
SQL Injection

SQL Injection. A SPILABS Whitepaper. Are Your Web Applications Vulnerable?. Presentation by Joe Combs 29 March 2006. Agenda. SQL Injection Defined What Can Attackers Accomplish? Solutions A Surprising Example. What is SQL Injection?. Database layer vulnerability


Presentation Transcript


  1. SQL Injection A SPILABS Whitepaper Are Your Web Applications Vulnerable? Presentation by Joe Combs 29 March 2006

  2. Agenda • SQL Injection Defined • What Can Attackers Accomplish? • Solutions • A Surprising Example

  3. What is SQL Injection? • Database layer vulnerability • Characters like ' and ; have special meaning to the SQL engine
     String myQuery = "SELECT credit_card_nbr " +
                      "FROM cust_acct " +
                      "WHERE cust_id = '" + custIDVar + "'";
     • What if custIDVar is passed something like this? ';drop table cust_acct--

  4. Why SQL Injection? • Footprinting allows an attacker to systematically deduce the structure of your database through carefully crafted injections • Unauthorized data access • Execute arbitrary commands

  5. Solutions • Security through obscurity is a first (weak) step • use original (harder to guess) table & column names • name form fields different from column names • use aliases for table names

  6. Solutions • Strip risky characters from data passed in from outside. • Better yet - filter with a default-deny regular expression • Stored Procedures • may hide some of the details of your database, but once an attacker has a successful injection they can leave you wide open - see xp_cmdshell in MS SQL Server.

  7. Solutions • Limit the rights of the database user to prevent running of system stored procedures • Prepared Queries - bind variables
     String myQuery = "SELECT credit_card_nbr " +
                      "FROM cust_acct " +
                      "WHERE cust_id = :1";
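The three pieces of the slides worked end to end: the concatenated query from slide 3, the default-deny filter from slide 6 and the bound-variable query from slide 7. This is an added example, not code from the presentation: the slides show Java, this uses Python's sqlite3 module with a `?` placeholder in place of Oracle's `:1`; the cust_acct rows, the customer-ID format and all function names are constructed for illustration.

```python
import re
import sqlite3

# The doctored value quoted on slide 3.
PAYLOAD = "';drop table cust_acct--"

# Constructed sample data standing in for the cust_acct table on the slides.
SAMPLE_ROWS = [("C1001", "4111-0000-0000-1111"), ("C1002", "5500-0000-0000-2222")]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a two-row cust_acct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cust_acct (cust_id TEXT PRIMARY KEY, credit_card_nbr TEXT)")
    conn.executemany("INSERT INTO cust_acct VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# --- Slide 3: the vulnerable pattern, query text built by string concatenation ---
def build_query_unsafe(cust_id_var: str) -> str:
    return ("SELECT credit_card_nbr "
            "FROM cust_acct "
            "WHERE cust_id = '" + cust_id_var + "'")


def unsafe_lookup_keeps_table(cust_id_var: str) -> bool:
    """Run the concatenated query and report whether cust_acct survived.

    sqlite3's execute() refuses to run more than one statement, so executescript()
    is used here to emulate a driver (SQL Server's, for instance) that executes a
    batch; that batching is what lets the ';drop table' payload do damage.
    """
    conn = make_db()
    conn.executescript(build_query_unsafe(cust_id_var))
    return table_exists(conn, "cust_acct")


# --- Slide 6: default-deny (allow-list) validation of the incoming value ---
# Constructed format: a customer ID is one upper-case letter followed by four digits.
CUST_ID_RE = re.compile(r"[A-Z][0-9]{4}")


def validate_cust_id(value: str) -> bool:
    """Accept only values matching the known-good format; everything else is rejected."""
    return CUST_ID_RE.fullmatch(value) is not None


# --- Slide 7: prepared query with a bound variable ---
def lookup_card_safe(conn: sqlite3.Connection, cust_id_var: str) -> list[str]:
    """The value reaches the engine as data; the SQL text itself never changes."""
    rows = conn.execute(
        "SELECT credit_card_nbr FROM cust_acct WHERE cust_id = ?", (cust_id_var,)
    ).fetchall()
    return [r[0] for r in rows]


def safe_lookup_keeps_table(cust_id_var: str) -> tuple[list[str], bool]:
    """Bound-parameter lookup plus a check that cust_acct is still there."""
    conn = make_db()
    return lookup_card_safe(conn, cust_id_var), table_exists(conn, "cust_acct")


if __name__ == "__main__":
    print("concatenated SQL:", build_query_unsafe(PAYLOAD))
    print("table survives concatenation?", unsafe_lookup_keeps_table(PAYLOAD))
    print("payload passes allow-list?", validate_cust_id(PAYLOAD))
    print("bound-parameter lookup:", safe_lookup_keeps_table(PAYLOAD))
```

Run with the payload, the concatenated version loses the table, the allow-list rejects the value before any query is built, and the bound-parameter version simply finds no matching customer while cust_acct stays intact. Note that the allow-list is a second line of defence, not a substitute: the bound parameter is what guarantees the engine never parses the input as SQL.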

  8. An Unexpected Twist • RFID! • Use of RFID increasingly common thanks to major push from corporations like Wal-Mart • RFID tag reports inventory lot number or some other relevant data - what if a devious person doctored a tag to include extra characters in that stock number?

  9. Conclusions • Don’t trust user supplied data • Do more than scrub risky characters - use regular expressions to black list or better yet white list data • Be leery of stored procedures • Use prepared queries both to boost performance and ensure query execution doesn’t get hijacked

  10. References • Stephen Kost, "An Introduction to SQL Injection Attacks for Oracle Developers", http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectionAttacks.pdf, 2004 • Various Authors, Wikipedia article, http://en.wikipedia.org/wiki/SQL_injection • Stuart McDonald, "SQL Injection: Modes of attack, defence, and why it matters", http://www.sans.org/rr/whitepapers/securecode/23.php, 2002 • Colin Angus Mackay, "SQL Injection Attacks and Some Tips on How to Prevent Them", http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp?df=100&forumid=146482&exp=0&select=1112305, 2005 • http://www.rfidvirus.org/
