Advanced Topics on SQL Injection Protection. Sam NG, CISA, CISSP, SQLBlock.com, [email_address], Feb 27th, 2006
Introduction
Methods to prevent SQL Injection: Development Phase, QA Phase, Production Phase
Method 1: Input Validation
1.1: Escape inputs properly
Consider the following PHP code:
[PHP]
    $magic_quotes_runtime = "on";
    // magic quotes escaped the request on arrival, but urldecode() runs afterwards,
    // so an encoded %27 becomes an unescaped quote inside $url
    $url = urldecode($_REQUEST['url']);
    $query = "INSERT INTO tbl_links (type, url) VALUES(1, '$url')";
1.2: Validate numeric fields
[ASP]
    Dim conn, rec, query, prod, price
    prod = Replace(Request.Form("prod"), "'", "''")
    price = Replace(Request.Form("price"), "'", "''")
    Set conn = CreateObject("ADODB.Connection")
    conn.Open "DSN=AccountDB;UID=sa;PWD=password;"
    ' price is a numeric field: no quotes surround it in the query, so escaping quotes does not protect it
    query = "select * from sales where prod='" & prod & "' and price > " & price
    Set rec = conn.Execute(query)
Table 1. SQL injection vulnerabilities found in BugTraq (SecurityFocus)

    Period         Others   Numeric Field   StoredProc   Second Order   Total
    2004 Jan-Jun   28       29                                          57
    2005 Jan-Jun   92       94              7            1              194
Prevent Numeric Field Injection
[PHP]
    if ($category > 0) {
        $categ = "AND catid=$category ";
    } elseif ($category == 0) {
        ....
    }
The comparison $category > 0 returns true even if $category = "2 union ...", so $categ becomes "AND catid=2 union...".
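Strict validation of the numeric fields from slide 1.2 and the "Prevent Numeric Field Injection" slide, as an added example in Python (not code from the deck): a field is accepted only if its whole text is a number, and the validated value is then bound as a query parameter. The sales table and its rows are constructed for the demo.

```python
import re
import sqlite3
from decimal import Decimal

# Exact shapes for numeric form fields: optional sign, digits, and for a price an
# optional two-decimal fraction. re.fullmatch leaves no room for trailing text,
# so "2 union ..." or "10 or 1=1" is rejected outright. PHP's loose comparison
# ($category > 0) accepts "2 union ..." because it converts the leading digits;
# an explicit pattern makes the rule the same in every language.
_INT_RE = re.compile(r"[+-]?[0-9]{1,10}")
_PRICE_RE = re.compile(r"[+-]?[0-9]{1,10}(?:\.[0-9]{1,2})?")


def parse_int_field(value) -> int:
    """Return the integer a form field holds, or raise ValueError."""
    if not isinstance(value, str) or not _INT_RE.fullmatch(value):
        raise ValueError("not a valid integer field: %r" % (value,))
    return int(value)


def parse_price_field(value) -> Decimal:
    """Return the price a form field holds, or raise ValueError."""
    if not isinstance(value, str) or not _PRICE_RE.fullmatch(value):
        raise ValueError("not a valid price field: %r" % (value,))
    return Decimal(value)


def is_numeric_field(value, kind="int") -> bool:
    """True if the field would be accepted as an 'int' or a 'price'."""
    try:
        (parse_int_field if kind == "int" else parse_price_field)(value)
        return True
    except ValueError:
        return False


def build_demo_db():
    """Constructed sample table for the slide's 'sales' query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (prod TEXT, price REAL)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)",
                     [("widget", 5.0), ("widget", 12.5), ("gadget", 20.0)])
    return conn


def search_sales(conn, prod, price):
    """The slide's query with both values bound. Escaping quotes does nothing for
    'price > ' & price because no quotes surround the number; validating it as a
    number and binding it does."""
    min_price = float(parse_price_field(price))
    return conn.execute(
        "SELECT prod, price FROM sales WHERE prod = ? AND price > ? ORDER BY price",
        (prod, min_price),
    ).fetchall()
```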
1.3 Column Names
[ASP]
    Dim cat, orderBy, query
    cat = Replace(Request.Form("cat"), "'", "''")
    orderBy = Replace(Request.Form("orderBy"), "'", "''")
    ' orderBy is used as an identifier: it is never inside quotes, so the Replace does nothing for it
    query = "select * from tbl_prod " & "where cat = '" & cat & "' " & "order by " & orderBy
Prevent SQL injection in column names
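One way to prevent injection in column names, as an added example (not the deck's code): the ORDER BY column and direction are looked up in an allowlist, so request text never reaches the identifier position, while the value (cat) is bound as a parameter. The tbl_prod rows are constructed for the demo.

```python
import sqlite3

# Allowlist: the values a form may send, mapped to the exact identifiers used in
# SQL. Identifiers cannot be bound as parameters, so this table is the only place
# a column name or sort direction may come from; anything else is rejected.
ORDER_COLUMNS = {
    "name": "prod_name",
    "price": "price",
    "added": "added_on",
}
ORDER_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(column, direction="asc") -> str:
    """Return an ORDER BY clause built only from allowlisted identifiers."""
    try:
        col = ORDER_COLUMNS[column]
        dirn = ORDER_DIRECTIONS[str(direction).lower()]
    except KeyError:
        raise ValueError("unsupported sort option: %r %r" % (column, direction)) from None
    return "ORDER BY %s %s" % (col, dirn)


def is_safe_order_by(column, direction="asc") -> bool:
    """True if the request's sort options are on the allowlist."""
    try:
        build_order_by(column, direction)
        return True
    except ValueError:
        return False


def build_demo_db():
    """Constructed sample table for the slide's tbl_prod query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_prod (cat TEXT, prod_name TEXT, price REAL, added_on TEXT)")
    conn.executemany("INSERT INTO tbl_prod VALUES (?, ?, ?, ?)", [
        ("tools", "hammer", 12.0, "2006-01-10"),
        ("tools", "saw", 30.0, "2006-02-01"),
        ("toys", "kite", 8.0, "2006-01-20"),
    ])
    return conn


def query_products(conn, cat, order_col, order_dir="asc"):
    """The slide's query: cat is bound as a parameter; the ORDER BY identifier
    comes from the allowlist, never from the request text."""
    sql = ("SELECT prod_name, price FROM tbl_prod WHERE cat = ? "
           + build_order_by(order_col, order_dir))
    return conn.execute(sql, (cat,)).fetchall()
```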
1.4 Prevent second order attacks
[ASP]
    Dim conn, rec, query1, query2, login_id, old_pass, new_pass
    ' All three form fields are properly escaped
    login_id = Replace(Request.Form("login_id"), "'", "''")
    old_pass = Replace(Request.Form("old_pass"), "'", "''")
    new_pass = Replace(Request.Form("new_pass"), "'", "''")
    Set conn = CreateObject("ADODB.Connection")
    conn.Open "DSN=AccountDB;UID=sa;PWD=password;"
    query1 = "select * from tbl_user where login_id='" & login_id & "' and password='" & old_pass & "'"
    Set rec = conn.Execute(query1)
    If (rec.EOF) Then
        Response.Write "Invalid Password"
    Else
        ' rec("login_id") is unescaped data read from the database
        query2 = "update tbl_user set password='" & new_pass & "' where login_id='" & rec("login_id") & "'"
        conn.Execute(query2)
        ..
        ..
    End If
But what if the stored login_id is "foo' union.... --"?
What is 2nd Order SQL Injection?
Prevent 2nd Order SQL Injection
PHP magic_quotes_gpc, magic_quotes_runtime
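The second-order case from slide 1.4 rebuilt in Python with SQLite, as an added example (not the deck's code): change_password_escaped keeps the slide's pattern of escaping only the form fields, change_password_parameterized binds every value whichever side of the database it came from, and the user rows are constructed for the demo.

```python
import sqlite3


def build_demo_db():
    """Constructed users table; the apostrophe in the first login is legitimate data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (login_id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO tbl_user VALUES (?, ?)",
                     [("o'brien", "old-1"), ("alice", "old-2")])
    conn.commit()
    return conn


def sql_escape(value: str) -> str:
    """The slide's Replace(x, "'", "''") as a Python function."""
    return value.replace("'", "''")


def change_password_escaped(conn, login_id, old_pass, new_pass):
    """The slide's pattern, kept as-is: the three form fields are escaped, but the
    login_id read back from the database goes into the second statement unescaped.
    Escaping at the input boundary says nothing about data that comes from storage."""
    query1 = ("SELECT login_id FROM tbl_user WHERE login_id='%s' AND password='%s'"
              % (sql_escape(login_id), sql_escape(old_pass)))
    row = conn.execute(query1).fetchone()
    if row is None:
        return 0
    query2 = ("UPDATE tbl_user SET password='%s' WHERE login_id='%s'"
              % (sql_escape(new_pass), row[0]))   # row[0] is not escaped
    return conn.execute(query2).rowcount


def change_password_parameterized(conn, login_id, old_pass, new_pass):
    """Every value is bound, so the statement text is identical for o'brien,
    alice, or a stored value that happens to look like SQL."""
    row = conn.execute(
        "SELECT login_id FROM tbl_user WHERE login_id=? AND password=?",
        (login_id, old_pass)).fetchone()
    if row is None:
        return 0
    cur = conn.execute("UPDATE tbl_user SET password=? WHERE login_id=?",
                       (new_pass, row[0]))
    conn.commit()
    return cur.rowcount


def run_demo():
    """What each version does for the user whose stored login contains a quote."""
    conn = build_demo_db()
    results = {}
    try:
        results["escaped"] = change_password_escaped(conn, "o'brien", "old-1", "new-1")
    except sqlite3.OperationalError as exc:
        # The unescaped stored value changed the UPDATE into a different (here,
        # malformed) statement: this is the second-order bug on the slide.
        results["escaped"] = "SQL error: %s" % exc
    results["parameterized"] = change_password_parameterized(conn, "o'brien", "old-1", "new-1")
    results["stored"] = conn.execute(
        "SELECT password FROM tbl_user WHERE login_id=?", ("o'brien",)).fetchone()[0]
    return results
```

For a plain login such as alice the escaped version works, which is exactly why the defect stays hidden until a stored value contains a quote.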
Method 2: Use Static Query Statement
2.1 parameterized stmt != static stmt
[Java]
    // The category is concatenated into the statement text, so this is obviously vulnerable
    // to SQL injection even though the statement is prepared and called in parameterized form
    String sql = "select * from product where cat='" + request.getParameter("cat") + "' and price > ?";
    PreparedStatement pstmt = con.prepareStatement(sql);
    pstmt.setString(1, request.getParameter("price"));
    ResultSet rs = pstmt.executeQuery();
2.2 Stored Procedure != SAFE
[T-SQL]
    CREATE PROCEDURE sp_dynamic (
        @name varchar(50) = ''
    )
    AS
    DECLARE @Query varchar(500)
    -- [Solution] insert here: SET @name = REPLACE(@name, '''', '''''')
    -- SQL-style string concatenation
    SET @Query = 'SELECT * FROM userlist where name = ''' + @name + ''''
    -- EXEC is the dangerous function
    EXEC(@Query)
    GO
2.3 Static query doesn't always work
Method 3: Least Privilege
Invoker's right for stored procedure
If the code DOES contain an SQL injection bug...
Method 4: Verify Your Code
4.1 Source Code Auditing
Automatic Source Code Scanner [7]
4.2 Web Application Vulnerability Scanner
Semi-automatic tools: Web Proxy (screenshot: edit POST data before sending)
Automatic Source Code Scanner vs Automatic Vulnerability Scanner
Method 5: Web Application Gateway (WAG)
The downside of WAG: (screenshot) a new user registers to a web portal application; note the apostrophe in the submitted name. But should we block this?
To make configuration easier: 1st method
To make configuration easier: 2nd method
Method 6: SQL Driver Proxy
Architecture of a SQL Driver Proxy (diagram): on the HTTP side, HTTP Client -> HTTP Proxy (Analysis) -> HTTP Server, over the HTTP protocol; on the database side, ODBC/JDBC App -> ODBC/JDBC Proxy (Analysis) -> Original Driver, over API calls.
How does a SQL Driver Proxy work?
    SELECT * FROM tbl_user WHERE user_id = '<some thing>' AND password = '<some thing>' OR 1=1 --'
    SELECT * FROM tbl_accounts WHERE user_id = '<some thing>' UNION ...
    UPDATE tbl_accounts SET balance = balance + <some value> WHERE account_id = '<some thing>'; DROP ...
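A minimal version of the shape matching the SQL Driver Proxy slides describe, as an added example that is not SQLBlock's code: literals are replaced by placeholders (the '<some thing>' on the slide), so every legitimate call of the same statement reduces to one template, and a statement in production whose template was never seen in learning mode is flagged. This also shows why the half-parameterized statement of slide 2.1 is visible to such a proxy: its text changes with the input. The statements are constructed for the demo; the tokenizer is simplified (no double-quoted identifiers, no dollar quoting).

```python
import re


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: string and numeric literals become
    placeholders, comments are dropped, keywords and identifiers are lower-cased
    and whitespace is collapsed. A simplified tokenizer; a real proxy would use
    the target database's own lexer."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":                              # string literal; '' is an escaped quote
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2
                        continue
                    break
                j += 1
            out.append("'<str>'")
            i = j + 1                             # an unterminated literal runs to the end
        elif sql.startswith("--", i):             # line comment
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
            out.append(" ")
        elif sql.startswith("/*", i):             # block comment
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
            out.append(" ")
        elif c.isdigit():                         # numeric literal
            j = i
            while j < n and (sql[j].isdigit() or sql[j] == "."):
                j += 1
            out.append("<num>")
            i = j
        elif c.isalpha() or c == "_":             # keyword or identifier
            j = i
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            out.append(sql[i:j].lower())
            i = j
        else:
            out.append(" " if c.isspace() else c)
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()


class DriverProxy:
    """Sits between the application and the real driver. In learning mode (QA) it
    records the shape of every statement the application issues; in enforcing
    mode (production) a statement whose shape was never recorded is flagged."""

    def __init__(self):
        self.known = set()
        self.learning = True

    def check(self, sql: str) -> bool:
        shape = normalize(sql)
        if self.learning:
            self.known.add(shape)
            return True
        return shape in self.known


def run_demo():
    """Constructed statements: two learned in QA, then a mix seen in production."""
    proxy = DriverProxy()
    proxy.check("SELECT * FROM tbl_user WHERE user_id = 'alice' AND password = 'pw1'")
    proxy.check("UPDATE tbl_accounts SET balance = balance + 25.00 WHERE account_id = 'A1'")
    proxy.learning = False
    return {
        # same template, different literals (an apostrophe in the name is fine)
        "login_ok": proxy.check(
            "SELECT * FROM tbl_user WHERE user_id = 'o''brien' AND password = 'pw2'"),
        # the three shapes from the slide: tautology, UNION, stacked statement
        "login_tautology": proxy.check(
            "SELECT * FROM tbl_user WHERE user_id = 'bob' AND password = 'x' OR 1=1 --'"),
        "union": proxy.check(
            "SELECT * FROM tbl_user WHERE user_id = 'bob' AND password = 'x' UNION SELECT 1, 2"),
        "stacked": proxy.check(
            "UPDATE tbl_accounts SET balance = balance + 7 WHERE account_id = 'A2'; DROP TABLE tbl_accounts"),
    }
```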
SQL Driver Proxy limitation
Intrusion Detection System (IDS)
Context-Sensitive String Evaluation [9]
Database Layer Protection
Reference
