The OWASP Foundation Injection Flaws.

Slides:

Advertisements

Similar presentations

Module XIV SQL Injection

Advertisements

Nick Tsamis University of Tulsa CS 7493 April 2013.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.

Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.

Top 10 Defenses for Website Security Jim Manico VP Security Architecture.

How Did I Steal Your Database Mostafa

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.

SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

What is MySQL? MySQL is a database. The data in MySQL is stored in database objects called tables. A table is a collections of related data entries and.

Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Attacking Applications: SQL Injection & Buffer Overflows.

Stored Procedures, Triggers, Program Access Dr Lisa Ball 2008.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Introduction to MySQL Lab no. 10 Advance Database Management System.

Web Scripting [PHP] CIS166AE Wednesdays 6:00pm – 9:50pm Rob Loy.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

11 Using ADO.NET II Textbook Chapter Getting Started Last class we started a simple example of using ADO.NET operations to access the Addresses.

Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.

Injection CSC 482/582: Computer SecuritySlide #1.

SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting PHP & MySQL.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting MySQL – Inserting Data.

Sumanth M Ganesh B CPSC 620.  SQL Injection attacks allow a malicious individual to execute arbitrary SQL code on your server  The attack could involve.

Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Adding Parameters to Commands ADO.NET - Lesson 06  Training time: 15 minutes.

Web Server Administration Chapter 7 Installing and Testing a Programming Environment.

WEB SECURITY WEEK 2 Computer Security Group University of Texas at Dallas.

1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

JDBC CS 260 Database Systems. Overview  Introduction  JDBC driver types  Eclipse project setup  Programming with JDBC  Prepared statements  SQL.

CHAPTER 10 PHP MySQL Database

CSC 2720 Building Web Applications Accessing MySQL from PHP.

SQL Injection Anthony Brown March 4, 2008 IntroductionQuestionsBackgroundTechniquesPreventionDemoConclusions.

Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.

Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.

Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003.

SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.

Radoslav Georgiev Telerik Corporation

SQL Injection Attacks S Vinay Kumar, 07012D0506. Outline SQL Injection ? Classification of Attacks Attack Techniques Prevention Techniques Conclusion.

1 c6212 Advanced Database and Client Server MS SQL Server 2000 Stored Procedures and Parameters What ? Why ? How ?

CS320 Web and Internet Programming Database Access with JDBC Chengyu Sun California State University, Los Angeles.

MySQL Security MySQL User Conference & Expo Tuesday, April 24 th, 2007 Sheeri Kritzer, MySQL DBA

Web Systems & Technologies

SQL Injection By Wenonah Abadilla.

Database System Implementation CSE 507

SQL Primer Boston University CS558 Network Security Fall 2015

CSC 482/582: Computer Security

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

CS320 Web and Internet Programming Database Access with JDBC

Example – SQL Injection

SQL INJECTION ATTACKS.

Introduction to Web programming

SQL Injection Attacks Many web servers have backing databases

Pengantar Keamanan Informasi

PHP: Security issues FdSc Module 109 Server side scripting and

امنیت نرم‌افزارهای وب تقديم به پيشگاه مقدس امام عصر (عج) عباس نادری

Chapter 13 Security Methods Part 3.

Lecture 2 - SQL Injection

Introduction to Web programming

Presentation transcript:

The OWASP Foundation Injection Flaws

The OWASP Foundation ';';

The OWASP Foundation Anatomy of SQL Injection Attack sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “’ AND password = ‘” & Request (“password”) & ”’” What the developer intended: username = john password = password SQL Query: SELECT * FROM user_table WHERE username = ‘john’ AND password = ‘password’

The OWASP Foundation Anatomy of SQL Injection Attack

The OWASP Foundation Example Attacks SELECT first_name, last_name FROM users WHERE user_id = '' UNION ALL SELECT load_file(‘C:\\app\\htdocs\\webapp\\.htaccess'), '1‘ SELECT first_name, last_name FROM users WHERE user_id ='' UNION SELECT '',' ' INTO OUTFILE ‘C:\\app\\htdocs\\webapp\\exploit.php';# Goto

The OWASP Foundation String Building to Call Stored Procedures  String building can be done when calling stored procedures as well sql = + request.getParameter(“LastName”);  Stored Procedure Code CREATE PROCEDURE GetCustInfo VARCHAR(100)) AS exec(‘SELECT * FROM CUSTOMER WHERE LNAME=‘’’ + ‘’’’) (Wrapped Dynamic SQL) GO What’s the issue here………… If blah’ OR ‘1’=‘1 is passed in as the LastName value, the entire table will be returned  Remember Stored procedures need to be implemented safely. 'Implemented safely' means the stored procedure does not include any unsafe dynamic SQL generation.

The OWASP Foundation Rails: ActiveRecord/Database Security Rails is designed with minimal SQL Injection problems. It is not recommended to use user data in a database query in the following manner: Project.where("name = '#{params[:name]}'") By entering a parameter with a value such as ‘ OR 1 -- Will result in: SELECT * FROM projects WHERE name = '' OR 1 --'

The OWASP Foundation Active Record Other Injectable examples: Rails 2.X = Project.find(:all, :conditions => "name like #{params[:name]}") Rails 3.X example: name = = Project.where("name like ' " + name + " ' ");

The OWASP Foundation Active Record Countermeasure Ruby on Rails has a built-in filter for special SQL characters, which will escape ', ", NULL character and line breaks. Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure. Model.where("login = ? AND password = ?", entered_user_name, entered_password).first The "?" characters are placeholders for the parameters which are parameterised and escaped automatically. Important: Many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. A list of them can be found here and such methods should be used with caution.

The OWASP Foundation Query Parameterization (PHP) $stmt = $dbh->prepare(”update users set =:new_ where id=:user_id”); $stmt->bindParam(':new_ ', $ ); $stmt->bindParam(':user_id', $id);

The OWASP Foundation Query Parameterization (.NET) SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name AND Password objConnection); NameTextBox.Text); PassTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader();

The OWASP Foundation Query Parameterization (Java) String newName = request.getParameter("newName") ; String id = request.getParameter("id"); //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employeeswhere id=:empId"); safeHQLQuery.setParameter("empId", id);

The OWASP Foundation Query Parameterization (Cold Fusion) SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =

The OWASP Foundation Query Parameterization (PERL) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );

The OWASP Foundation Command Injection Web applications may use input parameters as arguments for OS scripts or executables Almost every application platform provides a mechanism to execute local operating system commands from application code Most operating systems support multiple commands to be executed from the same command line. Multiple commands are typically separated with the pipe “|” or ampersand “&” characters  Perl: system(), exec(), backquotes(``)  C/C++: system(), popen(), backquotes(``)  ASP: wscript.shell  Java: getRuntime.exec  MS-SQL Server: master..xp_cmdshell  PHP : include() require(), eval(),shell_exec

The OWASP Foundation LDAP Injection   (OWASP-DV-006) (OWASP-DV-006) SQL Injection  Cheat_Sheet Cheat_Sheet  Cheat_Sheet Cheat_Sheet Command Injection  Where can I learn more?