Security Testing of Web Applications (II/III)
Last week I spoke about session hijacking and methods to secure authentication details. This week I will be talking about the various types of attacks that are used to try to gain access to the administrative interface on the target application server.
Administrative Interface Access
Administrative interface access is the ultimate goal of any attack whose objective is to gain administrator privilege on a target application server. Administrative interface attacks are usually implemented using any number of attack strategies, including SQL Injection, Cross-Site Scripting, Parameter Tampering, Buffer Overflow, etc. This week I will talk about SQL Injection and will cover the others next week.
SQL Injection is one of the web attack mechanisms used by hackers to steal data. It is a type of attack that takes advantage of improper coding of web applications, which allows a hacker to inject SQL commands and gain access to the data held within the database. Web applications allow legitimate website visitors to submit and retrieve data to and from a database. Databases are the back end and core part of a website. They store the data needed for the website to deliver specific content to visitors. User credentials, financial and payment information and company statistics may all be resident within a database and accessed by legitimate users through web applications.
Features such as login pages, support and product request forms, feedback forms, forums, search pages, shopping carts and the general delivery of dynamic content shape modern websites. These website features are susceptible to SQL Injection attacks, because the fields available for user input allow SQL statements to pass through and query the database directly. SQL Injection happens when a developer accepts user input that is placed directly into a SQL statement without properly filtering out dangerous characters. This allows an attacker not only to steal data from the database, but also to modify or delete it.
For example, on a login page a legitimate user enters his or her username and password combination to access a secure area and view his or her personal details. When the legitimate user submits these details, a SQL query is generated from them and submitted to the database for verification. On verification, the legitimate user is granted the appropriate access. Through SQL Injection, the hacker may instead input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised and are sent directly to the database as part of the SQL query.
We can avoid SQL Injection by using the following methods.
- Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return and new line from all strings that come from:
  - input from users
  - parameters in the URL
  - values from cookies
- For a numeric value, convert it to an integer before placing it in the SQL statement, or use ISNUMERIC to make sure it is an integer.
- Set "Startup and run SQL Server" to use a low-privilege account in the SQL Server Security tab.
- Delete stored procedures that are not in use.
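To make the login example and the mitigation list above concrete, here is an added example (not code from the original post) that puts the concatenated login query beside a version using parameterized queries, a technique the post does not mention but which complements the character filtering it recommends, and applies the post's rule of converting a numeric value to an integer before it reaches the statement. It uses an in-memory SQLite table with constructed sample data; the function names are assumptions.

```python
import sqlite3


def build_db():
    # Constructed sample table for the demonstration (not real credentials;
    # the password is stored in plain text only to keep the example short).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # The flaw the post describes: user input is concatenated straight into the
    # SQL text, so a quote in the input ends the string and becomes SQL syntax.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Placeholders hand the values to the driver separately from the statement,
    # so quotes and semicolons in the input are treated as data, never as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def get_user_by_id(conn, raw_id):
    # The post's numeric rule: convert to an integer first; anything that is not
    # a plain integer is rejected before it can reach the statement.
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"
    print("vulnerable, crafted password:", login_vulnerable(db, "alice", crafted))  # 1 (bypassed)
    print("safe, crafted password:", login_safe(db, "alice", crafted))              # None
    print("numeric id check:", get_user_by_id(db, "1 OR 1=1"))                      # None
```

With the concatenated query the crafted password turns the WHERE clause into `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized version compares the literal string and finds no match.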
Next week I will talk about the other methods used: Parameter Tampering, Cross-Site Scripting and Buffer Overflow attacks.
About the Author:
Dhanya P.B. joined Bobcares in October 2006. Initially working in the Technical Support department, she later moved to our Software Development department where her talents truly shined. She has been working as a dedicated software tester for the past two and a half years and is passionate about learning the rhythms of various Software Testing Techniques. In her free time she listens to soft music and enjoys cooking.