Code Injection - PowerPoint PPT Presentation

Presentation Transcript

  1. Code Injection • Cable Johnson

  2. Overview • Code Injection • Common Injection Types • Developer Prevention

  3. “username” stored as string constant

  4. Overview • Insert source code into an existing application • A single command or an entire script • Used by worms to propagate

  5. Common Injection Types • SQL injection • Web injection/XSS • Shell injection

  6. SQL Injection • Infiltrate the database • Dump or alter data • Done at the database level • Easily automated • Attempted constantly • Average: 71 attempts/hr • Peak: 800-1300 attempts/hr

  7. Web • SQL: database level • XSS: web level • PHP/ASP injection: server infiltration • HTML/script injection: browser infiltration • Most common injection type today

  8. Shell Injection • Targets the machine rather than the database or web page • Done at the shell (command line) level • Windows and UNIX • Typically used to run arbitrary commands on the host, often as a step toward privilege escalation

  9. Prevention • Design • Input sanitization

  10. Design • Blacklisting • Minimize use of user input • Limit database use • Disable unnecessary database functionality • Update regularly • Attack yourself

  11. Sanitization • Character exclusion • Signature exclusion • Prepared statements

  12. Character Exclusion • Exclude ( ‘ ), ( \ ), ( ` ) • Require alphanumeric input only • Limit string length to guard against complex queries • Easy to implement • Easily recognizable

  13. Signature Exclusion • UNION SELECT • OR 1=1 • EXEC SP_ (or EXEC XP_) • False positives come with large signature sets • Easily avoided by the attacker

  14. Signature Weakness • OR 1 = 1 • OR ‘str’ = ‘str’ • OR ‘str’ = ‘st’+’r’ • OR ‘str’ = N’str’ • OR ‘s’ IN (‘str’) • O/**/R ‘s’ < ‘z’ • All of these are equivalent tautologies, yet only the first matches the OR 1=1 signature • Unreasonable to keep signatures for the countless possible inputs
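As an added illustration (this is not code from the deck), the following Python block builds a signature-exclusion filter from the three signatures on slide 13 and runs it over the tautologies listed above. It then widens the signature set the way one would to chase those variants and shows the false positives that come with it. The signature regexes, the payload strings and the "legitimate" inputs are all constructed for the example.

```python
import re

# Signature set from slide 13: reject input that matches any of these. A typical
# signature filter ignores case and tolerates variable whitespace, so do that here.
SIGNATURES = [
    r"union\s+select",
    r"\bor\s+1\s*=\s*1\b",
    r"exec\s+[sx]p_",
]
SIGNATURE_RE = re.compile("|".join(SIGNATURES), re.IGNORECASE)


def signature_exclusion(user_input: str) -> bool:
    """Return True when the filter rejects the input (a signature matched)."""
    return SIGNATURE_RE.search(user_input) is not None


# Constructed payloads built from slide 14's tautologies. Spliced into
#   ... WHERE username='<input>' ...
# each makes the WHERE clause always true on a dialect that accepts the expression
# ('st'+'r' and N'str' are SQL Server syntax); only the first looks like "OR 1=1".
TAUTOLOGIES = [
    "' OR 1 = 1 --",
    "' OR 'str' = 'str' --",
    "' OR 'str' = 'st'+'r' --",
    "' OR 'str' = N'str' --",
    "' OR 's' IN ('str') --",
    "' O/**/R 's' < 'z' --",
]


def bypassing_variants(filter_fn=signature_exclusion):
    """Return the payloads that the given filter lets through."""
    return [p for p in TAUTOLOGIES if not filter_fn(p)]


# Chasing the variants above means broadening the signatures. A broad rule such as
# "reject any whole-word OR or AND" catches most of them but also rejects ordinary text.
BROAD_RE = re.compile(r"\b(or|and)\b", re.IGNORECASE)


def broad_exclusion(user_input: str) -> bool:
    return signature_exclusion(user_input) or BROAD_RE.search(user_input) is not None


# Constructed legitimate inputs a user might type into a name field.
LEGITIMATE = ["Smith and Sons", "rock or roll", "George Orwell"]


def false_positives(filter_fn=broad_exclusion):
    """Legitimate inputs the given filter rejects."""
    return [s for s in LEGITIMATE if filter_fn(s)]


if __name__ == "__main__":
    print("bypass narrow filter:", bypassing_variants())
    print("bypass broad filter: ", bypassing_variants(broad_exclusion))
    print("false positives:     ", false_positives())
```

Five of the six tautologies pass the narrow filter. The broad rule still misses the comment-split `O/**/R` variant and starts rejecting harmless names, which is the trade-off the slide describes: every signature added to close one gap widens the false-positive surface without closing the next gap.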

  15. Prepared Statements • Efficient method of sanitization • Also a query optimization • Build the SQL statement with placeholders in place of the user-supplied values • Send the statement to the database to be parsed and planned (“prepare”) • Bind the user input after preparation: it is passed as data and is never parsed as SQL

  16. Pseudo Code

```python
import sqlite3

# Any DB-API connection works the same way; sqlite3 needs no explicit prepare() call,
# it parses the statement with its placeholders on the first execute.
db = sqlite3.connect(":memory:")

# Placeholders (? here, $1 and $2 in PostgreSQL) mark where the values will go.
sql = "SELECT * FROM users WHERE username = ? AND password = ?"
username = input()
password = input()

# The driver sends the statement text and the values separately,
# so the input can never change the structure of the query.
rows = db.execute(sql, (username, password)).fetchall()
```
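To make the difference concrete, here is an added example (not from the deck) that runs the same login query both ways against an in-memory SQLite table with one constructed account. The string-concatenated version lets a constructed `' OR 1=1 --` username log in as the first user; the parameterized version treats the same text as a literal username and returns nothing.

```python
import sqlite3

# Constructed attacker input for the username field: closes the quote, makes the
# WHERE clause always true, and comments out the password check.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    db.commit()
    return db


def login_concat(db, username, password):
    """Vulnerable: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_prepared(db, username, password):
    """Hardened: the statement is compiled with placeholders and the values are
    bound afterwards; they can never alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]


def demo():
    """Run valid credentials and the payload through both implementations."""
    db = make_db()
    return {
        "valid_concat": login_concat(db, "alice", "s3cret"),
        "valid_prepared": login_prepared(db, "alice", "s3cret"),
        "attack_concat": login_concat(db, PAYLOAD, "wrong"),
        "attack_prepared": login_prepared(db, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

The concatenated query becomes `... WHERE username='' OR 1=1 --' AND password='wrong'`, and SQLite honours the `--` comment, so the password clause disappears. No amount of character or signature filtering is needed for the prepared version: the payload simply does not match any username.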

  17. Bad Sanitization • Seth • Amanda • George

  18.

```php
function checkForBadSql($sqlcode)
{
    global $CONTEXT, $ERROR_TEXT;
    $badSqlCode[] = 'create';
    $badSqlCode[] = 'database';
    $badSqlCode[] = 'table';
    $badSqlCode[] = 'insert';
    $badSqlCode[] = 'update';
    $badSqlCode[] = 'rename';
    $badSqlCode[] = 'replace';
    $badSqlCode[] = 'select';
    $badSqlCode[] = 'handler';
    $badSqlCode[] = 'delete';
    $badSqlCode[] = 'truncate';
    $badSqlCode[] = 'drop';
    $badSqlCode[] = 'where';
    $badSqlCode[] = 'or';
    $badSqlCode[] = 'and';
    $badSqlCode[] = 'values';
    $badSqlCode[] = 'set';
    //test if sql code is bad
    if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode))
    {
        //bad sql found -- hack attempt! Abort
        $ERROR_TEXT = "Invalid text was entered. Please correct.";
        return 0;
    }
    return 1;
}
```
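The PHP above is the deck's example of bad sanitization, and the names on slide 17 each contain one of its keywords as a substring (Seth: set, Amanda: and, George: or), which is presumably why they are listed. The added Python block below (not from the deck) ports the filter three ways to show what it actually does: a naive substring check, a literal port of the slide's regular expression, and the whole-word match the author evidently intended. The square brackets in `/\s[create|database|...]+\s/i` make a character class rather than an alternation, so the pattern as written matches any whitespace-delimited run of the letters that occur in those keywords; that and the sample inputs are the only assumptions here.

```python
import re

# Keyword list copied from checkForBadSql on the slide.
BAD_SQL = ['create', 'database', 'table', 'insert', 'update', 'rename', 'replace',
           'select', 'handler', 'delete', 'truncate', 'drop', 'where', 'or', 'and',
           'values', 'set']

# Literal port of the slide's pattern /\s[create|database|...|set]+\s/i.
# Inside [...] this is a CHARACTER CLASS: any run of the letters
# c r e a t d b s i n u p m l h o w v (or '|') surrounded by whitespace matches.
AS_WRITTEN = re.compile(r"\s[" + "|".join(BAD_SQL) + r"]+\s", re.IGNORECASE)

# What the author evidently meant: reject whole-word occurrences of a keyword.
INTENDED = re.compile(r"\b(?:" + "|".join(BAD_SQL) + r")\b", re.IGNORECASE)


def check_with_regex(text: str, pattern=AS_WRITTEN) -> int:
    """Mirror of checkForBadSql's contract: 0 = reject ("bad SQL"), 1 = accept."""
    return 0 if pattern.search(text) else 1


def check_with_substring(text: str) -> int:
    """Naive variant: reject if any keyword appears anywhere, even inside a word."""
    return 0 if any(k in text.lower() for k in BAD_SQL) else 1


# Constructed inputs: the legitimate names from slide 17, an ordinary sentence, and
# two injection payloads, one using spaces and one using comments instead of spaces.
LEGITIMATE = ["Seth", "Amanda", "George", "Seth is here"]
PAYLOADS = ["1' or 1=1 --", "1'/**/or/**/1=1--"]


def report():
    """Which inputs each filter rejects (0) or accepts (1)."""
    inputs = LEGITIMATE + PAYLOADS
    return {
        "substring": {s: check_with_substring(s) for s in inputs},
        "as_written": {s: check_with_regex(s, AS_WRITTEN) for s in inputs},
        "intended": {s: check_with_regex(s, INTENDED) for s in inputs},
    }


if __name__ == "__main__":
    for name, verdicts in report().items():
        print(name)
        for text, verdict in verdicts.items():
            print(f"  {'reject' if verdict == 0 else 'accept':6s}  {text!r}")
```

The substring check rejects all three names, the regex as written accepts the bare names but rejects the ordinary sentence "Seth is here" (because " is " is a whitespace-bounded run of class letters) while accepting the comment-obfuscated payload, and even the intended whole-word version still rejects any legitimate text that uses the words "or", "and" or "set". Every variant is either too strict, too loose, or both, which is the slide's point: keyword blacklists are not a substitute for prepared statements.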

  19. Review • Injection requires knowledge and craftiness on the attacker’s part, but is very damaging when it succeeds • SQL: database • XSS: web • Shell: machine • Several prevention tactics, but prepared statements win