1
00:00:00,090 --> 00:00:03,480
So here there's a typical SQL injection example.

2
00:00:03,780 --> 00:00:08,460
We are in an online shopping site and would like to see a laptop.

3
00:00:09,030 --> 00:00:11,730
The URL for the laptop can be seen on the slide.

4
00:00:12,360 --> 00:00:18,990
The SQL query to bring the details of the laptop will be something like this, with an unexpected parameter.

5
00:00:19,410 --> 00:00:22,140
The SQL query becomes just like this.

6
00:00:22,200 --> 00:00:27,390
Now, what if we tamper with the ID parameter and send the ID string like this?

7
00:00:29,280 --> 00:00:32,520
OK, suppose that we have a method to authenticate user login.

8
00:00:35,440 --> 00:00:37,570
Now, it looks like Java code, but it's not.

9
00:00:37,990 --> 00:00:42,010
It gives errors if you try to compile the method in any language.

10
00:00:42,520 --> 00:00:44,590
Please, just for now, focus on the algorithm.

11
00:00:44,980 --> 00:00:51,760
The method takes username and password as parameters and decides if the user can log into the application.

12
00:00:52,000 --> 00:00:57,430
It returns true if the user is valid, otherwise it returns false.

13
00:00:58,660 --> 00:01:03,760
So let's build the SQL query using the parameters which come from the login form.

14
00:01:21,910 --> 00:01:22,780
The single quotes

15
00:01:23,740 --> 00:01:31,150
are to start and end the string values in an SQL string; plus signs are for the string concatenation.

16
00:01:32,730 --> 00:01:37,860
The SQL string is executed and the corresponding records create the result set.

17
00:01:39,420 --> 00:01:46,530
The method returns false if no records are found, otherwise returns true, and that's the user log

18
00:01:46,530 --> 00:01:46,770
in.

19
00:01:48,780 --> 00:01:53,940
If we enter user one as a username and one two three four as a password,
20
00:01:55,220 --> 00:02:03,950
the SQL string will be select star from users where username equals user one and password equals

21
00:02:04,160 --> 00:02:05,450
one two three four.

22
00:02:05,660 --> 00:02:13,130
And the method will return true if there is a record matched, which means if there is a user named

23
00:02:13,130 --> 00:02:17,630
user one and if this user's password is one two three four.

24
00:02:22,790 --> 00:02:28,420
Now, suppose we enter one, single quote, or one equals one,

25
00:02:29,400 --> 00:02:31,080
double dash as a password.

26
00:02:33,530 --> 00:02:35,240
Now, the SQL string will be:

27
00:02:36,900 --> 00:02:43,680
select star from users where username equals user one and password equals

28
00:02:45,530 --> 00:02:50,210
one or one equals one double dash.

29
00:02:51,130 --> 00:02:58,240
In SQL queries, double dash means that the rest of the line is a comment and will not be executed.

30
00:02:58,720 --> 00:03:04,480
Here we use a double dash to get rid of the redundant single quote. Since one equals one is always

31
00:03:04,480 --> 00:03:10,840
true and the logical operator is or, the where clause will match all the records of the users table,

32
00:03:10,840 --> 00:03:17,680
which means the size of the result set will be the total number of records in the table, and the method

33
00:03:17,710 --> 00:03:21,130
will let us log in even though we don't know the password.

34
00:03:21,160 --> 00:03:23,770
So let's make an SQL injection example.

35
00:03:23,800 --> 00:03:31,540
So for this demo, we use Damn Vulnerable Web Application. Go to the OWASP Broken Web Applications home

36
00:03:31,540 --> 00:03:31,930
page.

37
00:03:36,300 --> 00:03:39,720
Log in to the application using the user/user credentials.

38
00:03:39,750 --> 00:03:41,370
Go to the SQL injection page.
39
00:03:43,530 --> 00:03:50,940
Now, on this page, when we submit the user ID, that user's name and surname are displayed. If we try

40
00:03:50,940 --> 00:03:58,350
to submit a single quote with the ID number, we get a syntax error message and we see that the database

41
00:03:58,350 --> 00:04:00,070
system is MySQL.

42
00:04:00,420 --> 00:04:07,740
And there is a redundant single quote in the actual string, which means our input is not sanitized

43
00:04:07,920 --> 00:04:10,770
and a single quote has arrived in the database.

44
00:04:10,980 --> 00:04:16,350
Now, if we succeed in creating a valid SQL string, we may get the results of that query.

45
00:04:17,250 --> 00:04:23,900
So let's submit this: one, single quote, or one equals one, double dash, space.

46
00:04:24,840 --> 00:04:30,900
The database system of the application, MySQL, requires a space character after the double dash, so

47
00:04:30,900 --> 00:04:33,600
don't forget to put a space after the double dash.

48
00:04:34,410 --> 00:04:35,640
And what do we have here?

49
00:04:35,940 --> 00:04:40,800
Now we have the name and surname information of all records.