Web site security Part 2 : Defending Against SQL Injection - PowerPoint PPT Presentation

web site security part 2 defending against sql injection n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Web site security Part 2 : Defending Against SQL Injection PowerPoint Presentation
Download Presentation
Web site security Part 2 : Defending Against SQL Injection

play fullscreen
1 / 38
Web site security Part 2 : Defending Against SQL Injection
232 Views
Download Presentation
tegan
Download Presentation

Web site security Part 2 : Defending Against SQL Injection

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Web site security Part 2 : Defending Against SQL Injection Reporter : James Chen

  2. Outline • What is SQL Injection? • SQL Injection Testing Methodology • SQL Injection Defense • SQL injection detection method and tools • My Automatic Anti-SQL Injection Method features • Summary

  3. What is SQL Injection? • The ability to inject SQL commands into the database enginethrough an existing application

  4. How common is it? • It is probably the most common Website vulnerability today! • It is a flaw in "web application" development, it is not a DB or web server problem • Most programmers are still not aware of this problem • A lot of the tutorials & demo “templates” are vulnerable • Even worse, a lot of solutions posted on the Internet are not good enough • In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection

  5. Vulnerable Applications • Almost all SQL databases and programming languages are potentially vulnerable • MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc • Accessed through applications developed using: • Perl and CGI scripts that access databases • ASP, JSP, PHP • XML, XSL and XSQL • Javascript • VB, MFC, and other ODBC-based tools and APIs • DB specific Web-based applications and API’s • Reports and DB Applications • 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) • many more

  6. SQL Injection Characters • ' or" character String Indicators • -- or # single-line comment • /*…*/ multiple-line comment • + addition, concatenate (or space in url) • || (double pipe) concatenate • % wildcard attribute indicator • ?Param1=foo&Param2=bar URL Parameters • PRINT useful as non transactional command • @variable local variable • @@variable global variable • waitfor delay '0:0:10' time delay

  7. 2) Info. Gathering 3) 1=1 Attacks 5) OS Interaction 4) Extracting Data 6) OS Cmd Prompt 7) Expand Influence SQL Injection Testing Methodology 1) Input Validation

  8. 1) Input Validation :Discovery of Vulnerabilities • Vulnerabilities can be anywhere, we check all entry points: • Fields in web forms • Script parameters in URL query strings • Values stored in cookies or hidden fields • By "fuzzing" we insert into every one: • Character sequence: ' " ) # || + > • SQL reserved words with white space delimiters • %09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc) • Delay query ' waitfor delay '0:0:10'--

  9. 2) Information Gathering • We will try to find out the following: • Understand the query • Output mechanism • Determine database type • Find out user privilege level

  10. 3) 1=1 Attacks • Discover DB structure • Enumerating table columns in different DBs • Database Enumeration

  11. 4) Extracting Data • Password grabbing • Create DB Accounts • Grabbing MS SQL Server Hashes • Brute forcing Passwords • Transfer DB structure and data • Create Identical DB Structure • Transfer DB

  12. 5) OS Interaction • Interacting with the OS • Assessing Network Connectivity • Gathering IP information through reverse lookups • Network Reconnaissance

  13. Web Server Application Server Database Server WebPageAccess InputValidationFlaw Injected SQLExecution! Architecture • To keep in mind always! • Our injection most times will be executed on a different server • The DB server may not even have Internet access

  14. 6) OS Cmd Prompt • Jumping to the OS • Using ActiveX Automation Scripts • Retrieving VNC Password from Registry

  15. 7) Expand Influence • Hopping into other DB Servers • Linked Servers • Executing through stored procedures remotely • Uploading files through reverse connection • Uploading files through SQL Injection

  16. Evasion Techniques • Input validation or IDS Signature Evasion • Evading ' OR 1=1signature • ' OR 'something' like 'some%‘ • use PHP addslashes() function to escape characters • This can be easily evaded by using replacements for any of characters in a numeric field • To be circumvented by encoding or using Char() • Using white spaces, comments, string concatenation, variables, hex value

  17. SQL Injection Defense • It is quite simple: input validation • The real challenge is making best practices consistent through all your code • Enforce "strong design" in new applications • You should audit your existing websites and source code • Even if you have an air tight design, harden your servers

  18. Strong Design • Define an easy "secure" path to querying data • Use stored procedures for interacting with database • Call stored procedures through a parameterized API • Validate all input through generic routines • Use the principle of "least privilege" • Define several roles, one for each kind of query

  19. Input Validation • Define data types for each field • Implement stringent "allow only good" filters • If the input is supposed to be numeric, use a numeric variable in your script to store it • Reject bad input rather than attempting to escape or modify it • Implement stringent "known bad" filters • For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"

  20. Harden the Server • Run DB as a low-privilege user account • Remove unused stored procedures and functionality or restrict access to administrators • Change permissions and remove "public" access to system objects • Audit password strength for all user accounts • Remove pre-authenticated linked servers • Remove unused network protocols • Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)

  21. Detection and Dissuasion • You may want to react to SQL injection attempts by: • Logging the attempts • Sending email alerts • Blocking the offending IP • Sending back intimidating error messages: • "WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken." • Check with your lawyers for proper wording • This should be coded into your validation scripts

  22. SQL injection detection method has introduced • Typical validation procedure • Anti-SQL-Injection.php • To take the popular open-source IDS Snort • WAVES—Black-box approach

  23. WAVES—Black-box approach • Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. “Web Application Security Assessment by Fault Injection and Behavior Monitoring.” In Proc. 12th Int’l World Wide Web Conference, p.148-159, Budapest, Hungary, 2003. • Using crawler to discover all pages in a Web site that contain HTML forms. • HTML forms are parsed and stored in XML format. • To inject malicious SQL patterns into the server-side program that processes the form’s input. • If the filtering mechanism is provided on a global scale, then injection will fail.

  24. Automatic black-box method features • Complete crawling • Bypass the validation procedure • Test set and injection patterns Automatic generation (self-learning) • Output analysis according output error messages

  25. Other sql injection tools introduction • Absinthe • WebScarab • WebGoat

  26. Absinthe (字典攻擊)

  27. Absinthe (cont.)

  28. Web Scarab • WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. • It is written in Java, and is thus portable to many platforms. • WebScarab records the conversations (requests and responses) that it observes. • To allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

  29. WebScarab plugin • WebScarab provides a number of plugins: • Fragments - extracts Scripts and HTML comments from HTML pages. • Proxy - observes traffic between the browser and the web server • Manual intercept • Reveal hidden fields • Spider - identifies new URLs on the target site, and fetches them on command. • Parameter fuzzer - performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

  30. WebScarab Feature • WebScarab is extensible. • Each feature above is implemented as a plugin, and can be removed or replaced. • New features can be easily implemented as well . • WebScarab is intended to become the tool of choice for serious Web debugging.

  31. WebScarab-selfcontained.jar

  32. WebScarab snapshot

  33. WebGoat • Web application security is difficult to learn and practice. • WebGoat is a full J2EE web application designed to teach web application security lessons.

  34. My Automatic Anti-SQL Injection Method features • 不需要重新改寫網頁 • 不需調整資料庫安全權限 • 不需透過IDS或其他網路防禦設備 • 不針對字典攻擊做防禦 • 自動加入 input vlidation or filter function於網頁中

  35. How to insert validation function • Using crawler to discover all pages in a Web site that contain HTML forms. • HTML forms are parsed and stored in XML format. • To inject validation function into the server-side program that processes the form’s input. • If SQL injection fail, my solutioin is success.

  36. How to implement my solution • UsingWeb Scarabas platform. • UsingWeb Scarab’s Spider to identifies new URLs on the target site, and fetches them on command. • To inject validation function into the server-side program that processes the form’s input. • Testing:usingWeb Scarab’s Parameter fuzzer to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

  37. Summary • SQL Injection is a dangerous vulnerability • All programming languages and all SQL databases are potentially vulnerable • Protecting against it requires Input validation, IDS detection AND strong database and OS hardening must be used together. • We try to implement a anti-SQL Injection system to insert correct input validation function automatically.

  38. Reference • Advanced SQL Injection, Victor Chapela , http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt