Welcome to this new episode of the OWASP Top 10 vulnerabilities course, where we explain in detail each vulnerability. In this blog post, you will learn SQL injection.
This is a subset of the OWASP Top 10 injection vulnerabilities. If you’d like to have a bigger picture of Injection, I invite you to read this blog post before continuing.
OWASP Cheat Sheet that provides numerous language specific examples of parameterized queries using both Prepared Statements and Stored Procedures The Bobby Tables site (inspired by the XKCD webcomic) has numerous examples in different languages of parameterized Prepared Statements and Stored Procedures. The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. This OWASP SQL injection Prepared Statements Cheat Sheet explains how to use it in all major programming languages. Another approach would be to use stored procedures, where the SQL queries are stored on a database and no user input is dynamically inserted into them. The following articles describe how to exploit different kinds of SQL Injection Vulnerabilities on various platforms that this article was created to help you avoid: SQL Injection Cheat Sheet; Bypassing WAF's with SQLi - SQL Injection Bypassing WAF; Description of SQL Injection Vulnerabilities: OWASP article on SQL Injection Vulnerabilities.
What is SQL injection?
This vulnerability happens where the application processes malicious user input to query a SQL database. A n example would be the login feature of an admin portal. In fact, a vulnerable piece of code could be as follows:
The code above expects two user inputs, an email and a password. Then, it constructs a SQL query by concatenating the email and password. From there, if the result is not empty, the application allows the user to access the administration dashboard.
The idea is to construct a valid SQL query while bypassing the password protection. If we try the payload ‘ or 1=1;– in the email input and dummy in the password, the resulting SQL query would be:
It is a valid SQL query which always returns true since 1 is always equal to 1. Besides, the double dashes comment out the rest of the SQL query. The result will pass the check and give us admin access without knowing neither the email nor the password.
You can practice SQL injection by going to the SQL injection hands-on examples blog post.
SQL injection attacks
This vulnerability is really impactful. I mentioned the TalkTalk’s breach on the OWASP Top 10 Injection blog post, which should give you an insight into how serious SQL injection could be. The following is a list of publicly available reports which bug bounty hunters reported on HackerOne. I’ll invite you to read my write-up, which I found on a private HackerOne program. So, make sure to subscribe to the newsletter to be notified.
- $4000 bug report: It is a well written report on an error-based SQL injection which affected Starbucks.
- $2000 vulnerability report: It is a blind SQL injection vulnerability that the ethical hacker found on labs.data.gov.
- Blind injection affecting the US Department Of Defense.
How to exploit SQL injection manually?
The first thing is to determine if it is an error or blind based injection.
Error based SQL injection
The most basic test is to trigger an exception by injecting either single or double quotes, unless there is some protection filter in place. From there, just rely on the errors and try to either get unauthorized access or read sensitive data. There is a detailed blog post about this approach in the SQL injection practical examples.
Blind SQL injection
If the application doesn’t return any errors, try to provoke a time delay using a sleep. If it doesn’t work, try to spot any difference in the HTTP response between a SQL query which returns true and another which returns false.
As an ethical hacker, be very cautious when manipulating the SQL query! You should avoid altering or deleting data unless explicitly permitted by your client. Losing data can lead to serious business losses and will harm your reputation.
How to exploit SQL injection using automated tools
You can use automated testing once you find a vulnerability manually. Alternatively, you can use automated scanners to speed up your testing process if you have a large number of user inputs. You can use either OWASP Zap, Burp Suite or Sqlmap to test for this vulnerability automatically. I cover each one of them in this hands-on OWASP Top 10 training.
How to prevent SQL injection?
As it turns out, fixing this highly impactful security vulnerability is extremely simple. As a developer, the most effective and primary protection against this deadly vulnerability is to use prepared statements. This OWASP SQL injection Prepared Statements Cheat Sheet explains how to use it in all major programming languages.
Another approach would be to use stored procedures, where the SQL queries are stored on a database and no user input is dynamically inserted into them.
You can also use a whitelist to control parts of your SQL query before executing it. For example, if you search a store by category, you may want to validate that the category parameter is included in a list of whitelisted categories. If successful, then you run the SQL query. However, I wouldn’t recommend it as a primary defense. You can use it as a secondary defense mechanism.
Another secondary defense would be to apply protection filters which would sanitize and escape the user inputs. However, this can be bypassed.
You can find more on this topic on the OWASP prevention Cheat Sheet.
SQL injection common filters bypass
To prevent SQL injection, developers use common filters to check user input. Unfortunately, they can be bypassed. Whether you are As a developer or an ethical hacker, you should be aware of them. So please take your time understanding the idea behind these filters, this will enrich your skills whether you are a developer or an ethical hacker.
That’s it for today! Hopefully you’ve learnt a lot during this episode. If you enjoyed learning from this content, make sure to subscribe to the newsletter. I update all the subscribers on each Friday.
Login page #5
- Login page with user name and password verification.
- MD5 Encryption used for password.
- Both user name and password field are prone to code injection.
Credentials for logging in normally
User name | Password |
---|---|
harry | password |
SQL injection.
Executed SQL query when username is harry and password is password:
SELECT*FROMusersWHEREname='harry'ANDpassword='5f4dcc3b5aa765d61d8327deb882cf99'When a user enters a user name and password, a SQL query is created and executed to search on the database to verify them. However, the password is not stored as clear text on the database. They are encrypted with MD5 algorithm. The above query searches in the users table where name is harry and password is 5f4dcc3b5aa765d61d8327deb882cf99, which is the MD5 encrypted value of password. If matching entries are found, the user is authenticated.
In order to bypass this security mechanism, SQL code has to be injected on to the input fields. The code has to be injected in such a way that the SQL statement should generate a valid result upon execution. If the executed SQL query has errors in the syntax, it won't fetch a valid result. Aralion driver download. So filling in random SQL commands and submitting the form will not always result in successful authentication.
Sql Injection Cheat Sheet Owasp Pdf
Cheat sheet
Owasp Sql Injection Attacks
User name | Password | SQL Query |
---|---|---|
harry | password | SELECT*FROMusersWHEREname='harry'ANDpassword='5f4dcc3b5aa765d61d8327deb882cf99' |
' or '1'='1'# | blah | SELECT*FROMusersWHEREname='OR'1'='1'#' and password='6f1ed002ab5595859014ebf0951522d9' |