<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Lindsey Fonnesbeck</title>
    <description>The latest articles on DEV Community by Lindsey Fonnesbeck (@lindsfonnes).</description>
    <link>https://dev.to/lindsfonnes</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F599646%2F64ce8a36-7b32-44b3-b901-8949b01613f5.jpeg</url>
      <title>DEV Community: Lindsey Fonnesbeck</title>
      <link>https://dev.to/lindsfonnes</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/lindsfonnes"/>
    <language>en</language>
    <item>
      <title>SQL Injection Attacks and How Developers Can Prevent Them</title>
      <dc:creator>Lindsey Fonnesbeck</dc:creator>
      <pubDate>Mon, 20 Sep 2021 21:01:09 +0000</pubDate>
      <link>https://dev.to/lindsfonnes/sql-injection-attacks-and-how-developers-can-prevent-them-2n71</link>
      <guid>https://dev.to/lindsfonnes/sql-injection-attacks-and-how-developers-can-prevent-them-2n71</guid>
      <description>&lt;p&gt;This week during my 100 Days of Hacking challenge, I learned how hackers can infiltrate applications that are vulnerable to SQL injection attacks, the side effects of these attacks, and how web developers can prevent them from happening. I believe that &lt;a href="https://dev.to/lindsfonnes/why-security-is-important-for-every-developer-21d9"&gt;every developer should learn more about security&lt;/a&gt;. That being said, learning security should be more accessible to developers. So, let's go over the basics!&lt;/p&gt;

&lt;h3&gt;
  
  
  What is a database?
&lt;/h3&gt;

&lt;p&gt;A database is how information can be stored and organized, so that it can later be accessed, managed, and updated. The most universal example of the type of data stored in a database is user information. When you register on a website you fill out a form that asks for information such as your name, username, email address, and password. After you click &lt;em&gt;sign up&lt;/em&gt; this information is sent as a request to your backend, and your backend will communicate with the database on how to store this information. Now that the data is stored, this enables users to be able to sign into their account the next time they access the website. When the user goes to login, clicking the &lt;em&gt;login&lt;/em&gt; button will submit a request to your backend, which will communicate with the database to make sure the input username exists in the database and that the input password matches the stored password associated with that username.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9uiweph3n2fd9jsbbud6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9uiweph3n2fd9jsbbud6.PNG" alt="Database Example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  What is SQL?
&lt;/h3&gt;

&lt;p&gt;SQL (Structured Query Language) is a language that is used to communicate with relational databases, meaning a data table structured with rows &amp;amp; columns. Using SQL queries you can retrieve, update, insert, or delete data from your database. If you want to learn more about how exactly to write SQL queries, I loved learning through &lt;a href="https://sqlzoo.net/wiki/SQL_Tutorial" rel="noopener noreferrer"&gt;SQL Zoo&lt;/a&gt;. It is important to note that using a NoSQL database does not mean it is safe from injection attacks! We can cover more about that in another article.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwp031e3ofm3dx1kfu164.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwp031e3ofm3dx1kfu164.PNG" alt="SQL Query Example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  What is SQL Injection?
&lt;/h3&gt;

&lt;p&gt;Because SQL databases are so common, SQL injection attacks are one of the biggest risks to websites. If you are not taking proactive steps to prevent SQL injection in your application, an attacker will be able to input their own query to your application. This means they could essentially have full access to your database and will have the ability to read, update, insert, or delete anything that they want! A bit frightening, but the goal of an attacker accessing the database isn't always just to gain sensitive information such as usernames, passwords, or payment information. Imagine if you worked for a healthcare company and your company's database was vulnerable to SQL injections. The attacker could alter patient information, which would be very dangerous! Whether they are retrieving, inserting, updating, or deleting data these could all have very serious implications for any company.&lt;/p&gt;

&lt;p&gt;As a developer, it is important to understand how these injection attacks are discovered and performed so that you can defend against them. Let's step into the attacker's perspective to see how this is done.&lt;/p&gt;

&lt;h3&gt;
  
  
  How is a SQL Injection Attack Performed?
&lt;/h3&gt;

&lt;p&gt;The first step is checking if the application is vulnerable to SQL injection. In this example, we are trying to log in to an account as the administrator user. By simply submitting a single quotation mark as the username, we receive an internal server error. This is a sign that the application is vulnerable! If the application wasn't vulnerable we would get back a handled error response such as 'Invalid username or password'.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flo2p8sp66czadgyyjp3p.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flo2p8sp66czadgyyjp3p.PNG" alt="Single Quote Example"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsxai80fp2n6ilhczmn7.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsxai80fp2n6ilhczmn7.PNG" alt="Server Error Example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To understand why this is happening let's break down what the SQL query may potentially look like for a login feature. In this scenario, if the input is &lt;em&gt;administrator&lt;/em&gt; for the username and the password input is &lt;em&gt;admin&lt;/em&gt; the SQL query would look like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn7a7dedm2vzy2jqqxtie.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn7a7dedm2vzy2jqqxtie.PNG" alt="SQL Query Example 1"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;However, when we just use a single quote as the input instead of valid input our SQL query looks like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi5fpffwsmliflwend9a3.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi5fpffwsmliflwend9a3.PNG" alt="SQL Query Example 2"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By using a quote as the input, our SQL query is now trying to retrieve an empty input (WHERE username='') but then it runs into an additional quotation mark and the server is unable to handle it properly so it breaks the application and throws an unhandled error.&lt;/p&gt;

&lt;p&gt;What can be done with this, now that we know the application is not properly handling user input? In SQL we have the ability to &lt;em&gt;comment&lt;/em&gt; out part of the code, just like we do in other languages like JavaScript or Python. By commenting out part of the code, the portion that is commented out will be completely ignored. We know that our server throws an error when it reaches the additional quotation mark, so if we comment out that quotation mark and everything past it, our query that is sent to the database would look more like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhzeekh2ibezy3czgbrxs.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhzeekh2ibezy3czgbrxs.PNG" alt="SQL Query Example 3"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For most databases, to write a comment we just have to input a double dash. So we will use a quote after the username to close off the query and use the double dashes to have the rest of the query ignored.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvk20rtoy7h2k9b3n8tc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvk20rtoy7h2k9b3n8tc.PNG" alt="SQL Query Example 4"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpl7kkghkub0vum9z0ec.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpl7kkghkub0vum9z0ec.PNG" alt="SQL Comment Example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F20ycpoa4jnln9l9xxy8g.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F20ycpoa4jnln9l9xxy8g.PNG" alt="Admin Login"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Logging in as a user is only a small piece of all the possibilities with SQL injections. If an application is vulnerable to SQL injection attacks, an attacker is able to find out which database is being used (e.g. Oracle, MySQL, PostgreSQL), what tables exist in the database, and what columns exist within the tables. They could also retrieve data from different tables within the database, which is called a &lt;em&gt;UNION&lt;/em&gt; attack. Even if the application doesn't return visible results of a SQL injection on the page or in the response, attackers can still access the database by using Boolean-based logic, triggering time delays in processing the query, or by triggering out-of-band network interactions. These techniques can get fairly in-depth but are really interesting to learn about, as you can see exactly how attackers can get around your application's defenses if they are not secured correctly.&lt;/p&gt;

&lt;h3&gt;
  
  
  How Can Developers Prevent SQL Injection Attacks?
&lt;/h3&gt;

&lt;p&gt;The good news is that securing your application against SQLi attacks is fairly straightforward. As a developer, you should never directly execute a user's input. The best prevention method is using parameterized queries. A parameterized query puts placeholders in the query text and passes the user's input in separately as parameters, rather than inserting the input directly into the query. The database then treats each parameter strictly as a value to search for or store, rather than executing whatever the input contains in blind faith.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F35eo1c4hftep57djk6qe.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F35eo1c4hftep57djk6qe.PNG" alt="Vulnerable Query Example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the example above we are making a POST request to add a new company to our database. Our query to the database takes the code, name, and description that were in the request body and directly inserts them into the database. This is the incorrect way to write a query and will allow SQL injection vulnerabilities.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hbzhdt69izrrrivg3jh.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hbzhdt69izrrrivg3jh.PNG" alt="Parameterized Query Example"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this example we are correctly using parameterized queries to prevent SQL injection. Rather than directly inserting the variables into the query, use $1, $2, $3 as placeholders to represent the variables that will be passed in. After the query statement, pass an array of values as the second argument to the query. In this case our array of values consists of the &lt;em&gt;code&lt;/em&gt;, &lt;em&gt;name&lt;/em&gt;, and &lt;em&gt;description&lt;/em&gt; variables that we retrieved from the request body. The placeholders are 1-indexed and the order matters, so $1 represents the &lt;em&gt;code&lt;/em&gt; and $3 represents the &lt;em&gt;description&lt;/em&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Defense in Depth
&lt;/h3&gt;

&lt;p&gt;Because a defender has to cover all security flaws to be successful and an attacker needs to find only one single flaw, it is best to implement multiple security practices. This is called defense in depth. If you were to own a jewelry store, you wouldn't consider it safe enough to just have a single lock on the front door. You would implement multiple security strategies such as cameras, a burglar alarm, or a guard dog! The same concept applies to defending your application. While parameterized queries are the #1 recommended method of defense against SQLi vulnerabilities, there are cases where you cannot use a parameterized query. Parameterized queries will not work if you are trying to dynamically add a table name, column name, or SQL keyword into your query. In this instance, you would want to use a whitelist map, where you specifically only allow certain keywords. If a word is not in the whitelist, the query is rejected rather than executed. Additionally, it is recommended to follow the principle of least privilege. This means that every process only runs with the lowest level of permissions needed to perform its functionality. By doing this, it is ensured that if an attacker were to perform a SQL injection the damage would be limited. For example, web servers generally don't require permissions to execute CREATE, DROP, and MODIFY statements, so don't grant them these permissions at runtime. Lastly, while we already mentioned that attackers are still able to find ways around it if your application isn't returning visible results or errors, we don't want to make it easy for them! By utilizing custom error messages rather than errors generated by our database that reveal crucial details, we can limit the amount of information that is given away about our database.&lt;/p&gt;

&lt;p&gt;If you are interested in learning more about SQL injection vulnerabilities, exploitation, and prevention here are some resources that I recommend:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=VldxqTejybk" rel="noopener noreferrer"&gt;SQL Injection Myths and Fallacies&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/" rel="noopener noreferrer"&gt;SQL Injection Hall of Shame&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://portswigger.net/web-security/sql-injection" rel="noopener noreferrer"&gt;SQL Injection Tutorials and Lab Examples&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html" rel="noopener noreferrer"&gt;SQL Injection Prevention Cheat Sheet&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Next week I will be covering another web application vulnerability and prevention methods, so stay tuned! In the meantime, let me know if you learned anything new about SQL injection vulnerabilities and if there are any resources that you'd like to share.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>sql</category>
      <category>100daysofhacking</category>
    </item>
    <item>
      <title>Why Every Web Developer Should Learn About Security</title>
      <dc:creator>Lindsey Fonnesbeck</dc:creator>
      <pubDate>Tue, 07 Sep 2021 00:47:04 +0000</pubDate>
      <link>https://dev.to/lindsfonnes/why-security-is-important-for-every-developer-21d9</link>
      <guid>https://dev.to/lindsfonnes/why-security-is-important-for-every-developer-21d9</guid>
      <description>&lt;p&gt;This past week during my 100 days of hacking challenge, I started to dive deeper into the fundamentals of security and exactly why we as developers should learn to implement security into our code. Cybersecurity and software engineering are commonly seen as two separate specialties without much overlap, other than maybe an intro class or two for Computer Science students and a few dedicated minutes in a lecture for bootcamp grads if they're lucky.&lt;/p&gt;

&lt;p&gt;When I initially started to learn to code, I tried to ask around for advice on how I could integrate my passion for web security with software engineering. The general consensus that I received at that time was that they are two separate things and that the frameworks learned in school were enough and that I didn't need to concern myself with the security aspect. Something about that just didn't sit right with me, and as I've started to learn more about breaking applications through Bugcrowd's bug bounty mentorship program, my stance that all developers should learn more about implementing security in their code is reinforced.&lt;/p&gt;

&lt;p&gt;Using a framework is a common practice during development because frameworks abstract a lot of logic, which in turn saves a lot of time. However, using a framework without an understanding of how it works or the potential risks can put the security of your application in jeopardy. A single line of defective code can expose an organization's internal systems to vulnerabilities. Many companies use the same frameworks and dependencies. This means when a vulnerability is discovered within these tools it puts all of the companies using them at risk, even more so if they aren't making sure to update their dependencies and taking action against these risks. While efficiency and agility often take priority during development, without security built into the application the attack surface is greatly increased.&lt;/p&gt;

&lt;p&gt;When developing an application, you should consider things like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What should this application do?&lt;/li&gt;
&lt;li&gt;How should this application behave?&lt;/li&gt;
&lt;li&gt;What are my inputs? (form fields, query parameters, local storage, embedded css, etc)&lt;/li&gt;
&lt;li&gt;What are my outputs?&lt;/li&gt;
&lt;li&gt;What potential weaknesses could be taken advantage of by a hacker?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;While software engineering and cybersecurity should still be viewed as their own specialties, there are many benefits for developers learning the basics of integrating security into their coding practices. By having developers be part of the solution, in taking responsibility for their code, users and companies will be less likely to be involved in a data breach that exposes confidential data. It may take time to see a change in curriculum to include secure software development practices. Depending on the size of the company, their level of concern with security and budget, companies may rectify this by implementing a DevSecOps team, a security champion, or by hiring developers who are more aware of security practices compared to those who aren't familiar with security concepts. The goal of integrating security with web development is to prevent common vulnerabilities in your application, which protects the users, the companies, and lessens the likelihood of having to backpedal in the event of a costly &amp;amp; time-consuming security breach.&lt;/p&gt;

&lt;p&gt;Interested in learning more? Several resources that you may find beneficial include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://nostarch.com/websecurity"&gt;Web Security for Developers by Malcolm McDonald&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357"&gt;Alice &amp;amp; Bob Learn Application Security by Tanya Janca&lt;/a&gt; or the author has a &lt;a href="https://www.youtube.com/playlist?list=PLI9RITMnVbygrVQaGvpojIzgHTpkRrIn8"&gt;YouTube playlist&lt;/a&gt; reading of the book&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.youtube.com/watch?v=o2nPF_14PUQ&amp;amp;list=WL&amp;amp;index=13&amp;amp;t=2s"&gt;Learn Enough Frontend Security to Be Dangerous webinar&lt;/a&gt; hosted by Mintbean&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.youtube.com/watch?v=_5A0AVgqTOg"&gt;MicroFocus Lunch &amp;amp; Learn DevSecOps&lt;/a&gt; hosted by Black Girls Hack&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I will be studying a different web vulnerability each week during my 100 days of hacking and I look forward to sharing in more detail about common vulnerabilities and how we as developers can defend against them. In the meantime, let me know what your thoughts are on web developers learning more about security &amp;amp; any resources you find interesting!&lt;/p&gt;

</description>
      <category>security</category>
      <category>webdev</category>
      <category>100daysofhacking</category>
    </item>
    <item>
      <title>My 100 Days of Hacking!</title>
      <dc:creator>Lindsey Fonnesbeck</dc:creator>
      <pubDate>Mon, 30 Aug 2021 02:22:42 +0000</pubDate>
      <link>https://dev.to/lindsfonnes/my-100-days-of-hacking-1jh7</link>
      <guid>https://dev.to/lindsfonnes/my-100-days-of-hacking-1jh7</guid>
      <description>&lt;p&gt;I am excited to announce my journey as I begin a '100 Days of Hacking' challenge. Several weeks ago, I was elated to have been been 1 of 5 people globally who was accepted into Bugcrowd's Bug Bounty Mentorship program. In this program we are paired with a bug bounty hunter/ethical hacker expert for a mentor and are learning how to succeed at bug bounty hunting. My initial interest in tech began with an interest in cybersecurity, but I wasn't sure what path to take to be able to incorporate that interest into a career. Shortly after beginning my Software Engineering bootcamp, I realized that security is not something that is heavily discussed or taught as we are learning to build applications. The more I learn about how to break into an application, the more that I want to make sure that I know how to make my applications as secure as possible!&lt;/p&gt;

&lt;p&gt;My goal during this '100 days of Hacking' challenge is to continue learning about web application vulnerabilities, and not only how to exploit them but how to prevent them! I look forward to sharing each week what I have learned in order to spread more awareness about what steps a developer should take to ensure the safety and security of data.&lt;/p&gt;

&lt;p&gt;To hold myself accountable to my goals and in case anyone wants to join in on the '100 Days of Hacking' challenge, here are the rules that I have set up for myself:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Monday - Friday : 40 minutes daily of learning about a specific vulnerability for the week (utilize purchased books, PortSwigger, PentesterLab, etc). Keep notes daily on what was learned.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Saturday : 4 hours to finish up learning whatever topic that I was learning in the middle of the week. Search for bugs in a real application, specifically ones related to the vulnerability learned during the week.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Sunday: 4 hours to search for bugs open to any vulnerabilities learned up to this point. Write a blog post about what I've learned and/or found during this week.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Goal by end of 100 days of hacking: FIND A BUG &amp;amp; RECEIVE A BOUNTY! 🐛 💻&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>hacking</category>
      <category>security</category>
      <category>webdev</category>
      <category>100daysofcode</category>
    </item>
    <item>
      <title>More Ways to Iterate in JavaScript for Newbies</title>
      <dc:creator>Lindsey Fonnesbeck</dc:creator>
      <pubDate>Wed, 25 Aug 2021 22:52:08 +0000</pubDate>
      <link>https://dev.to/lindsfonnes/more-ways-to-iterate-in-javascript-for-newbies-74o</link>
      <guid>https://dev.to/lindsfonnes/more-ways-to-iterate-in-javascript-for-newbies-74o</guid>
      <description>&lt;p&gt;In this article, we are going to talk about methods in JavaScript to iterate (perform an action multiple times)! If you haven't read my &lt;a href="https://dev.to/lindsfonnes/javascript-for-loops-for-newbies-3lo"&gt;'For loops for Newbies'&lt;/a&gt; article yet, I highly suggest it as it's a great starting point. &lt;/p&gt;

&lt;p&gt;While the first iteration option that beginners are often taught is the 'for loop', using methods to loop is a lot more common. I appreciated being taught the 'for loop' first, because it really helped me understand what was happening before I moved on to learning other forms of iteration.&lt;/p&gt;

&lt;p&gt;Referencing our original for loop where we printed out the names of each Sailor Guardian, we can actually do this several other ways that can save even more time than writing out a traditional 'for loop'.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc4babuchxkaac6donpvx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc4babuchxkaac6donpvx.png" alt="ForLoop"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let's start with a very common array iteration method, forEach. &lt;br&gt;
To use the forEach method, you will call it upon the array that you are working with, and it will run a function for each item in that array. Some great things about using forEach include shorter syntax, along with having access to both the index and array like you would if you were using a traditional 'for loop'.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffr87yw838p5sypsa9z5e.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffr87yw838p5sypsa9z5e.JPG" alt="forEach"&gt;&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwbtv7on3nvia1ztbkl5w.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwbtv7on3nvia1ztbkl5w.JPG" alt="forEachArrowFunction"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using an &lt;a href="https://www.youtube.com/watch?v=h33Srr5J9nY" rel="noopener noreferrer"&gt;arrow function&lt;/a&gt;, we can put our entire function into a single line and have it give us the same result! Here you will see exactly what we are having our forEach method do; print out the individual sailor, the index of that sailor, and the array that we are calling the method on. The index and array values are optional, and if you don't specifically need access to them in your function, feel free to leave them out. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftid4tk97tq1p1b5lpqbr.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftid4tk97tq1p1b5lpqbr.JPG" alt="ForEach Output"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another benefit of using the forEach method is that we can either use an anonymous function to have our forEach directly perform the desired action, or you can pass in an already defined function. Check this out:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp53u8f0ylcwb55mzivrr.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp53u8f0ylcwb55mzivrr.JPG" alt="Callback Function For Each"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbkg4wxh2icoo690qpm8m.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbkg4wxh2icoo690qpm8m.JPG" alt="Sparkles"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is basically saying "for each sailor in my array, run the transformationSparkles function".&lt;/p&gt;

&lt;p&gt;Similar to the forEach method is the map method. Map takes the same parameters, but the difference is that it gives you a new array. This comes in handy if you don't want your function to alter the original array. Here you can see that our newSailors array is now a completely different array, and we didn't change the values in the original sailors array.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ju0dmo4gyubvs2r3nps.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ju0dmo4gyubvs2r3nps.JPG" alt="map code"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo23qk43uupv0qoq8q0ck.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo23qk43uupv0qoq8q0ck.JPG" alt="new sailors output"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Besides those two popular methods, other options are 'for..of' loops and 'for..in' loops. Don't worry if you get confused on which does what; I find myself still Googling when I can't remember for sure! The 'for..of' loop iterates over the values in an iterable object such as an array, string, or NodeList. The 'for..in' loop iterates over the property keys of an object rather than the value itself, so if you were to use it on an array, it would return the index rather than the value held in that index position. If you're using it on an object it will return the keys in the key-value pair.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F422hinlp5asb0x8cv6mc.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F422hinlp5asb0x8cv6mc.JPG" alt="for of for in loop"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbft3hbjoojyu619hw9ta.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbft3hbjoojyu619hw9ta.JPG" alt="output"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The above shows how each would work with an array. The 'for..of' loop is returning the array values, while the 'for..in' is just returning the indexes. For this reason, the 'for..in' is more useful when working with objects. Since 'for..in' loops give us access to each key, we can access the values in an object by referencing the key.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhwygs08czc2k4jeqjczc.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhwygs08czc2k4jeqjczc.JPG" alt="For In loop with object"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you were to try using a 'for..of' loop, you would get the following error: "TypeError: sailorsObj is not iterable". This is because objects are not considered iterable, so a 'for..of' loop cannot access each value in an object. Because a 'for..in' loop accesses the key, you are able to access the values in that way.&lt;/p&gt;

&lt;p&gt;Thanks for reading! Feel free to &lt;a href="https://replit.com/@lindsfonnes/MoreWaysToIterate" rel="noopener noreferrer"&gt;fork a copy of the code&lt;/a&gt; if you want to test out what else you can do with these iteration methods.&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>looping</category>
      <category>beginners</category>
      <category>webdev</category>
    </item>
    <item>
      <title>JavaScript 'for loops' for Newbies</title>
      <dc:creator>Lindsey Fonnesbeck</dc:creator>
      <pubDate>Wed, 11 Aug 2021 04:05:41 +0000</pubDate>
      <link>https://dev.to/lindsfonnes/javascript-for-loops-for-newbies-3lo</link>
      <guid>https://dev.to/lindsfonnes/javascript-for-loops-for-newbies-3lo</guid>
      <description>&lt;p&gt;When I first started to learn how to code, I remember the concept of loops having me stumped for what felt like the longest time. No matter how many videos I watched and materials that I read, I couldn't get the concept to click in my mind. My biggest frustration was that it felt like no one remembered what it was like to be a beginner and not know anything about code; all the explanations used technical terms that made it feel more confusing than it really was. I vowed that one day I would write my own explanation on loops, one that explains loops the way that I wish they were explained to me!&lt;/p&gt;

&lt;p&gt;The purpose of a for loop is to repeat an action multiple times.&lt;/p&gt;

&lt;p&gt;Without using a loop, if you wanted to console.log a phrase 10 times you could do it like so:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5biztow7ga2zugiobtj6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5biztow7ga2zugiobtj6.PNG" alt="Code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Whew! That definitely takes up a lot of space, and could be made a lot easier. What if we had to do that 100, or 1000 times?? Or what if we were wanting to console.log each value in an array (a list of values) with a lot of values in it?&lt;/p&gt;

&lt;p&gt;In comes the power of the loop!&lt;br&gt;
A for loop consists of 3 parts: the initial expression, the condition expression, and the increment expression.&lt;/p&gt;

&lt;p&gt;All for loops will start the same way.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2cvq2szmuiakwb94gke.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr2cvq2szmuiakwb94gke.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Don't panic! These are the technical terms that I mentioned had me feeling flustered when I was trying to learn.&lt;br&gt;
The initial expression is the count that you want your loop to start at. Usually this is 0, but you can start it at any number you want. You will declare the value that you are starting at as a variable. In this case you will use 'let' instead of 'const' because the value will be changing each time the loop runs.&lt;/p&gt;

&lt;p&gt;A common variable name used for the initial expression is 'i'. This typically stands for index (as in the index value of an array) but you can name it whatever you want as long as you keep using that same variable name that you assigned the initial expression to. Again, 'i' is just the name of the variable, it doesn't do anything special other than name the variable so that we can keep using it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttcslgui3a9nubhrorx2.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttcslgui3a9nubhrorx2.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One thing that I liked to do was refer to 'i' as the loop itself. So if we assign let i = 0, in my mind I knew that meant the loop itself is starting at 0.&lt;/p&gt;

&lt;p&gt;Next we have the condition expression. All this means is: how many times do you want the loop to run? If we want our loop to run 10 times (aka our action to happen 10 times), we just say it like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhiwye1cnpnmldyx7aa4.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhiwye1cnpnmldyx7aa4.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By saying that we want the loop to run while 'i' is less than 10, this will have our loop run until it reaches 10 since the value starts at 0 and increases each time the loop performs its action. This is where you need to be careful to not create an infinite loop on accident!&lt;/p&gt;

&lt;p&gt;If we were to write it like this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuakw1il3o8z0svouig7m.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuakw1il3o8z0svouig7m.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We would have big problems here! Our loop starts at the count of 0, and then we are telling the loop that we want it to run while the loop's count is greater than 10. Once our loop runs 10 times, it will keep running because it will always be greater than 10 after that point. This can cause your browser to crash from running the loop for so long, but everyone has to create an accidental infinite loop at least once to remember why to double check how many times we are really looping.&lt;/p&gt;

&lt;p&gt;Next we have our increment expression. Remember how I said our 'i' variable will increase each time that the loop runs? The increment expression is what causes 'i' to increase. A lot of the time, we will increase its value by 1 each time that the loop runs, but you can increase its value by whatever you want, or even decrease it if you are starting 'i' at a value larger than 0.&lt;br&gt;
So now all put together we have:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrt09lqyss4mvwegj0s6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrt09lqyss4mvwegj0s6.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you aren't familiar with the ++ operator, it adds 1 to our value and then returns the previous value of 'i' + 1.&lt;/p&gt;

&lt;p&gt;Now that we have our loop constructed, we just have to do something with it! Remember the curly braces, and insert inside whatever you want to happen for the duration of your loop.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrmmspq8urfqwsvi64qa.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrmmspq8urfqwsvi64qa.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fur5o3wzm67zwyxvm5346.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fur5o3wzm67zwyxvm5346.PNG" alt="console"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see here, we have our phrase printing to us 10 times, and we are also printing the value of 'i' so that you can visually see that 'i' is increasing in value each time that our loop runs.&lt;/p&gt;

&lt;p&gt;I mentioned previously that another use of for loops is to loop through an array's values. To do so, all we would need to do is reference the array's length property instead of hardcoding the condition expression to a specific number. We would then be able to use 'i' as the index value, so that each index in our array is utilized.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdzdgki571m2aws7nzv0h.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdzdgki571m2aws7nzv0h.PNG" alt="code snippet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7if5s5xnrxsx9mvq1jbp.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7if5s5xnrxsx9mvq1jbp.PNG" alt="console"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When applying these concepts to a real scenario, you likely won't just be printing out values to the console. But now you can take these same concepts of creating a for loop and apply them if you need a function to run a certain number of times, or if you need access to the index value in your loop.&lt;/p&gt;

&lt;p&gt;Let me know how you decide to implement a for loop in your project!&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>beginners</category>
      <category>programming</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
