Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Injection Flaws.

Published byBathsheba Beverly McBride Modified over 9 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation Injection Flaws."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org Injection Flaws

2 The OWASP Foundation http://www.owasp.org ';';

3 The OWASP Foundation http://www.owasp.org Anatomy of SQL Injection Attack sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “’ AND password = ‘” & Request (“password”) & ”’” What the developer intended: username = john password = password SQL Query: SELECT * FROM user_table WHERE username = ‘john’ AND password = ‘password’

4 The OWASP Foundation http://www.owasp.org Anatomy of SQL Injection Attack

5 The OWASP Foundation http://www.owasp.org Example Attacks SELECT first_name, last_name FROM users WHERE user_id = '' UNION ALL SELECT load_file(‘C:\\app\\htdocs\\webapp\\.htaccess'), '1‘ SELECT first_name, last_name FROM users WHERE user_id ='' UNION SELECT '',' ' INTO OUTFILE ‘C:\\app\\htdocs\\webapp\\exploit.php';# Goto http://bank.com/webapp/exploit.php?cmd=dir

6 The OWASP Foundation http://www.owasp.org String Building to Call Stored Procedures  String building can be done when calling stored procedures as well sql = “GetCustInfo @LastName=“ + request.getParameter(“LastName”);  Stored Procedure Code CREATE PROCEDURE GetCustInfo (@LastName VARCHAR(100)) AS exec(‘SELECT * FROM CUSTOMER WHERE LNAME=‘’’ + @LastName + ‘’’’) (Wrapped Dynamic SQL) GO What’s the issue here………… If blah’ OR ‘1’=‘1 is passed in as the LastName value, the entire table will be returned  Remember Stored procedures need to be implemented safely. 'Implemented safely' means the stored procedure does not include any unsafe dynamic SQL generation.

7 The OWASP Foundation http://www.owasp.org Rails: ActiveRecord/Database Security Rails is designed with minimal SQL Injection problems. It is not recommended to use user data in a database query in the following manner: Project.where("name = '#{params[:name]}'") By entering a parameter with a value such as ‘ OR 1 -- Will result in: SELECT * FROM projects WHERE name = '' OR 1 --'

8 The OWASP Foundation http://www.owasp.org Active Record Other Injectable examples: Rails 2.X example: @projects = Project.find(:all, :conditions => "name like #{params[:name]}") Rails 3.X example: name = params[:name] @projects = Project.where("name like ' " + name + " ' ");

9 The OWASP Foundation http://www.owasp.org Active Record Countermeasure Ruby on Rails has a built-in filter for special SQL characters, which will escape ', ", NULL character and line breaks. Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure. Model.where("login = ? AND password = ?", entered_user_name, entered_password).first The "?" characters are placeholders for the parameters which are parameterised and escaped automatically. Important: Many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. A list of them can be found here and such methods should be used with caution. http://rails-sqli.org/

10 The OWASP Foundation http://www.owasp.org Query Parameterization (PHP) $stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);

11 The OWASP Foundation http://www.owasp.org Query Parameterization (.NET) SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PassTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader();

12 The OWASP Foundation http://www.owasp.org Query Parameterization (Java) String newName = request.getParameter("newName") ; String id = request.getParameter("id"); //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employeeswhere id=:empId"); safeHQLQuery.setParameter("empId", id);

13 The OWASP Foundation http://www.owasp.org Query Parameterization (Cold Fusion) SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =

14 The OWASP Foundation http://www.owasp.org Query Parameterization (PERL) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );

15 The OWASP Foundation http://www.owasp.org Command Injection Web applications may use input parameters as arguments for OS scripts or executables Almost every application platform provides a mechanism to execute local operating system commands from application code Most operating systems support multiple commands to be executed from the same command line. Multiple commands are typically separated with the pipe “|” or ampersand “&” characters  Perl: system(), exec(), backquotes(``)  C/C++: system(), popen(), backquotes(``)  ASP: wscript.shell  Java: getRuntime.exec  MS-SQL Server: master..xp_cmdshell  PHP : include() require(), eval(),shell_exec

16 The OWASP Foundation http://www.owasp.org 1616 LDAP Injection  https://www.owasp.org/index.php/LDAP_injection https://www.owasp.org/index.php/LDAP_injection  https://www.owasp.org/index.php/Testing_for_LDAP_Injection_ (OWASP-DV-006) https://www.owasp.org/index.php/Testing_for_LDAP_Injection_ (OWASP-DV-006) SQL Injection  https://www.owasp.org/index.php/SQL_Injection_Prevention_ Cheat_Sheet https://www.owasp.org/index.php/SQL_Injection_Prevention_ Cheat_Sheet  https://www.owasp.org/index.php/Query_Parameterization?_ Cheat_Sheet https://www.owasp.org/index.php/Query_Parameterization?_ Cheat_Sheet Command Injection  https://www.owasp.org/index.php/Command_Injection https://www.owasp.org/index.php/Command_Injection Where can I learn more?

Download ppt "The OWASP Foundation Injection Flaws."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Nick Tsamis University of Tulsa CS 7493 April 2013.

Nick Tsamis University of Tulsa CS 7493 April 2013.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.

The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.
Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.

Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.
Top 10 Defenses for Website Security Jim Manico VP Security Architecture.

Top 10 Defenses for Website Security Jim Manico VP Security Architecture.
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.

1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.
SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.

SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
What is MySQL? MySQL is a database. The data in MySQL is stored in database objects called tables. A table is a collections of related data entries and.

What is MySQL? MySQL is a database. The data in MySQL is stored in database objects called tables. A table is a collections of related data entries and.
Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.

Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.
Stored Procedures, Triggers, Program Access Dr Lisa Ball 2008.

Stored Procedures, Triggers, Program Access Dr Lisa Ball 2008.

Similar presentations

Ads by Google