How to Find and Fix Vulnerabilities Using Spider: SQL Injection Detection Tool?

August 30, 2017 - 15:08

‘Spider - SQL Injection Detection Tool’ is a web application testing tool. This tool is developed for testing security of PHP projects. This testing tool recursively reads and tests every GET and POST requests of the project and identify SQL injection holes.

The objective of ‘Spider’ is to close the way of SQL injection attacks in web application projects. Attacks against web application layers have been increasingly being monitored in the last few years by security professionals. There has been a marked 70% vulnerability report for web applications. These applications often handle sensitive data for many users and thus are prime targets for the attackers. Therefore it is important to ensure the security and privacy of these web applications.

According to the Open Web Application Security Project(OWASP), injection attacks top the list for the top ten web vulnerabilities, in which SQL injections bearing a major chunk. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit security vulnerability in an application's software. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Distribution-of-Attack-Techniques.1.jpg
Source

Generally when an application is communicating with the backend database, it does so in the form of queries with the help of an underlying database driver. This driver is dependent on the application platform being used and the type of backend database, such as MySQL, MSSQL, DB2, or ORACLE. A generic login query would look something like this:

 `SELECT Column1, Column2 FROM table_name WHERE username=’$username′ AND password=’$password′; 

We can split this query into two parts, code section and the data section. The data section is the $username and $password and quotes are being used around the variable to define the string boundary. A SQLI vulnerability results from the application’s use of user input in constructing database statements. The attacker invokes the application, passing as an input a (partial) SQL statement, which the application executes. This permits the attacker to get unauthorized access to, can contaminate the data stored in a database. To prevent this attack, applications need to filter the invalid input values that are used in constructing SQL statements, or else reject potentially dangerous inputs.

Scope

It is very difficult to identify SQL injection holes without any tool. So even tester will miss this large mistake of Programmer. If they do not identify the programmer’s mistake then the company will face large losses.

If testers use this ‘Spider’ testing tool then they can easily identify the programmer's mistake and increase the quality of the product.

Why Spider Testing Tool?

There are so many online SQL injection detection tools available in the market but they fail to detect holes when the testing page is redirected or the error reporting is off. Actual strength of the chain is the strength of weakest link in the chain, software security is the same if we miss one hacking hole then the security of that software is zero. The online SQL Injection testing Tools detect SQL injection holes by reading and comparing the HTML content of the project.

‘Spider’ follows a different approach to overcome this problem. Tools can never provide 100% protection guarantee because hackers keep trying new ways to break the wall. The one thing we have to do, if a hacker breaks the wall is to study the hacking method and close that hole.

Approach

A person can identify SQL injection holes manually by adding query characters in GET or POST requests then we get a query error message with page content, from this error message we get the secret details of the database.

Example of error message:

Databade-err.jpg

Our tool uses a different way to identify SQL injection holes because if we use these manual method then it will fail in the case of ‘Error Reporting’ being off or there is any redirection. To overcome this situation we use another method.

Our tool will try to inject an update query in each GET and POST field, if this injected update query successfully executes then we can say that SQL injection is possible through that field.

Workflow:-

Step1: Copy project folder to temporary path

Step2: Change single query function to multi query in all project

Step3: Create sqlinjectionstatus table in the DB of the given selected project

Step4: Read the URL of the project

Step5: Read the HTML content of the URL throw HTTP using curl

Step6: Convert HTML content to string

Step7: Repeat ‘Step 8’ until the string contain no other requests (GET or POST)

Step8: Insert the request details to ‘sqlinjectionstatus’ table with the ‘injection_flag’ is 0

Step9: Create ‘injection_flag’ changing SQL injection string for each request

Step10: Send request with sql injection string throw HTTP using curl

Step11: Fetch records from sqlinjectionstatus table

Step12: Display status of each requests of given URL

SQL injection string for changing the ‘injection_flag’ of sqlinjectionstatus table:-

  1.  
    ‘; UPDATE `sqlinjectionstatus` SET `injection_flag` = 1 WHERE `url` = ‘<URL>’ AND `method` = ‘<POST OR GET>’ AND `request_name` = '<Request Name>' -- 
  2.  “; UPDATE `sqlinjectionstatus` SET `injection_flag` = 1 WHERE `url` = ‘<URL>’ AND `method` = ‘<POST OR GET>’ AND `request_name` = ‘<Request Name>’ --
  3.  ; UPDATE `sqlinjectionstatus` SET `injection_flag` = 1 WHERE `url` = ‘<URL>’ AND `method` = ‘<POST OR GET>’ AND `request_name` = ‘<Request Name>’ --
  4.  %bf%27; UPDATE `sqlinjectionstatus` SET `injection_flag` = 1 WHERE `url` = ‘<URL>’ AND `method` = ‘<POST OR GET>’ AND `request_name` = ‘<Request Name>’ --

These queries try to inject through each requests using CURL, if the `injection_flag` value is changed to 1 then we can say that the SQL injection is possible through that request.

Solutions and Result

There are many different type of SQL injection holes. Some holes are small, its very difficult to execute injected update query throw smaller hole. So need more case checking and time to identify small SQL injection holes. While checking, our tool does not know what is the actual size of the hole.

For this particular situation, the 3 options are

  • Approach the situation with an assumption that all holes are small (worst case) and check all cases and inject update query.
  • Understand query and hole then try to inject update query.
  • Change all the holes into bigger then try to inject update query.

The first two options need more time of execution to get results, the existing tools identify SQL injection holes from the HTML of error content. Though faster it is not accurate. Our aim is try to develop a faster and accurate one. So I chose the third option. In this we can reduce checkin cases and execution time.

For example, consider a man standing 50 m away from a wall and trying to count the number of holes in the wall, obviously he/she will miss the smaller holes. Hence he/she will need to put more effort for counting the smaller holes. If the holes are of similar big size, then he/she can easily count holes without using any binoculars. Our situation is similar to the above mentioned scenario.

How to change small SQL injection holes to bigger?

SQL injection holes size depend on the SQL query. SQL injection hole in multi query ( multi_query) is a bigger one because we can easily inject and execute other queries through this hole. So before checking this change all single query of the project to multi query. In this way all existing SQL injection holes change to same type and size then we can easily check if SQL injection is possible or not with in lesser time.

Workflow

The system works as follows. The user inputs the domain name, the database name in the db name field, the host name in the host field, gives the database user name, database password and submits the details to the system like this.

SQL-Injection-Testing-Tool.jpg

After submitting the details, the system verifies the credentials given and connects to the corresponding database. The entire project will be copied by the system for testing.

SQL-Injection-Testing-Tool-1.jpg

Then, give the URL of the page to be tested for SQL injection and submit it to the system.

SQL-Injection-Testing-Tool-2.jpg

The system will check every input field for SQL injection and will give a detailed output to the user including which are the fields that is vulnerable to the SQL injection.

SQL-Injection-Testing-Tool-3.jpg

The system is even capable of scanning web applications which create sessions for different users. In which when the URL of the session creation page is entered along with the login details will give the page details in the Page URL. It detects the SQL injection vulnerable requests in that page. Like this

SQL-Injection-Testing-Tool-4.jpg

For the basics:-SQL Injection Basics

Using PDO prepared statement is the best way to prevent SQL injection. To know more, get in touch with us!

Post your comments / questions