SQL Injection - Mozilla Security Learning Center

Slide 1: Mozilla Security Learning Center - SQL Injection

Slide 2: Intro
  • Michael Coates
  • Infrastructure Security
  • mcoates@mozilla.com - @_mwc
  • Questions / comments during the presentation? Use IRC at air.mozilla.org

Slide 3: Agenda
  • Business risk of XSS
  • Understanding the vulnerability
  • Attack scenarios
  • Mitigation techniques

Slide 4: Agenda
  • Business risk of SQL Injection
  • Understanding the vulnerability
  • Attack scenarios
  • Mitigation techniques

Slide 5: Risks of SQL Injection
  • Injection attacks (SQL, LDAP, OS, etc.) - #1 issue on the OWASP Top 10
  • Impact: the vulnerability allows an attacker to change the intent of a SQL statement
  • Business impact:
    • Theft of sensitive/PII data (account data, password hashes)
    • Data corruption
    • Unauthorized application/feature access
    • Injecting other attacks (XSS) into databases

Slide 6: SQL Injection in the News

Slide 7: Setup
  • http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation
  • http://bit.ly/MozLab
  • Download VirtualBox and the OWASP Broken Web App VM

Slide 8: Agenda
  • Business risk of SQL Injection
  • Understanding the vulnerability
  • Attack scenarios
  • Mitigation techniques

Slide 9: Fundamental Problem
  • User controlled data improperly used with SQL statements
  • Example vulnerable query:
      sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
  • Login: ___  Pass: ____  - what if my username is o'malley?

Slide 10: Fundamental Problem
  • User controlled data improperly used with SQL statements
  • o'malley scenario:
      Select user from UserTable where name='o'malley' and pass='foo'
  • Result: error, the syntax is not valid (Error: Invalid syntax)

Slide 11: Agenda
  • Business risk of SQL Injection
  • Understanding the vulnerability
  • Attack scenarios
  • Mitigation techniques

Slide 12: SQL Attack Examples
  • Basic SQL injection tests:  ' OR 1=1 --    ' OR 1= 1--
  • Select user from UserTable where name='joe' and pass='' OR 1= 1--
    • Looks for a username of joe and a password of (blank || TRUE)

Slide 13: Variations
  • SQL Injection
    • Error message or different text returned based on the SQL statement's results
    • Example: error message, database data displayed in the page
  • Blind SQL Injection
    • No visible response to the user indicating success or failure of the query

Slide 14: Blind SQL Injection
  • Use the time the results take to deduce a boolean
  • Injected SQL uses IF statements and delays to enumerate data, one character at a time

Slide 15: Blind SQL Examples
    mysql> select * from example;
    +----+-----------------+------+
    | id | name            | age  |
    +----+-----------------+------+
    |  1 | Timmy Mellowman |   23 |
    |  2 | Sandy Smith     |   21 |
    +----+-----------------+------+
    2 rows in set (0.00 sec)

Slide 16: Blind SQL Examples
  • mysql> SELECT IF(name = 'Sandy Smith', BENCHMARK(1000000, MD5('x')), NULL) FROM example;
    • Command line result - 2 rows in set (5.25 sec)
  • mysql> SELECT IF(name = 'Joe Bob', BENCHMARK(1000000, MD5('x')), NULL) FROM example;
    • Command line result - 2 rows in set (0.00 sec)
  • The actual data returned is not important; the delay indicates True or False
    +----+-----------------+------+
    |  1 | Timmy Mellowman |   23 |
    |  2 | Sandy Smith     |   21 |
    +----+-----------------+------+

Slide 17: Blind SQL Injection
  • mysql> select headerName from header_store UNION select IF(SUBSTRING(name, 1, 1)='T', BENCHMARK(1000000, MD5('x')), 'y') from example where age=23 limit 1;
    • 1 row in set (6.01 sec)
  • Tests whether the first character of "name" from the example table (where age=23) is the letter T.
    +----+-----------------+------+
    |  1 | Timmy Mellowman |   23 |
    +----+-----------------+------+
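Slides 13-17 show what a blind, timing-based probe looks like in the SQL itself; from the defending side the same patterns (BENCHMARK-based delays, IF/SUBSTRING per-character tests, UNION stitched onto a query, the tautology from slide 12) are visible in request parameters. The following Python is an added example, not part of the deck: it decodes the query strings in a few constructed access-log lines and flags the ones carrying those patterns. The log lines, IPs and paths are constructed for the example; the signature set is an assumption, not a complete ruleset.

```python
"""Added example: flag requests whose parameters carry the blind-SQLi
patterns shown on slides 14-17 (timing via BENCHMARK/IF, per-character
SUBSTRING probes, UNION) and the basic tautology test from slide 12.
The log lines below are constructed for this example, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined-style, trimmed).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2011:10:01:02 -0700] "GET /lesson?employee_id=112&password=foo HTTP/1.1" 200 512
10.0.0.9 - - [24/Aug/2011:10:01:09 -0700] "GET /lesson?employee_id=112&password=x%27+OR+1%3D1--+ HTTP/1.1" 200 2048
10.0.0.9 - - [24/Aug/2011:10:02:31 -0700] "GET /search?q=a%27+UNION+select+IF%28SUBSTRING%28name%2C1%2C1%29%3D%27T%27%2CBENCHMARK%281000000%2CMD5%28%27x%27%29%29%2C%27y%27%29+from+example-- HTTP/1.1" 200 77
10.0.0.7 - - [24/Aug/2011:10:03:00 -0700] "GET /search?q=o%27malley HTTP/1.1" 200 640
"""

# Signatures (assumed set), checked case-insensitively against each
# URL-decoded parameter value.
SIGNATURES = {
    "timing_function": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "conditional_probe": re.compile(r"\bIF\s*\(.*\bSUBSTRING\s*\(", re.I | re.S),
    "tautology": re.compile(r"['\"]\s*OR\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bUNION\b.{0,20}\bSELECT\b", re.I | re.S),
}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decoded_params(target):
    """Return (name, value) pairs of the request's query string, URL-decoded."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def scan_line(line):
    """Return the sorted signature names matching any parameter value of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = set()
    for _, value in decoded_params(m.group("target")):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan_log(text):
    """Map client IP -> list of (line_no, hits) for lines matching at least one signature."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            ip = line.split(" ", 1)[0]
            findings.setdefault(ip, []).append((n, hits))
    return findings


if __name__ == "__main__":
    for ip, events in scan_log(SAMPLE_LOG).items():
        for n, hits in events:
            print(f"line {n} from {ip}: {', '.join(hits)}")
```

The o'malley request on the last line is not flagged: an apostrophe alone is legitimate input, which is the same point slide 10 makes. Signature matching like this is a detection aid for triage, not a control; it misses anything the ruleset does not name, so the fix stays the parameterized queries covered in the mitigation slides.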
Slide 18: WebGoat
  • Click the first link - OWASP WebGoat version 5.3.x
  • Username / password is guest / guest

Slide 19: Setup
  • http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation
  • http://bit.ly/MozLab
  • Download VirtualBox and the OWASP Broken Web App VM

Slide 20: Using a Proxy
  • Burp - configure it to listen on 8080
    • Ensure "loopback only" is checked (it will be by default)

Slide 21: Set Firefox Proxy
  • Set the Firefox proxy to 8080
  • Preferences -> Advanced -> Network -> Settings
  • Set HTTP Proxy
  • Important - clear the "No Proxy for" line

Slide 22: Confirm Setup Works
  • Refresh the web browser - it should hang
  • Go to Burp -> Proxy -> Intercept (they are highlighted)
  • Click "Forward" for all messages
  • You should now see the page in the browser

Slide 23: Confirm Setup Works
  • Intercept is on
    • Each request is caught by the proxy
    • Requires you to hit Forward each time
  • Intercept is off
    • Requests are sent through the proxy automatically
    • Logged in the Proxy -> History tab

Slide 24: "Hello World" of Proxies
  • Lesson: General -> Http Basic
  • Objective:
    • Enter your name into the text box
    • Intercept with the proxy and change the entered name to a different value
    • Receive the response and observe that the modified value is reversed
  (Diagram: the browser sends "Joe"; the attacker's web proxy changes it to "Sue"; the web server answers "euS", which appears in the browser.)

Slide 25: SQL Injection
  • Problem: user controlled data improperly used with SQL statements
  • Impact: arbitrary SQL execution, data corruption, data theft
  • Basic SQL injection tests:  ' OR 1=1 --    ' OR 1= 1--
  • Example vulnerable query:
      sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"

Slide 26: Lab! - SQL Lesson

Slide 27: SQL Injection
  • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
  • Proxy needed
  • Objective: bypass the login page by inserting "control" characters. Log in as "Neville" without knowledge of the password

Slide 28: SQL Injection
  • HTTP POST:
      employee_id=112&password=x' OR 1=1&action=Login
  • Vulnerable SQL:
      Select user from UserTable where name='" + username + "' and pass='" + password + "'
      Select user from UserTable where name='112' and pass='x' OR 1=1
  • Result: ... name='112' and pass='x' OR TRUE

Slide 29: Agenda
  • Business risk of SQL Injection
  • Understanding the vulnerability
  • Attack scenarios
  • Mitigation techniques

Slide 30: SQL Injection
  • Parameterized Queries
    • No confusion with control characters
  • Input Validation
    • Are special characters needed for most fields?
    • What about non-printable characters %00-%0A?
    • Just a layer of defense - remember the o'malley example
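Slide 30 lists input validation as a second layer and asks which fields actually need special characters. The Python below is an added example (not from the deck) that applies per-field allowlists to form submissions shaped like slide 28's POST body: the employee id is restricted to digits, and the password only to printable ASCII, which rejects the %00-%0A range the slide mentions. The field rules and sample submissions are assumptions constructed for the example.

```python
"""Added example for slide 30: input validation as one layer of defense.
Field rules and samples are assumptions for this example; the point is
what validation can and cannot reject, not a complete login handler."""
import re

# Constructed form submissions in the shape of slide 28's HTTP POST body.
SAMPLES = {
    "normal":    {"employee_id": "112", "password": "foo"},
    "omalley":   {"employee_id": "113", "password": "o'malley"},
    "injection": {"employee_id": "112", "password": "x' OR 1=1 --"},
    "control":   {"employee_id": "112", "password": "foo\x00"},
    "bad_id":    {"employee_id": "112 OR 1=1", "password": "foo"},
}

# Field-specific allowlists (assumed rules). An employee id never needs
# special characters, so digits only; a password legitimately may.
EMPLOYEE_ID_RE = re.compile(r"\A\d{1,10}\Z")
# Printable ASCII only: rejects %00-%1F and DEL, which no password field needs.
PRINTABLE_RE = re.compile(r"\A[\x20-\x7E]{1,128}\Z")


def validate_login_form(form):
    """Return the list of rejected field names (empty list == passed validation)."""
    rejected = []
    if not EMPLOYEE_ID_RE.match(form.get("employee_id", "")):
        rejected.append("employee_id")
    if not PRINTABLE_RE.match(form.get("password", "")):
        rejected.append("password")
    return rejected


def classify(samples):
    """Run every sample through validation and report which fields fail."""
    return {name: validate_login_form(form) for name, form in samples.items()}


if __name__ == "__main__":
    for name, rejected in classify(SAMPLES).items():
        status = "rejected " + ",".join(rejected) if rejected else "passed"
        print(f"{name:10s} -> {status}")
```

Two of the five samples make the slide's point: the o'malley password passes because an apostrophe is legitimate there, and for exactly that reason the slide 12 test string passes the password check too. Validation stops the control characters and the non-numeric employee id, but it cannot be the control that keeps a quote in a password from changing the query; that is what the parameterized query on the following slides does.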
Slide 31: Parameterized Query
  • HTTP POST:
      employee_id=112&password=x' OR 1=1&action=Login
  • Parameterized query: look for employee_id 112 with a password of  x' OR 1=1
  • Result: login fails - the password is foo, not  x' OR 1=1

Slide 32: Language Examples
  • User data + string concatenation == SQL injection disaster
  • Django
    • Model Query API -> safe
    • raw() manager -> dangerous, avoid!
  • Java
      // Placeholder "?" is bound separately from the statement text
      String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
      PreparedStatement pstmt = connection.prepareStatement(query);
      pstmt.setString(1, custname);
      ResultSet results = pstmt.executeQuery();
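Slides 9-10, 12, 28 and 31-32 together make one argument: the concatenated query breaks on a legitimate apostrophe and is bypassed by the test string, while the parameterized form handles both correctly. The following Python, an added example rather than the deck's or WebGoat's code, runs both versions side by side against an in-memory SQLite table; the DB-API "?" placeholder plays the role of the Java PreparedStatement on slide 32. Table, rows and passwords are constructed for the example (WebGoat's real schema is not reproduced).

```python
"""Added example for slides 9-10, 12, 28 and 31-32: the concatenated query
beside its parameterized form, run against an in-memory SQLite database.
Table and rows are constructed for this example; passwords are stored in
clear only to keep the example short (never do that in a real application)."""
import sqlite3

# Constructed sample data: name is the login name from slide 28's form.
ROWS = [("112", "foo"), ("113", "secret"), ("o'malley", "foo")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)", ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Slide 9's sqlQ: user data pasted into the statement text.
    Returns the matched names, or the string 'error' on a syntax error."""
    sql = ("SELECT name FROM UserTable WHERE name = '" + username +
           "' AND pass = '" + password + "'")
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "error"


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the driver sends the values
    separately, so quotes and '--' inside them are data, never syntax."""
    sql = "SELECT name FROM UserTable WHERE name = ? AND pass = ?"
    return [r[0] for r in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run both versions on the same input; returns (vulnerable, parameterized)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    for creds in [("112", "foo"), ("o'malley", "foo"), ("112", "x' OR 1=1 --")]:
        print(creds, "->", compare(*creds))
```

With the o'malley credentials the concatenated version raises the syntax error from slide 10 while the parameterized one logs the user in; with the slide 12 test string the concatenated version matches every row (the bypass from slide 28) while the parameterized one matches none, because the whole string is compared as the password, as slide 31 describes.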
Slide 33: Additional Resources
  • OWASP SQL Injection Prevention Cheat Sheet
    • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • 10 Minute Crash Course
    • Episode 3 - http://www.youtube.com/user/AppsecTutorialSeries

Slide 34: Questions
  • Next events
    • Aug 24 - CEF Logging for Attack Aware Applications
    • Aug 25 - OWASP Bay Area Chapter Meeting
    • https://wiki.mozilla.org/index.php?title=WebAppSec#Schedule