3. OVERVIEW
Introduction
SQL Injection
SQL Injection mitigation
Test SQL Injection Vulnerabilities (SQLIVs) in
Web Applications Based on Structure
Matching (SMART)
Conclusion
4. Web Applications
In computing, a web application is
any application that uses a web browser as a
client
With the rapid development of Internet, web
applications involving database component
become more and more popular.
Structured Query Language (SQL)is the major
language to interact with database systems ,
such as MS SQL Server, Oracle, Access, MySQL,
etc.
5. SQL injection
SQL injection is a code injection technique, used
to attack data driven applications, in which
malicious SQL statements are inserted into an
entry field for execution
SQL injection must exploit a security
vulnerability in an application's software
6. SQL injection
Ex: Suppose that a specific web application uses
the following code for user authentication:
String query = "SELECT accounts FROM users
WHERE login = ' " + login + "' AND pass= ' " +
pass + " ''';
7. Normal behavior
If the login and pass fields are filled with “Ali” and
”33214” the resulted query will be
SELECT accounts FROM users WHERE login = „Ali'
AND pass= „33214„
This query will return true only if the login name “Ali”
and the password “33214” exists in the DB
8. Injected SQL statement
If the login and pass fields are filled with “admin” and ” '
or '1'='1 ” the resulted query will be
SELECT accounts FROM users WHERE login='admin„
AND pass = „‟ or „1‟=„1‟
In this situation, the WHERE clause always has a true
value, and contributes to a query result of all the
accounts in table users
If the web application takes the first record to be the
authenticated user, the user authentication mechanism
would be broken by SQL injection
9. Injected SQL statement cont.
Imagine If we filled the pass field with the following
SQL statement
a„ ; DROP TABLE users; SELECT * FROM userinfo
WHERE 't' = 't
SELECT accounts FROM users WHERE
login='admin„ AND pass = „a‟ ; DROP TABLE users;
SELECT * FROM userinfo WHERE 't' = 't‟
10. SQL injection in URL
Ex: Suppose that a specific website have the following URL
for showing books review depending on book ID
Original URL:
http://books.example.com/showReview.php?ID=
5
Injected URL:
http://books.example.com/showReview.php?ID=5 AN
D 1=1
Resulted SQL query :
SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;
11. Mitigation
1- Prepared statement
2- Escaping
Franks's Oracle site => Franks„‟s Oracle site
A ''double quoted'' word => A “”double quoted””
word
12. Test SQL Injection Vulnerabilities
(SQLIVs) in Web Applications Based
on Structure Matching (SMART)
Related Applications:
Paros : is an open-source security scanner for testing web
application vulnerabilities. It is a traditional penetration test which
automatically scans web applications with injected HTTP request. By
analyzing the response page,
JDBC checker : checks the type correctness of generated SQL
queries, in order to find SQLIVs caused by improper type checking.
Sania : proposes syntactic and semantic analysis of the parse tree of
intended SQL queries. After filling attack codes in leaf nodes, Sania
checks the differences between initially parse tree and modified
parse tree, and reports SQLIVs
13. Test SQLIVs in Web Applications
Based on Structure Matching
(SMART)
A. Structure definition ( According to the ANSI SQL
standard)
B. Structure extraction
C. Structure matching
D. Validation
14. Test SQLIVs in Web Applications Based on
Structure Matching (SMART)
A. Structure definition ( According to the ANSI SQL
standard)
1. Blank, includes space characters, tabs, carriage returns, line feeds,
2.
3.
4.
5.
6.
7.
etc.
Single-line comment, often lead by comment symbol "-Multiple-line comment, often cited by a pair of comment symbol
"/*" and "*/".
Keyword, pre-defined by SQL standard, which makes the SQL query
meaningful, such as "SELECT", "INSERT","GRANT", “OR” etc.
Punctuation, often used to separate SQL queries, or used in some
mathematical operations, such as "=", "(", ";", etc.
Identifier, often used to specify database name, table name,
variable name, etc.
Data, includes all kinds of data used in SQL standard,such as
integers, real numbers, strings, dates, times, etc.
15. Test SQLIVs in Web Applications Based
on Structure Matching (SMART) cont.
B. Structure extraction
1.
2.
3.
To describe the structure of SQL queries, SMART defines the
SQL structure features of SQL query Q as a string array S:
S=‘a1,a2,a3.. am’ (m≥1) where ai (1≤i≤m) is the ith keyword
or punctuation in query Q, and m is the total number of
keywords and punctuations.
Regular expressions analysis is used on the SQL query to
extract its structure features
For example, the structure features of query "SELECT
accounts FROM users WHERE login= 'admin' AND pass=
'admin ' " is: 'SELECT FROM WHERE = AND ='
16. Test SQLIVs in Web Applications Based
on Structure Matching (SMART) cont.
C. Structure matching
1.
2.
For a given structure features array S, we define three kinds
of operation to modify it: "add" an element into it, "delete"
an element from it, and "change" one of its elements into
another
Given SQL structure features SI=A[1..m], S2=B[1..n], we
define d(i, j)=δ (A[1..i], B[1..j]) as the least number of
modification operations required to transfer A[1..i] into
B[1..j].
17. Test SQLIVs in Web Applications Based
on Structure Matching (SMART) cont.
D. Validation
Web applications are usually composed by many web pages where each
web page has zero or more input parameters. For example, the following
HTTP request shows that the "Login.jsp" page has two input parameters
"login" and "pass", and their default values are "admin" and "admin":
HTTP://www.bookstore.com/Login.jsp?login=admin&pass=admin
1.
2.
we test the two input parameters in turn. If "login" parameter is the
current parameter being tested, we first send the above original
request over HTTP, and get all the SQL queries generated by it,
denoted as Q=Q1,Q2..Qm.
Then we get all the SQL queries generated by the injected request,
denoted as Q'=Q‘1Q‘2 .. Q’n.
18. Test SQLIVs in Web Applications Based
on Structure Matching (SMART) cont.
If m does not equal n, we cannot determine whether
SQL injection succeeds, because the SQL queries are
probably generated by different code branches
if m equals n, then we examine each pair of Qi, and
Q„i and extract their structure features, denoted as S1
and S2
1.
2.
3.
4.
If the extraction of S1 and S2 are both failed, we
cannot determine whether SQLIV exists.
If the extraction of S1 is failed and S2 is successful,
we believe that the injection has broken some
authentication mechanism, and alert it as a SQLIV
If the extraction of S1 is successful and S2 is failed,
we believe that the injection has broken the structure
of the generated SQL query, and also alert it as a
SQLIV
If the extraction of S1and S2 are both successful, we
19. Test SQLIVs in Web Applications Based
on Structure Matching (SMART) cont.
If matching_value(S1,S2) equal zero, we believe
that the structure of the SQL query doesn't change
so the SQL injection doesn't succeed
2. If matching_value(S1,S2) is larger than zero and not
larger than a given upper bound specified, we
believe that the SQL injection appears and changes
the structure of the SQL query, and alert it as a
SQLIV
3. if matching_value(S1,S2) is larger than the upper
bound, we believe that the change of the structure is
caused by executing different code branches
4. If we still cannot determine whether SQL injection
succeeds when finishing all the test cases, we
believe that the tested input parameter is probably
safe against SQL injection. Then we continue to test
next input parameter, until all the input parameters
are tested
1.
20. CONCLUSION
We presented SMART, a new method to
automatically test SQL injection vulnerabilities in
web applications. SMART tests each input
parameter of web applications, matches the SQL
queries generated by both original HTTP request
and injected HTTP request, and determines
whether it has SQL injection vulnerability.
22. OVERVIEW
INTRODUCTION
XSS VULNERABILITIES
A SOLUTION TO BLOCK CROSS SITE
SCRIPTING VULNERABILITIES
AVOIDING XSS VULNERABILITIES
CONCLUSION
23. CROSS-SITE SCRIPTING (XSS)
Cross-site scripting or XSS is a defined as a
computer security vulnerability found in web
applications.
XSS allows for code injection by malicious
web users into Internet pages viewed by other
users.
In an XSS attack, the attacker gains the ability
to see private user IDs, passwords, credit
card information and other personal
identification.
24. XSS VULNERABILITIES
There are Two types of XSS vulnerabilities:
Reflected (Non-Persistent)
Stored (Persistent)
25. Reflected (NON-PERSISTENT)
It occurs when data provided by a web client is used
immediately by server-side scripts to generate a page
of results for that user
An example could be when an attacker convinces a
user to follow a malicious URL that injects code into
the results page; thus giving the attacker full access
to that page's content.
27. Stored (PERSISTENT)
It occurs when the data provided by the
attacker is saved by the server (database, file
system, other location).
Then permanently displayed on "normal"
pages returned to other users in the course of
regular browsing,
29. A solution to block Cross Site
Scripting Vulnerabilities
30. A solution to block Cross Site
Scripting Vulnerabilities Cont.
31. Components interaction
The schema for each web page, where an
input control is present, is generated and
stored offline by the developer in a folder
structure or in a database.
When a request is received, the HTTP
request is passed on to the converter.
Converter converts the input to an XML object
and sends it to the validator.
32. Components interaction Cont.
Validator retrieves the corresponding schema
for the request and maps the XML object with
the schema document.
If the input maps with the schema then the
status is returned to the converter as „yes‟,
otherwise the status „no‟ is returned.
If the status „yes‟ then the request is
forwarded to the web application. Otherwise,
the request is forwarded to an error page.
34. ELIMINATING SCRIPTS
Some web applications are written to function
without the need for client-side scripts.
In this way users would not be susceptible to
XSS attacks.
35. COOKIE SECURITY
Because client-side scripts have access to
cookies, XSS exploits are able steal these
cookies and hinder business functions.
Web applications tie session cookies to the IP
address of the user who originally logged in;
only that IP address is permitted to use the
particular cookie.
36. INPUT VALIDATION
It helps decipher other injection attacks such
as SQL injection.
Effective for most types of input, yet when an
application by design must be able to accept
special HTML characters, HTML entity
encoding is the desired choice.
37. AVOIDING XSS
VULNERABILITIES
Do not follow links from sites that navigate to
security-sensitive pages referencing personal
or business information.
Always practice obtaining a list of attacks that
have occurred on particular sites or messages
boards.
38. AVOIDING XSS
VULNERABILITIES
User‟s can disable scripting when not required
in order to reduce an XSS-style attack.
Do not trust links given on other sites such as
e-mail or message boards.
Always access any site with sensitive
information through its address and not third
party sites
39. CONCLUISON
Always practice using testing tools during the
design phase to eliminate XSS holes in the
application.
Input validation and HTML escaping are
essential, yet that must be applied at all
application points accepting data.
41. Outlines
Abstract
Introduction
Motivation.
General Attack scenario.
Classification of DOS and DDOS attacks.
General attack classification
Definition for DOS and DDOS
Dos attack classification
From DOS to DDOS
How to protect.
Example of DOS using LOIC.
42. Abstract
Recently many prominent web sites face so
called Distributed Denial of Service Attacks
(DDoS). While former security threats could be
faced by a tight security policy and active
measures like using firewalls, vendor patches
etc. these DDoS are new in such way that
there is no completely satisfying protection yet,
in this part of presentation we will cover this
topic carefully.
We will classify types of attacks.
Explore different DDOS tools.
43. Introduction
Motivation
Security threats is as old as the internet it self, In
fact the first connection between computers in
the ARPAnet between SRI and UCLA resulted in
a crash of the receiving system due to some
bugs in the communication software a classical
Denial-of-Service attack.
44. General attack scenario
big web sites usually use more than one system running
their web server. The clients access these servers via a
load balancing server which redirects the HTTP requests
to one of the servers. Todays web servers don't work as
stand alone systems but need the support of a number
of backend systems (like database or le-servers) to fulll
their tasks. The whole LAN network where the site is
hosted is typically protected by a firewall system. On the
way the IP datagrams have to pass a num-ber of
routers. On each of these systems there is at least the
hardware, the operating system and (as part of the OS)
aTCP/IP protocol stack that can fall victim to attacks.
45.
46. Classification of DOS and DDOS
attacks.
a possible classification of IT attacks
according to the intention of the cracker could
be
Denial of Service attack
The main goal of the attack is the disruption of service,
this can be reached by a variety of ways.
Intrusion
Get access to a system and to circumvent certain
barriers .
Information Theft
Access to otherwise restricted, sensitive information.
Modification
Attacker try to alter information, the type of attack
increased lately
47. DOS definition according to
W3C
What is a Denial of Service attack?
Denial of Service (DoS) is an attack designed to
render a computer or network incapable of providing
normal services. The most common DoS attacks will
target the computer's network bandwidth or
connectivity. Bandwidth attacks flood the network
with such a high volume of traffic, that all available
network resources are consumed and legitimate
user requests can not get through. Connectivity
attacks flood a computer with such a high volume of
connection requests, that all available operating
system resources are consumed, and the computer
can no longer process legitimate user requests.
48. DDOS definition according to W3C
A Distributed Denial of Service (DDoS) attack uses
many computers to launch a coordinated DoS
attack against one or more targets. Using
client/server technology, the perpetrator is able to
multiply the effectiveness of the Denial of Service
significantly by harnessing the resources of
multiple unwitting accomplice computers which
serve as attack platforms. Typically a DDoS
master program is installed on one computer using
a stolen account. The master program, at a
designated time, then communicates to any
number of "agent" programs, installed on
computers anywhere on the internet. The agents,
when they receive the command, initiate the
attack. Using client/server technology, the master
program can initiate hundreds or even thousands
49. Definition of DOS and DOSS
Denial-Of-Service Attack = DOS Attack is a
malicious attempt by a single person or a
group of people to cause the victim, site or
node to deny service to it customers.
DoS = when a single host attacks
DDoS
= when
simultaneously
multiple
hosts
attack
50. DOS attack classification
DOS and DDOS usually used limited number
of well known attacks with names like Smurf,
teardrop, or SYN-Flood.
We will try to provide a classification in
categories according to specified criteria.
System attacked.
Part of the system attacked.
Bug or overload.
51. System attacked
According to general attack scenario we will
identify a number of attack points :
Attack clients themselves ( useless number of users
or large )
Attack the router that connects the site hosting the
webserver to its ISP ( Internet Service Provider ) this
will effectively cut off all access to the websites.
Attack the firewall system although firewalls should
be quite immune to direct attacks , firewalls is a
bottle nick all in and out bound connection go
through it, so if an attack with a high load will stop
them.
Attack the load balancer.
attack the servers it self ( will be hard )
52. Part of the system is attacked
Attacks forms can be further divided by the
part of the system that is attacked.
Attack depends on the hardware (rare),
theoretically CPU and network card could fail to
work due to some data in net work packages.
Attack based on the limitation of the hardware.
Attacks targeting the Operating systems or the
TCP/IP stacks of host.
For this type of attack some are bugs that can be fixed
some are fundamental limitation. What to do ?!!!
53. Bug or overload
In general one has to distinguish whether a DoS is
a cause of a specific bug or just an overload of
components that function according to their
specification. Although bugs are often more severe
in their effects, most of the time the vendors
quickly provide fixes. All the administrators have
to do is to apply them to their system in order to
avoid further attacks. Attacks that are based on an
overload are typically harder to cope with. Of
course you can buy new hardware, but as long as
an attacker finds enough resources to use as
relays in the Internet he will always bring your
system to a halt. Changing the specification or
protocols in order to fix the hole that allows the
DoS is nearly impossible as this would often mean
changing the software in millions of computers
54. Examples
Jolt2 is an attack targeting most of Microsoft windows
systems , jolt2 sends a continuous stream of ICMP
ECHO-REPLy
fragment
with
specially
tuned
fragmentation which almost cause consumption of
CPU and Memory 100% which render the system to
unusable.
SYN-Flooding attack is to generate many half open
TCP connections .
Smurf Attack
so called amplifier sites in order to
multiply the amount of traffic that hits the destination,
this attack ends ICMP_ECHO_REQUEST packets with
spoofed sender address to one or more subnet, subnet
broadcast addresses, the packets received and replied
by as many stations as are connected to the subnet.
55.
56.
57.
58. From DOS to DDOS
Major Internet websites like amazon or Yahoo
tend to have Internet connections with very
large bandwidth an server farms with lots of
components. Furthermore they are typically
protected by firewall systems that block the
known attacks that are based on malformed
packets .
Their fears about large-scale attacks were
proved soon later in February 2000 when
major Internet sites –ebay amazon…etc where under attack. There are currently a few
59. How the attack happens ?
The actual attack is carried out by so called
daemons – hidden programs – a number of
the daemon is controlled by handlers and
finally this handlers are activated by the
attacker using clients tools.
60.
61. How the intrusion to clients computers
happen ? (|)
Stolen account is setup as a repository for a daemons
program and attack tools .
Sniffers are used scan large ranges of network blocks to
identify potential targets . Targets will include (overflow ,
security bugs,…etc. ).
A list of vulnerable systems is then used to create a script
that perform exploit, set up command running under the root
account , that listen to TCP port and connects to this port to
confirm the success of the exploit .
From the list select one with the desired architecture ,Pre-
compiled binaries of the DDoS daemons and handlers
programs are created and stored on a stolen account
somewhere on the Interne.
62. How the intrusion to clients computers
happen ?( ||)
A script is then run which takes this list of "owned“
systems and produces yet another script to
automate the installation process, running each
installation in the background for maximum
multitasking. The result of this automation is the
ability for attackers to set up the denial of service
network in a very short time frame and on widely
dispersed systems whose true owners often don't
even realize the attack.
63. Protection from DDOS
General protection
Basic security measures are mandatory.
If a running system is hacked into, no more network
attacks are necessary, since local attacks ( processes
consuming , memory consuming or simply shutting down
)
A set of firewall should be used to separate the
interior net from the internet , the firewall rules
should include some sanity check for source and
destination addresses.
Intrusion detection systems should be used to
notify administrators of unusual activities.
64. Protection
IP verify unicast reverse-path( Smurf)
Use the IP verify unicast reverse-path interface command on the
input interface on the router at the upstream end of the connection.
This feature examines each packet received as input on that
interface. If the source IP address does not have a route in the CEF
tables that points back to the same interface on which the packet
arrived, the router drops the packet.
Configure rate limiting for SYN packets
Limit response time.
Apply ingress and egress filtering
Egress filtering helps ensure that unauthorized or malicious traffic
never leaves the internal network.
ingress filtering is a technique used to make sure that
incoming packets are actually from the networks that they claim to
be from.