OWASP-based demo of AcraCensor (SQL firewall) demonstrating SQLi prevention in Acra-protected web application.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.acraconfigs/acra-server
images
mutillidae
README.md
docker-compose.acra-censor-demo.yml

README.md

This project illustrates how to use AcraCensor as SQL firewall to prevent SQL injections. Target application is a well-known vulnerable web application OWASP Mutillidae 2.

The demo project has a Docker compose file that runs the following web infrastructure:

Acra works as a proxy between web and database. AcraCensor inspects every SQL query that runs from the web application to the database, and back.

Protecting OWASP web application: Acra architecture with AcraCensor

This is a slide from a talk by Cossack Labs' security software engineer Artem Storozhuk on building SQL firewalls, which illustrates how SQL firewalls can prevent more SQLi than WAF.

Screencast

Watch the video

How to run the demo

  1. Use docker-compose command to set up and run the whole infrastructure:
export ACRA_DOCKER_IMAGE_TAG='master'
docker-compose -f docker-compose.acra-censor-demo.yml up

  1. Check that the containers are up and running:
docker ps -a

  1. Open Mutillidae web portal at localhost:8080:

  1. The database is still empty so we need to fill it first by clicking on setup/reset the DB.

In the Docker console you should see SQL queries in Acra logs. After resetting the database, the main page of Mutillidae application looks like this:

How to perform SQL injections

  1. Start with selecting a vulnerable web page. In the menu on the left, go to "OWASP 2017" -> "A1 - Injection (SQL)" -> "SQLi - Extract data" -> User Info (SQL).

  1. Now, let's run an SQL injection. Try to login any name and password ' or 1='1.

This will construct an SQL query SELECT * FROM accounts WHERE username='' AND password='' or 1='1' — containing a typical SQL injection — to the database.

How AcraCensor prevents SQL injections

  1. Now, let's fine-tune AcraCensor for preventing this injection.

There are configuration files in ./.acraconfigs/acra-server/ folder:

  • acra-censor.norules.yaml (minimal configuration that simply creates valueless AcraCensor);
  • acra-censor.ruleset01.yaml (example: ruleset based on typical allowlist - allow some / deny any other);
  • acra-censor.ruleset02.yaml (example: ruleset based on typical denylist - deny some / allow any other);
  • acra-censor.yaml (active config, used by AcraCensor).

AcraCensor uses empty configuration file by default (no rules setup at all). We need to update the configuration file to change that.

Replace the active config with acra-censor.ruleset01.yaml (or acra-censor.ruleset02.yaml) and restart the acra-server container:

cp ./.acraconfigs/acra-server/acra-censor.ruleset01.yaml ./.acraconfigs/acra-server/acra-censor.yaml
docker restart <name or ID of acra-censor-demo_acra-server container>

In the docker log, you will see that AcraServer has restarted with an updated configuration file:

acra-server_1_979c50cd7b3e | time="2019-02-05T18:53:22Z" level=info msg="Server graceful shutdown completed, bye PID: 1"
acra-censor-demo-master_acra-server_1_979c50cd7b3e exited with code 0
  1. Test if the new AcraCensor configuration prevents injections.

On the same web page, try to login again using the password ' or 1='1.

You should see that the response from MySQL server is blocked. In Acra's console, you can see that the malicious query is forbidden:

  1. Try other SQL injections.

You can also test the process of blocking other injections (if applies to any of the provided rulesets):

  • into Name or Password textbox: qwerty' OR 6=6 -- ;
  • into Password textbox: ' union select ccid,ccnumber,ccv,expiration,null,null,null from credit_cards -- .
  1. Try other vulnerable web pages. Select one of the following:
  • OWASP 2017 -> A1 Injection (SQL) -> SQLi Bypass Authentication -> Login
  • OWASP 2017 -> A1 Injection (SQL) -> Blind SQL via Timing -> Login
  • OWASP 2017 -> A2 Broken authentication ... -> Authentication bypass -> via SQL injection -> Login

and try to use admin as a username and ' or 1='1 as a password.

What to do next

Let us know if you have any questions by dropping an email to dev@cossacklabs.com.

  1. Read more about how SQL firewall works and how it is different from WAF.
  2. See the slides about the developers' perspective on building SQL firewall.
  3. Visit cossacklabs/acra – the main Acra repository that contains tons of examples and documentation about Acra (full documentation for Acra is on the Documentation Server).
  4. Play around with other pre-built applications protected by Acra.

Resources