CEH.v10 Hacking Mobile Platforms and SQL Injection
Password Grabbing
'+login+'/'+password+'
Blind SQL Injection: Boolean Exploitation
(sometimes called inferential SQL Injection) this is performed by asking the right questions to the application database
Mobile Anti-Spyware
-Malwarebytes anti-malware mobile tool is a protection against malware, ransomware, and other growing threats to Android devices. Features: o Detects and removes adware and malware o Blocks malware and ransomware automatically o Conducts privacy audit for all apps o Safer browsing - AntiSpy Mobile - FREE Spyware & Malware Remover - D-Vasive Anti-Spy - SpyWare Removal
jSQL injection
A Java application for automatic SQL database injection. It is a lightweight application used to find database information from a distant server. Features o Multiple injection strategies: Normal, Error, Blind, and Time o Multiple injection structures: Standard, Zipped, Dump In One Shot o SQL engine to study and optimize SQL expressions o Injection of multiple targets o Creation and visualization of Web shell and SQL shell o Read and write files on host using injection
App sandboxing
A security mechanism that helps protect systems and users by limiting resources the app can access to its intended functionality on the mobile platform. Often, useful in executing untested code or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites
Rooting Androids using KingRot
A tool used to root android devices. This tool can be used with or without PC. KingoRoot helps users root their Android devices to the following: - Preserve battery life - Access root-only apps - Remove carrier "bloatware" - Customizable appearance - Attain admin level permission
The Network point of attack : SSLStrip
A type of MITM attack in which attackers exploit vulnerabilities in the SSL/TLS implementation on websites. It relies on the user validating the presence of the HTTPS connection. The attack invisibly downgrades connections to HTTP, without encryption,
FaceNiff
Allows you to sniff and intercept web session profiles over the wifi that your mobile is connected to It is possible to hijack sessions only when wifi is not using EAP, but it should work over any private networks
Perform Double Blind SQL Injection—Classical Exploitation (MySQL)
Also called time-based SQL injection In this SQL injection technique, entries are read symbol by symbol. In a typical attack, the functions benchmark() and sleep() are used to process the time delays.
Browser-Based Point of Attackk : Clickjacking
Also known as a user interface redress attack, is a malicious technique used to trick web users to click something different from what they think they are clicking.
Browser-Based Point of Attack : Buffer Overflow
An abnormality whereby a program, while writing data to a buffer, surfeits the intended limit and overwrites the adjacent memory.
zANTI
An android application which allows you to perform following attacks: o Spoof MAC address o Create malicious wifi hotspot o Scan for open ports o Exploit router vulnerabilities o Password complexity audits o Man in the middle attack o DoS attack o Hijack sessions
Union SQL Injection
An attacker combines a forged query with a query requested by the user by using a UNION clause.
Find & Bypass Admin Panel of a Website
Attackers try to find the admin panel of a website using simple Google dorks and bypass the administrator authentication using SQL injection attack An attacker generally uses Google dorks to find the URL of an admin panel
Bypass Website Logins Using SQL
Bypassing website logins is a fundamental and common malicious activity that an attacker can perform by using SQL injection. This is the easiest way to exploit any SQL injection vulnerability of the application. website login forms: o admin' -- o admin' # o admin'/* o ' or 1=1-- o ' or 1=1# o ' or 1=1/* o ') or '1'='1-- o ') or ('1'='1--
Web server-based attack : Cross site request forgery
CSRF attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send unintended malicious requests. The victim holds an active session with a trusted site and simultaneously visits a malicious site that injects an HTTP request for the trusted site into the victim's session, compromising its integrity.
Evasion Technique: In-line Comment
Evasion technique is successful when a signature filters white spaces in the input string Obscures input strings by inserting in-line comments between SQL keywords.
Evasion Technique: URL Encoding
It is performed by replacing the characters with their ASCII code in hexadecimal form preceding each code point with a percent sign "%".
SQL Injection Vulnerability Detection
Function testing -a type of software testing technique, where a software or a system is tested against a set of inputs according to the end user's needs. Fuzzing Testing -It is an adaptive SQL injection testing technique used to discover coding errors by inputting massive amount of random data and observing the changes in the output. Static/Dynamic Testing -Analyzes web application source code
Browser-Based Point of Attack : Framing
Involves a web page integrated into another web page using iFrame elements of HTML
Interacting with File System
LOAD_FILE() -MySQL is used to read and return the contents of a file located within the MySQL server OUTFILE() -n MySQL is often used to run a query, and dump the results into a file.
Countermeasures to Defend Against SQL Injection
Make no assumptions about the size, type, or content of the data that is received by your application Test the size and data type of input and enforce appropriate limits to prevent buffer overruns Test the content of string variables and accept only expected values Reject entries that contain binary data, escape sequences, and comment characters Never build Transact-SQL statements directly from user input and use stored procedures to validate user input Implement multiple layers of validation and never concatenate user input that is not validated Avoid constructing dynamic SQL with concatenated input values Ensure that the Web config files for each application do not contain sensitive information Use most restrictive SQL account types for applications Use Network, host, and application intrusion detection systems to monitor the injection attack
Application-based Point of Attack: Unintended Permissions
Misconfigured apps can at times open doors to attackers by providing unintended permissions.
Transfer DB to Attacker Machine
OPENROWSET on Remote port 80
Apple iOS
Operating system which supports Apple devices such as iPhone, iPod touch, iPad, and Apple TV The user interface is based on the concept of direct manipulation, using multi-touch gestures Applications: Cocoa Touch Media Core Services Core OS
Browser-Based Point of Attack
Phishing Framing Clickjacking Man in the middle mobile Buffer Overflow Data Caching
Interacting with OS
Read/Write System Files from disk Remote shell cmd
Network Reconnaissance
Reverse DNS lookups Reverse Ping OPENROWEST xp_cmdshell
Grabbing SQL Svr Hashes
SELECT password FROM master..sysxlogins Hex each hash
IBM Security AppScan
SQL Injection Detection Tool enhances web application security and mobile application security, improves application security, and strengthens regulatory compliance. Features o Identifies and fixes vulnerabilities o Maximizes remediation efforts o Decreases the likelihood of attacks
Source Code Analysis
Source code review - method that involves systematic examination of the source code for various types of vulnerabilities. - intended to detect and fix security mistakes made by the programmers during the development phase -A type of white-box testing Two types o Static o Dynamic
Testing for SQL Injection
String Concatenation o MySQL - ( concat(,) ) o MSSQL - ( + ) o MS Access - ( & ) o Oracle and PostgreSQL - ( || ) o DB2 - All except & Request Union and Sub-request o All Stored Procedure o Oracle, MSSQL and PostgreSQL - Yes o MySQL, MS Access, and DB2 - No String Comments o MySQL - (-) , (/* */) and ( # ) o MSSQL, Oracle and PostgreSQL - (-) and (/*) o MS Access - none o DB2 - (-)
Blind SQL Injection: Heavy Query
This can be used to perform time delay SQL injection attack without using time delay functions. Newest type of sql attack
Normal SQL Query
This include data selection, data retrieval, inserting/updating data, and creating data objects like databases and tables. Query statements begin with a command such as SELECT, UPDATE, CREATE, or DELETE. SELECT Count(*) FROM Users WHERE UserName='Jason' AND Password='Springfield'
Evasion Technique: String Concatenation
This technique breaks a single string into a number of pieces and concatenates them at the SQL level. attacker uses concatenation to break-up identifiable keywords to evade intrusion detection systems
Jailbreaking - iBoot Exploit
This type of exploit can be semi-tethered if the device has a new bootrom. An iboot jailbreak allows user-level access and iboot-level access. This exploit takes advantage of a loophole in iBoot (iDevice's third bootloader) to delink the code-signing appliance. Firmware updates can patch these types of exploits
Jailbreaking - Bootrom Exploit
Uses a loophole in the SecureROM (iDevice's first bootloader) to disable signature checks, which can be used to load patch NOR firmware. Firmware updates cannot patch these types of exploits. A bootrom jailbreak allows user-level access and iboot-level access. Only a hardware update of bootrom by Apple can patch this exploit.
Jailbreaking - Userland Exploit
Uses a loophole in the system application. It allows user-level access but does not allow iboot-level access. You cannot secure iOS devices against this exploit, as nothing can cause a recovery mode loop. Only firmware updates can patch these types of vulnerabilities
The Data enter/ CLOUD point of attack
Web server-based Database.
NetCut
Wifi killing application that allows the attackers to identify the target devices and *block the access of WiFi* to the victim devices in a network. Block wifi access: 1. download and install NetCut android application on your device 2. launch the NetCut app in the mobile 3. after opening, it automatically scans for all the devices accessing the wifi network and displays the list under CUT tab on the interface 4 identify the target device and tap on it to block the wifi access to the device. The wifi propagation symbol on the left of the blocked device name turns red from blue. You can confirm this by nabigating to the JAIL tab on the interface, where the list of blocked devices will be displayed.
Evasion Technique: Char Encoding
With the char() function, an attacker can encode a common injection variable present in the input string in an attempt to avoid detection in the signature of network security measures. This char() function converts hexadecimal and decimal values into characters that can easily pass through SQL engine parsing. Char() function can be used to inject SQL injection statements into MySQL without using double quotes.
Mole
an automatic SQL injection exploitation tool. uses a command-based interface, allowing the user to indicate the action he wants to perform easily. The CLI also provides auto completion on both commands and command arguments, making the user type as less as possible Features o Supports MySQL, Postgres, SQL Server, and Oracle o Automatic SQL injection exploitation using union technique o Automatic blind SQL injection exploitation o Exploits SQL injection in GET/POST/Cookie parameters
SQL Injection Tools for Mobile
o Andro Hackbar- is a web penetration tool built for Android where you can perform SQL injection, XSS, and LFI flaws o DroidSQLi - is the automated MySQL injection tool for Android. It allows you to test MySQL-based web application against SQL injection attacks. sqlmapchik - is a cross-platform sqlmap GUI for sqlmap tool. It is primarily aimed to be used on mobile devices.
(Bring Your Own Device) BYOD Policy Implementation
o Define your requirement o Select the devices of your choice and build a technology portfolio o Develop policies o Security o Support
Perform Blind SQL Injection
o Exploitation (MySQL) o Extract database user o Extract database name o Extract column name o Extract data from ROWS
iOS Device Tracking Tools
o Find My iPhone -allows you to use another iOS device to track a lost or misplaced mobile, iPhone, iPad, iPod touch, or Mac and protects its data. o Phonty o SpyBubble o GadgetTrak o iLocalis o GPS Tacker by FollowMee o iHound
Mobile Attack Vectors
o Malware o Data Ex filtration o Data Tampering o Data loss
Cloud: Web server-based attacks
o Platform vulnerabilities o Server misconfiguration o Cross site scripting o Cross site request forgery o Weak input validation o Weak input validation o Brute force attacks
SQL Injection Tools
o SQL Power Injector o sqlmap o Mole o jSQL injection
Cloud: Database Attacks
o SQL injection o Privilege escalation o Data dumping o OS command execution
Why are Web Applications Vulnerable to SQL Injection Attacks?
o The database server runs OS commands o They are using privileged account to connect to the database o They have error message revealing important information o No data validation at the server o To much privilege o Implementing Consistent Coding Standards o Not Firewalling the SQL Server
Android Vulnerability Scanners
o Threat Scan o Norton Halt exploit defender o Shellshock Scanner - Zimperium o Hackode o BlueBorne Vulnerability Scanner by Armis o EternalBlue Vulnerability Scanner
The Network point of attack
o Wifi weak encryption/ no encryption o Rogue access points o Packet sniffing o Man in the middle o Session hijacking o DNS poisoning o SSLStrip o Fake SSL Certificates
PL/SQL Exploitation
similar to stored procedure is vulnerable to various SQL injection attacks. Has same vulnerabilities similar to dynamic queries that integrate user input at run-time. Can be exploited in two different ways: -Exploiting Quotes - if an attacker injects malicious input such as 'x' OR '1'='1' into the user password field, the modified query given in the procedure returns a row without providing a valid password -Exploitation by Truncation -An attacker may use in-line comments to bypass certain parts of SQL statement. The attacker uses in-line comments along with username
Evasion Technique: Manipulating White Spaces
technique obfuscates input strings by dropping or adding white spaces between SQL keyword and string or number literals without altering execution of SQL statements. Adding white spaces using special characters such as tab, carriage return, or linefeeds makes an SQL statement completely untraceable without changing the execution of the statement
Jailbreaking iOS
Defined as the process of installing a modified set of kernel patches that allows users to run third-party applications not signed by the OS vendor Jailbreaking provides root access to the operating system and permits downloading of third-party applications, themes, extensions on iOS devices Jailbreaking removes sandbox restrictions, which enables malicious apps to access restricted mobile resources and info
Mobile Pen Testing Toolkit
Hackode - is the hacker's toolbox. It is an application for penetration testers, ethical hackers, IT administrators, and cyber security professionals to perform different tasks such as reconnaissance, scanning for exploits, and so on.
Browser-Based Point of Attack : Data Caching
In mobile devices this stores information that is often required by mobile devices to interact with web applications, thereby saving scarce resources and resulting in better response time for the client application.
Android Trojans
o GhostCtrl malware o Triada o AndroRAT o ZitMo (ZeuS-in-the-Mobile) o FakeToken o TRAMP.A o Fakedefender o Obad o FakeInst o OpFake o Dendroid
SQL Injection Query
An attacker submits a request with values that will execute normally but will return data from the database that attacker wants.
(Bring Your Own Device) BYOD Benefits
o Increased productivity: o Employee satisfaction: o Lower Cost o Work Flexibility
OWASP Top 10 Mobile Risks 2016
1. improper platform usage This category covers misuse of a platform feature or failure to use platform security controls. 2. insecure data storage This category covers misuse of a platform feature or failure to use platform security controls. 3. insecure communication This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, and so on 4. insecure authentication This category captures notions of authenticating the end user or bad session management 5. insufficient cryptography This category is for issues where cryptography was attempted, but it was not done correctly. 6. insecure authorization This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, and forced browsing) 7. client code quality This is the "Security Decisions Via Untrusted Inputs," one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client, which is distinct from server-side coding mistakes. 8. code tampering This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. 9. reverse engineering This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. 10. extraneous functionality Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment
Android Trojans: BankBot
A banking Trojan that is comprised of sophisticated techniques is code obfuscation, payload dropping, and infection mechanism affecting android accessibility service This Trojan spreads by Jewel Star Classic android game application and after installing the app, the user will be tricked to enable malicious service and enter the credit card details.
Pangu Anzhuang
A simple application that allows you to install jailbreak apps for iOS 11.2.1 - iOS 10.2 versions. It is a No PC required jailbreak method. It is an online jailbreaking app installer for latest iOS versions. Anzhuang helps you to install jailbreak apps using the dev code extraction method. Specializes is that it perfectly works with all 64-bit and 32-bit devices. It allows you to install Cydia and popular Jailbreak apps to your latest iOS versions from developer code extraction method
Android Trojans: SpyDealer
A spying Trojan that ex-filtrates the private and sensitive data from 40 adroid applciations including WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo It employees exploits from a commercial rooting app Baidu Easy Root to gain root privilege It abuses the Android Accessibility Service feature It extracts info like phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected wifi info.
Phone/SMS based Point of Attack: SMiShing or SMS phishing
A type of phishing fraud in which an attacker utilizes SMS to send text messages to a victim that contains a deceptive link of a malicious website or a telephone number.
Untethered Jailbreaking
An untethered jailbreak has the property that if the user turns the device off and back on, the device will start up completely, and the kernel will be patched without the help of a computer—in other words, it will be jailbroken after each reboot.
Application-based Point of Attack : Configuration Manipulation
Apps may use external configuration files and libraries, modifying those entities or affecting apps' capability of using those results in a configuration manipulation attack
Application-based Point of Attack : No Encryption/Weak Encryption
Apps that transmit data unencrypted or weakly encrypted are susceptible to attacks such as session hijacking.
Browser-Based Point of Attack : Man in the middle mobile
Attacker implants malicious code into the victim's mobile device to bypass password verification systems that send one-time passwords (OTPs) via Short Message Service (SMS) or voice calls.
Application-based Point of Attack : Escalated Privileges:
Attackers engage in privilege escalation attacks, which take advantage of design flaws, programming errors, bugs, or configuration oversights to gain access to resources usually protected from an application or user.
Phone/SMS based Point of Attack: Baseband Attacks
Attackers exploit vulnerabilities resident in a phone's GSM/3GPP baseband processor, which sends and receives radio signals to cell towers.
Application-based Point of Attack : Dynamic Runtime Injection:
Attackers manipulate and abuse the runtime of an application to circumvent security locks, logic checks, access privileged parts of an app, and even steal data stored in memory.
Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
Attackers use this to their advantage to exploit and infect a mobile device with malware such as viruses and Trojans, or compromise unencrypted data being transmitted across untrusted networks o Bluesnarfing (Stealing Information via Bluetooth) o Bluebugging (Taking Over a device via Bluetooth
Phone/SMS based Attacks
Baseband attacks SMiShing
Android Security Tool: Find My Device
Find My Device helps you easily locate a lost Android device, and keeps your info safe and sound while you look. o Go to https://www.google.com/android/find and sign in to your Google Account -If you have more than one device, click the lost device at the top of the screen -The device gets a notification - On the map, see about where the device is -Pick what you want to do. -If needed, first click Enable lock & erase -Play sound: rings your device at full volume for 5 min o Lock: locks your device with your PIN, pattern, or password o Erase: permanently deletes all data on your device
Android Device Tracking Tools
Find My Phone - anti-theft, device recovery app for Android that helps you find your lost, stolen, misplaced mobile phone or tablet. Where's My Droid - device tracking tool that allows you to track your phone from anywhere, either with a text messaged attention word or through the online control center known as Commander. o Prey Anti-Theft: Find My Android and Mobile Security o iHound o Mobile Tracker for Android o Tech Expert o GadgetTrak Mobile Security o My Device o Lost Android
Mobile Spyware : FlexiSPY
FlexiSpy is the mobile monitoring software used to spy on mobile phones and tablets. It supports Android, iPhone, iPad, PC and Mac and it can silently monitor all communications, locations, and user behavior of a smartphone from any web browser. Features: o Spying On Instant Messages o Call Interception o SMS Tracker o Tap into the Room o Cell Phone Tracker o Spy On Mobile Phones o VoIP Call Recording o Spy Remotely
Examples of Web Apps Vulnerable to SQL Injection
For example, the following text entered into the txtFilter textbox may reveal the names of the user tables in the database: The UNION statement in particular is useful to a hacker because it splices the results of one query into another UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype ='U' -- BadProductList.aspx CertifiedHackerShop.com
HTTP POST Request
HTTP POST Request carries the requested data as a part of the message body. Thus, it is considered more secure than HTTP GET
Security Issues from App Stores
Insufficient or no vetting of apps leading to malicious and fake apps entering app marketplace App stores are common target for attackers to distribute malware and malicious apps Attackers can also social engineering users to download and run apps outside the official app stores Malicious apps can damage other applications and data, and send your sensitive data to attackers
Network Spoofer
Lets you change websites on other people's computers from an Android phone Features: o Flip pictures upside down o Flip text upside down o Make websites experience gravity o Redirect websites to other pages o Delete random words word from websites o Replace words on websites with others o Change all pictures to Trollface oWobble all pictures/ graphics around a bit
Mobile Protection Tools
Lookout Personal - helps to protect your device from security threats, loss, and theft, available for Android and iPhone devices. It provides mobile security, identity protection, and theft prevention in a single app Zimperium's zIPS - is the mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device and application cyber attacks BullGuard Mobile Security - is an app for Android devices that provides total protection for mobile devices and personal data. It delivers complete mobile phone antivirus against all mobile phone viruses
Kaspersky Mobile Antivirus
Mobile antivirus is an Android security app focusing on anti-theft and virus protection for mobile and tablet devices. It is designed to help users find their device, step-by-step, in case if it is lost or stolen. It also protects the device against virus or malware attacks. Features o Antivirus protection o Background check o App Lock o Find my phone o Anti-Theft o Anti-Phishing o Call blocker o Web filter o Android 8 Support o Antivirus Database Expansion
Low Orbit Ion Cannon LOIC
Mobile application that allows the attacker to *perform DoS/ DDoS attacks* on the target IP address. This application can perform UDP, HTTP or TCP flood attacks Features: o Full control over traffic flow o Send data pcket to any IP address o Various methods to send data packets o Retrieve IP address from any real web-address o Send data packets to any port
SQL Injection
Passing SQL cmd through a web application for execution by a backend Database This is a textual language used by a database server. Its used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE. Programmers use these commands to manipulate data in the database server.
Mobile Device Management (MDM)
Provides platforms for over the air or wired distribution of applications, data and configuration setting for all types of mobile devices, including mobile phones, smartphones, tablet computers MDM helps in implementing enterprise-wide policies to reduce support costs, business discontinuity, and security risks It hlpes system administrators to deploy and manage software applocations across all enterprise mobile devices to secure, monitor, manage, and supports mobile devices
Orbot Proxy
Proxy app that empowers other apps to use the internet more privately It uses Tor to encrypt your internet traffic and then hides it by bouncing through a series of computers around the world Attackers can use this application to hide their identity while performing attacks or surfing through the target web applications
The System Point of Attack : Android Rooting:
Rooting allows Android users to attain privileged control (known as "root access") within Android's subsystem. Like jailbreaking, rooting can result in the exposure of sensitive data stored in the mobile device. Allows Android users to attain privileged control within Android's subsystem Rooting progress involves exploiting security vulnerabilities in the device firmware, and copying the subinary to a location in the current process's PATH and granting it executable permissions with the chmod command. process involves exploiting security vulnerabilities in the device's firmware, and copying the su binary to a location in the current process's PATH (e.g., /system/xbin/su) and granting it executable permissions with the chmod command
Android Vulnerability Scanner: X-Ray
Scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. It presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device X-Ray is automatically updated with the ability to scan for new vulnerabilities as they are discovered and disclosed
DroidSheep
Simple Android tool for web *session hijacking*. It listens for HTTP packets sent via a wireless network connection and extracts the session IDs from these packets in order to reuse them. o It can capture sessions using the libpcap library and supports: OPEN Networks, WEP encrypted networks, WPA and WPA2 encrypted networks o ("sidejacking"), using libpcap and arpspoof.
The System Point of Attack : Jailbreaking iOS
The process of removing security mechanisms set by Apple to prevent malicious code from running on the device. It provides root access to the OS and removes sandbox restrictions.
Android Device Administration API
These APIs allow developers to create security-aware applications that are useful in enterprise settings, in which IT professionals require rich control over employee devices. One can use a device administration ("admin") API to write device admin applications that users install on their devices. Policys supported o password enabled o Alphanumeric password required o Complex password required o Minimum length, letters, lowercase letters required in password o Minimum nonletter characters required in password o Minimum symbols, uppercase letters, numerical digits required in password o Password expiration timeout and history restriction o Maximum failed password attempts,inactivity time lock o Require storage encryption Disable camera
Semi-tethered Jailbreaking
This jailbreak has the property that if the user turns the device off and back on, the device will start up completely, it will no longer have a patched kernel, but it will still be usable for normal functions. To use jailbroken addons, the user need to start the device with the help of the jailbreaking tool.
Jailbreaking Techniques
Untethered Jailbreaking Semi-tethered Jailbreaking Tethered Jailbreaking
The System Point of Attack : User-initiated Code:
User-initiated code is an activity that tricks the victim to install malicious applications or clicking links where an attacker can install malicious code to exploit a user's browser, cookies, and security permissions.
Web server-based attack: Cross site scripting
XSS attacks exploit vulnerabilities in dynamically generated web pages, which enable malicious attackers to inject client-side script into web pages viewed by other users. It occurs when invalidated input data is included in dynamic content sent to the user's web browser for rendering.
Browser-Based Point of Attack : Phishing
emails or pop-ups redirect users to fake web pages of mimicking trustworthy sites that ask them to submit their personal information such as usernames, passwords, credit card details, address, and mobile number
Mobile Spyware : mSpy
mSpy is a mobile monitoring and spying application which runs on the target device to log all activities including call log history, GPS location, calendar updates, text messages, emails, web history, instant messenger chats, keystrokes, and so on and also can control applications. This product is useful to monitor versatile online/offline actions of employees and underage children. Features: o Monitor Internet Use (Browsing History, Website Bookmarks, Blocking Websites, Wi-Fi Networks, Keyword alerts) o Access Calendar and Address Book (Calendar Activities, Contacts) o Read Instant Messages (Skype, WhatsApp, iMessage, Social Network, Viber, Snapchat, LINE, Telegram, Tinder) o Control Apps and Programs (Installed Applications, Application blocking, Keylogger) o View Multimedia Files (Photos, Videos) o Remote Control (Device Wipeout, Locked Device, Additional Device Info, Control Panel)
Spy/ MobileSpy! iPhoneOS create files
o *System/Library/LaunchDaemons/com.ms.msd.plist*: this file ensures the msd daemon is run after reboot, and then run permanently. o *System/Library/LaunchDaemons/com.ms.mslocd.plist*: same but for the mslocd daemon. o *User/Library/SMS/sms.db*: this is a SQLite 3 database. messages, the spyware's version, and various internal counters. o *User/Library/CallHistory/call_history.db*: same as sms.db but for call logs. o *usr/libexec/msd*: the main spyware daemon o *usr/libexec/mdlocd*: location manager daemon o var/mobile/.ll.dat
iOS Trojans
o AceDeceiver -capable of conducting MITM attacks on any iPhone and is not limited to jailbroken devices - exploits design flaws in Apple's DROM mechanism o Spy/ MobileSpy! iPhoneOS -This malware allows an attacker to eavesdrop all incoming and outgoing calls, SMS, URLs and GPS position are logged to a remote server on the infected iOS device o DualToy Trojan o KeyRaider o XcodeGhost o AdThief/Spad o Trapsms o iKeyGuard o PawnStorm.B o WireLurker o Ikee/Eeki
Android Security Tools
o Avira Antivirus Security o Avast Antivirus & Security o McAfee Mobile Security & Lock o Lookout Security & Antivirus o Sophos Mobile Security o Malwarebytes for Android o AVG AntiVirus FREE for Android Security 2017 o TrustGo Mobile Security o 360 Security -Free Antivirus,Booster,Space Cleaner o Trend Micro Mobile Security & Antivirus o DroidSheep Guard oBull Guard Mobile Security o AVL Pro
iOS Devie Security Tools
o Avira Mobile Security -provides features such as web protection, identity safeguarding, identifies Phishing websites that target you personally, securing emails, tracking your device, identifying activities, organizing device memory, and backing up all your contacts, and so on for all iOS devices. o Norton Mobile Security o LastPass Password Manager o Lookout for iOS o SplashID Safe Password o Webrrot SecureWeb Browser o Wicker Me
Layers of Apple iOS
o Cocoa Touch: -This layer contains key frameworks that help in building iOS apps. These frameworks define the appearance of app, offers basic app infrastructure, and supports key technologies such as multitasking, touch-based input, push notifications, and many high-level system services. o Media: -This layer contains the graphics, audio, and video technologies that enable multimedia experiences in apps. o Core Services: -This layer contains fundamental system services for apps. Key among these services are Core Foundation and Foundation frameworks (defines the basic types that all apps use). Individual technologies that support features such as social media, iCloud, location, and networking belong to this layer. o Core OS: -This layer contains low-level features on which most other technologies are built. Frameworks in this layer are useful when dealing explicitly with security or communicating with an external hardware accessory.
Application Framework blocks
o Content Providers—Manages data sharing between applications. o View System—For developing lists, grids, text boxes, buttons, and so on. o Activity Manager—Controls the activity life cycle of applications. o Location Manager—Manages location, using GPS or cell towers. o Package Manager—Keeps track of the applications installed on the device. o Notification Manager—Helps applications display custom messages in a status bar. o Resource Manager—Manages various types of resources used. o Telephony Manager—Manages all voice calls. o Window Manager—Manages application windows.
iPhone Pen Testing
o Jailbreak the iPhone -Try to Jailbreak the iPhone using tools such as Cydia, Anzhuang, and so on. o Unlock the iPhone -Unlock the iPhone using tools such as iPhoneSimFree. o Use SmartCover to bypass passcode -Hold the power button of an iOS operating device until the power off message appears. Close the smart cover until the screen shuts down and opens the smart cover after few seconds. Press the cancel button to bypass the password code security. o Hack iPhone using Metasploit -Use the Metasploit tool to exploit the vulnerabilities in iPhone. Try to send malicious code as payload to the device to gain access to the device. o Check for access point -Setup an access point with the same name and encryption type. o Check iOS device data transmission on Wi-Fi networks -Perform MITM/SSL stripping attack by intercepting wireless parameters of iOS device on Wi-Fi network. Send malicious packets on Wi-Fi network using Cain & Abel tool. o Check whether the malformed data can be sent to the device -Use social engineering techniques such as sending emails and SMSs to trick the user to open links that contain malicious web pages.
Jailbreaking Tools
o Keen Jainbreak - unofficial Semi-tethered tool that was released for iOS 11 beta versions o Yalu o Velonzy o Pangu9 Jailbreak o TaiG o Pangu o JAILBREAK o Redsn0w o evasi0n7 o Geeksn0w o Sn0wbreeze o LimeRa1n o Blackra1n
Mobile Device Management Solutions
o MaaS360 - supports the complete MDM lifecycle for smartphones and tablets including iPhone, iPad, Android, Windows Phone, BlackBerry, and Kindle Fire o Citrix XenMobile contains MDM - mobile application management (MAM), mobile content management (MCM), secure network gateway, and enterprise-grade mobile productivity apps in one comprehensive enterprise mobility management solution. o VMware AirWatch o Sicap Device Management Centre o SOTI MobiControl o MobiLock Pro o ManageEngine Mobile Device Manager Plus o MobileIron's Mobile device management o Tangoe MDM
Mobile Platform Vulnerabilities and Risks
o Malicious apps in stores o Mobile malware o App sandboxing vulnerabilities o Weak device and app encryption o OS and app updates' issues o Jailbreaking and rooting o Mobile application vulnerabilities o Privacy issues (Geolocation) o Weak data security o Excessive permissions o Weak communication security o Physical attacks
Additional Mobile Protection Tools
o McAfee Mobile Security o Kaspersky Internet Security for Android o AVG AntiVirus Pro for Android o F-Secure Mobile Security o Avast Mobile Security o Trend Micro Mobile Security for Android o Norton Mobile Security o Comodo Mobile Security o ESET Mobile Security o Bitdefender Mobile Security o Sophos Mobile Security for Android o WISeID
SMS Phishing Countermeasures
o Never reply to a suspicious SMS without verifying the source o Do not click on any links included in the SMS o Never reply to a SMS that requires personal and financial information from you o Review the bank's policy on sending SMS o Enable the "block texts from the internet" feature from your provider o Never reply to a SMS that urges you to act or respond quickly o Never call a number left in a SMS o Do not fall for scams, gifts, and offers that seem to be unexpected o Attackers might send text messages through an Internet text relay service to conceal their identity; thus, it is best to avoid messages from nontelephonic numbers o Check for spelling mistakes, grammatical errors, or language inconsistency in text messages
The System Point of Attack
o No passcode/ weak passcode o iOS Jailbreaking o Android Rooting o OS data caching o Passwords and data accessible o Carrier-loaded software o User-initiated code
Android-based Sniffers
o Packet Sniffer o tPacketCapture o Android PCAP o Wicap. Sniffer Demo [ROOT] o Testeldroid o Postern o WiFinspect [Root] o SniffDroid
Android Phone Pen Testing
o Root an Android Phone -Try to Root an Android Phone to gain the administrative access to the Android devices using tools such as Kingo Android ROOT, TunesGo Root Android Tool, and so on. o Perform DoS and DDoS Attacks -Use tool LOIC, AnDOSid to perform DoS and DDoS attacks on Android phone. o Check for vulnerabilities in Android browser -Check whether cross-application-scripting error is present in the Android browser that allows hackers to easily hack the Android device and try to break down the web browser's sandbox using infected java script code. o Check for vulnerabilities in SQLite -Check whether email password is stored as plain text in the SQLite database and also check whether Skype on Android uses unencrypted SQLite database to store contacts, profile information and instant message logs. o Check for vulnerabilities in Intents -Try to exploit Android Intents to obtain the user's private information. You can use apset tool to detect application's communication vulnerabilities. o Detect capability leaks in Android devices -Use tool Co Checker, IntentFuzzer, and so on to detect capability leaks in Android devices.
Application based Point of Attack
o Sensitive data storage o No encryption/ weak encryption o Improper SSL Validation o Configuration manipulation o Dynamic runtime injection o Unintended permissions o Escalated Privileges
(Bring Your Own Device) BYOD Risks
o Sharing confidential data on unsecured network o Data leakage and endpoint security issues o Improperly disposing device o Support of many different devices o Mixing personal and private data o Lost or stolen devices o Lack of awareness o Ability to bypass organizations network policy rules o Infrastructure issues o Disgrunted employees
Mobile Spyware Applications
o Spyera o Highster Mobile o TeenSafe o MobiStealth o TheTruthSpy o FlexiSpy o mSpy
Android Rooting Tool
o TunesGo—This tool has an advanced android root module that recognizes and analyzes your Android device and chooses the appropriate Android-root-plan for it automatically o One Click Root is Android rooting software that supports the most devices and comes with extra fail-safes (like instant unrooting) feature and offers full technical support. o Unrevoked o MTK Droid o Superboot o Superuser X [Root] o Root Uninstaller o Root Browser File Manager o Titanium Backup Root
Basic Features of MDM software
o Use of a passcode to the device o Remotely lock the device if lost o Remotely wipe data in the lost or stolen device o Detects if the device is rooted or jailbroken o Enforce policies and track inventory o Perform real time monitoring and reportin
General Guidelines for Mobile Platform Security
o Use passcode o Update OS and Apps o Enable remote management and use remote wipe services o Do not allow Rooting or Jailbreaking o Encrypt storage o Perform periodic backup and synchronization o Filter e-mail forwarding barriers o Configure Application certification rules o Harden browser permission rules o Design and implement mobile device policies
Native libraries
o WebKit and Blink—web browser engine to display HTML content o Open Max AL—it is a companion API to OpenSL ES but is used for multimedia (video and audio) rather than audio only o Libc—Comprises System C libraries o Media Framework—provides media codecs that allows recording and playback of different media formats o Open GL | ES—is a 3D graphics library o Surface Manager—meant for display management o SQLite—a database engine used for data storage purposes o FreeType—meant for rendering fonts o SGL—is a 2D graphics library o SSL—meant for Internet security
Acunetix Web Vulnerability Scanner
SQL injection detection tool Vulnerability Scanner provides automated web application security testing with innovative technologies including: DeepScan and AcuSensor Technology. Features : o Crawl and scan HTML5 web applications, and execute JavaScript like a real browser o Detects advanced DOM-based Cross-site Scripting o Provides a stack-trace of the injected DOM-based XSS payload o Checks for blind XSS and XML External Entity Injection (XXE) o Checks for Server-Side Request Forgery (SSRF) and Host Header Attacks o Checks Email Header Injection and Password Reset Poisoning
SQL Injection & Server-side Technologies
Server-side technology smoothly accesses, delivers, stores, and restores information. Include -ASP -ASP.Net -Cold Fusion -JSP -PHP -Python -Ruby on Rails.
SQL Injection Black Box Pen Testing
Detecting SQL Injection Issues o Send single quotes and double quotes can be used as input data to finds where the user input is not sanitized Detecting Input Sanitization o Use right square bracket (the ] character) as the input data to catch instances where the user input is used as part of an SQL identifier without any input sanitization Detecting Truncation Issues o Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page Detecting SQL Modification o Send long strings of single quote characters (or right square brackets or double quotes) o These max out the return values from REPLACE and QUOTEN
Testing MySQL & MSSQL
An attacker can identify blind SQL injection vulnerabilities just by testing the URLs of a target website. For example, consider the following URL: *shop.com/items.php?id=101* The corresponding SQL query is *( SELECT * FROM ITEMS WHERE ID = 101* )* Now, give a malicious input such as 1=0, to perform blind SQL injection *shop.com/items.php?id=101 and 1=0* The resultant SQL query is *( SELECT * FROM ITEMS WHERE ID = 101 AND 1 = 0 )* The above query will always return FALSE because 1 never equals to 0. Now, attackers try to obtain TRUE result by injecting 1=1 *(shop.com/items.php?id=101 and 1=1 The resultant SQL query is SELECT * FROM ITEMS WHERE ID = 101 AND 1 = 1 )* Finally, the shopping web application returns the original items page. With the above result, an attacker identifies that the above URL is vulnerable to blind SQL injection attack.
Export a Value via Regex Attack
An attacker performs SQL injection using regular expressions on a known table to learn values of confidential information such as passwords.
Evasion Technique: Null Byte
An attacker uses null byte (%00) character prior to a string in order to bypass detection mechanism
Even More Countermeasures to defend against SQL
Apply least privilege rule to run the applications that access the DBMS Validate user-supplied data as well as data obtained from untrusted sources on the server side Avoid quoted/delimited identifiers as they significantly complicate all whitelisting, black-listing and escaping efforts Use a prepared statement to create a parameterized query to block the execution of query Ensure that all user inputs are sanitized before using them in dynamic SQL statements Use regular expressions and stored procedures to detect potentially harmful code Avoid the use of any web application which is not tested by web server Isolate the web server by locking it in different domains Ensure all software patches are updated regularly Regular monitoring of SQL statements from database-connected applications to identify malicious SQL statements Use of Views should be necessary to protect the data in the base tables by restricting access and performing transformations Disable shell access to the database Do not disclose database error information to the end users Use safe API that offers a parameterized interface or that avoids the use of the interpreter completely
Out-of-Band SQL Injection
Attackers use different communication channels (such as database email functionality, or file writing and loading functions) to perform the attack and obtain the results difficult to perform because the attacker needs to communicate with the server and acquire features of the database server used by the web application. Attackers use DNS and HTTP requests to retrieve data from the database server
sqlmap
Automates the process of detecting and exploiting SQL injection flaws and taking over the database servers.Python Script, low failure rate and comes with w3af. Most important tool for injection testing/exploitation. Features o Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band o Support to directly connect to the database without passing via an SQL injection, by providing DBMS credentials, IP address, and port and database name o Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns
Evasion Technique: Case Variation
Due to the case-insensitive option of regular expression signatures in the filters, attackers can mix uppercase and lowercase letters in an attack vector to bypass detection mechanism.
Evasion Technique: Declare Variable
During web sessions, an attacker carefully observes all the queries that can help him/her to acquire important data from the database. Using those queries, an attacker can identify a variable that can be used to pass a series of specially crafted SQL statements to create a sophisticated injection that can easily go undetected through the signature mechanism.
Two most common types of In-Based SQL
Error-Based -Attackers intentionally insert bad input into an application causing it to throw database errors. Union SQL - an attacker uses a UNION clause to append a malicious query to the requested query -attacker checks for the UNION SQL Injection vulnerability by adding a single quote character (') to the end of a ".php? id=" command.
Creating Server Backdoors
Getting OS shell o Using Outfile o Finding Directory Structure o Using Built-in DBMS Functions o Creating Database Backdoors -DB triggers
SQL Power Injector
Helps attackers find and exploit SQL injections on a web page. It is SQL Server, Oracle, MySQL, Sybase/Adaptive Server, and DB2 compliant, but it is possible to use it with any existing DBMS when using in-line injection (normal mode). It can also perform blind SQL injection. Features o Create/modify/delete loaded string and cookies parameters directly in the datagrids o Single and Blind SQL injection o Response of the SQL injection in a customized browser o Fine tuning parameters and cookies injection o Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
DB, Table & Column Enumeration
Identify User Level Privilege DB Administrators -include sa, system, sys, dba, admin, root, and many others. The dbo is a user that has implied permissions to perform all activities in the database. Discover DB Structure -Determine table and column names ' group by columnnames having 1=1 -- -Discover column name types ' union select sum(columnname ) from tablename -- -Enumerate user defined tables ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- Column Enumeration in DB o MySQL show columns from tablename o Oracle SELECT * FROM all_tab_columns WHERE table_name='tablename ' o DB2 SELECT * FROM syscat.columns WHERE tabname= 'tablename ' o Postgres SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename ' AND pg_class.oid=attrelid AND attnum > 0
Peform Union SQL Injection
In UNION SQL injection, an attacker uses the UNION clause to concatenate a malicious query with the original query in order to retrieve results from the target database table. Extract Database Name *http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,DB_NAME,3,4-* [DB_NAME] Returned from the serve Extract Database Tables http://www.certifiedhacker.com/page.aspx?id=1 *UNION SELECT ALL 1,TABLE_NAME,3,4 from sysobjects where xtype=char(85)--* [EMPLOYEE_TABLE] Returned from the server Extract Table Column Names *( http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,column_name,3,4 from DB_NAME.information_schema.columns where table_name ='EMPLOYEE_TABLE'--[EMPLOYEE_NAME] Extract 1st Field Data *( http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from EMPLOYEE_NAME -- )* [FIELD 1 VALUE] Returned from the server
Blind/Inferential SQL Injection
In case of SQL injection, no data is transmitted through the web application, and it is not possible for an attacker to retrieve the actual result of the injection; therefore, it is called blind SQL injection. takes longer time to execute because the result returned is generally in the form of boolean. Attackers can steal the data by asking a series of true or false questions through SQL statements. Used when database has custom error messages
Information Gathering Stage
In this stage, attackers try to gather information about the target database such as database name, version, users, output mechanism, DB type, user privilege level, and OS interaction level. 1. Identifying Data Entry Paths - analyze GET and POST requests -Tools- Tamper Data, Burp Suite 2. Extracting Info via Error Messages
Creating DB Accounts
Microsoft SQL Server -exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor', 'sysadmin' Oracle -CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp Microsoft Access -CREATE USER victor IDENTIFIED BY 'Pass123' MySQL -INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123')
Bypass FW
Normalization Blind Injection -one of the easiest way to exploit the vulnerability as it replaces WAF signatures with their synonyms by using SQL functions. The following requests allow an attacker to perform SQL injection attack and bypass the firewall. HTTP Parameter Pollution (HPP) - is an easy and effective technique, which effects both server and client having feasibility to override or add HTTP GET/POST parameters by injecting delimiting characters in query strings. HTTP Parameter Fragmentation (HPF) -is basically used with the idea of bypassing security filters as it is capable of operating HTTP data directly. This technique can be used along with HPP by using UNION operator to bypass firewalls. Signature Bypass -An attacker can transform the signature of SQL queries in such a way that a firewall cannot detect them leading to malicious results.
Exploiting Second-Order SQL Injection
Ooccurs when data input is stored in database and used in processing another SQL query without validating or without using parameterized queries. -The attacker submits a crafted input in an HTTP request -The application saves the input in the database to use it later and gives response to the HTTP request -Now, the attacker submits another request -The web application processes the second request using the first input stored in database and executes the SQL injection query The results of the query in response to the second request are returned to the attacker, if applicable
Extracting Info via Error Messages
Parameter tampering- grouping error, type mismatch, blind injection -Parameter tampering- give the attacker information such as name of the database server, structure of the directory, and functions -Determining Database Engine Type -Determining a SELECT Query Structur -Injections -Grouping errors -Type Mismatch -Blind injection
The System Point of Attack : Carrier-loaded Software
Pre-installed software or apps on devices may contain vulnerabilities that an attacker can exploit to perform malicious activities such as delete, modify, or steal data on the device, eavesdrop on calls, and others.
Application-based Point of Attack : Improper SSL Validation
Security loopholes in an application's SSL validation process may allow attackers to circumvent the data security.
Evasion Technique: Sophisticated Match
Signature matches usually succeed in catching the most common classical matches, such as "OR 1=1".
Cydia
Software application for iOS that enables a user to find and install software packages on a jailbroken iPhone, iPod Touch, or iPad
Android OS
Software environment developed by Google for mobile devices that includes an operating system, middleware, and key applications. Architecture: o System applications o Java API framework o Native C/C++ Libraries o Android Runtime o Hardware Abstraction layer o Linux Kernel
Application-based Point of Attack : Sensitive Data Storage
Some apps installed and used by mobile users employ weak security in their database architecture, which make them targets for attackers to hack and steal sensitive user information stored in them
Two basic types of Source Code Review
Static Code Analysis -This type of source code analysis is performed to detect the possible vulnerabilities in source code when the code is not executing, that is, is static. -source code analysis is performed using techniques such as Taint Analysis, Lexical Analysis, and Data Flow Analysis. Dynamic Code Analysis -analysis, the source code of the application is analyzed during execution of the code. -Is capable of detecting SQL injection-related security flaws encountered due to interaction of the code with SQL databases, web services, and so on.
In-Band SQL Injection
These are error-based SQL injection and UNION SQL injection uses the same communication channel to perform the attack and retrieve the results These are commonly used and easy-to-exploit SQL injection attacks
Perform Error-Based SQL Injection
These messages help an attacker to build a vulnerability exploit request. There is even a potential to create automated exploits, depending on the error messages generated by the database server. Extract Database Name *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int,(DB_NAME))-- )* -Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int. Extract 1st Database Table *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))-- )* -Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int. Extract 1st Table Column Name *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int, (select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))-- )* -Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int. Extract 1st Field of 1st Row (Data) *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int, (select top 1 COLUMN-NAME-1 from TABLE-NAME-1))-- )* -Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type in
Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
Time Delay SQL injection (sometimes called Time-based SQL injection) evaluates the time delay that occurs in response to true or false queries sent to the database A waitfor statement stops SQL Server for a specific amount of time
Evasion Technique: Obfuscated Code
Two ways o Wrapping: An attacker uses a wrap utility to obfuscate malicious SQL query, and then sends it to the database. An IDS signature will not detect such an obfuscated query and will allow it to pass through, as it does not match the IDS signature. o SQL string obfuscation: In the SQL string obfuscation method, SQL strings are obfuscated using a concatenation of SQL strings, encrypting or hashing the strings, and then decrypting them at runtime. -not detected in the IDS signature
Types of Jailbreaking
Userland Exploit iBoot Exploit Bootrom Exploit
Source Code Analysis Tools
Veracode (https://www.veracode.com) RIPS (http://rips-scanner.sourceforge.net) PVS studio (https://www.viva64.com) Coverity Code Advisor (https://scan.coverity.com) Parasoft Test (https://www.parasoft.com) CAST Application Intelligence Platform (AIP) (http://www.castsoftware.com) Klocwork (https://www.klocwork.com) SONAR Qube (https://www.sonarqube.org) Flawfinder (https://www.dwheeler.com) Roslyn Security Guard (https://dotnet-security-guard.github.io) FlexNet Code Insight (https://www.flexera.com) Find Security Bugs (http://find-sec-bugs.github.io) Brakeman (https://brakemanscanner.org) php-reaper (https://github.com) Yasca (http://www.scovetta.com) VisualCodeGrepper (https://sourceforge.net)
Tethered Jailbreaking
With this jailbreak, if the device starts up on its own, it will no longer have a patched kernel, and it may get stuck in a partially started state; in order for it to start completely and with a patched kernel, it essentially must be "re-jailbroken" with a computer (using the "boot tethered" feature of a jailbreaking tool) each time it is turned on.
SQL Injection Detection Tools
o IBM Security AppScan o Acunetix Web Vulnerability Scanner o Snort Netsparker Web Application Security Scanner (https://www.netsparker.com) w3af (http://w3af.org) Burp Suite (https://www.portswigger.net) NCC SQuirreL Suite (https://www.nccgroup.com) N-Stalker Web Application Security Scanner (https://www.nstalker.com) Fortify WebInspect (https://software.microfocus.com) WSSA - Web Site Security Scanning Service (https://www.beyondsecurity.com) SolarWinds® Log & Event Manager (https://www.solarwinds.com) AlienVault USM (https://www.alienvault.com) dotDefender (http://www.applicure.com
Types of In-Based SQL Injections
o Illegal/Logically Incorrect Query o Union SQL injection o Error-Based Injections o System Stores procedure o Tautology - uses OR o End-of-line Command -(--) show as o In-line Command - lots of inputs -This type of injections allows an attacker to bypass blacklisting, remove spaces, obfuscate, and determine database versions. o Piggybacked Query -also known as stacked query -adds addtional code to original
Three Main types of SQL Injections
o In-Based SQL Injection -uses the same communication channels -commonly used -generic error message o Blind/Inferential SQL Injection -Takes longer -results returned in boolean -can't see results o Out-of-Band SQL Injection -Different communication channels -Difficult to perform
Evasion Technique: IP Fragmentation
o Take a pause in sending parts of an attack with a hope that an IDS would time-out before the target computer does o Send the packets in reverse order o Send the packets in proper order except the first fragment which is sent in the last o Send the packets in proper order except the last fragment which is sent in the first o Send packets out of order or randomly
Types of Signature Evasion Techniques
o In-line Comment: Obscures input strings by inserting in-line comments between SQL keywords. o Char Encoding: Uses built-in CHAR function to represent a character. o String Concatenation: Concatenates text to create SQL keyword using DB specific instructions. o Obfuscated Codes: Obfuscated code is an SQL statement that has been made difficult to understand. o Manipulating White Spaces: Obscures input strings by dropping white space between SQL keyword. o Hex Encoding: Uses hexadecimal encoding to represent a SQL query string. o Sophisticated Matches: Uses alternative expression of "OR 1=1". o URL Encoding: Obscure input string by adding percent sign '%' before each code point. o Case Variation: Obfuscate SQL statement by mixing it with upper case and lower case letters. o Null Byte: Uses null byte (%00) character prior to a string in order to bypass detection mechanism. o Declare Variables: Uses variable that can be used to pass a series of specially crafted SQL statements and bypass detection mechanism. o IP Fragmentation: Uses packet fragments to obscure attack payload which goes undetected by signature mechanism.
More Countermeasures to Defend Against SQL Injection
o Perform automated blackbox injection testing, static source code analysis, and manual penetration testing to probe for vulnerabilities o Keep untrusted data separate from commands and queries o In the absence of parameterized API, use specific escape syntax for the interpreter to eliminate the special characters o Use a secure hash algorithm such as SHA256 to store the user passwords rather than in plaintext o Use data access abstraction layer application to enforce secure data access across an entire o Ensure that the code tracing and debug messages are removed prior to deploying an application o Design the code in such a way it traps and handles exceptions appropriately