OWASP

Course
Time
12 hours 9 minutes
Difficulty
Beginner
CEU/CPE
12

Video Transcription

00:01
Hey, everyone, welcome back to the core. So in the last video, we talked about the differences between the old Las Top 10 list for 2013 and the list for 2017.
00:11
In this video, we're gonna talk about different injection vulnerabilities as well as different injection attacks.
00:18
So quick pre assessment question here. Janice, working as a penetration tester for alien invaders, incorporated. She's already mapped in new, berating the Target Network. Her focus is now shifted to the company's Web application.
00:29
So which of the following tools should she use on a Web application to test input? Validation
00:36
all rights. If you guessed. Answer. See, you are correct. And actually following this video, I'll introduce you to a world famous person that's gonna talk a little bit about barbecue sequel
00:46
And, of course, and map is for scanning wire. Shark has forced packet sniffing and looking at packets, and then hash cat is a password cracker. So again, you don't need to know what any of those are. But it's one to let you know
00:57
so learning objectives for this video, we're gonna talk about the risk rating methodology. We'll also talk about the risk rating for injection. We're gonna talk about the prevalence check for injections, injections, vulnerabilities, Theo and potential impact as well as ways we can. Either mitigator prevent them.
01:14
So are always passes. Rick risk raining methodology, and we're gonna cover this on basically every single module. So well, I'll show you the risk rating for that particular item on the old glass. Top 10 Red is the worst. As you can see here, red is at the top there. It's a number three, and it's basically that it's easily exploitable.
01:33
It's, you know, very widespread.
01:34
It's very easy for an attacker to detect this and use it, and then the technical impacts. You know, it's very severe, like some kind of major issue, like remote code execution or, you know, tuition and data, that sort of stuff. Those we number three.
01:49
Then we better average ones that kind of middle ground there. And then we have our ones that Avery, you know, potentially very challenging for an attacker to exploit, or the vory uncommon or it's very difficult to figure out, you know, to find the vulnerability or there's really no effect once it's exploited.
02:07
So speaking of all those you'll see injection right here. Now, of course, this is why Injections number one. All the list for the loss. Top 10. Because you'll see most of the categories. Here are what we call the bad, and we will continue calling the bad throughout the course. It's the red there.
02:23
Rejection vulnerabilities. Basically, what's happening here is untrusted. Data is being interpreted. Eso We've got several different types of injection attacks sequel injection, which we'll talk about a little bit. And we're going to do all these these three in the in the lab after this,
02:42
Not after right after this video, but the video afterwards after I introduce you to the world famous
02:46
individual s So we'll talk about sequel injection attacks, command injection and then html injection attack our
02:54
22 types, eh? So you've got your basic, your story or you're persistent type and then you're reflected type. So the store type
03:02
is basically
03:05
taking malicious code. Um,
03:07
and it's basically storing it on the service side. So that way, every time a user accesses that server, that code is being provisioned out. So every time they visit that compromise when pates are getting infected,
03:19
whereas reflected is just that single
03:23
infection executed on the on the user's browser. Eso If I closed my browser session or if, like you're in, you get infected and I don't visit the site, then I don't really have a risk or five isn't the site. Maybe you were the only person that got infected because the code is being executed on your end of things.
03:40
So different types of sequel injection. So we're gonna focus primarily on let's and sets the most common type of all these injection attacks that we see. We've got union based, air based blind and I'm in a couple of types of blind will talk about and then also stacked queries.
03:57
Also, union based issues is the union's statement, which is basically a way we can join together different select statements. So, for example, of select will be like a I want to get this information from the database so you no select, you know, all years, their names from you know, this table or whatever. So
04:14
basically select as the name implies is we're trying to get information
04:16
back from the database. We're trying to choose certain things from the database.
04:23
So what happens here is we? We have Ah, as I mentioned, the unit commanders joining together select quarries. So we're basically building on top of the original select query
04:32
and to extend beyond. So let's say that I have a legitimate, select query, and I want, you know, a zay mentioned. Select some information from the database like a name or something, and then what I would do as an attacker's, I would combine several U. S. I would use the union statement to combine several select queries to
04:48
instead of just getting like the user name. Now I'm going in and getting so security number, date of birth,
04:54
all that good stuff
04:57
air base. So the goal here is to get the database to respond with an error that's gonna show us the proper syntax. So then, from there we can build out attack commands and potentially getting from action information back from the database
05:13
Blind injection. So, as I mentioned, this one has both bullion or time based civilian is basically like a true or false true yes or no type of thing. So, for example, we may say a true statement like, you know, you know, the I d. equals one and one equals one. And then we may provide a false statement, Right? So, like I d
05:31
equals one. And you know,
05:33
one equals two or something like that, you know? So we're providing a false statement there,
05:39
and then time based relies on the database kind of pausing or sleeping for a period of time and then returning results on based off that that could indicate, you know, whether or not that's equal query actually executed successfully or not. So, again, both these air blind based in
05:57
we don't necessarily see exactly their message coming back
06:00
from the database. But we do. We are able to garner some information about was the command attack successful
06:10
and then start static worries. Basically, this is a termination original query that immediately executes another query. So, you know, for example, in this example here we're selecting all the records from the my sequel users table in the database. And this is just an example of what that way look like.
06:29
So prevalent. Is this prevalent? Well, yes. This is probably the most prevalent thing on the wall. Stop 10 sequel injection attacks specifically.
06:36
Um, so we see it in a lot of different areas, so injection vulnerabilities cross the border into sequel injection. We see these across the board things like sequel. L dap OS commands in maximal part, sirs.
06:51
Uh, queries for no sequel. SMTP headers, etcetera, etcetera. So a lot of different places,
06:58
we may see this type of attack.
07:01
So how to check? Well, number one is there's no validation, right? So as we're entering data and there's not actually any validation going on, so that easily tells us that this may be vulnerable to some type of injection attack.
07:14
*** it. Dynamic worries without content
07:16
context. Excuse me. Aware. Escaping. So that just means that they're gonna be used directly an interpreter s. So there's no basically, with that, there's no, uh, parameter eyes calls. So there's no parameters being set
07:30
and then structured, you know, hostile data inquiries.
07:34
So that way, you know, So the attacker maybe, uh,
07:38
using, like, truncated or contaminated
07:43
data. So that way, we don't know exactly what they're trying to run or, you know, at least the interpreter doesn't recognize that it's actually malicious. And so it goes ahead and processes that particular coat
07:55
impact. So one of the biggest impacts is data loss. Also data corruption, especially in sequel injection attacks. The attacker will try to get access to the database and then from there they can potentially inject code in delete stuff or dis corrupted.
08:09
Also, disclosure on unauthorized parties. Again, that kind of goes back to the data loss aspect of it, and then denial of access is well, right. So if I could take over your database and I can potentially lock you out of it, what are you going to do as a company ride? You'll you'll probably pay me whatever I want. Uh, whatever I want to charge you.
08:26
So prevention. So you know, source code review could use that. Validating input is probably the biggest thing. They're sanitizing input to make sure there's nothing malicious in it. Using safe AP eyes using things like the limit. Uh uh, command in sequel or so that way, we limit the amount of data that somebody can get back in a single query on many testing.
08:45
Why listen on the server side and then you know, of course, setting parameters for the queries.
08:52
So quick, Post assessment question here, calm is a security analyst. That is wanting to find a sequel control that will help prevent against mass data loss.
09:00
What's the following should she use?
09:05
All right, so I kind of get this one away just a little bit ago. The answer here is be the limit is the control that we can use a side of sequel to limit the amount of information that's being removed in a single query.
09:18
All right, so in this video, we talked about sequel injection attacks. We talked about OS injection OS Command A CZ. Well, as a team a little bit. We also talked about injection vulnerabilities at a high level. And the next video, we're gonna introduce you to the world famous person I keep talking about, and then we'll have our injection
09:37
labs, and then we'll move into the next module, which will be broken authentication.

Up Next

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP certification training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor