Web site security Part 2: Defending Against SQL Injection • Reporter: James Chen
Outline • What is SQL Injection? • SQL Injection Testing Methodology • SQL Injection Defense • SQL injection detection method and tools • My Automatic Anti-SQL Injection Method features • Summary
What is SQL Injection? • The ability to inject SQL commands into the database engine through an existing application
How common is it? • It is probably the most common Web site vulnerability today! • It is a flaw in "web application" development; it is not a DB or web server problem • Most programmers are still not aware of this problem • A lot of the tutorials & demo "templates" are vulnerable • Even worse, a lot of the solutions posted on the Internet are not good enough • In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection
SQL Injection Characters • ' or " string indicators • -- or # single-line comment • /*…*/ multi-line comment • + addition, concatenation (or a space in a URL) • || (double pipe) concatenation • % wildcard attribute indicator • ?Param1=foo&Param2=bar URL parameters • PRINT useful as a non-transactional command • @variable local variable • @@variable global variable • waitfor delay '0:0:10' time delay
SQL Injection Testing Methodology • 1) Input Validation • 2) Info. Gathering • 3) 1=1 Attacks • 4) Extracting Data • 5) OS Interaction • 6) OS Cmd Prompt • 7) Expand Influence
1) Input Validation: Discovery of Vulnerabilities • Vulnerabilities can be anywhere, so we check all entry points: • Fields in web forms • Script parameters in URL query strings • Values stored in cookies or hidden fields • By "fuzzing" we insert into every one: • Character sequences: ' " ) # || + > • SQL reserved words with white-space delimiters • %09select (tab %09, carriage return %13, linefeed %10 and space %32 combined with and, or, update, insert, exec, etc.) • Delay query: ' waitfor delay '0:0:10'--
2) Information Gathering • We will try to find out the following: • Understand the query • Output mechanism • Determine database type • Find out user privilege level
3) 1=1 Attacks • Discover DB structure • Enumerating table columns in different DBs • Database Enumeration
4) Extracting Data • Password grabbing • Create DB Accounts • Grabbing MS SQL Server Hashes • Brute forcing Passwords • Transfer DB structure and data • Create Identical DB Structure • Transfer DB
5) OS Interaction • Interacting with the OS • Assessing Network Connectivity • Gathering IP information through reverse lookups • Network Reconnaissance
Architecture • (Figure: Web Server → Application Server → Database Server; web page access, input validation flaw, injected SQL execution) • To keep in mind always! • Our injection will most often be executed on a different server • The DB server may not even have Internet access
6) OS Cmd Prompt • Jumping to the OS • Using ActiveX Automation Scripts • Retrieving VNC Password from Registry
7) Expand Influence • Hopping into other DB Servers • Linked Servers • Executing through stored procedures remotely • Uploading files through reverse connection • Uploading files through SQL Injection
Evasion Techniques • Input validation or IDS signature evasion • Evading the ' OR 1=1 signature • ' OR 'something' like 'some%' • Using the PHP addslashes() function to escape characters • This can be easily evaded by using replacements for any of the characters in a numeric field • It can be circumvented by encoding or by using Char() • Using white space, comments, string concatenation, variables, hex values
SQL Injection Defense • It is quite simple: input validation • The real challenge is making best practices consistent throughout all your code • Enforce "strong design" in new applications • Audit your existing web sites and source code • Even if you have an air-tight design, harden your servers
Strong Design • Define an easy "secure" path to querying data • Use stored procedures for interacting with database • Call stored procedures through a parameterized API • Validate all input through generic routines • Use the principle of "least privilege" • Define several roles, one for each kind of query
Input Validation • Define data types for each field • Implement stringent "allow only good" filters • If the input is supposed to be numeric, use a numeric variable in your script to store it • Reject bad input rather than attempting to escape or modify it • Implement stringent "known bad" filters • For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
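As an added illustration of the Strong Design and Input Validation slides (example code written here, not code from the talk), in Python with the standard sqlite3 module, which has no stored procedures, so the parameterized API binds the values directly; the table and rows are constructed sample data:

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "O'Brien", "user")])
    return conn


def validate_int(value: str) -> int:
    """'Allow only good' filter for a numeric field: accept a plain integer, reject everything else."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("rejected: numeric field expected")
    return int(value)


def lookup_vulnerable(conn, user_id: str):
    """The flaw: the raw parameter is pasted into the query text, so the engine parses it as SQL.
    An input such as  2 OR 1=1  turns the WHERE clause into a tautology and returns every row."""
    sql = "SELECT name, role FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id: str):
    """Strong design: type the field first, then bind it through the parameterized API.
    The bound value travels as data and can never change the shape of the statement."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?",
                        (validate_int(user_id),)).fetchall()


def find_by_name_safe(conn, name: str):
    """A 'known bad' filter that rejects the ' character would turn O'Brien away;
    binding the value as a parameter keeps the quote harmless and the user welcome."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "2 OR 1=1"))  # every row: the injection succeeded
    print(lookup_safe(db, "2"))               # [('bob', 'user')]
    print(find_by_name_safe(db, "O'Brien"))   # [(3,)]
```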
Harden the Server • Run DB as a low-privilege user account • Remove unused stored procedures and functionality or restrict access to administrators • Change permissions and remove "public" access to system objects • Audit password strength for all user accounts • Remove pre-authenticated linked servers • Remove unused network protocols • Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)
Detection and Dissuasion • You may want to react to SQL injection attempts by: • Logging the attempts • Sending email alerts • Blocking the offending IP • Sending back intimidating error messages: • "WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken." • Check with your lawyers for proper wording • This should be coded into your validation scripts
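One way to code the logging step into a detection script, as an added example that is not part of the talk: it decodes each query parameter in access-log lines and matches it against the indicator characters listed on the SQL Injection Characters slide. The log format and the sample lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator patterns taken from the "SQL Injection Characters" list: string indicators,
# comment sequences, 1=1-style tautologies, time delays and reserved words. A hit is a
# reason to log and alert, not proof of an attack (a name like O'Brien trips the quote rule).
PATTERNS = [
    ("string indicator", re.compile(r"['\"]")),
    ("comment sequence", re.compile(r"--|#|/\*")),
    ("tautology", re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("time delay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("reserved word", re.compile(r"\b(select|union|insert|update|delete|drop|exec)\b", re.I)),
]

# Apache combined-style access log line: client IP, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def inspect_target(target: str):
    """Decode every query parameter and return (parameter, reason) pairs that matched."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(raw)  # parse_qsl decoded once; decode again to catch %2527-style double encoding
        for reason, pattern in PATTERNS:
            if pattern.search(value):
                findings.append((name, reason))
    return findings


def scan_log(lines):
    """Run the check over log lines; return one alert per suspicious request, ready for
    logging, e-mail alerting or feeding an IP block list (the reactions the slide lists)."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = inspect_target(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return alerts


# Constructed sample log lines for the demo; not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9001',
    '10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET /item.php?id=42%27%20waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 500 88',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?name=O%27Brien HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["target"], alert["findings"])
```

The last sample line shows the false positive a pure character filter produces; in production, pair the alert with the parameterized query so that a legitimate quote is logged but never rejected or executed as SQL.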
SQL injection detection methods introduced • Typical validation procedure • Anti-SQL-Injection.php • Using the popular open-source IDS Snort • WAVES: black-box approach
WAVES: black-box approach • Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. "Web Application Security Assessment by Fault Injection and Behavior Monitoring." In Proc. 12th Int'l World Wide Web Conference, pp. 148-159, Budapest, Hungary, 2003. • A crawler discovers all pages in a Web site that contain HTML forms. • HTML forms are parsed and stored in XML format. • Malicious SQL patterns are injected into the server-side program that processes the form's input. • If the filtering mechanism is provided on a global scale, then the injection will fail.
Automatic black-box method features • Complete crawling • Bypassing the validation procedure • Automatic generation of test sets and injection patterns (self-learning) • Output analysis according to the returned error messages
Other SQL injection tools • Absinthe • WebScarab • WebGoat
WebScarab • WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. • It is written in Java, and is thus portable to many platforms. • WebScarab records the conversations (requests and responses) that it observes. • This allows a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
WebScarab plugins • WebScarab provides a number of plugins: • Fragments - extracts scripts and HTML comments from HTML pages. • Proxy - observes traffic between the browser and the web server • Manual intercept • Reveal hidden fields • Spider - identifies new URLs on the target site, and fetches them on command. • Parameter fuzzer - performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
WebScarab Features • WebScarab is extensible. • Each feature above is implemented as a plugin, and can be removed or replaced. • New features can be easily implemented as well. • WebScarab is intended to become the tool of choice for serious Web debugging.
WebGoat • Web application security is difficult to learn and practice. • WebGoat is a full J2EE web application designed to teach web application security lessons.
My Automatic Anti-SQL Injection Method features • No need to rewrite the web pages • No need to adjust database security permissions • Does not rely on an IDS or other network defence devices • Does not defend against dictionary attacks • Automatically inserts an input validation or filter function into the web pages
How to insert the validation function • Use a crawler to discover all pages in a Web site that contain HTML forms. • HTML forms are parsed and stored in XML format. • Inject the validation function into the server-side program that processes the form's input. • If the SQL injection fails, my solution has succeeded.
How to implement my solution • Use WebScarab as the platform. • Use WebScarab's Spider to identify new URLs on the target site and fetch them on command. • Inject the validation function into the server-side program that processes the form's input. • Testing: use WebScarab's Parameter fuzzer to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
Summary • SQL Injection is a dangerous vulnerability • All programming languages and all SQL databases are potentially vulnerable • Protecting against it requires input validation, IDS detection AND strong database and OS hardening, used together. • We are trying to implement an anti-SQL Injection system that inserts a correct input validation function automatically.
Reference • Advanced SQL Injection, Victor Chapela, http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt