Injection Rejection, or How I Learned To Stop Worrying And Love Bobby Tables
What’s an “injection” attack? An injection interprets user-supplied data—as malicious code.
Attack surfaces
• Direct user input.
• Filesystem.
• Environment variables.
• Database values.
• Anything interpreted at runtime.
• Anything “just-in-time” compiled.
CGI example in Perl

    use CGI;
    use DBI;

    my $cgi = CGI->new;                       # request object used by getFlaggedEntries()
    my $db  = DBI->connect('dbi:mysql:school', 'user', 'pass')   # placeholder DSN/credentials
        || die "Couldn't connect: $DBI::errstr";

    my @flagged = getFlaggedEntries();
    my $bogus   = join(',', @flagged);        # user-controlled text...
    my $sql     = "delete from student where id in ($bogus)\n";   # ...interpolated straight into SQL
    my $sh = $db->prepare($sql) || die "Couldn't prepare SQL statement: " . $db->errstr;
    $sh->execute() || die "Couldn't execute SQL statement: " . $sh->errstr;
What it’s supposed to do
Sane input: 303,101,404

    delete from student where id in (303,101,404)
What it actually does
Not-so-sane input: 303); truncate table users; --

    delete from student where id in (303); truncate table users; --)
Rubber, meet road

    # Return an array of the CGI parameters named flag####, where the ####
    # indicates one or more characters. Strips the "flag" prefix.
    # Assumes $cgi is the CGI object created by the caller.
    sub getFlaggedEntries() {
        my @f = ();                          # return value
        foreach (keys %{$cgi->Vars()}) {
            next unless m/^flag(.+)$/;       # the capture also untaints $1, and (.+) accepts anything
            push @f, $1;
        }
        @f;                                  # return value
    }

Perl untainting: the regex capture is what clears the taint flag, but the pattern lets any characters through.
A simple exploit

    $ curl 'http://example.com/cgi-bin/example.pl?flag303)%3B%20truncate%20table%20users%3B%20--=1'

Attacker’s payload: the parameter name, URL-encoded.
Real-Life Applications
“I hope you’ve learned to sanitize your database inputs.”
• Don’t enumerate badness.
• Precompiled code. Always.
• Perl tainting: you still have to think.
• LINQ has possibilities.
• Parameterize your SQL.
Parameterized SQL

WRONG:

    my $sh = $db->prepare("insert into foo set name=$name, company=$company");
    $sh->execute();

RIGHT:

    my $sh = $db->prepare('insert into foo set name=?, company=?');
    $sh->execute($name, $company);
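The same flag#### → delete-by-id flow done safely, as an added Python example that is not code from the talk: it swaps the Perl CGI/DBI code for an in-memory sqlite3 database and a constructed parameter dict, allow-lists the ids with a digits-only pattern instead of the deck's m/^flag(.+)$/, and builds one ? placeholder per id so the variable-length IN list is still parameterized. The strict=False path keeps the deck's loose pattern to show that placeholders alone already stop the payload from running as SQL.

```python
import re
import sqlite3

# Constructed CGI parameter dict in the deck's flag#### convention; the last key
# is the deck's attacker payload after URL decoding (sample input, not real traffic).
SAMPLE_PARAMS = {
    "flag303": "1",
    "flag101": "1",
    "flag404": "1",
    "flag303); truncate table users; --": "1",
}


def get_flagged_entries(params, strict=True):
    """Return the ids named by flag#### parameters.

    strict=True allow-lists digits only ("don't enumerate badness");
    strict=False mirrors the deck's m/^flag(.+)$/ and passes the payload as a string.
    """
    pattern = re.compile(r"^flag(\d+)$" if strict else r"^flag(.+)$")
    ids = []
    for key in params:
        m = pattern.match(key)
        if m:
            ids.append(int(m.group(1)) if strict else m.group(1))
    return ids


def delete_students(conn, ids):
    """Delete the given ids with one ? placeholder per id; no string interpolation."""
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    sql = f"delete from student where id in ({placeholders})"
    return conn.execute(sql, ids).rowcount


def demo(params=SAMPLE_PARAMS, strict=True):
    """Run the flow against an in-memory DB; return (deleted, remaining ids, user rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table student (id integer primary key);"
        "create table users (name text);"
        "insert into student values (101),(202),(303),(404);"
        "insert into users values ('alice'),('bob');"
    )
    deleted = delete_students(conn, get_flagged_entries(params, strict))
    remaining = [r[0] for r in conn.execute("select id from student order by id")]
    users = conn.execute("select count(*) from users").fetchone()[0]
    return deleted, remaining, users


if __name__ == "__main__":
    print(demo())  # (3, [202], 2): three students gone, users table untouched
```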
Injection’s not just for SQL I

    01/06/2009  02:47 PM            20,104 CVSInstall.pdf
    08/17/2008  07:41 PM                67 cweb.html
    11/06/2006  02:56 AM           413,696 CWIMS.mdb
    05/01/2008  01:35 PM             5,632 cwsl.dll
    09/22/2007  07:07 PM             4,537 day.txt
    04/14/2009  08:06 AM                 5 dbappend(),fieldput('user','catfood')

The slide’s callout points at the last filename: dbappend(),fieldput('user','catfood')
Injection’s not just for SQL II

    $command = "nslookup -type=ptr $inputdomain";   # $inputdomain reaches the shell unquoted
    system($command);

I saw this in production code… actually straight C. But still.
Making your project not suck!
• Don’t hoard code.
• Don’t optimize yet.
• Review code constantly.
• Let unit tests drive development.
• Still don’t optimize yet.
A few good URLs
• 6 dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/
• SQL Injection basics: http://www.sitepoint.com/article/sql-injection-attacks-safe
• Parameterized SQL basics: http://www.codinghorror.com/blog/archives/000275.html
This is me. I make projects not suck. http://imakeyourprojectnotsuck.com
Get these slides: http://criticalresults.com/notacon6
Next! Here! Super Jason Scott Presentation