he second part of this series has accomplished a lot, and we now have a good and relatively secure login system, in our opinion. But as an ancient Arab poet said in one of his greatest poems: <center>**What a person hopes to realize often does not come to pass, as the winds blow in a way that ships do not desire.**</center> Your professor at the university, the quality officer at your company, or even your mother—I don’t care who it is, but someone asked you the following question: <center>**What makes you sure this system is secure?**</center> This question suddenly makes you feel as if someone has thrown cold water on your head. It reminds you that before using the system and being proud of your work, you must test it thoroughly. You try to explain, justify, and evade, but eventually, you're forced to examine it. This task exceeds your level of experience and intelligence, so you immediately turn to YouTube, ChatGPT, and Google to find out how to do it. Unfortunately for you, your university professor catches you in the act. He reprimands you severely and makes you stand in front of your classmates on one foot without pants. Then, he directs you to read the following book:[Web Application Security: Exploitation and Countermeasures](https://www.amazon.com/Web-Application-Security-Exploitation-Countermeasures/dp/1492053112) As for me, since I don't care about you or your future, and because I've lost hope in you, I'll quickly share some tools you can use to check the security level of the system: **1- OWASP ZAP**: An open-source tool for finding security vulnerabilities in web applications during runtime. **2- Burp Suite**: A powerful tool for web application security testing with features like scanning, crawling, and manual testing. **3- Netsparker**: Automatically detects vulnerabilities like SQL injection and XSS in web applications. **4- Contrast Security**: Integrates into your application to provide real-time vulnerability analysis. **5- Veracode**: Offers IAST capabilities along with SAST and DAST to cover multiple aspects of security testing. **6- Snyk**: Identifies vulnerabilities in open-source libraries and provides fixes. **7- WhiteSource**: Scans dependencies for security vulnerabilities and licensing issues. **8- Metasploit**: A framework for finding and exploiting vulnerabilities in your web application. **9- Nmap**: A network scanner that can identify open ports and services on your server. **10- Nessus**: Scans for known vulnerabilities in network services and applications. **11- OpenVAS**: An open-source vulnerability scanner that provides a comprehensive assessment of security issues. **12- Splunk**: Collects and analyzes security-related data and provides insights into potential threats. **13- ELK Stack (Elasticsearch, Logstash, Kibana)**: A suite for monitoring and analyzing security logs and events. **14- Wapiti**: A web application vulnerability scanner that performs black-box testing. **15- Acunetix**: Scans websites for vulnerabilities and provides detailed reports and remediation suggestions. **16- SQLmap**: An excellent tool specifically designed for detecting and exploiting SQL injection vulnerabilities in web applications. All of the above tools are used to examine the security level of web applications, but not all of them are suitable for testing the login system we created in the previous part of this series. Since I don't have as much time as you do, I'll show you how to use SQLmap here. I ask that you choose one of the mentioned tools to test the login system and provide comments on the results so we can enhance the system in the next part. **1- Install SQLmap**: ```cmd pip install sqlmap ``` ![Description](https://i.ibb.co/n82sT4G/sqlmap-0.png) **2- Simple Attack**: I will use a very simple method to attack the system and reach the database. I will type: ```cmd sqlmap -u http://127.0.0.1/login/index.php?id=1 --dbs ``` (Note: you have to understand the concept of SQLi, and maybe I will talk about it later.) ![Description](https://i.ibb.co/vLQCQnc/sqlmap-1.png) As you can see in the previous image, the simple attack method did not work with our login system, so let's try another method. I will test all endpoints, not just the login. SQL injection can be present in any part of your application where user input is used in SQL queries.: ```cmd sqlmap -u http://127.0.0.1/login/index.php?id=1 --dbs --random-agent --tamper=space2comment --risk 3 --level 5 sqlmap -u http://127.0.0.1/register/index.php --data="username=test&password=test" --dbs --random-agent --tamper=space2comment --risk 3 --level 5 ``` The result "[16:51:36] [WARNING] parameter 'Host' does not seem to be injectable" and "[16:51:36] [CRITICAL] all tested parameters do not appear to be injectable" indicates that the `sqlmap` tool did not find any SQL injection vulnerabilities in the specified parameters of your endpoints. Specifically, the parameter 'Host' and all other tested parameters were examined for potential vulnerabilities, but no exploitable SQL injection points were discovered. This is a positive outcome, suggesting that your current input handling mechanisms effectively prevent SQL injection attacks. So, I will try to Automatically identify the database management system. ```cmd sqlmap -u http://127.0.0.1/login/index.php?id=1 --dbms="MySQL" --dbs --random-agent --tamper=space2comment --risk 3 --level 5 ``` The result "[17:00:07] [WARNING] parameter 'Host' does not seem to be injectable" and "[17:00:07] [CRITICAL] all tested parameters do not appear to be injectable" indicates that `sqlmap` was unable to find any SQL injection vulnerabilities in the specified parameters of your endpoints. Specifically, during the test to identify the type of database management system (DBMS) in use, `sqlmap` examined the 'Host' parameter and all other tested parameters for potential vulnerabilities but did not find any that could be exploited. This outcome suggests that your application effectively handles input in a way that prevents SQL injection attacks. Now, I will use the `sqlmap` command to thoroughly assess the security of my web application by testing for SQL injection vulnerabilities. Specifically, I will direct the test at the URL `http://127.0.0.1/login/index.php?id=1`, focusing on the `id` parameter to uncover potential weaknesses. To simulate a real login attempt, I will include POST data with `username=admin&password=admin`, and I will incorporate the session cookie `PHPSESSID=your_session_id` to maintain an authenticated session throughout the test. The command will enumerate databases using the `--dbs` flag, which will list all available databases if SQL injection is present. To avoid detection and mimic requests from different browsers, I will randomize the User-Agent header with the `--random-agent` option. Additionally, I will apply the `space2comment` tamper script to obfuscate payloads by replacing spaces with comments, aiding in evading certain security filters. To conduct a more aggressive and comprehensive test, I will set the risk and level parameters to 3 and 5, respectively. This ensures that the testing methods are both deep and broad. I will employ multiple SQL injection techniques—Boolean-based, Error-based, Union-based, Stacked queries, and Time-based—using the `--technique=BEUSTQ` option. For a clearer understanding of the test results, I will enable verbose output with a level of 3, which provides detailed information about the payloads sent and the responses received. To further bypass potential filters, I will specify a custom User-Agent and referrer URL. Finally, I will set a delay of 10 seconds for time-based injections and run the test with 10 concurrent threads to improve efficiency and speed up the process. This comprehensive approach will help ensure my web application is well-protected against SQL injection attacks. ```cmd sqlmap -u http://127.0.0.1/login/index.php?id=1 --data="username=admin&password=admin" --cookie="PHPSESSID=your_session_id" --dbs --random-agent --tamper=space2comment --risk 3 --level 5 --technique=BEUSTQ --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" --referer="http://google.com" --time-sec=10 --threads=10 ``` ![Description](https://i.ibb.co/LJpy80W/sqlmap-2.png) The result "[17:20:02] [CRITICAL] all tested parameters do not appear to be injectable" indicates that the `sqlmap` tool did not detect any SQL injection vulnerabilities in the parameters tested during the assessment. This suggests that the parameters are well-protected against SQL injection attacks, meaning that the current security measures and input handling in place are effective. Additionally, the message suggests that the string used to identify successful responses may not have been accurate. To address this, the tool recommends rerunning the test with a valid value for the `--string` option. This option allows you to specify a string that should appear in the response if the SQL injection is successful, helping the tool to better identify potential vulnerabilities. Finally, I will follow the tool recommends rerunning the test with a valid value for the `--string` option. ```cmd sqlmap -u http://127.0.0.1/login/index.php?id=1 --data="username=admin&password=admin" --cookie="PHPSESSID=your_session_id" --dbs --random-agent --tamper=space2comment --risk 3 --level 5 --technique=BEUSTQ --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" --referer="http://google.com" --time-sec=10 --threads=10 --string="Invalid username or password" ``` Based on this outcome, your login page's security is likely high, around 90-95%, though ongoing security practices and regular audits are still important. Test it yourself using any tool and let us know if you find any security concerns in the comments.
there are a bunch of security issues that need fixing to keep the system safe from potential hacks. First off, using `SELECT *` in SQL queries is a waste because it grabs all columns from the users table, even if you don't need them all. This can slow things down and use up resources, especially with big tables. While this doesn't mean the system is hacked, it can expose more data if an attacker uses SQL injection to run their own queries. Next, not having automatic rehashing for sensitive data like passwords is a security risk. If you're using outdated hashing methods, it's easier for attackers to crack passwords if they get their hands on the hashed data. Regularly updating hashes with more secure algorithms helps to avoid this. Another problem is keeping a database connection open all the time, even when it's not needed. This wastes resources and increases the attack surface, making it easier for hackers to exploit vulnerabilities and cause denial of service. It's better to open connections only when needed and close them right after. Lastly, not limiting login attempts is a big risk for brute force attacks. Letting someone try unlimited passwords gives them a much better chance of eventually guessing the right one and getting in. Setting a limit on login attempts, like account lockout or adding delays after several failed tries, is key to preventing these attacks. search for more, where are you?!
But there are many times when, even if we test thoroughly, there are things we can miss when it comes to the security of our applications. I believe that feedback from other users who utilise the service makes teams improve their security tools and not only their security tools, but also their security tools.
Note: If you think that I’ve explained everything about SQL injection tools and that you can use this article to hack other websites with SQLmap, you’re mistaken. I haven’t covered everything, and the SQLmap commands mentioned in this post, such as `PHPSESSID=your_session_id`, are not the exact ones I used for testing.
good! i think you did the right thing. sites that don't allow such actions do so in order not to encourage people of bad faith to do such things.