Lab Walkthrough - DynamoDB: SQL Injection
SQL injection is one of the most common, yet one of the most mischievous, web security vulnerabilities, and it can be used to bypass authentication on an application. Although DynamoDB is a NoSQL database, it is still vulnerable to SQL injection attacks, with a little help from PartiQL.
Image by Infosec Insights
Introduction: DynamoDB and SQL injection.
Amazon Web Services (AWS) is among the most popular and easy-to-use public cloud providers around the globe. Among its many services is DynamoDB, a robust NoSQL database that offers features such as auto-scaling, fine-grained access control rules, time-to-live (TTL) timestamps, and many more. Being a NoSQL model, DynamoDB also handles less structured data more efficiently.
DynamoDB supports PartiQL, a SQL-compatible query language created by Amazon that lets us query data efficiently, whether it is structured data from relational databases, semi-structured and nested data in open data formats, or unstructured data in NoSQL databases like DynamoDB.
But just like any other database, as the prominence of DynamoDB grows, so do the attempts by malicious hackers to breach it and exploit users’ data! SQL injection gives those hackers a clever way into a database, and DynamoDB is no exception.
A SQL injection attack is, at its core, injecting malicious code into a web page input so that the attacker can interfere with the queries the application sends to its database. The usual cause of this vulnerability is accepting user input and placing it directly into a query. Just imagine: only a few simple commands and boom, the attacker gains unauthorized access to the database, which may hold sensitive user data like your passwords, account information, or other personal details. Isn’t it scary?
AWS recently added PartiQL support to DynamoDB, allowing developers to perform query, insert, update, and delete operations on DynamoDB tables with a structured query language. So our objective here is to use SQL injection to bypass authentication on an application that uses DynamoDB as its database.
The Solution: Performing SQL injection and bypassing the authentication
STEP 1: Our first step will obviously be inspecting the web application we want to attack. For this purpose, we can fill in any dummy values in the username and password fields.
The output will obviously be a failed login. Any kind of SQL error in the response will most likely mean that the application is vulnerable to SQL injection. Even if there is no error, it may still be vulnerable, so don’t give up just yet!
STEP 2: Now we can try a simple SQL injection payload. Try injecting the following:
● Username: ' or '1'='1
● Password: ' or '1'='1
It is actually quite simple but very effective. What we are basically doing is passing an OR statement with the condition '1'='1', which is always true. Hence we don’t need a valid username or password to access the account. You might be wondering why the database treats our statement as a SQL command rather than as a simple string input to the query. Well, that’s where the single quotes come into play.
Single quotes in SQL are used to mark the start and end of string values. While formulating the SQL statement, the application inserts the user input inside single quotes. If the user input is not properly sanitized/escaped, the input can manipulate the SQL statement. The single quote in the malicious payload marks the end of the string expected by the application, and the rest of the payload forms the always true condition.
You may get an error with this payload, something like this:
Nothing to worry about here… this error actually hints that our SQL injection is working. It arises because, as our payload starts with a single quote, the attribute value becomes empty.
STEP 3: The above issue can be resolved very easily by inserting any string at the start of the payload so that the attribute value isn’t empty. Try the following payload:
● Username: abcd' or '1'='1
● Password: abcd' or '1'='1
Just submit this payload and boom… you have successfully bypassed the authentication and are logged in as an authenticated user.
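To make the single-quote mechanism from STEP 2 and the "attribute value becomes empty" behaviour from STEP 3 concrete, here is an added example (not code from the original walkthrough, and not the lab application's own code). It builds the kind of PartiQL login statement the walkthrough exploits by string concatenation, lexes it the way a SQL-style parser would into string literals (data) and query syntax, and shows the parameterised form that keeps the statement text constant. The table name, attribute names and all helper names are assumptions; nothing here connects to AWS.

```python
# Added example (not code from the original walkthrough): shows what the
# payloads do to a PartiQL login statement built by string concatenation,
# and the parameterised form that keeps user input as data.
# Table name, attribute names and helper names are assumptions; nothing
# here connects to AWS.

TABLE = "users"  # assumed table name


def login_statement_unsafe(username: str, password: str) -> str:
    """Vulnerable pattern: input is pasted between single quotes, so a
    quote inside the input ends the literal the application intended."""
    return (
        f"SELECT * FROM {TABLE} "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_request_safe(username: str, password: str) -> dict:
    """Fixed pattern: keyword arguments for the boto3 dynamodb client's
    execute_statement call. The statement text is constant; the values
    travel separately as DynamoDB attribute values ({"S": ...})."""
    return {
        "Statement": f"SELECT * FROM {TABLE} WHERE username = ? AND password = ?",
        "Parameters": [{"S": username}, {"S": password}],
    }


def split_statement(statement: str):
    """Lex the statement like a SQL-style parser: return the list of
    single-quoted string literals (data) and the remaining text with every
    literal blanked to '' (the part parsed as query syntax). A doubled
    quote inside a literal is treated as an escaped quote."""
    literals, syntax = [], []
    i, n = 0, len(statement)
    while i < n:
        ch = statement[i]
        if ch != "'":
            syntax.append(ch)
            i += 1
            continue
        i += 1  # skip the opening quote
        buf = []
        while i < n:
            if statement[i] == "'":
                if i + 1 < n and statement[i + 1] == "'":
                    buf.append("'")  # escaped quote inside the literal
                    i += 2
                    continue
                i += 1  # closing quote
                break
            buf.append(statement[i])
            i += 1
        literals.append("".join(buf))
        syntax.append("''")
    return literals, "".join(syntax)


def injection_changes_syntax(username: str, password: str) -> bool:
    """True when the input alters the query syntax instead of only the
    data; this is the condition the walkthrough exploits."""
    _, baseline = split_statement(login_statement_unsafe("u", "p"))
    _, actual = split_statement(login_statement_unsafe(username, password))
    return actual != baseline


if __name__ == "__main__":
    # Constructed inputs: a benign login and the two payloads from the walkthrough.
    for user, pw in [("alice", "s3cret"),
                     ("' or '1'='1", "' or '1'='1"),
                     ("abcd' or '1'='1", "abcd' or '1'='1")]:
        stmt = login_statement_unsafe(user, pw)
        lits, syntax = split_statement(stmt)
        print(stmt)
        print("  literals:      ", lits)
        print("  syntax:        ", syntax)
        print("  syntax altered:", injection_changes_syntax(user, pw))
        print("  safe request:  ", login_request_safe(user, pw))
```

With the STEP 2 payload the first literal the lexer sees is the empty string, which is exactly the empty attribute value the walkthrough's error complains about; prefixing `abcd` as in STEP 3 makes that literal `abcd` while the extra `or ''=''` still reaches the parser as syntax. The parameterised request would be sent as `boto3.client("dynamodb").execute_statement(**login_request_safe(user, pw))`; the `?` placeholders accept values only, never table or attribute names, and the statement text is identical for every input, so no quote in the input can change what the database parses.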
You must be thinking about how easy it is to bypass authentication and get access to sensitive user data, and to be honest, it is that easy. Hence everything we build must have security as its first priority, so that these attacks are prevented and users’ privacy remains intact.
I hope you enjoyed reading this article and learning about one of the most common web security vulnerabilities: SQL injection.