CyberSecurity Notes
Web Application Security
Focuses on protecting web applications from vulnerabilities and cyberattacks.
Involves implementing measures to ensure confidentiality, integrity, and availability.
Aims to safeguard sensitive user data and maintain application trustworthiness.
Concerns identifying, mitigating, and preventing potential threats.
OWASP Top 10
A regularly updated list of the most critical security risks to web applications.
Published by the Open Web Application Security Project (OWASP).
Serves as a standard for developers and organizations to understand and mitigate web application vulnerabilities.
Highlights impactful vulnerabilities in web security, offering guidance to secure web applications against these risks.
OWASP Top 10 Security Risks (2021 Edition)
Broken Access Control: Unauthorized access to data or functionality due to improper permission enforcement.
Cryptographic Failures: Jeopardized confidentiality and integrity of sensitive data due to weak or missing encryption.
Injection: Arbitrary command execution through flaws in input handling, e.g., SQL injection.
Insecure Design: Vulnerabilities created by poor architectural or design decisions.
Security Misconfiguration: Risks due to misconfigured security settings.
Vulnerable and Outdated Components: Risks introduced by using outdated or unpatched libraries or frameworks.
Identification and Authentication Failures: Compromised user accounts enabled by weak authentication mechanisms.
Software and Data Integrity Failures: Compromised systems due to insufficient validation of software updates or data integrity.
Security Logging and Monitoring Failures: Difficult breach detection and response due to lack of monitoring.
Server-Side Request Forgery (SSRF): Exploiting the server to make unauthorized requests.
Common Web Vulnerabilities
SQL Injection
Cross-Site Scripting (XSS)
Directory Traversal
Broken Authentication/Default Credentials
Sensitive Data Exposure / Information Disclosure
Vulnerable and Outdated Components
SQL Injection
A web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database.
Attackers inject malicious SQL statements into input fields or parameters.
This can manipulate the database to execute unauthorized actions, such as retrieving, modifying, or deleting sensitive data, bypassing authentication, or gaining full control of the database server.
SQL Injection exploits a vulnerability in the application’s software, not in the database layer itself.
The weakness lies in how the application handles user inputs before passing them to the database.
Major Types of SQL Injection
Error-based SQL Injection: Uses database error messages to extract information.
Union-based SQL Injection: Combines results of multiple queries using the UNION operator to extract data from other tables.
Boolean-based SQL Injection (blind): Exploits true or false conditions in queries. Attackers infer information based on application behavior.
Example: Using 'OR 1=1' to manipulate the query's result.
Time-based SQL Injection (blind): Executes queries that cause delays when a condition is true. Attackers infer information by measuring response times.
Example: Using 'SLEEP(5)' in a query to cause a delay if the condition is true.
Bypass Login Authentication using Boolean-based SQLi
Boolean-based blind SQLi: Relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
In the backend, the login.php source code appears as follows:
```php
$q = mysql_query("select account from users WHERE username = '$username' AND pass = '$pass'");
```
NORMAL user query:
$pass = Password!
```php
$q = mysql_query("select account from users WHERE username = 'ELTE' AND pass = 'Password!'");
```
MALICIOUS user query:
$pass = ' OR 'a'='a
```php
$q = mysql_query("select account from users WHERE username = 'ELTE' AND pass = '' OR 'a'='a'");
```
The condition pass = '' OR 'a'='a' is always true: pass is either an empty string or the comparison 'a'='a' holds, and the latter always does, so the WHERE clause is always TRUE!
Query manipulation using Boolean-based SQLi
Example:
Always TRUE Query: artists.php?artist=1 and 1=1
Always FALSE Query: artists.php?artist=1 and 1=2
```php
$sql = "SELECT * FROM ART WHERE id=" . $_GET["id"];
```
The application’s behavior changes based on the outcome of a TRUE or FALSE query, indicating a potential Boolean-based SQL injection vulnerability.
Error-based SQLi
Error-based SQL injection relies on error messages thrown by the database server to obtain information about the structure of the database.
Typical error messages
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: 1064 You have an error in your SQL syntax.
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
SQL Error near 'admin at line 1
Query manipulation using Error-based SQLi
In this example, we can observe the error message generated by the database.
Query without ERROR: listproducts.php?cat=1
Query WITH ERROR: listproducts.php?cat=1'
Union-based SQL Injection
Leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result.
Example:
```sql
SELECT name, description, price FROM products WHERE category=1 AND 1=2 UNION SELECT username, password, 1 FROM members
```
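The login bypass from the previous section and the UNION extraction above both come down to user input being spliced into the SQL text. The following added example (written for these notes, not code from the original page) reproduces both against a constructed in-memory SQLite database and shows the parameterized versions beside them; the table names, rows, and the helper names setup_db, login_vulnerable, login_safe, products_vulnerable, is_valid_category and products_safe are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory schema standing in for the notes' users, products and
# members tables; the rows are sample data invented for this example.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (account TEXT, username TEXT, pass TEXT);
        INSERT INTO users VALUES ('student', 'ELTE', 'Password!');
        CREATE TABLE products (name TEXT, description TEXT, price INTEGER, category INTEGER);
        INSERT INTO products VALUES ('Brush', 'Paint brush', 5, 1);
        INSERT INTO products VALUES ('Easel', 'Wooden easel', 80, 2);
        CREATE TABLE members (username TEXT, password TEXT);
        INSERT INTO members VALUES ('admin', 's3cret');
    """)
    return db

# Payloads as they appear in the notes: the login bypass and the UNION extraction.
BYPASS_PASSWORD = "' OR 'a'='a"
UNION_PAYLOAD = "1 AND 1=2 UNION SELECT username, password, 1 FROM members"


def login_vulnerable(db, username, password):
    """Same shape as the notes' login.php: input is pasted into the SQL text, so the
    quote in the password closes the string literal and the OR clause takes over."""
    q = f"select account from users WHERE username = '{username}' AND pass = '{password}'"
    return [row[0] for row in db.execute(q)]


def login_safe(db, username, password):
    """Parameterized query: the driver sends values separately from the SQL text,
    so the payload is compared literally as a password and matches nothing."""
    q = "select account from users WHERE username = ? AND pass = ?"
    return [row[0] for row in db.execute(q, (username, password))]


def products_vulnerable(db, category):
    """Numeric context without quotes: escaping quote characters would not help here."""
    q = f"SELECT name, description, price FROM products WHERE category={category}"
    return list(db.execute(q))


def is_valid_category(raw):
    """Allow-list check for a numeric URL parameter before it reaches SQL."""
    return isinstance(raw, str) and raw.isdigit()


def products_safe(db, raw_category):
    """Validate the type, then bind the value as a parameter."""
    if not is_valid_category(raw_category):
        raise ValueError("category must be a non-negative integer")
    q = "SELECT name, description, price FROM products WHERE category = ?"
    return list(db.execute(q, (int(raw_category),)))


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login, bypass payload:", login_vulnerable(db, "ELTE", BYPASS_PASSWORD))
    print("safe login, bypass payload:      ", login_safe(db, "ELTE", BYPASS_PASSWORD))
    print("vulnerable products, UNION:      ", products_vulnerable(db, UNION_PAYLOAD))
    print("safe products, category 1:       ", products_safe(db, "1"))
```

Running it shows the vulnerable login returning an account for the bypass password while the parameterized one returns nothing, and the vulnerable product lookup returning a row from members while the validated, parameterized lookup refuses the payload outright. Binding parameters is the primary fix; the integer allow-list is defense in depth for numeric parameters, where there is no quote to escape in the first place.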
Time-based blind SQL Injection
Relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding.
The response time indicates to the attacker whether the result of the query is TRUE or FALSE.
Syntax (a MySQL conditional, a Microsoft SQL Server delay, and a MySQL CPU-burning function, respectively):
```sql
SELECT IF(expression, true, false)
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:15'--
BENCHMARK(5000000,ENCODE('text','by 5 seconds'))
```
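From the defender's side, the probes discussed in the sections above (the tautology and boolean conditions, the stray quote used to trigger error messages, UNION SELECT, and the delay functions) all leave traces in the web server's access log. The following added example (not code from the original notes) scans a constructed combined-format log excerpt for those indicators; the log lines, the pattern names and the functions classify_value, classify_request and scan_log are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log excerpt written for this example (not from any real server).
# The query strings carry the probes from the notes, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 188
10.0.0.7 - - [10/Oct/2023:13:55:44 +0000] "GET /artists.php?artist=1+and+1%3D2 HTTP/1.1" 200 77
10.0.0.7 - - [10/Oct/2023:13:55:50 +0000] "GET /listproducts.php?cat=1+AND+1%3D2+UNION+SELECT+username%2Cpassword%2C1+FROM+members HTTP/1.1" 200 903
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /vulnerable.php?id=1%27+waitfor+delay+%2700%3A00%3A15%27-- HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /login.php?username=ELTE&pass=%27+OR+%27a%27%3D%27a HTTP/1.1" 302 0
"""

# Indicator patterns for the injection classes described in the notes (case-insensitive).
PATTERNS = [
    # "and 1=2", "OR 1=1", "OR 'a'='a": boolean conditions and tautologies
    ("boolean", re.compile(r"\b(?:and|or)\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I)),
    # UNION SELECT / UNION ALL SELECT
    ("union", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    # SLEEP(), BENCHMARK() and T-SQL WAITFOR DELAY
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
]
# A value whose only quote is a trailing one (cat=1') is the classic syntax-error probe.
ERROR_PROBE = re.compile(r"^[^']*'$")

# Combined-format line: client ip, then the quoted request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def classify_value(value):
    """Return the list of indicator tags that match one decoded parameter value."""
    tags = [tag for tag, rx in PATTERNS if rx.search(value)]
    if ERROR_PROBE.match(value):
        tags.append("error_probe")
    return tags


def classify_request(target):
    """Decode the query string and return {param: [tags]} for suspicious parameters."""
    findings = {}
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        tags = []
        for value in values:
            tags += [t for t in classify_value(value) if t not in tags]
        if tags:
            findings[name] = tags
    return findings


def scan_log(text):
    """Return one record per flagged request: client ip, request target and findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], hit["findings"])
```

Two caveats when using this for triage: access logs only record the query string, so payloads sent in a POST body (a real login form, for instance) need application-level or WAF logging to be seen at all, and the patterns are heuristics for prioritising investigation rather than a block list. The 500 status on the stray-quote request is itself a useful corroborating signal for error-based probing.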
SQL injection vulnerable login.php
```
if (( $post [ username ]) AND ( $post [ password ])) {
$query = 'SELECT * FROM config WHERE uname =