SQL INJECTION

Views: 6326 | Category: Education | License: All Rights Reserved | Added: February 25, 2009 | Favorites: 4

Presentation Description: Describes how SQL injection is performed.

Presentation Transcript

Presentation Outline
- SQL Injection Attacks: Intent, Input Source, Type
- Countermeasures
- Conclusion

Introduction
- What is SQL?
- What is SQL Injection?

What is SQL Injection?
Client-supplied data is passed to an application without appropriate validation and is processed as commands by the database.

Example
A typical SQL statement looks like this:
  select id, forename, surname from authors
  select id, forename, surname from authors where forename = 'john' and surname = 'smith'
With Forename: jo'hn and Surname: smith, the query string becomes:
  select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'

Cont'd
Error: Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.
Input modified: Forename: jo'; drop table authors--

Vulnerable Application: Attack Scenario
Normal usage: the user submits login "doe" and pin "123":
  SELECT info FROM users WHERE login='doe' AND pin=123
Malicious usage: the attacker submits login "admin' -- " and pin "0":
  SELECT info FROM users WHERE login='admin' -- ' AND pin=0
(everything after -- is a comment, so the pin check never executes)

Intent
- Extracting data
- Adding or modifying data
- Performing denial of service
- Bypassing authentication
- Executing remote commands

Sources of SQL Injection
- Injection through user input: malicious strings in web forms.
- Injection through cookies: modified cookie fields contain attack strings.
- Injection through server variables: headers are manipulated to contain attack strings.
- Second-order injection: Trojan horse input seems fine until it is used in a certain situation.

Second-Order Injection
The attack does not occur when the input first reaches the database, but when it is used later on.
Input: admin'--  ===>  admin\'--
  queryString = "UPDATE users SET pin=" + newPin + " WHERE userName='" + userName + "' AND pin=" + oldPin;
  queryString = "UPDATE users SET pin='0' WHERE userName='admin'--' AND pin=1";

Types of SQL Injection
- Piggy-backed Queries
- Tautologies
- Alternate Encodings
- Inference
- Illegal/Logically Incorrect Queries
- Union Query
- Stored Procedures

Type: Piggy-backed Queries
Insert additional queries to be executed by the database.
  queryString = "SELECT info FROM userTable WHERE " + "login='" + login + "' AND pin=" + pin;
Input pin as "0; DROP database webApp":
  queryString = "SELECT info FROM userTable WHERE login='name' AND pin=0; DROP database webApp"

Type: Tautologies
Create a query that always evaluates to true for entries in the database.
  queryString = "SELECT info FROM userTable WHERE " + "login='" + login + "' AND pin=" + pin;
Input login as "user' or 1=1 --":
  queryString = "SELECT info FROM userTable WHERE login='user' or 1=1 --' AND pin="

Type: Alternate Encodings
Encode attacks in such a way as to avoid naive input filtering.
  queryString = "SELECT info FROM userTable WHERE " + "login='" + login + "' AND pin=" + pin;
Input pin as "0; declare @a char(20) select @a=0x73687574646f776e exec(@a)":
  "SELECT info FROM userTable WHERE login='user' AND pin=0; declare @a char(20) select @a=0x73687574646f776e exec(@a)"
(the hex literal is the ASCII string "shutdown", so a filter that looks for the keyword never sees it)

Countermeasures
- Prevention: augment code, detect vulnerabilities in code, safe libraries
- Detection: detect attacks at runtime

Prevention Techniques
- Defensive Coding Best Practices
- Penetration Testing
- Static Analysis of Code
- Safe Development Libraries
- Proxy Filters

Detection Techniques
- Anomaly Based Intrusion Detection
- Instruction Set Randomization
- Dynamic Tainting
- Model-based Checkers

Model-based Checkers: AMNESIA
Basic insights:
1. Code contains enough information to accurately model all legitimate queries.
2. A SQL Injection Attack will violate the predicted model.
Solution:
- Static analysis => build query models
- Runtime analysis => enforce models

Model-based Checkers: AMNESIA (example code)
  String queryString = "SELECT info FROM userTable WHERE ";
  if ((!login.equals("")) && (!pin.equals(""))) {
      queryString += "login='" + login + "' AND pin=" + pin;
  } else {
      queryString += "login='guest'";
  }
  ResultSet tempSet = stmt.executeQuery(queryString);

Conclusions
1. SQLIAs have:
   a) many sources
   b) many goals
   c) many types
2. Detection techniques can be effective, but are limited by lack of automation.
3. Prevention techniques can be very effective, but should move away from developer dependence.
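As an added example (not code from the slides or from the AMNESIA tool), the following Python/sqlite3 port of the slide's vulnerable query builder shows the comment and tautology inputs succeeding against string concatenation, an AMNESIA-style check that derives the two legitimate query shapes from the code and rejects any runtime query outside them, and the parameterised form that prevents the problem outright. The table contents and the tokenizer are constructed assumptions; sqlite3 runs only one statement per execute(), so the piggy-backed form is not reproduced.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slides' userTable."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userTable (login TEXT, pin INTEGER, info TEXT)")
    db.executemany("INSERT INTO userTable VALUES (?, ?, ?)",
                   [("doe", 123, "doe's record"), ("admin", 9999, "admin's record")])
    return db

def build_query(login, pin):
    """The slides' vulnerable construction: untrusted input concatenated into SQL."""
    q = "SELECT info FROM userTable WHERE "
    if login != "" and pin != "":
        q += "login='" + login + "' AND pin=" + pin
    else:
        q += "login='guest'"
    return q

def vulnerable_execute(db, login, pin):
    # sqlite3 runs one statement per execute(), so the tautology form is the live risk here.
    return [row[0] for row in db.execute(build_query(login, pin))]

TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|--.*|\w+|[^\s\w]")

def structure(sql):
    """Collapse literals to placeholders so only the query's shape remains."""
    kinds = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'"): kinds.append("STR")
        elif tok.isdigit(): kinds.append("NUM")
        elif tok.startswith("--"): kinds.append("COMMENT")
        else: kinds.append(tok.upper())
    return " ".join(kinds)

# Static analysis step: build_query can only ever emit these two shapes.
MODELS = {structure(build_query("x", "1")), structure(build_query("", ""))}

def checked_execute(db, login, pin):
    """Runtime step: refuse any query whose shape falls outside the model."""
    if structure(build_query(login, pin)) not in MODELS:
        return None  # SQLIA blocked before it reaches the database
    return vulnerable_execute(db, login, pin)

def safe_execute(db, login, pin):
    """Prevention: a parameterised query keeps the input as data, not SQL."""
    sql = "SELECT info FROM userTable WHERE login=? AND pin=?"
    return [row[0] for row in db.execute(sql, (login, int(pin)))]
```

The comment input "admin' -- " returns the admin row through vulnerable_execute, is rejected by checked_execute because its shape ends in COMMENT rather than AND PIN = NUM, and matches nothing through safe_execute.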