Explore Ethical Hacking with our project on SQL Injection Vulnerability Analysis, presented by the Boston Institute of Analytics. This comprehensive exploration delves into the intricacies of SQL injection threats, dissecting potential vulnerabilities within databases and querying mechanisms. Our Ethical Hacking project uncovers common attack vectors, mitigation strategies, and best practices to fortify database security against malicious exploits. Join us in our Ethical Hacking endeavor to enhance your understanding of SQL injection vulnerabilities and fortify your defenses against cyber threats. Explore more at https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
2. What is SQL injection?
SQL injection is a cyber attack in which the attacker
injects a malicious SQL query into an input field or a
request parameter, allowing the attacker to view or
modify sensitive data.
4. Types of SQL injection
• In-Band SQL Injection:- A type of SQL injection
in which the attacker uses the same communication
channel both to launch the attack and to gather the
results. It consists of two sub-types:
i. Error-based SQL injection:- This method relies on
the error messages returned by the backend server to
obtain information about the structure of the
database.
ii. Union-based SQL injection:- This technique uses
the UNION SQL operator to combine the results of two
or more SELECT statements into a single response.
5. Types of SQL injection
• Inferential (Blind) SQL injection
This is also known as blind SQL injection. In this
type of attack the attacker cannot see any error
generated by the injected SQL query. There are two types
of inferential SQL injection:-
i. Boolean-based SQL injection:- In this attack the
attacker sends an SQL query to the database and
observes whether the application's response
corresponds to TRUE or FALSE.
ii. Time-based SQL injection:- In time-based attacks
the SQL SLEEP() command is used, and the delay in the
response reveals the result. This type of attack is
used to determine whether a blind SQL injection
vulnerability is present.
6. Types of SQL injection
• Out-of-band SQL injection
This is a type of SQL injection in which the attacker
does not receive a response from the attacked
application on the same communication channel, but
instead is able to cause the application to send data to
a remote endpoint that they control.
8. Login Bypass using SQL injection
https://drive.google.com/file/d/1hBwdIwvxqNnYrfvYA37KVcU6UwdlrdWw/view?usp=drive_link
9. SQL Injection with conditional response
https://drive.google.com/file/d/1fEzKoWh5evrfRzfW86M_sImcdIduCJ1g/view?usp=drive_link
10. SQL Injection with conditional response
• Payloads
The Tracking ID is a string. The server looks the
Tracking ID up and the result is either TRUE or FALSE.
'Tracking ID'
Injecting the payload ' AND 1=1-- gives 'Tracking ID' AND 1=1--
(the application supplies the closing quote). The condition
evaluates to TRUE and "Welcome back" is shown.
If instead one writes 'Tracking ID' AND 1=2--, the expression is
TRUE AND FALSE, which evaluates to FALSE, and "Welcome back" is
not shown.
11. SQL Injection with conditional response
'Tracking ID' AND (SELECT 'x' FROM users LIMIT 1)='x
This payload verifies that a table named users exists in the
database: the subquery returns x, which is then compared with
the value x.
'Tracking ID' AND (SELECT username FROM users WHERE
username='administrator')='administrator
This payload verifies whether there is a user with the username
administrator and yields either TRUE or FALSE. If such a user
exists, the condition is TRUE and "Welcome back" is shown.
12. SQL Injection with conditional response
'Tracking ID' AND (SELECT username FROM users WHERE
username='administrator' AND LENGTH(password)>1)=
'administrator
With this payload we try to find out the length of the password.
The condition became FALSE when the length of the password was
tested as greater than 20, and "Welcome back" was no longer
shown. So the length of the password is 20.
'Tracking ID' AND (SELECT SUBSTRING(password,1,1) FROM
users WHERE username='administrator' AND LENGTH
(password)>1)='a
This payload tests the password one character at a time.
13. Mitigations of SQL Injection
• Input Validation: Validate and sanitize user input to ensure it adheres to
expected formats and does not contain malicious code. Use the input
validation libraries of frameworks to sanitize user input automatically.
• Output Encoding: Encode user-generated content before displaying it
on web pages to prevent the execution of injected scripts. Use HTML
entity encoding or JavaScript escaping to neutralize special characters.
• Content Security Policy (CSP): Configure CSP directives to restrict the
sources from which resources, such as scripts, stylesheets, or images,
can be loaded. Implement strict CSP policies to mitigate the impact of
SQL Injection attacks by limiting the execution of inline scripts and
external resources.
• Parameterized Queries: Use parameterized queries or prepared
statements when interacting with databases to prevent SQL Injection
vulnerabilities.
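The following is an added example, not code from the deck or from the Boston Institute of Analytics, that ties the conditional-response payloads on slides 10 to 12 to the last mitigation above. It models the tracking-ID lookup twice against a constructed in-memory SQLite database: once with the cookie value concatenated into the SQL text (the vulnerable pattern that makes the payloads work), and once as a parameterized query, where the same strings are simply compared against the id column and never parsed as SQL. The table names, the sample tracking ID TRK-001, the assumed tracking-ID format used for the allowlist check, and the "Welcome back" banner are all assumptions for the example; the payloads are appended to a valid tracking ID, as in the lab the slides describe. Note that of the four bullets above, parameterized queries are the control that actually prevents SQL injection; output encoding and CSP address cross-site scripting in the rendered page and input validation is defence in depth only.

```python
import re
import sqlite3

# Constructed sample data for this example: one valid tracking ID and a
# users table, so the page's conditional-response payloads have something
# to evaluate against. Nothing here is real data.
SAMPLE_SCHEMA = """
CREATE TABLE tracking (id TEXT PRIMARY KEY);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO tracking VALUES ('TRK-001');
INSERT INTO users VALUES ('administrator', 'constructed-secret');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tracking_id: str) -> bool:
    """Deliberately vulnerable: the cookie value is concatenated into the SQL
    text, so anything after a single quote is parsed as SQL."""
    sql = f"SELECT 1 FROM tracking WHERE id = '{tracking_id}'"
    return conn.execute(sql).fetchone() is not None


def lookup_parameterized(conn: sqlite3.Connection, tracking_id: str) -> bool:
    """Hardened: the value is bound as a parameter, so the whole string is
    compared against the id column and is never parsed as SQL."""
    sql = "SELECT 1 FROM tracking WHERE id = ?"
    return conn.execute(sql, (tracking_id,)).fetchone() is not None


# Assumed tracking-ID format, used as an allowlist (the deck's "input
# validation" item). Defence in depth only: the parameter binding above is
# what actually stops the injection.
TRACKING_ID_RE = re.compile(r"[A-Z]{3}-[0-9]{3}")


def has_valid_format(tracking_id: str) -> bool:
    return TRACKING_ID_RE.fullmatch(tracking_id) is not None


def response_for(conn: sqlite3.Connection, tracking_id: str, lookup) -> str:
    """Model the application's observable behaviour: a known ID shows the
    'Welcome back' banner, anything else shows nothing."""
    return "Welcome back" if lookup(conn, tracking_id) else ""


# The deck's payloads, appended to a valid tracking ID as in the lab.
# The application adds the closing quote, so the payloads end without one.
PAYLOADS = {
    "valid": "TRK-001",
    "true": "TRK-001' AND 1=1--",
    "false": "TRK-001' AND 1=2--",
    "users_table": "TRK-001' AND (SELECT 'x' FROM users LIMIT 1)='x",
    "admin_exists": "TRK-001' AND (SELECT username FROM users "
                    "WHERE username='administrator')='administrator",
}


def compare() -> dict:
    """Run every payload through both implementations and return the
    observable response of each, keyed by payload name."""
    conn = build_db()
    results = {}
    for name, value in PAYLOADS.items():
        results[name] = {
            "vulnerable": response_for(conn, value, lookup_vulnerable),
            "parameterized": response_for(conn, value, lookup_parameterized),
            "format_ok": has_valid_format(value),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12} vulnerable={r['vulnerable']!r:16} "
              f"parameterized={r['parameterized']!r:16} format_ok={r['format_ok']}")
```

Running it shows the asymmetry the slides rely on: against the concatenating lookup, the 1=1, users-table and administrator payloads all produce "Welcome back" while 1=2 does not, so an observer can infer one bit per request; against the parameterized lookup every payload produces the same empty response as any other unknown ID, so there is no conditional response left to read. The format check flags every payload as well, which is useful for logging and alerting, but it is not what closes the vulnerability.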
14. Cross Site Request Forgery (CSRF)
A cross-site request forgery is a type of cyber attack
that tricks the user into unknowingly using their
credentials to cause a state-changing action, such as
changing a password, changing an email address,
transferring funds from their account, or some other
undesired action.
15. Cross Site Request Forgery (CSRF)
For a CSRF attack to take place, three key conditions must be
satisfied:-
i. Relevant action:- There is some action that the
attacker can make use of. This is a privileged
action, such as modifying permissions for other users, or
an action on user-specific data, such as changing the
username or password of the victim's own account.
ii. Cookie-based session handling:- The application
relies solely on session cookies to identify the user
who made the request.
iii. No unpredictable parameters:- The requests that
perform the action do not contain any parameters
whose values the attacker cannot determine or
guess.
19. Mitigations of CSRF
• Anti-CSRF Tokens: Generate a unique token for each user session and
include it in form submissions or HTTP headers. Upon receiving a
request, the server verifies the token's authenticity to ensure the request
originated from a legitimate source.
• Same-Site Cookies: Set the SameSite attribute on session cookies to
restrict them to same-site requests, thereby preventing them from
being sent along with cross-site requests.
• Referer Header Checks: Validate the Referer header of incoming
requests to ensure they originate from the same domain as the web
application.
• Double Submit Cookies: Include the same random token in both a cookie
and the form submission. Upon receiving the request, the server compares
the two token values to verify that they match.
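As an added example that is not part of the deck, the following Python shows three of the four mitigations above working together in a request handler for a state-changing action: a per-session anti-CSRF token, a session cookie issued with the SameSite attribute, and an Origin check with Referer as the fallback. The token is implemented as an HMAC-bound variant of the anti-CSRF token item (a random nonce plus an HMAC over the session identifier and nonce, so the server need not store it); that design choice, the constructed server key, the assumed application origin https://app.example, and the header and form field names are assumptions of the example. The double-submit cookie pattern is not shown.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the example. A real deployment loads the key from a
# secrets store and takes the origin from configuration.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
APP_ORIGIN = "https://app.example"  # assumed application origin


def issue_csrf_token(session_id: str) -> str:
    """Anti-CSRF token bound to the session: a random nonce plus an HMAC
    over (session_id, nonce). A token lifted from another session, or
    forged without the key, will not verify."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie_header(session_id: str) -> str:
    """Session cookie with SameSite=Lax so browsers omit it from cross-site
    POSTs; Secure and HttpOnly are unrelated to CSRF but belong on it anyway."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def request_is_same_origin(headers: dict) -> bool:
    """Origin check with Referer as fallback. Browsers may strip Referer, so a
    request carrying neither header is rejected rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def handle_state_change(session_id: str, form: dict, headers: dict) -> int:
    """Guard for a state-changing POST. Returns the HTTP status the handler
    would send: 403 on any failed CSRF check, 200 when the action may run."""
    if not request_is_same_origin(headers):
        return 403
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    same_site = {"Origin": APP_ORIGIN}
    cross_site = {"Origin": "https://other.example"}
    print("legitimate form:", handle_state_change(sid, {"csrf_token": token}, same_site))
    print("cross-site form:", handle_state_change(sid, {"csrf_token": token}, cross_site))
    print("missing token:  ", handle_state_change(sid, {}, same_site))
```

Each check closes a different gap: the SameSite attribute stops the browser from attaching the session cookie to a cross-site POST in the first place, the Origin/Referer check rejects a request that still arrives from another site, and the token check rejects a request that has neither a valid nonce nor the HMAC only this server can compute for this session. Binding the token to the session identifier is what makes a token obtained from one session useless in another.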