03 Aug 2017
I was listening to one of my favourite podcasts that morning, MS DEV Show. They interviewed Troy Hunt about internet security. Everything from password security to data breaches and even how IOT is now in adult toys. One thing that did pique my interest was the site which Troy has built to allow you to hack it. It's called http://hack-yourself-first.com It's got about 50 vulnerabilities and bad practices on it. He challenged us to try to spot the vulnerabilities and see if we could hack it ourselves.
I've not done much hacking myself, but I recognise that as a web developer I should know about the hacking vulnerabilities my sites could face. Therefore I need to be able to defend against them. Troy has a pluralsight course which guides you through all of the vulnerabilities in if you want to find out all of them.
I showed it to my colleagues and we had a team meeting to see what we could spot. We saw basic errors like storing passwords and emails as cookies, and changing url values to see other user details etc. I won't mention too many of them because I think it is valuable to go through it yourself. We were looking at it for a while and most of the vulnerabilities were pretty basic and we didn't think it reflected real life, but we have to remember that these are examples of the errors people really do make. We were at least pleased that our sites didn't have any of these vulnerabilities.
I was testing out the registration form so I put my name and work email address in and there wasn't a way to edit it in the user profile screen. I was able to hack the site to give myself admin permissions. I could see a full list of all users and their passwords, including mine. Which meant that other hackers could see my work email address too. I was worried it might make me a target to hackers. So it was in our interest to learn SQL Injection in order to remove the email address I had entered.
The only way we could think of removing my email address was by using SQL Injection. SQL Injection has been the top vulnerability in websites for a long time. Surely Troy must have left this site open to SQL Injection, otherwise what is the point to this site if it can't demonstrate the biggest problem. We weren't getting very far. We started by changing a URL to make it return all the results instead of just by the value in the query string. We tried several different variations and finally managed to get it to work, which meant we were in.
This url uses SQL Injection to get all results
To be able to update my email address, we first needed to know what the table was called. With a bit of SQL knowledge and googling we managed to get it to list out all of the table names in the database. This felt amazing. We were becoming l33t hackers. Next we needed to work out which table my email address was stored in. We tried a few of the membership tables but didn't get any luck with the username or email colmumn. Then we realised it must be stored in the user profile table. We wrote a query to tell us what the column names were in the user profile table and sure enough it had an email column. Bingo. We wrote a query to update my email address to something different. It was such a good feeleing when we queried the table to see the email addresses and mine was no longer there, but my new one was.
Did we leave it at that? Of course not. When do you ever get the chance to break someone else's real website without them getting mad at you? After all that was his challenge. We tried to truncate and drop some tables and it didn't let us. So we changed to just deleting records. We managed to delete all records from the main table in the site. It worked. After that the data had gone. The site didn't work properly anymore and we felt so proud of ourselves.
This was a great team exercise to do as a group of developers. We all chipped in with ideas and we all learned a lot. You should definitely take a look at the site to see what vulnerabilities you can spot. I've purposely not given you the details on how we did what we did because it was a learning exercise and I think you won't learn if I just give you the answers. If you are struggling to spot the vulnerabilities or you want to find out how to do SQL Injection, you might want to do the pluralsight course, you can get a free 10 day trial.