SQL Injection in short

What is SQL Injection?

It is a process of injecting SQL commands to retrieve data from the database that are not normally able to retrieve, it basically consist of SQL query that are injected via the input data from the client to application. This might include data belonging to other users.  SQL injection can exploit sensitive data from database, modify and moreover can delete the database.

Detection

SQL Injection attack can be detected by many ways some of which are listed below:

To check if sites accept SQL - 
Condition: password is known.

Username: (your username)

Password: Your password' and 1=1#  

Condition: password is unknown.

Username: admin

Password: [any alphabet]' OR 1=1#

Input: 'UNION SELECT username, password FROM users--

Example: SELECT * FROM users WHERE username = 'aditya' and password = 'agarwal'

                                                                    Now subverting

SELECT * FROM users WHERE username = 'Administrator'--' AND password = ' '

Types of SQL Injection

1) In-Band SQL Injection

In this type of SQL Injection attack the attacker can both launch the attack and collect result through same channel.

• Error Based: It obtain information about data structure from error messages issued by database servers.
• Union-based: It use 'UNION' SQL operator to aggreate the result of two or more SELECT queries into single result.

2) Inferential SQL (Blind SQL)

In this type of attack attacker will not be able to see the result of attack he has performed.

• Boolean Based Blind SQL: It basically tells 'TRUE' or 'False'. If error occurs then the site is vulnerable to SQL if not then site is safe from this vulnerability.
• Time Based Blind SQL: In this type of attack the attacket sets the time bound, if in that particular time the response comes then it is vulnerable to SQL Injection.

3) Out-of band SQL Injection

It is not a common type of SQL Injection attack, it depends on features of web application's database server.

Remediation

1) Parse the user input and checks the data that user submits.

2) Adopt the latest technologies.

3) Use atrong passwords so that it is difficult to break.

4) Implement firewall.

Clickjacking Attack

 

What is Clickjacking?

Clickjacking, also known as a “UI redress attack” is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website. In simple words, an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

How does Clickjacking work?

Clickjacking works by using an iframe to load a vulnerable website on top of an attacker’s controlled domain.

Severity

Clickjacking based vulnerabilities are one of the simple bugs to find and are classified into two types:

1. Clickjacking on Non-Sensitive Pages
2. Clickjacking on Sensitive Pages

Clickjacking on Non-Sensitive Pages are generally considered as Informational and categorized as P5 vulnerability where-as Clickjacking on Sensitive Pages are categorized as P4. Clickjacking on sensitive pages can also increase the impact of account takeover and hence can sometimes go up to P3 category.

How to demonstrate Clickjacking vulnerabilities

To demonstrate Clickjacking vulnerabilities, we first need to check for X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value “ X-Frame-Options: SAMEORIGIN “. To check if a website has X-Frame-Options set or not simply go to https://securityheaders.com/ Over here simply type-in the website you want to check for and hit Scan Below is an example of a website vulnerable to clickjacking.

Clickjacking on non-sensitive pages

To demonstrate clickjacking on non-sensitive pages replace {URL} with the URL of the vulnerable target in the below HTML file, save and run in the web browser. Take a snapshot as your proof of concept (POC)

<html>

<head>

<title>Clickjack test page</title>

</head>

<body>

<p>Website is vulnerable to clickjacking!</p>

<iframe src=”{URL}” width=”500" height=”500"></iframe>

</body>

</html>

Impact of Clickjacking

Attackers may abuse clickjacking vulnerabilities for many different purposes: 1. To gain followers on social media and then, possibly, sell the social media account/page for mass marketing.

2. To gain email or RSS subscribers for the same purpose as social media followers.

3. To use the fact that the user is logged into their e-commerce account and have them buy products on behalf of the attacker.

4. To have the user unknowingly transfer funds to the attacker.

5. To have the user download malware (e.g. a trojan).

In general, clickjacking uses depend only on the attacker’s imagination and on finding a vulnerable tool page to use for that purpose.

Clickjacking Prevention

Content Security Policy (CSP)

Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS and clickjacking. CSP is usually implemented in the web server as a return header of the form:

Content-Security-Policy: policy

where policy is a string of policy directives separated by semicolons. The CSP provides the client browser with information about permitted sources of web resources that the browser can apply to the detection and interception of malicious behaviors. The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy. The frame-ancestors ‘none’ directive is similar in behavior to the X-Frame-Options deny directive. The frame-ancestors ‘self’ directive is broadly equivalent to the X-Frame-Options same origin directive.

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:

1. DENY , which prevents any domain from framing the content. The DENY setting is recommended unless a specific need has been identified for framing.
2. SAMEORIGIN , which only allows the current site to frame the content.
3. ALLOW-FROM uri, which permits the specified ‘uri’ to frame this page. (e.g., ALLOW-FROM http://www.example.com ).