Few months ago, I attended a web application hack workshop, and I want to share a couple of stuffs I picked up from there. Part one of this article will talk about how to perform injection attack, whilst part two will be on counter measures.
Below are the latest types of attacks that your web application can be vulnerable to, according to Open Web Application Security Project (OWASP). Consistently, Injection attack has been the number 1.
2017 report is the latest. Most likely, anytime soon, their new report will be out, and trust me, injection will still be in a comfortable lead.
The screen shot below compares the 2013 and 2017 OWASP reports.
Now, let’s take the first one.
If you are in the web space, you know about it already. The only change is, now Injection attack is not peculiar to SQL. This makes sense because there are databases that don’t run on SQL language. MongoDB and CouchDB are in the category of NoSQL. Their querying language is not SQL. Their database structure is not relational, and their abstraction uses ODM (object document mapper) instead of ORM (Object relational mapper)
Injection attack in short, is trying to add (inject) a query (a test, a letter, a code, or anything imaginable) at the front end of a web application, hoping the security features of the front end will ignore it. Once it is ignored, it can land in the database code, and then cause trouble. You will add this through any of the forms you will find on the website. It could be login form, sign up form, search form, comment form, etc.
So, how do you go about it?
The International Business Machine (IBM) has a website, dedicated just for that. They intentionally built it with series of vulnerabilities. Injection attack is one of such. Pull your browser and head over to http://demo.testfire.net
Next step: Click on the Sign In at the upper right menu. This is where the magic happens.
Press the Login button. Do not enter anything in the username and password fields.
You should see the message below.
Next, enter any guessed username. I will guess my own name (kaunda). Enter only the username and leave the password blank. You should see the below message.
OK, that is cool.
First of all, this site has made it clear to the attacker as to what is needed. As a guide, be careful of error messages that tells the user exactly what has gone wrong. You are indirectly telling an attacker what to do next. “Wrong credentials” or “Login failed” are nice error messages that developers can use.
We have a guessed Username already, so let’s guess password too. You can guess anything and use, I will guess 1234.
Now, let’s start the actual injection attack. Remember, injection attack tries to add some code or text to the underlying SQL or whatever query language. The special two things we will wish to add (inject) are
- Apostrophe (‘). We will add apostrophe to our username (Eg. kaunda’)
- Double dash(--). Later we will add double dash too. (Eg kaunda’--)
Let’s start with the apostrophe.
Enter kaunda’ as username, and 1234 as password.
You should see the below message
Syntax Error. Does it ring a bell? That should tell us that the apostrophe has caused some trouble to the underling SQL code that is authenticating the user.
Now, add two dashes (--) after the apostrophe. That gives kaunda’--
Unfortunately, that still gives error.
This error message is an indication that, truly there is no username as kaunda in their system. That makes sense. IBN system, most likely will not have username as “kaunda”. But if it’s a website built in Zambia or somewhere southern Africa, someone will most likely have such a username. If it’s Ghana, someone will most likely have a username as kofi or afia. If the website is for the Zongo Ministry, then likely there will be username as alhassan or memunatu. That is common sense, and it works in hacking. For certain things, you must do an intelligent guess.
So for a global system, it will make sense to guess username as Admin or administrator or Guest or any of the common names found on most systems. These names are mostly default accounts that most developers use/create for testing purpose.
Let’s go with Admin.
Enter Username admin’-- and password 1234.
You’ve hacked IBM. Well done. Get yourself a cup of coffee as you watch out for PART 2 of this article. How to prevent Injection Attack
Author: Kaunda Ibn Ahmed
Remote.com.gh (Member, Institute of ICT Professionals, Ghana)
For comments, contact [email protected] or Mobile: +233 234 80 90 10