Disease Treat

Know About Ulcers Blog

SQL Injection, XML Injection, and LDAP Injection – CompTIA Security+ SY0-401: 3.5


Code injection is
a type of attack where you’re taking your own
code into your own exploit and your embedding it within
an existing data stream. You may be able to do
that from a website. You may be able to do that
by manipulating packets as they’re going by. There’s many different
tools to be able to do that. And there’s many
different types of code that you can use and inject
into a stream of data. This is usually enabled
or it’s something that is available as an
exploit because somebody’s done a bad job of
coding the program. Normally applications
should look at what people
are using as input and clean it up and
make sure that people don’t take advantage of these
injection type vulnerabilities. But if you’re doing
filtering and you’re properly handling the input and the
output from an application, you shouldn’t be able to inject
your own type of information into the middle of that. There’s so many
different data types. People do data injection
of HTML, of SQL traffic, XML, LDAP. There’s many different ways
to put your own little piece of information within a
stream to try to get around some of the security
that might be there. When we think about large
enterprise databases, we usually think about
SQL based databases. This is SQL. The stands for structured
query language. This is a very common
language that many of the largest databases
out there will use. You’ll see this in relational
database management systems. It’s a very, very
common database language and it’s very powerful
database language, which is why we see it in
some of these very, very large databases. Well, one of the
things you can do is inject your own SQL code
into some of these streams and you end up having
the SQL injection. You’re modifying the
actual SQL requests that are being
made to a database. And you’re doing it
through a web front end. Usually you don’t have direct
access to the database. You talk to a web server
behind the scenes, the web server then talks
to the SQL database. But if I can give the web
browser in front of me bad information to give to the
web server, which then gives bad information
to the SQL Server, I can then get information
out of the database that perhaps the developer never
intended me to be able to do. If you look at SQL injection
it’s very prevalent, but there’s other types
of injection as well. For instance XML injection. XML stands for extensible
markup language. It’s a very common format that’s
used these days to transfer information between
point A and point B. We can store information,
transfer information, and it’s a standard format. Because it’s a standard
format there’s an opportunity here to inject my own
type of XML requests inside of that to be able
to change things however I would like to change
them on that web server. Good applications will
validate this XML, badly or poorly programmed
applications will not. And that’s an opportunity
for the bad guy to get into this XML to be able
to have your application do things that perhaps you were
not intending that application to do. Another type of code that
susceptible to injection, we see this often, is LDAP. LDAP stands for lightweight
directory access protocol. It was actually protocol
created a long time ago by the telephone companies,
they need an easy way to access user names, to access
your first name, last name, your address, and
your phone number, and it needed to be
in a massive database. And that’s where, really,
directory access protocol came from. What the lightweight
directory access protocol is what we’ve now used on our
computer systems these days and generally you see this as
name services somewhere but other databases will also use
this LDAP protocol as well. So if I can craft
my own LDAP messages and insert them inside
of an LDAP stream, I may be able to get around a
poorly programmed application. Let’s perform some
SQL injection that’s going to allow me to login
to an administrator’s account without having the
administrator’s password. That obviously would be
a pretty insecure system, and indeed this one we’re
using absolutely is. This is called WebGoat,
these are a series of very, very vulnerable
web applications. You can download WebGoat
from the open web application security project
that’s at www.owasp.org This is a human
resources app and what I want to do is not
login as an employee, I want to login as Neville,
who is the administrator. But to be able to do that,
I need to inject information into the data stream. And I’m going to use an add on
in this Firefox that I’m using. It’s an add on that you
can download and try called Tamper Data. It allows me to modify
information on the screen. Change the way this data is
being seen on the screen. I’m going to make this window
a little bit smaller so we can see what’s going on. What it allows me
to do is as data goes to the web server I can
stop it, modify the data, and then send it on its way. And we can actually do the
reverse in the other direction if we wanted to. I’m going to turn
on the tampering, I’m going to start to tamper. Which means any time I send
information to a web server it’s going to ask if
I want to change it. So I’m not even going to type
in a password for Neville, I’m just going to hit
log on and tamper says, would you like to
continue tampering? Will absolutely, yes, I would. Because as part of this
information in the header and parameters that are sent to
the web server in the password field I’m going to perform
some SQL injection. I’m going to type
in some SQL code here that is going to get around
the very, very bad programming that is on this
particular computer. So there’s the SQL code
that I have in place and when I click OK it’s going
to continue with the tampering. And if you look, I am now logged
in as Neville with full access to everybody’s profiles. It is remarkable and quite
powerful, this SQL injection. And that’s why when the SQL
injection problems occur, they’re usually quite
devastating because they provide so much
access to the database and usually it’s
information that you don’t want the bad
guys to be able to see.

2 thoughts on “SQL Injection, XML Injection, and LDAP Injection – CompTIA Security+ SY0-401: 3.5

Leave a Reply

Your email address will not be published. Required fields are marked *