SQL INJECTION

Views:
 
Category: Education
     
 

Presentation Description

DESCRIBES HOW SQL INJECTION IS PERFORMED,

Comments

Presentation Transcript

SQL INJECTION : 

SQL INJECTION

Presentation Outline : 

Presentation Outline SQL Injection Attacks Intent Input Source Type Countermeasures Conclusion

Introduction : 

Introduction What is SQL?

What is SQL Injection? : 

What is SQL Injection? Client supplied data passed to an application without appropriate validation. Processed as commands by the database.

Example : 

Example A typical SQL statement looks like this: select id, forename, surname from authors select id, forename, surname from authors where forename = 'john' and surname = 'smith' Forename: jo'hn Surname: smith The 'query string' becomes this: select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'

Cont’ .. : 

Cont’ .. Error: Server: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near 'hn'. Input modified: Forename: jo'; drop table authors--

Vulnerable Application : 

Vulnerable Application

Attack scenario : 

Attack scenario Normal Usage ¬User submits login “doe” and pin “123” ¬SELECT info FROM users WHERE login= `doe’ AND pin= 123

Attack scenario : 

Attack scenario Malicious Usage ¬Attacker submits “admin’ -- ” and pin of “0” ¬SELECT info FROM users WHERE login=‘admin’ -- ’ AND pin=0

Intent : 

Intent Extracting data Adding or modifying data Performing denial of service Bypassing authentication Executing remote commands

Sources of SQL Injection : 

Sources of SQL Injection Injection through user input Malicious strings in web forms. Injection through cookies Modified cookie fields contain attack strings. Injection through server variables Headers are manipulated to contain attack strings. Second-order injection Trojan horse input seems fine until used in a certain situation.

Second-Order Injection : 

Second-Order Injection Attack does not occur when it first reaches the database, but when used later on. Input: admin’-- ===> admin\’-- queryString = "UPDATE users SET pin=" + newPin + " WHERE userName=’" + userName + "’ AND pin=" + oldPin; queryString = “UPDATE users SET pin=’0’ WHERE userName= ’admin’--’ AND pin=1”;

Types of SQL Injection : 

Types of SQL Injection Piggy-backed Queries Tautologies Alternate Encodings Inference Illegal/Logically Incorrect Queries Union Query Stored Procedures

Type: Piggy-backed Queries : 

Type: Piggy-backed Queries Insert additional queries to be executed by the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; DROP database webApp” queryString = “SELECT info FROM userTable WHERE login=‘name' AND pin=0; DROP database webApp”

Type: Tautologies : 

Type: Tautologies Create a query that always evaluates to true for entries in the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input login as “user’ or 1=1 --” queryString = “SELECT info FROM userTable WHERE login=‘user‘ or 1=1 --' AND pin=“

Type: Alternate Encodings : 

Type: Alternate Encodings Encode attacks in such a way as to avoid naïve input filtering. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; declare @a char(20) select @a=0x73687574646f776e exec(@a)“ “SELECT info FROM userTable WHERE login=‘user' AND pin= 0; declare @a char(20) select @a=0x73687574646f776e exec(@a)”

Countermeasures : 

Countermeasures Prevention Augment Code Detect vulnerabilities in code Safe libraries Detection Detect attacks at Runtime

Prevention Techniques : 

Prevention Techniques Defensive Coding Best Practices Penetration Testing Static Analysis of Code Safe Development Libraries Proxy Filters

Detection Techniques : 

Detection Techniques Anomaly Based Intrusion Detection

Detection Techniques : 

Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization

Detection Techniques : 

Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization • Dynamic Tainting

Dynamic Tainting : 

Dynamic Tainting

Detection Techniques : 

Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization • Dynamic Tainting • Model-based Checkers

Model-based Checkers: AMNESIA : 

Model-based Checkers: AMNESIA Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models

Model-based Checkers: AMNESIA : 

Model-based Checkers: AMNESIA String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString);

Model-based Checkers: AMNESIA : 

Model-based Checkers: AMNESIA

Model-based Checkers: AMNESIA : 

Model-based Checkers: AMNESIA

Conclusions : 

Conclusions 1. SQLIAs have: a) Many sources b) Many goals c) Many types 2. Detection techniques can be effective, but limited by lack of automation. 3. Prevention techniques can be very effective, but should move away from developer dependence.