Friday 12 August 2011

Web and SQL Testing


Know the Trade - Web and SQL Testing
Web Hacking Tips, Tricks, and Techniques
The purpose of attacking a web server is usually one of the following: deface the site, destroy or steal the company's data, take over user accounts, use the compromised site as a staging point for secondary attacks (on its visitors or on other systems it can reach), or gain root or equivalent access to other applications and servers.
Intercepting Traffic with Burp Proxy
Burp Proxy sits between a browser and the web server as an HTTP proxy. It keeps a history of every request and response that passes through it, and it can hold each request (and, optionally, each response) so you can edit it before forwarding it on, or simply pass it through untouched. It does the same for HTTPS: Burp terminates the TLS connection from the browser with a certificate it generates under its own CA and opens a second TLS connection to the real server, so the plaintext is visible and editable in between. The implications should be crystal clear. If you can get someone's browser pointed at your Burp Proxy port, every credential and session cookie they send passes through your hands, whether they are logging in to their bank or checking webmail. The one caveat is that for HTTPS the browser will not trust the certificate Burp presents unless Burp's CA certificate has been installed in it, so the victim sees a certificate warning and has to click through it; many users do. Some applications add client-side obfuscation of passwords on top of the encrypted channel, but frankly that is rare, and banks and other high-profile organizations may require further authentication factors, yet the captured traffic is still an ample bounty, especially if you ARP-spoof the network's proxy server so that every client's browser is sent through you without any reconfiguration on their side.
Database and SQL Injection Attacks
Many web applications rely on a backend database for storage and retrieval. Sometimes a script builds a database query from input supplied through a web page without first checking that the input contains no SQL metacharacters such as quotes. Consider the following PHP example, which might be used to log a user in to a site:
$query = "SELECT * FROM users WHERE username = '{$_POST['user']}' AND password = '{$_POST['pass']}'";
The query is sent to a database holding usernames and passwords, and if a row comes back the script takes that to mean the username and password were both correct. Now consider a username of bob and a password of ' OR '1'='1 (the attacker's opening quote closes the password literal, and everything after it is parsed as SQL). The query becomes the following.
SELECT * FROM users WHERE username = 'bob' AND password = '' OR '1'='1'
Because AND binds tighter than OR, the WHERE clause is read as (username = 'bob' AND password = '') OR '1'='1'. The second half is always true, so the query returns every row in the table, and a script that uses the first returned row logs the attacker in as whichever user comes first, commonly an administrative account. Either way the script is fooled into thinking the user has been authenticated. (The shorter payload ' OR 1=1 works too if it is followed by a comment sequence such as -- that swallows the trailing quote; without it the dangling quote is a syntax error.) Beyond bypassing logins, specially crafted input can be used to read other tables and disclose sensitive data from the database. The fix is never to build SQL text from raw input: use prepared statements with bound parameters, so that input is only ever treated as data and never parsed as part of the statement.
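The following is an added example, not code from the original post: it runs the vulnerable login query and its parameterized replacement against a constructed in-memory SQLite table, using Python's sqlite3 module in place of PHP. The table contents, the function names and the payloads are assumptions for the demonstration. It also goes one step beyond the text by showing a payload in the username field, which selects a chosen account and comments out the password check entirely rather than relying on whichever row happens to come first.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original page.
USERS = [("admin", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    """Mirror of the page's PHP query: input is interpolated straight into the SQL
    text, so a quote in the input changes the structure of the statement."""
    query = f"SELECT username FROM users WHERE username = '{user}' AND password = '{pw}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn, user, pw):
    """Same query with bound parameters: the driver hands user and pw to the engine
    as data, so a quote in the input is only ever compared, never parsed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user, pw)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # A legitimate login works either way.
    print(login_vulnerable(db, "bob", "hunter2"))        # ['bob']
    # The page's password payload, with a closing quote so the statement stays
    # well-formed:  ... AND password = '' OR '1'='1'   -> every row comes back
    print(login_vulnerable(db, "bob", "' OR '1'='1"))    # ['admin', 'bob']
    # Same idea with a comment that swallows the trailing quote:
    # ... AND password = '' OR 1=1 -- '
    print(login_vulnerable(db, "bob", "' OR 1=1 -- "))   # ['admin', 'bob']
    # Attacking the username instead picks a specific account and comments out
    # the password check:  WHERE username = 'admin' -- ' AND password = 'x'
    print(login_vulnerable(db, "admin' -- ", "x"))       # ['admin']
    # The parameterized version is not fooled by any of them.
    print(login_safe(db, "bob", "' OR '1'='1"))          # []
    print(login_safe(db, "admin' -- ", "x"))             # []
    print(login_safe(db, "bob", "hunter2"))              # ['bob']
```

Note that both functions send the same logical query; the only difference is whether the untrusted strings reach the database as part of the statement text or as separately bound values. That is the whole defence, and it is why input "escaping" is the wrong tool: bound parameters remove the parsing step instead of trying to outguess it.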
Web Exploitation Links
The best way to learn more about web hacking is to check out the following links:
