
Web site security Part 2 : Defending Against SQL Injection




  1. Web site security Part 2 : Defending Against SQL Injection Reporter : James Chen

  2. Outline • What is SQL Injection? • SQL Injection Testing Methodology • SQL Injection Defense • SQL injection detection method and tools • My Automatic Anti-SQL Injection Method features • Summary

  3. What is SQL Injection? • The ability to inject SQL commands into the database engine through an existing application, because user-supplied input is spliced into the SQL text and parsed as part of the statement

  4. How common is it? • It is probably the most common Website vulnerability today! • It is a flaw in "web application" development, it is not a DB or web server problem • Most programmers are still not aware of this problem • A lot of the tutorials & demo “templates” are vulnerable • Even worse, a lot of solutions posted on the Internet are not good enough • In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection

  5. Vulnerable Applications • Almost all SQL databases and programming languages are potentially vulnerable • MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc • Accessed through applications developed using: • Perl and CGI scripts that access databases • ASP, JSP, PHP • XML, XSL and XSQL • Javascript • VB, MFC, and other ODBC-based tools and APIs • DB specific Web-based applications and API’s • Reports and DB Applications • 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) • many more

  6. SQL Injection Characters • ' or " string delimiters • -- or # single-line comment (# is MySQL-specific) • /*…*/ multi-line comment • + addition, concatenation (or a space in a URL) • || (double pipe) concatenation • % wildcard in LIKE patterns • ?Param1=foo&Param2=bar URL parameters • PRINT useful as a non-transactional command (MS SQL Server) • @variable local variable • @@variable global variable • waitfor delay '0:0:10' time delay (MS SQL Server)

  7. SQL Injection Testing Methodology • 1) Input Validation • 2) Info. Gathering • 3) 1=1 Attacks • 4) Extracting Data • 5) OS Interaction • 6) OS Cmd Prompt • 7) Expand Influence

  8. 1) Input Validation: Discovery of Vulnerabilities • Vulnerabilities can be anywhere, so we check all entry points: • Fields in web forms • Script parameters in URL query strings • Values stored in cookies or hidden fields • By "fuzzing" we insert into every one: • Character sequences: ' " ) # || + > • SQL reserved words with whitespace delimiters • %09select (URL-encoded tab %09, carriage return %0d, line feed %0a and space %20 combined with and, or, update, insert, exec, etc.) • Delayed query: ' waitfor delay '0:0:10'-- (MS SQL Server; a response delayed by ten seconds confirms that the injected statement ran)

  9. 2) Information Gathering • We will try to find out the following: • Understand the query • Output mechanism • Determine database type • Find out user privilege level

  10. 3) 1=1 Attacks • Discover DB structure • Enumerating table columns in different DBs • Database Enumeration
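The discovery probes of slide 8 and the 1=1 and structure-discovery attacks of slide 10, as an added example that is not code from the slides: a deliberately vulnerable lookup against an in-memory SQLite database, beside the parameterised version that the same probes cannot touch. The users table, its rows and the payloads are constructed for the demo; the MS SQL-only waitfor delay probe is left out because SQLite has no equivalent.

```python
"""Added example, not code from the slides: a deliberately vulnerable lookup
against an in-memory SQLite database, driven through the discovery (step 1)
and 1=1 / structure-discovery (step 3) phases of the methodology. The users
table and its rows are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table with three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "h1"), (2, "bob", "h2"), (3, "carol", "h3")],
    )
    return con


def find_user_vulnerable(con, name: str):
    """The flaw: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, name: str):
    """Parameterised API: the value is bound by the driver and never parsed as SQL."""
    return con.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def probe(con, lookup) -> dict:
    """Step 1 discovery: the two indicators a tester fuzzes for."""
    findings = {}
    # Error-based: an unbalanced quote breaks the statement.
    try:
        lookup(con, "alice'")
        findings["error"] = False
    except sqlite3.Error:
        findings["error"] = True
    # Boolean-based: a true and a false condition return different row counts.
    true_rows = lookup(con, "alice' AND '1'='1")
    false_rows = lookup(con, "alice' AND '1'='2")
    findings["boolean"] = len(true_rows) != len(false_rows)
    return findings


def dump_all(con, lookup):
    """Step 3, the 1=1 attack: the injected OR makes the WHERE clause always true."""
    return lookup(con, "x' OR 1=1 --")


def enumerate_schema(con, lookup):
    """Step 3, structure discovery: UNION the lookup with the catalogue table.
    sqlite_master is SQLite's catalogue; other engines expose INFORMATION_SCHEMA."""
    return lookup(con, "x' UNION SELECT name, sql FROM sqlite_master --")


if __name__ == "__main__":
    con = make_db()
    for lookup in (find_user_vulnerable, find_user_safe):
        print(lookup.__name__, probe(con, lookup), dump_all(con, lookup))
        print("  schema:", enumerate_schema(con, lookup))
```

Against the vulnerable lookup the probe reports both an error and a boolean difference, the 1=1 payload returns every row, and the UNION payload returns the CREATE TABLE statement; against the parameterised lookup every payload is just a username that matches nothing.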

  11. 4) Extracting Data • Password grabbing • Create DB Accounts • Grabbing MS SQL Server Hashes • Brute forcing Passwords • Transfer DB structure and data • Create Identical DB Structure • Transfer DB

  12. 5) OS Interaction • Interacting with the OS • Assessing Network Connectivity • Gathering IP information through reverse lookups • Network Reconnaissance

  13. Architecture • (Diagram: Web Server → Application Server → Database Server; web page access → input validation flaw → injected SQL execution!) • To keep in mind always! • Our injection most times will be executed on a different server • The DB server may not even have Internet access

  14. 6) OS Cmd Prompt • Jumping to the OS • Using ActiveX Automation Scripts • Retrieving VNC Password from Registry

  15. 7) Expand Influence • Hopping into other DB Servers • Linked Servers • Executing through stored procedures remotely • Uploading files through reverse connection • Uploading files through SQL Injection

  16. Evasion Techniques • Input validation or IDS signature evasion • Evading the ' OR 1=1 signature: • ' OR 'something' LIKE 'some%' • PHP's addslashes() function only escapes quote characters • It is easily evaded in a numeric field, where no quote is needed, by substituting any of the filtered characters • Filters are also circumvented by encoding or by building strings with Char() • Using white space, comments, string concatenation, variables, hex values

  17. SQL Injection Defense • It is quite simple: input validation • The real challenge is making best practices consistent through all your code • Enforce "strong design" in new applications • You should audit your existing websites and source code • Even if you have an airtight design, harden your servers

  18. Strong Design • Define an easy "secure" path to querying data • Use stored procedures for interacting with database • Call stored procedures through a parameterized API • Validate all input through generic routines • Use the principle of "least privilege" • Define several roles, one for each kind of query

  19. Input Validation • Define data types for each field • Implement stringent "allow only good" filters • If the input is supposed to be numeric, use a numeric variable in your script to store it • Reject bad input rather than attempting to escape or modify it • Implement stringent "known bad" filters only as a secondary layer: they miss numeric-context and encoded payloads and reject legitimate input such as names containing an apostrophe • For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
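The filtering styles compared in slides 16 and 19, as an added example that is not code from the slides: slide 16's easily evaded "' OR 1=1" signature, slide 19's "known bad" keyword list, the "allow only good" validators it recommends, and a parameterised query, all run over constructed payloads and a constructed SQLite table. The allow-list rules, table and payloads are assumptions for the demo.

```python
"""Added example, not code from the slides: the filtering styles compared in
slides 16 and 19, run over constructed inputs and a constructed SQLite table.
KNOWN_BAD is slide 19's list; SIGNATURE is the "' OR 1=1" IDS pattern slide 16
says is easy to evade. The allow-list rules are assumptions for the demo."""
import re
import sqlite3

# Slide 19's "known bad" list, matched case-insensitively.
KNOWN_BAD = ("select", "insert", "update", "shutdown", "delete", "drop", "--", "'")
# The classic IDS/WAF signature for the textbook payload.
SIGNATURE = re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE)
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def known_bad_accepts(value: str) -> bool:
    """Known-bad filter: True when no blocked token appears in the input."""
    low = value.lower()
    return not any(tok in low for tok in KNOWN_BAD)


def signature_matches(value: str) -> bool:
    return SIGNATURE.search(value) is not None


def validate_user_id(value: str) -> int:
    """Allow-only-good for a numeric field: digits only, then store as an int."""
    if re.fullmatch(r"[0-9]{1,9}", value) is None:
        raise ValueError("user_id must be a positive integer")
    return int(value)


def validate_username(value: str) -> str:
    """Allow-only-good for a short identifier field."""
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username contains characters outside the allowed set")
    return value


def is_rejected(validator, value: str) -> bool:
    try:
        validator(value)
    except ValueError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    """Constructed table for the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, owner TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def lookup_concat(con, user_id: str):
    """Numeric field built by concatenation: no quote is needed to inject, so
    quote-escaping (PHP addslashes) and a quote blocklist do nothing here."""
    return con.execute("SELECT id, owner FROM accounts WHERE id = " + user_id).fetchall()


def lookup_param(con, user_id: str):
    """Parameterised: the value is bound and never parsed as SQL."""
    return con.execute("SELECT id, owner FROM accounts WHERE id = ?", (user_id,)).fetchall()


def lookup_typed(con, user_id: str):
    """Allow-list first, then bind: bad input never reaches the database."""
    uid = validate_user_id(user_id)
    return con.execute("SELECT id, owner FROM accounts WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    for payload in ("' OR 1=1 --", "' OR 'a' LIKE 'a%", "1 OR 2>1", "1/**/OR/**/2>1"):
        print(repr(payload), "signature:", signature_matches(payload),
              "known-bad accepts:", known_bad_accepts(payload))
    print(lookup_concat(con, "1 OR 2>1"))   # every row
    print(lookup_param(con, "1 OR 2>1"))    # nothing
```

The textbook payload is caught by both the signature and the keyword list, but the LIKE variant, the quote-free numeric payload and the comment-padded payload all miss the signature, and the numeric payloads pass the keyword list and still dump every row from the concatenated query. Binding the value returns nothing, and the typed validator refuses the input before any SQL is built.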

  20. Harden the Server • Run DB as a low-privilege user account • Remove unused stored procedures and functionality or restrict access to administrators • Change permissions and remove "public" access to system objects • Audit password strength for all user accounts • Remove pre-authenticated linked servers • Remove unused network protocols • Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)

  21. Detection and Dissuasion • You may want to react to SQL injection attempts by: • Logging the attempts • Sending email alerts • Blocking the offending IP • Sending back intimidating error messages: • "WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken." • Check with your lawyers for proper wording • This should be coded into your validation scripts

  22. SQL injection detection methods introduced here • Typical validation procedure • Anti-SQL-Injection.php • Using the popular open-source IDS Snort • WAVES, a black-box approach

  23. WAVES: Black-box approach • Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. "Web Application Security Assessment by Fault Injection and Behavior Monitoring." In Proc. 12th Int'l World Wide Web Conference, pp. 148-159, Budapest, Hungary, 2003. • Uses a crawler to discover all pages in a Web site that contain HTML forms. • HTML forms are parsed and stored in XML format. • Injects malicious SQL patterns into the server-side program that processes the form's input. • If input filtering is applied globally, the injection fails.

  24. Automatic black-box method features • Complete crawling • Bypass of the validation procedure • Automatic (self-learning) generation of test sets and injection patterns • Output analysis based on returned error messages

  25. Other SQL injection tools • Absinthe • WebScarab • WebGoat

  26. Absinthe (dictionary attack)

  27. Absinthe (cont.)

  28. WebScarab • WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. • It is written in Java, and is thus portable to many platforms. • WebScarab records the conversations (requests and responses) that it observes. • This allows a security specialist to identify vulnerabilities in the way the application has been designed or implemented.

  29. WebScarab plugin • WebScarab provides a number of plugins: • Fragments - extracts Scripts and HTML comments from HTML pages. • Proxy - observes traffic between the browser and the web server • Manual intercept • Reveal hidden fields • Spider - identifies new URLs on the target site, and fetches them on command. • Parameter fuzzer - performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

  30. WebScarab Features • WebScarab is extensible. • Each feature above is implemented as a plugin, and can be removed or replaced. • New features can be easily implemented as well. • WebScarab is intended to become the tool of choice for serious Web debugging.

  31. WebScarab-selfcontained.jar

  32. WebScarab snapshot

  33. WebGoat • Web application security is difficult to learn and practice. • WebGoat is a full J2EE web application designed to teach web application security lessons.

  34. My Automatic Anti-SQL Injection Method features • No need to rewrite the web pages • No need to adjust database security permissions • No IDS or other network defence device required • Does not defend against dictionary attacks • Automatically inserts an input validation or filter function into the page

  35. How to insert validation function • Use a crawler to discover all pages in a Web site that contain HTML forms. • HTML forms are parsed and stored in XML format. • Inject a validation function into the server-side program that processes the form's input. • If the SQL injection then fails, my solution has succeeded.

  36. How to implement my solution • Use WebScarab as the platform. • Use WebScarab's Spider to identify new URLs on the target site and fetch them on command. • Inject a validation function into the server-side program that processes the form's input. • Testing: use WebScarab's Parameter fuzzer to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
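The form-discovery step that WAVES (slide 23) and the method of slides 35 and 36 share, as an added example that is neither the author's tool nor WAVES: forms on a constructed HTML page are parsed, stored as XML, turned into one validator per form from each input's declared type, and a fault-injection pass then reports which fields the generated validator would still let a probe through. The page, the type-to-rule mapping and the probe list are assumptions for the demo; fetching pages over HTTP (the crawler or Spider) is left out so it runs offline.

```python
"""Added example, not the author's tool nor WAVES: the form-discovery step both
share (slides 23 and 35), on a constructed HTML page. Forms are parsed, stored
as XML, turned into one validator per form from each input's declared type, and
a fault-injection pass checks which fields the generated validator would still
let a probe through. The page, the type-to-rule mapping and the probe list are
assumptions for the demo; fetching pages over HTTP (the crawler) is left out."""
from html.parser import HTMLParser
import re
import xml.etree.ElementTree as ET

# Constructed page with two forms.
SAMPLE_HTML = """<html><body>
<form action="/login.php" method="post">
  <input type="text" name="username"><input type="password" name="password">
  <input type="hidden" name="redirect" value="/home">
</form>
<form action="/search.php" method="get">
  <input type="number" name="page"><input type="text" name="q">
</form>
</body></html>"""


class FormCollector(HTMLParser):
    """Records every <form> and the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"name": a.get("name", ""),
                                            "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def discover_forms(html: str):
    collector = FormCollector()
    collector.feed(html)
    return collector.forms


def forms_to_xml(forms) -> str:
    """Store the discovered forms as XML, as both approaches do."""
    root = ET.Element("forms")
    for f in forms:
        fe = ET.SubElement(root, "form", action=f["action"], method=f["method"])
        for i in f["inputs"]:
            ET.SubElement(fe, "input", name=i["name"], type=i["type"])
    return ET.tostring(root, encoding="unicode")


# Assumed allow-list rule per declared input type. A password is free text, so
# it cannot be allow-listed; it must be hashed, never placed in SQL.
RULES = {
    "number": re.compile(r"[0-9]{1,9}"),
    "hidden": re.compile(r"[A-Za-z0-9_/.-]{1,64}"),
    "text": re.compile(r"[A-Za-z0-9 _.@-]{1,64}"),
    "password": re.compile(r"[^\x00-\x1f]{8,64}"),
}
BENIGN = {"number": "1"}   # benign filler per type; other types use the default below


def build_validators(forms):
    """One validator per form action: returns the names of fields that fail."""
    validators = {}
    for f in forms:
        rules = {i["name"]: RULES.get(i["type"], RULES["text"]) for i in f["inputs"]}

        def validate(data, rules=rules):
            return [n for n, rule in rules.items() if rule.fullmatch(data.get(n, "")) is None]

        validators[f["action"]] = validate
    return validators


PROBES = ["' OR 1=1 --", "1 OR 2>1", "x'; DROP TABLE users --", "%09select"]


def fault_inject(forms, validators):
    """Black-box check: per field, which probes the validator still accepts."""
    report = {}
    for f in forms:
        validate = validators[f["action"]]
        base = {i["name"]: BENIGN.get(i["type"], "benign123") for i in f["inputs"]}
        for i in f["inputs"]:
            report[(f["action"], i["name"])] = [
                p for p in PROBES if i["name"] not in validate({**base, i["name"]: p})]
    return report


if __name__ == "__main__":
    forms = discover_forms(SAMPLE_HTML)
    print(forms_to_xml(forms))
    for key, accepted in fault_inject(forms, build_validators(forms)).items():
        print(key, "still accepts:", accepted)
```

The report shows the limit of generated allow-list validation: typed and identifier fields reject every probe, but the free-text password field accepts all of them, so a field like that can only be made safe by binding it as a parameter (or hashing it) in the server-side program, not by a filter inserted in front of it.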

  37. Summary • SQL Injection is a dangerous vulnerability • All programming languages and all SQL databases are potentially vulnerable • Protecting against it requires input validation, IDS detection, and strong database and OS hardening, used together • We try to implement an anti-SQL Injection system that inserts the correct input validation function automatically

  38. Reference • Victor Chapela, "Advanced SQL Injection", OWASP, http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt
