Nowadays, SQL Injection is still one of the deadliest form of attack that a hacker can do to a website. Improper coding, using outdated libraries and version of the programming language used, improper configuration of the webserver are the most common weakness that a hacker is looking for before they attack their target website.
I have prepared below a Sql Injection check list(in general practice) to disallow hackers to carry out an attack successfully:
- Implement input validation and field masking at the view level.
- Ensure that your model layer properly uses placeholders.
- Check the data types of input parameters.
- Avoid insecure packages that have access to the database.
- Make use of application security monitoring features. Example: Detecting SQL Injection Attacks based on Text Analysis and Detection of SQL Injection Attack Using Machine Learning Techniques
- Enforce security policies and best practices with your team.
This other checklist may not apply to all programming languages but are is still useful to look at when developing a website/application:
- Don’t allow multiple statements
- Allow list user input
- Use Query Tokenization
- Use an allow instead of a deny list
- Use regular expression in input validations to remove any special characters
- Whitelist URLs for database access
- Escape and encode special database characters
- Use updated web development technologies and database setups (such as PDO instead of MySQLi) that include in-built SQLi protection
- Enforce the use of parameterized queries and prepared statements
I have a prepared below a method of testing whether a web page is vulnerable to SQL Injection attack. I used Burp Suite to carry out the attack and DVWA as the target website.
To set up the attack using burp suite, pls check the initial procedure I did on my previous post(A Simple Brute Force Attack using Burp Suite and DVWA as Target). Once that is done, open DVWA web application from the pre-configured browser. Then go to the SQL Injection but set the Security level to Low. Then, set "Intercept on" on burp suite. Now enter any value to the text box at dvwa and press the button beside it.
Then go back to burp suite.
Right click on the intercepted code and click the "Send to Intruder" from context menu that appeared.
Go to the Intruder menu and click the clear button on right side with a section sign. Then highlight the text that was entered on the DVWA web page. In my case, I entered 'bbbbb'. Then press the add button located above the clear button.
Next go to the payloads section and leave all as is and enter the sql injection codes that you think can expose unknown data. I suggest to use the Sql Injection Word list from this website. To check the result you check how I did it in my previous post(A Simple Brute Force Attack using Burp Suite and DVWA as Target). And applying the same procedure,
The response I got from all except the last were the same, there were no response but the last item yielded some result:
I also entered the same code in DVWA and got the following result:
And that's how to test the vulnerability of a web page. This is not as simple as it may seem, having millions of code combination would be much useful to check the vulnerability of a webpage.
No comments:
Post a Comment