Published by Melvin Joseph, modified over 9 years ago
1
Code Injection
Cable Johnson
2
Code Injection
- Overview
- Common Injection Types
- Developer Prevention
3
"username" stored as string constant
4
Overview
- Insert source code into an existing application
- Single command
- Entire script
- Used by worms to propagate
5
Common Injection Types
- SQL injection
- Web injection/XSS
- Shell injection
6
SQL Injection
- Infiltrate the database
- Dump data, alter data
- Done at the database level
- Easily automated
- Attempted constantly
- Average: 71 attempts/hr
- Peak: 800-1300 attempts/hr
7
Web
- SQL: database level
- XSS: web level
- PHP/ASP injection: server infiltration
- HTML/Script injection: browser infiltration
- Most common injection type today
8
Shell Injection
- Targets the machine rather than the database or web page
- Done at the shell (command line) level
- Windows and UNIX
- Typically used to escalate privileges
9
Prevention
- Design
- Input sanitization
10
Design
- Blacklisting
- Minimize use of user input
- Limit database use
- Disable unnecessary database functionality
- Update regularly
- Attack yourself
11
Sanitization
- Character exclusion
- Signature exclusion
- Prepared statements
12
Character Exclusion
- ( ' ), ( \ ), ( ` )
- Require alphanumeric only
- Limit string length to guard against complex queries
- Easy to implement
- Easily recognizable
13
Signature Exclusion
- UNION SELECT
- OR 1=1
- EXEC SP_ (or EXEC XP_)
- False positives come with large signature sets
- Easily avoidable
14
Signature Weakness
- OR 1 = 1
- OR 'str' = 'str'
- OR 'str' = 'st'+'r'
- OR 'str' = N'str'
- OR 's' IN ('str')
- O/**/R 's' < 'z'
- Unreasonable to keep signatures for countless possible inputs
15
Prepared Statements
- Efficient method of sanitization
- Also a query optimization
- Build the SQL statement with minimal syntax
- Run the partial query ("prepare")
- Fill in user input after preparation
16
Pseudo Code
    sql = "SELECT * FROM users WHERE username=$1 AND password=$2"
    statement = db.prepare(sql)
    username = input()
    password = input()
    statement.execute(username, password)
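As an added example (not part of the deck), the following Python/sqlite3 script runs the tautologies from the Signature Weakness slide through three of the deck's defences in turn: the signature blacklist of the Signature Exclusion slide, a query built by string concatenation, and a prepared statement. The users table, the "nobody" login name and the password values are constructed for the demo, and the deck's 'st'+'r' form is written with SQLite's || concatenation operator.

```python
import re
import sqlite3

# Constructed sample data (not from the deck): a two-row users table in memory.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("seth", "s3cret"), ("amanda", "hunter2")])
    return db

# The deck's signature list (UNION SELECT, OR 1=1, EXEC SP_/XP_) as a
# case-insensitive blacklist; True means the input is rejected.
SIGNATURES = [r"UNION\s+SELECT", r"OR\s+1\s*=\s*1", r"EXEC\s+[SX]P_"]

def signature_blocked(value):
    return any(re.search(s, value, re.IGNORECASE) for s in SIGNATURES)

def login_concat(db, username, password):
    """Vulnerable pattern: user input pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in db.execute(sql)]

def login_prepared(db, username, password):
    """Prepared statement: the SQL text is fixed, values are bound afterwards."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]

def compare(password):
    """Run one password value through all three checks and summarise."""
    db = make_db()
    return {
        "signature_blocked": signature_blocked(password),
        "concat_rows": len(login_concat(db, "nobody", password)),
        "prepared_rows": len(login_prepared(db, "nobody", password)),
    }

if __name__ == "__main__":
    # Tautologies from the Signature Weakness slide (constructed values):
    # only the first is caught by the signature list, all three make the
    # concatenated query return every row, and the prepared statement
    # returns no rows for any of them.
    for p in ["' OR 1=1 --", "' OR 'str'='str", "' OR 'str'='st'||'r"]:
        print(repr(p), compare(p))
```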
17
Bad Sanitization
Seth, Amanda, George
18
    function checkForBadSql($sqlcode) {
        global $CONTEXT, $ERROR_TEXT;
        $badSqlCode[] = 'create';
        $badSqlCode[] = 'database';
        $badSqlCode[] = 'table';
        $badSqlCode[] = 'insert';
        $badSqlCode[] = 'update';
        $badSqlCode[] = 'rename';
        $badSqlCode[] = 'replace';
        $badSqlCode[] = 'select';
        $badSqlCode[] = 'handler';
        $badSqlCode[] = 'delete';
        $badSqlCode[] = 'truncate';
        $badSqlCode[] = 'drop';
        $badSqlCode[] = 'where';
        $badSqlCode[] = 'or';
        $badSqlCode[] = 'and';
        $badSqlCode[] = 'values';
        $badSqlCode[] = 'set';
        // test if sql code is bad
        // Note: [ ... ] is a character class, not a group, so the pattern matches
        // any whitespace-delimited run of the listed letters (" the " is rejected),
        // while input with no surrounding whitespace is never matched at all.
        if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) {
            // bad sql found -- hack attempt! Abort
            $ERROR_TEXT = "Invalid text was entered. Please correct.";
            return 0;
        }
        return 1;
    }
19
Review
- Injection requires knowledge and craftiness on the attacker's part, but is very deadly
- SQL: database
- XSS: web
- Shell: machine
- Several prevention tactics, but prepared statements win