1
00:00:00,930 --> 00:00:06,110
In this lecture we're going to go and have a look at the high security level and we'll see why it's

2
00:00:06,110 --> 00:00:07,910
uninjectable.

3
00:00:07,910 --> 00:00:13,800
So let's go ahead first and set the security level to high.

4
00:00:13,930 --> 00:00:20,200
Now I'm going to go back to my SQL injection and let's make sure that the page works first.

5
00:00:20,210 --> 00:00:25,210
I'm just going to put number one like we always did.

6
00:00:25,440 --> 00:00:27,180
And as you can see now the page works.

7
00:00:27,180 --> 00:00:32,670
Now let's try to inject it after the one, after the ID parameter, like we always did, and I'm going to

8
00:00:32,690 --> 00:00:36,450
put and 1=1, so I'm putting a true statement.

9
00:00:36,660 --> 00:00:39,530
And as you can see now the page doesn't really work.

10
00:00:39,690 --> 00:00:45,470
So let's try to put a single quote here to close it like we did with the low level.

11
00:00:45,480 --> 00:00:50,430
And again this injection doesn't work either, even though we're giving a true statement that shouldn't

12
00:00:50,430 --> 00:00:53,240
interfere with the current request.

13
00:00:53,280 --> 00:00:58,080
We usually don't look at the code when we're trying to hack, but as I said this is uninjectable.

14
00:00:58,170 --> 00:01:03,450
So let's have a look at the code and we're going to compare it with the code used for the medium security

15
00:01:03,450 --> 00:01:09,150
level and we'll see what the difference is between the two codes so that we can learn how to secure

16
00:01:09,150 --> 00:01:10,270
our websites.

17
00:01:10,320 --> 00:01:15,210
So I'm going to go and change the security level to medium here just so that we can compare the

18
00:01:15,210 --> 00:01:21,780
two codes, and I'm going to go back to the SQL injection and I'm going to view the source as well.

19
00:01:23,910 --> 00:01:28,540
And I'll put them beside each other.
20
00:01:28,730 --> 00:01:36,290
So in here in the medium security level you can see that the ID is being read in here and stored

21
00:01:36,320 --> 00:01:37,690
in the ID variable.

22
00:01:37,880 --> 00:01:42,110
And then there is a PHP function called mysql_real_escape_string.

23
00:01:42,110 --> 00:01:48,290
So what this function does is it'll go through every character in the ID variable and it'll look for special

24
00:01:48,290 --> 00:01:52,090
characters such as single quotes and double quotes and remove them.

25
00:01:52,260 --> 00:01:59,200
Therefore any quotation marks used or injected in the ID variable will actually be removed at this line

26
00:01:59,900 --> 00:02:03,430
because of the use of mysql_real_escape_string.

27
00:02:03,860 --> 00:02:10,700
Now the thing is, once we go down to the SQL statement you'll see that we actually don't need to use

28
00:02:10,970 --> 00:02:17,390
any quotes to inject code into the statement; our statement is select first name, last name from users

29
00:02:17,620 --> 00:02:20,240
where user ID is equal to ID.

30
00:02:20,570 --> 00:02:23,210
So we actually don't need to close any quotes.

31
00:02:23,210 --> 00:02:26,290
We don't need to inject quotes in the ID variable.

32
00:02:26,300 --> 00:02:32,150
All we have to do is just put any ID like we did in the last video, so we can put just number one and

33
00:02:32,150 --> 00:02:35,770
then inject code straight away after the number one.

34
00:02:35,780 --> 00:02:41,900
So when we use this code right here, we basically didn't use the quotes in the medium.

35
00:02:41,900 --> 00:02:44,710
So we are literally just giving the ID as number one.

36
00:02:44,840 --> 00:02:49,880
And then we're saying union select column name, whatever, from information_schema tables.

37
00:02:49,880 --> 00:02:56,990
So the code has just been injected straight away after the ID and then the database will read it and

38
00:02:57,020 --> 00:02:58,160
execute it.
39
00:02:58,340 --> 00:03:03,980
No need to use quotes again because the code doesn't use any single quotes, so the code just says user

40
00:03:03,980 --> 00:03:06,490
ID is equal to ID.

41
00:03:06,500 --> 00:03:11,720
Now comparing this with the code that we have for the high security level you'll see that it uses the

42
00:03:11,720 --> 00:03:17,320
same function to escape special characters but it's implemented in the right way.

43
00:03:17,570 --> 00:03:25,620
And that's by using single quotes in the SQL statement around the ID; therefore because the code

44
00:03:25,620 --> 00:03:32,070
is escaping the quotes that we put and because they're using quotes in there, any code that we try to

45
00:03:32,070 --> 00:03:37,130
inject in here will actually be considered as if it's part of the ID.

46
00:03:37,260 --> 00:03:43,440
So when we use this code right here, so if we just use the code as it is without a quote, then obviously

47
00:03:43,440 --> 00:03:48,850
it will just be inserted instead of the ID variable between the two single quotes.

48
00:03:48,990 --> 00:03:51,790
So it'll just be considered as the ID.

49
00:03:52,020 --> 00:03:58,290
Whereas if we inject that code in here it'll actually be executed as part of the SQL statement.

50
00:03:58,290 --> 00:04:04,320
So let's have a look at what the SQL statement will look like when we inject our code in both the

51
00:04:04,320 --> 00:04:06,840
medium and the high security level.

52
00:04:06,840 --> 00:04:15,170
So I'm just going to bring down the text here so we have the SQL statement for the medium here and

53
00:04:15,180 --> 00:04:22,890
the SQL statement for the high security level, and we'll just try to inject and 1=1 because

54
00:04:22,950 --> 00:04:28,230
as we've seen if you can inject that then you can inject anything you want to really and get it executed

55
00:04:28,260 --> 00:04:29,260
on the database.

56
00:04:30,800 --> 00:04:31,120
OK.
57
00:04:31,130 --> 00:04:37,070
So looking at the medium statement we're going to copy this code.

58
00:04:37,250 --> 00:04:42,850
Now this code will actually go and pass through mysql_real_escape_string.

59
00:04:43,010 --> 00:04:48,590
So any single quotes that it has will be removed, but it has none, and the code will look like

60
00:04:48,590 --> 00:04:49,290
one

61
00:04:49,640 --> 00:04:51,770
and 1=1.

62
00:04:51,830 --> 00:04:56,740
So this statement is valid and 1=1 will be injected.

63
00:04:56,780 --> 00:05:02,300
Now looking at the high security level, notice the use of the single quote, which will mean that the

64
00:05:02,370 --> 00:05:05,700
user ID is equal to one and 1=1.

65
00:05:05,900 --> 00:05:11,480
So and 1=1 will not be considered as part of the SQL statement, but it will be considered

66
00:05:11,540 --> 00:05:15,310
as part of the user ID.

67
00:05:15,310 --> 00:05:21,050
Now let's try to add the single quote and see what effect that would have on the SQL statements.

68
00:05:22,000 --> 00:05:26,740
I'm actually going to get rid of this statement because we managed to inject it, and we're only going

69
00:05:26,740 --> 00:05:30,800
to focus on the statement used in the high security level.

70
00:05:31,240 --> 00:05:36,410
So we're using a single quote here to close it and we're going to copy this.

71
00:05:36,460 --> 00:05:40,930
Now this will actually pass through mysql_real_escape_string.

72
00:05:41,200 --> 00:05:45,150
So the single quote that we're using here will actually be removed.

73
00:05:45,430 --> 00:05:52,170
And this line will become one and 1=1, so it's going to be equal or exactly the same

74
00:05:52,170 --> 00:05:54,890
as the line we used before.

75
00:05:54,900 --> 00:05:59,570
Now once this is substituted in here again,
76
00:05:59,700 --> 00:06:06,480
the one and 1=1 will be considered as part of the user ID and it won't be considered

77
00:06:06,540 --> 00:06:09,090
as part of the SQL statement.

78
00:06:09,090 --> 00:06:14,190
From this we can see that the use of mysql_real_escape_string is not enough.

79
00:06:14,240 --> 00:06:20,850
It has to be used with the single quotes right here, and combined with that function then this specific

80
00:06:20,850 --> 00:06:24,870
SQL statement becomes uninjectable.

81
00:06:24,880 --> 00:06:30,130
Now in future lectures we're actually going to discuss a better way to build web applications so that

82
00:06:30,130 --> 00:06:33,100
they can't be injected with SQL statements.

83
00:06:33,280 --> 00:06:38,710
But if you needed a quick solution then you can go for this until you have time and you can change the

84
00:06:38,710 --> 00:06:41,980
implementation of your website so that it can't be injected.
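As an added illustration, not code from the course or from DVWA, the following Python models the two query shapes the lecture compares. The first helper mimics mysql_real_escape_string (the real PHP function backslash-prefixes quotes rather than deleting them; the effect on the query is the same for this comparison). A small literal-aware scanner then shows where the injected `and 1=1` lands: outside any string literal in the medium shape, where the database parses it as a condition, or inside the quoted ID in the high shape, where it is just data. The last function shows the parameterised query that the lecture defers to later lectures, run against an in-memory SQLite table. Function names, the table and the sample rows are constructed for this example.

```python
import sqlite3

def mysql_real_escape_string(value: str) -> str:
    """Emulate PHP's mysql_real_escape_string(): backslash-prefix the characters
    MySQL treats specially inside a string literal (quotes are kept, not dropped)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def medium_query(user_input: str) -> str:
    # Medium-level shape described in the lecture: escaped, but NOT quoted.
    return ("SELECT first_name, last_name FROM users WHERE user_id = "
            + mysql_real_escape_string(user_input))

def high_query(user_input: str) -> str:
    # High-level shape: escaped AND wrapped in single quotes.
    return ("SELECT first_name, last_name FROM users WHERE user_id = '"
            + mysql_real_escape_string(user_input) + "'")

def sql_outside_literals(query: str) -> str:
    """Return the query with every MySQL single-quoted literal collapsed to '?'.
    Honours backslash escapes the way MySQL does, so text that escaping pushed
    inside a literal stays inside it. Whatever survives is what the parser sees."""
    out, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch != "'":
            out.append(ch)
            i += 1
            continue
        i += 1                      # opening quote: scan to the closing one
        while i < n:
            if query[i] == "\\":
                i += 2              # escaped character, never a terminator
            elif query[i] == "'":
                i += 1
                break
            else:
                i += 1
        out.append("?")
    return "".join(out)

def injected_condition_reaches_parser(query: str) -> bool:
    """True when an AND appears outside every string literal, i.e. the injected
    text became part of the WHERE clause instead of part of the ID value."""
    return " and " in sql_outside_literals(query).lower()

def lookup_parameterized(user_input: str):
    """The fix the lecture postpones: bind the value, never splice it into SQL.
    Uses an in-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Alice", "Example"), (2, "Bob", "Sample")])
    rows = conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_input,)).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    for build in (medium_query, high_query):
        for payload in ("1 AND 1=1", "1' AND 1=1"):
            q = build(payload)
            print(build.__name__, repr(payload), "->", injected_condition_reaches_parser(q))
    print(lookup_parameterized("1"), lookup_parameterized("1 AND 1=1"))
```

Running the block shows the lecture's conclusion in one place: the medium query lets `and 1=1` reach the parser, the high query keeps it (with or without the leading quote) inside the literal, and the bound parameter `1 AND 1=1` simply matches no user ID, with no escaping logic to get wrong.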