SQL Injection Attack

Exercise OWASP – SQL Injection Attack

1. Introduction

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and thereby unexpectedly executed.
It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Authenticate on the vulnerable web shop without entering the valid password.

Try to find a way to login without entering compass as password.

  • Find out the credit-card details of the user hacker10.
  • Exploit the SQL injection vulnerability.

Your report should include the following things:

  1. Explain the security problem
  2. Explain your attack. (exploit, screenshot, hacking journal)
  3. Explain mitigation (remedy)

2. Answer and Solution

2.1 Security problem

The web shop is vulnerable to SQL injection, so the password verification of any user can be bypassed.

username: hacker10
SQL Injection for password:

' or '1'='1

If the username is already known, the only check that needs to be bypassed is the password verification, so the injected SQL is fashioned accordingly.

The resulting condition password='' or '1'='1' is always true, so the password verification never takes effect!

2.2 Hacking journal

Login with attack string:

Username: hacker10
password:

' or '1' ='1

 

Credit Card Number is stored in profile:

1323-4545-6767-8989

3. Mitigation

Programming languages talk to SQL databases using database drivers. A driver allows an application to construct and run SQL statements against a database, extracting and manipulating data as needed. Parameterized statements make sure that the parameters (i.e. inputs) passed into SQL statements are treated in a safe manner.

For example, a secure way of running a SQL query in JDBC using a parameterized statement would be:

import java.sql.*;

// Define which user we want to find.
String email = "user@email.com";

// Connect to the database (URL, USER and PASS are connection constants defined elsewhere).
Connection conn = DriverManager.getConnection(URL, USER, PASS);

// Construct the SQL statement we want to run, with a '?' placeholder for the parameter.
String sql = "SELECT * FROM users WHERE email = ?";

// Prepare the statement and bind the 'email' value to the first placeholder.
// The query text and the parameter value reach the driver separately.
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, email);

// Run the query.
ResultSet results = stmt.executeQuery();

while (results.next()) {
// ...do something with the data returned.
}

Contrast this to explicit construction of the SQL string, which is very, very dangerous:

// The user we want to find.
String email = "user@email.com";

// Connect to the database.
Connection conn = DriverManager.getConnection(URL, USER, PASS);
Statement stmt = conn.createStatement();

// Bad, bad news! Don't construct the query with string concatenation.
String sql = "SELECT * FROM users WHERE email = '" + email + "'";

// I have a bad feeling about this...
ResultSet results = stmt.executeQuery(sql);

while (results.next()) {
// ...oh look, we got hacked.
}

The key difference is the data being passed to the executeQuery(...) method. In the first case, the parameterized string and the parameters are passed to the database separately, which allows the driver to correctly interpret them. In the second case, the full SQL statement is constructed before the driver is invoked, meaning we are vulnerable to maliciously crafted parameters.
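As an added example (not part of the original exercise or the hacksplaining source), the following Python script runs both query styles against a constructed in-memory SQLite database using the exercise's attack string; the schema, the stored password and the user name are placeholders.

```python
import sqlite3

ATTACK = "' or '1'='1"   # the attack string used in the exercise


def make_db():
    # Constructed in-memory database for the demo; not the real web shop.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('hacker10', 'compass')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    # String concatenation: the input becomes part of the SQL syntax itself.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # Full statement is built before the driver sees it (the bad pattern).
    return conn.execute(build_vulnerable_sql(username, password)).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: query text and values are handed to the driver separately,
    # so the password is compared as a literal string, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "hacker10", "compass"),
        "vulnerable_attack": login_vulnerable(conn, "hacker10", ATTACK),
        "param_correct": login_parameterized(conn, "hacker10", "compass"),
        "param_attack": login_parameterized(conn, "hacker10", ATTACK),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("hacker10", ATTACK))
    print(demo())
```

The concatenated query turns into WHERE username = 'hacker10' AND password = '' or '1'='1', which is always true, while the parameterized query simply fails to match.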

4. Summary

You should always use parameterized statements where available; they are your number one protection against SQL injection.

Source: https://www.hacksplaining.com/prevention/sql-injection