Procedural SQL injection
How do you perform a complete SQL injection test on a web site?
As a penetration tester, I often had to test the security of various sites. One of the problems I have seen during those tests was that the results given by me were not 100% complete. I succeeded in finding many SQL injection bugs but sometimes not all of them. So I have developed a methodology that can be used to do thorough SQL injection tests.
My opinion is that automatic tools cannot find all SQL injection bugs, but only the superficial ones. Their results must be completed by manual tests that exploit the logic of the application and the flow of data within the application.
During the tests I use Paros as the automatic helper tool. It is a very good local web proxy that has MITM, spider and scanner capabilities. The steps to do an SQL injection test are:
- Start Paros and configure your web browser to use it as a proxy (localhost:8080). From now on, every request made by your browser will pass through Paros and you will be able to see it, resend it or modify it (including the “hidden” requests).
- The testing architecture looks like this:
- Start browsing manually the targeted website
- Find as many forms as you can and submit them with random data
- You can use the Site Map (if it exists) to identify the interactive pages (ex. Search, Contact, Feedback, Ask a question) and submit data
- All the requests that you do will be memorized by Paros
- Use the Spider utility from Paros to do an automatic crawling in order to find as many pages as it can from that web site
- Step 2 is necessary because Paros does not always find all the site pages and because it uses the pages already discovered to crawl them too
- Do an SQL injection scan with Paros
- Chance the Scan Policy to include only SQL injection and SQL injection fingerprinting
- Start the Scan
- Paros will try to call all the dynamic pages that it has already found with parameters according to the Scan Policy
- Now comes the part that requires true skills
- Analyse the alerts found by Paros
- See what are the pages and parameters that allow injection
- Reproduce manually the injection
- Try to exploit the bug and find real information from the backed database
- Categorize the vulnerability based on its impact (what can you do with it)
- HIGH – allows extraction of information from the database (in band or out of band)
- MEDIUM – allows the attacker to see application error messages but it is not obvious how it can be used to extract information from the database
- LOW – produces an application dis-functionality but it does not give any error messages nor can be used to extract information from the database
- In order to find other SQL injection bugs, you must understand the logic of the application and try to “reverse-engineer” it. Think about how the programmer wrote the application and identify the vulnerable points.
- Write a detailed report on the vulnerabilities found and the ways they can be exploited in order to affect the information from the database and the functionality of the website.