offgridtech.xyz

A Blog about IT, Security, Cloud and Off-Grid Technologies.

SQL Injections Part 1: Exposing Vulnerabilities with OWASP Juice Shop

In the complex fabric of web security, understanding the threat landscape is paramount. This series embarks on a detailed exploration of SQL injections, a notorious and enduring threat within the cybersecurity arena. Part 1 of this series focuses on exposing the vulnerabilities that make SQL injections not only possible but also dangerously effective. Through a hands-on tutorial using the OWASP Juice Shop, I aim to illuminate the technical mechanisms of SQL injections, thereby setting the stage for a deeper discussion on defense strategies in Part 2.

SQL Injections and the OWASP Top 10

SQL Injection attacks manipulate backend databases through insecure application inputs. Attackers exploit these vulnerabilities to bypass authentication and to access, modify, or delete data. Critical to their strategy is the reconnaissance phase of the Cyber Kill Chain, where attackers meticulously scan for vulnerabilities within the application’s defenses, scoping out potential input fields to exploit, a precursor to the actual injection.

The Open Web Application Security Project (OWASP) lists SQL Injection within its Top 10 Web Application Security Risks, underscoring the attack’s prevalence and danger. The OWASP Top 10 serves as a benchmark for web application security, highlighting areas where developers and security professionals should exercise utmost vigilance.

Introducing the OWASP Juice Shop

The OWASP Juice Shop serves as an exemplary platform for security professionals and enthusiasts to hone their skills. This intentionally vulnerable web application offers a safe environment to explore and exploit various web vulnerabilities, including SQL injections, thereby providing invaluable hands-on experience.

Executing an SQL Injection on Juice Shop

The practical component of my exploration involved conducting an SQL injection attack on the Juice Shop application. Here’s how it unfolded, with an emphasis on using the Firefox Developer Tools:

1. Provoke an Error: The first step involves entering specific credentials to trigger an error response from the database. By inputting a single quote as the email and 111 as the password in the login field, I create conditions for revealing database errors.

2. Accessing Firefox Developer Tools: To analyze the error and inspect the SQL query, I use Firefox Developer Tools. You can access these tools in Firefox by right-clicking on the web page and selecting “Inspect,” or by pressing Ctrl+Shift+I (Cmd+Opt+I on macOS). Navigate to the “Network” tab before logging in to capture the login request.

Firefox Dev Tools for analyzing the responses of your inputs

3. Inspect and Analyze: After triggering the error, look for the login request in the “Network” tab of the Developer Tools. Click on this request, then select the “Response” tab to view the database’s response and the SQL query initiated by our false credentials.

Login Error Log including the SQL query that failed

4. Understanding the SQL Query:

  • SELECT * FROM Users WHERE email = ''' AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL
  • This query shows how the application searches for user credentials (the password is stored as an MD5 hash, here the hash of 111), setting the stage for our SQL injection.

5. Crafting the SQL Injection: With the query as my foundation, I construct an injection to bypass the authentication process. By using ' OR TRUE -- as the email input, I manipulate the query logic to my advantage. Once the injection is submitted, the following query is sent to the database:

  • SELECT * FROM Users WHERE email = '' OR TRUE --' AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL

6. Decoding the Attack Vector:

  • ': Closes the email string opened by the query, so the rest of the input is interpreted as part of the SQL command.
  • OR TRUE: Introduces a condition that always evaluates to true, so the WHERE clause matches every user and the first row returned (the administrator) is authenticated.
  • --: Comments out the remainder of the query, removing the need for a matching password and dropping the deletedAt IS NULL check.
  • hello: I type “hello” as the password, but any string of characters will do, since the password comparison is now inside the comment.

Juice Shop Login Page with SQL Injection

The whoami call in the network logs shows that Admin is logged in
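To make steps 4 to 6 concrete from the defender's side, here is an added example (not code from this post or from the Juice Shop project) that rebuilds the login query on an in-memory SQLite table with constructed accounts. SQLite and unsalted MD5 hashes are used because that is what Juice Shop runs on, but the table, the account names and the `vulnerable_login`/`safe_login` functions are assumptions made for this illustration. The vulnerable function concatenates the input exactly as the query in step 4 shows; the safe function sends the same query with bound parameters, which is the fix Part 2 will build on.

```python
import hashlib
import sqlite3

# Constructed sample accounts; none of these are real Juice Shop credentials.
SAMPLE_USERS = [
    (1, "admin@example.test", "Adm1n-Pa55", "admin", None),
    (2, "jim@example.test", "ncc-1701-d", "customer", None),
    (3, "gone@example.test", "retired", "customer", "2024-01-01"),  # soft-deleted
]


def md5_hex(password: str) -> str:
    """Juice Shop stores unsalted MD5 hashes; md5('111') is the hash seen in step 4."""
    return hashlib.md5(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create the stand-in Users table (assumed schema, not the project's own)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT, deletedAt TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?, ?)",
        [(uid, email, md5_hex(pw), role, deleted) for uid, email, pw, role, deleted in SAMPLE_USERS],
    )
    return conn


def vulnerable_query(email: str, password: str) -> str:
    """Build the query by string concatenation, reproducing the step 4 pattern."""
    return (
        f"SELECT * FROM Users WHERE email = '{email}' "
        f"AND password = '{md5_hex(password)}' AND deletedAt IS NULL"
    )


def vulnerable_login(conn, email, password):
    """Vulnerable: attacker-controlled text becomes part of the SQL statement."""
    return conn.execute(vulnerable_query(email, password)).fetchone()


def safe_login(conn, email, password):
    """Fixed: the same query, but the values travel as bound parameters,
    so a quote or comment marker in the email is just data."""
    query = "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    return conn.execute(query, (email, md5_hex(password))).fetchone()


def attempt(login, conn, email, password):
    """Classify a login outcome: ('error', msg) is what a verbose app leaks in step 1,
    ('authenticated', email) is what the whoami call reveals after step 5."""
    try:
        row = login(conn, email, password)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    if row is None:
        return ("denied", None)
    return ("authenticated", row["email"])


if __name__ == "__main__":
    db = build_db()
    for label, login in (("vulnerable", vulnerable_login), ("parameterized", safe_login)):
        print(f"--- {label} ---")
        print("step 1  ' / 111       ->", attempt(login, db, "'", "111"))
        print("step 5  ' OR TRUE -- ->", attempt(login, db, "' OR TRUE --", "hello"))
        print("real user            ->", attempt(login, db, "jim@example.test", "ncc-1701-d"))
        print("soft-deleted user    ->", attempt(login, db, "gone@example.test", "retired"))
```

Running it shows the three behaviours the tutorial walks through: the lone quote produces a database syntax error from the concatenated query (the step 1 leak), `' OR TRUE --` logs the vulnerable version in as the first row, the administrator, while the parameterized version treats both inputs as literal email addresses and denies them. The soft-deleted account is rejected by both, which is the `deletedAt IS NULL` clause doing its job until the injection comments it out.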

Conclusion and Takeaways

This tutorial serves as a stark reminder of the simplicity and effectiveness of SQL injections. As I wrap up Part 1, my journey from understanding to action underscores the critical need for vigilance and proactive measures in web application security. Stay tuned for SQL Injections Part 2: A Threat-Informed Defense, where I will delve into defense mechanisms through a SIEM perspective, utilizing tools such as Wazuh and the MITRE ATT&CK framework for a comprehensive threat defense strategy.