A Web Application is a program that is accessed over a network connection using HTTP or HTTPS existing in the webserver. The web application is a client-server application that clients run in a web browser. The web application contains a set of web pages, scripts, images, etc. Web applications help organizations to grow their business.
A static website contains web pages with fixed content. A static site can be built using HTML and hosted on a Web server.
The information on dynamic websites changes based on user interaction, the time zone, the viewer’s native language, and other factors. These pages include Web scripting code, such as PHP or ASP. When a dynamic page is accessed, the code within the page is parsed on the Web server, and the resulting HTML is sent to the client web browser. Dynamic websites can interact with the user, capable of access information stored on the database. Dynamic web pages are also known as database-driven websites.
The Open Web Application Security Project (OWASP), an online community, produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. It aims to raise awareness about application security by identifying some of the most critical risks that organizations are facing.
A1:2017 – Injection
A2:2017 – Broken Authentication
A3: 2017 – Sensitive Data Exposure
A4:2017 – XML External Entities (XXE)
A5:2017 – Broken Access Control
A6:2017 – Security Misconfiguration
A7:2017 – Cross-Site Scripting (XSS)
A8:2017 – Insecure Deserialization
A9:2017 – Using Components with Known Vulnerabilities
A10:2017 – Insufficient Logging & Monitoring
Types of XSS
8.Insecure Deserialization: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
This attack involves the manipulation of parameters exchanged between client and server to modify application data such as user credentials, permissions, price, the number of products. Establishing a proxy can make the process of tampering simply if the web application fails in proper session management.
Any requests sent to the server are not validated (No server-side validation). The server processes the request without verifying whether the user made the request or not. Because of poor validation, requests can be forged and sent to users to force them to do things that they are not intended to do. By clicking some links, users may unknowingly change account passwords.
Local File Inclusion – Allows an attacker to gain access to any file on the server computer. An attacker can even access a file located apart from the web-root folder.
Remote File Inclusion – Allows an attacker to gain access to any file from any server. We can execute files located on a remote server on the vulnerable server.
SQL (Structured Query Language) is a database management language used to manage databases to perform various operations like create, read, update and delete on the database. SQL is used by database administrators, as well as developers to organize user data properly. Web applications interact with the database server in the form of queries. SQL queries include select, add, insert, update, delete, create, alter and truncate.
A database is a collection of information that is organized into rows, columns, and tables, and it is indexed so that it can be easily accessed, managed and updated. Data in the database gets updated, expanded, and deleted as new information is added.
A server is a software that runs continuously and responds to requests sent by the clients, Communication between a client and a server happens using a specific protocol example HTTP, HTTPS Server running web application include three components:
Web servers primarily respond to HTTP / HTTPS requests sent by the clients and pass these requests on to handlers.
The application server handles requests to create dynamic web pages. The application server processes the user request to generate the HTML page for the end-user, instead of serving a static HTML page stored on the disk. Application server software runs on the same physical server machine as where the webserver is running.
the database server is a server that houses a database application like JDBC, ODBC to provide database services to other computer programs. Most database applications respond to a query language. Each database understands its query language and converts each submitted query to a server-readable form and executes it to retrieve results.
The relation between the web server and the database server is the web server uses the application server to retrieve the data from the database and host the data with the help of the web server application. So web server works as the front end, and the database server works as a backend to provide data to a web server.
The technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution on backend database to retrieve information directly from the database. It is used to gain unauthorized access to the database. SQL Injection is not a vulnerability in a database or web server; it is a vulnerability in a web application that occurs due to a lack of input validation.
Types of SQL Injection attacks
The attacker uses this technique to bypass user authentication without providing the valid Username and password and tries to log into a web application with administrative privileges.
Authentication Bypass Cheat Sheet:
|1’ or ‘1’ = ‘1||admin’ or 1=1|
|admin’ —||admin’ or 1=1–|
|admin’ #||admin’ or 1=1#|
|admin’/*||admin’) or ‘1’=’1’#|
|admin’ or ‘1’=’1||admin’) or ‘1’=’1’–|
|admin’ or ‘1’=’1’–||admin’) or (‘1’=’1’/*|
|admin’ or ‘1’=’1’/*||admin’) or (‘1’=’1’#|
|admin’ or 1=1 or “=’||admin’) or (‘1’=’1’–|
|admin’) or (‘1’=’1||admin’ or (‘1’=’1|
|admin’ or 1=1/*||admin’ or 1=1#|
|or 1=1||or 1=1–|
|or 1=1#||or 1=1/*|
|admin’ or 1=1 or “=’||admin’) or ‘1’=’1/*|
THE error-based SQL injection technique relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site or logged to a file with restricted access instead. By analyzing these errors, the attacker can grab system information such as the database, database version, OS, etc.
Blind SQL injection is a type of SQL Injection attack that queries the database true or false questions and determines the answer based on the application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database.
Suggestive measures for SQL Injection Vulnerability