SQL INJECTION

Information about SQL INJECTION

Published on February 25, 2009

Author: useful

Source: authorstream.com

Content

SQL INJECTION : SQL INJECTION Presentation Outline : Presentation Outline SQL Injection Attacks Intent Input Source Type Countermeasures Conclusion Introduction : Introduction What is SQL? What is SQL Injection? : What is SQL Injection? Client supplied data passed to an application without appropriate validation. Processed as commands by the database. Example : Example A typical SQL statement looks like this: select id, forename, surname from authors select id, forename, surname from authors where forename = 'john' and surname = 'smith' Forename: jo'hn Surname: smith The 'query string' becomes this: select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith' Cont’ .. : Cont’ .. Error: Server: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near 'hn'. Input modified: Forename: jo'; drop table authors-- Vulnerable Application : Vulnerable Application Attack scenario : Attack scenario Normal Usage ¬User submits login “doe” and pin “123” ¬SELECT info FROM users WHERE login= `doe’ AND pin= 123 Attack scenario : Attack scenario Malicious Usage ¬Attacker submits “admin’ -- ” and pin of “0” ¬SELECT info FROM users WHERE login=‘admin’ -- ’ AND pin=0 Intent : Intent Extracting data Adding or modifying data Performing denial of service Bypassing authentication Executing remote commands Sources of SQL Injection : Sources of SQL Injection Injection through user input Malicious strings in web forms. Injection through cookies Modified cookie fields contain attack strings. Injection through server variables Headers are manipulated to contain attack strings. Second-order injection Trojan horse input seems fine until used in a certain situation. Second-Order Injection : Second-Order Injection Attack does not occur when it first reaches the database, but when used later on. Input: admin’-- ===> admin\’-- queryString = "UPDATE users SET pin=" + newPin + " WHERE userName=’" + userName + "’ AND pin=" + oldPin; queryString = “UPDATE users SET pin=’0’ WHERE userName= ’admin’--’ AND pin=1”; Types of SQL Injection : Types of SQL Injection Piggy-backed Queries Tautologies Alternate Encodings Inference Illegal/Logically Incorrect Queries Union Query Stored Procedures Type: Piggy-backed Queries : Type: Piggy-backed Queries Insert additional queries to be executed by the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; DROP database webApp” queryString = “SELECT info FROM userTable WHERE login=‘name' AND pin=0; DROP database webApp” Type: Tautologies : Type: Tautologies Create a query that always evaluates to true for entries in the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input login as “user’ or 1=1 --” queryString = “SELECT info FROM userTable WHERE login=‘user‘ or 1=1 --' AND pin=“ Type: Alternate Encodings : Type: Alternate Encodings Encode attacks in such a way as to avoid naïve input filtering. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; declare @a char(20) select @a=0x73687574646f776e exec(@a)“ “SELECT info FROM userTable WHERE login=‘user' AND pin= 0; declare @a char(20) select @a=0x73687574646f776e exec(@a)” Countermeasures : Countermeasures Prevention Augment Code Detect vulnerabilities in code Safe libraries Detection Detect attacks at Runtime Prevention Techniques : Prevention Techniques Defensive Coding Best Practices Penetration Testing Static Analysis of Code Safe Development Libraries Proxy Filters Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization • Dynamic Tainting Dynamic Tainting : Dynamic Tainting Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization • Dynamic Tainting • Model-based Checkers Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Conclusions : Conclusions 1. SQLIAs have: a) Many sources b) Many goals c) Many types 2. Detection techniques can be effective, but limited by lack of automation. 3. Prevention techniques can be very effective, but should move away from developer dependence.

Related presentations


Other presentations created by useful

HACKING
25. 02. 2009
0 views

HACKING