1 / 18

Code Injection

Code Injection. Cable Johnson. Overview Common Injection Types Sanitization Techniques Developer Prevention. Code Injection. “username” stored as string constant. I nsert source code into existing application Single command Entire s cript Used by worms to propagate . Overview.

toki
Download Presentation

Code Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Code Injection Cable Johnson

  2. Overview • Common Injection Types • Sanitization Techniques • Developer Prevention Code Injection

  3. “username” stored as string constant

  4. Insert source code into existing application • Single command • Entire script • Used by worms to propagate Overview

  5. SQL injection • Web injection/XSS • Shell injection Common Injection Types

  6. Infiltrate database • Dump data, alter data • Done at database level • Easily Automated • Attempted constantly • Average: 71 attempts/hr • Peak: 800-1300 attempts/hr SQL Injection

  7. SQL: database level • XSS: web level • PHP/ASP injection: server infiltration • HTML/Script injection: browser infiltration Web

  8. Targets machine rather than db or webpage • Done at shell (command line) level • Windows and UNIX • Typically used to escalate privileges Shell Injection

  9. Design • Input sanatization Prevention

  10. Blacklisting • Minimize use of user input • Limit database use • Disable unnecessary database functionality Design

  11. Character exclusion • Signature exclusion • Prepared statements Sanitization

  12. ( ‘ ), ( \ ), ( ` ), require alphanumeric only • Easy to implement • Easily recognizable Character Exclusion

  13. UNION SELECT • OR 1=1 • EXEC SP_ (or EXEC XP_) • False positives come with large signature sets • Easily avoidable Signature Exclusion

  14. OR 1 = 1 • OR ‘str’ = ‘str’ • OR ‘str’ = ‘st’+’r’ • OR ‘str’ = N’str’ • OR ‘s’ IN (‘str’) • O/**/R ‘s’ < ‘z’ • Unreasonable to keep signatures for countless possible inputs Signature Weakness

  15. Efficient method of sanatization • Also a query optimization • Build the sql statement with minimal syntax • Run partial query (“prepare”) • Fill in user input after preparation Prepared Statements

  16. username = input() password = input() sql = “SELECT * FROM users WHERE username=$1 AND password=$2” statement = db.prepare(sql) statement.execute(username, password) Pseudo Code

  17. Seth • Amanda • George Bad Sanatization

  18. function checkForBadSql($sqlcode) • { • global $CONTEXT, $ERROR_TEXT; • $badSqlCode[] = 'create'; • $badSqlCode[] = 'database'; • $badSqlCode[] = 'table'; • $badSqlCode[] = 'insert'; • $badSqlCode[] = 'update'; • $badSqlCode[] = 'rename'; • $badSqlCode[] = 'replace'; • $badSqlCode[] = 'select'; • $badSqlCode[] = 'handler'; • $badSqlCode[] = 'delete'; • $badSqlCode[] = 'truncate'; • $badSqlCode[] = 'drop'; • $badSqlCode[] = 'where'; • $badSqlCode[] = 'or'; • $badSqlCode[] = 'and'; • $badSqlCode[] = 'values'; • $badSqlCode[] = 'set'; • //test if sql code is bad • if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) • { • //bad sql found -- hack attept! Abort • $ERROR_TEXT = "Invalid text was entered. Please correct."; • return 0; • } • return 1; • }

More Related