DAT356 Hackers Paradise SQL Injection Attacks Doug Seven, Microsoft MVP Cofounder of SqlJunkies.com [email_address]

Session Agenda Introduction to SQL Injection How Do Attackers Do it? Advanced Attacks Solutions Least-privilege Access Parameterize DML Validating Input

Introduction to SQL Injection

How Do Attackers Do it?

Advanced Attacks

Solutions

Least-privilege Access

Parameterize DML

Validating Input

What is a SQL Injection? SQL statement(s) “injected” into an existing SQL command Injection occurs through malformed application input: Text box. Query string. Manipulated values in HTML. A good SQL injection attack can cripple and even destroy your database!

SQL statement(s) “injected” into an existing SQL command

Injection occurs through malformed application input:

Text box.

Query string.

Manipulated values in HTML.

A good SQL injection attack can cripple and even destroy your database!

SQL Injection Causes public void OnLogon(object src, EventArgs e){ SqlConnection con = new SqlConnection( "server=(local);database=myDB;uid=sa;pwd;" ); string query = String.Format( "SELECT COUNT(*) FROM Users WHERE " + "username='{0}' AND password='{1}'", txtUser.Text, txtPassword.Text ); SqlCommand cmd = new SqlCommand(query, con); conn.Open(); SqlDataReader reader = cmd.ExecuteReader(); try{ if(reader.HasRows()) IssueAuthenticationTicket(); else TryAgain(); } finally{ con.Close() } }

The Problem Expected: Username: doug Password: p@$$w0rd SELECT COUNT(*) FROM Users WHERE username='doug' and password='p@$$w0rd' Malicious: Username: ' OR 1=1 -- Password: SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- and password='p@$$w0rd'

Basic SQL Injection

How Do Attackers Know? Insider Information Trial and Error Error message often reveal too much Malicious user can force an error to discover information about the database

Insider Information

Trial and Error

Error message often reveal too much

Malicious user can force an error to discover information about the database

It Gets Worse Once a malicious user can access the database, they are likely to use: xp_cmdshell xp_grantlogin xp_regread With the right privileges the user can access ALL databases on the server

Once a malicious user can access the database, they are likely to use:

xp_cmdshell

xp_grantlogin

xp_regread

With the right privileges the user can access ALL databases on the server

Extended Stored Procedures

Problem: Access Privileges Application is accessing database with: “ sa” account ASP.NET worker process account (added as admin) High-privilege user account

Application is accessing database with:

“ sa” account

ASP.NET worker process account (added as admin)

High-privilege user account

Solution: Limit Privileges Application should have least necessary privileges to access database Grant ASP.NET account access to database using an alias Create an account that has minimal privileges (EXEC-only)

Application should have least necessary privileges to access database

Grant ASP.NET account access to database using an alias

Create an account that has minimal privileges (EXEC-only)

MachineASPNET -- Windows 2000 / XP EXEC sp_grantlogin [MachineNameASPNET] EXEC sp_grantdbaccess [MachineNameASPNET], [Alias] GRANT EXECUTE ON [ProcedureName] TO [Alias] GO -- Windows Server 2003 EXEC sp_grantlogin [NT AUTHORITYNETWORK SERVICE] EXEC sp_grantdbaccess [NT AUTHORITYNETWORK SERVICE] GRANT EXECUTE ON [ProcedureName] TO [NT AUTHORITYNETWORK SERVICE] GO

Least Privilege

Problem: DML in Code Application code shouldn’t contain SQL Data Manipulation Language (DML) DML enables malicious input to be injected Eliminating DML should be part of your next security review

Application code shouldn’t contain SQL Data Manipulation Language (DML)

DML enables malicious input to be injected

Eliminating DML should be part of your next security review

Solution: Parameterize DML If DML is a requirement of the application add parameters to the SQL statements string sql = "SELECT * FROM Users " + "WHERE username=@Username " + "AND password= @Password"; SqlCommand command = new SqlCommand (sql, connection); command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text; command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

If DML is a requirement of the application add parameters to the SQL statements

Solution: Stored Procedures Less vulnerable to SQL injection attacks Added security via EXECUTE permission SqlCommand command = new SqlCommand ("Users_GetUser", connection); command.CommandType = CommandType.StoredProcedure; SqlCommand command = new SqlCommand (sql, connection); command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text; command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

Less vulnerable to SQL injection attacks

Added security via EXECUTE permission

Stored Procedures

Problem: User Input All user input is inherently evil Malicious input can: Inject SQL statements Execute arbitrary SQL Damage limited only by privilege of data account Alter application flow Attack other users (cross-site scripting) Read/write cookies Execute script, etc.

All user input is inherently evil

Malicious input can:

Inject SQL statements

Execute arbitrary SQL

Damage limited only by privilege of data account

Alter application flow

Attack other users (cross-site scripting)

Read/write cookies

Execute script, etc.

Solution: Input Validation All user input should be cleansed ASP.NET validation controls RegEx class Reject invalid input Encode any input that is echoed to the browser HttpUlitity.HtmlEncode() Always use parameterized SQL queries Parameterized commands (good) Parameterized stored procedures (better)

All user input should be cleansed

ASP.NET validation controls

RegEx class

Reject invalid input

Encode any input that is echoed to the browser

HttpUlitity.HtmlEncode()

Always use parameterized SQL queries

Parameterized commands (good)

Parameterized stored procedures (better)

ASP.NET Request Validation Validates query string, form data, cookies Developers still have responsibility to secure inputs Can be disabled at page-, application-, or machine-level

Validates query string, form data, cookies

Developers still have responsibility to secure inputs

Can be disabled at page-, application-, or machine-level

Input and Request Validation

SqlJunkies.com Online resource for DEVELOPERS using SQL Server DotNetJunkies.com Online resource for developers working with the .NET Framework Web Application Disassembly with ODBC Error Messages by David Litchfield http://www.nextgenss.com/papers/webappdis.doc

SqlJunkies.com

Online resource for DEVELOPERS using SQL Server

DotNetJunkies.com

Online resource for developers working with the .NET Framework

Web Application Disassembly with ODBC Error Messages by David Litchfield http://www.nextgenss.com/papers/webappdis.doc

Writing Secure Code (Second Edition) Michael Howard & David LeBlanc Microsoft Press, December 2002 Required reading at Microsoft!

Improving Web Application Security Building Secure ASP.NET Applications http://msdn.microsoft.com/security/default.aspx?pull= /library/en-us/dnnetsec/html/threatcounter.asp http://msdn.microsoft.com/security/default.aspx?pull= /library/en-us/dnnetsec/html/secnetlpmsdn.asp

Q1: Overall satisfaction with the session Q2: Usefulness of the information Q3: Presenter’s knowledge of the subject Q4: Presenter’s presentation skills Q5: Effectiveness of the presentation Please fill out a session evaluation on CommNet

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.