A1 – Injection Attacks
Mohamed Talaat
Linkedin: https://www.linkedin.com/in/mtibrahim/
Twitter: https://twitter.com/t4144t
E-mail: Mohamed.Talaat@owasp.org
Agenda
• 1- SQL Injection
• Demo
• 2- Template Injection
• Demo
• 3- Broken Authentication
• Demo
• 4- Session Management
• Demo
What’s OWASP?
• The Open Web Application Security Project aims to increase awareness of application security.
• Everyone is free to participate in OWASP
• We are OWASP Egypt – Cairo Chapter
OWASP Projects
• OWASP Top 10 security vulnerabilities project
• OWASP ZAP Project
• OWASP Juice Shop
• More on the following link:
https://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top 10 – Application Security Risks
How does the web app work?
• 3 Tiers Model:
Browser : Presentation Tier
PHP Code : Logic Tier
SQL Code: Storage Tier
SQL Queries Types
• Static Query
• Dynamic Query
What is the type of this query?
$dbhostname = '127.0.0.1';
$dbuser = 'admin';
$dbpassword = 'password';
$dbname = 'database';
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";
What about this?
$id = $_GET['id'];
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='$id';";
$results = mysqli_query($connection, $query);
display_results($results);
A1 – SQL Injection
• The first thing attackers check for
• Once found, it is ready to be exploited : )
Injection
• What SQL is & its types
• Concept
• Injection Issue
• Attack
• CRUD
Injection Concept
• Identify injection point
• Find the best technique to attack
• Data Exfiltration
SQLi Real World Scenarios
SQL Injection Scenario
Yahoo! Sports blind injection
• Stefano visited the Yahoo! web site with the following URL:
http://sports.yahoo.com/nfl/draft?year=2010&type=20&round=2
• He tried to put a comment after the year 2010 and noticed what happened
• So the URL became:
http://sports.yahoo.com/nfl/draft?year=2010--&type=20&round=2
SQL Injection Scenario
Yahoo! Sports blind injection
• Original Query:
SELECT * FROM PLAYERS WHERE YEAR = 2010 AND TYPE = 20 AND ROUND = 2;
• By inserting the dashes, Stefano essentially made it act like:
SELECT * FROM PLAYERS WHERE YEAR = 2010;
SQL Injection Scenario
Yahoo! Sports blind injection
• Yahoo Sport Blind Injection – Before commenting
SQL Injection Scenario
Yahoo! Sports blind injection
• Yahoo Sport Blind Injection – After commenting
SQL Injection Scenario
SQLi to RCE
• Ibrahim Raafat (Egyptian researcher) was able to exploit a SQLi vulnerability to gain full control of the server.
• He was making a purchase when he noticed the following request and tried injecting a SQLi payload into each parameter until one succeeded.
• Union-based SQL injection in the order_id parameter of the POST body:
order_id=-116564954 union select 1337,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -&first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
SQL Injection Scenario
SQLi to RCE
• He was able to read sensitive files from the web server
SQL Injection Scenario
SQLi to RCE
• And also write files to the server!
SQL Injection Scenario
SQLi to RCE
• Aaaaand the RCE
SQL Injection Scenario
SQLi to RCE
• After that he got a 15K bounty
So how did they do it?
Exploiting SQLi
SELECT Name, Description FROM Products WHERE ID='$id' AND PASSWORD='$password';
Attacker input: ' or 'a'='a #
SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a #' AND PASSWORD='$password';
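The two query shapes on the slides above, the quoted lookup from "What about this?" with the attacker input just shown, and the unquoted numeric one from the Yahoo! Sports scenario, side by side with their parameterized versions. This is an added example, not code from the slides: it runs against an in-memory SQLite database (PDO) instead of MySQL so it can be executed with no server, and the table contents are constructed. SQLite accepts `--` as a line comment, so that is used where the slide uses MySQL's `#`.

```php
<?php
// Added example, not code from the slides: the "What about this?" query, the
// Yahoo! "year=2010--" truncation and the login bypass shown above, executed
// against an in-memory SQLite database so the effect of each input can be seen
// without a MySQL server. Table contents are constructed for this example.
// SQLite accepts "--" as a line comment; the slide's "#" form is MySQL-specific.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Products (ID INTEGER, Name TEXT, Description TEXT, Password TEXT)");
$db->exec("INSERT INTO Products VALUES (1, 'Widget', 'A widget', 's3cret'),
                                       (2, 'Gadget', 'A gadget', 'hunter2')");
$db->exec("CREATE TABLE Players (Name TEXT, Year INTEGER, Type INTEGER, Round INTEGER)");
$db->exec("INSERT INTO Players VALUES ('A', 2010, 20, 2), ('B', 2010, 20, 3), ('C', 2009, 20, 2)");

// Vulnerable: the string is built exactly as on the slides, so the input becomes
// part of the SQL grammar instead of staying a value.
function lookupVulnerable(PDO $db, string $id, string $password): array
{
    $query = "SELECT Name, Description FROM Products WHERE ID='$id' AND Password='$password'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

function draftVulnerable(PDO $db, string $year): int
{
    // Numeric context: there is no quote to break out of, a trailing comment is enough.
    $query = "SELECT COUNT(*) FROM Players WHERE Year = $year AND Type = 20 AND Round = 2";
    return (int) $db->query($query)->fetchColumn();
}

// Hardened: placeholders. The SQL text is fixed before any user data arrives, so
// quotes and comment markers inside the value can only ever be compared as data.
function lookupSafe(PDO $db, string $id, string $password): array
{
    $stmt = $db->prepare("SELECT Name, Description FROM Products WHERE ID = ? AND Password = ?");
    $stmt->execute([$id, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function draftSafe(PDO $db, string $year): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM Players WHERE Year = ? AND Type = 20 AND Round = 2");
    $stmt->bindValue(1, (int) $year, PDO::PARAM_INT);   // type casting, as on the prevention slides
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$bypass = "' OR 'a'='a' --";   // the slide's attacker input, with SQLite's comment marker

echo count(lookupVulnerable($db, $bypass, 'wrong')), " rows: the password check was commented out\n";
echo count(lookupSafe($db, $bypass, 'wrong')), " rows: no product has that literal ID\n";
echo count(lookupSafe($db, '1', 's3cret')), " row: the legitimate lookup still works\n";
echo draftVulnerable($db, '2010--'), " players: the AND clauses were commented out\n";
echo draftSafe($db, '2010--'), " player: cast to 2010, every clause kept\n";
echo draftVulnerable($db, '2010'), " player: the same query with honest input\n";
```

Run it with `php` from the command line (the pdo_sqlite extension is bundled with most builds). The vulnerable lookup returns every product for the bypass input and the vulnerable draft query returns every 2010 player for `2010--`, while the prepared versions return nothing for the bypass and the single expected row for the cast year.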
SQL Injection Types
• In-band:
  • Error Based Injection
• Blind Injection:
  • Time Based
  • Boolean Based (True/False)
• Out-Of-Band
SQL Injection Types
• Error Based SQLi
SQL Injection Types
• Blind SQLi
Injection Points
• GET Parameters
• POST Parameters
• Headers
• COOKIES
What can be done with SQLi?
• Authentication Bypass
• Read file systems?
• Run system commands?
• Dump all the data?
SQL Injection Scenario
• Yahoo Sport Blind Injection
SQL Injection Prevention
• Prepared Statement Or Parameterized Query
• Stored Procedure
• Input Validation (Blacklisting or whitelisting)
SQL Injection Prevention
• Prepared Statement Or Parameterized Query
SQL Injection Prevention
• Stored Procedure
SQL Injection Prevention
• Input Validation: (Escaping) – PHP
SQL Injection Prevention
• Input Validation: Type Casting
$user_id = (int) $user_id;
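The four prevention techniques from the slides above, combined the way a request handler would use them. This is an added example, not code from the slides; the Products table, the request values and the allow-list of sortable columns are constructed. It also covers the case a prepared statement cannot handle on its own: identifiers such as an ORDER BY column cannot be bound as parameters, and escaping does not apply to them, so they must come from a fixed allow-list.

```php
<?php
// Added example, not code from the slides: type casting and whitelisting from
// the prevention slides in front of a prepared statement, plus an allow-list
// for the one kind of input placeholders cannot carry (an identifier).
// Table, request values and the allow-list are constructed for this example.

// Type casting exactly as on the slide. It is safe for the query, but it
// silently turns "3' OR 1=1" into 3 and "abc" into 0, so the application
// cannot distinguish a probe from a typo.
function castId(string $raw): int
{
    return (int) $raw;
}

// Whitelist validation: accept exactly the expected shape (a positive integer)
// and reject everything else, which leaves something to log and alert on.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Identifiers cannot be bound as parameters and escaping does not apply to
// them, so the user's choice is mapped through a fixed table of known names.
const SORTABLE = ['name' => 'Name', 'description' => 'Description'];

function productQuery(PDO $db, string $rawId, string $rawSort): ?array
{
    $id = validateId($rawId);
    $column = SORTABLE[strtolower($rawSort)] ?? null;
    if ($id === null || $column === null) {
        return null;                      // refuse the request; do not "repair" it
    }
    // $column is one of our own strings, never the request's; $id is still bound.
    $stmt = $db->prepare("SELECT Name, Description FROM Products WHERE ID = :id ORDER BY $column");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Products (ID INTEGER, Name TEXT, Description TEXT)");
$db->exec("INSERT INTO Products VALUES (1, 'Widget', 'A widget'), (3, 'Gadget', 'A gadget')");

var_dump(castId("3' OR 1=1"));                 // the cast keeps only the leading digits
var_dump(validateId("3' OR 1=1"));             // rejected outright: not a positive integer
var_dump(productQuery($db, '3', 'name'));      // a valid id and a known sort key
var_dump(productQuery($db, '3', 'price'));     // unknown sort key: refused, nothing is queried
```

On the escaping slide: `mysqli_real_escape_string()` only has meaning inside a quoted string literal. In an unquoted numeric context such as `WHERE ID=$id` it changes nothing, which is why the slides pair escaping with type casting and, preferably, prepared statements.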
Code & Command Injection
• OS Command Injection
• Code Injection
OS Command Injection - Case
OS Command Injection - Vulnerable
OS Command Injection - Protection
Code injection – case
Code Injection - Vulnerable
Code Injection - Protection
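The vulnerable and protected shapes behind the OS command injection and code injection slides above, as an added example that is not code from the slides. The host-check and calculator scenarios are constructed; the protection follows the same pattern as for SQL: validate the input against the shape you expect, and keep user data out of the command or code grammar altogether.

```php
<?php
// Added example, not code from the slides: a vulnerable and a protected
// version of each of the two injection classes named on the slides.
// The "ping" check and the calculator are constructed scenarios.

// --- OS command injection ---------------------------------------------------
// Vulnerable: the host name is pasted into a shell command line, so any shell
// metacharacters it contains are interpreted by the shell, not by ping.
function pingVulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Protected: validate the expected shape first, then quote the argument.
// escapeshellarg() makes the whole value one shell word; the validation keeps
// the program from ever receiving anything that is not a host name or address.
function pingProtected(string $host): ?string
{
    $isHost = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false
           || filter_var($host, FILTER_VALIDATE_IP) !== false;
    if (!$isHost) {
        return null;                                  // reject; do not try to clean it up
    }
    return (string) shell_exec("ping -c 1 " . escapeshellarg($host));
}

// --- Code injection ---------------------------------------------------------
// Vulnerable: eval() turns user text into PHP code, executed with the web
// server's privileges; any PHP expression is accepted, not just arithmetic.
function calcVulnerable(string $expr): mixed
{
    return eval("return $expr;");
}

// Protected: never evaluate text. Accept a tiny grammar (number op number),
// parse it with a regular expression and dispatch on an allow-list of operators.
function calcProtected(string $expr): ?float
{
    if (!preg_match('/^\s*(-?\d+(?:\.\d+)?)\s*([+\-*\/])\s*(-?\d+(?:\.\d+)?)\s*$/', $expr, $m)) {
        return null;                                  // anything outside the grammar is refused
    }
    [, $a, $op, $b] = $m;
    return match ($op) {
        '+' => $a + $b,
        '-' => $a - $b,
        '*' => $a * $b,
        '/' => $b == 0 ? null : $a / $b,
    };
}

var_dump(pingProtected('not a host name!'));   // rejected before any command runs
var_dump(calcProtected('6 * 7'));              // parsed and computed, never eval()'d
var_dump(calcProtected('2 + x'));              // not in the grammar, so nothing is evaluated
```

The script only exercises the protected functions; the vulnerable ones are there to show the defect, and the usual review finding is simply that `shell_exec()`, `system()`, `exec()` and `eval()` receive request data at all. Where a shell is not needed, passing an argument array to `proc_open()` avoids the shell entirely.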
Demo – SQLi in request headers
• Perform full scan on the victim
• Finding the injection point
• Exfiltration
• Get the treasure : )
SQLmap
• A tool used to automate slow SQLi exfiltration and to identify potential SQLi injection points.
• Ships with a great number of scripts ready to be executed
• Can be integrated with other tools such as Burp Suite and Metasploit
SQLmap Basics
• -u: pass a target URL to SQLmap
• --dbs: list all the databases on the system
• --banner: grab the database banner
• --threads 7: increase the number of threads used in blind injections
• --tables: list the tables of a database
• -T table: choose a table
• --dump: dump all the data in a table of the database
• --level: sets a level from 1 to 5 for the number of injection points tested (headers and parameters)
• --risk: sets a level from 1 to 3 for the type of tests made
• --batch: never ask for user input, run with the sqlmap defaults
SQLmap Basics
• Basic Scan:
• sqlmap -u http://192.168.203.139 --batch
• Intense Scan (Not Recommended on production):
• sqlmap -u "http://192.168.203.139" --level 5 --risk 3 --threads 7 --batch
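The defender's side of the sqlmap and "SQLi in request headers" slides: what the scans above look like in a web server access log. This is an added example, not from the slides. It parses Apache combined-format lines and flags sqlmap's default User-Agent and injection syntax in the query string, Referer and User-Agent. The log lines (including the sqlmap User-Agent string) and the rules are constructed for this example and should be tuned to real traffic before use.

```php
<?php
// Added example, not from the slides: scan constructed Apache combined-format
// access log lines for sqlmap's default User-Agent and for injection syntax in
// the query string, Referer and User-Agent. Log lines and rules are assumptions.

const SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /nfl/draft?year=2010&type=20&round=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/May/2025:10:01:09 +0000] "GET /nfl/draft?year=2010--&type=20&round=2 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/May/2025:10:02:30 +0000] "GET /product?id=3%27%20UNION%20SELECT%201%2C2 HTTP/1.1" 500 311 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/May/2025:10:02:31 +0000] "GET /product?id=3 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (X11) \' AND \'a\'=\'a"',
    '10.0.0.7 - - [12/May/2025:10:03:00 +0000] "GET /product?id=42 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
];

// Patterns applied to each decoded field. Deliberately narrow: the aim is a
// reviewable signal, not a WAF, so false positives stay rare and explainable.
const PAYLOAD_RULES = [
    'union-based probe'  => '/\bunion\b\s+(all\s+)?select\b/i',
    'comment truncation' => '/--\s*(&|$)/',          // the "year=2010--" shape from the slides
    'quoted tautology'   => "/'\\s*(or|and)\\s+/i",  // the "' or 'a'='a" shape from the slides
];
const SCANNER_UA = '/^sqlmap\//i';                    // sqlmap's default User-Agent prefix

// Split one combined-format line into its fields; null if it does not parse.
function parseCombined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// Apply the rules to the query string (URL-decoded, since payloads arrive encoded)
// and to the two headers that the access log preserves.
function findingsFor(array $entry): array
{
    $findings = [];
    if (preg_match(SCANNER_UA, $entry['ua'])) {
        $findings[] = 'ua: sqlmap default User-Agent';
    }
    $fields = [
        'query'   => urldecode((string) parse_url($entry['target'], PHP_URL_QUERY)),
        'referer' => $entry['referer'],
        'ua'      => $entry['ua'],
    ];
    foreach ($fields as $name => $value) {
        foreach (PAYLOAD_RULES as $label => $pattern) {
            if ($value !== '' && preg_match($pattern, $value)) {
                $findings[] = "$name: $label";
            }
        }
    }
    return $findings;
}

function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseCombined($line);
        if ($entry === null) {
            continue;                                  // unparseable line: skip, do not guess
        }
        $findings = findingsFor($entry);
        if ($findings) {
            $hits[] = ['ip' => $entry['ip'], 'target' => $entry['target'], 'findings' => $findings];
        }
    }
    return $hits;
}

foreach (scanLog(SAMPLE_LOG) as $hit) {
    printf("%-10s %-45s %s\n", $hit['ip'], $hit['target'], implode('; ', $hit['findings']));
}
```

Of the five constructed lines, the second is flagged for the comment truncation in the query string, the third for both the sqlmap User-Agent and the union probe, and the fourth for the tautology carried in the User-Agent header; the two ordinary requests produce nothing. Changing sqlmap's User-Agent is a single option, so the header rule is only a quick win; the payload rules on decoded parameters and headers are the part worth keeping.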


Editor's Notes

  • #7: Presentation Tier: the view shown to the user. It translates the user's actions into HTTP requests and sends them to the logic tier, and renders the returned HTML code into a graphical view. Logic Tier: the web server which stores the application code, and the middleware that performs the processing tasks: it loads, compiles and executes the scripts, translates the HTTP request into a database query and sends it to the storage tier. Storage Tier: executes the database query; the logic tier then pulls the result back, formats it, and sends it to the presentation tier.
  • #15: The injection issue is the lack of sanitization of user input (Much confidence). The attack leverages the attacker's ability to inject malicious SQL/database queries into the logic tier so that they are executed at the database and the result is returned to the attacker. CRUD: Create, Read, Update, Delete.