Susan was an SQL programmer working at a reputable company. Susan and her husband had been happily married for almost 10 years. Susan wanted to give a surprise gift to her husband on their 10th wedding anniversary. E-shopping4u.com was a well-known online shopping portal that was offering quality products with good discounts on gift items. It was also offering gift vouchers to customers who purchased their products. Susan decided to purchase the gift from E-shopping4u.com. She ordered a costly gift for her husband much in advance, as she wanted the gift to be delivered on the anniversary day. She eagerly waited for the gift. But things did not work the way she wanted; the gift she had ordered was not delivered on the anniversary day. She wanted to know why the company failed to deliver. She searched the Web site for contact numbers. She tried to contact the management of the shopping portal but could not get any response. After many failed attempts, in frustration, she decided to take revenge on the shopping portal.
Susan searched the Internet to find security vulnerabilities related to shopping portals. She searched various security-related Web sites and vulnerability databases on the Internet. Finally, she found an online forum where some user had posted the SQL vulnerabilities of E-shopping4u.com. Half of Susan’s work was done. Being an SQL programmer herself, she knew how the SQL vulnerabilities of a shopping portal could be exploited. She crafted an SQL statement and inserted that statement in place of a username in the portal’s user registration form. She was able to access the entire database of E-shopping4u.com. It was the best chance for her to take revenge on the shopping portal.
Analyze the SQL injection steps that Susan used that enabled her to access the E-shopping4u.com database.
Step 1: Susan searched the Internet to find security vulnerabilities related to shopping portals.
In attacking a website, the very first step is to search for vulnerable websites with tools such as Mozilla (it is fast, supports proxies and supports many plug-ins), the Acunetix web vulnerability scanner and Burp Suite. Susan, being an SQL programmer, used this method as her first step in performing the attack. This search involves understanding the point at which the website interacts with the database, so as to reach the stored procedures.
Using a Google Dork list, one can issue search queries that lead to vulnerable Internet sites; this is achievable because there are numerous search tricks, for example -URL:html… and intitle: “index.asp”, which is how Susan came across the vulnerable E-shopping4u.com.
Step 2: Checking the website for vulnerability
To check for vulnerability, a hacker, without consent, tries to reach the database by appending a single quote (‘) to the end of a website's URL and then requesting it. A vulnerable website displays a revealing message, for example “an SQL error at line 1…”. This is a back-end technical message that in essence should never be displayed. If the vulnerability is tested at the login form instead, say in the username field, an error message of the form “userid=%293rjfhj%fl=……” means the website is vulnerable and an attacker is likely to succeed. A website that is not vulnerable does not display database error messages; the page simply stays where it was, or gives a message such as “Password not found” or “nonexisting user name”.
Step 3: She crafted an SQL statement and inserted that statement in place of a username in the portal’s user registration form.
To do this, she first must have found the number of columns in the database table. On the vulnerable website, the single quote (‘) appended to the URL is replaced with an SQL ‘order by’ clause, incremented until an error appears. The next step is to find the vulnerable column in the database by using the keyword ‘union’, for example on the website www.techsoftkk.com/login.aspx?id= -2 union select 1,2,3,…, which replaces the ‘order by’ clause inserted earlier. She could have performed this operation to come across the vulnerable column. Further mining can be done to find the version, and then replacing version with database could have helped her come across the website's database.
Mining tables
After finding the column, an attacker proceeds to mine for a table name with a command such as union select table_name from information_schema.tables where table_name like ……; using the resulting error message, the attacker can proceed further with NOT LIKE in case the table is unavailable. Once the tables are known, she further needed to find the column names with SQL commands such as ‘group_concat(column_name)’ from information_schema.columns where given_table=…; this procedure can prompt an error that leads to further mining until the database column names are displayed.
Getting to the data
Queries are then used to retrieve information from the tables and columns; such commands can find the username and even the password. To find a username, a command such as union select top 1 login name from admin login can be used. This can generate an error such as “failed to convert ‘john’ to another type”. With this data in hand, selecting the password where the username ‘john’ exists becomes pretty easy. At this point, passwords and usernames can be modified further, hence the success of Susan’s revenge mission.
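As an added example that is not part of the case study, the following Python script runs the checks a defender would apply to web server logs for the probes described in Steps 2 and 3: a trailing single quote, an incremented order by, and union select in a query string. The log lines are constructed here, and the script assumes the probes arrived as GET parameters that the server logged.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache combined-style format; client IPs are
# documentation placeholders and the timestamps are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2014:12:00:01 +0000] "GET /login.aspx?id=2 HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2014:12:00:02 +0000] "GET /login.aspx?id=2%27 HTTP/1.1" 500 233
203.0.113.5 - - [10/May/2014:12:00:03 +0000] "GET /login.aspx?id=2+order+by+3 HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2014:12:00:04 +0000] "GET /login.aspx?id=2+order+by+4 HTTP/1.1" 500 233
203.0.113.5 - - [10/May/2014:12:00:05 +0000] "GET /login.aspx?id=-2+union+select+1,2,3 HTTP/1.1" 200 640
198.51.100.7 - - [10/May/2014:12:00:06 +0000] "GET /search.aspx?q=o%27brien HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is applied to the URL-decoded query string.
RULES = [
    ("quote_probe", re.compile(r"'\s*$")),                               # Step 2: trailing single quote
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),         # Step 3: counting columns
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # Step 3: finding the column
]

def scan_line(line):
    """Return a finding dict for a line carrying a probe, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    hits = [label for label, rx in RULES if rx.search(query)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "hits": hits, "query": query}

def scan_log(text):
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

def summarise(findings):
    """Per client: how many probes, and how many drew the 5xx response that
    signals the back-end error message an attacker is hoping to see."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"probes": 0, "errors": 0})
        entry["probes"] += 1
        entry["errors"] += int(f["status"] >= 500)
    return summary

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["hits"], f["query"])
    print(summarise(scan_log(SAMPLE_LOG)))
```

The apostrophe in the legitimate search for o'brien is not flagged, because the first rule looks only for a quote at the very end of the query string; a client that sends several probes and draws 5xx responses is the pattern worth alerting on.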
Describe at least two (2) tools that Susan could have used to assist her in the attack described within the case example, and suggest the key benefits that the chosen tools provide hackers. Justify your response.
Sqlmap
This is an automatic SQL injection tool developed in Python. It allows an attacker to detect and exploit SQL injection vulnerabilities in Web applications (EC-Council Press series, Ethical Hacking and Countermeasures: Data Servers and Web Applications, 1435483626). Susan could have used this tool because it allows several operations to be performed once the vulnerability of a website has been exploited: running SQL commands, an operation Susan carried out; reading system files; and performing blind SQL injection and in-band SQL injection.
SQLier
This tool takes a URL and attempts to find out all the information required to exploit an SQL injection vulnerability, if one exists. She might have used it because she needed to determine the username vulnerability, and since SQLier has the ability to build a UNION SELECT query to brute-force passwords stored in a database, she might have needed that as well.
Examine the critical manner in which different database systems (e.g., Oracle, MySQL, or Microsoft SQL Server-based, etc.) can play a significant role in the SQL injection attack steps.
SQL Injection in Oracle
A hacker can add UNION statements to an existing statement and trigger a second statement to be executed. After this, a hacker can add subselects to an existing statement. In Oracle, data manipulation commands can also be injected.
SQL Injection in MySQL
Although it is not easy to perform SQL injection against a MySQL database, it is still possible if the coding was poor. It can also be vulnerable if the scripting around the SQL database allows hackers to see error messages. MySQL is considered secure from this attack because it does not show error messages when columns are combined with a UNION; thus hackers cannot exploit the view of an error message.
Vulnerabilities can also exist in scripts that manipulate MySQL databases, potentially allowing attackers to see error messages or otherwise exploit these vulnerabilities.
Attacks Against Microsoft SQL Server
SQL injection targets information kept behind a Web application by manipulating the database that interfaces with it. The injected commands try to manipulate the parameters of a Web-based application so as to modify the SQL statements and extract data from the database.
This is attainable by first exposing web applications that are vulnerable to attack. As with MySQL, hackers exploit Microsoft SQL Server if the coding was done poorly and the website is poorly managed. A hacker can find SQL servers from the Internet or from within an organization.
Suggest at least two (2) security controls that E-shopping4u.com could have implemented to mitigate the risks of SQL injection. Further, determine whether or not you believe Susan’s attack would have been successful if such security controls were in place.
Use of Regular Expressions
E-shopping4u could have developed their system so that user input is not allowed to modify database content. Validating every input seals the loopholes for attack; this includes checking for SQL meta-characters, which can be achieved with regular expressions. In an attack, a single quote is used to generate an error report, but by using a replace function on the input before it reaches SQL, it will not generate one. In the case where Susan targeted the username with a single quote (‘), the code pswd_strUsername = Replace(Request.Form("txtUsername"), "'", "''") (doubling each single quote so that it is read as a literal character rather than a string delimiter) would have prevented the attack. This control measure could have made it difficult for Susan to penetrate the said website, as all the input values would have been checked.
Creating Custom Error Messages
Developers can create custom error messages such as “Username error…input valid data” rather than leaving the database-generated errors in place. The website in the case appears to have omitted this, which left technical information leaking to the SQL programmer. Hackers use these errors to exploit the vulnerability of a site or web page. Thus, had this security procedure been in place, Susan could not have attacked the website.
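As an added example, not code from the case study or from E-shopping4u.com, the following Python script puts a lookup built by string concatenation (the kind of coding the case describes) beside a parameterised one, against an in-memory SQLite table constructed here, and wraps the safe lookup in a handler that returns the custom message suggested above instead of the raw database error. The table layout, the rows and the placeholder hashes are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample table; the hash values are placeholders, not real digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("john", "hash-john"), ("o'brien", "hash-obrien")])
    return conn

def lookup_vulnerable(conn, username):
    """Builds the statement from the raw form value, so a quote in the input
    becomes part of the SQL itself (this is the defect, kept on purpose)."""
    sql = "SELECT password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()

def lookup_parameterised(conn, username):
    """The input is bound as a value and is never parsed as SQL."""
    sql = "SELECT password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()

def probe(lookup, conn, username):
    """What the Step 2 single-quote test would observe: 'db_error', 'row' or 'no_row'."""
    try:
        row = lookup(conn, username)
    except sqlite3.Error:
        return "db_error"      # the tell-tale "SQL error at line 1"
    return "row" if row else "no_row"

def handle_login(conn, username):
    """Hardened handler: parameterised query plus a custom error message."""
    try:
        row = lookup_parameterised(conn, username)
    except sqlite3.Error:
        # Record the real exception server-side; show the client nothing technical.
        return "Username error...input valid data"
    return "ok" if row else "Password not found or nonexisting user name"

if __name__ == "__main__":
    db = make_db()
    for name in ("john", "o'brien", "john'"):
        print(repr(name), probe(lookup_vulnerable, db, name),
              probe(lookup_parameterised, db, name), handle_login(db, name))
```

The legitimate name o'brien breaks the concatenated query exactly as the attacker's probe does, which is why parameterisation is the stronger control: it keeps real customers working while giving the probe nothing to read.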
- EC-Council Press series. Ethical Hacking and Countermeasures: Web Applications and Data Servers (1435483626), chapter 6.
- Revelli, A. SQL Injection Attacks and Defense (2nd edition), chapter 4, Exploiting SQL Injection, pages 139-232.
- Overstreet, R. (2004). Protecting Yourself from SQL Injection Attacks. http://www.4guysfromrolla/webtech/061902-1.shtml