SlideShare une entreprise Scribd logo

Advanced Topics On Sql Injection Protection

A
amiable_indian

www.secguru.com

Technologie
1  sur  64
Advanced Topics on SQL Injection Protection Sam NG CISA, CISSP SQLBlock.com [email_address] Feb 27 th , 2006
Introduction ,[object Object],[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Method 1: Input Validation ,[object Object],[object Object],[object Object]
Method 1: Input Validation (cont’d) ,[object Object],[object Object],[object Object],[object Object],[object Object]
1.1: Escape inputs properly ,[object Object],[object Object],[object Object]
Consider the following PHP code ,[object Object],[object Object],[PHP] $magic_quotes_runtime = “on” ; $url = urldecode ($_REQUEST [ ‘url’ ]); $query = “INSERT INTO tbl_links (type, url) VALUES(1, ‘ $url ’)” ;
1.2: Validate numeric fields ,[object Object],[object Object],[object Object],[ASP] Dim conn, rec, query, prod, price prod = Replace (Request. Form ( “prod” ), “’ ”, “’’” ) price = Replace (Request. Form (“price”), “’” , “’’” ) Set conn = CreateObject ("ADODB.Connection") conn.Open = "DSN=AccountDB;UID=sa;PWD=password;" query = “select * from sales where prod=’” & prod & “‘ and price > ” & price Set rec = conn.Execute(query)
However… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Table 1. SQL injection vulnerabilities found in BugTraq SecurityFocus 194 1 7 94 92 2005 Jan-Jun 57     29 28 2004 Jan-Jun Total Second Order StoredProc Numeric Field Others Period
Table 1 (cont’d) ,[object Object],[object Object],[object Object]
Prevent Numeric Field Injection 1 ,[object Object],[object Object],if ( $category > 0) { $categ = "AND catid=$category "; } elseif ( $category == 0) { .... } “ AND catid=2 union…”; Return true even if $category = “ 2 union … ”
Prevent Numeric Field Injection 2 ,[object Object],[object Object],[object Object],[object Object]
1.3 Column Names ,[object Object],[object Object],[object Object]
1.3 Column Names (cont’d) ,[object Object],Dim cat, orderBy, query cat = Replace ( Request .Form( “cat” ), “’” , “’’” ) orderBy = Replace ( Request .Form( “orderBy” ), “’” , “’’” ) query = “select * from tbl_prod ” & “where cat = ‘” & cat & “’ “ & “order by “ & orderBy
Prevent SQL injection in column names ,[object Object],[object Object],[object Object],[object Object],[object Object]
1.4 Prevent second order attacks Dim conn, rec, query1, query2, login_id, old_pass, new_pass login_id = Replace (Request. Form ( “login_id” ), “’” , “’’” ) old_pass = Replace (Request. Form ( “old_pass” ), “’” , “’’” ) new_pass = Replace (Request. Form ( “new_pass” ), “’” , “’’” ) Set conn = CreateObject ( "ADODB.Connection" ) conn.Open = "DSN=AccountDB;UID=sa;PWD=password;" query1 = “select * from tbl_user where login_id=’” & login_id & “’ and password=‘” & old_pass & “’” Set rec = conn.Execute(query1) If (rec.EOF) Then Response.Write "Invalid Password" Else query2 = “update from tbl_user set password=’” & new_pass & “’ where login_id=’” & rec.( “login_id” ) & “’” conn.Execute(query2) .. .. End If Unescaped data, read from database. But, what about if login_id = “foo’ union…. – ” All properly escaped
What is 2 nd Order SQL Injection? ,[object Object]
Prevent 2 nd Order SQL Injection ,[object Object],[object Object],[object Object],[object Object]
 PHP magic_quotes_gpc, magic_quotes_runtime ,[object Object],[object Object],[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Method 2: Use Static Query Statement ,[object Object],[object Object],[object Object],[object Object]
2.1 parameterized stmt != static stmt [Java] String sql = “select * from product where cat=’” + request.get( “cat” ) + “’ and price > ?” ; PreparedStatement pstmt = con.prepare(sql); pstmt.setString(1, request.getParameter( “price” )); ResultSet rs = pstmt.executeQuery(); Obviously vulnerable to SQL injection Even this is called in a parameterized form Prepare statement
2.2 Stored Procedure != SAFE CREATE PROCEDURE sp_dynamic ( @name varchar(50) = '' ) AS DECLARE @Query varchar(500) SET @Query = 'SELECT * FROM userlist where name = ''' + @name + ''' EXEC( @Query ) GO Dangerous Function SQL style string concatenation [Solution] SET @name = REPLACE ( @name , '''' , '''''' ) Insert at HERE
2.3 Static query doesn’t always work ,[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Method 3: Least Privilege ,[object Object],[object Object],[object Object],[object Object],[object Object]
Invoker’s right for stored procedure ,[object Object],[object Object],[object Object]
However... ,[object Object],[object Object],[object Object],[object Object]
If the code DOES contain SQL Injection bug… ,[object Object],[object Object]
Conclusion ,[object Object],[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Method 4: Verifies Your code ,[object Object],[object Object],[object Object]
4.1 Source Code Auditing ,[object Object],[object Object],[object Object]
Automatic Source Code Scanner [7] ,[object Object],[object Object],[object Object]
4.2 Web Application Vulnerability Scanner ,[object Object],[object Object],[object Object],[object Object],[object Object]
Semi-automatic tools: Web Proxy ,[object Object],[object Object],Edit Post Data Before Send
Automatic Source Code Scanner vs Automatic Vulnerability Scanner ,[object Object],[object Object],[object Object],[object Object]
Conclusion ,[object Object],[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Method 5: Web Application Gateway (WAG) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The downside of WAG ,[object Object],[object Object],A new user register to a web portal application N oted the apostrophe But should we block this?
The downside of WAG (cont’d) ,[object Object],[object Object],[object Object]
The downside of WAP (cont’d) ,[object Object],[object Object],[object Object],[object Object]
Solution ,[object Object]
To make configuration easier: 1 st method ,[object Object],[object Object],[object Object],[object Object],[object Object]
To make configuration easier: 2 nd method ,[object Object],[object Object],[object Object]
To make configuration easier ,[object Object],[object Object],[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Method 6: SQL Driver Proxy ,[object Object],[object Object],[object Object]
Architecture of a SQL Driver Proxy HTTP Client HTTP Server HTTP Server HTTP Client ODBC JDBC App Original Driver ODBC/JDBC Driver ODBC/JDBC App Analysis Analysis HTTP Proxy ODBC/JDBC Proxy HTTP Protocol HTTP Protocol API Calls API Calls
How SQL Driver Proxy works? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
How SQL Driver Proxy works? (cont’d) ,[object Object],SELECT * FROM tbl_user WHERE user_id = ‘<some thing>’ AND password = ‘<some thing>’ OR 1=1 --’ SELECT * FROM tbl_accounts WHERE user_id = ‘<some thing>’ UNION … UPDATE tbl_accounts SET balance = balance + <some value> WHERE account_id = ‘<some thing>’ ; DROP …
How SQL Driver Proxy works? (cont’d) ,[object Object],[object Object]
SQL Driver Proxy limitation ,[object Object]
SQL Driver Proxy limitation (cont’d) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase
Intrusion Detection System (IDS) ,[object Object],[object Object],[object Object]
Context-Sensitive String Evaluation [9] ,[object Object],[object Object],[object Object],[object Object]
Database Layer Protection ,[object Object],[object Object]
Conclusion ,[object Object],[object Object],[object Object],[object Object]
Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Reference - 2 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Recommandé

SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
amiable_indian
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
Edureka!
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
Sanad Bhowmik
 
Sql injection
Sql injectionSql injection
Sql injection
Mehul Boghra
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 

Recommandé

SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
amiable_indian
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
Edureka!
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
Sanad Bhowmik
 
Sql injection
Sql injectionSql injection
Sql injection
Mehul Boghra
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Sql injection
Sql injectionSql injection
Sql injection
Nikunj Dhameliya
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
Raghav Bisht
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Sql injection
Sql injectionSql injection
Sql injection
Nitish Kumar
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
Secure Code Warrior
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
Eguardian Global Services
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdf
Bhashit Pandya
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
Noaman Aziz
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
MongoDB : The Definitive Guide
MongoDB : The Definitive GuideMongoDB : The Definitive Guide
MongoDB : The Definitive Guide
Wildan Maulana
 

Contenu connexe

Tendances

A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 

Tendances (20)

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
SQL injection
SQL injectionSQL injection
SQL injection
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdf
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 

En vedette

MongoDB : The Definitive Guide
MongoDB : The Definitive GuideMongoDB : The Definitive Guide
MongoDB : The Definitive Guide
Wildan Maulana
 
Top 5 Javascript Frameworks for Web and Mobile App Development
Top 5 Javascript Frameworks for Web and Mobile App DevelopmentTop 5 Javascript Frameworks for Web and Mobile App Development
Top 5 Javascript Frameworks for Web and Mobile App Development
Ajeet Singh
 
Software Automation Testing Introduction
Software Automation Testing IntroductionSoftware Automation Testing Introduction
Software Automation Testing Introduction
Narayanan Palani
 
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
Anand Bagmar
 

En vedette (13)

SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
MongoDB : The Definitive Guide
MongoDB : The Definitive GuideMongoDB : The Definitive Guide
MongoDB : The Definitive Guide
 
Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?Introduction to APIs & how to automate APIs testing with selenium web driver?
Introduction to APIs & how to automate APIs testing with selenium web driver?
 
Top 5 Javascript Frameworks for Web and Mobile App Development
Top 5 Javascript Frameworks for Web and Mobile App DevelopmentTop 5 Javascript Frameworks for Web and Mobile App Development
Top 5 Javascript Frameworks for Web and Mobile App Development
 
Software Automation Testing Introduction
Software Automation Testing IntroductionSoftware Automation Testing Introduction
Software Automation Testing Introduction
 
Selenium topic 3 -Web Driver Basics
Selenium topic 3 -Web Driver BasicsSelenium topic 3 -Web Driver Basics
Selenium topic 3 -Web Driver Basics
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Selenium WebDriver FAQ's
Selenium WebDriver FAQ'sSelenium WebDriver FAQ's
Selenium WebDriver FAQ's
 
Introduction to Selenium Web Driver
Introduction to Selenium Web DriverIntroduction to Selenium Web Driver
Introduction to Selenium Web Driver
 
Java Basics for selenium
Java Basics for seleniumJava Basics for selenium
Java Basics for selenium
 
Automation Testing by Selenium Web Driver
Automation Testing by Selenium Web DriverAutomation Testing by Selenium Web Driver
Automation Testing by Selenium Web Driver
 
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 

Similaire à Advanced Topics On Sql Injection Protection

How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
Dmitry Evteev
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
Hongyang Wang
 
8 sql injection
8 sql injection8 sql injection
8 sql injection
drewz lin
 

Similaire à Advanced Topics On Sql Injection Protection (20)

How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Asp
AspAsp
Asp
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
8 sql injection
8 sql injection8 sql injection
8 sql injection
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
ieee
ieeeieee
ieee
 
How did i steal your database
How did i steal your databaseHow did i steal your database
How did i steal your database
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web Security
Web SecurityWeb Security
Web Security
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Protecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksProtecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacks
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 

Plus de amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
amiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
amiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
amiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
amiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
amiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
amiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
amiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
amiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
amiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
amiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
amiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
amiable_indian
 

Plus de amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Dernier

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

Advanced Topics On Sql Injection Protection

  • 1. Advanced Topics on SQL Injection Protection Sam NG CISA, CISSP SQLBlock.com [email_address] Feb 27 th , 2006
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11. Table 1. SQL injection vulnerabilities found in BugTraq SecurityFocus 194 1 7 94 92 2005 Jan-Jun 57     29 28 2004 Jan-Jun Total Second Order StoredProc Numeric Field Others Period
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18. 1.4 Prevent second order attacks Dim conn, rec, query1, query2, login_id, old_pass, new_pass login_id = Replace (Request. Form ( “login_id” ), “’” , “’’” ) old_pass = Replace (Request. Form ( “old_pass” ), “’” , “’’” ) new_pass = Replace (Request. Form ( “new_pass” ), “’” , “’’” ) Set conn = CreateObject ( &quot;ADODB.Connection&quot; ) conn.Open = &quot;DSN=AccountDB;UID=sa;PWD=password;&quot; query1 = “select * from tbl_user where login_id=’” & login_id & “’ and password=‘” & old_pass & “’” Set rec = conn.Execute(query1) If (rec.EOF) Then Response.Write &quot;Invalid Password&quot; Else query2 = “update from tbl_user set password=’” & new_pass & “’ where login_id=’” & rec.( “login_id” ) & “’” conn.Execute(query2) .. .. End If Unescaped data, read from database. But, what about if login_id = “foo’ union…. – ” All properly escaped
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24. 2.1 parameterized stmt != static stmt [Java] String sql = “select * from product where cat=’” + request.get( “cat” ) + “’ and price > ?” ; PreparedStatement pstmt = con.prepare(sql); pstmt.setString(1, request.getParameter( “price” )); ResultSet rs = pstmt.executeQuery(); Obviously vulnerable to SQL injection Even this is called in a parameterized form Prepare statement
  • 25. 2.2 Stored Procedure != SAFE CREATE PROCEDURE sp_dynamic ( @name varchar(50) = '' ) AS DECLARE @Query varchar(500) SET @Query = 'SELECT * FROM userlist where name = ''' + @name + ''' EXEC( @Query ) GO Dangerous Function SQL style string concatenation [Solution] SET @name = REPLACE ( @name , '''' , '''''' ) Insert at HERE
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52. Architecture of a SQL Driver Proxy HTTP Client HTTP Server HTTP Server HTTP Client ODBC JDBC App Original Driver ODBC/JDBC Driver ODBC/JDBC App Analysis Analysis HTTP Proxy ODBC/JDBC Proxy HTTP Protocol HTTP Protocol API Calls API Calls
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.