Code Injection
Cable Johnson

Code Injection
 Overview
 Common Injection Types
 Developer Prevention

“username” stored as string constant

Overview
 Insert source code into existing application
 Single command
 Entire script
 Used by worms to propagate

Common Injection Types
 SQL injection
 Web injection/XSS
 Shell injection

SQL Injection
 Infiltrate database
 Dump data, alter data
 Done at database level
 Easily automated
 Attempted constantly
 Average: 71 attempts/hr
 Peak: attempts/hr

Web
 SQL: database level
 XSS: web level
 PHP/ASP injection: server infiltration
 HTML/Script injection: browser infiltration
 Most common injection type today

Shell Injection
 Targets the machine rather than the database or web page
 Done at shell (command line) level
 Windows and UNIX
 Typically used to escalate privileges

Prevention
 Design
 Input sanitization

Design
 Blacklisting
 Minimize use of user input
 Limit database use
 Disable unnecessary database functionality
 Update regularly
 Attack yourself

Sanitization
 Character exclusion
 Signature exclusion
 Prepared statements

 ( ‘ ), ( \ ), ( ` )  Require alphanumeric only  Limit string length to guard against complex queries  Easy to implement  Easily recognizable Character Exclusion

Signature Exclusion
 UNION SELECT
 OR 1=1
 EXEC SP_ (or EXEC XP_)
 False positives come with large signature sets
 Easily avoidable

Signature Weakness
 OR 1 = 1
 OR 'str' = 'str'
 OR 'str' = 'st'+'r'
 OR 'str' = N'str'
 OR 's' IN ('str')
 O/**/R 's' < 'z'
 Unreasonable to keep signatures for countless possible inputs

Prepared Statements
 Efficient method of sanitization
 Also a query optimization
 Build the SQL statement with minimal syntax
 Run the partial query ("prepare")
 Fill in user input after preparation

Pseudo Code
    sql = "SELECT * FROM users WHERE username=$1 AND password=$2"
    statement = db.prepare(sql)
    username = input()
    password = input()
    statement.execute(username, password)
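To make the prepare-then-bind split concrete, here is an added Python example (my code, not the presentation's) that runs the same login query two ways against a constructed in-memory SQLite table: once assembled by string concatenation and once as a parameterised statement, which is how Python's sqlite3 driver exposes prepared statements (it uses ? placeholders where the pseudo code uses $1 and $2). The table, the single user row and the inputs are constructed sample data; the second "password" is the OR 'str' = 'str' signature from the Signature Weakness slide.

```python
import sqlite3


def make_db():
    """Constructed sample table: one user, plaintext password only for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Query built from user input: quote characters in the input become SQL syntax."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()


def login_prepared(conn, username, password):
    """Statement compiled with placeholders first; the driver binds the values
    afterwards, so the input is only ever compared as a string literal."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for pw in ("correct-horse", "' OR '1'='1"):
        print(repr(pw),
              "concat:", login_concat(db, "alice", pw),
              "prepared:", login_prepared(db, "alice", pw))
```

With the concatenated query the quoted input turns the WHERE clause into `password='' OR '1'='1'`, which is true for every row, so the login "succeeds" without the password; the prepared statement compares the whole string against the stored password and returns no row. A legitimate name containing an apostrophe (O'Brien) shows the other side of the same point: concatenation produces a syntax error, the prepared statement simply finds no match.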

Bad Sanitization
 Seth
 Amanda
 George

function checkForBadSql($sqlcode)
{
    global $CONTEXT, $ERROR_TEXT;
    $badSqlCode[] = 'create';
    $badSqlCode[] = 'database';
    $badSqlCode[] = 'table';
    $badSqlCode[] = 'insert';
    $badSqlCode[] = 'update';
    $badSqlCode[] = 'rename';
    $badSqlCode[] = 'replace';
    $badSqlCode[] = 'select';
    $badSqlCode[] = 'handler';
    $badSqlCode[] = 'delete';
    $badSqlCode[] = 'truncate';
    $badSqlCode[] = 'drop';
    $badSqlCode[] = 'where';
    $badSqlCode[] = 'or';
    $badSqlCode[] = 'and';
    $badSqlCode[] = 'values';
    $badSqlCode[] = 'set';

    // test if sql code is bad
    // note: the square brackets build a character class here, not an alternation group
    if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode))
    {
        // bad sql found -- hack attempt! Abort
        $ERROR_TEXT = "Invalid text was entered. Please correct.";
        return 0;
    }
    return 1;
}
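As an added illustration of the Signature Exclusion and Signature Weakness slides (my code, not the presenter's), the Python below reuses the keyword list from the checkForBadSql() function above and evaluates it two ways: with the pattern exactly as published, where the square brackets make `[create|database|...]` a character class that matches any run of letters drawn from the keywords, and with the whole-word alternation group the function evidently meant to build. Both are then run over constructed inputs: an ordinary sentence, an English sentence that happens to use the word "set", the OR 1=1 signature, and the whitespace-free O/**/R-style variant from the Signature Weakness slide.

```python
import re

# Keyword list copied from the checkForBadSql() function on the slide
BAD_SQL_WORDS = [
    "create", "database", "table", "insert", "update", "rename", "replace",
    "select", "handler", "delete", "truncate", "drop", "where", "or", "and",
    "values", "set",
]

# Pattern as published: '[' ... ']' is a character class, so this matches any
# run of keyword letters (or '|') that sits between two whitespace characters.
AS_PUBLISHED = re.compile(r"\s[" + "|".join(BAD_SQL_WORDS) + r"]+\s", re.I)

# Pattern as evidently intended: one complete keyword between two whitespace
# characters.
AS_INTENDED = re.compile(r"\s(?:" + "|".join(BAD_SQL_WORDS) + r")\s", re.I)


def is_flagged_as_published(text):
    return AS_PUBLISHED.search(text) is not None


def is_flagged_as_intended(text):
    return AS_INTENDED.search(text) is not None


def classify(inputs):
    """Map each input string to (published verdict, intended verdict)."""
    return {s: (is_flagged_as_published(s), is_flagged_as_intended(s))
            for s in inputs}


# Constructed inputs for the demo
SAMPLE_INPUTS = [
    "my name is Seth thanks",   # harmless comment text
    "please set the timer",     # harmless English using a keyword
    "x' or 1=1 --",             # the OR 1=1 signature from the slides
    "x'/**/or/**/1=1--",        # same logic, no whitespace (Signature Weakness)
]

if __name__ == "__main__":
    for text, (published, intended) in classify(SAMPLE_INPUTS).items():
        print(f"{text!r:28} as published: {published!s:5} as intended: {intended}")
```

The first input is rejected by the published pattern (the two-letter word "is" is made entirely of keyword letters), the second is rejected by both because "set" is a legitimate English word, and the fourth passes both because neither pattern sees any whitespace at all. That is the slide's point in running code: the blacklist blocks ordinary users while a trivial rewrite of the same condition walks through it, which is why the deck's Review slide hands the win to prepared statements rather than to signatures.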

Review
 Injection requires knowledge and craftiness on the attacker’s part, but is very deadly
 SQL: database
 XSS: web
 Shell: machine
 Several prevention tactics, but prepared statements win