SQL Injection (SQLi)
SQL Injection (SQLI) is when untrusted data is used to construct an SQL query. The data is inserted (or “injected”) into the SQL query string.
SQLI has been ranked #1 in the OWASP Top 10 security threats.
It is easy for attackers to detect and exploit. It is a powerful attack because it gives access to application databases, and most modern web applications rely heavily on databases.
SQLI attacks can have many different goals.
- Probe application or database structure
- Authentication
- Bypass application logins
- Steal data: Usernames, Passwords, Identity info, Credit cards
- Alter data: Change orders or transactions, Elevate permissions
- Destroy data: Sabotage
The most frequent areas of attack are WHERE clauses. Other query types are equally vulnerable, just not as frequently used. INSERT, UPDATE and DELETE statements must be considered, as well as other SQL clauses like SELECT and ORDER BY.
Imagine that there is a page which will accept an SQL Injection and send it to the database, but which will display the same standard error page to a user regardless of whether the SQL Injection succeeded or not. Because an attacker cannot see the results this is referred to as a “Blind SQL Injection”.
One common technique is to inject an SQL query which will cause the database to pause or return a slow response if the injection works.
The easiest version is to use SLEEP() to create a slow response. If it works, the server will pause for 5 seconds. If it does not work, it won't.
$id = ' AND sleep(5);--';
SQLI Preventions
Sanitizing input is the best way to prevent SQL Injection. However, there is something easier which can serve as a first line of defense. The application never needs full database privileges. This follows the principle of Least Privilege: the application should have the least amount of privilege necessary to do its job. SQL has a special permission (the GRANT OPTION) which allows granting permissions to other database users, and the application has no need for it. Most importantly, never let the application connect as the root user.
SQLI Sanitizing
In simple terms, this means putting a backslash (\) before any single quotes. In PHP, the function mysqli_real_escape_string() is a helpful tool for escaping strings for use with MySQL databases.
File Upload Abuse
File Upload Abuse is the abuse of public file upload features. Too many or too large files can deplete a system’s file storage resources. Another potential abuse is users uploading the wrong content type.
Malware: The most serious file upload abuse is the uploading of malware. Malware gets its name from “malicious software”.
Malware comes in many different varieties. Each one has a different purpose and a different goal.
- Adware
- Bots and botnets: Spam, Denial of Service (DoS)
- Ransomware
- Spyware: Keystroke loggers, Data harvesting, Enable web cameras
- Bypass access controls
- Rootkit (total server control)
File Upload Abuse Preventions
The best prevention of file abuse is to authenticate users before allowing them to upload files.
Remote Code Execution
Remote Code Execution is when external code is able to execute internal, operating-system-level commands on a server from a distance.
Once an attacker has access at the OS level, it is possible to perform any task a logged-in user could do.
- Read, add, modify, delete files
- Change access privileges, passwords
- Turn on and off configurations and services
- Communicate to other servers
In order to pull off Remote Code Execution, two things are required:
- A programmer must use a function which allows communication with the OS.
- An attacker must be able to get dynamic data into that function call.
Remote Code Execution Preventions
The best prevention is to avoid using system functions. This is generally true, but especially when working with dynamic data. Usually there is a better, safer way to do the same thing. In some programming languages (including PHP) it is possible to disable these functions entirely so that they cannot be used.