Web Applications Security: SQL Injection Attack S. C. Kothari CPRE 556: Slide Set 3, January 27, 2005 Electrical and Computer Engineering Dept. Iowa State.

Slides:



Advertisements
Similar presentations
Module XIV SQL Injection
Advertisements

Lectures on File Management
Understand Database Security Concepts
Introduction The concept of “SQL Injection”
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
SQL Injection and Buffer overflow
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
DAY 21: MICROSOFT ACCESS – CHAPTER 5 MICROSOFT ACCESS – CHAPTER 6 MICROSOFT ACCESS – CHAPTER 7 Akhila Kondai October 30, 2013.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io
A First Program Using C#
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
MIS Week 11 Site:
Advanced Web 2012 Lecture 4 Sean Costain PHP Sean Costain 2012 What is PHP? PHP is a widely-used general-purpose scripting language that is especially.
A Guide to SQL, Eighth Edition Chapter Three Creating Tables.
Session 5: Working with MySQL iNET Academy Open Source Web Development.
Server-side Scripting Powering the webs favourite services.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
What is Sure BDCs? BDC stands for Batch Data Communication and is also known as Batch Input. It is a technique for mass input of data into SAP by simulating.
MySQL + PHP.  Introduction Before you actually start building your database scripts, you must have a database to place information into and read it from.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
PHP meets MySQL.
9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
NMED 3850 A Advanced Online Design January 12, 2010 V. Mahadevan.
(Chapter 10 continued) Our examples feature MySQL as the database engine. It's open source and free. It's fully featured. And it's platform independent.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.
ASP.NET The Clock Project. The ASP.NET Clock Project The ASP.NET Clock Project is the topic of Chapter 23. By completing the clock project, you will learn.
SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
INFO1408 Database Design Concepts Week 15: Introduction to Database Management Systems.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Introduction to JavaScript CS101 Introduction to Computing.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
M1G Introduction to Programming 2 5. Completing the program.
IS2803 Developing Multimedia Applications for Business (Part 2) Lecture 1: Introduction to IS2803 Rob Gleasure
Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.
SQL Injection Attacks An overview by Sameer Siddiqui.
MICROSOFT ACCESS – CHAPTER 5 MICROSOFT ACCESS – CHAPTER 6 MICROSOFT ACCESS – CHAPTER 7 Sravanthi Lakkimsety Mar 14,2016.
ADVANCED SQL.  The SQL ORDER BY Keyword  The ORDER BY keyword is used to sort the result-set by one or more columns.  The ORDER BY keyword sorts the.
SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel.
M M Waseem Iqbal.  Cause: Unverified/unsanitized user input  Effect: the application runs unintended SQL code.  Attack is particularly effective if.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.
SQL Injection Attacks.
Protecting Memory What is there to protect in memory?
Chapter 7: Identifying Advanced Attacks
Common Methods Used to Commit Computer Crimes
Protecting Memory What is there to protect in memory?
SQL and SQL*Plus Interaction
SQL Injection.
Protecting Memory What is there to protect in memory?
Unix System Administration
SQL Injection Attacks Many web servers have backing databases
Pengantar Keamanan Informasi
Intro to PHP & Variables
ISC440: Web Programming 2 Server-side Scripting PHP 3
PHP: Security issues FdSc Module 109 Server side scripting and
Lecture 2 - SQL Injection
Presentation transcript:

Web Applications Security: SQL Injection Attack S. C. Kothari CPRE 556: Slide Set 3, January 27, 2005 Electrical and Computer Engineering Dept. Iowa State University

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 2 SQL Injection: What is it A technique for exploiting web applications that use client-supplied data in SQL queries, but without first stripping potentially harmful special characters. Despite being simple to protect against, many web applications are vulnerable to the attack. Similar to the Buffer Overflow, the attack is possible because the input is not properly checked. While similar, the buffer overflow and SQL Injection require very different checks for inputs.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 3 Rain Forest Puppy Description on Linux Security Site: He's nice-looking, polite and very intelligent. He goes by the name Rain Forest Puppy, RFP for short. It's a name that might suggest environmental leanings, but that would be a serious miscalculation. RFP may turn out to be the software industry's worst nightmare. He is credited with the earliest SQL Injection attack. He used a vulnerability in the wwwthreads package to gain administrative access and some 800 passwords to PacketStorm's discussion forum. RFP Exploits: /msg00041.htmlhttp://lists.virus.org/isn- 0012/msg00041.html Interview with RFP:

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 4 SQL Injection by Example Next, we will show how an hacker uses SQL injection. The examples are from the paper: SQL Injection Attacks By Example, injection.html injection.html

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 5 The Scenario Attacker has no prior knowledge of the application or access to the source code. The login page had a traditional username-and- password form, but also an -me-my- password link. The attacker decided to exploit the latter link. Game plan: discover the internals of the system by submitting different inputs. It takes some intelligent guesswork.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 6 Initial Guess The attacker speculates that the underlying SQL code looks something like this: SELECT fieldlist FROM table WHERE field = '$ '; Here, $ is the address submitted on the form by the user, and the quotation marks around it set it off as a literal string.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 7 Step 1: check if input is sanitized Objective: check if the web application constructs an SQL string literally without sanitizing. The way to check: enter a single quote as part of the data. The attacker enters - note the closing quote mark. This yields: SELECT fieldlist FROM table WHERE field = The SQL parser find the extra quote mark and aborts with a syntax error. The error response is often a dead giveaway that user input is not being sanitized properly and that the application is ripe for exploitation.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 8 Step 1: Output The web application responds with a 500 error (server failure). This suggests that the "broken" input is actually being parsed literally. The attacker knows that he/she has good opportunities ahead.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 9 Step 2: exploit WHERE clause Objective: give legal input and learn more. Since the data appears to be going into the WHERE clause, change the nature of that clause in an SQL legal way and see what happens. Enter anything' OR 'x'='x SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x'; A single-component WHERE clause into a two- component one, and the 'x'='x' clause is guaranteed to be true no matter what the first clause is.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 10 Step 2: Output Unlike the "real" query, which should return only a single item each time, this version is likely to return every item in the members database. The only way to find out what the application will do in this circumstance is to try it. In this case, the web application responds: Your login information has been mailed to The attacker guesses that it's the first record returned by the query.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 11 The attacker knows.. He can manipulate the query to his own ends. He has observed two different responses: –Server error –"Your login information has been mailed to " The first response is for bad SQL while the latter is to a well-formed SQL. This distinction will be very useful when trying to guess the structure of the query.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 12 Step 3: guessing field names The attacker guesses as the name of the field. The way to check: This yields: SELECT fieldlist FROM table WHERE field = ' x' AND IS NULL; -- '; The intent is to use a proposed field name ( ) in the constructed query and find out if the SQL is valid or not. The attacker does not care about matching the address (which is why he uses a dummy 'x'), and the -- marks the start of an SQL comment. This is an effective way to "consume" the final quote provided by application and not worry about matching them.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 13 Step 3: Output If the server responds with an error message, it means the SQL is malformed and a syntax error was thrown. It's most likely due to a bad field name. Any kind of valid response implies that the field name is correct. This is the case whether we get the " unknown" or "password was sent" response. The use of the AND conjunction instead of OR is intentional. The attacker does not want random users inundated with "here is your password" s from the web application. Using the AND conjunction with an address that couldn't ever be valid, the attacker makes sure that the query will always return zero rows.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 14 Going Forward The attacker may have to try different field names _address or mail or the like. This process could involve quite a lot of guessing. Let us suppose that the application responds: " address unknown" Now the attacker knows that the address is stored in a field .

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 15 Step 4: guessing more field names Next the attacker guesses other field names like password, user ID, name and validates his guesses by submitting queries one at a time for each guess. For example: SELECT fieldlist FROM table WHERE field = ' x' AND userid IS NULL; -- '; Suppose the attacker found other field names: , passwd, login_id, full_name.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 16 Step 5: guessing the Table name There are several approaches. This one relies on a subselect. For example, A standalone query: SELECT COUNT(*) FROM tabname returns the number of records in that table, and of course fails if the table name is unknown. SELECT , passwd, login_id, full_name FROM table WHERE = ' x' AND 1=(SELECT COUNT(*) FROM tabname); -- '; The attacker does not care how many records are there, only whether the table name is valid or not.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 17 Step 5: Output Let us suppose that by iterating over several guesses, the attacker eventually determined that members was a valid table in the database. But is it the table used in this query? For that we need yet another test using table.field notation. It only worksfor tables that are actually part of this query, not merely that the table exists. For example: SELECT , passwd, login_id, full_name FROM members WHERE = ' x' AND members. IS NULL; -- ';

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 18 The attacker knows.. At this point the attacker has a partial idea of the structure of the members table. He knows of one username: the random member who got initial "Here is your password" . Note that the attacker never received the message itself, only the address it was sent to. Next, the attacker wants to get some more names to work with, preferably those likely to have access to more data.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 19 Step 6: Using the LIKE clause to get more names SELECT , passwd, login_id, full_name FROM members WHERE = ' x' OR full_name LIKE '%Bob% ';

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 20 Guessing the password The attacker can certainly attempt brute force guessing of passwords at the main login page, but many systems make an effort to detect or even prevent this. There could be log files, account lockouts, or other devices that would substantially impede such efforts, but because of the non-sanitized inputs, the attacker has another avenue that is much less likely to be so protected.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 21 Step 7: guess the password SELECT , passwd, login_id, full_name FROM members WHERE = ' AND passwd = 'hello123 '; The attacker knows he has found the password when he receives the "your password has been mailed to you" message. His target has now been tipped off, but he does have his password.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 22 Important Discovery: The database isn't read only So far, the attacker has done nothing but query the database, and even though a SELECT is read only, that doesn't mean that SQL is. Drastic example: SELECT , passwd, login_id, full_name FROM members WHERE = ' x'; DROP TABLE members; -- '; This one attempts to drop (delete) the entire members table. This shows that not only can the attacker run separate SQL commands, but he can also modify the database.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 23 Step 8: add a new member The attacker adds a new record to that table and simply logs in directly with his newly-inserted credentials. SELECT , passwd, login_id, full_name FROM members WHERE = ' x'; INSERT INTO members (' ','passwd','login_id','full_name') VALUES Friedl');-- ';

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 24 Attacker faces roadblocks 1.There may not be enough room in the web form to enter this much text directly. 2.The web application user might not have INSERT permission on the members table. 3.There are other fields in the members table, and some may require initial values, causing the INSERT to fail. 4.The application itself might not behave well due to the auto-inserted NULL fields. 5.A valid "member" might require not only a record in the members table, but associated information in other tables (say, "access rights"), so adding to one table alone might not be sufficient.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 25 Other Approaches Use xp_cmdshell: Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the web server is inevitable.xp_cmdshell This particular application provided a rich post-login environment that was enough for the attacker. In other cases the attacker can probably gather more hints about the structure from other aspects of the website (e.g., is there a "leave a comment" page? Are there "support forums"?). Clearly, this is highly dependent on the application and it relies very much on making good guesses.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 26 What steps to take for ensuring security Sanitize the input –Insure that inputs do not contain dangerous codes, whether to the SQL server or to HTML itself. –Check: Input from users, parameters from URL, values from cookie –Strip out "bad stuff", such as quotes or semicolons or escapes. It is hard to point to all of them. The language of the web is full of special characters and strange markup (including alternate ways of representing the same characters), and efforts to authoritatively identify all "bad stuff" are unlikely to be successful. –Rather than "remove known bad data", it's better to "remove everything but known good data“. Should consult internet message standard RFC2822.RFC2822

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 27 What steps to take for ensuring security Use bound parameters (the PREPARE statement) –There may be fields that must be allowed to contain these "dangerous“ characters. Another approach is the use of bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's "compiled" ("prepared", in SQL parlance) into an internal form. An example in perl: $sth = $dbh->prepare("SELECT , userid FROM members WHERE = ? ;" $sth->execute( $ );

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 28 What steps to take for ensuring security Limit database permissions and segregate users –In the case at hand, we observed just two interactions that are made not in the context of a logged-in user: "log in" and "send me password". The web application ought to use a database connection with the most limited rights possible: query-only access to the members table, and no access to any other table. –Once the web application determined that a set of valid credentials had been passed via the login form, it would then switch that session to a database connection with more rights.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 29 What steps to take for ensuring security Use stored procedures for database access –When the database server supports them, use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely (assuming the stored procedures themselves are written properly). –By encapsulating the rules for a certain action - query, update, delete, etc. - into a single procedure, it can be tested and documented on a standalone basis and business rules enforced (for instance, the "add new order“ procedure might reject that order if the customer were over his credit limit). –NOTE: It's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection - it's only proper binding with prepare/execute or direct SQL statements withbound variables that provide this protection.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 30 What steps to take for ensuring security Isolate the web server –Even having taken all these mitigation steps, it's nevertheless still possible to miss something and leave the server open to compromise. One ought to design the network infrastructure to assume that the bad guy will have full administrator access to the machine, and then attempt to limit how that can be leveraged to compromise other things.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 31 What steps to take for ensuring security Configure error reporting –The default error reporting for some frameworks includes developer debugging information, and this cannot be shown to outside users. Imagine how much easier a time it makes for an attacker if the full query is shown, pointing to the syntax error involved. This information is useful to developers, but it should be restricted - ifpossible - to just internal users. –Note that not all databases are configured the same way, and not all even support the same dialect of SQL (the "S" stands for "Structured", not "Standard"). For instance, most versions of MySQL do not support subselects, nor do they usually allow multiple statements.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 32 Expected Work After the Lecture Learning more about one or more of the following: –Explores and report on tools for web application security such the SPI Dynamics’ WebInspect™. How do they work? What are their capabilities? Refer to the guidelines on the course website for exploring tools. dex.html dex.html – Read and prepare a presentation on how to build secure web applications, refer to the free guide, _v2a1.pdf _v2a1.pdf

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 33 Expected Work After the Lecture You should report your interesting findings in class or by sending me an . If you send , identify the lecture number and your last name in the subject line (e.g. Lecture 2-Smith) and also within your message. Give proper references for each of your findings. This will be considered as a part of class participation.

Lecture Notes - Copyright © S. C. Kothari, All rights reserved. 34 References The primary references are in the main body of the presentation. White paper on SQL Injection, /WhitepaperSQLInjection.pdf /WhitepaperSQLInjection.pdf A SQL Injection Walkthrough, ws/5DP0N1P76E.html ws/5DP0N1P76E.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.