2. What is a web application?
Any application that is commonly served via the HTTP or HTTPS protocol,
usually from a remote computer acting as the host or server.
3. Why is Web Application Security Important?
Web applications are used to perform most major tasks or
website functions. They include forms that collect
personal, classified and confidential information such as
medical history, credit and bank account information as
well as user satisfaction feedback.
If your organization is legally bound by legislation to
protect the privacy and security of personally identifiable
information, and hackers can get at this sensitive
information, you run the risk of being found guilty of
non-compliance.
Almost 75 percent of attacks are tunneling through web
applications.
The consequences of a security breach are great: loss of
revenues, damage to credibility, legal liability and loss of
customer trust.
4. On average, there are anywhere from 5 to 15 defects
per 1,000 lines of code.
A 5-year Pentagon study concluded that it takes an
average of 75 minutes to track down one defect.
Fixing one of these defects takes 2 to 9 hours each.
That translates to 150 hours, or roughly $30,000, to
clean every 1,000 lines of code.
• Researching each of the 4,200 vulnerabilities
published by CERT for just 10 minutes would have
required 1 staffer to research for 17.5 full workweeks or
700 hours.
Gartner Group estimates that a company with 1,000
servers can spend $300,000 to test and deploy a patch;
most companies deploy several patches a week.
5. How Hackers Get In?
Browser-based attacks use flaws in the web-based
application code. Software most vulnerable to these
types of attacks includes:
User interface code -- provides the look and feel of
the site.
Web server -- supports the physical
communication between the user's browser and
the web applications.
Front-end applications -- interface directly with
the user interface code and back-end systems.
6. Common Vulnerabilities
Hack attack -- What hackers use it for
Cookie Poisoning -- Identity theft / Session hijack
Hidden Field Manipulation -- eShoplifting
Parameter Tampering -- Fraud
Buffer Overflow -- Denial of service / Closure of business
Cross-Site Scripting -- Hijacking / Identity theft
Backdoor and Debug Options -- Trespassing
Forceful Browsing -- Breaking and entering
HTTP Response Splitting -- Phishing, Identity theft and eGraffiti
Known Vulnerabilities -- Taking control of the site
SQL Injection -- Manipulation of DB information
Broken Authentication -- Login without authentication / Trespassing
Information Leakage -- Trespassing
8. What is SQL injection?
SQL injection is an attack in which malicious code is
inserted into strings that are later passed to an instance of
SQL Server for parsing and execution.
The primary form of SQL injection consists of direct
insertion of code into user-input variables that are
concatenated with SQL commands and executed.
A less direct attack injects malicious code into strings that
are destined for storage in a table or as metadata.
The injection process works by prematurely terminating a
text string and appending a new command. Because the
inserted command may have additional strings appended
to it before it is executed, the attacker terminates the
injected string with a comment mark "--". Subsequent text
is ignored at execution time.
9. Exploiting a Basic Vulnerability
Consider a web application deployed by a book retailer
that enables users to search for books by
author, publisher, etc.
When the user searches for all the books published
by Wiley, the application performs the following query:
SELECT * FROM books WHERE publisher = 'WILEY';
The first part, SELECT * FROM books WHERE publisher =, comprises the SQL
keywords and the names of tables and columns within the database;
all of this was written by the programmer.
'WILEY' is the item of data supplied by the user. String data should
always be encapsulated within ' ' in SQL queries.
10. Now consider the following query when the user
searches for O'Reilly:
SELECT * FROM books WHERE publisher = 'O'Reilly';
In this case the interpreter would generate an error,
since Reilly' is not valid SQL syntax.
When an application behaves in this manner, it
is wide open to SQL injection.
11. Injecting Into Different Statement Types
SELECT statement
SELECT statements are used to retrieve information
from the database.
The entry point of SQL injection attacks is normally the
WHERE clause of the query, in which the user-supplied
data is passed to the database to control the scope of
the query result.
Since the WHERE clause is usually the final component of
the query, the attacker can use the comment
symbol (--) to truncate the query after his input without
invalidating any syntax.
12. For example, if the user enters the following in the username field:
' OR 1=1--
the login query becomes:
SELECT * FROM register WHERE uname='' OR 1=1-- ' && pword='abc123'
The comment symbol discards the rest of the query, including the password check.
14. INSERT statement
INSERT statements are used to create a new row of data
within a table.
INSERT INTO users(uname,password,id,priv) VALUES
('daf','secret',2241,1)
If the username or password fields are vulnerable to
SQL injection, the attacker can insert arbitrary values
into the database, assign admin privileges to himself,
etc.
In the case of a completely blind attack, the attacker may not
know in advance the number and type of fields,
so he can keep adding additional fields to VALUES until
the desired account is created.
15. UPDATE statement
UPDATE statements are used to modify one or more
existing rows of data within a table.
These are used in functions where the user modifies his
existing information, for example changing contact
information, changing a password, etc.
It works in a similar way to the INSERT statement except
that it has a WHERE clause to tell the database which
rows to update.
UPDATE users SET password='newsecret' WHERE user =
'marcus' and password = 'secret'
If the function is vulnerable to SQL injection, the
attacker can bypass the existing password check and
change the password
16. for the admin by entering the query as:
UPDATE users SET password='newsecret' WHERE user =
'admin'-- and password = 'secret'
This way the password part is ignored.
If the attacker uses admin' OR 1=1 -- then the query becomes:
UPDATE users SET password='newsecret' WHERE user =
'admin' OR 1=1 -- and password = 'newsecret'
In this case the password of every user is reset to newsecret.
17. DELETE statement:
The DELETE statement is used to delete rows from the specified
table.
In this case also the WHERE clause is used to specify which
rows to delete. Hence making changes to the WHERE
clause can have far-reaching effects on the database.
"SELECT * FROM customers WHERE username ='$name'";
In the above query $name is provided by the user, so when
executed it will display the row where username matches the
one provided by the user.
18. For example, with the user input anu:
SELECT * FROM customers WHERE username ='anu'
19. If the user enters the malicious input
';DELETE FROM CUSTOMER WHERE 1=1 --
the query becomes:
SELECT * FROM CUSTOMER WHERE name='';DELETE FROM CUSTOMER WHERE 1=1-- '
20. The UNION Operator
The UNION operator is used to combine the results of two or
more SELECT statements into a single result set.
If there is a SQL injection vulnerability in the SELECT
statement, the attacker can use the UNION operator to
perform another query and combine its result with the first
one.
SELECT * FROM customer WHERE name = '$name'
This would return the original result.
21. With the input
anu' UNION SELECT id,name FROM product --
the query becomes:
SELECT * FROM customer WHERE name = 'anu'
UNION
SELECT id,name FROM product-- '
22. This shows all the rows of the customer table along with the data from
the product table.
23. NOTE:
When the results of two queries are combined using the
UNION operator, the two result sets must have the same
structure.
SELECT name FROM CUSTOMER WHERE name='' UNION
SELECT id,name FROM product-- ''
This fails with the error "The used SELECT statements have a different number of
columns".
Also, the attacker must know the name of the target
database table along with its relevant column names.
24. Preventing SQL Injections
Partially effective measures:
◦ Because single quotation marks play an important role
in SQL injection, a common approach is to escape
any user-entered single quotation mark by doubling
it up.
This method proves ineffective when numeric data is
being embedded into SQL queries.
It also fails against second-order injection, where data that has been
inserted using an INSERT query is later used in another SQL
query.
◦ Using custom stored procedures can also help provide
security.
But using them does not guarantee prevention of SQL injection,
since a procedure can itself contain SQL injection
vulnerabilities within its code, or the procedure may be
invoked in an unsafe way using user-supplied input.
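The two limits of quote-doubling described above, shown with Python's standard sqlite3 module against a constructed users table (an added example, not code from the slides; the table, the names and the escape_quotes helper are assumptions): doubling holds in a string context, does nothing in a numeric context, and does not survive a second-order reuse of the stored value.

```python
import sqlite3

# Constructed sample table (an assumption, not from the slides).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, uname TEXT, priv INTEGER)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", 1), (2, "marcus", 0), (3, "O'Reilly", 0)])


def escape_quotes(value):
    """The partially effective measure: double every single quote."""
    return value.replace("'", "''")


def find_by_name(uname):
    """String context: the doubled quote keeps the input inside the literal,
    so both O'Reilly and ' OR 1=1-- are treated as plain text."""
    sql = f"SELECT id FROM users WHERE uname = '{escape_quotes(uname)}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_escaped(id_text):
    """Numeric context: the value is not quoted, so there is no quote to
    escape and the input is spliced straight into the WHERE clause."""
    sql = f"SELECT id FROM users WHERE id = {escape_quotes(id_text)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(id_text):
    """Fix for the numeric case: validate the type, then bind a parameter."""
    sql = "SELECT id FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(id_text),))]


def stored_name(user_id):
    """Read a name back exactly as the database stores it (undoubled)."""
    return conn.execute("SELECT uname FROM users WHERE id = ?",
                        (user_id,)).fetchone()[0]


def demote_second_order(stored_uname):
    """Second-order injection: the name was escaped when inserted, but the
    database stored the original text; reusing it unescaped in a later
    query breaks (or alters) that query."""
    sql = f"UPDATE users SET priv = 0 WHERE uname = '{stored_uname}'"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error:
        return "syntax error"
```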
25. Parameterized Queries:
The construction of queries involving user
input is performed in two steps:
◦ The application specifies the structure of the query, leaving
placeholders for each user input.
◦ The application specifies values for the placeholders.
26. Example:
<?php
// mysqli is a class representing a connection between PHP and MySQL
$mysqli = new mysqli("server", "username", "password", "database_name");
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}
$unsafe_variable = $_POST["user-input"];
// prepare() sends the statement structure, with a ? placeholder, to the server
// (the users/uname names are illustrative; "table" itself is a reserved word)
$stmt = $mysqli->prepare("INSERT INTO users (uname) VALUES (?)");
// "s" tells the server the bound value is a string; it is never parsed as SQL
$stmt->bind_param("s", $unsafe_variable);
$stmt->execute();
$stmt->close();
// close database connection
$mysqli->close();
?>
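The same two-step construction in Python, as an added example (not from the slides) using the standard-library sqlite3 module and a constructed books table modelled on slide 9: the concatenated query breaks on O'Reilly and is widened by ' OR 1=1--, while the parameterized query returns the right rows for both because the bound value is never parsed as SQL.

```python
import sqlite3

# Constructed sample data modelled on the slides' book-retailer example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE books (title TEXT, publisher TEXT)")
conn.executemany("INSERT INTO books VALUES (?, ?)", [
    ("PHP Cookbook", "O'Reilly"),
    ("SQL Injection Attacks and Defense", "Syngress"),
    ("The Web Application Hacker's Handbook", "WILEY"),
])


def search_concatenated(publisher):
    """Vulnerable form: the user's text is spliced into the SQL text, so a
    quote ends the literal early and a comment mark hides the remainder."""
    sql = f"SELECT title FROM books WHERE publisher = '{publisher}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"error: {exc}"


def search_parameterized(publisher):
    """Fixed form: step 1 fixes the structure with a ? placeholder, step 2
    binds the value, so quotes and comment marks stay inside the data."""
    sql = "SELECT title FROM books WHERE publisher = ?"
    return [row[0] for row in conn.execute(sql, (publisher,))]


if __name__ == "__main__":
    for value in ("WILEY", "O'Reilly", "' OR 1=1--"):
        print(repr(value), search_concatenated(value), search_parameterized(value))
```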
27. Configuring the PHP Environment:
There are various configuration options in the php.ini file that
can affect the application's security, such as:
◦ Register Globals: If the register_globals option is enabled then
PHP creates global variables for all the request parameters.
Since they are not required to be initialized before use, they
can cause security issues. It has been removed entirely
from PHP 6.
◦ Safe Mode: If the safe_mode option is enabled then PHP places
restrictions on the use of some functions. For example, the
shell_exec function is disabled since it can be used to
execute OS commands, and the additional_parameters
parameter of the mail function is disabled as it can lead to
SMTP injection flaws, etc.
28. ◦ Magic Quotes: If the magic_quotes_gpc option is enabled then
single quote, double quote, backslash and NULL characters
are automatically escaped using a backslash. If the
magic_quotes_sybase option is enabled then single quotes
are escaped using single quotes.
Using magic quotes can alter user data that does not
need escaping, hence the slashes need to be removed using the
stripslashes function. Magic quotes have been removed
from PHP 6.
addslashes
You can also perform your own escaping of the required
input parameters by passing them through the addslashes
function, only when required. When using addslashes, if
magic quotes are enabled then this will lead to double
escaping (i.e. double slashes), which is interpreted as a literal
backslash, leaving the user input unescaped.
29. mysql_real_escape_string():
It calls the library function mysql_real_escape_string,
which prepends backslashes to the following characters:
\x00, \n, \r, \, ', " and \x1a.
30. Recent attacks using SQL injections
On February 5, 2011 HBGary, a technology security firm, was
broken into by Anonymous using a SQL injection in their
CMS-driven website.
On March 27, 2011 mysql.com, the official homepage
for MySQL, was compromised by TinKode using blind SQL
injection.
On June 27, 2011, Lady Gaga's website was hacked by a
group of US cyber attackers called SwagSec and thousands of
her fans' personal details were stolen from her website.
In October 2011, a Malaysian hacker managed to extract data
from www.canon.com.cn by exploiting a vulnerability he came
across. He reported the vulnerability to the company himself
within minutes, claiming to have used SQL injection.