SQL Injection Lab
Try Hack Me | Self Guided Lab
Acted as a red-team lead – responsible for identifying vulnerable code in a “test-client” application suite and conducting penetration testing via SQL Injection.
My primary goal was to manipulate the ‘id’ number in the web address to inject malicious SQL code and potentially retrieve confidential information from the underlying database.
During the practical part of the lab, I experimented with the ‘id’ parameter in the URL to inject a Union-Based payload. For instance, changing the URL from
https://website.thm/blog?id=1
to
https://website.thm/blog?id=1 UNION SELECT 1, username, password FROM users–
was an attempt to reveal usernames and passwords from the ‘users’ table. The use of the UNION operator and comments in SQL statements enabled me to successfully exploit the vulnerability.
Additionally, I crafted queries causing errors and used the UNION operator to unveil the database name (‘sqli_one’) and list tables in it (‘article’ and ‘staff_users’). Further queries exposed the structure of the ‘staff_users’ table, revealing columns such as ‘id,’ ‘username,’ and ‘password.’
I also explored Blind SQL Injection – Boolean Based. This involved manipulating a URL parameter to check for the existence of a username (https://website.thm/checkuser?username=admin). This hands-on experience honed my skills in enumerating the database structure and contents using boolean responses.
In summary, this SQL Injection lab offered valuable insights into vulnerabilities in web applications. It emphasized the essential requirement for input validation and secure coding practices to prevent potential cyber threats.
Cybersecurity Risk Assessment Lab
TASK – Create a list of 20 recommendations for a power plant company to enhance their application security posture and resolve critical vulnerabilities.
- Regular Updates: Set up an automated system to regularly check for and apply software updates for all control systems, including operating systems, firmware, and application software.
- Strong Passwords: Enforce the use of complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. Implement a password policy requiring password changes every 90 days.
- Custom Alerts for Safety: Customize error messages to avoid revealing sensitive information. For instance, replace generic error messages with specific messages like “Invalid username or password” instead of a generic “Login failed.”
- Secure Control Sessions: Implement secure session management by using secure tokens or session cookies with limited lifetimes. Regularly log out inactive users and ensure that sessions are properly terminated upon logout.
- API Control for Grids: Implement API rate limiting to control the number of requests a user or system can make within a specified time frame. This helps prevent API abuse or unauthorized access.
- Code Checks for System Integrity: Use static code analysis tools during the development process to identify and fix potential security vulnerabilities. Conduct regular code reviews with an emphasis on security best practices.
- Data Validation for Grid Info: Validate input data from sensors and external systems before processing it within the power plant control systems. Implement strict input validation to prevent injection attacks.
- Operator Cyber Training: Conduct regular cybersecurity training sessions for plant operators, covering topics such as recognizing phishing emails, secure password practices, and the importance of reporting suspicious activities.
- Enhanced Logging and Monitoring: Set up centralized logging for all control systems and establish real-time monitoring for unusual activities. Create alerts for specific events, such as multiple failed login attempts or unexpected system access.
- Routine Security Checks: Perform routine security assessments, including vulnerability scanning and penetration testing, to identify and address potential security weaknesses in the control systems.
- Emergency Response Plans: Develop and regularly update an incident response plan outlining specific steps to take in the event of a cybersecurity incident. Conduct regular drills to ensure a quick and coordinated response.
- Vulnerability Scans: Use automated vulnerability scanning tools to regularly scan control system networks for known vulnerabilities. Prioritize and remediate identified issues promptly.
- Robust Security Monitoring: Deploy intrusion detection and prevention systems (IDPS) to monitor network traffic for signs of suspicious or malicious activity. Configure alerts to notify security personnel in real-time.
- Container Security Measures: Implement container security practices, such as using only trusted container images, regularly scanning images for vulnerabilities, and applying runtime controls to restrict container privileges.
- Automated Dependency Scanning: Utilize automated tools to scan software dependencies for known vulnerabilities. Implement a process to track and update dependencies as needed.
- API Authentication and Authorization Control: Enforce strong authentication for API access, such as using API keys or OAuth tokens. Implement role-based access control (RBAC) to ensure that users have appropriate permissions.
- Encrypted Data Transfers: Enable SSL/TLS for encrypting data in transit between control systems and ensure that all communication channels use secure protocols to protect against eavesdropping.
- Multi-Factor Authentication : Implement MFA for user authentication, requiring an additional verification step, such as a one-time password or biometric authentication, in addition to a password.
- Secure File Uploads: Implement file upload checks to verify file types, scan for malware, and set size limitations. Restrict file uploads to only essential functionalities.
- Zero Trust Networking Principles: Adopt a zero-trust network architecture where each device and user is treated as untrusted, requiring continuous verification and authentication before granting access to critical systems. Implement micro-segmentation to limit lateral movement within the network.
Leave a Reply