SQL Injection Exploitation: Out-of-Band

Published on 26 January 2021

Out-of-band exploitation refers to exploits where the extracted information is received over a connection other than the one the payload was delivered over. It can be used to bypass defensive technologies as well as complicating the detection and response capability.

SQL Injection can be exploited out-of-band through protocols such as DNS in order to extract database contents. This is particularly useful as an alternative to Time-based exploitation where it can allow for faster extraction.

Read More...

Fixing SQL Injection

Published on 22 January 2021

SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query.

We showed how easy can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.

Read More...

Fixing Cross-site Scripting (XSS)

Published on 25 October 2020

This issue comes about where user supplied input is included within server responses without filtration or encoding.

One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist) which will allow only known good content. For example if your expected input is an integer and the user supplies anything other than an integer you can simply reject that input – and perhaps supply a message to inform the user what the issue is, without including the original payload.

Read More...

Fixing DOM-Based XSS

Published on 25 October 2020

Whilst Reflected and Stored XSS can generally be addressed through server-side user input encoding (such as through the PHP htmlentities() function) or with browser protections such as Content-Security-Policy – this is not sufficient for DOM-XSS.

Read More...

Content Security Policy

Published on 19 October 2020

In our post on Fixing Cross-site Scripting, we recommended the use of Content Security Policy (CSP) to mitigate the effects of this vulnerability. 

It does this by allowing you to set up an allow list of resource locations (such as scripts) for your web pages, and therefore inform the browser to block any scripts that do not come from an authorised source. The problem is, you have to set up an allow list of resource locations, or the resource will be blocked.

Read More...

XXE: XML External Entity Injection

Published on 19 October 2020

XML Entity Injection is a powerful vulnerability that can allow for confidential data theft and in rare cases command execution. It was also often overlooked for a whle - but now it features in the OWASP Top 10 as A4 it's a lot more well known.

Read More...

Becoming a Penetration Tester

Published on 19 October 2020

Breaking into Penetration Testing can be a daunting career move; so in this article we talked about ways you can make your first move towards a career in this industry.

Read More...

Finding SQL Injection

Published on 19 October 2020

SQL Injection is an old vulnerability; first published on Christmas Day 1998 in Phrack Magazine 54. The issue occurs where user supplied input is insecurely concatenated into an SQL query. It generally allows an attacker to perform any of the operations that the database user can execute – such as extracting, changing, or deleting database contents. Rarely, where the database user is highly privileged, this can allow for command execution through features such as the MSSQL xp_cmdshell system stored procedure.

Exploiting the issue manually is often trivial, but there are freely available public exploitation tools available – such as SQLmap.

Read More...

SQL Injection Exploitation: Error-based

Published on 19 October 2020

There are several methods for exploiting SQL Injection vulnerabilties depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place.

These methods are generally broken down into: Error-based, Blind-Boolean, Blind Time-based, Union-Based, and Out-of-Band. Here we’ll be looking at Error-based exploitation.

Read More...

SQL Injection Exploitation: Union-Based

Published on 19 October 2020

UNION SELECT statements can be used for retrieving the results of a second SELECT statement by appending it to the end of another query. This is useful for SQL injection as it allows you to append a query to the end of a query executed by a developer to retrieve arbitrary database contents.

Read More...

Finding DOM-Based XSS

Published on 19 October 2020

We’ve previously written about Reflected and Stored Cross-site Scripting, however this time we want to tackle DOM-Based Cross-site Scripting, or DOM-XSS for short. The exploitation of DOM-XSS is frequently very similar to Reflected Cross-site scripting, were the payload is stored within the URL and exploitation occurs where a user can be tricked into clicking the link, such as through a phishing email – but we’ll break it down step by step.

Read More...

Finding Cross-site Scripting (XSS)

Published on 19 October 2020

Cross-site Scripting (XSS) is a vulnerability that occurs where an attacker could cause a scripting language to execute within another user’s view of a web application. There are three types: Reflected, Stored, and DOM-Based. Finding and exploiting DOM-Based XSS is quite different to stored or reflected, so we’ve separated it into its own article: Finding DOM-XSS.

Read More...

SQL Injection Exploitation: Time-based

Published on 19 October 2020

In terms of crafting payloads, Time-based injection is very similar to Blind-Boolean injection. That is to say that extracting data from the database is generally done one character at a time.

Time-based exploitation uses a function which causes a temporary pause in the database response; these differ depending on the database type but some examples are:

Read More...

SQL Injection Exploitation: Blind-Boolean

Published on 19 October 2020

There are several methods for exploiting SQL Injection vulnerabilties depending on the context of the injection point, any potential filters and Web Application Firewalls (WAF) in place.

These methods are generally broken down into: Error-based, Blind-Boolean, Blind Time-based, Union-Based, and Out-of-Band. Here we’ll be looking at Error-based exploitation.

Read More...