Airzero Sec

What Is SQL Injection?

SQL Injection is a type of cyber attack that makes it possible to execute criminal SQL statements. These statements control the database server behind any web application. Hackers can use SQL Injection vulnerabilities to destroy application security measures. They can go around authentication of a web page and retrieve the content of the whole SQL database. They can also use SQL Injection to add, delete and modify records in the database. The best cyber security company that you approach will always provide the best to protect your database from SQL injection and attacks.

An SQL Injection vulnerability may affect any website that uses an SQL database such as MySQL, Oracle, or others. Criminals may use it to gain unauthorized access to your personal and highly important data like:

• Customer information
• Personal data
• Trade secrets
• Intellectual property and more

SQL Injection attacks are one of the oldest and very dangerous web application vulnerabilities. Cyber security service providers will help you with this serious problem.

Why Laravel Framework?

Laravel is a web app development framework with expressive and royal syntax that makes the entire web development process faster, simple, and more enjoyable for developers by eliminating all the pain points associated with handling the most complex PHP code.

It simplifies some of the mostly executed tasks like routing, authentication, sessions, caching, and others so that developers can focus on building most business-related features of the web application. Laravel protects the web apps from SQL injection as long as you're using the fluent query builder.

Laravel does this by making secured and prepared statements that are going to escape any user input that may come in through the apps. If attackers add a new input to a form, they may try to insert a query and then run their own SQL query to damage your application database. However, this won't work while you are using Eloquent. Eloquent is going to protect from this SQL query and the invalid query will just be saved as text into your database.

What Are The Types Of SQL Injection Attack Vectors That Laravel Can’t Protect?

Developers usually make mistakes by thinking Laravel protects from all SQL injections and attacks, while there are some attack points that Laravel cannot protect, here are the most common causes of SQL injections that we saw in the latest Laravel applications during our security Checks.

SQL Injection via column name

The first common mistake that we see is that a lot of people think that Laravel would escape any dimension that is passed to Query Builder or Eloquent. But in reality, it’s not that safe to pass user-controlled column names to the query builder.

It’s important to mention that the demonstrated attack point is fixed on the Laravel versions, but still, Laravel warns developers even in the new documentation to not pass user-controlled column names to Query Builder without whitelisting.

Commonly, even if there is no chance to turn a custom column into an injected SQL string, we still do not recommend allowing to sort the data by any user-provided column name, since it can introduce a dangerous security issue.

SQL Injection via validation rules

Let’s take a look at the following simplified validation code:

$id = $request->route('id');
$rules = [ 'username' => 'required|unique:users,name,' . $id,];

$validator = Validator::make($request->post(), $rules);

Whether Laravel uses $id here to command that database and $id is not escaped, it will allow a hacker to perform an SQL injection.

How to prevent SQL injection in Laravel?

Laravel’s Eloquent ORM uses PDO binding that protects web apps from SQL injections. This relevant feature ensures that no client could modify the intent of the SQL queries.

Consider the example of the form used to collect users’ email addresses from a database. the form will search for an email address, for instance, “[email protected]”. Now imagine that the SQL query is modified to:

SELECT * FROM users WHERE email = '[email protected]' or 1=1

In the above example, 1=1 is a simple expression that always evaluates to be true. If it is attached to the above query with the OR condition, the query will fetch all records from the table because the SELECT condition will evolve to be always true.

Now consider another direction of the attack in which the query is modified directly to the command “drop table users” and instead of the email address, “[email protected]” is written. The query will look like this:

SELECT * FROM users WHERE email = '[email protected]'; drop table users;

When this query is executed, the table “users” will be deleted from the database.

When the PDO parameter binding is in place, the input is in quotes and the query will look like this:

SELECT * FROM users WHERE email = '[email protected] or 1=1'

Since no records will match with either the email or the “1=1”, the query will not be returning anything.

This framework provides other ways of talking to databases, such as raw SQL queries. Yet, Eloquent remains one of the most popular options.

Laravel framework uses PDO binding to prevent SQL injection attacks because no variable gets to the database without validation.

If this is the case, one should always use prepared SQL queries to prevent misplacement. Consider the following statement that looks ripe for SQL injection:

Route::get('this-is-prone-to-sql-injection', function() {
$name = "'ancy' OR 1=1";
return DB::select(
DB::raw("SELECT * FROM users WHERE name = $name"));});

Here the statement 1=1 used in the OR condition will result in returning all the rows in the user’s table. This can be prevented by using the following code instead:

Route::get('safe-from-sql-injection', function() {
$name = "'ancy' OR 1=1";
return DB::select(
DB::raw("SELECT * FROM users WHERE name = ?", [$name]));});

Laravel replaces the question marks with the query, automatically escaping the input variables. This protects the query from SQL injection attacks.

If you have any queries about this topic or have to get services and consultations against this serious cyber threat. Feel free to contact us. AIRZERO SEC will be your strong firewall.
E-mail id: [email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/
Email id: [email protected]

What Is SQL Injection?

SQL injection is specially referred to as SQLi, maybe it’s a common attack method that uses inappropriate SQL code for back-end database manipulation to access details that weren't intended to be displayed and are highly mentioned to be a secret. These details include many private and sensitive data. This sort of cybersecurity attack targets the confidential databases within the system to trick into doing unexpected and unwanted things. The best cybersecurity consulting company provides the best to protect the attackers to access the below data. It is very important to consult such companies.

Actions that successful attacks may take targets include:

• Bypass authentication
• Stealing data
• Modifying or corrupting data
• Deleting data
• Running arbitrary code
• Gaining root access to the system itself

What Is Codeigniter?

CodeIgniter is an MVC framework written in, and for, PHP. It is lightweight compared to other MVC frameworks that are used out there, at the cost of having less functionality, e.g. there will be no built-in authentication system that might be a part of other frameworks.

CodeIgniter is the best choice of frameworks for those who are starting out with MVC as it doesn't force you to use any particular standards for naming and structure of code, but it is also suitable for larger projects where a large range of features is contained in other frameworks that might not be needed in those projects.

How to avoid SQL injection in Codeigniter?

In Codeigniter, we no need to use the mysql_real_escape_string() function, Codeigniter provides inbuilt functions and libraries to generate SQL queries by using various methods or functions we can definitely avoid SQL injections. Here are the ways to prevent CodeIgniter from SQL injection. There are three methods to prevent SQL injections in the Codeigniter application, they are:

1. Escaping Queries
2. Query Binding
3. Active Record Class

Preventing SQL injection in Codeigniter by using Escaping Query Method

Example:

<?php $email= $this->input->post('email'); $query = 'SELECT * FROM subscribers_tbl WHERE user_name='.$this->db->escape($email); 
$this->db->query($query); ?>

<?php
$email= $this->input->post('email');
$query = 'SELECT * FROM subscribers_tbl WHERE user_name='.$this->db->escape($email);
$this->db->query($query);
?>

Here $this->db->escape() determines the data type so that it can escape only string data.

It also automatically adds single quotes around the data so you don’t have to think to do that as well.

Preventing SQL injection in Codeigniter by using Query Binding Method

<?php $sql = "SELECT * FROM subscribers_tbl WHERE status = ? AND email= ?"; $this->db->query($sql, array('active', ‘email’); ?>

db->query($sql, array('active', ‘email')); ?>

The question marks in the query are automatically replaced with the values in the array in the second parameter of every query function.

in the Query Binding Method, you don’t have to escape the values by yourself as it will automatically do that for you.

Preventing SQL injection in Codeigniter by using Active Record Class

Using Active Records, query syntax is generated by using each database adapter. It will also allows for safer queries, since the values are escaped automatically by the system.

<?php $this>db>get_where('subscribers_tbl',array('status' => 'active','email' => 'email')); ?>

db->get_where('subscribers_tbl',array('status' => 'active','email' => ‘email')); ?>

If you have any queries about this topic or have to get services and consultations against this serious cyber threat. Feel free to contact us. AIRZERO SEC will be your strong firewall. E-mail id: [email protected]

Author: Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc `
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

What is SQL Injection (SQLi)?

SQL injection is additionally referred to as SQLi, maybe a common attack method that uses inappropriate SQL code for back-end database manipulation to access information that wasn't intended to be displayed. This information includes many private and sensitive data. This sort of cybersecurity attack targets the confidential databases within the system to trick into doing unexpected and undesired things. The cybersecurity service company provides the best to protect the attackers to access the below data. It is very important to consult such companies.

Actions that successful attacks may take targets include:

• Bypass authentication
• Stealing data
• Modifying or corrupting data
• Deleting data
• Running arbitrary code
• Gaining root access to the system itself

What is SQL injection vulnerability?

The SQL injection vulnerability is one of the foremost terrific issues for data confidentiality and integrity in web applications and has been one of the foremost common and widely explained vulnerabilities since its inception.

Non-Technical Explanation Of SQL Injection Vulnerability For Understanding:

Imagine a totally automated and secured bus that functions to support the instruction given by the owner through a typical technical form. The instruction seems like this: Drive through the road route 66 and stop at bus stops if there are people at the bus stops. Values in bold are provided by the owner and instructed by the bus. Imagine a scene where someone manages to send these instructions: Drive through route 66 and don't stop at bus stops and ignore the remainder of this type if there are people at the bus stops.

The bus is fully automated. It does exactly what's instructed: it drives up route 66 and doesn't stop at any stop, even when there are people waiting. Such an injection is stable because the structure and therefore the supplied data aren't separated correctly. The automated bus doesn't differentiate between instructions and data, it simply parses anything it's fed.

SQL injection vulnerabilities have supported this idea. Attackers are ready to inject malicious instructions into corrupted ones, all of which are then sent to the database server through an internet application.

Types of SQL injection vulnerabilities

Traducer can exfiltrate data from servers by diminishing SQL Injection vulnerabilities in various ways they are:

• Error-Based SQL Injection
  When exploiting an error-based SQL Injection vulnerability, attackers can retrieve information like table names and content from visible database errors.
• Boolean-Based SQL Injection
  Sometimes there's no visible error message on the page when an SQL query fails, making it difficult for a hacker to urge information from the vulnerable application. However, there's still how to extract information.
  When an SQL query fails, sometimes some parts of the online page disappear or change, or the whole website can fail to load. These indications allow attackers to work out whether the input parameter is vulnerable and whether it allows extraction of knowledge.
• Time-Based SQL Injection
  In some cases, the vulnerable SQL query doesn't have any visible effect on the output of the page, it's still going to be possible to extract information from an underlying database.
  Hackers determine this by instructing the database to present a stated amount of your time before responding. If the page isn't vulnerable, it'll load quickly; if it's vulnerable it'll take longer than usual to load. This permits hackers to extract data, of course, there are not any visible changes on the page. The SQL syntax is often almost like the one utilized in the Boolean-Based SQL Injection Vulnerability.
• Out-of-Band SQL Injection Vulnerability
  Sometimes the sole way an attacker can retrieve information from a database is to use out-of-band techniques. Usually, these sorts of attacks involve sending the info directly from the database server to a machine that's controlled by the attacker. Attackers may use this method if an injection doesn't occur directly after supplied data is inserted, but at a later point in time.

What Can Attackers do after SQL Injection Attack?

To perform an SQL injection attack, an attacker must locate a vulnerable input during a web application or webpage. When an application or webpage contains a SQL injection vulnerability, it uses user input within the sort of an SQL query directly. The hacker can execute a specifically crafted SQL command as a malicious cyber intrusion. Then, leveraging malicious code, a hacker can acquire a response that gives a transparent idea about the database construction and thereby access to all or any of the knowledge within the database.

SQL is the way of communication to the database. SQL statements are wont to retrieve and update data within the database. Attackers use malicious SQL statements within the input box, and in response, the database presents sensitive information. This exploit of security aims at gaining access to the unauthorized data of an internet site or application. Several websites and web applications store data in SQL databases. For any of those applications, it becomes essential to perform vulnerability testing to make sure there are not any loopholes for executing SQL injection.

What is the impact of a successful SQL injection attack?

With no mitigating controls, SQL injection can leave the appliance at a high risk of compromise leading to an impression of the confidentiality, and integrity of knowledge also as authentication and authorization aspects of the appliance. An adversary can steal sensitive information stored in databases employed by vulnerable programs or applications like user credentials, trade secrets, or transaction records. SQL injection vulnerabilities should never be left open; they need to be fixed altogether under circumstances. If the authentication or authorization aspects of an application have affected an attacker could also be able to log in as the other user, like an administrator which elevates their privileges.

How to prevent SQL Injection Attacks?

Preventing SQL injection attacks is a lot about ensuring that none of the fields are vulnerable to invalid inputs and application execution. it is actually impossible to check every page and every application on the website, especially when updates are frequent and user-friendliness is the top priority.

Nonetheless, security analysts and seasoned developers recommend a variety of next points to guarantee your database area unit is well protected inside the confinement of the server.

1. Continuous Scanning and Penetration Testing
   The automated web application scanner has been the simplest option to mean vulnerabilities within the online applications for quite a while now. Now, with SQL injections getting smarter in exploiting logical flaws, website security professionals should explore manual testing with the assistance of a security vendor.
   They can authenticate user inputs against a group of rules for syntax, type, and length. It helps to audit application vulnerabilities discreetly so that you can patch the code before hackers exploit it to their advantage.
2. Restrict Privileges
   It is more of a database management function, but enforcing specific privileges to specific accounts helps prevent blind SQL injection attacks. Begin with no privileges account and advance to ‘read-only’, ‘edit’, ‘delete’, and similar privilege levels.
   Minimizing privileges to the appliance will make sure that the attacker, who gets into the database through the appliance, cannot make unauthorized use of specific data.
3. Use Query Parameters
   Dynamic queries create a lot of trouble for security professionals. They have to affect variable vulnerabilities in each application, which only gets worse with updates and changes. It is recommended that you prepare parameterized queries.
   These queries are simple, easy to write down, and only pass when each parameter in SQL code is clearly defined. This way, your info is furnished with weapons to differentiate between code and knowledge inputs.
4. Instant Protection
   A majority of organizations fail with problems like outdated code, scarcity of resources to test and make changes, no knowledge of application security, and frequent updates in the application. For these, web application protection is the best solution.
   A managed web application firewall can be deployed for immediate mitigation of such attacks. It contains custom policies to dam any suspicious input and denies information breach instantly. This way, you do not have to manually look for loopholes and mend problems afterward.

If you have any queries about this topic or have to get services and consultations against these serious cyber threats. Feel free to contact us. Always AIRZERO SEC will be your strong firewall. E-mail id: [email protected]

Author :
Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkdIn Profile: www.linkedin.com/in/johnsontaugustine/

The term ‘mobile payments’ refers simply to all payments that are made using your mobile device. Do you find it convenient to shop and bank online using mobile payment apps? Most would have ‘yes’ as an answer. But, are we letting ‘convenience’ overshadow ‘security’? An attacker can easily get hold of your personal and banking information if the app or the mobile site you are using is compromised. The chances of this happening significantly increases if your mobile device itself is infected. Mobile payments include the use of mobile wallets and mobile money transfers. There are two types of mobile payments: online or in-app purchases, and using a POS terminal in a bricks-and-mortar store. Here are some of the biggest mobile payment security risks, and steps you can take to protect yourself.

Losing your phone is like losing your credit card

Your smartphone is a small, slippery object that provides a huge window into your personal life. It contains the names and contact information of every key acquaintance in your life, your personal photo collection and social media apps. It also can provide access to credit and bank accounts via a mobile wallet and payment apps.

Most smartphones contain built-in protections that can prevent a phone thief from using your mobile wallet to rack up fraudulent charges. The best way to keep a thief out of your phone is to require two-factor authentication to unlock it – ideally, a PIN combined with a biometric method such as your fingerprint, facial recognition or an iris scan.

Weak Passwords

Being hacked due to weak passwords, or overused passwords, is one of the oldest forms of hacking. Even the strongest form of password hashing encryption, used by corporate security firms, can fail when it comes to cyber criminals decryption tools.

It may sound obvious, but don’t use the same password for everything, and try and change them once a month. Look into using a passwords manager such as LastPass. These online password resources will generate strong passwords using a combination of numbers, letters and special characters, and store them all in an encrypted vault.

Cyberthieves can ‘spoof’ your mobile wallet

When you add a credit or debit card to your mobile wallet, the card number is stored securely via encryption, which disguises it with a code created by an algorithm. Additionally, the major mobile wallet providers use randomly generated payment tokens to ensure your card information is not seen by merchants or even the wallet providers when you make purchases.

Load your cards into your mobile wallet while at home, using your own password-protected Wi-Fi network. If you need to manage your mobile wallet while away from your home, consider setting up a personal virtual private network (VPN) for your phone.

Using Public Wifi

Some of the most popular ways hackers can compromise public wifi are by creating fake connections and sidejacking. Fake connections are created by setting up an access point (AP), which can be done using any form of device with internet access, with the same name as a legitimate connection. Hackers then intercept any data in transit, such as a bank transfer or online payment.

Using a VPN, Virtual Private Network is one of the most secure forms of protection against hacking. A VPN establishes a level of encryption between your device and the website you’re browsing, so any data transmitted is unreadable without the a unique decryption key. Be careful when choosing a VPN, as even these can be compromised or faked.

Your phone can become infected with malware

Cyber criminals use malware to remotely commandeer computers, smartphones and other devices or steal users’ passwords and other private information. Malware infection typically results from an unwitting user clicking on a sketchy ad or a phony link sent by a malicious third party. Computers are generally more vulnerable than cellphones, but mobile malware is a growing threat.

A bank or card issuer can employ security features on its own payment or banking app, but it can’t control the security features of third-party browsers where many customers manage their online accounts.

Nevertheless, avoid clicking on links included in suspicious ads, email or text messages from unfamiliar sources. And Clyde recommends installing anti-virus software on your phone as an extra safeguard.

Human Error

Human error or carelessness has been cited as the number one contributor to security breaches. Hackers rely on human error when planning some form of cyber attack as they count on user to click on insecure links, open emails containing security threats and accidentally downloading malware.

When it comes to protecting yourself against phishing, malware, and identity fraud, it almost always comes down to using common sense. As mentioned above, don’t click on any links in emails from unknown senders or sources, be vigilant with your passwords and how you store them. If you want to start using a mobile wallet, load your cards into your phone at home using your own private wifi. As this is password protected it is much safer than doing this at work or in public.

So, to help you avoid such a disaster, here are 9 safety steps for making secure mobile payments.

1. Download mobile payment apps only from official stores such as Google Play and Apple Store.

2. Before you download any app, verify the publisher. The ‘Top Developer’ badge (in Google Play) is usually a good sign that the app is safe. Read its user reviews and just Google “Is (app name) safe?”.

3. Carefully read the permissions that the app asks for. If you think a mobile payment app is asking for more than what is required, do not install it. If you have any doubts regarding the permissions, just contact the app’s manufacturer via their Twitter handle.

4. Never visit an online banking or shopping website by clicking on a link received in an email or text message.

5. Always choose a strong password for accounts for net banking or online payment apps. It should be a mix of uppercase and lowercase letters and special characters.

6. Do not use unsecured, public Wi-Fi networks for onling banking or shopping. Doing so may let an attacker steal your information.

7. Only use established and well-known websites to for online shopping and paying for utilities.

8. Ensure your banking transactions are OTP (one time password) enabled. While paying a purchase through net banking, debit/credit card, you will enter your login ID and password (or card details) and also an OTP (code sent to your registered mobile number) before you can make the final payment. So, even if an attacker manages to steal your net banking/card details, payment won’t go through without the OTP.

9. Install a mobile security app that is built with multiple layers of security. The Quick Heal Total Security App comes with SafePe besides other advanced features. SafePe is especially designed to secure your financial information when you use mobile payment apps for online shopping, banking, paying bills, etc.

Conclusion

Mobile payment security concerns are still at large amongst businesses and consumers alike. However, with the correct education and proper training, mobile payments could see a dramatic current and future growth opportunities. Retailers could finally, collectively, see the huge benefits of going cardless, cashless and paperless, if only to reduce queues at the counter.

Android is a Linux platform programmed with Java and enhanced with its own security mechanisms tuned for a mobile environment. As a developer writing for Android, you will need to consider how you will keep users safe as well as how to deal with constrained memory, processing and battery power. You must protect any data users input into their device with your application, and not allow malware to access the application’s special permissions. How you achieve this is partly related to which features of the platform you use.

Android Permissions Review

Applications need approval to do things their owner might object to, like sending SMS messages, using the camera or accessing the owner’s contact database. Android uses manifest permissions to track what the user allows applications to do. An application’s permission needs are expressed in its AndroidManifest.xml and the user agrees to them upon install.

Encrypt Data on External Storage

The internal storage capacity of an Android device is often limited. Therefore, at times, you might have no choice but to store sensitive data on external storage media, such as a removable SD card.

Because data on external storage media can be directly accessed by both users and other apps on the device, it is important that you store it in an encrypted format. One of the most popular encryption algorithms used by developers today is AES, short for Advanced Encryption Standard, with a key size of 256 bits.

Writing code to encrypt and decrypt your app's data using the javax.crypto package, which is included in the Android SDK, can be confusing. Therefore, most developers prefer using third party libraries, such as Facebook's Conceal library, which are usually much easier to work with.

Use Intents for IPC

Experienced programmers who are new to Android application development often try to use sockets, named pipes, or shared files to asynchronously communicate with other apps installed on an Android device. These approaches are not only hard and inelegant, but also prone to threats. An easier and more secure approach to interprocess communication on the Android operating system is to use intents.

To send data to a specific component of an app, you must create a new instance of the Intent class and use its setComponent() method to specify both the package name of the app and the name of the component. You can then add data to it using the putExtra() method.

Use HTTPS

All communications between your app and your servers must be over an HTTPS connection, preferably using the HttpsURLConnection class. If you think using HTTP for data that is not confidential is fine, think again.

Many Android users connect to several open Wi-Fi hotspots in public areas every day. Some of those hotspots could be malicious. A malicious hotspot can easily alter the contents of HTTP traffic to make your app behave in an unexpected manner, or worse still, inject ads or exploits into it.

Use GCM Instead of SMS

ack when GCM, short for Google Cloud Messaging, didn't exist, many developers were using SMS to push data from their servers to their apps. Today, this practice is largely gone.

If you are one of those developers who still hasn't made the switch from SMS to GCM, you must know that the SMS protocol is neither encrypted nor safe against spoofing attacks. What's more, an SMS can be read by any app on the user's device that has the READ_SMS permission.

GCM is a lot more secure and is the preferred way to push messages to an app because all GCM communications are encrypted. They are authenticated using regularly refreshed registration tokens on the client side and a unique API key on the server side.

Use ProGuard Before Publishing

Security measures built into an Android app can be severely compromised if attackers are able to get their hands on the source code. Before you publish your app, it is recommended to make use of a tool called ProGuard, which is included in the Android SDK, to obfuscate and minify source code.

Android Studio automatically includes ProGuard in the build process if the buildType is set to release. The default ProGuard configuration available in the Android SDK's proguard-android.txt file is sufficient for most apps. If you want to add custom rules to the configuration, you can do so inside a file named proguard-rules.pro, which is a part of every Android Studio project.

Conclusion

Android applications have their own identity enforced by the system. If you use one of these mechanisms you need to be sure you are talking to the right entity — you can usually validate it by knowing the permission associated with the right you are exercising. If you are exposing your application for programmatic access by others, make sure you enforce permissions so that unauthorized applications can’t get the user’s private data or abuse your program. Make your applications security as simple and clear as possible.