This is the third in a series of five posts for the vulnerable web application Hacme Books. New posts for WebGoat will post every Monday.
Denial Of Service Attack
Security should provide CIA (Confidentiality, Integrity and Availability). When an attacker attacks a system, he/she compromises one or more of these attributes. Here I will discuss a Denial of Service attack, using SQL Injection as the underlying technique.
The attacker had the information on how to attack Hypersonic SQL (HSQLDB, the database behind the application) before starting the attack, gathered through extensive searches about the target system (Google is the best tool available to hackers). For example, an attacker can search Google for how to shut down a Hypersonic SQL server.
Most SQL Injection vulnerabilities are the result of concatenating user input, taken through the application interface, into SQL statements. Let's see what a normal SQL statement looks like when it includes a value the user supplies at run time:
String Query = "Select * From PRODUCTS Where Criteria = (USER INPUT Keyword)"
The above code takes input from the user and turns the keywords into SQL criteria via some method that iterates over the tokenized input. Because the input is spliced into the statement text, the attacker can insert extra SQL statements.
In this case, since we are mounting a DoS attack, we will insert the SHUTDOWN command. A correct SQL statement generated by the application would look like:
select * from products where title like '%USER KEY WORD%' and like '%USER INPUTTED KEYWORDS%'
Planning the Attack
Now that the attacker knows how the SQL statement is built, he/she can start manipulating the user input that lands inside it. To make it an effective shutdown, the statement should look like:
select * from products where title like '%'; SHUTDOWN; --%' and like '%USER INPUTTED KEYWORDS%'
In SQL the sequence -- starts a comment, so everything after -- is ignored by the SQL interpreter, and executing the query shuts the database down. Here is how I used this to shut down the system and achieve a DoS attack.
DoS Attack using SQL Injection
To start with, just type the payload into the search box. This alone will not cause a DoS, because search engines generally tokenize the input into separate pieces before passing them to methods like createCriteria(). Since we know that a '+' symbol makes the search engine treat the input as one keyword, we tweak the attack by putting a + symbol in the search box. As a result, the SQL injection that works is: ';+SHUTDOWN; --
The application's output should then indicate that the database has been shut down.
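As an added illustration (not code from the post or from Hacme Books), the Python below mimics the vulnerable concatenation pattern and adds a quote-aware check that counts how many statements the assembled SQL actually contains. The function names and the simplified query shape are assumptions, not the application's code; the sample keywords are constructed.

```python
# Added example, not Hacme Books code. Shows why splicing a keyword into the
# SQL text lets the keyword cross a statement boundary, and a quote-aware
# check that counts statements in the assembled query.


def build_search_sql_unsafe(keyword: str) -> str:
    """Vulnerable pattern (assumed shape of the app's query): the keyword is
    pasted straight into the SQL text."""
    return "select * from products where title like '%" + keyword + "%'"


def build_search_sql_safe(keyword: str):
    """Hardened form: fixed SQL text plus a bound parameter. The keyword never
    becomes part of the statement, so it cannot add statements or comments."""
    return "select * from products where title like ?", ("%" + keyword + "%",)


def count_statements(sql: str):
    """Count top-level statements in sql.

    Semicolons inside single-quoted literals ('' is an escaped quote) and
    text after a -- line comment are ignored. Returns
    (statement_count, unterminated_quote); the second value flags a
    literal that was never closed, which the database would reject.
    """
    count = 0
    in_quote = False
    have_text = False  # non-blank text seen since the last ';'
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            if ch == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 1  # '' inside a literal is an escaped quote
                else:
                    in_quote = False
        elif ch == "'":
            in_quote = True
            have_text = True
        elif sql.startswith("--", i):
            # line comment: skip to the end of the line
            newline = sql.find("\n", i)
            i = len(sql) if newline == -1 else newline
            continue
        elif ch == ";":
            if have_text:
                count += 1
                have_text = False
        elif not ch.isspace():
            have_text = True
        i += 1
    if have_text:
        count += 1
    return count, in_quote


def search_input_is_risky(keyword: str) -> bool:
    """Heuristic: flag input that turns the assembled query into more than
    one statement or leaves a literal unterminated."""
    count, unterminated = count_statements(build_search_sql_unsafe(keyword))
    return count != 1 or unterminated


if __name__ == "__main__":
    # Constructed sample inputs, including the post's shutdown payload.
    for kw in ["hacking exposed", "'; SHUTDOWN; --", "o'reilly"]:
        print(repr(kw), count_statements(build_search_sql_unsafe(kw)),
              "risky" if search_input_is_risky(kw) else "ok")
```

The o'reilly case shows why a check like this belongs in monitoring rather than serving as the fix: a legitimate apostrophe trips it just as the payload does. Binding the keyword as a parameter, as in build_search_sql_safe, removes the bug class instead of guessing at it.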
Data Tampering with SQL Injection
Note: For this section you will need a valid user account to continue. Use the Signup link on the main page to create a new user.
The second type of attack I am going to work with is also a variant of SQL injection. This time we will not force a system shutdown but modify the data instead: data tampering. I will add a book title to the website (a book that does not actually exist). This will cause a rather embarrassing situation for the website and online book store.
To modify data within a database table the attacker must know the database schema, that is, the structure of the tables and how the data is organized within them.
To add a new title where none exists, I again used SQL injection, but this time with more detailed information about the database schema.
Modify Data Using SQL Injection
First I search for a title that I know exists; for example, I searched for the book "HACKING EXPOSED" and got its product page.
Now we have to add a new title. Look at the feedback section: a user can leave feedback for the title there. I used the Feedback input box to enter a SQL query that adds a new title to the products table. It is a typical SQL insert query; all we need are the field names and data types so that the row is added without causing any errors during query execution.
Here is the command to use:
my feedback', 735); insert into products (title, description, popularity,
price, vendor, category, publisher, isbn, author, imgurl, quantity)
values ('Eat my shorts you pointy haired boss','A great
Wesley','1234567890123','Disgruntled Employee','http://',1); --
The above query when executed will insert a new book in the table Products with
TITLE – Eat my Shorts you pointy haired boss
Description – A Great Book
Popularity – 4
Price – 29.95
Vendor – Amazon
Category – Technical
Publisher – Addison Wesley
ISBN – 1234567890102
As mentioned earlier, in SQL the sequence -- starts a comment, so everything after -- is ignored by the SQL interpreter. After the injection I search for the newly added title and find the entry for a book named "Eat My Shorts you Pointy Haired Boss".
Search Results for newly added Title
So the purpose of the attack was accomplished: we were able to add a title to the book store's database. The newly added book does not even exist and has an embarrassing title. This will surely make people think twice about purchasing a book from this site, because its integrity has been compromised.
Join us next Monday for the fourth in the series on Hacme Books.