Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection.

Similar presentations


Presentation on theme: "SQL Injection."— Presentation transcript:

1 SQL Injection

2 SQL Injection SQL Injection is ranked number one in the CWE/SANS list of the top 25 most dangerous software errors!

3 SQL Injection: Basic Idea
An application sends a form to user. An attacker submits form with SQL exploit data. The application builds string with exploit data. (does not filter the data) The application sends SQL query to a relational DBMS. The DBMS executes query, including exploit, sends data back to application. The application returns data to user.

4 Example: SQL Injection
Form for “ me my password” Assume that the application takes the user input and creates a SQL statement of the form select <fieldlist> from <table> where <field> = '<%= %>'; Consider what would happen if the user entered the following into the form anything' or 'x' = 'x Address: value entered into form by the user

5 Example: SQL Injection (continued)
SQL statement becomes select <fieldlist> from <table> where <field> = 'anything' or 'x' = 'x'; Note that the second statement is guaranteed to be true, and therefore the select statement would return the entire table. What if the response to submitting the form was something like At this point we know that the web site is subject to an SQL injection attack. Your login information has been mailed to

6 Exploits of a Mom

7 Finding SQL Injection Bugs
Submit a single quote as input. If an error results, the application is vulnerable. If no error, check for any output changes. Submit two single quotes. Databases use two single quotes to represent the literal ' If an error disappears, the application is vulnerable. Try string or numeric operators. Oracle: '||'FOO MS-SQL: '+'FOO MySQL: ' 'FOO 2-2 81+19 49-ASCII(1)

8 Make Guesses for Field Names
Enter data so that query becomes something like select ... where <field> = 'x' and is null; -- Can try various values for field names such as – _addr _address – mail Repeat on other forms to guess field names for password – pwd user_id – login_id name – last_name guess for field name comments out any remaining SQL parts

9 Make Guesses for Table Name
Use a subquery. Enter data so that the query becomes something like select ... where = 'x' and 1 = (select count(*) from users); --; Try different guesses. When the query returns “ unknown”, we know that the SQL was well-formed and that we have guessed the table name. guess for table name

10 Impact of SQL Injection
Leakage of sensitive information. Reputation decline. Modification of sensitive information. Loss of control of db server. Data loss. Denial of service.

11 Mitigating SQL Injection
Use blacklists (a.k.a., filtering). filter out potentially bad characters such as a single quote Use whitelists. restrict input to only allowable characters such as letters, sign, etc. Process SQL queries using prepared statements, parameterized queries, or stored procedures. the user input is supplied as a value for the parameter Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid; e.g., Hibernate or Enterprise Java Beans.

12 Blacklists (a.k.a., Filtering)
Filter out or sanitize known bad SQL meta-characters such as single quotes. Problems: Numeric parameters don’t use quotes. URL escaped metacharacters. Unicode encoded metacharacters. Did you miss any metacharacters? Although it’s easy to point out some dangerous characters, it’s harder to point to all of them.

13 JavaServer Pages (JSP)
Filters in Java Filters can be used in a web application to intercept, examine, and possibly transform requests or responses associated with servlets, JSP pages, HTML pages, etc. Filters can be used to query the request and act accordingly block the request and response pair from passing any further modify the request headers and data, providing a customized version of the request modify the response headers and data, providing a customized version of the response. Think of filters as a chain of steps that requests and responses must go through before reaching a servlet, JSP page, or HTML page. ©SoftMoore Consulting

14 Filters in Action Server Filter 1 HTML Page Client (browser) JSP Page
HTTP Request Filter 1 HTML Page Client (browser) HTTP Response JSP Page HTTP Request Client (browser) Filter 2 Servlet HTTP Response ©SoftMoore Consulting

15 BadInputFilter revisited
BadInputFilter provides a frontline of defense against common web application security exploits such as SQL injection attacks and cross-site scripting. Unfortunately, BadInputFilter was designed for a specific version of Tomcat (a Java web server), and it breaks silently in newer versions of Tomcat. This paper provided an update and correction to BadInputFilter that should run correctly in any Java web server. John I. Moore, Jr.

16 Whitelist Reject input that doesn’t match your list of safe characters to accept. Identify which characters should be allowed for each input field. Reject input instead of attempting to repair. Might still need to handle some potentially dangerous characters such as single quotes in a name (e.g., O’Neill).

17 Prepared Statements in Java
String query = "SELECT FROM members WHERE name = ?"; PreparedStatement ps = connection.prepareStatement(query); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); Since a prepared statement is parsed only once, there could also be performance benefits if it is reused multiple times (e.g., in a loop), but the performance benefits are minor compared to the security benefits.

18 Relevant Links SQL Injection Attacks by Example
SQL Injection (Wikipedia) BadInputFilter revisited (John Moore, JavaWorld) 2011 CWE/SANS Top 25 Most Dangerous Software Errors ©SoftMoore Consulting


Download ppt "SQL Injection."

Similar presentations


Ads by Google