The document discusses the vulnerabilities associated with data stores in web applications, primarily focusing on SQL, XML, and LDAP. SQL injection is highlighted as the most common and critical vulnerability, leading to significant data theft. It explains various techniques attackers use, such as bypassing logins, employing union operators, and identifying database structures to exploit these vulnerabilities.

1. CNIT 129S: Securing
Web Applications
Ch 9: Attacking Data Stores

2. Data Stores
• Most common types are SQL, XML, and
LDAP
• High-value target for attackers
• SQL injection is the #1 vulnerability in
Web apps
• Responsible for more than 90% of all
stolen data

3. Injecting into Interpreted
Contexts

4. Interpreted Languages
• Code is not compiled
• It's executed line-by-line
• Many core languages used in Web apps run
interpreted
• SQL, LDAP, Perl, PHP

5. Code Injection

6. Compiled Languages
• Code injection vulnerabilities are more rare
• Injection has to be written in machine language
• Higher skill level required

7. Bypassing a Login
• Authentication code
• Enter username of
• admin'
• and any password
• Logs in as admin

8. If Admin Username is
Unknown
• Enter this username
• Query becomes
• Log in as first user in the database, typically the
administrator

10. The UNION Operator
• Combines two SELECT statements to produce a
single result set

11. Single SELECT Query

12. Using UNION

13. # for Comments
• Note: some apps use different comment
characters
• Try all of these at the end of your injection
• --
• #
• /*

14. Requirements for UNION
• The two result sets must have the same
structure
• Number of fields and data types
• Attacker must know the name of the table of
interest and its column names

15. Wrong # of Columns

16. Different Data Types
• This works because the numerical data is converted to
strings
• It would fail if the first row were numbers, and the others
strings

17. Hack Steps

18. Find the Number of Columns
• NULL matches any data type
• Query will fail until the # of columns is correct

19. Using NULL

20. Find a String Column
• If query succeeds, the 'a' column is string

21. Find Database Version

22. Finding Version

23. Vulnerable SF College
• I notified them in 2013; years later, they fixed it
• Link Ch 8b

24. Example: MS-SQL

25. Search Address Book for
"Matthew"

26. Single Column

27. 5 Columns

28. Find String Column

29. Get Table and Column
Names

30. Get Credentials