       | Login without authentication / Trespassing
Information leakage         | Trespassing
What is SQL injection? SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.
Exploiting a Basic Vulnerability: Consider a web application deployed by a book retailer that enables users to search for books by author, publisher, etc. When the user searches for all the books published by Wiley, the application performs the following query:
SELECT * FROM books WHERE publisher = 'WILEY';
The part SELECT * FROM books WHERE publisher = consists of SQL keywords and the names of tables and columns within the database; all of this was written by the programmer. 'WILEY' is the item of data supplied by the user. String data should always be encapsulated within single quotes ' ' in SQL queries.
Now consider the following query when the user searches for O'Reilly:
SELECT * FROM books WHERE publisher = 'O'Reilly';
In this case the interpreter would generate an error, since Reilly' is not valid SQL syntax. When an application behaves in this manner, it is wide open to SQL injection.
Injecting Into Different Statement Types. SELECT statement: SELECT statements are used to retrieve information from the database. The entry point of SQL injection attacks is normally the WHERE clause of the query, in which the user-supplied data is passed to the database to control the scope of the query result. Since the WHERE clause is usually the final component of the query, the attacker can use the comment symbol (--) to truncate the query after his input without invalidating any syntax.
With the input ' OR 1=1-- in the username field (and abc123 as the password), the query becomes:
SELECT * FROM register WHERE uname='' OR 1=1--' && pword='abc123'
You are logged in as the first registered user.
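The two failure modes above (the O'Reilly search that breaks the query, and the login that is truncated by ' OR 1=1--), as an added example that is not part of the original slides. It uses Python's standard-library sqlite3 instead of the slides' PHP and MySQL so it runs offline; the register and books tables, their rows and the function names are constructed for the demonstration, and the hardened versions show what the parameterized-query approach changes.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample data standing in for the slides' register and books tables.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE register (uname TEXT, pword TEXT)")
    db.executemany("INSERT INTO register VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "abc123")])
    db.execute("CREATE TABLE books (title TEXT, publisher TEXT)")
    db.executemany("INSERT INTO books VALUES (?, ?)",
                   [("Learning Python", "O'Reilly"), ("PHP Bible", "WILEY")])
    return db

def login_unsafe(db, uname, pword):
    # Vulnerable pattern from the slides: user input is pasted into the SQL text.
    sql = "SELECT uname FROM register WHERE uname='%s' AND pword='%s'" % (uname, pword)
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, uname, pword):
    # Hardened: the statement structure is fixed and the values are bound as
    # parameters, so a quote or a -- inside the input stays part of the value.
    sql = "SELECT uname FROM register WHERE uname=? AND pword=?"
    row = db.execute(sql, (uname, pword)).fetchone()
    return row[0] if row else None

def books_unsafe(db, publisher):
    sql = "SELECT title FROM books WHERE publisher='%s'" % publisher
    return [r[0] for r in db.execute(sql)]

def books_safe(db, publisher):
    return [r[0] for r in db.execute("SELECT title FROM books WHERE publisher=?", (publisher,))]

def unsafe_search_breaks(db, publisher):
    # True when the concatenated query is rejected as malformed SQL (the O'Reilly case).
    try:
        books_unsafe(db, publisher)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("unsafe login:", login_unsafe(db, "' OR 1=1--", "abc123"))   # alice
    print("safe login:  ", login_safe(db, "' OR 1=1--", "abc123"))     # None
    print("O'Reilly breaks unsafe search:", unsafe_search_breaks(db, "O'Reilly"))  # True
    print("O'Reilly via safe search:", books_safe(db, "O'Reilly"))     # ['Learning Python']
```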
INSERT statement: INSERT statements are used to create a new row of data within a table.
INSERT INTO users(uname,password,id,priv) VALUES ('daf','secret',2241,1)
If the username or password fields are vulnerable to SQL injection, the attacker can insert arbitrary values into the database, assign admin privileges to himself, etc. In the case of a completely blind attack, the attacker may not know in advance the number and type of fields, so he can keep adding additional fields to VALUES until the desired account is created.
UPDATE statement: UPDATE statements are used to modify one or more existing rows of data within a table. These are used in functions where the user modifies his existing information, e.g. changing contact information, changing password, etc. It works in a similar way to the INSERT statement except that it has a WHERE clause to tell the database which rows to update.
UPDATE users SET password='newsecret' WHERE user = 'marcus' and password = 'secret'
If the function is vulnerable to SQL injection, the attacker can bypass the existing password check and change the password for the admin by entering admin'-- as the username, which gives the query:
UPDATE users SET password='newsecret' WHERE user ='admin'-- and password = 'secret'
This way the password part is ignored. If the attacker uses admin' OR 1=1 -- then the query becomes:
UPDATE users SET password='newsecret' WHERE user ='admin' OR 1=1 -- and password = 'newsecret'
In this case the password of every user is reset to newsecret.
DELETE statement: The DELETE statement is used to delete rows from the specified table. Here also the WHERE clause is used to specify which rows to delete, so changes to the WHERE clause can have far-reaching effects on the database. Consider:
"SELECT * FROM customers WHERE username =$name";
In the above query $name is provided by the user, so when executed it will display the row where username matches the one provided by the user.
With the user input anu, the query becomes:
SELECT * FROM customers WHERE username ='anu'
If the user enters the malicious input ';DELETE FROM customer WHERE 1=1 --', the query becomes:
SELECT * FROM customer WHERE name='';DELETE FROM customer WHERE 1=1 --'
The UNION Operator: The UNION operator is used to combine the results of two or more SELECT statements into a single result set. If there is a SQL injection vulnerability in the SELECT statement, the attacker can use the UNION operator to perform another query and combine its result with the first one.
SELECT * FROM customer WHERE name = '$name'
This would return the original result.
With the input anu' UNION SELECT id,name FROM product --, the query becomes:
SELECT * FROM customer WHERE name = 'anu' UNION SELECT id,name FROM product --'
This shows all the rows of the customer table along with the data from the product table.
NOTE: When the results of two queries are combined using the UNION operator, the two result sets must have the same structure. For example,
SELECT name FROM CUSTOMER WHERE name='' UNION SELECT id,name FROM product--
fails with the error: The used SELECT statements have a different number of columns. Also, the attacker needs to know the name of the target database table along with its relevant column names.
Preventing SQL Injection. Partially effective measures:
◦ Because single quotation marks play an important role in SQL injection, a common approach is to escape any user-entered single quotation mark by doubling it up. This method proves ineffective when numeric data is being embedded into SQL queries, and in second-order injection, where data that was inserted using an INSERT query is later used in another SQL query.
◦ Using custom stored procedures can also help provide security, but using them does not guarantee prevention of SQL injection, since a procedure can itself contain SQL injection vulnerabilities within its code, or it may be invoked in an unsafe way using user-supplied input.
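Why quote-doubling is only a partial measure, as an added example that is not part of the original slides. It uses Python's standard-library sqlite3 so it runs offline; the customers table, its rows and the function names are constructed for the demonstration. The escaped string lookup holds up, the escaped numeric lookup does not because there is no quote to escape, and the hardened lookup validates the type before binding the value as a parameter.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample data for the slides' customers table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [(1, "anu"), (2, "marcus"), (3, "admin")])
    return db

def escape_quotes(value):
    # The partial measure described above: double up every single quote.
    return value.replace("'", "''")

def by_name_escaped(db, name):
    # String context: the doubled quote cannot terminate the literal, so the
    # whole input is compared as a name and the truncation trick fails.
    sql = "SELECT username FROM customers WHERE username='%s'" % escape_quotes(name)
    return [r[0] for r in db.execute(sql)]

def by_id_escaped(db, id_text):
    # Numeric context: there are no quotes around the value, so the input needs
    # no quote at all and quote-doubling changes nothing.
    sql = "SELECT username FROM customers WHERE id=%s" % escape_quotes(id_text)
    return [r[0] for r in db.execute(sql)]

def by_id_safe(db, id_text):
    # Hardened: check the type first (int() rejects anything that is not an
    # integer), then bind the value as a parameter.
    cust_id = int(id_text)
    return [r[0] for r in db.execute("SELECT username FROM customers WHERE id=?", (cust_id,))]

def safe_rejects(db, id_text):
    # True when the hardened lookup refuses the input outright.
    try:
        by_id_safe(db, id_text)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(by_name_escaped(db, "anu' OR 1=1--"))   # []  (escaping works in string context)
    print(by_id_escaped(db, "2 OR 1=1"))          # ['anu', 'marcus', 'admin']  (escaping is useless here)
    print(safe_rejects(db, "2 OR 1=1"))           # True
```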
Parameterized Queries: The construction of queries involving user input is performed in two steps:
◦ The application specifies the structure of the query, leaving placeholders for each item of user input.
◦ The application specifies values for the placeholders.
Example:
<?php
// mysqli is a class representing the connection between MySQL and PHP.
// "server", "username", "password" and "database_name" are placeholders for the real values.
$mysqli = new mysqli("server", "username", "password", "database_name");
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}
$unsafe_variable = $_POST["user-input"];
// prepare() sends the statement structure to the server with a ? placeholder for the value.
// (The slide used the placeholder name "table", which is a reserved word in MySQL and would
// fail to parse; the books table from the earlier example is used here instead.)
$stmt = $mysqli->prepare("INSERT INTO books (publisher) VALUES (?)");
// "s" tells MySQL to bind the value as a string; it is never interpreted as SQL.
$stmt->bind_param("s", $unsafe_variable);
$stmt->execute();
$stmt->close();
$mysqli->close(); // close database connection
?>
Configuring the PHP Environment: There are various configuration options in the php.ini file that can affect the application's security, such as:
◦ Register Globals: If the register_globals option is enabled then PHP creates global variables for all the request parameters. Since it is not required to initialize them before use, they can cause security issues. It has been removed entirely from PHP 6.
◦ Safe Mode: If the safe_mode option is enabled then PHP places restrictions on the use of some functions. For example, the shell_exec function is disabled since it can be used to execute OS commands, and the additional_parameters parameter of the mail function is disabled as it can lead to SMTP injection flaws.
◦ Magic Quotes: If the magic_quotes_gpc option is enabled then single quote, double quote, backslash and NULL characters are automatically escaped using a backslash. If the magic_quotes_sybase option is enabled then single quotes are escaped using single quotes. Using magic quotes can alter user data that does not need escaping, hence the slashes need to be removed using the stripslashes function. Magic quotes have been removed from PHP 6.
addslashes: You can also perform your own escaping of the required input parameters by passing them through the addslashes function, only when required. When using addslashes, if magic quotes are enabled then this leads to double escaping (i.e. double slashes), which is interpreted as a literal backslash, leaving the user input unescaped.
mysql_real_escape_string(): It calls the MySQL library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
Recent attacks using SQL injection: On February 5, 2011, HBGary, a technology security firm, was broken into by Anonymous using a SQL injection in their CMS-driven website. On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by TinKode using blind SQL injection. On June 27, 2011, Lady Gaga's website was hacked by a group of US cyber attackers called SwagSec and thousands of her fans' personal details were stolen from her website. In October 2011, a Malaysian hacker managed to extract data from www.canon.com.cn by exploiting a vulnerability he came across. He himself reported the vulnerability to the company within minutes, claiming to have used SQL injection.