What is SQL Injection and XSS?

Our world is getting more digital with more businesses going online via websites and mobile applications. The rampant evolving of this area also increases the number of cyber crimes, inflicting monetary losses to online businesses. If you are building your business online, make sure you take necessary steps to avoid becoming a victim of cyber crime.

You can read more about the cyber crime statistics here:

👉https://www.varonis.com/blog/cybersecurity-statistics/

Some of the famous cyber attacks include SQL injection, cross-site scripting (XSS) and Distributed denial-of-service (DDOS). Today we will be focusing on attack our mockup web application using SQL injection and XSS.

Hackme (Mockup WebApp)

We will need a dummy web application with almost zero security measures. You can get it here:

👉https://github.com/tattwei46/Hackme

Hackme application has 3 parts:

  • Login Page
  • Search Page – Allows you to search for a particular book title
  • Comment Page – Allows you to post comments

We are using MySQL for our database. Refer to http://tattweicheah.com/how-to-use-python-with-mysql-2/ on which softwares to download and install.

In Hackme project folder, there is a file called data.sql that contains a list of queries to help you populate your database. You should have 3 tables, books, users and comments.

Prerequisite knowledge

Prior trying to attempt these attacks, it is better to have some knowledge on HTML, SQL and J2EE. You can get those tutorials here

Let’s start to hack our website!😈

Photo by NeONBRAND on Unsplash

What is Distributed Denial-of-Service (DDoS) attack?

DDoS is an attack that floods a targetted server’s network causing it to slow down drastically or come to a halt.

Here is the flow of the attack:

  1. Perpetrator infects a network of computers with malware.
  2. These malwares turn a network of computers into bots or zombies.
  3. Perpetrator then instructs the bots to send request to a targetted server.
  4. Server network becomes flooded with requests that eventually causing it to be slow or irresponsive.

DDoS inflicts alot of damages on cooperations that relies on 24/7 reliable network connection for example banking sites.

What is SQL Injection?

SQL Injection is a method that allows perpetrators to execute malicious SQL statements and bypass application security measures to retrieve or alter database contents.

Let’s look at an example. Below is our login page from our Hackme application.

Now, let’s assume we have John who is the admin for this site. What happens when he logins to the site with his credentials? Well, the application sends a query to the database that looks like this:

SELECT * FROM users WHERE username='john' AND password='john123'

So basically the webapp grabs the data from text inputs and constructs a query out of it.

Let’s take a look at the query below and guess what would be the result?

SELECT * FROM users WHERE username='hacker' AND password='hacker123' OR '1'='1'

Well for the first part of the query, the database cannot find a match of a username of hacker and password of hacker123, hence it returns no result or a false. But for the second part of the query, ‘1’=’1′ is definitely equals true. Since the first and second query is combined by OR operator, we get a TRUE! And this allows us to bypass the authentication page!

Take note to NOT include the ‘ at the end else you will get syntax error

There you go. Our first hack. We have successfully bypassed the web authentication and managed to login.

First hack!

Let’s take it to another level. Wouldn’t we be interested to retrieve a list of usernames and passwords?

In our SearchPage, we can search for any book title. For example, I would want to know if the store has “Start With Why” by Simon Sinek. Hence, I search the keyword “why” and application shows there is a result.

Here is how the query looks like:

SELECT * FROM books where NAME LIKE '%why%'

Here is how it looks in our MySQL workbench query window

Let’s change the query by adding some characters to pre-terminate our query and ignore the remaining characters.

SELECT * FROM books where NAME LIKE '%why'; -- %'

As you can visually see, the color of characters changed from orange to blue that denotes remaining characters in blue will be ignored in the query. By pre-terminating the query, we can then inject some sql to it.

Next we are going to inject UNION and SELECT into pre-terminated query to retrieve some information that is related to the database.

SELECT * FROM books where NAME LIKE '%why' UNION (SELECT 1, TABLE_NAME, TABLE_SCHEMA FROM information_schema.tables); -- %'

So basically, we are executing 2 queries. First query allows us to check there is a matching book name. Second query allows us to we get a list of table names with their associated database names (or table_schema) from information_schema.tables. The information_schema basically provides access to database metadata.

More information here: 👉https://docs.oracle.com/cd/E19078-01/mysql/mysql-refman-5.0/information-schema.html

Notice we select 1 in the query. The reason for this is because when we try to UNION 2 tables, the number of columns and types of 2 tables must be the same. Since in first table, the first column is book id which is a type integer, we need to either retrieve integer values or give a dummy integer value. Any mismatch of information will cause an error to be thrown by database.

Let’s type in the code marked in red and yellow in the search box.

The database returns us a bunch of data. Let’s zoom in.

Now, we have spotted some interested table names, which are books, comments and users. The table “books” is probably storing all books information. There is one table name we are most interested which is “users”.

You might think, great, so now we can change the query to select all information from users. But we can’t! Remember the limitation of using UNION, we need to match number of columns and their types. So we need to get the column names of users table.

SELECT * FROM books where NAME LIKE '%why' UNION (SELECT 2, COLUMN_NAME, 3 FROM information_schema.columns WHERE TABLE_NAME = 'users'); -- %'

In this query, we retrieve the column names of table users. In the result below, the column names are id, password, role and username. The ones in upper casing belongs to users table in system database.

Finally, we can send our last query to retrieve all users information.

SELECT * FROM books where NAME LIKE '%why' UNION (SELECT id, username, password FROM users); -- %'

Boom! We have retrieved username and password of all users.

What is Cross-Site Scripting (XSS) ?

XSS is a method that exploits website vulnerability by injecting scripts that will run at client’s side.

XSS is quite similar to SQL injection except instead of using query, we use actual javascript code. We can trick the database to store this script as string. When there is a read request, this script together with other information is sent to the client browser. The browser upon spotted the javascript code will attempt to run it.

Let’s see this in an example. We will be using the last part of the Hackme application which is the CommentPage. This page stores all comments and display them in a table.

In the text box, let’s try to submit the following as comment.

<script>alert(\'Hello From XSS\')</script>

Do take note, if you have single or double quote, you need to have a backward slash prior to those characters.

Cool huh. We just injected a script that makes alert box whenever anyone tries to access comment page. Let’s see what is actually happening. When you submit a script, the database stores everything as a string. Here is the content of the table “comments” in MySQL.

When the database returns the data back to web application, here is how its rendered.

When the browser spots a <script> tag code, it will automatically tries to run it.

Let’s do another example with XSS. We will inject a script that redirects user to a fake login page. Let’s assume this fake login fake is hosted by hacker’s and it looks very similar to the real login page (except for the url). If users failed to see the bogus url address, they will attempt to login and thus the hacker is able to retrieve the username and password. This method is called phishing.

<script type="text/javascript">window.location.href = \"http://localhost:8080/hackme/FakeLoginPage.jsp\"</script>

As you can see here, after successfully storing the script into the database, whenever anyone retrieves the data together with the script, browser will execute the script and redirects them to another page.

Let’s try another scenario where John is already logged in and decided to go to the comments section (with redirect script already injected).

There are ways to prevent all these attacks. This will be covered in next article. Till then, happy hacking! 👻

About the author

Founder of tattweicheah.com. Loves music, sport and most importantly software development.

Leave a Reply

Your email address will not be published. Required fields are marked *