SQL Injection

00:00

Hello, everyone, and welcome back to the course, identifying with attacks through logs.

00:05

In the last video, we talked about brute force attacks.

00:09

This is module to Episode four, and in this video

00:12

we'll start talking about injection attacks.

00:15

The first injection attack will be SQL injections. So to start, let's check the video objectives

00:21

first. A brief introduction of injection attacks

00:24

after that,

00:25

or review SQL Tax Sequel injection attacks,

00:29

followed by performing Web analysis toe Identify SQL injection attacks.

00:36

Injection attacks are related toe. Oh, wasp talk a one

00:40

in 2007, it was a top vulnerability

00:43

Injections air so common that OAS classified it as a top vulnerability in 2010 and 2013 as well.

00:51

Here's the definition from a wasp

00:54

injection. Attacks occur when the central request contains some unexpected data

00:58

and this data is executed by the Web server.

01:03

Remember,

01:03

the Web server doesn't care about the request, and if the request is malicious, the Web server will still process it.

01:11

SQL injection is one type of injection attack. There are many other injection attacks.

01:15

Here's a list of some of that

01:18

SQL injection file injection and others, but in this video, we'll focus on SQL injection

01:25

because of the multi layer Web application architecture. ER, the client should Onley access the Web server

01:30

in a SQL injection attack. The client sends the request the Web server, but the Web server will send the request. The database in the database will process it

01:38

depending on the request. Database can execute unexpected commands,

01:42

and these commands that come back to the database server can impact the Web application.

01:47

SQL Injection is considered a critical vulnerability. It directly affect the database server.

01:53

Here we have a comic strip joke about SQL injection

01:57

here. The impact was losing all the data base of the students. This could be fun, but

02:02

if this happens in a production environment, the consequences could be tragic.

02:07

So let's talk about SQL injection.

02:09

Here are some considerations to keep in mind with SQL injection attacks

02:15

it needs to use SQL or the database won't process it.

02:19

Usually it's caused by incorrect user input validation, like allowing special characters in the form.

02:24

It's an old attack. We've known about it since 1998.

02:29

It's also more common on legacy applications.

02:32

It's a server side attack, and it has some types like blind classic Union based and Air based

02:40

in our lab, there's a Web application vulnerable to SQL injection attacks. It's simple. It's just a form with only one text box toe. Put the user ID.

02:51

If we try the number one, we have the admin user information.

02:54

Here you have the request made to the Web server.

02:58

It's a simple request.

02:59

You can see that the i. D. Has the number one the admin I'd

03:04

the information about the admin has shown. But if we don't say a number,

03:07

what happens?

03:09

This is an example of a malicious request

03:13

to summarize this user. I d request you say to the database. I want all the user I. D. S that are equal to a or one equals one

03:21

one equals one is always true. So the database will send all the user names.

03:24

This is the result of the request all user names and information about the user names.

03:31

Now maybe you're thinking,

03:34

Can the Web server logs identify SQL injection attacks?

03:38

Let's analyze both request web server logs.

03:42

The first is the I. D. Number one request in the second logline is a malicious request.

03:47

Notice that whatever you put in the user i d. You'll be sent to the Web server and the database server.

03:53

Another important thing is that this request is encoded.

03:58

After decoding, we'll see the same request that we used

04:00

because of the SQL. It's easy to see encoded requests during SQL injection attacks.

04:06

It's important to notice that the Web server answered both requests, and this includes the malicious requests.

04:14

Depending on your Web application,

04:15

this would mean that your application is vulnerable to the SQL injection.

04:20

Yeah,

04:21

let's analyze these three log lines.

04:25

These lines were generated by the SQL map tool.

04:28

SQL map is a well known tool used to perform vulnerability scans

04:31

or to perform SQL injection attacks.

04:35

Many of the vulnerability scans can execute SQL injections,

04:40

so during the vulnerability scans, it's possible to see SQL injections. And depending on the policy of your company,

04:46

you can classify the attack as a vulnerability scan or as an SQL injection attack.

04:53

Again,

04:54

the user agent can help you in identifying the attack.

04:59

Analyzing the logs, you should see SQL related words or comments like and select case when union and others

05:08

always check the response of the Web, Sir,

05:11

on the previous slide. The answer was 200 so the Web server answered the request.

05:15

In the three log lines, we have 32 to the right direction.

05:18

Sometimes you need to correlate more than one logline toe. Understand the entire attack

05:26

for further information. Here are the same three lot lines but

05:30

now decoded.

05:30

If you don't know about SQL comments, you can ask your database. Admin. Ziff. These comments are malicious or could impact the database server

05:38

in the next slide will analyze tomb or log lines.

05:45

Here they are

05:46

again. We used the SQL map, but we change the user agent.

05:50

You can notice encoded requests and many SQL words.

05:56

The second logline. You have the wear and the exact comments.

06:00

Taking a better look. You can find more comments in words but related toe Linux operational system

06:04

like CAT and F password. And in this slide,

06:09

the decoded request.

06:12

One more question.

06:14

What about post requests

06:16

to analyze post requests? You need more logs from other sources.

06:20

A good source is the back capture.

06:24

For example, this is a Web server log for a post request.

06:28

The Web server log on Lee shows the post request to the log in page.

06:31

There's no information about the request, but in the package capture, you see the http request and all the form data that was sent.

06:40

Notice that this request is similar to our examples, although it's not that easy to get a package capture.

06:45

But if it's possible, you should try and ask for them

06:48

to summarize.

06:50

How do you identify the SQL injection

06:54

first? SQL commands like from Select Where and others

06:59

look for in Cody requests.

07:00

Also, remember the look for user agents and the operational system related comments or words.

07:08

Now let's do some post assessment questions to practice

07:12

in the first question.

07:14

Analyze the log below and identify the Web application attack

07:16

after choose the option with the correct attack,

07:19

you can pause the video if you want.

07:26

It's easy to see that this log is big, contains a lot of encoding. In addition, it's easy to find the SQL words like select and count on others.

07:34

So this is an SQL injection attack.

07:39

For further information,

07:41

here is the decoder request showing the SQL request.

07:45

Now check this affirmation.

07:46

Web server logs will show all information about user actions.

07:50

Is this affirmation. True or false,

07:57

This affirmation is false.

07:59

If the Web application uses post or if the Web server log and configuration is wrong, maybe the law can't help you.

08:05

If this happens, you need to ask for the right configuration or for other logs.

08:13

Video Summary

08:13

In this video, we talked about the type of injection attacks. SQL Injection attacks some directions to identify SQL injection attacks on the Web server logs like SQL Comments and Cody requests user agent and operational system comments

08:28

after we showed the difference between post and get requests showing an example of a package capture with a SQL injection attack

08:39

in the next video,

08:39

we'll keep talking about injection attacks.