SQL INJECTION : SQL INJECTION
Presentation Outline : Presentation Outline SQL Injection Attacks
Intent
Input Source
Type
Countermeasures
Conclusion
Introduction : Introduction What is SQL?
What is SQL Injection? : What is SQL Injection? Client supplied data passed to an application without appropriate validation.
Processed as commands by the database.
Example : Example A typical SQL statement looks like this:
select id, forename, surname from authors
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
Forename: jo'hn
Surname: smith
The 'query string' becomes this:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
Cont’ .. : Cont’ .. Error:
Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.
Input modified:
Forename: jo'; drop table authors--
Vulnerable Application : Vulnerable Application
Attack scenario : Attack scenario Normal Usage
¬User submits login “doe” and pin “123”
¬SELECT info FROM users WHERE login= `doe’ AND pin= 123
Attack scenario : Attack scenario Malicious Usage
¬Attacker submits “admin’ -- ” and pin of “0”
¬SELECT info FROM users WHERE login=‘admin’ -- ’ AND
pin=0
Intent : Intent Extracting data
Adding or modifying data
Performing denial of service
Bypassing authentication
Executing remote commands
Sources of SQL Injection : Sources of SQL Injection Injection through user input
Malicious strings in web forms.
Injection through cookies
Modified cookie fields contain attack strings.
Injection through server variables
Headers are manipulated to contain attack strings.
Second-order injection
Trojan horse input seems fine until used in a
certain situation.
Second-Order Injection : Second-Order Injection Attack does not occur when it first reaches
the database, but when used later on.
Input: admin’-- ===> admin\’--
queryString =
"UPDATE users SET pin=" + newPin +
" WHERE userName=’" + userName + "’ AND pin=" + oldPin;
queryString =
“UPDATE users SET pin=’0’
WHERE userName= ’admin’--’ AND pin=1”;
Types of SQL Injection : Types of SQL Injection Piggy-backed Queries
Tautologies
Alternate Encodings
Inference
Illegal/Logically Incorrect Queries
Union Query
Stored Procedures
Type: Piggy-backed Queries : Type: Piggy-backed Queries Insert additional queries to be executed
by the database.
queryString = “SELECT info FROM userTable WHERE” +
“login=‘” + login + “' AND pin=” + pin;
Input pin as “0; DROP database webApp”
queryString = “SELECT info FROM userTable WHERE
login=‘name' AND pin=0; DROP database webApp”
Type: Tautologies : Type: Tautologies Create a query that always evaluates to
true for entries in the database.
queryString = “SELECT info FROM userTable WHERE” +
“login=‘” + login + “' AND pin=” + pin;
Input login as “user’ or 1=1 --”
queryString = “SELECT info FROM userTable WHERE login=‘user‘ or 1=1 --' AND pin=“
Type: Alternate Encodings : Type: Alternate Encodings Encode attacks in such a way as to avoid
naïve input filtering.
queryString = “SELECT info FROM userTable WHERE” +
“login=‘” + login + “' AND pin=” + pin;
Input pin as “0; declare @a char(20) select
@a=0x73687574646f776e exec(@a)“
“SELECT info FROM userTable WHERE
login=‘user' AND pin= 0;
declare @a char(20) select @a=0x73687574646f776e exec(@a)”
Countermeasures : Countermeasures Prevention
Augment Code
Detect vulnerabilities
in code
Safe libraries Detection
Detect attacks at
Runtime
Prevention Techniques : Prevention Techniques Defensive Coding Best Practices
Penetration Testing
Static Analysis of Code
Safe Development Libraries
Proxy Filters
Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection
Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection
Instruction Set Randomization
Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection
Instruction Set Randomization
• Dynamic Tainting
Dynamic Tainting : Dynamic Tainting
Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection
Instruction Set Randomization
• Dynamic Tainting
• Model-based Checkers
Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Basic Insights
1. Code contains enough information to
accurately model all legitimate queries.
2. A SQL Injection Attack will violate the
predicted model.
Solution:
Static analysis => build query models
Runtime analysis => enforce models
Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA String queryString = "SELECT info FROM userTable WHERE ";
if ((! login.equals("")) && (! pin.equals(""))) {
queryString += "login='" + login + "' AND pin=" + pin ;
} else {
queryString+="login='guest'";
}
ResultSet tempSet = stmt.execute(queryString);
Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA
Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA
Conclusions : Conclusions 1. SQLIAs have:
a) Many sources
b) Many goals
c) Many types
2. Detection techniques can be effective,
but limited by lack of automation.
3. Prevention techniques can be very
effective, but should move away from
developer dependence.