• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Presentation slides

Presentation slides






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Presentation slides Presentation slides Presentation Transcript

    • The Threat of SQL Injection Is your information safe? By: Jordon Janelle … …
    • Abstract
      • The purpose of our presentation and report.
        • Inform the user about SQL Injection.
        • Explain common mistakes and easy fixes to minimize risk.
        • Evaluate programs to actively detect when SQL injection attacks occur.
        • Review tools which can be used to identify weakness.
    • What is SQL Injection?
      • SQL Injection is when a malicious user attempted to run queries on a database that were not intended.
      • SQL Injection is only the first step.
        • Oracle
        • Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'
        • http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
    • The History of SQL Injection • 1998 – rfp(rain forest puppy) writes article called “NT Web Technology Vulnerabilities” for Phrack 54 • February 1999 – Allaire release advisory – “Multiple SQL Statements in Dynamic Queries” • May 1999 – rfp and Matthew Astley release advisory with title “NT ODBC Remote Compromise” • February 2000 – “How I hacked Packetstorm – A look at hacking wwwthreads via SQL” – by rfp • September 2000 – “Application Assessments on IIS” – Blackhat – David Litchfield
    • The History of SQL Injection • October 2000 – SQL Injection FAQ – Chip Andrews – uses the first public usage of term “SQL Injection” in a paper • April 2001 – “Remote Web Application Disassembly with ODBC Error Messages” • January 2002 – Chris Anley releases “Advanced SQL Injection” • June 2002 – “(more) Advanced SQL” – Chris Anley – From: “SQL Injection and Data Mining through Inference”, David Litchfield
    • Examples of SQL injection
      • Mass hack infects tens of thousands of sites
        • Using the same malicious SQL Injection over 160,000 sites were infected.
        • http://www.computerworld.com.au/index.php/id;683627551
    • What is at risk?
      • PII systems, Personally Identifiable Information
        • Hospital Records
        • Government
        • Health Insurance
      • Financial Information
        • Credit Card Companies
        • Banks
        • Lenders
      • Any Sensitive or Private Information
    • Legal Ramifications for Lack of Precautions.
      • California
        • Online Privacy Protection Act
        • Not to be confused with the Children’s Online Privacy Protection Act
      • Germany
        • The Federal Data Protection Act
      • United States
        • Sarbanes-Oxley Act
    • Discover
      • How do you know your site is being compromised?
        • Input validation in web forms and cookies
        • Alerts to administrators
      • Watch for SQL specific characters such as “ ’ ” or “ -- “
      • Using some of the various programs discussed later
    • Discovered
      • Frequently simple form validation inadequate.
      • Practically impossible to evaluate every possible input.
      • Most injections are discovered after the fact.
      • Respond!
    • Respond
      • Inaction snowballs the problem for other companies.
      • The lure of anonymity of the internet.
      • What crimes would you commit if you were not going to be caught?
    • For Example
      • Music downloading
        • 14% of users admitted to downloading illegal songs in 2004.
        • Translates to 23 million American users who admit it
        • Regardless of controversy, RIAA lawsuits dropped pirated music downloads by six millions users (Pew internet study)
    • Know the Enemy
      • Catching a good hacker is not as easy as your average p2p user.
      • The date/time stamp of unauthorized entries into a database cross-referenced with IP address log of connections.
      • A hacker is not going to hand you their address.
    • What you see isn’t what you get.
      • IP Spoofing
      • Attacker’s packets bouncing around several different networks before reaching yours
      • You get to see the last location.
      • But is that all…
    • More Hops in Every Barrel
      • Hop Count Filtering
      • Hops cannot as of yet be altered
      • Blocking statistically spoofed IP’s
      • Promises close to 90% block of spoofed IP’s
    • Tracing
      • IP Traceback
        • Algebra and many matrix calculations, luckily we have computers
      • With a statistical sample, it has been suggested (Dean, D., et al) tracing paths of length 25 over 98% of the time
      • Drawback: needs thousands of packets to analyze.
      • Mostly for DOS attacks but still useful
    • Accountability
      • FBI threatening serious jail time for attackers of federal sites.
      • Attacking government sites is “cyber-terrorism” attacking private sites is just a nuisance.
      • Most attacks are not considered worth investigating, one possible cause for so many of them
    • Types of SQL Injections
      • Blind Injection
        • Conditional Responses
        • Conditional Errors
        • Time Delays
      • Code Injection
      • Code Execution
      • Buffer Overruns
    • Analysis Tools
      • Free Tools
        • Usually designed toward a specific back end database
        • Lack of product support
        • Lack of statistic collecting
        • Usability
      • Purchased Tools
        • Policy Based
        • Better support
        • Cost
    • Purchased Tools
      • N-Stalker
        • Policy Based Driven Engine
        • Able to create its own False Positive filter
        • Able to run reports and keep a database of vulnerabilities
        • GUI Based System
        • Requires a subscription service
    • Purchased Tools (Cont.)
      • Acunetix WVS
        • GUI Based
        • Requires an annual subscription service
        • Detailed Reporting
        • Not rule based
        • Does brute force
        • Scans for common mistakes
    • Free Tools
      • SQLIer
        • Command line driven
        • Only does True/False SQL injections
      • BobCat
        • Used only with MSSQL and .NET applications
      • SQLMap
        • Works on multiple DBMS systems
        • Blind and Inbound SQL injections
        • Developed in Python (Command line driven)