1 / 19

Code Injection

Code Injection. Cable Johnson. Overview Common Injection Types Developer Prevention. Code Injection. “username” stored as string constant. I nsert source code into existing application Single command Entire script Used by worms to propagate . Overview. SQL injection Web injection/XSS

padma
Télécharger la présentation

Code Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Code Injection Cable Johnson

  2. Overview • Common Injection Types • Developer Prevention Code Injection

  3. “username” stored as string constant

  4. Insert source code into existing application • Single command • Entire script • Used by worms to propagate Overview

  5. SQL injection • Web injection/XSS • Shell injection Common Injection Types

  6. Infiltrate database • Dump data, alter data • Done at database level • Easily Automated • Attempted constantly • Average: 71 attempts/hr • Peak: 800-1300 attempts/hr SQL Injection

  7. SQL: database level • XSS: web level • PHP/ASP injection: server infiltration • HTML/Script injection: browser infiltration • Most common injection type today Web

  8. Targets machine rather than db or webpage • Done at shell (command line) level • Windows and UNIX • Typically used to escalate privileges Shell Injection

  9. Design • Input sanatization Prevention

  10. Blacklisting • Minimize use of user input • Limit database use • Disable unnecessary database functionality • Update regularly • Attack yourself Design

  11. Character exclusion • Signature exclusion • Prepared statements Sanitization

  12. ( ‘ ), ( \ ), ( ` ) • Require alphanumeric only • Limit string length to guard against complex queries • Easy to implement • Easily recognizable Character Exclusion

  13. UNION SELECT • OR 1=1 • EXEC SP_ (or EXEC XP_) • False positives come with large signature sets • Easily avoidable Signature Exclusion

  14. OR 1 = 1 • OR ‘str’ = ‘str’ • OR ‘str’ = ‘st’+’r’ • OR ‘str’ = N’str’ • OR ‘s’ IN (‘str’) • O/**/R ‘s’ < ‘z’ • Unreasonable to keep signatures for countless possible inputs Signature Weakness

  15. Efficient method of sanatization • Also a query optimization • Build the sql statement with minimal syntax • Run partial query (“prepare”) • Fill in user input after preparation Prepared Statements

  16. sql= “SELECT * FROM users WHERE username=$1 AND password=$2” statement = db.prepare(sql) username = input() password = input() statement.execute(username, password) Pseudo Code

  17. Seth • Amanda • George Bad Sanatization

  18. function checkForBadSql($sqlcode) • { • global $CONTEXT, $ERROR_TEXT; • $badSqlCode[] = 'create'; • $badSqlCode[] = 'database'; • $badSqlCode[] = 'table'; • $badSqlCode[] = 'insert'; • $badSqlCode[] = 'update'; • $badSqlCode[] = 'rename'; • $badSqlCode[] = 'replace'; • $badSqlCode[] = 'select'; • $badSqlCode[] = 'handler'; • $badSqlCode[] = 'delete'; • $badSqlCode[] = 'truncate'; • $badSqlCode[] = 'drop'; • $badSqlCode[] = 'where'; • $badSqlCode[] = 'or'; • $badSqlCode[] = 'and'; • $badSqlCode[] = 'values'; • $badSqlCode[] = 'set'; • //test if sql code is bad • if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) • { • //bad sql found -- hack attept! Abort • $ERROR_TEXT = "Invalid text was entered. Please correct."; • return 0; • } • return 1; • }

  19. Injection requires knowledge and craftiness on attacker’s part, but very deadly • SQL: database • XSS: web • Shell: machine • Several prevention tactics, but prepared statements win Review

More Related