SQL Injection

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
2 hours 5 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:00
Hello, everyone, and welcome back to the course, identifying with attacks through logs.
00:05
In the last video, we talked about brute force attacks.
00:09
This is module to Episode four, and in this video
00:12
we'll start talking about injection attacks.
00:15
The first injection attack will be SQL injections. So to start, let's check the video objectives
00:21
first. A brief introduction of injection attacks
00:24
after that,
00:25
or review SQL Tax Sequel injection attacks,
00:29
followed by performing Web analysis toe Identify SQL injection attacks.
00:36
Injection attacks are related toe. Oh, wasp talk a one
00:40
in 2007, it was a top vulnerability
00:43
Injections air so common that OAS classified it as a top vulnerability in 2010 and 2013 as well.
00:51
Here's the definition from a wasp
00:54
injection. Attacks occur when the central request contains some unexpected data
00:58
and this data is executed by the Web server.
01:03
Remember,
01:03
the Web server doesn't care about the request, and if the request is malicious, the Web server will still process it.
01:11
SQL injection is one type of injection attack. There are many other injection attacks.
01:15
Here's a list of some of that
01:18
SQL injection file injection and others, but in this video, we'll focus on SQL injection
01:25
because of the multi layer Web application architecture. ER, the client should Onley access the Web server
01:30
in a SQL injection attack. The client sends the request the Web server, but the Web server will send the request. The database in the database will process it
01:38
depending on the request. Database can execute unexpected commands,
01:42
and these commands that come back to the database server can impact the Web application.
01:47
SQL Injection is considered a critical vulnerability. It directly affect the database server.
01:53
Here we have a comic strip joke about SQL injection
01:57
here. The impact was losing all the data base of the students. This could be fun, but
02:02
if this happens in a production environment, the consequences could be tragic.
02:07
So let's talk about SQL injection.
02:09
Here are some considerations to keep in mind with SQL injection attacks
02:15
it needs to use SQL or the database won't process it.
02:19
Usually it's caused by incorrect user input validation, like allowing special characters in the form.
02:24
It's an old attack. We've known about it since 1998.
02:29
It's also more common on legacy applications.
02:32
It's a server side attack, and it has some types like blind classic Union based and Air based
02:40
in our lab, there's a Web application vulnerable to SQL injection attacks. It's simple. It's just a form with only one text box toe. Put the user ID.
02:51
If we try the number one, we have the admin user information.
02:54
Here you have the request made to the Web server.
02:58
It's a simple request.
02:59
You can see that the i. D. Has the number one the admin I'd
03:04
the information about the admin has shown. But if we don't say a number,
03:07
what happens?
03:09
This is an example of a malicious request
03:13
to summarize this user. I d request you say to the database. I want all the user I. D. S that are equal to a or one equals one
03:21
one equals one is always true. So the database will send all the user names.
03:24
This is the result of the request all user names and information about the user names.
03:31
Now maybe you're thinking,
03:34
Can the Web server logs identify SQL injection attacks?
03:38
Let's analyze both request web server logs.
03:42
The first is the I. D. Number one request in the second logline is a malicious request.
03:47
Notice that whatever you put in the user i d. You'll be sent to the Web server and the database server.
03:53
Another important thing is that this request is encoded.
03:58
After decoding, we'll see the same request that we used
04:00
because of the SQL. It's easy to see encoded requests during SQL injection attacks.
04:06
It's important to notice that the Web server answered both requests, and this includes the malicious requests.
04:14
Depending on your Web application,
04:15
this would mean that your application is vulnerable to the SQL injection.
04:20
Yeah,
04:21
let's analyze these three log lines.
04:25
These lines were generated by the SQL map tool.
04:28
SQL map is a well known tool used to perform vulnerability scans
04:31
or to perform SQL injection attacks.
04:35
Many of the vulnerability scans can execute SQL injections,
04:40
so during the vulnerability scans, it's possible to see SQL injections. And depending on the policy of your company,
04:46
you can classify the attack as a vulnerability scan or as an SQL injection attack.
04:53
Again,
04:54
the user agent can help you in identifying the attack.
04:59
Analyzing the logs, you should see SQL related words or comments like and select case when union and others
05:08
always check the response of the Web, Sir,
05:11
on the previous slide. The answer was 200 so the Web server answered the request.
05:15
In the three log lines, we have 32 to the right direction.
05:18
Sometimes you need to correlate more than one logline toe. Understand the entire attack
05:26
for further information. Here are the same three lot lines but
05:30
now decoded.
05:30
If you don't know about SQL comments, you can ask your database. Admin. Ziff. These comments are malicious or could impact the database server
05:38
in the next slide will analyze tomb or log lines.
05:45
Here they are
05:46
again. We used the SQL map, but we change the user agent.
05:50
You can notice encoded requests and many SQL words.
05:56
The second logline. You have the wear and the exact comments.
06:00
Taking a better look. You can find more comments in words but related toe Linux operational system
06:04
like CAT and F password. And in this slide,
06:09
the decoded request.
06:12
One more question.
06:14
What about post requests
06:16
to analyze post requests? You need more logs from other sources.
06:20
A good source is the back capture.
06:24
For example, this is a Web server log for a post request.
06:28
The Web server log on Lee shows the post request to the log in page.
06:31
There's no information about the request, but in the package capture, you see the http request and all the form data that was sent.
06:40
Notice that this request is similar to our examples, although it's not that easy to get a package capture.
06:45
But if it's possible, you should try and ask for them
06:48
to summarize.
06:50
How do you identify the SQL injection
06:54
first? SQL commands like from Select Where and others
06:59
look for in Cody requests.
07:00
Also, remember the look for user agents and the operational system related comments or words.
07:08
Now let's do some post assessment questions to practice
07:12
in the first question.
07:14
Analyze the log below and identify the Web application attack
07:16
after choose the option with the correct attack,
07:19
you can pause the video if you want.
07:26
It's easy to see that this log is big, contains a lot of encoding. In addition, it's easy to find the SQL words like select and count on others.
07:34
So this is an SQL injection attack.
07:39
For further information,
07:41
here is the decoder request showing the SQL request.
07:45
Now check this affirmation.
07:46
Web server logs will show all information about user actions.
07:50
Is this affirmation. True or false,
07:57
This affirmation is false.
07:59
If the Web application uses post or if the Web server log and configuration is wrong, maybe the law can't help you.
08:05
If this happens, you need to ask for the right configuration or for other logs.
08:13
Video Summary
08:13
In this video, we talked about the type of injection attacks. SQL Injection attacks some directions to identify SQL injection attacks on the Web server logs like SQL Comments and Cody requests user agent and operational system comments
08:28
after we showed the difference between post and get requests showing an example of a package capture with a SQL injection attack
08:39
in the next video,
08:39
we'll keep talking about injection attacks.
08:41
We'll discuss file injection or file inclusion and the two types of inclusion local and remote file inclusion.
Up Next
Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By