8 High-impact Bugs and How HackerOne Customers Avoided a Breach: SQL Injection
This blog series counts down 8 high-impact vulnerability types, along with examples of how HackerOne helped avoid breaches associated with them. This blog, the third in the series, looks at SQL Injection, which tops the OWASP Top 10 2017 list and ranks fifth in HackerOne’s recent analysis of the Top 10 Most Impactful and Rewarded Vulnerability Types.
SQL injection can be used to attack applications by inserting malicious SQL statements into an entry field for execution. According to OWASP, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and, in some cases, issue commands to the operating system.
HackerOne ranked SQL injection fifth overall on our list of top ten most impactful and rewarded vulnerabilities. In our analysis, the healthcare and aviation/aerospace industries in our sample rewarded hackers for this type of vulnerability the most, at 12% and 27% respectively.
Let’s look at two disclosed reports from Hacktivity, one from Starbucks and the other from the U.S. DoD, to show how hackers @spaceraccoon and @alyssa_herrera kept these organizations safe from potential SQL injection breaches.
How Starbucks and the US Department of Defense Avoided SQL Injection Breaches
Next time you and your posse go in for some orange mocha frappuccinos, ask them to hold the malicious SQL. In response to the barista's querulous look, say, “Oh, nevermind, SpaceRaccoon got you, my bad.” That should clear things right up.
On April 8, 2019, @spaceraccoon reported a SQL Injection vulnerability to Starbucks. The report provides an excellent example of the kind of persistence and creativity that security teams only get with hackers.
In the February/March time frame, @spaceraccoon came upon a promising-looking endpoint using subdomain enumeration. “It looked like an extremely promising target: a simple HTML file upload form. I began by testing for unrestricted file uploads with PHP shells and such, but it quickly became clear from the verbose error messages that while the files were being sent to the server, they were being processed as XML files and were not saved on the server.”
The error messages helped @spaceraccoon craft a properly-formatted XML file that was accepted by the server. This revealed nodes with names like MainAccount, Credit, Debit, Invoice, etc., and the error messages included references to Microsoft Dynamics AX, an enterprise financial/accounting software platform. This led @spaceraccoon to begin attempting some XML External Entity attacks, but these only exposed a billion laughs DoS attack which, in @spaceraccoon’s words “wasn't good enough, so after several more days of trying, I eventually moved on to other targets.”
About one month later @spaceraccoon came back with the hypothesis that if the XML input was being entered into a database, they should test SQL injections, “in particular in the MainAccount because it accepted a numerical ID like <MainAccount>123456</MainAccount> and was perhaps used in a WHERE SQL query.” After researching XML syntax, the server returned a database error message, indicating they were on the right path.
With a bit more manual testing, I realized it was possible to craft a time-based SQL injection. I then switched to sqlmap with the --tamper htmlencode flag to automate my attack. After a few minutes, sqlmap confirmed the exploit and returned the database version: Microsoft SQL Server 2012.
@spaceraccoon submitted the report on April 8th and communicated through the day with a member of the HackerOne services team. The bug was triaged on April 9th and just 2 days later, Starbucks awarded a $4,000 bounty for this critical (9.3) vulnerability.
Potential Business Impact
@spaceraccoon enumerates several ways this vulnerability could have resulted in significant loss for Starbucks. “There were almost a million entries up to the previous year that included real accounting information. I immediately stopped testing and wrote my report.”
2. U.S. Department of Defense
In Initially I discovered a Defunct admin panel with default credentials, admin/admin. This was vulnerable to a blind SQL Injection but I wasn't able to successfully exploit the login panel. I later google dorked for PHP files on the subdomain and ended up finding another end point that was vulnerable to SQLI.
I then used SQLMap to exploit and then read the banner and user name of the website. I ended up discovering this sub domain and the previous SQL injection shared the same database. I later google dorked the end point and found another subdomain using the same end point and exploited it in a similar fashion to this one.
In an excellent show of responsiveness, DoD triaged the report on February 5, just 2 days after submission.
By harnessing the creativity and persistence of hackers, Starbucks and DoD avoided potentially significant financial and national security damage. @alyssa_herrera and @spaceraccoon employed similar techniques to demonstrate these SQLI vulnerabilities.