SQL Injection
SQL Injection SQL Injection is ranked number one in the CWE/SANS list of the top 25 most dangerous software errors!
SQL Injection: Basic Idea An application sends a form to user. An attacker submits form with SQL exploit data. The application builds string with exploit data. (does not filter the data) The application sends SQL query to a relational DBMS. The DBMS executes query, including exploit, sends data back to application. The application returns data to user.
Example: SQL Injection Form for “Email me my password” Assume that the application takes the user input and creates a SQL statement of the form select <fieldlist> from <table> where <field> = '<%=email%>'; Consider what would happen if the user entered the following into the form anything' or 'x' = 'x Email Address: value entered into form by the user
Example: SQL Injection (continued) SQL statement becomes select <fieldlist> from <table> where <field> = 'anything' or 'x' = 'x'; Note that the second statement is guaranteed to be true, and therefore the select statement would return the entire table. What if the response to submitting the form was something like At this point we know that the web site is subject to an SQL injection attack. Your login information has been mailed to john.doe@example.com
Exploits of a Mom
Finding SQL Injection Bugs Submit a single quote as input. If an error results, the application is vulnerable. If no error, check for any output changes. Submit two single quotes. Databases use two single quotes to represent the literal ' If an error disappears, the application is vulnerable. Try string or numeric operators. Oracle: '||'FOO MS-SQL: '+'FOO MySQL: ' 'FOO 2-2 81+19 49-ASCII(1)
Make Guesses for Field Names Enter data so that query becomes something like select ... where <field> = 'x' and email is null; -- Can try various values for field names such as email – email_addr email_address – mail Repeat on other forms to guess field names for password – pwd user_id – login_id name – last_name guess for field name comments out any remaining SQL parts
Make Guesses for Table Name Use a subquery. Enter data so that the query becomes something like select ... where email = 'x' and 1 = (select count(*) from users); --; Try different guesses. When the query returns “Email unknown”, we know that the SQL was well-formed and that we have guessed the table name. guess for table name
Impact of SQL Injection Leakage of sensitive information. Reputation decline. Modification of sensitive information. Loss of control of db server. Data loss. Denial of service.
Mitigating SQL Injection Use blacklists (a.k.a., filtering). filter out potentially bad characters such as a single quote Use whitelists. restrict input to only allowable characters such as letters, numbers, @ sign, etc. Process SQL queries using prepared statements, parameterized queries, or stored procedures. the user input is supplied as a value for the parameter Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid; e.g., Hibernate or Enterprise Java Beans.
Blacklists (a.k.a., Filtering) Filter out or sanitize known bad SQL meta-characters such as single quotes. Problems: Numeric parameters don’t use quotes. URL escaped metacharacters. Unicode encoded metacharacters. Did you miss any metacharacters? Although it’s easy to point out some dangerous characters, it’s harder to point to all of them.
JavaServer Pages (JSP) Filters in Java Filters can be used in a web application to intercept, examine, and possibly transform requests or responses associated with servlets, JSP pages, HTML pages, etc. Filters can be used to query the request and act accordingly block the request and response pair from passing any further modify the request headers and data, providing a customized version of the request modify the response headers and data, providing a customized version of the response. Think of filters as a chain of steps that requests and responses must go through before reaching a servlet, JSP page, or HTML page. ©SoftMoore Consulting
Filters in Action Server Filter 1 HTML Page Client (browser) JSP Page HTTP Request Filter 1 HTML Page Client (browser) HTTP Response JSP Page HTTP Request Client (browser) Filter 2 Servlet HTTP Response ©SoftMoore Consulting
BadInputFilter revisited BadInputFilter provides a frontline of defense against common web application security exploits such as SQL injection attacks and cross-site scripting. Unfortunately, BadInputFilter was designed for a specific version of Tomcat (a Java web server), and it breaks silently in newer versions of Tomcat. This paper provided an update and correction to BadInputFilter that should run correctly in any Java web server. John I. Moore, Jr.
Whitelist Reject input that doesn’t match your list of safe characters to accept. Identify which characters should be allowed for each input field. Reject input instead of attempting to repair. Might still need to handle some potentially dangerous characters such as single quotes in a name (e.g., O’Neill).
Prepared Statements in Java String query = "SELECT email FROM members WHERE name = ?"; PreparedStatement ps = connection.prepareStatement(query); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); Since a prepared statement is parsed only once, there could also be performance benefits if it is reused multiple times (e.g., in a loop), but the performance benefits are minor compared to the security benefits.
Relevant Links SQL Injection Attacks by Example http://www.unixwiz.net/techtips/sql-injection.html SQL Injection (Wikipedia) https://en.wikipedia.org/wiki/SQL_injection BadInputFilter revisited (John Moore, JavaWorld) http://www.javaworld.com/article/2078901/open-source-tools/badinputfilter-revisited.html 2011 CWE/SANS Top 25 Most Dangerous Software Errors http://cwe.mitre.org/top25/ ©SoftMoore Consulting