The OWASP Top 10 is a standard awareness framework for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Number One on the top 10 list of web application vulnerabilities is SQL Injection.

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands.

The trouble with the description above is that it is not necessarily the best language to describe the risk or impact of a SQL Injection to the rest of the business or a senior manager, particularly if you're trying to build a business case or request budget. It's great if you're a developer or tester, however, it does not convert to what that means for your business. Or in other words, why should you care?

As security professionals, we're concerned about the Confidentiality, Integrity and Availability of your data. A SQL Injection has the following consequences:

- Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
- Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
- Authorisation: If authorisation information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
- Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.

This helps us to articulate the different areas that a SQL Injection can have on your business. If we take Confidentiality as an example, it is a lot easier to understand the risk if we refer to a Customer Record or an HR Database. Imagine now that through our ethical hacking we have access to that database and can start to extract information. That information might be confidential (company secrets), it might be commercially sensitive (perhaps your price list, your customer list, or other IP) and it might contain Personally Identifiable Information (which we are under obligation to protect as part of DPA/GDPR etc).

Considering the damage that can be caused by a SQL Injection, it is not surprising that it is number one on the OWASP Top 10 list. It's something we come across a lot with our testing, so we thought we'd share some anonymous details of a recent assignment.

During this test, we found a SQL Injection vulnerability where the page was loading the data into a table by using direct SQL commands in the page.

We loaded the site and went to the query tab. We then completed a query within the page and monitored the response through Burp Suite. Whilst watching the request in Burp Suite, we found it to contain a SQL Query statement.

We modified the SQL statement and resent the request, which informed us that we were able to control the returned data.

We then modified the query to attempt to display the schema of the database. This was successful and a great milestone for a hacker as it enables them to see all of the tables within the database.

The next step is to review the list of tables that were returned, specifically looking for table names that looked like they may contain useful information.

- Xxx_po – we are guessing that this is potentially Purchase Order information. Or details of customers and what services they are buying from this organisation.
- Xxx_staff – table found; staff member details (including personally identifiable information) and hashed passwords are contained within this table.

This is juicy stuff and if this was a real hack, could be a significant breach.

Password hashes are difficult to hack, however if we had nefarious intentions, we'd take our time and try Dictionary Attacks, Brute Force Attacks, Lookup and Reverse Lookup Tables, Rainbow Tables and more. If the organisation were not aware that we had access, we could take as long as we wanted with this step. Once we have passwords, we have access to even more data.
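The flaw in this assignment was that the request itself carried a SQL statement. The sketch below is an added example, not code from the tested site or from this post: it sets that pattern beside a server-side design in which the client can only name a pre-defined query and supply bound values. The table names, the `services_by_category` query name and the request shape are assumptions, and the data is constructed.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT, category TEXT);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO services (name, category) VALUES
            ('Hosting', 'infra'), ('Support', 'ops');
        INSERT INTO staff (name, pw_hash) VALUES ('A. Example', 'constructed-hash');
    """)
    return db

def vulnerable_handler(db, request):
    # The pattern found in the test: the statement itself arrives in the
    # request, so whoever edits the request chooses what the database runs.
    return db.execute(request["sql"]).fetchall()

# Hardened: the statements live on the server. The client may only pick one
# by name and supply values, which are bound as parameters, never spliced in.
ALLOWED_QUERIES = {
    "services_by_category": (
        "SELECT id, name FROM services WHERE category = ? ORDER BY id",
        ("category",),
    ),
}

def hardened_handler(db, request):
    entry = ALLOWED_QUERIES.get(request.get("query"))
    if entry is None:
        raise ValueError("unknown query name")
    sql, param_names = entry
    params = request.get("params", {})
    if not isinstance(params, dict) or set(params) != set(param_names):
        raise ValueError("unexpected or missing parameters")
    values = []
    for name in param_names:
        value = params[name]
        if not isinstance(value, str) or len(value) > 64:
            raise ValueError("bad value for " + name)
        values.append(value)
    return db.execute(sql, values).fetchall()
```

Running the database connection under an account that can read only the tables the page needs limits what is exposed if a statement is ever tampered with.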