
DAT356 Hackers Paradise SQL Injection Attacks Doug Seven, Microsoft MVP Cofounder of SqlJunkies.com


1 DAT356 Hackers Paradise: SQL Injection Attacks
Doug Seven, Microsoft MVP
Cofounder of SqlJunkies.com
dseven@dotnetjunkies.com

2 Session Agenda
Introduction to SQL Injection
How Do Attackers Do It?
Advanced Attacks
Solutions
  Least-privilege Access
  Parameterize DML
  Validating Input

3 What is a SQL Injection?
SQL statement(s) "injected" into an existing SQL command
Injection occurs through malformed application input:
  Text box
  Query string
  Manipulated values in HTML
A good SQL injection attack can cripple and even destroy your database!

4 SQL Injection Causes
public void OnLogon(object src, EventArgs e)
{
    // Connects as "sa" with a blank password: the privilege problem of slide 10.
    SqlConnection con = new SqlConnection(
        "server=(local);database=myDB;uid=sa;pwd=;");

    // The user-supplied text is formatted straight into the SQL text,
    // so quotes and comment markers in the input become part of the statement.
    string query = String.Format(
        "SELECT COUNT(*) FROM Users WHERE " +
        "username='{0}' AND password='{1}'",
        txtUser.Text, txtPassword.Text);

    SqlCommand cmd = new SqlCommand(query, con);
    con.Open();
    try
    {
        // COUNT(*) always returns one row, so HasRows would always be true;
        // the intended check is whether the count is greater than zero.
        int count = (int)cmd.ExecuteScalar();
        if (count > 0)
            IssueAuthenticationTicket();
        else
            TryAgain();
    }
    finally
    {
        con.Close();
    }
}

5 The Problem
Expected:
  Username: doug
  Password: p@$$w0rd
  SELECT COUNT(*) FROM Users WHERE username='doug' and password='p@$$w0rd'
Malicious:
  Username: ' OR 1=1 --
  Password:
  SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- and password='p@$$w0rd'
The quote closes the username literal, OR 1=1 makes the WHERE clause true for every row, and -- turns the rest of the statement, including the password check, into a comment.

6 Basic SQL Injection

7 How Do Attackers Know?
Insider information
Trial and error
  Error messages often reveal too much
  A malicious user can force an error to discover information about the database

8 It Gets Worse
Once a malicious user can access the database, they are likely to use:
  xp_cmdshell
  xp_grantlogin
  xp_regread
With the right privileges the user can access ALL databases on the server

9 Extended Stored Procedures

10 Problem: Access Privileges
Application is accessing the database with:
  The "sa" account
  The ASP.NET worker process account (added as admin)
  A high-privilege user account

11 Solution: Limit Privileges
The application should have the least privileges necessary to access the database
Grant the ASP.NET account access to the database using an alias
Create an account that has minimal privileges (EXEC-only)

12 Machine\ASPNET
-- Windows 2000 / XP
EXEC sp_grantlogin [MachineName\ASPNET]
EXEC sp_grantdbaccess [MachineName\ASPNET], [Alias]
GRANT EXECUTE ON [ProcedureName] TO [Alias]
GO

-- Windows Server 2003
EXEC sp_grantlogin [NT AUTHORITY\NETWORK SERVICE]
EXEC sp_grantdbaccess [NT AUTHORITY\NETWORK SERVICE]
GRANT EXECUTE ON [ProcedureName] TO [NT AUTHORITY\NETWORK SERVICE]
GO

13 Least Privilege

14 Problem: DML in Code
Application code shouldn't contain SQL Data Manipulation Language (DML)
DML enables malicious input to be injected
Eliminating DML should be part of your next security review

15 Solution: Parameterize DML
If DML is a requirement of the application, add parameters to the SQL statements
string sql = "SELECT * FROM Users " +
             "WHERE username=@Username " +
             "AND password=@Password";
SqlCommand command = new SqlCommand(sql, connection);
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;
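The string-built query of slides 4 and 5 next to the parameterized query of slide 15, as an added example that is not part of the deck. It uses Python's sqlite3 module against a constructed in-memory Users table in place of SQL Server; the mechanics of the ' OR 1=1 -- username are the same.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Users table on the slides (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    con.execute("INSERT INTO Users VALUES ('doug', 'p@$$w0rd')")
    con.commit()
    return con


def count_users_vulnerable(con, username, password):
    """Slide 4 style: input is formatted into the SQL text, so a quote and a
    comment marker in the input change the statement itself."""
    query = ("SELECT COUNT(*) FROM Users WHERE "
             f"username='{username}' AND password='{password}'")
    return con.execute(query).fetchone()[0]


def count_users_parameterized(con, username, password):
    """Slide 15 style: placeholders in the SQL text, values passed separately.
    The driver binds them as data, never as SQL, so they are compared literally."""
    query = "SELECT COUNT(*) FROM Users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone()[0]


def logon(con, username, password, use_parameters=True):
    """True when the credentials match a row, like OnLogon on slide 4."""
    count = count_users_parameterized if use_parameters else count_users_vulnerable
    return count(con, username, password) > 0


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("doug", "p@$$w0rd"), ("' OR 1=1 --", "wrong")]:
        print(repr(user),
              "vulnerable:", logon(db, user, pw, use_parameters=False),
              "parameterized:", logon(db, user, pw))
```

With the string-built query the second input logs on without a valid password; with parameters it is simply a username nobody has.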

16 Solution: Stored Procedures
Less vulnerable to SQL injection attacks
Added security via EXECUTE permission
SqlCommand command = new SqlCommand("Users_GetUser", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

17 Stored Procedures

18 Problem: User Input
All user input is inherently evil
Malicious input can:
  Inject SQL statements
    Execute arbitrary SQL
    Damage limited only by the privilege of the data account
  Alter application flow
  Attack other users (cross-site scripting)
    Read/write cookies
    Execute script, etc.

19 Solution: Input Validation
All user input should be cleansed
  ASP.NET validation controls
  RegEx class
  Reject invalid input
Encode any input that is echoed to the browser
  HttpUtility.HtmlEncode()
Always use parameterized SQL queries
  Parameterized commands (good)
  Parameterized stored procedures (better)
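The three points of slide 19 in code, as an added example that is not part of the deck: a whitelist check with a regular expression that rejects rather than cleans, and an HtmlEncode counterpart for anything echoed back to the browser. The username pattern and the two page fragments are assumptions made for the example.

```python
import html
import re

# Whitelist for the username field: letters, digits and underscore, 3 to 20
# characters. The pattern is an assumption for this example; pick your own.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value):
    """Reject anything outside the whitelist instead of trying to strip it."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


def encode_for_html(value):
    """Counterpart of HttpUtility.HtmlEncode for text echoed to the browser."""
    return html.escape(value, quote=True)


def logon_failure_message(raw_username):
    """Markup shown after a failed logon: the username is validated first,
    and whatever is echoed is encoded regardless (defence in depth)."""
    try:
        name = validate_username(raw_username)
    except ValueError:
        return "<p>That username is not valid.</p>"
    return f"<p>Logon failed for {encode_for_html(name)}.</p>"


def search_results_heading(term):
    """A free-text field cannot be whitelisted as tightly, so encoding is what
    stops the echoed value from being read as markup or script."""
    return f"<h2>Results for: {encode_for_html(term)}</h2>"
```

Validation is the first gate and stops the slide 5 username at the door; it is not a substitute for the parameterized queries of slide 15, which is why the slide says to always use them.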

20 ASP.NET Request Validation
Validates query string, form data, cookies
Developers still have responsibility to secure inputs
Can be disabled at page-, application-, or machine-level

21 Input and Request Validation

22 SqlJunkies.com
  Online resource for developers using SQL Server
DotNetJunkies.com
  Online resource for developers working with the .NET Framework
Web Application Disassembly with ODBC Error Messages, by David Litchfield
  http://www.nextgenss.com/papers/webappdis.doc

23 Writing Secure Code (Second Edition)
Michael Howard & David LeBlanc
Microsoft Press, December 2002
Required reading at Microsoft!

24 Improving Web Application Security
Building Secure ASP.NET Applications
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/secnetlpmsdn.asp

25 Session Evaluation
Q1: Overall satisfaction with the session
Q2: Usefulness of the information
Q3: Presenter's knowledge of the subject
Q4: Presenter's presentation skills
Q5: Effectiveness of the presentation
Please fill out a session evaluation on CommNet

26 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

