We live in a technological world where most things are connected through the Internet. Smart cars, houses, devices and watches are going beyond their basic capabilities and are in constant evolution. Websites are also a good example of innovation: in the past, they were merely text and images on an HTML page. We may say the web was created for fun and entertainment, but now we use it for shopping, banking, advertising, etc. Today it connects people and companies globally, and that is why we need to keep it secure. The boundaries between the real world and the digital world are thinner than ever and threats are constantly appearing. Sounds apocalyptic, doesn't it?
In order to keep our websites secure, we have created 10 tips based on the OWASP Top 10. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software by providing guidelines and best practices. According to the OWASP Top 10, the most common and dangerous vulnerability is Injection, because it is a very broad category that includes practically all of the most serious web application security risks.
Injection flaws occur when an attacker can send hostile data to a web service, API, etc., and that data gets executed. The result can be data loss, corruption, disclosure to unauthorised parties, loss of accountability, or denial of access. There are different kinds of injection, such as SQL Injection, OS Command Injection, XPath Injection and LDAP Injection. In this article, we'll focus on SQL Injection, because its way of operating covers the other types as well.
SQL Injection is dangerous because it uses the legitimate mechanisms for sending and querying information, but maliciously, and that is why the infrastructure's controls do not block it: they believe the user is making an acceptable query while he is in fact using it for a malicious purpose.
Figure 1 - Flow of SQL Injection attack.
In the example below, we can see a real attack on an open-source streaming platform called YouPHPTube and AVideo that could lead to remote code execution. This vulnerability was discovered this year and has already been reported to the owners of the project.
Basically, this vulnerability happened because the user input $_GET['catName'] was not properly sanitized. The only security control focused on checking for and removing single quotes in the strings given by the user. With this vulnerability, an unauthenticated user is able to retrieve MySQL error messages by using an encoded backslash ("\" -> %5c).
Figure 2 - Using an encoded "\", it was possible to receive an error message.
Now that we know it is possible to bypass the filter using encoding, it is possible to retrieve, for example, the passwords from the users table using a UNION query with the encoded characters %23 (‘) and %5c (\) at the end.
Figure 3 - Request to retrieve passwords.
Figure 4 - Response with the password.
The complete PoC can be found here, and the news regarding the vulnerability can be found here.
With user input being the main attack vector, the best approach is controlling and even blocking user input based on specific patterns. Developers can also avoid this threat by applying the following techniques:
SQL Injection is one of the most common vulnerabilities according to OWASP, due to improper input validation and poor implementation of protection mechanisms. Injection can result in large-scale data loss, public disclosure by attackers, denial of service, among others. As we read above, it is quite simple to solve. It must be taken seriously by developers from the planning phase of a project whenever a database is used. Besides that, there are frameworks such as Hibernate (HQL) that help construct queries more securely (if teams implement them correctly and keep them up to date). To conclude, it is highly important to protect our applications from SQL Injection by coding defensively and monitoring crucial environments.
Read the full article here.
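To make the two points above concrete (the quote-stripping filter that lets an encoded backslash through, and the defensive alternative), here is an added example that is not part of the original article or of the YouPHPTube/AVideo code. It uses a constructed SQLite schema and the hypothetical names `weak_sanitize`, `build_query_unsafely`, `surviving_metachars` and `lookup_category`; the vulnerable string builder is shown next to a parameterized lookup.

```python
import sqlite3
import urllib.parse

# Constructed sample schema standing in for the platform's tables (not the real schema).
SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO categories VALUES (1, 'music'), (2, 'sports');
CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hashed-placeholder');
"""

def weak_sanitize(value: str) -> str:
    # The only control the article describes: single quotes are stripped, nothing else.
    return value.replace("'", "")

def build_query_unsafely(raw_cat_name: str) -> str:
    # Vulnerable pattern: the URL-decoded parameter is concatenated into the SQL text,
    # so anything the filter does not remove becomes part of the statement.
    decoded = urllib.parse.unquote(raw_cat_name)
    return "SELECT id, name FROM categories WHERE name = '" + weak_sanitize(decoded) + "'"

def surviving_metachars(raw_cat_name: str) -> set:
    # Defender's check: decode the parameter as the web server would, apply the filter,
    # and report which SQL-significant characters still reach the query.
    decoded = urllib.parse.unquote(raw_cat_name)
    cleaned = weak_sanitize(decoded)
    return {ch for ch in cleaned if ch in '\\"#;'}

def lookup_category(conn: sqlite3.Connection, cat_name: str) -> list:
    # Hardened form: a parameterized query. The driver passes the value separately from
    # the statement, so quotes and backslashes are always data, never SQL syntax.
    cur = conn.execute("SELECT id, name FROM categories WHERE name = ?", (cat_name,))
    return cur.fetchall()

def open_demo_db() -> sqlite3.Connection:
    # In-memory database loaded with the constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    conn = open_demo_db()
    print(build_query_unsafely("music%5c"))    # the decoded backslash survives the filter
    print(surviving_metachars("music%27%5c"))  # {'\\'}: the quote is gone, the backslash stays
    print(lookup_category(conn, "music"))      # [(1, 'music')]
    print(lookup_category(conn, "music\\"))    # []: the backslash is matched as plain text
```

SQLite does not treat a backslash as a string escape the way MySQL does, so the gap in the filter is shown by inspecting the built query rather than by executing it; the parameterized lookup behaves the same on either engine.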
Article by David Santos Silva.