fixed minor spelling mistakes, unified wording
committed by Nanne Baars
parent 875f0487bd
commit 53c16c8b82
@ -18,48 +18,48 @@ SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings.
SqlStringInjectionHint2-4=Pay attention to case sensitivity when comparing two strings.
SqlStringInjectionHint3-1=Try the UPDATE statement
SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition;
SqlStringInjectionHint3-2=UPDATE table name SET column name=value WHERE condition;
SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing database
SqlStringInjectionHint4-2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
SqlStringInjectionHint4-3=ALTER TABLE tablename ADD columnname data type(size);
SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size))
SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size);
SqlStringInjectionHint5-a=Look at the example. There's everything you'll need.
SqlStringInjectionHint5-a=Look at the example. There is everything you will need.
sql-injection.5a.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.5b.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.5b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The Output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection.
SqlStringInjectionHint5b4=You do not need to insert any quotations into your injection-string.
sql-injection.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.6a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.advanced.6a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.advanced.6a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint-advanced-6a-1=Remember, that when using a Union, Each SELECT statement within UNION must have the same number of columns.
SqlStringInjectionHint-advanced-6a-2=The Datatype of a column in the first SELECT statement must have a similar datatype to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL Query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For an integer you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELECT statement within UNION must have the same number of columns.
SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For integers you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>
sql-injection.6b.success=<span class='feedback-positive'>You have succeed: {0}</span>
sql-injection.6b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span>
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That's only one account. You want them all! Try again.</span>
sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching last name. Or maybe your authentication TAN is incorrect?</span>
sql-injection.8.one=<span class='feedback-negative'>That is only one account. You want them all! Try again.</span>
SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
sql-injection.9.success=<span class='feedback-positive'>Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.success=<span class='feedback-positive'>Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span>
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
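Review bot: splitting the SQL identifiers in `SqlStringInjectionHint3-2` and `SqlStringInjectionHint4-3` into two words breaks the syntax templates: `UPDATE table name SET column name=value WHERE condition;` and `ALTER TABLE table name ADD column name data type(size);` no longer parse as SQL, so a learner cannot tell which parts are keywords and which are to be replaced. Keep single tokens (`tablename`, `columnname`) or use visibly marked placeholders such as `<table_name>` and `<column_name>`. Two smaller points in the same hunk: `SqlStringInjectionHint-advanced-6a-1` now reads "an UNION", but UNION starts with a consonant sound and takes "a"; and `SqlStringInjectionHint5b3` keeps lower-case "sql injection" although the rest of the commit unifies on "SQL injection".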
@ -68,26 +68,26 @@ SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically c
SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
sql-injection.10.entries=<span class='feedback-negative'>There is still evidence of what you did. Better remove the whole table.</span>
sql-injection.10b.success=<span class='feedback-positive'>You did it! Your code can prevent an SQL Injection attack!</span>
sql-injection.10b.failed=<span class='feedback-negative'>Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?</span>
sql-injection.10b.success=<span class='feedback-positive'>You did it! Your code can prevent an SQL injection attack!</span>
sql-injection.10b.failed=<span class='feedback-negative'>Something does not seem right with that code. Maybe you should look at an example how to prevent SQL injections with JDBC?</span>
sql-injection.10b.no-code=<span class='feedback-negative'>You need to write some code.</span>
sql-injection.10b.compiler-errors=<span class='feedback-negative'>Couldn't compile code:</span>
sql-injection.10b.compiler-errors=<span class='feedback-negative'>Could not compile code:</span>
SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
SqlStringInjectionHint.10.5=The underlying SQL query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement.
SqlStringInjectionHint-mitigation-10a-2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
SqlStringInjectionHint-mitigation-10a-2=For every data type there is a method to insert values into a wildcard symbol in a statement.
SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection.
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections.
SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype.
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL injections.
SqlStringInjectionHint-mitigation-10b-3=The wildcard symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every data type.
SqlStringInjectionHint-mitigation-10b-4=Make sure to execute your statement.
SqlStringInjectionHint-mitigation-10b-5=View the previous lesson to check back on how you can build set up a connection.
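Review bot: `SqlStringInjectionHint-mitigation-10b-5`, the hunk's last context line, still says "how you can build set up a connection"; drop either "build" or "set up" while this block is being edited. In the rewritten `sql-injection.10b.failed`, "an example how to prevent" is missing "of", and the rewritten `SqlStringInjectionHint-mitigation-10b-2` keeps "vulnerable for SQL injections" where "vulnerable to" is the idiomatic form.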
@ -96,7 +96,7 @@ SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify
SqlStringInjectionHint-mitigation-12a-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
SqlStringInjectionHint-mitigation-12a-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
SqlInjectionChallengeHint3=Change the password through an Update Statement.
SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
SqlInjectionChallengeHint1=The table name is randomized at each start of WebGoat, try to figure out the name first.
SqlInjectionChallengeHint2=Find the field which is vulnerable to SQL injection use that to change the password.
SqlInjectionChallengeHint3=Change the password through an UPDATE Statement.
SqlInjectionChallengeHint4=The vulnerable field is the username field of the register form.
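Review bot: `SqlStringInjectionHint-mitigation-12a-3` and `SqlStringInjectionHint-mitigation-12a-4` carry the identical text `Use for example "(case when (true) then hostname else id end)" in the order by and see what happens`; one of them is a copy-paste leftover and should be removed or replaced with the hint it was meant to hold. In the rewritten `SqlInjectionChallengeHint2`, "Find the field which is vulnerable to SQL injection use that to change the password." runs two clauses together; insert "and" or a semicolon before "use that". `SqlInjectionChallengeHint3` capitalizes "UPDATE Statement" while the other hints write "statement" in lower case.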
@ -4,5 +4,5 @@ This lesson describes the more advanced topics for an SQL injection.
== Goals
** Combining SQL Injection Techniques
** Combining SQL injection Techniques
** Blind SQL injection
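Review bot: the rewritten goal "** Combining SQL injection Techniques" is half title-cased: "injection" was lowered but "Techniques" kept its capital, while the neighbouring item is "** Blind SQL injection". Use "Combining SQL injection techniques" so the list is consistent.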
@ -7,7 +7,7 @@
* Stored XSS
* Information leakage
* Logic errors – business rule validation
* SQL Injection
* SQL injection
=== Often the database is considered trusted
@ -3,7 +3,7 @@
Question: Does a prepared statement always prevent against an SQL injection?
Answer: No it does not
Let's take a look at the following statement:
Let us take a look at the following statement:
----
select * from users order by lastname;
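Review bot: "Let's take a look at the following statement" was idiomatic tutorial prose; "Let us take a look" reads stilted, and expanding contractions goes beyond the spelling fixes the commit message promises. The same applies to the "It's your turn!" headings changed to "It is your turn!" elsewhere in this commit. The context line "Answer: No it does not" also wants punctuation ("Answer: No, it does not.").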
@ -13,7 +13,7 @@ CREATE TABLE user_data (userid int not null,
login_count int);
-------------------------------------------------------
Through experimentation you found that this field is susceptible to SQL Injection.
Through experimentation you found that this field is susceptible to SQL injection.
Now you want to use that knowledge to get the contents of another table. +
The table you want to pull data from is:
@ -1,4 +1,4 @@
== Blind SQL Injection
== Blind SQL injection
Blind SQL injection is a type of SQL injection attack that asks the database true or false
questions and determines the answer based on the applications response. This attack is often used when the web
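Review bot: the context line "determines the answer based on the applications response" needs the possessive ("application's response"); since the heading of this file is touched in the hunk, the fix belongs in the same change.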
@ -7,18 +7,18 @@ injection.
=== Difference
Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal
Let us first start with the difference between a normal SQL injection and a blind SQL injection. In a normal
SQL injection the error messages from the database are displayed and gives enough information to find out how
the query is working. Or in the case of a union based SQL injection the application does not reflect the information
directly on the webpage. So in the case where nothing is displayed you will need to start asking the database questions
based on a true or false statement. That's why a blind SQL injection is much more difficult to exploit.
the query is working. Or in the case of an UNION based SQL injection the application does not reflect the information
directly on the web page. So in the case where nothing is displayed you will need to start asking the database questions
based on a true or false statement. That is why a blind SQL injection is much more difficult to exploit.
There are several different types of blind SQL injections: content based and time based SQL injections.
There are several different types of blind SQL injections: content-based and time-based SQL injections.
=== Example
In this case we are trying to ask the database a boolean question based on for example a unique id, for example
In this case we are trying to ask the database a boolean question based on for example an unique id, for example
suppose we have the following url: `https://my-shop.com?article=4`
On the server side this query will be translated as follows:
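Review bot: two rewrites in this hunk introduce article errors: "an UNION based SQL injection" should be "a UNION-based SQL injection" (UNION is pronounced with an initial consonant sound) and "an unique id" should be "a unique id". The unchanged phrase "the error messages from the database are displayed and gives enough information" also needs "give" to agree with "messages".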
@ -49,7 +49,7 @@ Be aware that this approach might not work if the privileges of the database are
system tables cannot be queried with the user used to connect from the web application to the database).
Another way is called a time based SQL injection, in this case you will ask the database to wait before returning
Another way is called a time-based SQL injection, in this case you will ask the database to wait before returning
the result. You might need to use this if you are totally blind so there is no difference between the response you
can use for example:
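Review bot: the context line "You might need to use this if you are totally blind so there is no difference between the response you can use for example:" is missing words between "response" and "you can use" (it reads as if a clause such as "... no difference in the response to work from. You can use, for example:" was intended). The paragraph is already being edited for "time-based", so completing the sentence here is cheap.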
@ -1,6 +1,6 @@
== Immutable Queries
These are the best defense against SQL Injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
=== Static Queries
-------------------------------------------------------
@ -1,4 +1,4 @@
== What is SQL
== What is SQL?
SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
@ -33,7 +33,7 @@ Go ahead to the next pages to get some details on the different types of command
If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.
=== It's your turn!
=== It is your turn!
Look at the example table.
Try to retrieve the department of the employee Bob Franco.
Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
@ -1,12 +1,12 @@
== Compromising Availability
After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA-Triad: *availability*.
After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA triad: *availability*.
The are many different ways to violate the ensurement of availability.
The are many different ways to violate availability.
If an account is deleted or the password gets changed, the actual owner cannot access it anymore.
Attackers could also try to delete parts of the database making it useless or even dropping the whole database.
Another way to compromise availability would be to per example revoke access-rights from admins or any other users, so that nobody gets access to (specific parts of) the database.
=== It's your turn!
=== It is your turn!
Now you are the top earner in your company.
But do you see that?
There seems to be a *access_log* table, where all your actions have been logged to! +
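Review bot: "The are many different ways to violate availability." is rewritten in this hunk but keeps the typo "The are" ("There are"). Also in the hunk: "to per example revoke access-rights" is not English ("for example"); the phrase recurs across the lesson files in this commit and is an obvious target for a wording-unification pass. Finally, "a *access_log* table" needs "an".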
@ -1,4 +1,4 @@
== Try It! String SQL Injection
== Try It! String SQL injection
The query in the code builds a dynamic query as seen in the previous example. The query is build by concatenating strings making it susceptible to String SQL injection:
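Review bot: the context line "The query is build by concatenating strings" should read "is built"; the heading of this file is changed in the same hunk, so the neighbouring sentence can be fixed at no cost.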
@ -6,4 +6,4 @@ The query in the code builds a dynamic query as seen in the previous example. T
"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";
------------------------------------------------------------
Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list.
Using the form below try to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
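Review bot: the code context line `"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";` opens the SQL string with a typographic quote (‘, U+2018) and closes it with a straight one ('), so a learner copying the example gets a query that is not the one the lesson executes; replace ‘ with '. The prose change in this hunk is fine.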
@ -1,4 +1,4 @@
== Try It! Numeric SQL Injection
== Try It! Numeric SQL injection
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:
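Review bot: the context paragraph repeats its opening clause: "The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number ...". Merge into one sentence, e.g. "The query in the code builds a dynamic query, as seen in the previous example, by concatenating a number, making it susceptible to numeric SQL injection", which also removes the mid-sentence capital in "Numeric SQL injection" that the heading change in this hunk just lowered.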
@ -2,7 +2,7 @@
As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database.
If an attacker uses a SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).
If an attacker uses SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).
* DML commands are used for storing, retrieving, modifying, and deleting data.
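Review bot: in the rewritten sentence "confidentiality (…) & integrity (update) (Only people authorized to read the data can do so)" the closing parenthetical defines confidentiality only, although two goals are named; either add the integrity definition (as the DDL page in this commit does with "change/delete") or drop it. The "(…)" after confidentiality looks like a placeholder that was never filled; the preceding paragraph pairs reading records with select, so that is the likely intended content. "he will violate" would also read better as "they will violate" across the DML, DDL and DCL pages.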
@ -17,7 +17,7 @@ If an attacker uses a SQL injection of the DML type to manipulate your database,
WHERE userid = 96134;
** This statement delivers the phone number of the employee with the userid 96134.
=== It's your turn!
=== It is your turn!
Try to change the department of Tobi Barnett to 'Sales'.
Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
@ -2,7 +2,7 @@
Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database.
If an attacker uses a SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)
If an attacker uses SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)
* DDL commands are used for creating, modifying, and dropping the structure of database objects.
@ -2,7 +2,7 @@
Data control language is used to create privileges to allow users to access and manipulate the database.
If an attacker uses a SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)
If an attacker uses SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)
* DCL commands are used for providing security to database objects.
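Review bot: the rewritten line still carries the typo "grand themselves admin privileges" ("grant"), and the closing parenthetical has no full stop. As on the DML and DDL pages, "he will violate" would read better as "they will violate".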
@ -1,19 +1,19 @@
== What is SQL Injection?
== What is SQL injection?
SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
SQL injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. +
Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them).
SQL injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL interpreter of the application itself. If the input from the client does not get checked for containing SQL commands, hackers can easily manipulate the underlying SQL statement to their advantage. +
Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL query and that way can be used to chain them).
{nbsp} +
== Example of SQL Injection
== Example of SQL injection
Think of a web application, that allows to display user information, by typing a username into an input field.
The input will then be sent to the server and gets inserted into a SQL-query which then is processed by an SQL-Interpreter.
The input will then be sent to the server and gets inserted into a SQL query which then is processed by an SQL interpreter.
The SQL-query to retrieve the user information from the database looks like that: +
The SQL query to retrieve the user information from the database looks like that: +
-------------------------------------------------------
"SELECT * FROM users WHERE name = '" + userName + "'";
-------------------------------------------------------
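Review bot: the rewritten line "can have an serious impact on e.g. data integrity and security" keeps the wrong article ("a serious impact"), and "SQL injections are the most common web hacking techniques" is better hedged as "among the most common". "Per example if the input is not filtered for SQL metacharacters ..." still reads "Per example" ("for example") and is a sentence fragment that should be joined to the sentence before it. The context line "Think of a web application, that allows to display user information, by typing a username into an input field." has two stray commas and needs a subject for "display" ("that displays user information when a username is typed into an input field").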
@ -26,6 +26,6 @@ If the input would be Smith the query then looks like that +
and would retrieve all data for the user with the name Smith.
{nbsp} +
But if an attacker supplies an unexpected input which could be part of a SQL-query, the query itself can be modified and that way be used to perform other (malicious) actions on the database.
But if an attacker supplies an unexpected input which could be part of a SQL query, the query itself can be modified and that way be used to perform other (malicious) actions on the database.
Here is an input field. Try typing some SQL in here to better understand how the query changes.
@ -1,4 +1,4 @@
== Consequences of SQL Injection
== Consequences of SQL injection
=== A successful SQL injection exploit can:
* Read and modify sensitive data from the database
@ -1,6 +1,6 @@
== Severity of SQL Injection
== Severity of SQL injection
=== The severity of SQL Injection attacks is limited by
=== The severity of SQL injection attacks is limited by
* Attacker’s skill and imagination
* Defense in depth countermeasures
** Input validation
@ -12,7 +12,7 @@
* MySQL Connector/J and C
* Oracle
=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages
=== SQL injection is more common in PHP, Classic ASP, Cold Fusion and older languages
* Languages that do not provide parameterized query support
* Parameterized queries have been added to newer versions
* Early adopters of web technology (i.e. Old Code)
@ -1,16 +1,16 @@
== Compromising confidentiality with String SQL Injection
If a system is vulnerable to SQL-Injections it is also easy to compromise aspects of the CIA-Triad _(if you are unfamiliar with the CIA-Triad check out the CIA-Triad lesson in the general category)_.
In the following three lessons, you will learn how to use simple SQL-Injection attacks to compromise each of the three. Per example by using _SQL String Injections_ or _query chaining_.
== Compromising confidentiality with String SQL injection
If a system is vulnerable to SQL injections it is also easy to compromise aspects of the CIA triad _(if you are unfamiliar with the CIA triad check out the CIA triad lesson in the general category)_.
In the following three lessons, you will learn how to use simple SQL injection attacks to compromise each of the three. Per example by using _SQL string injections_ or _query chaining_.
This lesson, we will take a look at *confidentiality*.
Confidentiality can easily be compromised if an attacker uses SQL Injection to read sensitive data from the database. For example reading credit card numbers or passwords.
Confidentiality can easily be compromised if an attacker uses SQL injection to read sensitive data from the database. For example reading credit card numbers or passwords.
=== What's String SQL Injection
=== What is String SQL injection?
If queries are build dynamically in the application by concatenating strings to it, this makes it very susceptible to String SQL injection. +
If the input takes a string and that one gets inserted into the query as a string parameter, then you can easily manipulate the build query by using quotation marks to form the string to your specific needs.
You could per example end the string parameter with it and input your own SQL after that.
=== It's your turn!
=== It is your turn!
You are an employee named John *Smith* working for a big company.
The company has an internal system that allows all employees to see their own internal data, like the department they work in and their salary.
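Review bot: "If queries are build dynamically in the application by concatenating strings to it" and "manipulate the build query" both need "built", and "concatenating strings to it" has no clear referent ("by concatenating strings" suffices). "Per example" appears twice in this hunk for "for example", and the new heading "Compromising confidentiality with String SQL injection" lowercases "injection" while keeping "String" capitalized mid-title; pick one casing for the term and apply it to every heading.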
@ -19,7 +19,7 @@ Your current TAN is *3SL99A*.
Since you always have the urge to be the most earning employee you want to exploit the system and instead of viewing your own internal data _take a look at the data of all your colleagues_ to check their current salaries.
Use the form below and try to retrieve all the employee data from the *employees* table. You shouldn't need to know any specific names or TANs to get the information you need. +
Use the form below and try to retrieve all the employee data from the *employees* table. You should not need to know any specific names or TANs to get the information you need. +
You already found out that the query performing your request looks like that:
------------------------------------------------------------
"SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "';
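Review bot: the code context line `"SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "';` is not a well-formed Java expression: the last literal `"';` is never closed, so what the lesson should show is presumably `"'";` (close the SQL quote, close the Java string, end the statement). Since this assignment asks learners to reason about exactly where the quotes fall, the example should be correct; the prose change in this hunk is fine.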
@ -1,4 +1,4 @@
== Compromising Integrity with Query Chaining
== Compromising Integrity with Query chaining
After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the *integrity* of data by using SQL *query chaining*.
The integrity of any data can be compromised, if an attacker per example changes information that he should not even be able to access.
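Review bot: changing "Compromising Integrity with Query Chaining" to "Compromising Integrity with Query chaining" leaves a half-title-cased heading; either "Compromising integrity with query chaining" or the original casing is consistent, the mix is not. The context line "this time we are gonna compromise" is more informal than the register the rest of this commit moves toward ("we are going to").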
@ -7,10 +7,10 @@ The integrity of any data can be compromised, if an attacker per example changes
Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of the actual query.
You can do this by using the *;* metacharacter which marks the end of a query and that way allows to start another one right after it within the same line.
=== It's your turn!
=== It is your turn!
You just found out that Tobi and Bob both seem to earn more money than you!
Of course you cannot leave it at that. +
Better go and _change your own salary so you're earning the most!_
Better go and _change your own salary so you are earning the most!_
Remember: Your name is John *Smith* and your current TAN is *3SL99A*.
@ -5,10 +5,10 @@ This lesson describes what is Structured Query Language (SQL) and how it can be
=== Goals
* The user will have a basic understanding of how SQL works and what it is used for
* The user will have a basic understanding of what SQL-Injections are and how they work
* The user will have a basic understanding of what SQL injections are and how they work
* The user will demonstrate knowledge on:
** DML, DDL and DCL
** String SQL Injection
** Numeric SQL Injection
** String SQL injection
** Numeric SQL injection
** violation of the CIA triad
@ -1,5 +1,5 @@
== Try it! Writing safe code
You can see some code down below, but the Code is incomplete. Complete the code, so that is no longer vulnerable for an SQL Injection! Use the classes and methods you have learned before.
You can see some code down below, but the code is incomplete. Complete the code, so that is no longer vulnerable for an SQL injection! Use the classes and methods you have learned before.
The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format.
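Review bot: "Complete the code, so that is no longer vulnerable for an SQL injection!" is rewritten here but still lacks its subject ("so that it is no longer vulnerable") and uses "vulnerable for" where "vulnerable to" is idiomatic. The following context line "Both the name and the mail are in the string format." would read better as "Both the name and the mail address are strings."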
@ -1,12 +1,12 @@
== Try it! Writing safe code
Now it's time to write your own code!
Now it is time to write your own code!
Your task is to use JDBC to connect to a database and request data from it.
*Requirements:*
* connect to a database
* perform a query on the database which is immune to SQL Injection attacks
* perform a query on the database which is immune to SQL injection attacks
* your query needs to contain at least one string parameter
*Some tips before you start:* +
@ -29,4 +29,4 @@ try {
-------------------------------------------------------
Use your knowledge and write some valid code from scratch in the editor window down below!
(if you can't type there it might help to adjust the size of your browser window once, then it should work):
(if you cannot type there it might help to adjust the size of your browser window once, then it should work):
@ -1 +1 @@
Now it's time for a quiz! It is recommended to do all SQL-Injection lessons before trying the quiz. Answer all questions correctly to complete the assignment.
Now it is time for a quiz! It is recommended to do all SQL injection lessons before trying the quiz. Answer all questions correctly to complete the assignment.