SlideShare a Scribd company logo

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

ā€¢
ā€¢
Pablo OrduƱa
Pablo OrduƱa

Presenation at JSWEB2010, Valencia, September 2010

Technology
1 of 25
Download to read offline
Introduction Vulnerable code samples Addressing code injection Conclusions Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages Pablo OrduĖœa, Aitor Almeida, Unai Aguilera, Xabier Laiseca, n Diego LĀ“pez-de-IpiĖœa, Aitor GĀ“mez-Goiri o n o September 9th, 2010 Future Internet - Elkarlaneko ikerkuntza estrategikorako programa; ETORTEK 2008 img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Introduction The Semantic Web is based on a set of technologies: XML RDF OWL ... img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Query Languages New technologies have been developed to query the ontologies later later RDQL āˆ’ āˆ’ SPARQL āˆ’ āˆ’ SPARUL āˆ’ā†’ āˆ’ā†’ These new query languages are based on SQL RDQL and SPARQL ā†’ Read-only query languages introduces SPARUL (SPARQL/Update) āˆ’ āˆ’ āˆ’ āˆ’ modiļ¬cation āˆ’ āˆ’ āˆ’ā†’ capabilities SPARQL Sample: 1 PREFIX injection: <http://www.morelab.deusto.es/ injection.owl#> 2 SELECT ?p1 3 WHERE { 4 ?p1 a injection:Person . 5 } img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Security issues The use of these new query languages introduce vulnerabilities already found in a bad use of query languages Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known Libraries provide tools to sanitize user input in these languages A proper usage of the query languages is required in order to face new techniques, including: (Blind) SPARQL Injection SPARUL Injection img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection The following query is assumed to retrieve the friends of a user whom fullName is provided by the variable name The ontology is available in http://www.morelab.deusto.es/injection.owl img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 " + 4 "WHERE {" + 5 " ?p1 a injection:Person . " + 6 " ?p2 a injection:Person . " + 7 " ?p1 injection:fullName ā€™" + name + "ā€™ . " + 8 " ?p1 injection:isFriendOf ?p2 . " + 9 " ?p1 injection:fullName ?name1 . " + 10 " ?p2 injection:fullName ?name2 . " + 11 "}"; 12 Query query = QueryFactory.create(queryString); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection This code can be exploited to retrieve any information in the ontology The problem is that the variable name has not been sanitized This variable can include SPARQL code, and thus modify the query itself A variable with malicious content can be found in the next slide img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™" + name + "ā€™ . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 " ?p1 injection:fullName ?name1 . " + 9 " ?p2 injection:fullName ?name2 . " + 10 "}"; 11 String name = "Pablo Ordunaā€™ . " + 12 "?b1 a injection:Building . " + 13 "?b1 injection:name ?name1 . " + 14 "} #"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™" + "Pablo Ordunaā€™ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + "ā€™ . " + 10 " ?p1 injection:isFriendOf ?p2 . " + 11 " ?p1 injection:fullName ?name1 . " + 12 " ?p2 injection:fullName ?name2 . " + 13 "}"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The ļ¬nal query 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™Pablo Ordunaā€™ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + /* From this point everything 10 is commented and thus ignored */ "ā€™ . " + 11 " ?p1 injection:isFriendOf ?p2 . " + 12 " ?p1 injection:fullName ?name1 . " + 13 " ?p2 injection:fullName ?name2 . " + 14 "}"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection This code will return the name of the building instead of the name of a user It is possible to use the ļ¬‚exibility of SPARQL to perform other kind of queries retrieving any information in the ontology img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Introducing Blind SPARQL Injection The previous sample was especially vulnerable since it returned a string It is possible to retrieve any information as a string Strings are usually not retrieved in SPARQL, but individuals What if the returning value is an individual? Itā€™s still possible to retrieve any information If itā€™s possible to know if a given query is true or false, itā€™s possible to iteratively retrieve any information The following code retrieves the individuals themselves Itā€™s possible to know if the query provided or not the individuals img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 4 "SELECT ?p1 ?p2 " + 5 "WHERE {" + 6 " ?p1 a injection:Person . " + 7 " ?p2 a injection:Person . " + 8 " ?p1 injection:fullName ā€™" + name + "ā€™Ė†Ė†xsd :string . " + 9 " ?p1 injection:isFriendOf ?p2 . " + 10 "}"; 11 Query query = QueryFactory.create(queryString); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Once again, the variable name has not been sanitized So itā€™s still possible to inject SPARQL code The injected code canā€™t return a building or the building name But, adding a condition like ā€œdoes the building name start by this letterā€ we will get: The common results ā†’ so the building name starts by that letter No results ā†’ so the building name does not start by that letter img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = /* PREFIXES ... */ 2 "SELECT ?p1 ?p2 " + 3 "WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™" + name + "ā€™Ė†Ė†xsd :string . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 "}"; 9 String name = "Pablo Ordunaā€™ . " + 10 "?b1 a injection:Building . " + 11 "?b1 injection:name ?buildingName . " + 12 "FILTER regex(?buildingName, "Ė†" + s + ".*") . " + 13 "} #"; // }:-D img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The ļ¬nal query would be. . . 1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?p1 ?p2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™Pablo Ordunaā€™ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?buildingName . " + 9 " FILTER regex(?buildingName, "Ė†" + s + ".*") . " + 10 " } #" + /* from here ignored*/ "ā€™Ė†Ė†xsd:string . " + 11 " ?p1 injection:isFriendOf ?p2 . }"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Querying recursively. . . 1 public static String recursively(String letters) throws Exception{ 2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++ i){ 3 char c = POSSIBLE_LETTERS.charAt(i); 4 if(tryBlind(letters + c)){ 5 System.out.println(c); 6 return "" + c + recursively(letters + c); 7 } 8 } 9 return ""; 10 } img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection It is possible to optimize this system using binary search Performing queries using Regular Expressions like Ė†[A-M].* to know if the char is between the char A and M Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60) Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160) The point is that itā€™s possible to retrieve any information in the ontology independently from the values returned by the query img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection Introducing SPARQL/Update Injection All the previous examples are executed in read-only query languages SPARUL introduces the chance to modify the ontology INSERT, MODIFY and DELETE statements are available The following sample modiļ¬es the fullName of the resource injection:Pablo, setting it to the value of the variable name img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String updateString = "PREFIX injection: <http:// www.morelab.deusto.es/injection.owl#> " + 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "DELETE {" + 4 " injection:Pablo injection:fullName ?name1 "+ 5 "} WHERE {" + 6 " injection:Pablo injection:fullName ?name1" + 7 "}n INSERT {" + 8 " injection:Pablo injection:fullName ā€™" + name + "ā€™Ė†Ė†xsd:string" + 9 "}"; 10 UpdateRequest update = UpdateFactory.create( updateString); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String name = "Pablo Ordunyaā€™Ė†Ė†xsd:string" + 2 "} n " + 3 "INSERT {" + 4 " injection:Pablo injection:isFriendOf injection:EvilMonkey" + 5 "} #"; // }:-D 6 String result = sample.run(name); With this vulnerability, it is possible to modify the whole ontology. img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Addressing code injection Mechanisms provided by the library must be used (if provided) Not as simple as scaping the ā€™ characters: the string u0027 is a simple quote, just as in Java 1 System.out.println("au0022.length() + u0022b".length()); 2 // This code prints "2", the result of ("a".length() + "b".length()) 3 // since u0022 will be replaced by " even if it is commented or inside 4 // String img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Frameworks In Jena, the initialBinding argument can be used in the QueryExecutionFactory 1 // initial binding 2 QuerySolutionMap initialBinding = new QuerySolutionMap(); 3 RDFNode parameterizedName = model.createLiteral( name); 4 initialSetting.add("thename", parameterizedName); 5 6 // Perform the query 7 Query query = QueryFactory.create(queryString); 8 QueryExecution qe = QueryExecutionFactory.create( query, model, initialBinding); 9 ResultSet results = qe.execSelect(); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Addressing code injection Conclusions Conclusions Not sanitizing the user input might add a set of security vulnerabilities in our systems In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore they should also be taken into account when working with them img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Addressing code injection Conclusions Questions? DeustoTech - Internet http://www.morelab.deusto.es Pablo OrduĖœan pablo.orduna@deusto.es Aitor Almeida aitor.almeida@deusto.es Unai Aguilera unai.aguilera@deusto.es Xabier Laiseca xabier.laiseca@deusto.es Diego LĀ“pez-de-IpiĖœa o n dipina@deusto.es Aitor GĀ“mez-Goiri o aitor.gomez@deusto.es img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .

Recommended

Rr 7944
Rr 7944Rr 7944
Rr 7944
fangjiafu
Ā 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
Alex Senkevitch
Ā 
Research Overview
Research OverviewResearch Overview
Research Overview
avinashvarna
Ā 
Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)
johnwilander
Ā 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Alex Senkevitch
Ā 
Designing Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesDesigning Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote Laboratories
Pablo OrduƱa
Ā 
Taller Ria
Taller RiaTaller Ria
Taller Ria
Pablo OrduƱa
Ā 
Mumbai Moods
Mumbai MoodsMumbai Moods
Mumbai Moods
rajshah
Ā 

Recommended

Rr 7944
Rr 7944Rr 7944
Rr 7944
fangjiafu
Ā 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
Alex Senkevitch
Ā 
Research Overview
Research OverviewResearch Overview
Research Overview
avinashvarna
Ā 
Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)
johnwilander
Ā 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Alex Senkevitch
Ā 
Designing Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesDesigning Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote Laboratories
Pablo OrduƱa
Ā 
Taller Ria
Taller RiaTaller Ria
Taller Ria
Pablo OrduƱa
Ā 
Mumbai Moods
Mumbai MoodsMumbai Moods
Mumbai Moods
rajshah
Ā 
Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven Development
Pablo OrduƱa
Ā 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than You
Robert Cooper
Ā 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]
Pablo OrduƱa
Ā 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS project
Pablo OrduƱa
Ā 
MVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitMVP mit dem Google Web Toolkit
MVP mit dem Google Web Toolkit
Cenarion Information Systems GmbH
Ā 
GWT ā€“ Google Web Toolkit in der Praxis
GWT ā€“ Google Web Toolkit in der PraxisGWT ā€“ Google Web Toolkit in der Praxis
GWT ā€“ Google Web Toolkit in der Praxis
Cenarion Information Systems GmbH
Ā 
SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL Injection
MoreLab
Ā 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In Code
Samuele Reghenzi
Ā 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
Dileep Kalidindi
Ā 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
Antonio Fontes
Ā 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepaper
mattotamhe
Ā 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
Ā 
163 166
163 166163 166
163 166
Editor IJARCET
Ā 
163 166
163 166163 166
163 166
Editor IJARCET
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
Ā 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101
Mario-Leander Reimer
Ā 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Marco Morana
Ā 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
Ā 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
Ā 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
Ayanda Demilade
Ā 

More Related Content

Viewers also liked

Viewers also liked (6)

Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven Development
Ā 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than You
Ā 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]
Ā 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS project
Ā 
MVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitMVP mit dem Google Web Toolkit
MVP mit dem Google Web Toolkit
Ā 
GWT ā€“ Google Web Toolkit in der Praxis
GWT ā€“ Google Web Toolkit in der PraxisGWT ā€“ Google Web Toolkit in der Praxis
GWT ā€“ Google Web Toolkit in der Praxis
Ā 

Similar to Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
Ā 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101
Mario-Leander Reimer
Ā 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Marco Morana
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
Ā 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
Ayanda Demilade
Ā 

Similar to Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages (20)

SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL Injection
Ā 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In Code
Ā 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
Ā 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
Ā 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepaper
Ā 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
Ā 
163 166
163 166163 166
163 166
Ā 
163 166
163 166163 166
163 166
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
Ā 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101
Ā 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Ā 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
Ā 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
Ā 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
Ā 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
Ā 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
Ā 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
Ā 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
Ā 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
Ā 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
Ā 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
Ā 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
Ā 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
Ā 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
Ā 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
Ā 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(ā˜Žļø+971_581248768%)**%*]'#abortion pills for sale in dubai@
Ā 

Recently uploaded (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Ā 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
Ā 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
Ā 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
Ā 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Ā 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Ā 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
Ā 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
Ā 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Ā 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Ā 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Ā 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Ā 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
Ā 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Ā 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Ā 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Ā 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Ā 

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

  • 1. Introduction Vulnerable code samples Addressing code injection Conclusions Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages Pablo OrduĖœa, Aitor Almeida, Unai Aguilera, Xabier Laiseca, n Diego LĀ“pez-de-IpiĖœa, Aitor GĀ“mez-Goiri o n o September 9th, 2010 Future Internet - Elkarlaneko ikerkuntza estrategikorako programa; ETORTEK 2008 img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 2. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Introduction The Semantic Web is based on a set of technologies: XML RDF OWL ... img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 3. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Query Languages New technologies have been developed to query the ontologies later later RDQL āˆ’ āˆ’ SPARQL āˆ’ āˆ’ SPARUL āˆ’ā†’ āˆ’ā†’ These new query languages are based on SQL RDQL and SPARQL ā†’ Read-only query languages introduces SPARUL (SPARQL/Update) āˆ’ āˆ’ āˆ’ āˆ’ modiļ¬cation āˆ’ āˆ’ āˆ’ā†’ capabilities SPARQL Sample: 1 PREFIX injection: <http://www.morelab.deusto.es/ injection.owl#> 2 SELECT ?p1 3 WHERE { 4 ?p1 a injection:Person . 5 } img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 4. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Security issues The use of these new query languages introduce vulnerabilities already found in a bad use of query languages Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known Libraries provide tools to sanitize user input in these languages A proper usage of the query languages is required in order to face new techniques, including: (Blind) SPARQL Injection SPARUL Injection img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 5. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection The following query is assumed to retrieve the friends of a user whom fullName is provided by the variable name The ontology is available in http://www.morelab.deusto.es/injection.owl img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 6. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 " + 4 "WHERE {" + 5 " ?p1 a injection:Person . " + 6 " ?p2 a injection:Person . " + 7 " ?p1 injection:fullName ā€™" + name + "ā€™ . " + 8 " ?p1 injection:isFriendOf ?p2 . " + 9 " ?p1 injection:fullName ?name1 . " + 10 " ?p2 injection:fullName ?name2 . " + 11 "}"; 12 Query query = QueryFactory.create(queryString); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 7. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection This code can be exploited to retrieve any information in the ontology The problem is that the variable name has not been sanitized This variable can include SPARQL code, and thus modify the query itself A variable with malicious content can be found in the next slide img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 8. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™" + name + "ā€™ . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 " ?p1 injection:fullName ?name1 . " + 9 " ?p2 injection:fullName ?name2 . " + 10 "}"; 11 String name = "Pablo Ordunaā€™ . " + 12 "?b1 a injection:Building . " + 13 "?b1 injection:name ?name1 . " + 14 "} #"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 9. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™" + "Pablo Ordunaā€™ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + "ā€™ . " + 10 " ?p1 injection:isFriendOf ?p2 . " + 11 " ?p1 injection:fullName ?name1 . " + 12 " ?p2 injection:fullName ?name2 . " + 13 "}"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 10. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The ļ¬nal query 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™Pablo Ordunaā€™ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + /* From this point everything 10 is commented and thus ignored */ "ā€™ . " + 11 " ?p1 injection:isFriendOf ?p2 . " + 12 " ?p1 injection:fullName ?name1 . " + 13 " ?p2 injection:fullName ?name2 . " + 14 "}"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 11. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection This code will return the name of the building instead of the name of a user It is possible to use the ļ¬‚exibility of SPARQL to perform other kind of queries retrieving any information in the ontology img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 12. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Introducing Blind SPARQL Injection The previous sample was especially vulnerable since it returned a string It is possible to retrieve any information as a string Strings are usually not retrieved in SPARQL, but individuals What if the returning value is an individual? Itā€™s still possible to retrieve any information If itā€™s possible to know if a given query is true or false, itā€™s possible to iteratively retrieve any information The following code retrieves the individuals themselves Itā€™s possible to know if the query provided or not the individuals img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 13. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 4 "SELECT ?p1 ?p2 " + 5 "WHERE {" + 6 " ?p1 a injection:Person . " + 7 " ?p2 a injection:Person . " + 8 " ?p1 injection:fullName ā€™" + name + "ā€™Ė†Ė†xsd :string . " + 9 " ?p1 injection:isFriendOf ?p2 . " + 10 "}"; 11 Query query = QueryFactory.create(queryString); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 14. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Once again, the variable name has not been sanitized So itā€™s still possible to inject SPARQL code The injected code canā€™t return a building or the building name But, adding a condition like ā€œdoes the building name start by this letterā€ we will get: The common results ā†’ so the building name starts by that letter No results ā†’ so the building name does not start by that letter img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 15. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = /* PREFIXES ... */ 2 "SELECT ?p1 ?p2 " + 3 "WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™" + name + "ā€™Ė†Ė†xsd :string . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 "}"; 9 String name = "Pablo Ordunaā€™ . " + 10 "?b1 a injection:Building . " + 11 "?b1 injection:name ?buildingName . " + 12 "FILTER regex(?buildingName, "Ė†" + s + ".*") . " + 13 "} #"; // }:-D img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 16. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The ļ¬nal query would be. . . 1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?p1 ?p2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ā€™Pablo Ordunaā€™ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?buildingName . " + 9 " FILTER regex(?buildingName, "Ė†" + s + ".*") . " + 10 " } #" + /* from here ignored*/ "ā€™Ė†Ė†xsd:string . " + 11 " ?p1 injection:isFriendOf ?p2 . }"; img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 17. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Querying recursively. . . 1 public static String recursively(String letters) throws Exception{ 2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++ i){ 3 char c = POSSIBLE_LETTERS.charAt(i); 4 if(tryBlind(letters + c)){ 5 System.out.println(c); 6 return "" + c + recursively(letters + c); 7 } 8 } 9 return ""; 10 } img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 18. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection It is possible to optimize this system using binary search Performing queries using Regular Expressions like Ė†[A-M].* to know if the char is between the char A and M Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60) Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160) The point is that itā€™s possible to retrieve any information in the ontology independently from the values returned by the query img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 19. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection Introducing SPARQL/Update Injection All the previous examples are executed in read-only query languages SPARUL introduces the chance to modify the ontology INSERT, MODIFY and DELETE statements are available The following sample modiļ¬es the fullName of the resource injection:Pablo, setting it to the value of the variable name img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 20. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String updateString = "PREFIX injection: <http:// www.morelab.deusto.es/injection.owl#> " + 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "DELETE {" + 4 " injection:Pablo injection:fullName ?name1 "+ 5 "} WHERE {" + 6 " injection:Pablo injection:fullName ?name1" + 7 "}n INSERT {" + 8 " injection:Pablo injection:fullName ā€™" + name + "ā€™Ė†Ė†xsd:string" + 9 "}"; 10 UpdateRequest update = UpdateFactory.create( updateString); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 21. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String name = "Pablo Ordunyaā€™Ė†Ė†xsd:string" + 2 "} n " + 3 "INSERT {" + 4 " injection:Pablo injection:isFriendOf injection:EvilMonkey" + 5 "} #"; // }:-D 6 String result = sample.run(name); With this vulnerability, it is possible to modify the whole ontology. img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 22. Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Addressing code injection Mechanisms provided by the library must be used (if provided) Not as simple as scaping the ā€™ characters: the string u0027 is a simple quote, just as in Java 1 System.out.println("au0022.length() + u0022b".length()); 2 // This code prints "2", the result of ("a".length() + "b".length()) 3 // since u0022 will be replaced by " even if it is commented or inside 4 // String img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 23. Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Frameworks In Jena, the initialBinding argument can be used in the QueryExecutionFactory 1 // initial binding 2 QuerySolutionMap initialBinding = new QuerySolutionMap(); 3 RDFNode parameterizedName = model.createLiteral( name); 4 initialSetting.add("thename", parameterizedName); 5 6 // Perform the query 7 Query query = QueryFactory.create(queryString); 8 QueryExecution qe = QueryExecutionFactory.create( query, model, initialBinding); 9 ResultSet results = qe.execSelect(); img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 24. Introduction Vulnerable code samples Addressing code injection Conclusions Conclusions Not sanitizing the user input might add a set of security vulnerabilities in our systems In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore they should also be taken into account when working with them img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 25. Introduction Vulnerable code samples Addressing code injection Conclusions Questions? DeustoTech - Internet http://www.morelab.deusto.es Pablo OrduĖœan pablo.orduna@deusto.es Aitor Almeida aitor.almeida@deusto.es Unai Aguilera unai.aguilera@deusto.es Xabier Laiseca xabier.laiseca@deusto.es Diego LĀ“pez-de-IpiĖœa o n dipina@deusto.es Aitor GĀ“mez-Goiri o aitor.gomez@deusto.es img/deustotech.png P. OrduĖœa, A. Almeida, U. Aguilera, X. Laiseca, D. LĀ“pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .