Live Hacking: SQL Injection For Beginners (Part 1)

Captions
What is up, people? It's me, Teja, and in this video we're going to talk about SQL injection. We're going to cover a lot of things in this video. We're first going to talk about what exactly SQL is and what SQL injection is. I'm also going to practically demonstrate SQL injection by doing it on a vulnerable application. But hey, the application that I'm using in this video is actually vulnerable by intention, and it is generated so that security researchers or pen testers can improve their skills by testing the application for flaws and different kinds of vulnerabilities. This application also happens to have SQL injection vulnerabilities, and I'll be showing how to exploit SQL injection vulnerabilities.

Please note that this video is only for educational purposes. Trying to exploit bugs or vulnerabilities like SQL injection vulnerabilities, or even other vulnerabilities, on websites that you do not have permission to test is illegal, and you will get into serious trouble for doing so. So when you are practicing SQL injection, make sure you do that on your own website or on websites that are intentionally made vulnerable, so that you can test your skills and practice your pen testing skills. I'll be showing two such applications in this video and also show you how to get those applications onto your system, so that you can test on those applications and exploit different types of bugs. But in this video we'll be talking only about SQL injection.

Before getting started, I also want to thank the sponsor of this video, Snyk. Now, I don't know how I end up getting such great sponsors every time, and I'm glad to say that Snyk is one of my most favorite tools that I've ever used in my whole career. I don't know if I could call it a career, but in my experience I would say so. What Snyk does is it basically finds vulnerabilities in your code. It can automatically find vulnerabilities in open source software or libraries that you use in your code, and it will show you the metadata or the details of the libraries which are vulnerable, and you can fix these vulnerabilities with Snyk. And the best part is Snyk is free to use. You can use Snyk for free on your projects; even if it is a private project in a private repository, you can still use Snyk to test your code and keep your code vulnerability-free.

So I want to share my personal experience with Snyk. I have this personal project of mine called Secure Text, and it's basically a web application using which you can store your notes or texts securely, encrypt them with a password, and then access them whenever you like from wherever you are. A month back I used Snyk to scan my project. The project is uploaded to GitHub, so I used Snyk to scan my GitHub repository. You can do that directly from the web interface of Snyk, and Snyk immediately scanned my project and came up with some vulnerabilities that existed in my application, and I did not even know that these vulnerabilities actually existed. I'll show you an example of that. You can see there are three pull requests opened by Snyk. I'll show you one of them, this one. It says Snyk has created this PR to fix one or more vulnerable packages in the pip dependencies of this project. As you can see, there are two vulnerabilities that Snyk found when I first scanned with it. The first one is called web cache poisoning, and you also have a link to that vulnerability so that you can learn more about what it is, which package has this vulnerability, and how to fix it. So Snyk automatically told me that there is this vulnerability, which has a medium severity, and there's another vulnerability which Snyk found, which is called the directory traversal vulnerability. If I go to this link, it shows me all about this vulnerability, and this one also appears to be in the Django framework. So essentially any attacker could use this directory traversal vulnerability to read files on my web server that are not supposed to be read by any visitor; this vulnerability allows anyone to traverse through the directories on my web server and read sensitive files in the file system. I am so thankful to Snyk right now, because it helped me fix some serious issues in my project, and I did not have any idea about them until Snyk notified me. So yeah, it's just such a great tool, and it's also free to use, so I don't see why you should not try it. Do check out Snyk and try it; it's a must-have tool for anyone who writes code, and you can use my link in the description to try Snyk for the first time. It's free to use, it's a great tool, and trust me, you will not regret using it. So go ahead and check it out.

So without further ado, let's get started. Before talking about SQL injection you must obviously know what SQL is, which you probably already do, but for the sake of going step by step, let's talk about what SQL is. SQL stands for Structured Query Language, and it is a pretty popular language to deal with databases, or to be more precise, to deal with the data inside the databases. Basically, using SQL you can deal with the data that is stored inside a database management system: you can create a new database, create new tables, add data to those tables, and modify the data which already exists in those tables, for example changing the value of a particular row or a particular column, deleting a particular row or a table, and so on. Basically, you get the idea that we use SQL to deal with data inside a database management system.

Now, SQL injection is a technique where an attacker crafts a malicious SQL query or SQL statement, and the attacker tries to inject this specially crafted SQL statement into the pre-written SQL statement on the back end of that web application. What happens is that this specially crafted SQL statement of the hacker, or the attacker, gets executed along with the pre-written or hard-coded SQL statement on the back end of the web application. So
this means that the attacker can execute SQL queries on the back end of the website, which means he could basically do anything with that particular database: he could read the values from a table, or even update the values in the table, create a new table, or, even worse, he could just delete the whole database. Now, SQL injection is actually the number one OWASP security risk, which means it is pretty common to find these vulnerabilities on websites, and it also severely hurts your web application if your web application happens to be vulnerable to SQL injection attacks.

So, as I already promised, in this video I'm going to try to practically exploit SQL injection vulnerabilities on a vulnerable application, so let's go ahead and do that. The application that I'll be testing is this one. It is called Juice Shop, and it is an intentionally vulnerable website. It has many, many vulnerabilities, not only SQL injection; it has all the other vulnerabilities, the OWASP Top 10 vulnerabilities to be precise, and you can use this vulnerable application to test your pen testing skills and whatnot.

The easiest way to get this application working on your PC is to use Docker, so first you obviously need to have Docker installed. You can go ahead and just google "docker download" or something like that, and you can download Docker for Windows, Mac, or Linux. Once you download it, you know how to install it. Once you have Docker installed (as you can see, I'm running Windows, so I have Docker for Windows installed), you can just open up your Windows Terminal or your command prompt and then get this image, the Juice Shop Docker image. You can just copy this command, go to your terminal, and paste it, and that's going to pull the Juice Shop image into your Docker. All right, so there you go: I have successfully downloaded the Juice Shop image to my PC. Now all I have to do is start an instance, or a container, of that image, and I can do that simply by using this command right here. I'll just go ahead and put this command here as well; I'll just clear the terminal and put it in. Oh, sorry. Yeah, so what we're basically doing is we are running a container of that image, and we are also exposing port 3000 to our localhost, so that when you go to localhost followed by 3000 we will be able to access the web application that we are running. So let's hit enter. Okay, so it says that ports are not available. It means that some other application or process is using port 3000, so let me try to use another port right here. Okay, so I finally got it working. I used a different port, 8001 instead of 3000, and it worked, so I'm guessing 3000 is being occupied by some other process. Anyway, now it's running, so I'll just go to localhost:3000... what is that? 8001, right.

So there you go, this is OWASP Juice Shop, the vulnerable application that we are going to test in this video. The reason why I actually chose this application over other applications (I mean, there are plenty of other applications like bWAPP and DVWA; I actually will use DVWA later in this video), the reason I chose this application primarily is because it resembles a real-time application. It doesn't seem like an application that is only made for pen testing; it looks like a real website, it looks like a real juice shop website. So there you go, there are different products on the homepage. If you click on the products, it shows some description and whatnot. There's a login form and there's a registration form; you can create a new account and register and whatnot. So we're going to try to find out if there are any SQL injection vulnerabilities. First we'll be looking into this login form. You can just give some email and some password, and it gives you an error message saying "invalid email or password". So we will first check if this login form has any kind of SQL injection vulnerability. Now, whenever I am
testing an application for any SQL injection bugs, what I like to do is open up some text editor like Notepad and try to figure out the SQL query that might be hard-coded on the back end. In this case we are testing this login form, so think about what it does. You, as a user, give in the email and the password and then click on login, and what happens when you click on login is that these details are sent to the server. The server gets these details that are sent by you, and now it has to validate whether the email and password that you submitted are valid or not, right? So what it has to do is retrieve the correct email and password from the database, then check the submitted email and password against the correct email and password and see if they match. If they match, it means that the login is successful because the credentials are correct, and if they do not match, it means that you entered a wrong email or password, so it would not allow you to log in. That's the basic functionality of any login form, right? Since we are retrieving the email and password from the database, there is obviously the need for SQL, so there can be a potential SQL injection vulnerability here.

So before trying to find the SQL injection vulnerability here, what I'd like to do is frame an SQL query that is responsible for making this login form work. As I said, this login form involves retrieving the correct email and password from the database, so let's try to write an SQL query for that. I'll say SELECT, which is a statement used to get some data from a particular table. So: SELECT email, password. Now, once again, these column names might not be the exact names of the actual columns in the database; these are just hypothetical. I'm just trying to write the SQL query that might be used on the back end. So: SELECT email, password FROM users WHERE email = and then this should be the email that the user provided as an input, so let's say the name of that is submitted_email, AND password = and this value should be the password that is submitted by the user, and let me call that submitted_password.

So this is the basic SQL query that I can come up with which can perform the login operation, which is checking whether the email and password are valid or not. This submitted email and this submitted password are the user inputs, which means we control these things; we have total control over these two values because we are the ones who are sending them by using these fields. That means we could send whatever we like; we could replace these with whatever we like. So what I can do is give it a malicious input and see if I can change this hard-coded SQL query in some way and see if it works. For the email input I will give a single quote, and I'm giving this single quote to close this opening single quote. What this does is, as you can see, I'm giving the value as a single quote, and it closes this opening single quote, so now we have three single quotes, and that should give you an error, right? Because a string should start with a single quote and end with a single quote, but we have an extra single quote, and this just violates the syntax of SQL. So what I'll do is simply put two dashes (--) here, and -- is a comment in SQL. What happens is this placeholder will get replaced by our input, so now what we are doing is saying WHERE email = an empty string, because there is nothing inside these single quotes, which means it's an empty string, followed by --. Anything after this -- will be a comment, which means it will not be executed; this portion of the SQL query will just be rejected. So let's try that user input here in our login form. For the password, it doesn't really matter; you can just give any string as a password, because as you can see we are commenting out everything after this closing single quote, and this means that this password check is also being commented out. So if I click login, it still says "invalid email or password". That means we did something wrong, so let's try to figure out what we did wrong here.

Okay, so here is why it did not work. What we are basically doing here is selecting the email and password fields from the users table where email is equal to an empty string, and then we are commenting out the rest of the SQL query. The reason this did not work is that there might not be a row in the users table where the email is an empty value. So we will have to modify this statement, or our input to be precise, so that it will actually return something, right? I'll just add an OR and say 1 = 1, followed by two dashes, and I'll remove this comment from here because we don't want this portion of the input to be commented out. So what happens now? I'll just copy this and paste it into our input. What happens now is it's once again going to try to get the email and password fields from the users table where email is an empty string, and then it's also going to say OR followed by 1 = 1, which we know for a fact is true, so this is going to return true, and then we're commenting out the rest of the SQL query. What this does is it basically retrieves the first row in the users table, and this means that this statement actually returns a row, which means the login should be successful, and we should be able to log in as the user whose record is the first row in that users table. So let's try that input value here; I'll just copy that and paste it, and as I said, the password doesn't matter, so I'll just give some string right here. And there you go, it seems like it logged in,
which it did. As you can see, we logged in as admin@juice-sh.op. Now, the reason we logged in with this account is that this user's record is the first row in that users table. And it worked, that's great.

So now let's look at some of the other features or functionalities in this website where there might be an SQL injection bug. The first thing I notice is this search box here, the search operation. If I search for something, it's going to show me the results that match my search query or search string. If you think about it from a developer's perspective, how this would be implemented in the back end, here is how it goes: a user gives a string to search for, and then in the back end this string must be searched for in the database to see if there are any results that match this particular string. So obviously there is the need for SQL here, and so there is also a potential SQL injection vulnerability here. Let's try that. For this I'll be using Burp Suite to intercept my request. It basically makes it easier for me to modify my request to whatever I need, and it also makes it easier to repeat the same kind of request and monitor the exact raw responses I receive from the web server at the same time. So I'm using Burp Suite for this.

Now I can intercept this request with Burp. I'll just search for something like "test", and I'll make sure that my intercept is on in Burp, and when I hit enter you can see that there's a GET request being sent to /api/Quantitys, but I don't think this is related to our search, so let's forward this. And there you go, now we have another GET request. We are sending a GET request to /rest/products/search?q= followed by the search string. This is the request that we are sending whenever we search for something, so I'll send this to Repeater. q is the parameter that we want to check for SQLi vulnerabilities.

First what I'll do is put a single quote as the input and send this request. The response we got is a success: we got a JSON response which says status is success, and we did not get any data. What if I just give a normal input and click send? I searched for the string "test", and it gave a success status, and in the data it gave me the search results that match the string "test". So let's try with a single quote followed by --, commenting out the rest of the query, I guess. If I click send, all right, here we can see we got an error this time, and we got a message that says "SQLITE_ERROR: incomplete input". This means that the search functionality of this website is actually vulnerable to SQL injection, and the type of SQL injection we're dealing with here is called error-based SQL injection. The reason we call it error-based is that we were able to see the errors that occurred while processing the SQL query in the back end, and based on these errors it is basically easier for us to read them and improve our payloads, or our inputs in other words. Here there is an sql field that shows you the SQL query that is being executed in the back end. This made it easier for us, because now we don't have to frame this SQL query like we did for the previous challenge. You can see it says SELECT * FROM Products WHERE ((name LIKE followed by our input, if you notice. This is the input that we are giving, so it's basically enclosing this with two opening parentheses, followed by a single quote, and inside the single quote there is our input. So now we know that we need to escape one opening single quote, and also we need to escape two opening parentheses, right? This time we will give it a single quote followed by two closing parentheses and then the comment, because we want to comment out the rest of the statement, which goes like OR description LIKE followed by something. So, yep, this should work, because you can see we are first escaping the opening single quote, then we are escaping both the parentheses, and then we are commenting out the rest of the query. If I click send, you can see here that the status is success, which means this time we did not encounter any error, which means our SQL injection worked: we were able to modify the hard-coded SQL query and it did not throw any error. So these are the results. There are a lot of results, and the reason why there are a lot of results is, once again, we are searching for an empty string; we are not giving any string to search for, so it's basically going to return all the products in the database.

So now that we know this is the payload that we'll be working with, we can improve this to do something more. What if you want to know the version of the database? Now, we know that this database is an SQLite database, because in the previous error message we've seen that it is an SQLite database. So what I'll do is try to get the version of the SQLite database, and how do I do that? Well, let's ask Google about it. I'll say "how to get sqlite version". Okay, so this is a Stack Overflow page, and someone answered that you can just use select sqlite_version() to get the version of the current SQLite. Right, so let's try to do that. Let's go back to Burp Suite, and here we want to insert this SELECT statement before the comment, because we don't want that to be commented out. I'll just paste that over here, and you can see from the color scheme that something doesn't look right. I'll just show you: if I click on send, you can see that the response we get is "bad request". The reason why we are getting this is because we did not
encode this input. Since we are dealing with a GET request, the input we are sending is sent through the URL, and when you are sending some stuff through the URL you have to make sure that you encode it; you have to URL-encode it. So let's first URL-encode it. You can do it in Burp Suite; I think there's a shortcut in Burp Suite using which you can automatically encode it, I don't know, let me search for it: "keybind to URL encode". Okay, it says Ctrl+Shift+E... sorry, Ctrl+Shift+U to URL-decode, okay, Ctrl+U to URL-encode, I guess. So let's try that: I'll select that and press Ctrl+U, and there you go, now you can see that this SQL query is encoded. So now we can send this. If I click send, all right, we got another error message, which means our query did not work, but let's read the error message, because as I said, that's an advantage we get with error-based SQL injection: we get to read the error messages, and by reading the error messages we can craft a better version of our SQL injection payload, right? Okay, it says SQLITE_ERROR near "SELECT". So let's go to the SQL query that's being executed. It seems like we did properly escape the single quote and the two parentheses, but then, yeah, this is not allowed in SQL. If you want to have two SELECT statements in a single SQL query, you have to use UNION. UNION is basically like joining two queries into one. In this case we are actually trying to execute two queries: you can see the first query is this one, SELECT * FROM Products WHERE name LIKE and this one, right? And the second query that we are executing is this one. We can't just concatenate these two queries like that; we have to use a UNION in between, right? That's the issue we are facing. So here in my input I'm going to add a UNION in between both these SELECTs, and Burp should actually, while you type in Burp, automatically encode the input or whatever. So now if I click send, that should work, right?

So it seems like we got another error message. This is a different error message from the previous one, and it says "SELECTs to the left and right of UNION do not have the same number of result columns". What this means is that both these SELECTs, which are on the left side and the right side of the UNION, should have the same number of columns; only then will the UNION work. So how do we fix this error? In order to fix the error we obviously need to know how many columns we are actually dealing with, because only then will we be able to bring the required number of columns into the right SELECT statement, which is select sqlite_version(). How do we know how many columns we are dealing with? This first SELECT, which is returning all the columns from the Products table: we don't know how many columns it is actually returning, because we don't know the schema of this Products table. So we have to somehow figure out how many columns we are dealing with in the first SELECT statement. How do we do that? We can actually make use of the ORDER BY clause to do that. ORDER BY is when you want to order your results based on a particular column or column number. So what we can do is, first I'll just remove all this UNION SELECT, everything, because we want to make use of the ORDER BY clause to figure out the number of columns we're dealing with. I'll say ORDER BY followed by 1, and what this means is: whatever result set we are getting as the output for this SQL query that is being executed in the back end, we want to order the results with respect to the first column, right? If I send it, you can see that we did not get any error; the execution is successful, which means it works. So now what I'll do is keep incrementing this number. This time I'll say ORDER BY 2 and send it again, and you can see there is no error, it says success. I'll just change this to 3 now and send it again: no error. I'll make it 5 this time: no error again. Then 7: no error again. I'll make it 8: no error again. 9: no error. And then 10. This time it gave us an error; it says "1st ORDER BY term out of range", which means the number that we gave to the ORDER BY clause, which is 10, is out of bounds, which means there is no 10th column for this table, for the result set I mean. So what we can make of this is that there are nine columns in the Products table. Why? Because this query did not give an error until ORDER BY 9; when we did ORDER BY 10 it gave an error saying that it is out of range. So we just figured out how many columns there actually are in the Products table.

Now that we know that there are nine columns, we can frame an SQL query that also has nine columns as its output. I'll say UNION again, and I'll say SELECT, and I'll say 1, 2, 3, 4, 5, 6, 7, 8, and 9. Okay, so what I'm trying to do here is, in the right SELECT statement, you can see I'm selecting just the numbers. One... okay, I missed 2 there. So yeah, I'm selecting just the numbers 1, 2, 3, 4, 5, 6, 7, 8, 9; I'm not doing anything else. If I click send here, again you can see there's success. This means that the number of columns in the right SELECT statement equals the number of columns in the left SELECT statement. Great.

So now, coming back to our version number: how do we get the version number of the current SQLite database? In one of these columns, let's say the first column, I can insert a nested SQL query, which means I can give an opening and closing parenthesis, and inside these parentheses I can type another individual SELECT statement. We know the query to select the version, right? It's select sqlite_version(). So this is the SELECT statement we can use to get the version number of the SQLite database, and I am actually nesting it in the first column of the right SELECT statement. It might be a little tricky, but if you do know how SQL works, or if you have a little experience with SQL, it shouldn't be confusing at all; it's pretty straightforward. But if you do not have any prior knowledge of SQL, it's very, very easy to learn, trust me. You can just learn the basics of it in like one hour and you'll be fine; you should be able to understand that. So yeah, anyway, now if I click send here, that's a good sign: we did not get any error, which means the query that we injected got executed. If I scroll down to these search results, you can see the last search result right here has the id as 3.34.0. That is the version of our SQLite database. Now, the reason why it got assigned to this id field is that we are injecting this select sqlite_version() query into the first column of the right SELECT. Just to demonstrate it to you, if I just take this out and then put it... sorry, take this out and then put it in the second column, making sure I follow the syntax correctly, and send it now, you can see the version number got assigned to the second field, which is name, because we nested this SQL query in the second column, in the place of the second column. So this means we are not only able to retrieve details or data from the Products table, but we're also able to retrieve data from other tables as well, by using the UNION statement to combine multiple SQL queries together. And actually, you can only combine multiple SELECT queries, and not any other queries like UPDATE queries, using UNION, so you should keep that in mind. So yep, there are many things you could do like this, but I don't have to manually craft these SQL queries by myself, because there is a tool that can automate all of this. It's called sqlmap, and it's used by almost all pen testers. It's an awesome
tool, so let me go ahead and show you how you can actually use that tool to automate the SQL injection attack. You can just search for sqlmap and go to the first link; it's sqlmap.org. It's written in Python, actually, so you can just download the latest version of it. I have already downloaded it; let me show you how I actually use it. All right, so in order to run this, as I said, it's written in Python, so you need to have Python installed. Say python sqlmap.py, and you also obviously have to give it some arguments so that it can process, but if you want to just see the help menu you can just give -h for help, and it's going to show you a help screen showing you the different types of commands and arguments you can pass to it. Obviously there are lots of ways you can make use of sqlmap, but this is how I like to use it, because it's very easy to use this way. What I do first is capture my HTTP request using Burp Suite. This is the request we are dealing with, so what I do is intercept this request, copy the whole request, open Notepad, and paste this request into Notepad. There are a few things that you need to change before you go ahead. In the first line, in the GET path, you also need to include your domain name followed by your port. In this case I'm dealing with my localhost on port... what port? I forgot the port: 8001. So I'll say http://localhost:8001. The parameter we're looking for is this q parameter, so I'll just tell sqlmap right away that this is the parameter I want to target, and in order to do that you just type in an asterisk right here. This asterisk tells it that this is the parameter that is vulnerable to SQL injection, so sqlmap will only test this parameter. And that's it. You now save this as a text file, so I'll just save it as request.txt, and now I can just give this request.txt file as an input to sqlmap and ask it to test for SQL injection vulnerabilities and to do stuff.

In order to do that, I'll just say python sqlmap.py -r followed by the request.txt file that I just made. Okay, yeah, there you go, the request.txt file that I just made. After this you can also give it the number of threads you want; obviously, the more threads, the faster it runs, so I'm just going to give it like six threads. Initially I want sqlmap to find out all the databases available, so I'll just give the option --dbs, and I guess that's it. If I hit enter it should start its thing. So it returned with a message saying that on SQLite it is not possible to enumerate databases, and it says to use only --tables. So let's do that: instead of --dbs I'll say --tables and hit enter. Once it's done, you can see it lists all the tables. There you go, there's an Addresses table, there's BasketItems, Baskets... All right, so now let's go ahead and try to get all the data from the Users table. I will do that by first specifying the name of the table using the -T argument (the name of the table here is Users) and then I'll say --dump. What this is going to do is dump all the data inside the table which we have mentioned, which in this case is the Users table. So when I hit enter, it's going to go ahead and do that. All right, so we are done; it has finished dumping all the data inside the table, and you can see it also saved that into a CSV file located at this directory. It also printed it to the terminal, but it doesn't look pretty, so we'll just open this file and see the table for ourselves. So there you go, it seems like we have a total of 20 rows in this table, and you can see all the columns and the corresponding data. Yeah, what we essentially did is we used a tool to automate this process of exploiting an SQL injection bug which we found. So we are done with the first type of SQL injection, which is error-based SQL injection, and
as i already said there is another type of sql injection called as blind sql injection and it is actually much more complex than error based sql injection it is more difficult to exploit blind sql injection bugs as compared to error-based sql injection bugs the reason is simple in error-based rescue injections you were able to see the error produced on the back end and you were able to read that error you were able to frame or construct a malicious input based on that error you see and that is easy that's a simple process but that's not the case when it comes to blind sql injection so in blind sql injection you do not get to see the error that is generated on the back end and obviously this takes a lot of patience a lot of trial and error methods uh in order to successfully be able to exploit a blind sql injection but before going further let's see if you can use sneak to automatically figure out or find out these bugs for example these sqlite bugs which we found out just now so let's do that so you can go to sneak.io and you will find everything you need to know about sneak here you can download sneak cli or you could just create an account here and then uh you could use sneak from the web interface as well but i do have like the sneak cli version you could actually easily install it with node so just say npm install g sneak and that's going to install sneak so there you go sneak is successfully installed so now i'll just uh go to the directory where the source code of juice shop is present in my computer so yeah this is the directory where the source code uh i mean all the files of juice shop are present so once i'm in this directory all i can do is type in sneak test so sneak is now going to go through these files and it's going to gather all the dependencies or all the libraries frameworks etc that are used in this project and it's going to query its vulnerable database to check if any of the open source libraries or frameworks used in this project are 
vulnerable so it's going to take a little bit of time to scan all these libraries so we have to wait a little bit all right so there you go it seems like sneak has done its job so let's go through the results it gave us on the terminal so it says that it tested 937 dependencies for known issues and it found 36 issues and 52 vulnerable paths so let's try to go through this so here are all the issues that it found you could see that these are all the vulnerabilities that actually exist in this application there are actually tons of vulnerabilities but it makes sense right because this application is supposed to be vulnerable so yeah these are all the vulnerabilities so for example there is this authorization bypass which is high severity and you also get a link to the vulnerable database which contains the data about this particular one library so if i just copy this link and go to this link in my browser i can see everything i need to know about this particular vulnerability so so in this case the vulnerability is authorization bypass and it is affecting express jwt package with versions less than 6.0.0 and here is a little bit of overview about it and here we also have a fix for this issue the fix in this case is to upgrade express jwt package to a version higher than 6.0.0 and similarly we have lots of other vulnerabilities here for example there's this rb3 code execution which caught my eye because arbitrary core execution is always always a very very serious vulnerability all right so that's great like seriously that's awesome but what if you want to fix these vulnerabilities automatically should you like go to each of these vulnerabilities read their description see how to fix them and then fix them manually should you should you actually do this manually the answer is no sneak can do this automatically for you with just one simple command and i'll show you that magical command right now and it goes like this sneak wizard that's it sneak wizard that's the 
magical command you need to fix all of these open source library vulnerabilities at once automatically you don't have to do anything just run sneak visit and hit enter and sneak is now going to fix all these dependency vulnerabilities for us and for each vulnerable dependency sneak also shows you like uh multiple remediation options so for example for this vulnerability in path pass trust me these are all the remediation options so this is the first one which is like reinstalling that package with a higher version uh triggers upgrade to path parts so basically i am upgrading path pass 1.0.6 to 1.0.7 so i'll choose the first one hit enter and it's going to fix that now it comes to the next vulnerable dependency and i once again have all these options and i will choose the first option again yeah i'll do the same for all the other things all right it seems like sneak is now done fixing all these vulnerable libraries by upgrading them to their latest versions and i also want to add that you could even use the github integration tool on the sneak dashboard itself if you're not really very fond of the command line interface which is understandable so all you need to do is login into your sneak dashboard and once you integrate your github account with sneak you can simply add a project and select github from the list of options and this will list out all your github repositories now you can simply choose the repository which you want to scan in this case i want to scan my forked juice shop repository and you can simply scan it and once the scan is done it's going to show me all of the vulnerable dependencies now this is exactly what you saw on the sneak cli as well but this is just a new way of doing it we are doing it directly on a github repository now once sneak lists out all the found vulnerabilities you could fix these vulnerabilities individually or you can fix all of these vulnerabilities together and what sneak does is it basically opens a pull request making 
necessary changes that are required to fix these vulnerabilities and as you can see sneak has indeed made a pull request on my repository and it also clearly explains what are all the changes it made in order to fix these certain vulnerabilities now all i have to do is merge this pull request and that's it my repository is now vulnerability free but the main topic of this video is sql injection so how can sneak contribute to finding sql injection bugs so as i already told this about sneak sneak can not only scan open source code it can scan your own code which is the code that is written by you so in order to demonstrate this i'll open the juice shop project in my visual studio code and i will install the sneak extension in visual studio code so here you go this is the sneak vulnerability scanner plugin for visual studio code it is available for other ides as well like eclipse and other popular ides but i'm using visual studio code now and i've already installed it so once you've installed it you could see this icon of sneak which is a dog i love docs and so what i can do right now is i can click on sneak and as soon as i click on that icon you can see that it is collecting all the files in the current directory which is the geoshop directory and it's going to scan all those files for us and show us any bad practices in the code so it's going to take some time not going to lie it's going to take like around 5 to 10 minutes so i'll just pause the video until sneak is done so sneak is done scanning all the files in my current project directory and since this is my first scan it's going to take a little longer but if you are scanning a project that has already been scanned then it's not going to take much time so remember that first scans are always going to take longer but all the other scans after the first scan are not going to take much time so as you can see once sneak is done scanning all these files it will show you the list of files which have issues in their 
code so you can see there are like a lot of files which have issues and it makes sense because this application is supposed to be vulnerable so if you for example like open one of the file uh it will show you a sub list which shows you all the issues that are available in it so for example if i go to let's say recycles.js it shows that there are two issues available so if i want to check out these issues i can just click on them and sneak will show me the line at which this issue exists and on the right side it will also show you what is the particular issue and it will show you more details about it but i want to see if sneak actually detected sql injection bugs so i will try to look for a login.js file here it is you can see it already has three issues if i extend it these are all the three issues the first issue says something about unsanitized input that looks interesting so let me check that out so if i click on it it shows you that on the 29th line which is where the hard-coded sql query is actually present it says that there is an issue here and on the right side you can see the message it gives you it says that there is a high severity for this issue and it also says that unsanitized input from the http request body is being utilized into the query and it also says that this might even result in an sql injection vulnerability this means that sneak actually automatically detected that there is going to be a potential sql injection bug because of this line over here you can also see that sneak shows you how other developers fixed this kind of issue you could see this issue was fixed by 91 projects so here you could see this is how one of the developer fixed it the red portion means that the line was removed and the green portion means that the line was added so you can like go through each of these examples provided by sneak and you can decide which one you want to use or which one you want to consider to fix that particular issue in your project so that's 
about a sneak extension this is how sneak can find out bad practices in your own code and it can also help you fix those bad practices since this video is getting long i had to split it up into two parts this will be the end of part one in part two we will be dealing with blind sql injection which is a little bit trickier when compared to error-based sql injections so make sure you watch the part 2 as well check out the description or the pinned comment of this video to get the link to the part two of the video so this is it for part one i will see you in the part two and before switching to part two make sure you like this video if you did like it and also leave a comment down in the comment section below please do also subscribe if you did not subscribe yet and also turn on the bell icon to receive instant updates from my channel so i'll see you in the part 2
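The two ideas the video ties together, a search field whose input is spliced into a SQL string so that a UNION SELECT sqlite_version() lands in a result column, and the "unsanitized input from the request body used in the query" finding that the scanner raises on the hard-coded login query, can be reproduced side by side in a small script. This is an added example, not code from the video or from the OWASP Juice Shop project: the Products table, its columns, the sample rows and the probe string are all constructed here and stand in for the application's real schema and requests.

```python
import sqlite3

# Constructed probe in the shape the video describes: close the string literal,
# UNION in a SELECT whose second column is sqlite_version(), comment out the rest.
VERSION_PROBE = "zzz' UNION SELECT 1, sqlite_version(), 'x' --"


def make_db():
    """Build an in-memory SQLite database with a constructed Products table.
    The table and rows are assumptions for this example, not Juice Shop's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO Products (name, description) VALUES (?, ?)",
        [("Apple Juice", "1 liter bottle"), ("Orange Juice", "freshly squeezed")],
    )
    return conn


def search_concatenated(conn, q):
    """Vulnerable pattern: user input is spliced into the SQL text, so the quote
    in the probe ends the LIKE literal and everything after it runs as SQL."""
    sql = f"SELECT id, name, description FROM Products WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, q):
    """Hardened pattern: the query text is fixed and q travels as a bound value,
    so the same probe is only ever compared against product names."""
    sql = "SELECT id, name, description FROM Products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{q}%",)).fetchall()


def leaked_version(rows):
    """Return the SQLite version string if some row carries it in the name column
    (the symptom shown in the video), else None. This is the kind of assertion a
    regression test for the search endpoint can make after the query is fixed."""
    for _id, name, _desc in rows:
        if name == sqlite3.sqlite_version:
            return name
    return None


if __name__ == "__main__":
    conn = make_db()
    print("normal search, concatenated:", search_concatenated(conn, "apple"))
    print("normal search, parameterized:", search_parameterized(conn, "apple"))
    print("probe, concatenated leaks:", leaked_version(search_concatenated(conn, VERSION_PROBE)))
    print("probe, parameterized leaks:", leaked_version(search_parameterized(conn, VERSION_PROBE)))
```

Both search functions behave identically for an ordinary term such as "apple"; only the concatenated form lets the probe change the statement's shape. Binding the value with a placeholder is the same fix the scanner suggests for the login query, and it works regardless of which column the injected SELECT targets, because no part of the input is ever parsed as SQL.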
Info
Channel: Tech Raj
Views: 93,601
Keywords: sql injection, penetration testing, hacking, ethical hacking, owasp, sqli, owasp juice shop, hacker, metasploit, vulnerabilities, snyk, website vulnerability, website vulnerability testing, dvwa, tech raj, part 1, sql injection part 1
Id: MWGHbTqY5FE
Length: 51min 16sec (3076 seconds)
Published: Tue Jun 22 2021