TGIMBA Security – SQL Injection

Any self-respecting developer and/or information technology professional takes security seriously.  However, this is a huge, huge (did I say huge?!?) field.  It encompasses networks, software, hardware, physical locations, people, etc.  Since I am nuts about software, it seems like I should focus on security that involves software development 🙂

So, I took my flagship project ‘TGIMBA’ (http://www.tgimba.com) and created a project to stage mock attacks against it, both to test its security and to learn the various attacks and how to prevent them.  I have placed the project on GitHub and will add new simulated attacks as I learn them.

Setup to run includes:

  • Get source code from GitHub
  • Create database (you will need SQL Server installed locally as well as SSMS)
    • run CreateDb.sql
    • run CreateSchema.sql (be sure to have ‘BucketList’ db selected from list in the query window)
    • run TableCreates.sql (be sure to have ‘BucketList’ db selected from list in the query window)
  • Install Firefox (for Selenium tests)
  • Update the Windows Communication Foundation (WCF) URL when you run the TGIMBA Services project (update WCF Reference in the app.config)
  • Update the Web API URL in Program.cs to match your localhost URL
  • Make sure that the TGIMBA project is set to run in test mode (in both the TgimbaWeb web.config and Services app.config)

NOTE: SQL files are in the ‘SQL’ folder on the ‘SimulatedAttacks’ code project.

Before going on, I want to say that my simulated cyber attacks project is only intended as a learning tool and should only be run against localhost.  It should never be used against external sites.  It should never, never (did I say never?!?) be used to stage an actual attack.

There are many good sources, but the best place to start that I have found (so far) is https://www.owasp.org/index.php/Main_Page.  I had already created this project before I started the blog, so I will be using the current code base as is for the first two entries.  This first entry will be on SQL Injection.

According to Wikipedia, SQL Injection is “a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)” (https://en.wikipedia.org/wiki/SQL_injection).

To start my simulated attacks, I compiled a list of commonly used injection strings from the OWASP website.  Then, I just iterated through each one, hit each of my WCF methods with it and watched the result.  One effect that I noticed (and have fixed) was that the registration value validation existed on the client, but I never ported it to the WCF service.  For each attack, the service happily registered the attack string as a legitimate user…doh!  Client-side validation is a usability feature, not a security control; the service has to validate on its own.  Security testing really does work 🙂    Additionally, I realized that to be attackable (at least in this case), the WCF service can’t be embedded in my website like I have done so far.  For testing purposes, I have placed a copy of the WCF service alongside the existing website.

Then, I took the same list and with the help of Selenium (http://www.seleniumhq.org/), I staged the simulated attacks against the login page since this is the first page anyone would see.  I didn’t see any issues with the web page, so I then created a Web API project with the same WCF access methods to TGIMBA and added a class to simulate attacks against it.  I also didn’t find any issues.

When running ‘SimulatedAttacks’ against TGIMBA localhost, please note that you can’t run all of the attacks at the same time.  Run the Web Page/Web API attacks first and then the WCF attacks.  I have Web Page/Web API attacks ready to run and the WCF attacks commented out in the checked in version on GitHub.

For the most part, using parameterized SQL queries is the best defense against SQL Injection: the statement text is fixed and the user-supplied values are sent separately, so a quote or a comment marker in the input is treated as data rather than parsed as SQL.  The one caveat is that this only holds if the input is never concatenated into SQL text anywhere, including dynamic SQL built inside a stored procedure.  The analogous defense for cross-site scripting, HTML-encoding output instead of parameterizing queries, will be the next blog post in this series.
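To make the fuzzing loop from the earlier WCF testing and the parameterized fix concrete, here is an added example; it is not TGIMBA’s code and not part of the original post.  It assumes an in-memory SQLite database (instead of SQL Server) with a constructed Users table, a constructed list of classic injection strings standing in for the OWASP list, and hypothetical function names (login_vulnerable, login_safe, fuzz_login, register_validated).  The login built by string concatenation is deliberately vulnerable; the parameterized one beside it is the fix, and the registration function shows the server-side validation the post found missing.

```python
import re
import sqlite3

# Constructed sample of injection strings of the kind iterated over above.
# Stands in for the OWASP list; not the post's own list.
INJECTION_PAYLOADS = [
    "'",
    "' OR '1'='1",
    "' OR '1'='1' --",
    "admin' --",
    "'; DROP TABLE Users; --",
]

# Assumed whitelist for user names (hypothetical, chosen for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db():
    """Constructed test database: two users, plaintext passwords for brevity
    only (real code stores a salted hash, never the password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'secret')")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: values are spliced into the statement text,
    so quotes and comment markers in the input become part of the SQL."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName = '" + username +
           "' AND Password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except (sqlite3.Error, sqlite3.Warning):
        # A syntax error on a lone quote is itself a tell-tale sign of
        # injection. Python's sqlite3 also refuses the stacked DROP TABLE
        # payload; SQL Server executes batches, so there it would run.
        return False


def login_safe(conn, username, password):
    """Parameterized fix: the statement text never changes and the values
    travel separately, so a quote in the input is just data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?",
        (username, password)).fetchone()
    return row[0] > 0


def fuzz_login(login_fn, conn):
    """Try every payload in each field and return the (field, payload) pairs
    that logged in without valid credentials. Trying both fields matters:
    ' OR '1'='1 only bypasses from the password field, because AND binds
    tighter than OR; the -- variant bypasses from either field."""
    bypasses = []
    for payload in INJECTION_PAYLOADS:
        if login_fn(conn, payload, "wrong-password"):
            bypasses.append(("username", payload))
        if login_fn(conn, "nobody", payload):
            bypasses.append(("password", payload))
    return bypasses


def register_validated(conn, username, password):
    """Server-side whitelist check, the thing the post found missing from the
    service: reject the name instead of creating a user called ' OR '1'='1."""
    if not USERNAME_RE.fullmatch(username):
        return False
    conn.execute("INSERT INTO Users VALUES (?, ?)", (username, password))
    conn.commit()
    return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed by:", fuzz_login(login_vulnerable, db))
    print("parameterized login bypassed by:", fuzz_login(login_safe, db))
    print("register(\"' OR '1'='1\") accepted:",
          register_validated(db, "' OR '1'='1", "pw"))
```

Running it shows four bypasses against the concatenated query and none against the parameterized one, and the registration whitelist refuses the injection string while still accepting an ordinary name.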

Stay tuned!
