SlideShare une entreprise Scribd logo

Noinject

Justin Swanhart
Justin Swanhart

This talk describes SQL injection and how to avoid it.

Technologie
1  sur  54
Télécharger pour lire hors ligne
Detecting (and even preventing) SQL Injection Using the Percona Toolkit and Noinject! Justin Swanhart Percona Live, April 2013
INTRODUCTION 2
Introduction • Who am I? • What do I do? • Why am I here? 3
The tools • MySQL (5.0+) • Percona Toolkit – pt-query-digest – pt-fingerprint • MySQL Proxy (0.8.0+) • Apache and PHP 5.3+ 4
WHAT IS SQL INJECTION? 5
What is SQL injection? • SQL injection is an attack vector – An attacker modifies the SQL queries which will be executed by the server – But the attacker does not need to change the code on the server or get access to the server 6
What is SQL injection – interpolation (strings) $username = $_GET[‘username’]; $sql = “select 1 from users.users where admin_flag=true and username = ‘“ . $username . “’”; $ wget http://host/path.php?username=bob $ wget http://host/path.php?user_id=“' or '1'='1”  and username = ‘’ or ‘1’ = ‘1’ 7 SQL injection!
Escape strings, or use prepared statements! #escape string values $username = mysqli_real_escape_string($_GET[‘username’]); $sql = “select … and username = ‘“ . $username . “’”; #prepared statement $username = GET[‘username’]; $stmt = mysqli_stmt_init($conn); $sql = “select … and username = ?” mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, “s”, $username); mysqli_stmt_execute($stmt); mysqli_stmt_close($stmt); 8
What is SQL injection – interpolation (ints) $user_id = $_GET[‘user_id’]; $sql = “select 1 from users.users where admin_flag=true and user_id = “ . $user_id; … $ wget http://host/path.php?user_id=1 $ wget http://host/path.php?user_id=“1 or 1=1” 9 SQL injection!
Use type checking, or prepared statements! #check that integers really are integers! $user_id = GET[‘user_id’]; if(!is_numeric(user_id)) $user_id = “NULL”; $sql = “select … and user_id = “ . $user_id; #prepared statement $user_id = GET[‘user_id’]; $sql = “select … and user_id = ?” … mysqli_stmt_bind_param($stmt, “i”, $user_id); mysqli_stmt_execute($stmt); 10
When escaping can’t help • Some parts of a SQL statement can’t be manipulated using parameters • These include – ORDER BY columns – Variable number of items in an IN list – Adding SQL syntax like DISTINCT 11
Don’t use user input in the query #avoid using user input directly in ANY way $sql = “select * from listings where deleted = 0 and sold = 0 and open = 1”; if(!empty($_GET[‘ob’])) { $sql .= “ ORDER BY “ . $_GET[‘ob’]; } wget … ?ob=post_date wget … ?ob=“post_date union all (select * from listings)” 12 Now we can see all listings Bad!
Use whitelisting instead #avoid using user input directly in ANY way $sql = “select * from listings where deleted = 0 and sold = 0 and open = 1”; $allowed = array(‘post_date’,’neighborhood’,’etc’); if(!empty($_GET[‘ob’]) && is_string($_GET[‘ob’])) { if(in_array($_GET[‘ob’], $allowed)) { $sql .= “ ORDER BY “ . $_GET[‘ob’]; } } wget … ?ob=post_date wget … ?ob=“post_date union all (select * from listings)” 13 in_array() is the keeper of the gate
All that works great for the apps you control • BUT… – If you don’t have the source for an app, then you really can’t be sure it isn’t safe from SQL injection – Or maybe you have to support old apps – Or apps that were not developed rigorously – What do we do in these cases? 14
SQL INJECTION DETECTION USING PT-QUERY-DIGEST Out-of-band SQL injection detection 15
How to detect SQL injection? • Most applications only do a small number of things. – Add orders, mark orders as shipped, update addresses, etc. – The SQL “patterns” that identify these behaviors can be collected and whitelisted. – Queries that don’t match a known fingerprint may be investigated as SQL injection attempts 16
What is a query fingerprint? • A query fingerprinting algorithm transforms a query into a form that allows like queries to be grouped together and identified as a unit – In other words, these like queries share a fingerprint – Even though the queries differ slightly they still fingerprint to the same value – This is a heuristic based approach 17
Tools that support query fingerprints • Percona Toolkit tools – pt-query-digest – pt-fingerprint 18 Reads slow query logs and populates the whitelist table. Can also be used to display new queries that have not been marked as allowed. Takes a query (or queries) and produces fingerprints. Useful for third party tools that want to use fingerprints.
What is a query fingerprint (cont?) select * from some_table where col = 3 becomes select * from some_table where col = ? select * from some_table where col = IN (1,2) becomes select * from some_table where col IN (?) 19
Query fingerprints expressed as hashes pt-query-digest can provide short hashes of checksums select * from some_table where col = ? 982e5737f9747a5d (1631105377) select * from some_table where col = IN (?) 2da8ed487cdfc1c8 (1680229806268) 20 base 10
pt-query-digest • Normally used for profiling slow queries • Has a “SQL review” feature for DBAs – Designed to mark query fingerprints as having been reviewed – This feature can be co-opted to discover new query fingerprints automatically – New fingerprints are either new application code or SQL injection attempts 21
pt-query-digest – review feature • Need to store the fingerprints in a table – Known good fingerprints will be marked as reviewed – If pt-query-digest discovers new fingerprints you will be alerted because there will be unreviewed queries in the table 22
pt-query-digest - review table initialization Need to initialize the table pt-query-digest /path/to/slow.log --create-review-table --review “h=127.0.0.1,P=3306,u=percona,p=2un1c0rns,D=percona,t=whitelist” --sample 1 --no-report 23 Where to store fingerprints Don’t waste time on stats Don’t print report
pt-query-digest – command-line review pt-query-digest /path/to/slow.log --review “DSN…” --sample 1 --report --limit 0 24 Ensure that all unreviewed queries are shown Display the report of queries Don’t collect stats, just sample one of each new fingerprint How it knows which queries have already been reviewed
USING THE WHITELIST WITH SQL 25
Detecting new query fingerprints SELECT count(*) FROM percona.whitelist WHERE reviewed_by IS NULL; SELECT checksum, sample FROM percona.whitelist WHERE reviewed_by IS NULL; 26 Any new queries? percona.whitelist is just an example name, you can use any you like Get a list of the queries
Add a query fingerprint to the whitelist UPDATE percona.whitelist SET reviewed_by = ‘allow’, reviewed_on = now() WHERE checksum= 1680229806268; 27
Blacklist a query fingerprint You might also explicitly blacklist a fingerprint UPDATE percona.whitelist SET reviewed_by = ‘deny’, reviewed_on = now() WHERE checksum = 1631105377; 28
Web interface for whitelist management • The Noinject! project (discussed later) has a web interface that can be used to mark queries as reviewed • It can be with both the noinject.lua proxy script or with pt-query-digest 29
LIMITATIONS AND CAVEATS Out of band detection 30
Out-of-band detection • Some damage or information leakage may have already happened • To limit the extent of the damage send an alert as soon as a new pattern is detected – Ensure thorough application pattern detection in a test environment to avoid false positives 31
Get logs as fast as possible • Use tcpdump on a mirrored server port – Pipe the output to pt-query-digest • Use tcpdump on the database server – Adds some additional overhead from running the tools on the same machine – Possibly higher packet loss • Collect and process slow query logs frequently – Adds slow query log overhead to server – Longer delay before processing 32
FINDING THE VULNERABILITY What to do BEFORE a fishy fingerprint appears 33
Prepare for finding a vulnerability • Tracking down the vulnerable code fragment can be difficult if you have only the SQL statement • Not just a problem with SQL injection since it is usually convenient to see where a SQL statement was generated from 34
Add tracing comments to queries • A good approach is to modify the data access layer (DAL) to add SQL comments – Comments are preserved in the slow query log – Comments are displayed in SHOW commands • SHOW ENGINE INNODB STATUS • SHOW PROCESSLIST – Make sure your client does not strip comments! 35
Add tracing information • PHP can use debug_backtrace() for example • PERL has variables that point to the file and line • Investigate the debugging section of your langauge’s manual 36
What to place in the comment • Here are some important things to consider placing into the tracing comment – session_id (or important cookie info) – application file name, and line number – important GET, POST, PUT or DELETE contents – Any other important information which could be useful for tracking down the vector being used in an attack 37
Example comments in SQL queries select airport_name, count(*) from dim_airport join ontime_fact on dest_airport_id = airport_id where depdelay > 30 and flightdate_id = 20080101 /* webserver:192.168.1.3,file:show_delays.php,l ine:326,function:get_delayed_flights,user:ju stin,sessionid:7B7N2PCNIOKCGF */ 38 This comment contains all that you need
Most apps don’t do this out of the box • You can modify the application – If you have the source code (and it uses a DAL) • BUT… – There isn’t much you can do if • The application is closed source , or you can’t change the source • There is no DAL (code/query spaghetti) • For any other reason it is problematic to inject information into all SQL queries 39
If I can’t change the source? • You can’t fix the problems when you detect them. • Consider using an open source solution • Or consider in-band protection 40
SQL INJECTION PREVENTION In-band SQL injection detection 41
In-band protection • Using pt-query-digest to discover new query patterns is useful – But it doesn’t work in real time – It can’t block bad queries from actually executing 42
In-band protection • What is needed is a “man in the middle” that inspects each query to ensure it matches an allowed fingerprint. – MySQL proxy can be used for this purpose 43
MySQL Proxy • MySQL Proxy – Supports Lua scripting for easy development – Adds some latency to all queries – Considered “alpha” quality though for simple scripts it seems stable enough – Fingerprinting and checking database also adds latency. 3ms – 5ms per query is to be expected 44
Noinject! – The Lua script and PHP interface • http://code.google.com/p/noinject-mysql • The Lua script for MySQL proxy is pretty much drop-in. – Just modify it to point to your database server and specify credentials and other options. • PHP script is similarly easy to configure. – Drop in a directory on an Apache box – Modify the script to set the options. 45
The Lua proxy script – known queries • By default the script will retrieve all known good fingerprints and cache them locally when the first query is received from a client • Also by default, all queries that fail to pass the known whitelist check are logged in an exception table. 46 Both of these options can be changed easily
The Lua proxy script – known queries • Each query is fingerprinted – If the fingerprint is on the whitelist, the actual query is sent to the server – If the query is not on the whitelist the behavior varies depending on the proxy mode 47
Lua script – Proxy mode • permissive mode – Records the SQL fingerprint into the whitelist table but does not mark it as reviewed – Allows the query to proceed • restrictive mode – Records the SQL fingerprint into the whitelist table – Returns an empty set for the query 48
Why use permissive mode? • Permissive mode allows the collection of SQL fingerprints for an application dynamically – Just run the application with typical workload and the SQL queries will be recorded automatically – Eventually switch to restrictive mode 49
PHP Web interface • 1999 mode HTML interface  50 Query Sample Last action time with note White or black list the fingerprint
If you want something prettier • This is open source so… • If you want bug fixes or have feature requests – You can engage with Percona for development – You can contribute! – You can fork your own version  51
If the proxy overhead is too high • You could develop the functionality in MySQL – too bad the parser is not pluggable  • Try mysqlnd plugins – fingerprint queries in PHP – match them to a whitelist maintained in a serialized PHP array – reject queries that aren’t approved • Improve the proxy lua script – fingerprint process could probably be made faster 52
Percona Training Advantage • This presentation and the Noinject! tool were created by Justin Swanhart, one of Percona’s expert trainers – Check out http://training.percona.com for a list of training events near you – Request training directly by Justin or any of our other expert trainers by contacting your Percona sales rep today 53
54 Q/A

Recommandé

Flexviews materialized views for my sql
Flexviews materialized views for my sqlFlexviews materialized views for my sql
Flexviews materialized views for my sqlJustin Swanhart
 
Maximizing SQL Reviews and Tuning with pt-query-digest
Maximizing SQL Reviews and Tuning with pt-query-digestMaximizing SQL Reviews and Tuning with pt-query-digest
Maximizing SQL Reviews and Tuning with pt-query-digestPythian
 
Summary tables with flexviews
Summary tables with flexviewsSummary tables with flexviews
Summary tables with flexviewsJustin Swanhart
 
Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Sveta Smirnova
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite PluginsSveta Smirnova
 
MySQL Query tuning 101
MySQL Query tuning 101MySQL Query tuning 101
MySQL Query tuning 101Sveta Smirnova
 
New features in Performance Schema 5.7 in action
New features in Performance Schema 5.7 in actionNew features in Performance Schema 5.7 in action
New features in Performance Schema 5.7 in actionSveta Smirnova
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 

Recommandé

Flexviews materialized views for my sql
Flexviews materialized views for my sqlFlexviews materialized views for my sql
Flexviews materialized views for my sqlJustin Swanhart
 
Maximizing SQL Reviews and Tuning with pt-query-digest
Maximizing SQL Reviews and Tuning with pt-query-digestMaximizing SQL Reviews and Tuning with pt-query-digest
Maximizing SQL Reviews and Tuning with pt-query-digestPythian
 
Summary tables with flexviews
Summary tables with flexviewsSummary tables with flexviews
Summary tables with flexviewsJustin Swanhart
 
Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Sveta Smirnova
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite PluginsSveta Smirnova
 
MySQL Query tuning 101
MySQL Query tuning 101MySQL Query tuning 101
MySQL Query tuning 101Sveta Smirnova
 
New features in Performance Schema 5.7 in action
New features in Performance Schema 5.7 in actionNew features in Performance Schema 5.7 in action
New features in Performance Schema 5.7 in actionSveta Smirnova
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Sveta Smirnova
 
PL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldMichael Rosenblum
 
SQL Tuning, takes 3 to tango
SQL Tuning, takes 3 to tangoSQL Tuning, takes 3 to tango
SQL Tuning, takes 3 to tangoMauro Pagano
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
A New View of Database Views
A New View of Database ViewsA New View of Database Views
A New View of Database ViewsMichael Rosenblum
 
Moving to the NoSQL side: MySQL JSON functions
Moving to the NoSQL side: MySQL JSON functions Moving to the NoSQL side: MySQL JSON functions
Moving to the NoSQL side: MySQL JSON functionsSveta Smirnova
 
Troubleshooting MySQL Performance
Troubleshooting MySQL PerformanceTroubleshooting MySQL Performance
Troubleshooting MySQL PerformanceSveta Smirnova
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsSveta Smirnova
 
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Michael Rosenblum
 
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321maclean liu
 
Data Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseData Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseMichael Rosenblum
 
Developer's Approach to Code Management
Developer's Approach to Code ManagementDeveloper's Approach to Code Management
Developer's Approach to Code ManagementMichael Rosenblum
 
Mini Session - Using GDB for Profiling
Mini Session - Using GDB for ProfilingMini Session - Using GDB for Profiling
Mini Session - Using GDB for ProfilingEnkitec
 
Database administration commands
Database administration commands Database administration commands
Database administration commands Varsha Ajith
 
Troubleshooting MySQL Performance add-ons
Troubleshooting MySQL Performance add-onsTroubleshooting MySQL Performance add-ons
Troubleshooting MySQL Performance add-onsSveta Smirnova
 
你所不知道的Oracle后台进程Smon功能
你所不知道的Oracle后台进程Smon功能你所不知道的Oracle后台进程Smon功能
你所不知道的Oracle后台进程Smon功能maclean liu
 
Oracle ORA Errors
Oracle ORA ErrorsOracle ORA Errors
Oracle ORA ErrorsManish Mudhliyar
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDBEnkitec
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
Full Table Scan: friend or foe
Full Table Scan: friend or foeFull Table Scan: friend or foe
Full Table Scan: friend or foeMauro Pagano
 
Query Optimization with MySQL 5.6: Old and New Tricks
Query Optimization with MySQL 5.6: Old and New TricksQuery Optimization with MySQL 5.6: Old and New Tricks
Query Optimization with MySQL 5.6: Old and New TricksMYXPLAIN
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak PROIDEA
 

Contenu connexe

Tendances

Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Sveta Smirnova
 
PL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldMichael Rosenblum
 
SQL Tuning, takes 3 to tango
SQL Tuning, takes 3 to tangoSQL Tuning, takes 3 to tango
SQL Tuning, takes 3 to tangoMauro Pagano
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
A New View of Database Views
A New View of Database ViewsA New View of Database Views
A New View of Database ViewsMichael Rosenblum
 
Moving to the NoSQL side: MySQL JSON functions
Moving to the NoSQL side: MySQL JSON functions Moving to the NoSQL side: MySQL JSON functions
Moving to the NoSQL side: MySQL JSON functionsSveta Smirnova
 
Troubleshooting MySQL Performance
Troubleshooting MySQL PerformanceTroubleshooting MySQL Performance
Troubleshooting MySQL PerformanceSveta Smirnova
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsSveta Smirnova
 
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Michael Rosenblum
 
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321maclean liu
 
Data Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseData Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseMichael Rosenblum
 
Developer's Approach to Code Management
Developer's Approach to Code ManagementDeveloper's Approach to Code Management
Developer's Approach to Code ManagementMichael Rosenblum
 
Mini Session - Using GDB for Profiling
Mini Session - Using GDB for ProfilingMini Session - Using GDB for Profiling
Mini Session - Using GDB for ProfilingEnkitec
 
Database administration commands
Database administration commands Database administration commands
Database administration commands Varsha Ajith
 
Troubleshooting MySQL Performance add-ons
Troubleshooting MySQL Performance add-onsTroubleshooting MySQL Performance add-ons
Troubleshooting MySQL Performance add-onsSveta Smirnova
 
你所不知道的Oracle后台进程Smon功能
你所不知道的Oracle后台进程Smon功能你所不知道的Oracle后台进程Smon功能
你所不知道的Oracle后台进程Smon功能maclean liu
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDBEnkitec
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
Full Table Scan: friend or foe
Full Table Scan: friend or foeFull Table Scan: friend or foe
Full Table Scan: friend or foeMauro Pagano
 

Tendances (20)

Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...
 
PL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read World
 
SQL Tuning, takes 3 to tango
SQL Tuning, takes 3 to tangoSQL Tuning, takes 3 to tango
SQL Tuning, takes 3 to tango
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting
 
A New View of Database Views
A New View of Database ViewsA New View of Database Views
A New View of Database Views
 
Moving to the NoSQL side: MySQL JSON functions
Moving to the NoSQL side: MySQL JSON functions Moving to the NoSQL side: MySQL JSON functions
Moving to the NoSQL side: MySQL JSON functions
 
Troubleshooting MySQL Performance
Troubleshooting MySQL PerformanceTroubleshooting MySQL Performance
Troubleshooting MySQL Performance
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database Administrators
 
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
 
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
 
Data Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseData Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your Database
 
Developer's Approach to Code Management
Developer's Approach to Code ManagementDeveloper's Approach to Code Management
Developer's Approach to Code Management
 
Mini Session - Using GDB for Profiling
Mini Session - Using GDB for ProfilingMini Session - Using GDB for Profiling
Mini Session - Using GDB for Profiling
 
Database administration commands
Database administration commands Database administration commands
Database administration commands
 
Troubleshooting MySQL Performance add-ons
Troubleshooting MySQL Performance add-onsTroubleshooting MySQL Performance add-ons
Troubleshooting MySQL Performance add-ons
 
你所不知道的Oracle后台进程Smon功能
你所不知道的Oracle后台进程Smon功能你所不知道的Oracle后台进程Smon功能
你所不知道的Oracle后台进程Smon功能
 
Oracle ORA Errors
Oracle ORA ErrorsOracle ORA Errors
Oracle ORA Errors
 
Profiling Oracle with GDB
Profiling Oracle with GDBProfiling Oracle with GDB
Profiling Oracle with GDB
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting
 
Full Table Scan: friend or foe
Full Table Scan: friend or foeFull Table Scan: friend or foe
Full Table Scan: friend or foe
 

Similaire à Noinject

Query Optimization with MySQL 5.6: Old and New Tricks
Query Optimization with MySQL 5.6: Old and New TricksQuery Optimization with MySQL 5.6: Old and New Tricks
Query Optimization with MySQL 5.6: Old and New TricksMYXPLAIN
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak PROIDEA
 
Tony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq lsTony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq lsInSync Conference
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampFelipe Prado
 
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)Dave Stokes
 
Top 10 tips for Oracle performance
Top 10 tips for Oracle performanceTop 10 tips for Oracle performance
Top 10 tips for Oracle performanceGuy Harrison
 
Writing efficient sql
Writing efficient sqlWriting efficient sql
Writing efficient sqlj9soto
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 
Beginner guide to mysql command line
Beginner guide to mysql command lineBeginner guide to mysql command line
Beginner guide to mysql command linePriti Solanki
 
HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)akirahiguchi
 
Sql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ISql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ICarlos Oliveira
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2Alex Zaballa
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2Alex Zaballa
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersJonathan Levin
 
Where the wild things are - Benchmarking and Micro-Optimisations
Where the wild things are - Benchmarking and Micro-OptimisationsWhere the wild things are - Benchmarking and Micro-Optimisations
Where the wild things are - Benchmarking and Micro-OptimisationsMatt Warren
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)ÇözümPARK
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 
Performance tuning
Performance tuningPerformance tuning
Performance tuningami111
 

Similaire à Noinject (20)

Query Optimization with MySQL 5.6: Old and New Tricks
Query Optimization with MySQL 5.6: Old and New TricksQuery Optimization with MySQL 5.6: Old and New Tricks
Query Optimization with MySQL 5.6: Old and New Tricks
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
 
Tony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq lsTony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq ls
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)
 
Top 10 tips for Oracle performance
Top 10 tips for Oracle performanceTop 10 tips for Oracle performance
Top 10 tips for Oracle performance
 
Writing efficient sql
Writing efficient sqlWriting efficient sql
Writing efficient sql
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 
PHP tips by a MYSQL DBA
PHP tips by a MYSQL DBAPHP tips by a MYSQL DBA
PHP tips by a MYSQL DBA
 
Beginner guide to mysql command line
Beginner guide to mysql command lineBeginner guide to mysql command line
Beginner guide to mysql command line
 
HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)
 
Sql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ISql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices I
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
 
Where the wild things are - Benchmarking and Micro-Optimisations
Where the wild things are - Benchmarking and Micro-OptimisationsWhere the wild things are - Benchmarking and Micro-Optimisations
Where the wild things are - Benchmarking and Micro-Optimisations
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
 
Performance tuning
Performance tuningPerformance tuning
Performance tuning
 

Dernier

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Dernier (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Noinject

  • 1. Detecting (and even preventing) SQL Injection Using the Percona Toolkit and Noinject! Justin Swanhart Percona Live, April 2013
  • 3. Introduction • Who am I? • What do I do? • Why am I here? 3
  • 4. The tools • MySQL (5.0+) • Percona Toolkit – pt-query-digest – pt-fingerprint • MySQL Proxy (0.8.0+) • Apache and PHP 5.3+ 4
  • 5. WHAT IS SQL INJECTION? 5
  • 6. What is SQL injection? • SQL injection is an attack vector – An attacker modifies the SQL queries which will be executed by the server – But the attacker does not need to change the code on the server or get access to the server 6
  • 7. What is SQL injection – interpolation (strings) $username = $_GET[‘username’]; $sql = “select 1 from users.users where admin_flag=true and username = ‘“ . $username . “’”; $ wget http://host/path.php?username=bob $ wget http://host/path.php?user_id=“' or '1'='1”  and username = ‘’ or ‘1’ = ‘1’ 7 SQL injection!
  • 8. Escape strings, or use prepared statements! #escape string values $username = mysqli_real_escape_string($_GET[‘username’]); $sql = “select … and username = ‘“ . $username . “’”; #prepared statement $username = GET[‘username’]; $stmt = mysqli_stmt_init($conn); $sql = “select … and username = ?” mysqli_stmt_prepare($stmt, $sql); mysqli_stmt_bind_param($stmt, “s”, $username); mysqli_stmt_execute($stmt); mysqli_stmt_close($stmt); 8
  • 9. What is SQL injection – interpolation (ints) $user_id = $_GET[‘user_id’]; $sql = “select 1 from users.users where admin_flag=true and user_id = “ . $user_id; … $ wget http://host/path.php?user_id=1 $ wget http://host/path.php?user_id=“1 or 1=1” 9 SQL injection!
  • 10. Use type checking, or prepared statements! #check that integers really are integers! $user_id = GET[‘user_id’]; if(!is_numeric(user_id)) $user_id = “NULL”; $sql = “select … and user_id = “ . $user_id; #prepared statement $user_id = GET[‘user_id’]; $sql = “select … and user_id = ?” … mysqli_stmt_bind_param($stmt, “i”, $user_id); mysqli_stmt_execute($stmt); 10
  • 11. When escaping can’t help • Some parts of a SQL statement can’t be manipulated using parameters • These include – ORDER BY columns – Variable number of items in an IN list – Adding SQL syntax like DISTINCT 11
  • 12. Don’t use user input in the query #avoid using user input directly in ANY way $sql = “select * from listings where deleted = 0 and sold = 0 and open = 1”; if(!empty($_GET[‘ob’])) { $sql .= “ ORDER BY “ . $_GET[‘ob’]; } wget … ?ob=post_date wget … ?ob=“post_date union all (select * from listings)” 12 Now we can see all listings Bad!
  • 13. Use whitelisting instead #avoid using user input directly in ANY way $sql = “select * from listings where deleted = 0 and sold = 0 and open = 1”; $allowed = array(‘post_date’,’neighborhood’,’etc’); if(!empty($_GET[‘ob’]) && is_string($_GET[‘ob’])) { if(in_array($_GET[‘ob’], $allowed)) { $sql .= “ ORDER BY “ . $_GET[‘ob’]; } } wget … ?ob=post_date wget … ?ob=“post_date union all (select * from listings)” 13 in_array() is the keeper of the gate
  • 14. All that works great for the apps you control • BUT… – If you don’t have the source for an app, then you really can’t be sure it isn’t safe from SQL injection – Or maybe you have to support old apps – Or apps that were not developed rigorously – What do we do in these cases? 14
  • 15. SQL INJECTION DETECTION USING PT-QUERY-DIGEST Out-of-band SQL injection detection 15
  • 16. How to detect SQL injection? • Most applications only do a small number of things. – Add orders, mark orders as shipped, update addresses, etc. – The SQL “patterns” that identify these behaviors can be collected and whitelisted. – Queries that don’t match a known fingerprint may be investigated as SQL injection attempts 16
  • 17. What is a query fingerprint? • A query fingerprinting algorithm transforms a query into a form that allows like queries to be grouped together and identified as a unit – In other words, these like queries share a fingerprint – Even though the queries differ slightly they still fingerprint to the same value – This is a heuristic based approach 17
  • 18. Tools that support query fingerprints • Percona Toolkit tools – pt-query-digest – pt-fingerprint 18 Reads slow query logs and populates the whitelist table. Can also be used to display new queries that have not been marked as allowed. Takes a query (or queries) and produces fingerprints. Useful for third party tools that want to use fingerprints.
  • 19. What is a query fingerprint (cont?) select * from some_table where col = 3 becomes select * from some_table where col = ? select * from some_table where col = IN (1,2) becomes select * from some_table where col IN (?) 19
  • 20. Query fingerprints expressed as hashes pt-query-digest can provide short hashes of checksums select * from some_table where col = ? 982e5737f9747a5d (1631105377) select * from some_table where col = IN (?) 2da8ed487cdfc1c8 (1680229806268) 20 base 10
  • 21. pt-query-digest • Normally used for profiling slow queries • Has a “SQL review” feature for DBAs – Designed to mark query fingerprints as having been reviewed – This feature can be co-opted to discover new query fingerprints automatically – New fingerprints are either new application code or SQL injection attempts 21
  • 22. pt-query-digest – review feature • Need to store the fingerprints in a table – Known good fingerprints will be marked as reviewed – If pt-query-digest discovers new fingerprints you will be alerted because there will be unreviewed queries in the table 22
  • 23. pt-query-digest - review table initialization Need to initialize the table pt-query-digest /path/to/slow.log --create-review-table --review “h=127.0.0.1,P=3306,u=percona,p=2un1c0rns,D=percona,t=whitelist” --sample 1 --no-report 23 Where to store fingerprints Don’t waste time on stats Don’t print report
  • 24. pt-query-digest – command-line review pt-query-digest /path/to/slow.log --review “DSN…” --sample 1 --report --limit 0 24 Ensure that all unreviewed queries are shown Display the report of queries Don’t collect stats, just sample one of each new fingerprint How it knows which queries have already been reviewed
  • 25. USING THE WHITELIST WITH SQL 25
  • 26. Detecting new query fingerprints SELECT count(*) FROM percona.whitelist WHERE reviewed_by IS NULL; SELECT checksum, sample FROM percona.whitelist WHERE reviewed_by IS NULL; 26 Any new queries? percona.whitelist is just an example name, you can use any you like Get a list of the queries
  • 27. Add a query fingerprint to the whitelist UPDATE percona.whitelist SET reviewed_by = ‘allow’, reviewed_on = now() WHERE checksum= 1680229806268; 27
  • 28. Blacklist a query fingerprint You might also explicitly blacklist a fingerprint UPDATE percona.whitelist SET reviewed_by = ‘deny’, reviewed_on = now() WHERE checksum = 1631105377; 28
  • 29. Web interface for whitelist management • The Noinject! project (discussed later) has a web interface that can be used to mark queries as reviewed • It can be with both the noinject.lua proxy script or with pt-query-digest 29
  • 30. LIMITATIONS AND CAVEATS Out of band detection 30
  • 31. Out-of-band detection • Some damage or information leakage may have already happened • To limit the extent of the damage send an alert as soon as a new pattern is detected – Ensure thorough application pattern detection in a test environment to avoid false positives 31
  • 32. Get logs as fast as possible • Use tcpdump on a mirrored server port – Pipe the output to pt-query-digest • Use tcpdump on the database server – Adds some additional overhead from running the tools on the same machine – Possibly higher packet loss • Collect and process slow query logs frequently – Adds slow query log overhead to server – Longer delay before processing 32
  • 33. FINDING THE VULNERABILITY What to do BEFORE a fishy fingerprint appears 33
  • 34. Prepare for finding a vulnerability • Tracking down the vulnerable code fragment can be difficult if you have only the SQL statement • Not just a problem with SQL injection since it is usually convenient to see where a SQL statement was generated from 34
  • 35. Add tracing comments to queries • A good approach is to modify the data access layer (DAL) to add SQL comments – Comments are preserved in the slow query log – Comments are displayed in SHOW commands • SHOW ENGINE INNODB STATUS • SHOW PROCESSLIST – Make sure your client does not strip comments! 35
  • 36. Add tracing information • PHP can use debug_backtrace() for example • PERL has variables that point to the file and line • Investigate the debugging section of your langauge’s manual 36
  • 37. What to place in the comment • Here are some important things to consider placing into the tracing comment – session_id (or important cookie info) – application file name, and line number – important GET, POST, PUT or DELETE contents – Any other important information which could be useful for tracking down the vector being used in an attack 37
  • 38. Example comments in SQL queries select airport_name, count(*) from dim_airport join ontime_fact on dest_airport_id = airport_id where depdelay > 30 and flightdate_id = 20080101 /* webserver:192.168.1.3,file:show_delays.php,l ine:326,function:get_delayed_flights,user:ju stin,sessionid:7B7N2PCNIOKCGF */ 38 This comment contains all that you need
  • 39. Most apps don’t do this out of the box • You can modify the application – If you have the source code (and it uses a DAL) • BUT… – There isn’t much you can do if • The application is closed source , or you can’t change the source • There is no DAL (code/query spaghetti) • For any other reason it is problematic to inject information into all SQL queries 39
  • 40. If I can’t change the source? • You can’t fix the problems when you detect them. • Consider using an open source solution • Or consider in-band protection 40
  • 41. SQL INJECTION PREVENTION In-band SQL injection detection 41
  • 42. In-band protection • Using pt-query-digest to discover new query patterns is useful – But it doesn’t work in real time – It can’t block bad queries from actually executing 42
  • 43. In-band protection • What is needed is a “man in the middle” that inspects each query to ensure it matches an allowed fingerprint. – MySQL proxy can be used for this purpose 43
  • 44. MySQL Proxy • MySQL Proxy – Supports Lua scripting for easy development – Adds some latency to all queries – Considered “alpha” quality though for simple scripts it seems stable enough – Fingerprinting and checking database also adds latency. 3ms – 5ms per query is to be expected 44
  • 45. Noinject! – The Lua script and PHP interface • http://code.google.com/p/noinject-mysql • The Lua script for MySQL proxy is pretty much drop-in. – Just modify it to point to your database server and specify credentials and other options. • PHP script is similarly easy to configure. – Drop in a directory on an Apache box – Modify the script to set the options. 45
  • 46. The Lua proxy script – known queries • By default the script will retrieve all known good fingerprints and cache them locally when the first query is received from a client • Also by default, all queries that fail to pass the known whitelist check are logged in an exception table. 46 Both of these options can be changed easily
  • 47. The Lua proxy script – known queries • Each query is fingerprinted – If the fingerprint is on the whitelist, the actual query is sent to the server – If the query is not on the whitelist the behavior varies depending on the proxy mode 47
  • 48. Lua script – Proxy mode • permissive mode – Records the SQL fingerprint into the whitelist table but does not mark it as reviewed – Allows the query to proceed • restrictive mode – Records the SQL fingerprint into the whitelist table – Returns an empty set for the query 48
  • 49. Why use permissive mode? • Permissive mode allows the collection of SQL fingerprints for an application dynamically – Just run the application with typical workload and the SQL queries will be recorded automatically – Eventually switch to restrictive mode 49
  • 50. PHP Web interface • 1999 mode HTML interface  50 Query Sample Last action time with note White or black list the fingerprint
  • 51. If you want something prettier • This is open source so… • If you want bug fixes or have feature requests – You can engage with Percona for development – You can contribute! – You can fork your own version  51
  • 52. If the proxy overhead is too high • You could develop the functionality in MySQL – too bad the parser is not pluggable  • Try mysqlnd plugins – fingerprint queries in PHP – match them to a whitelist maintained in a serialized PHP array – reject queries that aren’t approved • Improve the proxy lua script – fingerprint process could probably be made faster 52
  • 53. Percona Training Advantage • This presentation and the Noinject! tool were created by Justin Swanhart, one of Percona’s expert trainers – Check out http://training.percona.com for a list of training events near you – Request training directly by Justin or any of our other expert trainers by contacting your Percona sales rep today 53