advertisement

SQL INJECTION

50 %
50 %
advertisement
Information about SQL INJECTION
Education

Published on February 25, 2009

Author: useful

Source: authorstream.com

advertisement

SQL INJECTION : SQL INJECTION Presentation Outline : Presentation Outline SQL Injection Attacks Intent Input Source Type Countermeasures Conclusion Introduction : Introduction What is SQL? What is SQL Injection? : What is SQL Injection? Client supplied data passed to an application without appropriate validation. Processed as commands by the database. Example : Example A typical SQL statement looks like this: select id, forename, surname from authors select id, forename, surname from authors where forename = 'john' and surname = 'smith' Forename: jo'hn Surname: smith The 'query string' becomes this: select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith' Cont’ .. : Cont’ .. Error: Server: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near 'hn'. Input modified: Forename: jo'; drop table authors-- Vulnerable Application : Vulnerable Application Attack scenario : Attack scenario Normal Usage ¬User submits login “doe” and pin “123” ¬SELECT info FROM users WHERE login= `doe’ AND pin= 123 Attack scenario : Attack scenario Malicious Usage ¬Attacker submits “admin’ -- ” and pin of “0” ¬SELECT info FROM users WHERE login=‘admin’ -- ’ AND pin=0 Intent : Intent Extracting data Adding or modifying data Performing denial of service Bypassing authentication Executing remote commands Sources of SQL Injection : Sources of SQL Injection Injection through user input Malicious strings in web forms. Injection through cookies Modified cookie fields contain attack strings. Injection through server variables Headers are manipulated to contain attack strings. Second-order injection Trojan horse input seems fine until used in a certain situation. Second-Order Injection : Second-Order Injection Attack does not occur when it first reaches the database, but when used later on. Input: admin’-- ===> admin\’-- queryString = "UPDATE users SET pin=" + newPin + " WHERE userName=’" + userName + "’ AND pin=" + oldPin; queryString = “UPDATE users SET pin=’0’ WHERE userName= ’admin’--’ AND pin=1”; Types of SQL Injection : Types of SQL Injection Piggy-backed Queries Tautologies Alternate Encodings Inference Illegal/Logically Incorrect Queries Union Query Stored Procedures Type: Piggy-backed Queries : Type: Piggy-backed Queries Insert additional queries to be executed by the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; DROP database webApp” queryString = “SELECT info FROM userTable WHERE login=‘name' AND pin=0; DROP database webApp” Type: Tautologies : Type: Tautologies Create a query that always evaluates to true for entries in the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input login as “user’ or 1=1 --” queryString = “SELECT info FROM userTable WHERE login=‘user‘ or 1=1 --' AND pin=“ Type: Alternate Encodings : Type: Alternate Encodings Encode attacks in such a way as to avoid naïve input filtering. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; declare @a char(20) select @a=0x73687574646f776e exec(@a)“ “SELECT info FROM userTable WHERE login=‘user' AND pin= 0; declare @a char(20) select @a=0x73687574646f776e exec(@a)” Countermeasures : Countermeasures Prevention Augment Code Detect vulnerabilities in code Safe libraries Detection Detect attacks at Runtime Prevention Techniques : Prevention Techniques Defensive Coding Best Practices Penetration Testing Static Analysis of Code Safe Development Libraries Proxy Filters Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization • Dynamic Tainting Dynamic Tainting : Dynamic Tainting Detection Techniques : Detection Techniques Anomaly Based Intrusion Detection Instruction Set Randomization • Dynamic Tainting • Model-based Checkers Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Model-based Checkers: AMNESIA : Model-based Checkers: AMNESIA Conclusions : Conclusions 1. SQLIAs have: a) Many sources b) Many goals c) Many types 2. Detection techniques can be effective, but limited by lack of automation. 3. Prevention techniques can be very effective, but should move away from developer dependence.

Add a comment

Related presentations

Related pages

SQL-Injection – Wikipedia

SQL-Injection (dt. SQL-Einschleusung) bezeichnet das Ausnutzen einer Sicherheitslücke in Zusammenhang mit SQL-Datenbanken, die durch mangelnde Maskierung ...
Read more

SQL injection - Wikipedia, the free encyclopedia

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field ...
Read more

PHP: SQL Injection - Manual

SQL Injection. Viele Entwickler sind sich nicht bewusst, wie man sich an SQL Abfragen zu schaffen machen kann und nehmen an, dass eine SQL Abfrage ein ...
Read more

SQL Injection - technet.microsoft.com

Bei einem SQL-Injection-Angriff wird ein bösartiger Code in Zeichenfolgen eingefügt, die später zur Analyse und Ausführung an eine Instanz von SQL ...
Read more

SQL Injection - W3Schools

Parameters for Protection. Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.
Read more

SQL Injection - technet.microsoft.com

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
Read more

SQL-Injection - Sicherheit - Tutorials, Tipps und Tricks ...

Kurze Beschreibung: SQL-Injection (dt. SQL-Einschleusung) bezeichnet das Ausnutzen einer Sicherheitslücke in Zusammenhang mit SQL-Datenbanken, die durch ...
Read more

What is SQL Injection (SQLi) and How to Fix It - Acunetix

SQL Injection (SQLi) is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common ...
Read more

[TuT] SQL-Injection Tutorial - Gehaxelts Blog

Ich habe mal ein Tutorial geschrieben, wie Angreifer eine SQL Injection durchführen können. Das Tutorial soll nicht zu Straftaten anstiften und ich …
Read more

Hackademy #5 - SQL-Injection (1) - CHIP

In der fünften Folge unseres monatlich erscheinenden Video-Formats "Hackademy" zeigt Ihnen Sicherheits-Experte Sebastian Schreiber, wie einfach ...
Read more