 So we're looking at the top 10 risks for web applications as denoted by OWASP, this organization. And in the previous lecture we looked at some simple risks, but today we'll try and demonstrate some of the more complex ones. And let's look at them. First one, we'll try and do what's called injection or specifically regarding on an SQL based website, SQL injection. So to understand this attack we need to understand a little bit about what that web application does. So let's use it and let you try and use the web application and then we'll look at some of the code and then we'll do the attack. So node one is our web browser, our normal web browser and for this attack we can, we'll just use a simple text based web browser. We'll use Firefox later. And to access the website, we'll use links and the domain of the website which is actually node four is MyUNI. So you should do this.edu and slash grades. So it's the grading system for at my university and you can log in. There are two users, there's two student users. The one that we'll start with is what five followed by nine zeros. It's like the SIT student ID but it's just five followed by nine zeros, five zero, then eight more zeros. And there's another one, five zero, then one through to eight. What's their passwords? Anyone want to guess? You'll try and guess, okay? Try and guess their passwords. So access the website, what's happened? Yours should work, correct? Mine didn't because I forgot to run a command. What I've done already on yours is deployed the web demos. So I've already set up the nodes. You don't have to do this because we've already done it for you. But these nodes, some of them run web servers so I need to deploy the web servers. Which just installs the web servers on node four and five and sets up a few other things. So you don't need to do that now, I've done it already. Let's try. Can anyone get to the website? Okay, and log in. Log in as one of the student users and just explore. 
To follow links in links, just use your arrow keys or the enter key. To follow a link and up and down to move between the links. So let's try this user. And the password, there's nine zeros, five followed by nine zeros. Those user names and passwords are actually listed in the ITS 335 notes. The password is student and log in. And it'll prompt you down the bottom. Do you want to allow the cookie? And yes, or I'll do A for always so it doesn't prompt me again. A for always. And the website eventually, the web server redirects me to the welcome page and I can view the grades, view my own grades. I can optionally specify a course code. I could try a different student ID, but the web system set up such that I cannot view the grades of other students. That's the goal. You can try it. Okay, try a different student ID, but it should return an error saying you cannot access those grades. We'll see that later. And submit. So this tries to see my grades for ITS 335 and it shows me B+. So just explore the website a little bit and now we'll look at the code of the web server. Let's try and view someone else's. We shouldn't be able to. If we view the grades again and if I change that, the other student is 1234567850 by 1 to 8. So I'm logged in as the all zeros student, but I'm trying to see another student's grade. Submit. No, you cannot. You can only view your own grades. So there's some authentication mechanism implemented in the website to try and check that the user logged in has a particular ID. They can only view the grades for that particular user. So what we would like to do as a particular student to defeat the security of this web application, we would like to see other students' grades. If we can, then we've performed some successful attack. So if our user can see other students' grades, then we have a problem. So let's try. And before we try the attack, let's have a look at the source code of the application. So if you move to node 4, that is the web server. 
So if we, on node 4, if we change into the directory which has the web pages slash var slash www and then slash grades, this is the website. And if you ls, you'll see a bunch of files, some HTML files like the, some of them are just instructions. These help files are just instructions. The index page and a lot of them are PHP. So they implement the web application. There's some configuration of the database, viewing the grades, view.php. There's one we'll use later, update grade. If the faculty member wants to change a student's grade, they can do so, query and so on. If you want to see the source, I would like to know the URL of this view grades. And to view the source of the page, you press backslash, not forward slash, backslash. And it will show you the source code. And if you look through there, it's not so easy to see, but I can notice that the link view grades, so backslash key in links will show you the source code. The thing that I'm interested in is that the query.php, the query.php is the one that shows me the grades. It submits a query to the database. Backslash is the one leaning back at the top. It's above the enter key. And if you want to go back to the HTML, press backslash again. But the point is that I'm looking for the query.php code. So on our server, let's have a look at the code and see how someone implemented this query. So open up query.php in your editor while it is here. The color coding is not so good. I'll just change back to the original just for a moment so I can see everything. This is the code for doing the query. And we will not go through all of it, but just a little bit. So these two lines just include some of the other functions. So include the code that creates the header of the file and the footer and includes the code to do logins. This if-else statement is a check if the cookie is set for that username. So the cookie parameter is provided by PHP. 
And if the current ID matches the username in the cookie, remember the way that cookies work is that the browser sends the cookie value to the server. And we saw yesterday that the cookie value includes the username. So when I log in as the all zeros user and I send a request to the server, the username value should be this five zero and eight more zeros. So this is the checking that we're checking that the current ID or setting the current ID to the logged in user. So current ID in our case would equal to five followed by nine zeros. This checks if that user is logged in. So if the server knows that this user, five followed by nine zeros is currently logged in from the previous login webpage, then there's a form. So the view grades, you notice that you can specify the student ID and the course code. And that's the form here, the student ID and the course code. And when someone presses the submit button, it calls the view.php code. Okay, so we'll look at that in a moment, view.php. And it posts. So this is what we call a HTTP post message. It will send the values of these form fields in the request to the server. So now let's look at view.php. And the values will see there should be a value of ID and course. ID will be the student ID in that field in the form and course will be the course that they typed in. So let's close this and look at view.php. That's the code that shows the grades. So it will do an SQL query to extract the grades from a database and show them on the webpage. There's some code to check that this user is logged in. And this is extracting the... from the post request that the web server receives, there should be an ID field and we'll set that to the variable ID and there should be a course field. We'll set to the variable called course. So the way that the code works at the server is when someone submits the form, it sends a post message to the server and the server extracts those two fields from the post message. 
There's some debugging code, not so important. The faculty member is not so important at this stage. Let's go to the general code. Let's find it. The query. Let's find the SQL query. It is here. This is the query. So there are two cases. If the course code is empty, it will do one query. If it's not empty, it will do the second query. If you know SQL, we can select from the database. And if we have a look at that query, the first one says, select everything from course grades where the student ID in the table is equal to the ID in the post request. So when someone enters the ID in the form field, it will be used in the SQL query and ordered by course code and student ID. So that's when there's no course entered. When there is a course code entered, the query is select everything from course grades where student ID matches the ID in the form and course code matches the course in the form. The web form has two fields, ID and course code. So the values of those two fields will be used in the query at the web server. So when we switch between them, when we search again just for our own grades and ITS 335, those two values will be used in that SQL query when we press submit and it shows us our own grades. Now how can we use this in an attack? An SQL injection attack, or an injection attack in general, is really sending data to the server to get the server to do something unexpected. And here we're going to send some data to the server and get the server to show us the grades of other students. I shouldn't be able to see the grades of other students. And the way that we'll do it is take advantage of the poor coding of the web application. And looking at the query here, and we'll show you how to do it and then we'll explain. So normally we just specify the course code, ITS 335. But the attacker, what they're going to do is add some other options here in this input. So what I'll do is say, ITS 335, close that string. And with SQL we can do AND. 
So when you create a query you can do this condition and this condition, or ORs, this condition or this condition. So what we're going to do is search for course code ITS 335, OR. And remember with OR, either of those conditions need to be matched to be returned true. We'll create a special case which will always return true. OR 1 equals 1. When does 1 equal 1? Always. So this SQL condition here compares 1 to 1. And 1 to 1 is 1 and 1 are always equal. So this condition will return true. So true OR something will always return true. True OR false is true. True OR true is true. So it doesn't matter what the previous condition is, this query is always going to return true. Now what happens? So let's submit that and see what happens. I now see the grades of all students. I'm logged in as the student 5 with all zeros. The system should be set up such that I can only see my own grades. But by submitting that course code, that special string, I've done an attack where I can now see the grades of my grades for the two courses plus the grades of the other student. So this has compromised the security of our web application. How did it work? Again, let's look at this and look at it from the web application perspective. I'll copy that and see what from the web application perspective what it becomes. So in our query, and I'll just wrap this across some lines so it's a bit easier to see. You don't need to do this. So that's the original query. Select everything from course grades where student ID equals the value submitted. What was the value submitted? 5 followed by 9 zeros. So when the query is executed, it will be replaced with that value. What was the value of course? Well that string we entered, I'll paste it here, it was that ITS 335 single quote or 1 equals 1. So we replace that variable with the value that was submitted. And now look at the query. Select everything from course grades where student ID equals this and course code equals ITS 335 or 1 equals 1. 
Of these three conditions, student ID and course code or 1 equals 1, 1 equals 1 is true. So if we OR with true, it will return true. So in effect it's not checking these first two conditions. The logic is that it will select all rows from that table. And that's what we get when we submit. It sends that value to the web application, it executes the query and the query returns all rows from the table including those grades for other students. So this is an example of a SQL injection attack. Don't think injection means injecting data into the database, it means sending something to the server to get the server to do something different, unexpected. Here we're sending a string to the server and we know that that string is used in the query to extract data from the database. So the unexpected thing is that we get to view the grades of other students. Any questions on this injection attack? So I created a query or I created that course code in a special way such that I knew that it would cause the web server, the application to return unexpected data. And this is a common way to do an SQL injection, just attach this OR one equals one because it always returns true. How do you prevent that attack? How would you create your web application such that that attack is not possible? What would you try to do? There are different ways, but a simple way for this application, any suggestions? Look at the web browser, look what the attacker had to do. They submitted a value for the course code, which wasn't really a course code, it was some string which contained the special SQL characters, so the single quotes or and so on. One simple way to prevent such attacks is to check the input when someone submits something. So what happened is that the user on the web browser submitted some string in the value of course code. But we know when we create the web application that the course code should never be this string. There's no such course code. 
Course code should be limited to say six characters, maybe five also for SIT, and some structure that is the first two or three characters from A to Z and the last three are numbers. A course code never contains a single quote. It never contains an equal sign. So one way to prevent such attacks is in your application when someone submits data to validate that data. If we go back to the code of the server, this is where the view.php code receives the data. So post, actually the post course one, try to sit down the front, it may be a little bit easier. Those two computers, another one or close and in a couple of minutes we'll come and explain how to set up. Let's finish this attack on SQL injection and we'll give you a chance to do another one. So this variable post course takes the value of whatever the user enters in the form. And in our application all we do is we take those values as is. The validation of what that value is. What I really should do here is check. Does this variable contain only the characters that I expect? If it contains a single quote or an equal sign, reject that. Don't process it. Don't use it in the query. So what you should do whenever someone submits data to your website, validate that data. Input validation it's called. Just check that the data that is submitted is of the format that you expect. In this case with a course code we know that it should be of a particular format. Similar with a student ID. The student ID should not contain any letters. We know the particular format so that our web application should validate the input before it uses that. And that's a common thing to do to solve many web attacks. Input validation. If someone sends something to your server, check it. Don't trust them. Because if you trust them, then they may do something like this. Send some string which causes your web application to do something unexpected. 
There are other ways to prevent SQL injection and there are many programming environments like PHP, Java, ASP and so on provide some different APIs that will do the validation for you or ensure that you or make it very hard for someone to submit unexpected data. So there are some ways to implement your application that make it safer and less likely for injection attacks to work. But injection is listed as number one in security risks. It's quite easy to do if the website is poorly coded and this demo website is poorly coded. It was written by me. So be careful with first thing, input validation and even better, use the features of the language that you're using to support your web application.
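To make the query rewriting in the demo and the two defences at the end concrete, here is an added Python/SQLite example (not the course's PHP code): the concatenated query of view.php beside an input-validated, parameterised version. The table, the sample grades, the exact course-code and student-ID formats are assumptions, and the course-code input from the lecture is written with its quotes balanced so the resulting SQL stays well formed.

```python
import re
import sqlite3

# Constructed sample data modelled on the lecture's grading system (not the
# course's real database): two students, two courses each.
ROWS = [
    ("5000000000", "ITS335", "B+"),
    ("5000000000", "ITS413", "A"),
    ("5012345678", "ITS335", "C"),
    ("5012345678", "ITS413", "B"),
]

# The lecture's course-code input; the query becomes
#   ... AND coursecode = 'ITS335' OR '1'='1'   (AND binds tighter, so every row matches)
PAYLOAD = "ITS335' OR '1'='1"

def make_db():
    """In-memory SQLite table standing in for the coursegrades table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coursegrades (studentid TEXT, coursecode TEXT, grade TEXT)")
    conn.executemany("INSERT INTO coursegrades VALUES (?, ?, ?)", ROWS)
    return conn

def vulnerable_query(conn, student_id, course):
    """Same shape as view.php: the two form values are pasted into the SQL text."""
    if course == "":
        sql = ("SELECT * FROM coursegrades WHERE studentid = '" + student_id
               + "' ORDER BY coursecode, studentid")
    else:
        sql = ("SELECT * FROM coursegrades WHERE studentid = '" + student_id
               + "' AND coursecode = '" + course + "'")
    return conn.execute(sql).fetchall()

# Input validation: letters then digits for a course code, digits only for a
# student ID (lengths are an assumption). A quote or '=' can never get through.
COURSE_RE = re.compile(r"^[A-Z]{2,3}[0-9]{3}$")
STUDENT_RE = re.compile(r"^[0-9]{10}$")

def is_valid_input(student_id, course):
    return bool(STUDENT_RE.match(student_id)) and (course == "" or bool(COURSE_RE.match(course)))

def parameterised_query(conn, student_id, course):
    """The database API binds the values itself, so a quote in the input is just a
    character inside the course code and is never parsed as SQL."""
    if course == "":
        sql = "SELECT * FROM coursegrades WHERE studentid = ? ORDER BY coursecode, studentid"
        return conn.execute(sql, (student_id,)).fetchall()
    sql = "SELECT * FROM coursegrades WHERE studentid = ? AND coursecode = ?"
    return conn.execute(sql, (student_id, course)).fetchall()

def safe_query(conn, student_id, course):
    """Both defences together: reject malformed input first, then bind parameters."""
    if not is_valid_input(student_id, course):
        raise ValueError("rejected: not a student ID / course code")
    return parameterised_query(conn, student_id, course)
```

Run `vulnerable_query` and `parameterised_query` with `PAYLOAD` as the course: the first returns all four rows, the second returns none, and `safe_query` refuses the input before any query is built.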