Difference between revisions of "Unsecure Webservices: bWAPP vs. JuiceShop"

From Embedded Lab Vienna for IoT & Security

Revision as of 20:08, 28 January 2020

JuicebWAPP.png

Introduction

The number of users of online services has increased significantly in recent years. Nowadays web applications represent a fundamental part of information technology. Therefore the danger of attacks on the internet is growing and makes so-called penetration tests necessary. A penetration test comprises a series of activities with which security gaps are recorded and identified. In the following seminar paper, two intentionally insecure web services are compared with each other. The focus of the practical part is the testing of the world's most frequently used attack, the SQL injection. In this case attackers take advantage of specific weaknesses in order to gain access to confidential information. A variation of this SQL injection attack is described.

Author

Melanie Kaimer

Web Security Test-Application

Penetration Testing

Penetration testing is a targeted, permitted attempt to penetrate an IT system. The main objective is to detect and eliminate vulnerabilities in order to improve IT security. Vulnerabilities should be identified before they can be exploited. Methods such as SQL injection, XML external entities (XXE) and cross-site scripting (XSS) are very popular among attackers. For web applications, the Open Web Application Security Project (OWASP) offers materials for penetration tests.

SQL Injection Vulnerability

With the growing popularity of the World Wide Web, there was an increasing demand for advanced technology and dynamic websites.

SQL injection is one of the greatest dangers to confidentiality and integrity in web applications and has therefore been included in the OWASP Top 10 list as one of the most common vulnerabilities since the list's introduction. Through an SQL injection vulnerability, attackers can insert their own malicious code into an SQL statement. The practical part of this paper deals with the SQL injection attack. If an SQL injection is applied to a vulnerable page, attackers gain the ability to perform a series of actions. By exploiting this vulnerability, database contents can be added, edited, deleted or read.

bWAPP

The term bWAPP stands for buggy Web Application. bWAPP belongs to the ITSEC-Games project and is a deliberately and extremely faulty web application. It was designed with the goal of improving IT security. Furthermore, it has a gaming character and is meant to add a fun factor to the training.

OWASP Juice Shop

JuiceShopPlattform.PNG

At first glance, the OWASP Juice Shop looks like an inconspicuous online shop for fruit juices. The Juice Shop was designed in 2014 and is a so-called 'online juice shop' for security training. Two years after its creation, Juice Shop was submitted and accepted as an OWASP tool project. This step made the Juice Shop accessible to a large community of users within a very short time.

Practical demonstration Step-by-Step guideline

For the practical demonstration, SQL injection is chosen. This attack method is tested on both insecure web applications to get a clear comparison. SQL injection is one of the most common methods on the OWASP Top 10 list and is therefore considered a very serious threat.

bWAPP Challenge


STEP 1: Select a challenge

The challenge is selected first. Afterwards, the user is redirected to the next web page to be able to execute the challenge.

BWAPPs.PNG BWAPP HackMöglichkeiten.PNG

In order to be able to select a challenge, registration is required. However, users can register with any data they wish. Afterwards, an SQL injection task can be selected from the various 'bugs'. For the selected SQL injection (GET/Search), information about available movies is displayed in a table when a movie title is entered. Here you can search for one or more movies. As a result of the search, the movie details are displayed. If the search button is clicked without entering a search term, all movies are displayed. The set goal is to obtain a user password.

1nebenan.png 2nebenan.png


STEP 2: Try out some SQL-Statements

If you enter a search term such as 'iron', for example, all data will be displayed as follows.

Bild1EingabeIron.PNG

A malformed input such as 1' leads to a syntax error. From this you can see that the URL parameter is definitely vulnerable to an SQL injection:

Bild2SQLSyntaxFehler.PNG


STEP 3: Potential outcomes

After recognizing the syntax error, the URL is edited: action=search is deleted and replaced by order by 1 -- -.

Bild3URLTeilDelete.PNG

Bild4neueURL.PNG

From the output you can see that the URL parameters are definitely vulnerable to an SQL injection.

Bild5ErgebnisURL1.PNG


STEP 4: Trying to find out how many columns are there

Try increasing the number until a so-called 'out of table' error message is displayed. After a short time of trying, increasing the number by 1 each time until the error message appears, it is recognized that there are 7 columns.

Bild6URL.PNG

Bild7.PNG

The attempt to display confidential information begins with an SQL UNION statement. This statement allows the results of two queries to be combined into one result set. First you must ensure that the same number of columns is used as in the original SQL statement.

Bild8URL.PNG

The result shows that column 5 is displayed as a character value in the output.

Bild9ErgebnisURL.PNG

Again, the URL is changed to access the desired password.

Bild10URL.PNG


STEP 5: Further possible results

The result outputs the string bWAPP.

Bild11ErgebnisURL.PNG

From this point on it is possible to display the current database version:

Bild12URL.PNG

Bild13ErgebnisURL.PNG

Table names should be printed:

Bild14URL.PNG

Bild15Ergebnis.PNG


Certain characters of the table should now be printed.

Bild16URL.PNG

Bild17Ergebnis.PNG


Concatenating the table names from the database.

Bild18URL.PNG

Bild19Ergebnis.PNG


In the following step the columns of the 'User' table are output.

Bild20URL.PNG

Bild21Ergebnis.PNG

The goal is to get the password, so the URL is changed so that ideally the login and password of the user are displayed. The result gives some interesting values. The database is exploited by retrieving confidential data. The password value is stored as a hash and cannot yet be read in clear text.
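The URL manipulations of steps 2 to 5 leave a characteristic trail in the web server's access log, which is where a defender would notice them. The following is an added example that is not part of the original article or of bWAPP: a small Python scanner over constructed access-log lines (the /search.php path, the IP addresses and the timestamps are made up) that decodes the query parameters and flags the unbalanced quote, the ORDER BY probe, the UNION SELECT and the comment terminator described in the steps above, then counts repeated hits per source address.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines in Common Log Format; the /search.php path,
# IP addresses and timestamps are made up for this example and retrace the
# probes of steps 2 to 5 (plain search, stray quote, ORDER BY, UNION SELECT).
LOG_LINES = [
    '10.0.0.5 - - [28/Jan/2020:19:55:01 +0100] "GET /search.php?title=iron&action=search HTTP/1.1" 200 5120',
    '10.0.0.5 - - [28/Jan/2020:19:55:09 +0100] "GET /search.php?title=1%27&action=search HTTP/1.1" 200 1034',
    '10.0.0.5 - - [28/Jan/2020:19:56:30 +0100] "GET /search.php?title=1%27+order+by+8+--+- HTTP/1.1" 200 1040',
    '10.0.0.5 - - [28/Jan/2020:19:58:02 +0100] "GET /search.php?title=1%27+union+select+1,2,3,4,5,6,7+--+- HTTP/1.1" 200 2210',
    '10.0.0.9 - - [28/Jan/2020:20:01:11 +0100] "GET /search.php?title=spider&action=search HTTP/1.1" 200 5100',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into its fields and decode the query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs undoes both %27 and '+' encoding, so patterns see the raw SQL text
    rec["params"] = parse_qs(urlparse(rec["target"]).query, keep_blank_values=True)
    return rec


def classify_value(value: str) -> List[str]:
    """Return the injection indicators found in one decoded parameter value."""
    v = value.lower()
    reasons = []
    if v.count("'") % 2 == 1:                    # the 1' probe of step 2
        reasons.append("unbalanced quote")
    if re.search(r"\border\s+by\s+\d+", v):       # column counting of step 4
        reasons.append("ORDER BY column probe")
    if re.search(r"\bunion\b.*\bselect\b", v):    # data retrieval of step 5
        reasons.append("UNION SELECT")
    if "--" in v or "/*" in v:                   # comment that cuts off the rest of the query
        reasons.append("comment terminator")
    return reasons


def scan(lines) -> List[Dict]:
    """Flag every request whose parameters carry at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                reasons = classify_value(value)
                if reasons:
                    findings.append({"ip": rec["ip"], "ts": rec["ts"], "param": name,
                                     "value": value, "reasons": reasons})
    return findings


def suspicious_ips(findings, threshold: int = 2) -> Dict[str, int]:
    """Sources with repeated hits: a single stray quote may be a typo, a
    sequence of probes from one address is an attack in progress."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["ts"], f["ip"], f["param"] + "=" + repr(f["value"]), ", ".join(f["reasons"]))
    print("repeat offenders:", suspicious_ips(scan(LOG_LINES)))
```

Run against the constructed lines, the scanner reports three requests from 10.0.0.5 and none from 10.0.0.9; the ordinary searches for 'iron' and 'spider' carry no indicator.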

Bild22URL.PNG

Bild23PWErgebnis.PNG



STEP 6: Cracking the hashed password with John the Ripper

To crack the hashed password, the next step is to use password cracking software such as John the Ripper. John the Ripper is a popular open source password cracker that combines a number of password crackers in one package. Password hash types are detected automatically and the password is output in clear text.
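Step 6 only succeeds because the stored hash can be recomputed cheaply for every wordlist entry. As an added example (not from the original article, bWAPP or John the Ripper), the following Python code contrasts an unsalted single-round SHA-1 hash, which a precomputed table keyed by hash inverts immediately, with PBKDF2-HMAC-SHA256 using a random per-user salt, where the same password produces a different record every time and every check has to pay the full iteration count. The wordlist and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a cracker's dictionary (sample values).
WORDLIST = ["password", "123456", "bug", "letmein", "bWAPP"]


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one round of SHA-1 with no salt. Every user with the
    same password gets the same hash, and each candidate costs one hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_unsalted(stored_hash: str, wordlist) -> Optional[str]:
    """Inverting an unsalted fast hash needs nothing more than a table keyed
    by hash, computed once and reused for every leaked record."""
    table: Dict[str, str] = {fast_unsalted_hash(w): w for w in wordlist}
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt. The
    record carries scheme, iteration count and salt so it can be verified
    later and the cost can be raised over time."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time; malformed or foreign records never verify."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_records_differ(password: str) -> bool:
    """Two records for the same password never match, so a precomputed table
    keyed by hash is useless against the salted scheme."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    leaked = fast_unsalted_hash("bug")
    print("unsalted SHA-1 recovered from wordlist:", lookup_unsalted(leaked, WORDLIST))
    rec = hash_password("bug")
    print("PBKDF2 record:", rec)
    print("verify correct:", verify_password("bug", rec), "wrong:", verify_password("bee", rec))
    print("same password, different records:", salted_records_differ("bug"))
```

The salt does not make a weak password strong; it removes the shortcut of hashing the wordlist once for all users, and the iteration count makes each remaining guess cost as much as a legitimate login check.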

Challenge1.9bWAPP.png

Juice Shop Challenge

At OWASP Juice Shop there is a separate page where the challenges are listed. You have to find out for yourself how to solve these challenges. If a challenge is solved successfully, a notification appears on the screen.

File:JuiceShopPlattform.png

The following input is used to attempt to log in as admin: ' or true --. Within a short period of time it was possible to log in as admin using this SQL fragment and a randomly chosen password. The SQL condition or true means that the result of the WHERE clause is always true. The double hyphen after it means that all characters following it are treated as a comment. In this case the login worked quickly and without complication.
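Both walkthroughs, the 1' syntax error in the bWAPP search (step 2) and the ' or true -- login in Juice Shop, have the same root cause: user input is pasted into the SQL text. As an added example that is not code from bWAPP or Juice Shop, the following Python script builds an in-memory SQLite database with constructed users and movies tables, shows a vulnerable search and login built by string concatenation next to their parameterized versions, and demonstrates that the inputs from the article break or bypass the vulnerable queries but are treated as plain data by the fixed ones. It assumes SQLite 3.23 or newer, which understands the TRUE keyword.

```python
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the users and movies tables; the
    rows and the placeholder hashes are sample data, not bWAPP's or Juice
    Shop's real content."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, login TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "<hash placeholder>", 1), (2, "bee", "<hash placeholder>", 0)],
    )
    conn.execute("CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER)")
    conn.executemany(
        "INSERT INTO movies VALUES (?, ?, ?)",
        [(1, "Iron Man", 2008), (2, "The Amazing Spider-Man", 2012)],
    )
    return conn


# --- vulnerable variants: the input becomes part of the SQL text ------------

def search_movies_vulnerable(conn, title: str) -> List[Tuple]:
    # A single quote in `title` ends the string literal early, which is
    # exactly why the input 1' produces the syntax error seen in step 2.
    sql = "SELECT id, title, release_year FROM movies WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, login: str, password: str) -> Optional[str]:
    # With login = ' or true -- the WHERE clause becomes always true and the
    # password comparison is commented out, so the first row (admin) is returned.
    sql = (
        "SELECT login FROM users WHERE login = '" + login
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- fixed variants: placeholders keep the input out of the SQL grammar -----

def search_movies_safe(conn, title: str) -> List[Tuple]:
    sql = "SELECT id, title, release_year FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title + "%",)).fetchall()


def login_safe(conn, login: str, password: str) -> Optional[str]:
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


def probe_causes_sql_error(conn, value: str) -> bool:
    """True when `value` makes the vulnerable search fail to parse, the signal
    the article uses in step 2 to conclude that the parameter is injectable."""
    try:
        search_movies_vulnerable(conn, value)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("1' breaks the vulnerable query:", probe_causes_sql_error(db, "1'"))
    print("vulnerable login with ' or true --:", login_vulnerable(db, "' or true --", "x"))
    print("safe login with the same input:", login_safe(db, "' or true --", "x"))
    print("safe search for 1':", search_movies_safe(db, "1'"))
```

The parameterized versions do not escape or filter anything; the database driver receives the SQL and the values separately, so a quote or a comment sequence in the value can never change the statement's structure.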

Juice4.PNG Juice3.PNG

After Login.. Eggy Pic

UserDaten.PNG

Conclusion

Tools like bWAPP and OWASP Juice Shop are very helpful and interesting for trying out hacking tasks at different levels of difficulty in a playful manner. With the unstoppable development of technology and today's abundance of information, it becomes more important to be well informed about the dangers that come with the World Wide Web.

Further information on this article can be found in my paper: seminar paper