DAT356 Hackers Paradise SQL Injection Attacks Doug Seven, Microsoft MVP Cofounder of SqlJunkies.com

Slides:

Advertisements

Similar presentations

Module XIV SQL Injection

Advertisements

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Understand Database Security Concepts

ASP.NET Web Application Security Hannes Preishuber ppedv AG

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.

DotNet Market Web Site “EMarket” Milena Natanov Project Supervisor: Victor Kulikov Lab Chief Engineer: Dr. Ilana David Semester spring, – Project.

Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.

Managing Employee Earnings Statements: PAYSTUB 3.0 A centralized, intranet-based application used to view employee earnings statements online Published:

SQL Injection and Buffer overflow

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

DEV450 Visual Studio: Best Practices For Debugging Managed Applications Habib Heydarian Scott Nonnenberg Program Managers Microsoft Corporation.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Secure Software Engineering: Input Vulnerabilities

Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist

Chapter 9 Using the SqlDataSource Control. References aspx.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

© 2008 Dr. Paul Walcott – The University of the West Indies: Cave Hill CampusDr. Paul Walcott COMP6325 Advanced Web Technologies Dr. Paul Walcott The University.

August 1, The Software Security Problem August 1, 2006.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Web Server Administration Chapter 7 Installing and Testing a Programming Environment.

Attacking Applications: SQL Injection & Buffer Overflows.

Sofia, Bulgaria | 9-10 October Writing Secure Code for ASP.NET Stephen Forte CTO, Corzen Inc Microsoft Regional Director NY/NJ (USA) Stephen Forte CTO,

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

11 Using ADO.NET II Textbook Chapter Getting Started Last class we started a simple example of using ADO.NET operations to access the Addresses.

Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005.

ASP.NET The Clock Project. The ASP.NET Clock Project The ASP.NET Clock Project is the topic of Chapter 23. By completing the clock project, you will learn.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Okalo Daniel Ikhena Dr. V. Z. Këpuska December 7, 2007.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.

Sumanth M Ganesh B CPSC 620.  SQL Injection attacks allow a malicious individual to execute arbitrary SQL code on your server  The attack could involve.

DEV 301 Visual Studio Team System Tom Arnold Program Manager Microsoft Corporation “Enabling Better Software through Better Testing”

Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.

Building Secure Web Applications With ASP.Net MVC.

ADO.NET connections1 Connecting to SQL Server and Oracle.

Controlling Web Site Access Using Logins CS 320. Basic Approach HTML form a php page that collects the username and password  Sends them to second PHP.

ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient.

1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.

DAT325 SQL Server 2005 (Codenamed “Yukon”): Using the Service Broker To Build Asynchronous, Queued Database Applications Roger Wolter Program Manager.

Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.

Oracle 11g: SQL Chapter 7 User Creation and Management.

Anatomy of a Network Hack: How To Get Your Network Hacked in Ten Easy Steps! Jesper M. Johansson Senior Security Strategist Microsoft Corporation

DAT 378 SQL Server 2000 Bringing The Best of Reporting Services and Analysis Services Together Sean Boon Program Manager, BI Systems

ASP.NET 2.0 Security Alex Mackman CM Group Ltd

ASP Mr. Baha & Dr.Husam Osta  What is ASP?  Internet Information Services  How Does ASP Differ from HTML?  What can ASP do for you?  ASP Basic.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

ASP.NET Programming with C# and SQL Server First Edition

Group 18: Chris Hood Brett Poche

Module: Software Engineering of Web Applications

Introduction to Dynamic Web Programming

Static Detection of Cross-Site Scripting Vulnerabilities

SQL Injection Attacks Many web servers have backing databases

SQL commands from C# and ASP.net

11/12/2018 6:58 PM © 2004 Microsoft Corporation. All rights reserved.

Изграждане на сигурни уеб приложения - заплахи и методи на защита

Lecture 2 - SQL Injection

Presentation transcript:

DAT356 Hackers Paradise SQL Injection Attacks Doug Seven, Microsoft MVP Cofounder of SqlJunkies.com

Session Agenda Introduction to SQL Injection How Do Attackers Do it? Advanced Attacks Solutions Least-privilege Access Parameterize DML Validating Input

What is a SQL Injection? SQL statement(s) “injected” into an existing SQL command Injection occurs through malformed application input: Text box. Query string. Manipulated values in HTML. A good SQL injection attack can cripple and even destroy your database!

SQL Injection Causes public void OnLogon(object src, EventArgs e){ SqlConnection con = new SqlConnection( "server=(local);database=myDB;uid=sa;pwd;" ); string query = String.Format( "SELECT COUNT(*) FROM Users WHERE " + "username='{0}' AND password='{1}'", txtUser.Text, txtPassword.Text ); SqlCommand cmd = new SqlCommand(query, con); conn.Open(); SqlDataReader reader = cmd.ExecuteReader(); try{ if(reader.HasRows()) IssueAuthenticationTicket(); else TryAgain(); } finally{ con.Close() }

The Problem Expected: Username: doug Password: SELECT COUNT(*) FROM Users WHERE username='doug' and Malicious: Username: ' OR 1=1 -- Password: SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- and

Basic SQL Injection

How Do Attackers Know? Insider Information Trial and Error Error message often reveal too much Malicious user can force an error to discover information about the database

It Gets Worse Once a malicious user can access the database, they are likely to use: xp_cmdshellxp_grantloginxp_regread With the right privileges the user can access ALL databases on the server

Extended Stored Procedures

Problem: Access Privileges Application is accessing database with: “sa” account ASP.NET worker process account (added as admin) High-privilege user account

Solution: Limit Privileges Application should have least necessary privileges to access database Grant ASP.NET account access to database using an alias Create an account that has minimal privileges (EXEC-only)

Machine\ASPNET -- Windows 2000 / XP EXEC sp_grantlogin [MachineName\ASPNET] EXEC sp_grantdbaccess [MachineName\ASPNET], [Alias] GRANT EXECUTE ON [ProcedureName] TO [Alias] GO -- Windows Server 2003 EXEC sp_grantlogin [NT AUTHORITY\NETWORK SERVICE] EXEC sp_grantdbaccess [NT AUTHORITY\NETWORK SERVICE] GRANT EXECUTE ON [ProcedureName] TO [NT AUTHORITY\NETWORK SERVICE] GO

Least Privilege

Problem: DML in Code Application code shouldn’t contain SQL Data Manipulation Language (DML) DML enables malicious input to be injected Eliminating DML should be part of your next security review

Solution: Parameterize DML If DML is a requirement of the application add parameters to the SQL statements string sql = "SELECT * FROM Users " + "WHERE " + "AND SqlCommand command = new SqlCommand (sql, connection); SqlDbType.VarChar).Value = UserName.Text; SqlDbType.VarChar).Value = Password.Text;

Solution: Stored Procedures Less vulnerable to SQL injection attacks Added security via EXECUTE permission SqlCommand command = new SqlCommand ("Users_GetUser", connection); command.CommandType = CommandType.StoredProcedure; SqlCommand command = new SqlCommand (sql, connection); SqlDbType.VarChar).Value = UserName.Text; SqlDbType.VarChar).Value = Password.Text;

Stored Procedures

Problem: User Input All user input is inherently evil Malicious input can: Inject SQL statements Execute arbitrary SQL Damage limited only by privilege of data account Alter application flow Attack other users (cross-site scripting) Read/write cookies Execute script, etc.

Solution: Input Validation All user input should be cleansed ASP.NET validation controls RegEx class Reject invalid input Encode any input that is echoed to the browser HttpUlitity.HtmlEncode() Always use parameterized SQL queries Parameterized commands (good) Parameterized stored procedures (better)

ASP.NET Request Validation Validates query string, form data, cookies Developers still have responsibility to secure inputs Can be disabled at page-, application-, or machine-level

Input and Request Validation

SqlJunkies.com Online resource for DEVELOPERS using SQL Server DotNetJunkies.com Online resource for developers working with the.NET Framework Web Application Disassembly with ODBC Error Messages by David Litchfield

Writing Secure Code (Second Edition) Michael Howard & David LeBlanc Microsoft Press, December 2002 Required reading at Microsoft!

Improving Web Application Security Building Secure ASP.NET Applications

Q1:Overall satisfaction with the session Q2:Usefulness of the information Q3:Presenter’s knowledge of the subject Q4:Presenter’s presentation skills Q5:Effectiveness of the presentation Please fill out a session evaluation on CommNet

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.