Thursday, April 16, 2015

Security Testing - SQL Injection - @vodQA Singapore

Testing can be really interesting; that realisation happened once again yesterday evening at the vodQA session hosted by Thoughtworks (TW) Singapore.

Prasanna, who works for TW, a very lively and highly experienced professional, led us through what he called the initial 5% of a technique: SQL Injection, commonly used across the world to hack websites, bring them down and more.

We quickly installed a few pieces of software as he suggested, to get our web server and MySQL DB working. Then we installed a quick vulnerable web application to get our hands dirty with SQL Injection. The webpage had a field that was part of a form to submit.

Our first task:
1. Make the application throw an error.

And so on... (cheat sheet)
2. Find out which database is used by the application.
3. Pass queries from the form field to get the number of columns of the table being used.
4. Find out the list of application users.
5. Open a file from the filesystem of the web server (Wow!)
6. Modify the query in the URL to get information about the web application.
7. Write a file to the filesystem of the web server (Really?)
8. Write a shell script to be executed on the web server (to cause damage?)
9. Create a script in Python to perform the steps above.
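
Why task 1 works at all, and what the fix looks like, as an added example that is not code from the session or the original post: it assumes a hypothetical `users` table and uses Python's built-in `sqlite3` in place of the workshop's MySQL so that it runs offline. A legitimate name containing an apostrophe is enough to break the concatenated query and leak the driver's error text, while the parameterized version treats the same value purely as data.

```python
import sqlite3

GENERIC_ERROR = "request could not be processed"

def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def lookup_vulnerable(db, name):
    """The form value is pasted into the SQL text, so it reaches the SQL parser."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return {"ok": True, "rows": db.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Echoing the driver message to the page exposes query syntax
        # and hints at which database engine sits behind the form.
        return {"ok": False, "error": str(exc)}

def lookup_hardened(db, name):
    """The form value is bound as a parameter and is only ever compared as data."""
    try:
        rows = db.execute(
            "SELECT id, name FROM users WHERE name = ?", (name,)
        ).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error:
        # Details belong in a server-side log; the client gets a fixed message.
        return {"ok": False, "error": GENERIC_ERROR}

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "O'Brien"):
        print("input     :", value)
        print("vulnerable:", lookup_vulnerable(db, value))
        print("hardened  :", lookup_hardened(db, value))
```
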

Automated tool to find vulnerabilities of a web application: http://sqlmap.org

A web application available to try your hands: http://testphp.vulnweb.com

A book for more on this and similar: The Web Application Hacker's Handbook