SQL Injection Web Attack (Live Demo for AppSec)

Welcome to Fortify Unplugged. My name's Brent Jenkins and today we're going to be talking about what a SQL injection is. SQL injection is one of the top web application security risks and it sits on top of the OWASP Top Ten. Injection flaws can be introduced whenever an untrusted data source is sent to an interpreter. How it works is attackers inject code into the user input, tricking the query interpreter into executing malicious commands. To showcase how that works, I'm going to pass it over to Lucas v. Stockhausen, who is going to show a simplified version of what a SQL injection would look like. Over to you, Lucas.

Hi, my name is Lucas v. Stockhausen and I'm product manager and application security strategist for Fortify. Today I would like to give you an overview of how we can hack applications and why application security is so important. If we talk about application security, we have to understand that we talk about code, but source code. So if you look at a classical application, you might find some constructs of source code which look like this. You have a username which is read from the authenticated user, and that is actually something where this could become an issue, but that's more of a joke. So you look at the user who has been logged in; this name is stored in the variable username. And then you have an item, in this case itemName, which is coming from a request, meaning from a URL or from a web form which is entered. And you see here that you use these parameters in order to run a SQL statement. So you say SELECT * FROM the table items WHERE the owner equals the username, meaning the authenticated user, and the item name is equal to this parameter you got from the URL or from the web form, and then you run this query against the database.

Well, a normal entry would be, for example, you enter something like: my username here could be Lucas and an item name here could be 10, could be anything. And if I enter that, and this is what the developers normally test, everything works fine. But just imagine I would enter something like this: we have a username of Lucas and we have an item name of x' OR 1=1. Well, as we know, 1=1 is always true, and the only thing you have to understand here is a little bit of SQL: that AND is stronger binding than OR, meaning the AND condition is evaluated first, that a semicolon will end every SQL statement, and that the dashes behind here will actually be a comment. So if we enter that stuff in here, we get something like this right now: SELECT * FROM items WHERE owner = 'Lucas' AND itemName = 'x' OR 1=1, and then we end the SQL statement and put everything else in a comment. And if we execute this one, well, just to make it more obvious, we have here SELECT * FROM items WHERE owner = 'Lucas' AND itemName = 'x' OR 1=1, and that actually allows us to see the full result, in this case, of the table items.

So let me show that. We have an application here which is actually hosted on my own machine. I have VMware here; if we look at that one, this is where I host this application, so this is how I'm actually allowed to run scans against this application. So if we log in here as Gary, we can actually see that we have the possibility to search through the application and see what I have been ordering as Gary. You see here there are four different items. What could be interesting is, in this case, we have a clear text credit card number, which obviously would violate PCI DSS immediately, and we have account names or usernames, which very often nowadays are emails, and with that one, for a competitor it would be super interesting to potentially go to all these users and ask them if they do not want to get some stuff from the competitive store.

So what we see here is I can enter as well a quantity, for example of 10, so I am able to manipulate the data which is brought back by the application in order to filter it to only the data I want to see. The question is, if I'm going to enter something like this here right now, just the quote, I get an error message. And this error message actually every one of us has seen already; we are perfectly trained just to click the back button and try it again, something has gone wrong. But actually in this page here we find a ton of interesting information. We for example see that I'm running this on a completely outdated version of Tomcat, so that's a security risk by its own. And we actually see here the quantity and the quote at the end, so this is probably the quote I just entered into the UI, and we see here a complete SQL statement which is very similar to the SQL statement I just had on my slide.

So let's explore that further. If we click back here, just to make clear the application is still running, that's not a thing. But if we enter right now our quote, OR 1=1, the semicolon and the --, and if we run that one, we get very easily the complete table back here, meaning we have the results of all users and brought back something we should never have gotten access to. This is truly a simple possibility of a SQL injection, but these things, potentially a little bit more elaborate, are still in the systems. We still see SQL injections in almost all bigger hacks being part of it, and as you know, all these bigger hacks are happening constantly. So this is something where a firewall, just the normal firewall, will never protect you from, because this is actually happening on the application level.

Awesome, thanks so much, Lucas. So now that we've taken a look at how a SQL injection works and what it looks like, how do we stop it? We've summarized a few bullets for your consideration: use prepared statements, utilize stored procedures, leverage whitelist input validation, escape all user-supplied input, and use frameworks that have built-in injection protection. To further those points, let's take a brief look at how we at Fortify can help you. If you're a developer, Fortify detects injection flaws and provides type-specific remediation advice. If you're in QA or operations, Fortify validates code at runtime for mitigating controls, and if you're in operations, Fortify provides runtime logging and protection for Java and .NET injection attempts. Fortify application security testing protects your entire software development lifecycle with the most automated, integrated, enterprise-scale on-premise and cloud solutions. Companies build their software around the Fortify experience, expertise and leadership, and once again, for the sixth year in a row, Gartner has recognized Fortify as a leader in the application security testing Magic Quadrant due to our strong execution and constant innovation. Thanks so much for joining us. Make sure to like and subscribe to our channel and leave us a comment and let us know what you thought about this video. Have a great day.
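The query from Lucas's slide and the prepared-statement fix from Brent's closing bullets, rebuilt as an added example that is not code from the video or from Fortify. It runs the same search twice against an in-memory SQLite table: once with the concatenated SQL text the slide shows, once as a prepared statement, so the demo's "just a quote" probe and the x' OR 1=1 -- payload can be tried against both. The table and column names items, owner and itemName come from the slide; the quantity and card columns, the sample rows and the function names are constructed for this example. The semicolon from the demo payload is left out because the injection works without it and the sqlite3 module only executes one statement per call.

```python
"""Added example (not code from the video or from Fortify): the slide's query
rebuilt over an in-memory SQLite table, once with string concatenation and
once as a prepared statement. All table contents are constructed sample data."""
import sqlite3

# Constructed sample rows: several users' orders in one "items" table,
# including a clear-text card column like the one visible in the demo.
SAMPLE_ROWS = [
    ("Lucas", "10", 1, "4111-0000-0000-0001"),
    ("Lucas", "20", 2, "4111-0000-0000-0001"),
    ("Gary", "10", 4, "5500-0000-0000-0002"),
    ("Gary", "30", 1, "5500-0000-0000-0002"),
]


def make_db():
    """Build the sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (owner TEXT, itemName TEXT, quantity INTEGER, card TEXT)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_search(conn, username, item_name):
    """The slide's pattern: the request parameter is pasted into the SQL text,
    so a quote, OR and -- inside it are parsed as SQL rather than as an item name."""
    sql = ("SELECT * FROM items WHERE owner = '" + username
           + "' AND itemName = '" + item_name + "'")
    return conn.execute(sql).fetchall()


def safe_search(conn, username, item_name):
    """Prepared statement: the SQL text is fixed and the driver binds the values,
    so the same payload is only a (non-matching) item name."""
    sql = "SELECT * FROM items WHERE owner = ? AND itemName = ?"
    return conn.execute(sql, (username, item_name)).fetchall()


def probe_with_quote(search, conn):
    """The 'just a quote' step of the demo: returns the database error text if
    the query breaks (the tell-tale sign of concatenated SQL), or None if it ran."""
    try:
        search(conn, "Gary", "'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def run_demo():
    """Run every case once and return the results keyed by name."""
    db = make_db()
    payload = "x' OR 1=1 --"   # the demo payload; the semicolon is not needed
    return {
        "normal": vulnerable_search(db, "Gary", "10"),       # Gary's one row
        "injected": vulnerable_search(db, "Gary", payload),  # the whole table
        "prepared": safe_search(db, "Gary", payload),        # no rows at all
        "quote_vulnerable": probe_with_quote(vulnerable_search, db),  # error text
        "quote_prepared": probe_with_quote(safe_search, db),          # None
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:>16}: {result}")
```

The prepared version never sees the payload as syntax: the rows for every owner stay hidden, and the lone quote that crashes the concatenated query (and, in the demo, produced the error page that leaked the SQL) is simply an item name that matches nothing. That is also why an error page should never echo the failing statement: the concatenated form leaks structure even before any rows are returned.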


3 thoughts on “SQL Injection Web Attack (Live Demo for AppSec)”

  1. Great video. It'd be helpful to see you cover the OWASP Top 10 attacks on your channel. Keep it up, guys!

  2. I like how this opens with an SQL Injection explanation before jumping into the demo. Pretty simple…good intro to the topic.
