6. Cyberattack 3 – Web-based Attacks and Ransomware
Cyberattack 3:
Web-based Attacks and
Ransomware
CITS3004
Alvaro Monsalve
1
1. Web-based attacks
1.1. SQL injection
1.2. XSS
2. Ransomware
Agenda
2
• Attacks that are carried out over the web-based
architecture
– E.g., client and server, P2P, etc.
• Servers can be attacked, or become malicious in many
ways
– SQL injection
– Malvertising
– URL Redirection
– Cross-site scripting (XSS)
– Etc…
3
1. Web-based Attacks
• Injection attacks introduce malicious code as an input to
cause harm to the system
• Such attacks include:
– SQL injection
– XPath injection
– BoF
– LDAP injection
– OS Commanding
– Etc.
4
Injections
Database – a domain specific collection of data
Relational database – the primary current model used in database systems
– Utilising relational tables with a row being an instance set of data in some
domain, and a column being a field about that domain
5
Intro: SQL Databases
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
– E.g., the achievements table has two
columns and five rows
– Rows are uniquely identified by the
values in one or more columns (e.g.,
both the Creature_ID and SkillCode
columns identify one row (or instance)
of Achievement)
• Structured Query Language (SQL) is the most prominent of
several query languages for relational database systems
• SQL is powerful, but monolithic, and can be difficult to
generate correct queries for complex questions
• Examples:
SELECT Creature_ID FROM Achievements;
SELECT * FROM Achievements WHERE Creature_ID > 3;
SELECT COUNT(*) FROM Achievements WHERE Creature_ID > 3;
SELECT * FROM Achievements WHERE SkillCode = ‘S’ OR SkillCode = ‘F’;
6
Intro: SQL Database
SQL – Example
SELECT Creature_ID FROM Achievements;
7
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
SQL – Example
SELECT * FROM Achievements WHERE Creature_ID > 2;
8
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
SQL – Example
SELECT COUNT(*) FROM Achievements WHERE Creature_ID > 2;
9
Returns value 2
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
SQL – Example
SELECT * FROM Achievements WHERE SkillCode = ‘S’ OR
SkillCode = ‘F’;
10
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
Achievements
CreatureID SkillCode
1 F
2 S
2 F
3 S
5 C
1.1. SQL Injection (SQLi)
SQLi – inserting malicious SQL code through an
application interface
– Often through web application, but possible with any
interface
• E.g., SQLi through URL
– Example of general issue of interpreter injection (injection
of malicious code into any interpreted language)
11
• Three types of SQLi
– In-band
• Error-based
• Union-based
– Inferential
• Boolean-based blind
• Time-based
– Out-of-band
• Enabled feature-based
12
SQLi
Easiest based on the responses received
(and what we will talk about)
To extract data, but time consuming
Features (i.e., DNS or HTTP requests)
need to be enabled to carry this out
SQLi
• Example SQL injection scenario
– Three-tier application (web interface, application, database)
– Overall application tracks own usernames and passwords in
database (advantage: can manage users in real time)
• Example: table named Users_Table has two columns, username and
password, with example rows being something like:
User1, Password1
User2, Password2
etc…
– Web interface accepts username and password in text fields,
passes these to application layer as parameters
13
14
SQLi
SQLi
• Python code uses the SQLite3 application interface, and
contains a dynamically formed SQL statement:
– String query = “SELECT * FROM Users_Table ” +
” WHERE username = ” + ” ‘ ” + username + ” ‘ ” +
” AND password = ” + ” ‘ ” + password + ” ‘ ” ;
• Note: String values must be single quoted in SQL, so
application provides this for each passed string parameter
• Expecting one row to be returned if success, no rows if failure
• Common variant – SELECT COUNT(*) FROM …
15
SQLi
• Normal (valid) Usage
– Username: User1
– Password: Password1
• Generated SQL query
SELECT * FROM Users_Table
WHERE username = ‘User1’
AND password = ‘Password1’
16
17
SQLi
SQLi
• However, attacker can enter the following into the login fields:
– Username: (any username)
– Password: None’ OR ‘a’ = ‘a
• Then, the query becomes:
SELECT * FROM Users_Table
WHERE username = ‘None’
AND password = ‘None’ OR ‘a’ = ‘a’
• Note: WHERE clause => F and F or T => F or T => T
18
19
SQLi
• What went wrong?
– The server did not check the inputs properly
• Specifically, the control string inputs
– There are many ways that an SQL injection can happen
• Regular inclusion of SQL metacharacters through:
– Variable interpolation (changing the value)
– String concatenation with variables and/or constants
– String format functions
– String templating with variable replacement
• Hexadecimal or Unicode encoded metacharacters
20
SQLi – Prevention
• How to resolve this problem?
– Trial 1: Check content
• Client code checks to ensure certain content rules are met
• Server code should check content as well
• Specifically – don’t allow apostrophes to be passed
– Will solve our specific problem case from before
• Problem: there are other characters that can cause problems
– E.g., — (comment), ; (command separator), % (wildcard) etc.
• Which characters do you filter (blacklist) / keep (whitelist)?
• Which approach is better – blacklisting or whitelisting?
21
SQLi – Prevention
• Any username, password = ’ or 1 = 1 —
– Note: –, as the “to-end-of-line comment” special
character, comments out rest of dynamically generated
SQL command line, including terminating single quote in
application
• Then, the query becomes:
SELECT * FROM Users_Table
WHERE username = ‘hello’
AND password = ‘’ OR 1 = 1 –‘
22
SQLi – Variant 1
Commented out
• Any username, password = foo’; DELETE FROM Users_Table WHERE
username LIKE ‘%
• Then, the query becomes:
• Note: system executes two statements separated by ;
– First query will do nothing
– Second query will delete the data depending on the database type
and the level of privilege of the user 23
SQLi – Variant 2
SELECT * FROM Users_Table
WHERE username = ‘hello’
AND password = ‘foo’;
DELETE FROM Users_Table
WHERE username LIKE ‘%’
• Open DataBase Connectivity (ODBC) application
interface allows shell injection using ‘|’ character
– ‘|shell(“cmd /c echo “ & char(124 & “format c:”)|’
• Similar issue has existed with MS SQL Server
Extended Stored Procedures
24
SQLi – Variant 3
• Second-Order SQL Injection
– Attacker creates account with user = root’–
• Application escapes the special character (apostrophe) and inserts
as root ’’–
– Attacker resets password using an existing application
• System query probably fetches username from database to verify
account exists with correct old password, and then updates the
password for that username
• UPDATE users_table SET PASSWORD= ‘pass’ where username =
‘root’–’
25
SQLi – Variant 4
• PL/SQL Cursor Injection
• Structure
– PL/SQL is a procedural language in Oracle built on top of SQL
– Functions and procedures can be defined which set up cursors that
allow execution of dynamically-defined SQL statements
– Injection techniques can be used with these structures as well
26
SQLi – Variant 5
http://www.davidlitchfield.com/cursor-injection.pdf
http://www.davidlitchfield.com/cursor-injection.pdf
• Blind Injection – finding vulnerability through server responses
• Assume web page that gets press releases from db
– http://www.company.com/pressRelease.jsp?id=5
– This generates:
• SELECT title, description, releaseDate, body FROM pressReleases WHERE id = 5
– What if we send:
• http://www.company.com/pressRelease.jsp?id=5 AND 1=1
• If we get press release 5 back, we just found a vulnerability!
– Now, we can craft an SQL query and send
• http://www.company.com/pressRelease.jsp?id=5 AND user_name() = ‘dbo’
• If you get press release 5, you know that you’re running as user dbo
27
SQLi – Variant 6
• Example:
– http://testphp.vulnweb.com/artists.php?artist=1
28
SQLi – vulnweb example
You should be able to access this page (it is public)
http://testphp.vulnweb.com/artists.php?artist=1
• Test to see if it would be vulnerable to an SQLi
– testphp.vulnweb.com/artists.php?artist=1’
29
SQLi – vulnweb example
Note: %27 is a
single quote
• Discover the number of columns using “order by”
– testphp.vulnweb.com/artists.php?artist=1 order by 1
30
SQLi – vulnweb example
Eventually, you will
discover it fails at 4,
meaning there are 3
columns.
• Discover other table contents
– testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3
31
SQLi – vulnweb example
Now we can port
other schema info to
fields 2 and 3!
• Let’s find out the database name
– testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3
32
SQLi – vulnweb example
The database name is:
acuart
• You can now find many other details of the schema,
such as:
– Version
– Current user
– Table names
– Other table fields
– Etc.
33
SQLi – vulnweb example
• Eventually, find some sensitive info stored
34
SQLi – vulnweb example
Username : test
Password : test
• Prepared Statements
– This is supported by database application interfaces, such as
JDBC
• SQL query is precompiled with placeholders
• Data is added in at run-time, converted to correct type for the
given fields
35
SQLi – Prevention
• For example, if an attacker enters
– Username – asdf’ or ‘1’ = ‘1
• Using the prepared statements will cause the query to
look up the username that matches the entered string
– Exactly the string “asdf’ or ‘1’ = ‘1”
36
SQLi – Prevention
• Issues with Prepared Statements
– Cannot use them in all situations
• Generally limited to replacing field values in SELECT, INSERT, UPDATE,
DELETE statements
• E.g., our use for username field value, password field value
– Example: if we also ask the user for information that
determines the choice of table name, cannot use a prepared
statement
37
SQLi – Prevention
• Additional Precautions
– Do not access the database as a privileged user
• Anyone who gains access will have that user’s privilege
– Limit database user to only what they need to do
• E.g., reading information from database, no insert/update/delete
– Do not allow direct access to database from the Internet
• Require users to go through your applications, so you can better control the
activities
– Do not embed database account passwords in your code
• Encrypt and store them in a repository that is read at application startup
– Do not expose information in error messages
• E.g., do not display application stack traces if error occurs
38
SQLi – Prevention
39
SQLi – Prevention
• Cross-Site Scripting (XSS, CSS etc)
• Exploiting the fact that web browsers can execute commands
– Embedded in HTML page
– Support different languages (javascript, ActiveX, etc)
• Cross-Site means sending foreign script from server to client
– Exploiting servers to send attacker’s malicious script codes to the
client
– Client executes the malicious script on its web browser
• Attacker can execute any commands on the client’s computer
– access credentials, DoS, modify web pages
40
1.2. XSS
41
XSS
https://www.acunetix.com/websitesecurity/cross-site-scripting/
The attacker injects a payload in the website’s
database by submitting a vulnerable form with
some malicious JavaScript
The victim requests the web
page from the website
The website serves the
victim’s browser the
page with the attacker’s
payload as part of the
HTML body.
The victim’s
browser will
execute the
malicious script
inside the HTML
body. In this case
it would send the
victim’s cookie to
the attacker’s
server.
42
Stored XSS – Example
• This scenario is Stored XSS
• Consider the user searching for some items on the site
– Parsed in as: http://site.com/search.php?term=batman
• The implementation of search.php:
Results for :
…
Echo search
term into
response
43
Stored XSS – Example
• Now, consider the following link
– http://site.com/search.php?term=
• What happens when the user clicks the link?
1. Browser goes to malicious.com/search.php
2. site.com returns Results for
3. Browser executes the returned script:
• Send the bad guy cookie for site.com
44
Stored XSS – Example
document
.cookie
Results for