TechTalk - SQL Injection Exploitation Techniques



During this TechTalk, Jürgen Kranz, Head of Architecture and Development at axxessio, elaborated on SQL Injection Exploitation Techniques.

Presentation Transcript

  • SQL Injection Exploitation Techniques, TechTalk, November 2013, Department: Architecture and Development
  • Table of Contents
    » Definition of Terms
    » How to Inject
    » Exploitation Techniques
    » How to Protect Yourself
  • Definition of Terms: SQL, Injection and OWASP
  • SQL
    » SQL stands for Structured Query Language
    » Allows us to access a database
    » ANSI and ISO standard computer language
    » The most current standard is SQL99
    » SQL can:
      » execute queries against a database
      » retrieve data from a database
      » insert new records in a database
      » delete records from a database
      » update records in a database
  • SQL
    » There are many different versions of the SQL language
    » They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others)
    » Most SQL database programs also have their own proprietary extensions in addition to the SQL standard
  • SQL
    » Data Manipulation Language
      » SELECT - extracts data
      » UPDATE - updates data
      » INSERT INTO - inserts new data
      » DELETE - deletes data
    » Data Definition Language
      » CREATE TABLE - creates a new database table
      » ALTER TABLE - alters (changes) a database table
      » DROP TABLE - deletes a database table
  • SQL
    » A relational database contains one or more tables, each identified by a name
    » Tables contain records (rows) with data
    » For example, the following table is called "users" and contains data distributed in rows and columns:
  • SQL
    » With SQL, we can query a database and have a result set returned
    » Using the previous table, a query looks like this:
      SELECT LastName FROM users WHERE UserID = 1;
    » Gives a result set like this:
      LastName
      -------------
      Smith
  • Injection
    What is Injection?
    » A technique often used to attack data-driven applications
    » There are many kinds of injection
    What is SQL Injection?
    » The ability to inject SQL commands into the database engine through an existing application
  • Injection
    What is SQL Injection?
    » Easy to exploit
    » Common in web apps
    » Can produce severe impact
  • OWASP
    » The Open Web Application Security Project (OWASP)
    » Worldwide not-for-profit charitable organization
    » Focused on improving the security of software
    Mission:
    » Make software security visible,
    » so that individuals and organizations worldwide can make informed decisions about true software security risks.
    Everyone is free to participate
  • OWASP Top Ten
    OWASP Top 10 - 2013 (current version)
    A1 Injection
    A2 Broken Authentication and Session Management
    A3 Cross-Site Scripting (XSS)
    A4 Insecure Direct Object References
    A5 Security Misconfiguration
    A6 Sensitive Data Exposure
    A7 Missing Function Level Access Control
    A8 Cross-Site Request Forgery (CSRF)
    A9 Using Known Vulnerable Components
    A10 Unvalidated Redirects and Forwards
  • How to Inject: Are You Vulnerable? / SQL Payload
  • Are You Vulnerable?
    Find a web application
    » Understand when/how the application interacts with a DB server
    » Authentication forms
    » Search engines
    » E-commerce sites
  • Are You Vulnerable?
    » List all input fields whose values could be used in crafting a SQL query
    » Including the hidden fields of POST requests
    » Then test them separately, trying to interfere with the query and to generate an error
    » Consider also HTTP headers and cookies
  • Are You Vulnerable?
    » Add a single quote (') or a semicolon (;) to the field or parameter under test
    » Also comment delimiters (-- or /* */, ...)
    » SQL keywords like 'AND' and 'OR' can be used to try to modify the query
    » Insert a string where a number is expected
    » The goal is to generate an error
  • Are You Vulnerable?
  • SQL Payload
  • Exploitation Techniques: Union Exploitation Technique, Boolean Exploitation Technique, Time Delay Exploitation Technique, Automated Exploitation
  • Union Exploitation
    What is the right number of columns in the SELECT statement?
    » Success
    » Fails
  • Union Exploitation
    What is the right number of columns in the SELECT statement?
    » Success: the SELECT statement has the given number of columns or more
    » Fails: increase the given number
  • Boolean Exploitation
    » With this technique:
      » nothing is known about the outcome of an operation
    » The main objective:
      » carrying out a series of boolean queries to the server
      » observing the answers and finally deducing the meaning of such answers
  • Time Delay
    Objectives
    » Nothing is known about the outcome of an operation
    » Sending an injected query; in case the conditional is true, the tester can monitor the time taken for the server to respond
    » If there is a delay, the tester can assume the result of the conditional query is true
    » Example using MySQL 5:
      1' union select 1, SUBSTRING((SELECT first_name FROM users LIMIT 1),1,1) ='a' and sleep(5) or null #
  • How to Protect Yourself
  • Prevent SQL Injection
    » Use dynamic SQL only if absolutely necessary
    » Tip: prepared statements, parameterized queries, or stored procedures
      » Java: PreparedStatement with bind variables
      » .NET: parameterized queries with SqlCommand() or OleDbCommand() and bind variables
      » PHP: PDO with strongly typed parameterized queries (using bindParam())
  • Prevent SQL Injection
    » Install patches regularly and in a timely manner
      » The database server, the operating system, or the development tools you use can have vulnerabilities
    » Use APIs
      » OWASP ESAPI
  • Prevent SQL Injection
    » Remove all functionality you don't use
      » "As far as security is concerned, more is not better."
      » MS SQL, for example, has xp_cmdshell, which gives access to the shell (a hacker's dream)
    » Use automated test tools for SQL injection
      » To check for SQL injection vulnerabilities
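As an added example (not code from the deck or from axxessio), the "Are You Vulnerable?" checks from the How to Inject section, a stray single quote and an OR-modified condition, are run against a deliberately vulnerable lookup built with dynamic SQL and against the parameterized, strongly typed lookup recommended under Prevent SQL Injection. It uses Python's built-in sqlite3 and a constructed copy of the deck's "users" table; the function names and sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows modelled on the deck's "users" table (UserID, LastName).
SAMPLE_ROWS = [(1, "Smith"), (2, "Jones"), (3, "Miller")]


def make_db():
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserID INTEGER, LastName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Dynamic SQL: the raw request value is spliced into the query text,
    so the database parses it as SQL instead of treating it as data."""
    query = f"SELECT LastName FROM users WHERE UserID = {user_id}"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, user_id):
    """Parameterized query with a bind variable plus strong typing: a number
    is expected, so anything that is not a number is rejected before it
    reaches the database, and the bound value can never alter the query."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # invalid input is refused, not sent to the DB
    query = "SELECT LastName FROM users WHERE UserID = ?"
    return [row[0] for row in conn.execute(query, (uid,))]


def probe(lookup):
    """Run the deck's two checks against a lookup function on a fresh DB.
    quote_error: a stray quote produced a DB error (query text was altered).
    or_leaks_rows: "1 OR 1=1" returned more rows than the plain id "1"."""
    conn = make_db()
    baseline = lookup(conn, "1")
    result = {"baseline": baseline}
    try:
        lookup(conn, "1'")
        result["quote_error"] = False
    except sqlite3.Error:
        result["quote_error"] = True
    try:
        widened = lookup(conn, "1 OR 1=1")
    except sqlite3.Error:
        widened = []
    result["or_leaks_rows"] = len(widened) > len(baseline)
    return result
```

Running probe() against your own data-access code gives a quick regression check: any function that reports quote_error or or_leaks_rows still builds its query from raw input.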
  • Story: Student Has a Problem
  • Story: Student Has a Problem
    Is there any ultimate solution? NO!
    Why? Nobody is perfect. Only our Holy God.
    What should I do? Look first for the kingdom of heaven, the rest will be given. I…
  • Thank you for your attention!
  • Additional Information
    » Prevent SQL-Injection by Joanna on:
    » OWASP Enterprise Security API:
    » OWASP_Top_Ten_Cheat_Sheet