Injection attacks persist across many technologies. They happen when there is no strict separation between program instructions and user input.
The typical structure of a program is:
|input| ---> | internal logic | ---> |output|
So a program expects an input for the system to run, and if proper restrictions are not put on that input, an attacker can interrupt the system.
Injection means appending an attacker-supplied instruction to the existing query.
An injection attack requires three components:
1. Technology identification
2. Transmission process
3. Input that is prone to attack
1. Technology Identification: This is the process where the attacker gains knowledge about the system, its web language or its hardware processing. The web language can often be identified just by looking at the web page, but more details can be obtained by viewing:
1. The error page
2. The page source (view source)
Every technology, if loosely coded, can be cracked by a smart hacker. The tools we use are:
3. THC-amap
2. Transmission Process: how we send data to the server. Remember our college days, when we developed web-based projects? Exactly: GET and POST.
GET sends the user input to the server through the URL.
POST sends the user input through SSL, that is, through a secure mechanism.
So if GET is used, people can easily manipulate the input. Hackers today are smarter, and they can also manipulate:
1. Hidden HTML form fields
2. HTTP headers
3. Input that is prone to attack: check out the error page.
Say there is a login page with id and password as input. The mechanism is that the user enters an id and password and clicks the submit button.
The form sends the data in a secure manner:
<form name="form1" method="post">
The server then catches the information and builds a query, which might be:
select id from user_table where username='username' and password='password'
In the code, the SQL query is built like this:
String query = "select id from user_table where " +
               "username='" + username + "' and " +
               "password='" + password + "'";
ResultSet rs = stmt.executeQuery(query);
If the coder has not filtered the following inputs in the backend, they can trap the SQL:
1. ' or 1=1 --
2. ') or 1=1 --
The query then reads:
select id from user_table where username='' or 1=1 --' and password='password'
In SQL, everything after -- is ignored: it tells the SQL parser that everything to the right is a comment, and the SQL engine skips it.
So the query becomes:
select id from user_table where username='' or 1=1
The select statement returns rows where username is the empty string or where 1=1 is true.
Since 1=1 is always true, it returns every user.
The important point: even if ' or 1=1 fails to get past the application, it might return an error message such as:
1. Many ids are matching with the same criteria on XYZ table
2. Error in query execution on table EMP_table
3. Sometimes it even reports the stored procedures in the error message along with the table.
This is exactly what a hacker needs, so he will succeed.
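To make the bypass and the error-message leak above concrete, here is an added example that is not part of the original post. It stands in for the page's Java/JDBC code with Python's sqlite3 and a constructed in-memory user_table, and puts the concatenated query next to a parameterized one so the difference is visible on the same inputs.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the page's user_table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_table (id integer, username text, password text)")
    conn.executemany("insert into user_table values (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")])
    return conn

def vulnerable_login(conn, username, password):
    # Same construction as the page's code: user input becomes part of the SQL text.
    query = ("select id from user_table where "
             "username='" + username + "' and "
             "password='" + password + "'")
    try:
        return ("rows", sorted(row[0] for row in conn.execute(query)))
    except sqlite3.Error as exc:
        # A raw engine error bubbling up to the user is the leak the text describes.
        return ("error", str(exc))

def safe_login(conn, username, password):
    # Parameterized query: the driver binds the values separately from the SQL text,
    # so a quote or -- inside the input is just data and never reaches the parser.
    query = "select id from user_table where username=? and password=?"
    return [row[0] for row in conn.execute(query, (username, password))]

if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("alice", "s3cret"), ("' or 1=1 --", "x"), ("') or 1=1 --", "x")]:
        print(repr(user), "vulnerable:", vulnerable_login(conn, user, pw),
              "safe:", safe_login(conn, user, pw))
```

With the first payload the concatenated query returns every id, the second payload produces a parse error instead of rows, and the parameterized version returns nothing for either.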
Most web forms have no mechanism in place to filter user input, so this is an area for the test engineer to cover.
Just remember two things:
1. It will not give a tabulated output.
2. This is a mechanism of inserting a query inside another query.