1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.*
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Project 7 Discussion Section XSS and SQL Injection in Rails.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Multiple Tiers in Action
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Workshop 3 Web Application Security Li Weichao March
PHP Security.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Building Secure Web Applications With ASP.Net MVC.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Crash Course in Web Hacking
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
CS 142 Lecture Notes: Injection AttacksSlide 1 xkcd.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.*
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Web Application Security Part I Tyler Moore Based on Slides developed John Mitchell for Stanford CS155 CS 7403 Spring 2016.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
CSE509 System Security Attacks against the server-side of web applications Nick Nikiforakis
Building Secure ColdFusion Applications
Web Application Security
SQL Primer Boston University CS558 Network Security Fall 2015
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
CS 371 Web Application Programming
SQL Injection Attacks Many web servers have backing databases
Cross-Site Forgery
Intro to Web Security Kevin Zeng
Tyler Moore Some slides developed by John Mitchell for Stanford CS155
Web Application Security
Chapter 13 Security Methods Part 3.
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Web Application Security
Protecting Against Common Web Application Vulnerabilities
Lecture 27 Security I April 4, 2018 Open news web sites.
Web Application Security
Presentation transcript:

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009

Common vulnerabilities SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query XSS – Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site CSRF – Cross-site request forgery Bad web site sends request to good web site, using credentials of an innocent victim who “visits” site Other problems HTTP response splitting, bad certificates, … 2 Sans Top 10

: : General code injection attacks Enable attacker to execute arbitrary code on the server Example: code injection based on eval (PHP) (server side calculator) $in = $_GET[‘exp']; eval('$ans = '. $in. ';'); Attack: 10 ; system(‘rm *.*’) ” 3 (URL encoded)

Code injection using system() Example: PHP server-side code for sending Attacker can post OR $ = $_POST[“ ”] $subject = $_POST[“subject”] system(“mail $ –s $subject < /tmp/joinmynetwork”) & subject=foo < /usr/passwd; ls echo “evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

SQL injection 5

6 Database queries with PHP (the wrong way) Sample PHP $recipient = $_POST[‘recipient’]; $sql = "SELECT PersonID FROM People WHERE Username='$recipient' "; $rs = $db->executeQuery($sql); Problem: Untrusted user input ‘recipient’ is embedded directly into SQL command

Basic picture: SQL Injection 7 Victim Server Victim SQL DB Attacker post malicious form unintended SQL query receive valuable data 1 2 3

8 CardSystems Attack CardSystems credit card payment processing company SQL injection attack in June 2005 put out of business The Attack 263,000 credit card #s stolen from database credit card #s stored unencrypted 43 million credit card #s exposed

April 2008 SQL Vulnerabilities

Main steps in this attack Use Google to find sites using a particular ASP style vulnerable to SQL injection Use SQL injection on these sites to modify the page to include a link to a Chinese site nihaorr1.com Don't visit that site yourself! The site (nihaorr1.com) serves Javascript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger Steps (1) and (2) are automated in a tool that can be configured to inject whatever you like into vulnerable sites 10

11 Example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form(“user”) & " ' AND pwd=' " & form(“pwd”) & “ '” ); if not ok.EOF login success else fail; Is this exploitable?

Web Server Web Browser (Client) DB Enter Username & Password SELECT * FROM Users WHERE user='me' AND pwd='1234' Normal Query

13 Bad input Suppose user = “ ' or 1=1 -- ” (URL encoded) Then scripts does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … ) The “--” causes rest of line to be ignored. Now ok.EOF is always false and login succeeds. The bad news: easy login to many sites this way.

14 Even worse Suppose user = “ ′ ; DROP TABLE Users -- ” Then script does: ok = execute( SELECT … WHERE user= ′ ′ ; DROP TABLE Users … ) Deletes user table Similarly: attacker can add users, reset pwds, etc.

15

16 Even worse … Suppose user = ′ ; exec cmdshell ′ net user badguy badpwd ′ / ADD -- Then script does: ok = execute( SELECT … WHERE username= ′ ′ ; exec … ) If SQL server context runs as “sa”, attacker gets account on DB server.

17 Getting private info

“SELECT pizza, toppings, quantity, date FROM orders WHERE userid=”. $userid. “AND order_month=”. _GET[‘month’] SQL Query What if: month = “ 0 AND 1=0 UNION SELECT name, CC_num, exp_mon, exp_year FROM creditcards ”

19 Results Credit Card Info Compromised

Preventing SQL Injection Never build SQL commands yourself ! Use parameterized/prepared SQL Use ORM framework

21 Parameterized/prepared SQL Builds SQL queries by properly escaping args: ′  \′ Example: Parameterized SQL: (ASP.NET 1.1) Ensures SQL arguments are properly escaped. SqlCommand cmd = new SqlCommand( "SELECT * FROM UserTable WHERE username AND password ", dbConnection); ", Request[“user”] ); ", Request[“pwd”] ); cmd.ExecuteReader(); In PHP: bound parameters -- similar function

22 0x 5c  \ 0x bf 27  ¿′ 0x bf 5c  PHP addslashes () PHP: addslashes ( “ ’ or 1 = 1 -- ”) outputs: “ \’ or 1=1 -- ” Unicode attack: (GBK) $user = 0x bf 27 addslashes ($user)  0x bf 5c 27  Correct implementation: mysql_real_escape_string() ′

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.