It is important to learn the basics of how each piece of functionality in a web application works. Once that is understood correctly, I firmly believe it becomes very simple to break any vulnerable application.
To understand how a web application works, we need to learn a programming language and play around with it. I have created a basic login function using Java and am trying to perform an SQL injection attack against it. I feel it is important to start with a basic example so that anyone can build on that basic understanding.
Below is the “login.html” script file, which collects the username and password from the user and submits them using the POST method.
Below is the backend Java program that validates the username and password.
Since it is simple Java code, I believe anyone will be able to understand what has been written. Initially, a JDBC connection is established to the MySQL server. Next, the credentials entered by the end user are retrieved and validated against the database. If the credentials are correct, the user is logged in successfully.
Below is the record from the database.
Attack scenario:
1. Check with a valid username and password
Result:
2. Check with an invalid username and password
Result:
3. SQL injection:
Providing an SQL injection payload in the username and password fields.
Result:
As shown above, the attacker is able to log in to the system by supplying a malicious payload. Insecure coding therefore leads to an authentication bypass, and it needs to be eliminated.
I have tweaked the code so that it reflects the last name of the user back in the page. I will now use this vulnerable code to enumerate some sensitive information.
Let me provide the payloads below to the system and check how the application reacts.
Payload: ‘ UNION ALL SELECT NULL,version(),NULL,NULL#
The result reveals the version of the MySQL database.
To retrieve the database names: ‘ UNION ALL SELECT NULL,concat(schema_name),NULL,NULL FROM information_schema.schemata#
Result:
An attacker can retrieve any kind of information from the database through such enumeration and attack strategy.
To avoid such a situation, the developer needs to follow the recommended secure coding methods. I have described the basic and most important secure coding methods below. It is up to the developer to add further protective mechanisms to his or her code.
Secure coding practice:
Prepared Statement:
A prepared statement is one of the methods for protecting against SQL injection attacks. Below is the example code.
Now testing the scenario with an SQL injection payload.
As shown above, the user is not able to log in to the system.
Input Sanitization:
Input sanitization is essential for preventing many kinds of vulnerabilities. In this scenario, I have again tweaked the code so that the username value must be an email address. Any value other than an email address is not considered valid.
Checking for invalid input:
Result:
Valid input is given: test@test.com
Result:
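As an added illustration (not the author's original code, which is not reproduced in the text), the following Java sketch places the concatenated query beside the prepared-statement version and the email check described above; the table name `users` and the column names `username` and `password` are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class LoginCheck {

    // Vulnerable form: the input is pasted into the query text, so a quote
    // character in the username closes the string literal and whatever follows
    // is parsed as SQL. Shown only to make the defect visible.
    static boolean loginVulnerable(Connection conn, String user, String pass) throws SQLException {
        String sql = "SELECT * FROM users WHERE username='" + user + "' AND password='" + pass + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the query text is compiled with placeholders and the values
    // are bound separately, so the input can only ever be treated as data.
    static boolean loginPrepared(Connection conn, String user, String pass) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Input validation: the username must look like an email address (assumed
    // pattern; a quote or a '#' never matches, so such input is rejected early).
    private static final Pattern EMAIL =
            Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    static boolean isValidEmail(String value) {
        return value != null && value.length() <= 254 && EMAIL.matcher(value).matches();
    }

    // Combined check for the servlet: reject malformed usernames before touching
    // the database, then query with bound parameters.
    static boolean login(Connection conn, String user, String pass) throws SQLException {
        if (!isValidEmail(user)) {
            return false;
        }
        return loginPrepared(conn, user, pass);
    }
}
```

The vulnerable method is included only so the difference is visible side by side. Note that this example mirrors the page's scenario of comparing the password in clear; a production system would compare a salted hash instead.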
If you like the content, please follow me on Medium and LinkedIn.
LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/