Latest WebApp Security Threats Part 2: How to Prevent Injection Attack


Welcome to Part 2 of this article.

In Part 1, we successfully hacked into the IBM demo site http://demo.testfire.net using an injection attack.

It was a happy moment, but truth be told, hacking is not as easy as we saw in Part 1. The devil is in the details.

In this part, we will dive into “How to prevent Injection Attack”, but before that, let’s try to understand what we did in Part 1. Specifically, how the apostrophe and the double dash work.

Let’s learn a basic philosophy first:

In computing, there is something called a “String”. In English, we would say “Text”. Anything you write that begins with a quote and ends with a quote is a String. So, if I write 12345, that is a number. If I put it in quotes, “12345”, it becomes a string.

The quotes tell the computer where your message begins and where it ends.

Let’s consider the statement below:

“When you go to Wamfie, give GH₵ 5,000 to Lamin IF she is pregnant”

Imagine someone introduces a quote (“) right before the IF.

That will split the sentence into two parts as indicated below:

  1. “When you go to Wamfie, give GH₵ 5,000 to Lamin ”
  2. IF she is pregnant”

If the person further introduces a double dash (–) after the closing quote, anything after it will be ignored, and the message becomes:

When you go to Wamfie, give GH₵ 5,000 to Lamin.

The condition that Lamin must be pregnant before she gets that GH₵ 5,000 is completely ignored.

With this understanding, let’s dive into how a user is generally verified and logged in on most websites.

There will be something like the statement below at the database level:

SELECT Username FROM Users WHERE Username = 'admin' AND password = '1234'

Note: It’s not as simple as this. The password will not be stored in plain text like this. In the database, the password is hashed (and ideally salted) rather than stored as typed.

When an apostrophe is introduced right after admin, it splits the statement into two parts:

  1. SELECT Username FROM Users WHERE username = 'Admin'
  2. ' AND password = '1234'

When we introduce the double dash (--), it becomes:

SELECT Username FROM Users WHERE username = 'Admin'--' AND password = '1234'

Remember: the SQL engine will ignore anything after the double dash (--) up to the end of the line.

Technically, that becomes a comment.

So, all that is checked against the database is:

SELECT Username FROM Users WHERE username = 'Admin'

The password check is never executed.

One thing you probably didn’t realize is that the initial message in Part 1 telling you to enter a password came from JavaScript (a front-end validation), so we typed anything there just to satisfy “Mr” JavaScript. Client-side validation runs in the attacker’s browser and can be bypassed or disabled, so it must never be the only check.

You can try signing in with Admin'-- as the username and any password; it will work.

Now here comes the challenge.

Imagine admin, administrator, guest and kaunda all failed. Thus, no such users exist on the system. How will you be able to guess different usernames? A site like nabco.gov.gh has about 100,000 usernames. Can you guess all of them?

No, you can’t, but thanks to some really crazy guys, you can have access to hundreds of tools that have all the above steps built into them. Yours is just to get the tool, install it, launch it and give it the name of the website you want to inject. Once you feed the website name into your setup, you can conveniently call your girlfriend and go walk in the park. By the time you return, bingo!!! nabco.gov.gh is hacked.

No! It’s not hacked. Don’t be excited. It could take hours, days, weeks, and even months. Besides, it’s so easy for the NABCO guys to prevent you from messing with their system, and automated tools like these are noisy: they generate large volumes of failed logins and malformed requests that a monitored application will log and alert on.

How that prevention is done is the main purpose of this article. So let’s get into that.

How do you prevent Injection Attack?

The most important advice is:

Do not re-invent the wheel. Use existing frameworks to develop your app.

Such frameworks have checks and balances built into them to make sure your forms are protected from injection attacks. Flask for Python is a typical example. To prevent such an attack, all you need to do is a little configuration and then add the statement form.hidden_tag() to your Jinja2 form template. You are done! (One caveat: form.hidden_tag() comes from Flask-WTF and renders the form’s CSRF token, which protects against cross-site request forgery; the protection against SQL injection itself comes from the database layer, for example SQLAlchemy, which passes your values as query parameters rather than pasting them into the SQL text.)

Now, in case you want to get your hands dirty and talk to the database yourself, use parameterized queries (prepared statements). In other words, never build the SQL string by concatenating user input into it; keep the SQL text fixed and hand the user’s values to the driver as separate parameters, so that a quote or a double dash in the input is treated as data and not as part of the query. Validating the input (length, allowed characters) is a useful extra layer, but it is not a substitute for parameters.
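To make the quote-and-dash trick from the SQL walk-through above and the parameterized fix concrete, here is an added example (not code from the article) using Python’s built-in sqlite3 module and a constructed one-user table. The first login function builds the query by string concatenation; the second keeps the SQL fixed and passes the values as parameters.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a single user. The password is kept
    # in plain text only to keep the demo short; real systems store a salted hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    # String concatenation: the user's input becomes part of the SQL text.
    # A quote in the username closes the string literal and "--" turns the
    # rest of the statement, including the password check, into a comment.
    sql = ("SELECT Username FROM Users WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders: the SQL text is fixed and the driver binds the values
    # separately, so a quote or "--" inside the input is compared as data
    # against the Username column and matches nothing.
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin'--", "anything"))      # True: password skipped
    print(login_parameterized(db, "admin'--", "anything"))   # False: treated as data
    print(login_parameterized(db, "admin", "s3cret"))        # True: real credentials
```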

Below is summary advice from StackOverflow, the developer’s bible.

That is it. We’ve seen how an injection attack is performed and how to prevent it.

To quote the words of the Director of ICT, KNUST:

“With these tools [hacking tools] in your hand, you guys are powered to do anything but remember, with a gun in your hand, you can be security man, you can be a watch man, you can be a national security guard and you can also be an armed robber. Please do the right thing ALWAYS”

On this note, I say wasalaam.

Author: Kaunda Ibn Ahmed

Remote.com.gh (Member, Institute of ICT Professionals, Ghana)

For comments, contact kaunda@outlook.com or Mobile: +233 234 80 90 10