Your SlideShare is downloading. ×
libinjection and sqli obfuscation, presented at OWASP NYC
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

libinjection and sqli obfuscation, presented at OWASP NYC

1,247
views

Published on

SQL that isn't caught by WAFs but also isn't used (yet) by attackers! Why detecting SQLi is good, and why doing it with regular expressions is hard. And re-introducing libinjections which is a new …

SQL that isn't caught by WAFs but also isn't used (yet) by attackers! Why detecting SQLi is good, and why doing it with regular expressions is hard. And re-introducing libinjections which is a new way of detecting SQLi attacks.

This is a mashup of my Black Hat USA 2012 and DEFCON 20 talks, refreshed and updated.

Published in: Technology

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,247
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
33
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Transcript

    • 1. libinjection and SQLi ObfuscationOWASP NYNew York, NYSeptember 20, 2102 Nick Galbreath @ngalbreath nickg@client9.com
    • 2. http://client9.com/20120920 Follow along at your own pace
    • 3. libinjection first presented atBlack Hat USA 2012http://client9.com/20120725 iSEC Partners party at Bellagio
    • 4. SQLi Obfuscation first presented atDEFCON 20http://client9.com/20120727/
    • 5. All photos where taken by me last weekon Marthas Vineyard, MA or fromprevious conferences.Unless its a picture of a clownOr otherwise noted.Then it came from The Internet. Thanks Internet!
    • 6. The Next 30 Minutes• Why detecting SQLi is Important• SQL you didnt know about• Why detecting SQLi is a hard problem• Why current solutions arent so good• The libinjection algorithm and library
    • 7. Why Detect SQLi• Even if you know 100% of your queries are parameterized...• Knowing who and how often SQLi attacks is still good to know• Graph the attacks! Make security visible! Great internal PR.
    • 8. So Lets Detect SQLi !!!!Its Easy to Get Startedwith Regular Expressions s/UNIONs+(ALL)?/i ‣ At least two open source WAF use regular expressions. ‣ Failure cases in closed-source WAFs also indicate regexp.
    • 9. 1992 SQL Spec625 pages plain text
    • 10. 2003 SQL Spec128 pages pure BNF
    • 11. NULL
    • 12. MySQL NULL AliasMySQL NULL can written as Ncase sensitive. n is not a null. This means any WAF that does a "to_lower" on the user input and looks for "null" will miss this case.
    • 13. Numbers
    • 14. Integer Forms• [0-9]+• 0x[0-9a-fA-F]+ 0xDEADbeef MySQL, MSSQL 0x is case sensitive• 0x MSSQL only• xDEADbeef PgSQL• b10101010 MySQL, PgSQL• 0b010101 MySQL
    • 15. Floating Point• digits• digits[.]• digits[.]digits http://bit.ly/Qp6KTu• digits[eE]digits • digits[.]digits[eE]digits• digits[eE][+-]digits • [.]digits• digits[.][eE]digits • [.]digits[eE]digits• digits[.]digits[eE][+-]digits • [.]digits[eE][+-]digits Optional leading unary operator [+-]
    • 16. Floating Point, Oracle• Everyone of the previous formats can have a trailing [dDfF]• But why use numbers as all? Special literals, maybe case sensitive: • binary_double_infinity • binary_double_nan • binary_float_infinity • binary_float_nan
    • 17. MSSQL Money Literals • -$45.12 • $123.0 • +$1,000,000.00 Commas ignored • Other "monetary symbols" ignored • Autocasts to everything
    • 18. Parser Differences• 1. AND 2 vs.• 1.AND 2 vs.• 1.AND2 (no space between "1." "AND" and "2")• some parsers accept (MySQL), some dont (sqlite3)
    • 19. Comments
    • 20. MySQL # Comment• # signals an till-end-of-line Comment• Well used in SQLi attacks• However... # is an operator in PgSQL. Beware that s/#.*n// will delete code that needs inspecting.• Lots of other MySQL comment oddities: http://dev.mysql.com/doc/refman/5.6/ en/comments.html
    • 21. PGSQL Comments• Besides the usual -- comment• PgSQL has nested C-Style Comments•/* foo /* bar */ */• Careful! What happens when you remove comments in /* /* */ UNION ALL /* */ */
    • 22. Strings
    • 23. C-Style String Merging• C-Style consecutive strings are merged into one.• SELECT foo bar;• SELECT foo "bar"; (mysql)• SQL Spec and PgSQL requires a newline between literals: SELECT foo bar;
    • 24. Standard Unicode• N.... or n...• MSSQL Case-sensitive N• Not sure on escaping rules.
    • 25. MySQL Ad-Hoc Charset• _charset....• _latin1.....• _utf8....
    • 26. PGSQL Dollar QuotingFrom http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-COMMENTSA dollar-quoted string constant consists of a dollar sign($), an optional "tag" of zero or more characters, anotherdollar sign, an arbitrary sequence of characters thatmakes up the string content, a dollar sign, the same tagthat began this dollar quote, and a dollar sign. Forexample, here are two different ways to specify thestring "Diannes horse" using dollar quoting:$$Diannes horse$$$SomeTag$Diannes horse$SomeTag$ Want more fun? They can be nested!
    • 27. PGSQL UnicodeFrom http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html emphasis mine:... This variant starts with U& (upper or lower case U followed by ampersand) immediately before theopening double quote, without any spaces in between, for example U&"foo". (Note that this creates anambiguity with the operator &. Use spaces around the operator to avoid this problem.) Inside the quotes,Unicode characters can be specified in escaped form by writing a backslash followed by the four-digithexadecimal code point number or alternatively a backslash followed by a plus sign followed by a six-digithexadecimal code point number. For example, the identifier "data" could be written asU&"d0061t+000061"The following less trivial example writes the Russian word "slon" (elephant)in Cyrillic letters:U&"0441043B043E043D"If a different escape character than backslash isdesired, it can be specified using the UESCAPE clauseafter the string, for example:U&"d!0061t!+000061" UESCAPE !
    • 28. Oracle Q Stringhttp://docs.oracle.com/cd/B28359_01/appdev.111/b28370/fundamentals.htm#autoId6q!...! notation allows use of single quotes inside literalstring_var := q!Im a string!;You can use delimiters [, {, <, and (, pair them with ], }, >, and ),pass a string literal representing a SQL statement to asubprogram, without doubling the quotation marks aroundINVALID as follows:func_call(q[SELECT index_name FROM user_indexes WHERE status =INVALID]);
    • 29. Operators and Expressions
    • 30. Ridiculous Operators• != not equals, standard • ||/ cube root (pgsql)• <=> (mysql) • ** exponents (oracle• <> (mssql)• ^= (oracle)• !>, !< not less than (mssql)• / oracle• !! factorial (pgsql)• |/ sqaure root (pgsql)
    • 31. Expressions!• Using the common query extension of "OR 1=1"• Besides using literals, one can use functions: •COS(0) = SIN(PI()/2) •COS(@VERSION) = - SIN(@VERSION + PI()/2)
    • 32. EXCEPT (mssql) MINUS (Oracle)• Like UNION, UNION ALL• But returns all results from first query minus/except the ones from the second query• There is also INTERSECT and MINUS as well.• I think someone clever could use these, typically not in WAF rules.
    • 33. Side Note: "IN" lists• e.g. ....WHERE id IN (1,2,3,4) ....• These have to be manually created.• There is no API or parameter binding for this construct in any platform,framework or language.• There is no consistent, safe way to make this (other than convention,
    • 34. What happens whenregular expressions are used to capture these rules?
    • 35. (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+()(?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~])(?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=&&)w+()|(?:"[sd]*[^ws]+W*dW*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]+"[^,])(?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|][ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+")(?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[sw]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*()(?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=|or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*")(?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*()(?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()])(?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!+"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(])(?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+)(?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*[[(]?w{2,})(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto)(?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs*(s*@)(?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{))(?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";?s*(?:select|union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+(?:dump|out)files*")(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*()(?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*(s*spaces*()(?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)])(?:(sleep((s*)(d*)(s*))|benchmark((.*),(.*))))
    • 36. Unicorn Alert!‣ At Black Hat USA 2005, Hanson and Patterson presented: Guns and Butter: Towards Formal Axioms of Validation (http://bit.ly/OBe7mJ)‣ …formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct.‣ (summary from libdejector documentation)
    • 37. Can we do better?
    • 38. libinjection
    • 39. Key Insight‣ A SQLi attack must be parsed as SQL within the original query.‣ SQL has a rigid syntax ‣ it works, or its a syntax error. ‣ Compare this to HTML/XSS rules‣ "Is it a SQLi attack?" becomes "Could it be a SQL snippet?"
    • 40. Only 3 ContextsUser input is only "injected" into SQL in threeways:‣ As-Is‣ Inside a single quoted string‣ Inside a double quoted stringMeans we have to parse input three times.Compare to XSS
    • 41. Identification of SQL snippets without context is hard‣ 1-917-660-3400 my phone number or ... an arithmetic expression in SQL?‣ @ngalbreath my twitter account or ... a SQL variable?‣ English-like syntax and common keywords: union, group, natural, left, right, join, top, table, create, in, is, not, before, begin, between
    • 42. Existing SQL Parsers‣ Only parse their flavor of SQL‣ Not well designed to handle snippets‣ Hard to extend‣ Worried about correctness ... so I wrote my own! ... so I wrote my own!
    • 43. Tokenization‣ Converts input into a stream of tokens‣ Uses "master list" of keywords and functions across all databases.‣ Handles comments, string, literals, weirdos.
    • 44. 5000224 UNION USER_ID>0--[ (...500224, string), (UNION, union operator), (USER_ID, name), (>, operator), (0, number), (--....., comment) ]
    • 45. Meet the Tokens‣ none/name ‣ group-like operation‣ variable ‣ union-like operator‣ string ‣ logical operator‣ regular operator ‣ function‣ unknown ‣ comma‣ number ‣ semi-colon‣ comment ‣ left parens‣ keyword ‣ right parens
    • 46. Merging, Specialization, Disambiguation‣ "IS", "NOT" ==> "IS NOT" (single op)‣ "NATURAL", "JOIN" => "NATURAL JOIN"‣ ("+", operator) -> ("+", unary operator)‣ (COS, function), (1, number) ==> (COS, name), (1, number) functions must be followed with a parenthesis!
    • 47. Folding‣ This step actually isnt needed to detect, but Text is needed to reduce false positives.‣ Converts simple arithmetic expressions into a single value, and does not try to evaluate.‣ 1-917-660-3400 -> "1" pics courtesy The Internet pics
    • 48. Knows nothing about SQLi ‣ So far this is purely a parsing problem. ‣ Knows nothing about SQLi (which is evolving) ‣ Can be 100% tested against any SQL input (not SQLi) for correctness. ‣ Language independent test cases$ cat test-tokens-numbers-floats-003.txt--TEST--floating-point parsing test--INPUT--SELECT .0;--EXPECTED--k SELECT1 .0; ;
    • 49. Fingerprints‣ The token types of a user input form a hash or a fingerprint. ‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ ‣ becomes "sUk1,1,1,1,1,1,1,1,&"‣ Now lets generate fingerprints from Real World Data.‣ Can we distinguish between SQLi and benign input? pics courtesy The Internet
    • 50. Training on SQLi‣ Parse known SQLi attacks from ‣ SQLi vulnerability scanners ‣ Published reports ‣ SQLi How-Tos and Cheet Sheets‣ > 32,000 total‣ Since Black Hat, donations from ‣ modsecurity ‣ Qualys‣ > 50,000 total
    • 51. Training on Real Input‣ 100s of Millions of user inputs from Etsys access logs were also parsed.‣ Large enough to get a good sample (Top 50 USA site)‣ Old enough to have lots of odd ways of query string formatting.‣ Full text search with an diverse subject domain
    • 52. How many tokens areneeded to determine ifuser input is SQLi or not?
    • 53. no matter how long the input
    • 54. 632 out of 1,048,576 are SQLi&1o1U &f()o &f(1) 1&((f 1&((k 1&(1) 1&(1, 1&(1o 1&(f( 1&(k( 1&(k1 1&(kf 1&(kk 1&(kn 1&(ko 1&(v) 1&1Bf 1&1Uk 1&1f( 1&1o(1&1o1 1&1of 1&1ok 1&1on 1&1oo 1&1ov 1&f(( 1&f() 1&f(1 1&f(f 1&f(k 1&f(n 1&f(v 1&k(1 1&k(f 1&k1k 1&kUk 1&kk1 1&n() 1&no11&nos 1&o(1 1&o1o 1&sU( 1&so1 1&sos 1)&(1 1)&(f 1)&(k 1)&(n 1)&1B 1)&1U 1)&1f 1)&1o 1)&f( 1)&o( 1)()s 1))&( 1))&1 1))&f1))&o 1)))& 1)))) 1))); 1)))B 1)))U 1)))k 1)))o 1));k 1))B1 1))Uk 1))Un 1))k1 1))kk 1))o( 1))o1 1))of 1))ok 1))on 1),(11);k& 1);k( 1);kf 1);kk 1);kn 1);ko 1)B1 1)B1& 1)B1c 1)B1o 1)U(k 1)Uk1 1)Ukf 1)Ukk 1)Ukn 1)Unk 1)k1 1)k1c 1)k1o 1)kks1)o(1 1)o(k 1)o(n 1)o1B 1)o1f 1)o1k 1)o1o 1)of( 1)ok( 1)ok1 1)on& 1)ono 1,(f( 1,(k( 1,(k1 1,(kf 1,1), 1,1)o 1,1B1 1,1Uk1,f(1 1,s), 1;k&k 1;k(( 1;k(1 1;k(o 1;k1, 1;kf( 1;kks 1;kn( 1;kn, 1;knc 1;ko( 1;kok 1B1 1B1,1 1B1,n 1B1Uk 1B1c 1B1k11B1ks 1Bf(1 1Bf(f 1Bk(1 1Bn,n 1Bnk1 1U((k 1U(k1 1U(kf 1U(kn 1U1,1 1Uc 1Uk 1Uk(1 1Uk(k 1Uk(n 1Uk1 1Uk1, 1Uk1c 1Uk1f1Uk1k 1Uk1n 1Uk1o 1Ukf 1Ukf( 1Ukf, 1Ukk( 1Ukk, 1Ukk1 1Ukkk 1Ukkn 1Ukn& 1Ukn( 1Ukn, 1Ukn1 1Uknc 1Uknk 1Ukno 1Ukns 1Uko11Ukok 1Uks, 1Uksc 1Ukv 1Ukv, 1Ukvc 1Un,1 1Un1, 1Unk( 1Unk1 1Unkf 1Uon1 1f()k 1k1U( 1k1Uk 1k1c 1kU1, 1kf(1 1kk(1 1kksc1knkn 1n&f( 1nUk1 1nUkn 1nk1c 1nkf( 1o((( 1o((1 1o((f 1o(1) 1o(1o 1o(f( 1o(k( 1o(k1 1o(kf 1o(kn 1o(kv 1o(n) 1o(s) 1o1)&1o1)o 1o1Bf 1o1Uk 1o1f( 1o1kf 1o1o( 1o1o1 1o1of 1o1oo 1o1ov 1of() 1of(1 1of(f 1of(n 1of(s 1ok(1 1ok(k 1ok1 1ok1, 1ok1c1ok1k 1okf( 1oks, 1oksc 1okv, 1onos 1oso1 ;kknc Uk1,1 Uk1,f Uk1,n Ukkkn f((k( f((kf f()&f f()of f(1)& f(1)o f(1,f f(1o1f(f() f(f(1 f(k() f(k,( f(k,n f(n() f(v,1 k()ok k(1)U k(ok( k(vv) k1,1, k1,1c k1,1k k1,f( k1k(k k1o(s k;non kf(1) kf(1,kf(f( kf(n, kf(o) kf(v: kk(f( kk1f( kk1fn kk1kk kk1nk kk1vk kk1vn kn1kk kn1vk kn1vn ko(k( ko(kf kok(k kv) kvk(1 n&(1)n&(k1 n&(o1 n&1f( n&1o( n&1o1 n&1of n&1oo n&f(1 n&f(f n&k(1 n&o1o n)&(k n)&1f n)&1o n)&f( n))&( n))&1 n))&f n)))& n)));n)))k n)))o n));k n))kk n))o( n))o1 n))of n))ok n);k& n);k( n);kf n);kk n);kn n);ko n)k1o n)kks n)o(k n)o1& n)o1f n)o1on)of( n)ok( n,(f( n,(k( n,(k1 n,(kf n,f(1 n:o1U n;k&k n;k(( n;k(1 n;kf( n;kks n;kn( n;ko( n;kok nUk(k nUk1, nUkn, nUnk(nk1Uk nkf(1 nkksc nnn)U nno1U no(k1 no(o1 no1&1 no1Uk no1f( no1o( no1o1 no1of no1oo nof(1 nok(1 nok(k o1kf( oUk1, of()oof(1) ok1o1 okkkn ook1, s&(1) s&(1, s&(1o s&(f( s&(k) s&(k1 s&(kf s&(ko s&1Bf s&1Uk s&1c s&1f( s&1o( s&1o1 s&1of s&1ons&1oo s&1os s&1ov s&f(( s&f() s&f(1 s&f(f s&f(v s&k&s s&k(1 s&k(o s&k1o s&kc s&knk s&ko( s&ko1 s&kok s&kos s&n&s s&no1s&nos s&o(1 s&o(k s&o1o s&okc s&oko s&os s&sos s&v:o s&vos s&vso s)&(1 s)&(k s)&1B s)&1f s)&1o s)&f( s)&o( s))&( s))&1s))&f s))&n s))&o s)))& s))); s)))B s)))U s)))k s)))o s));k s))B1 s))Uk s))Un s))k1 s))kk s))o( s))o1 s))of s))ok s),(1s);k& s);k( s);kf s);kk s);kn s);ko s)B1 s)B1& s)B1c s)B1o s)U(k s)Uk1 s)Unk s)k1 s)k1c s)k1o s)kks s)o(1 s)o(k s)o1Bs)o1f s)o1k s)o1o s)of( s)ok( s)ok1 s,1), s;k&k s;k(( s;k(1 s;k(o s;k1, s;k1o s;k; s;k[k s;k[n s;kf( s;kkn s;kks s;kn(s;knk s;knn s;ko( s;kok s;kvc s;kvk s;n:k sB1 sB1&s sB1Uk sB1c sB1os sU((k sU(k( sU(kk sU(kn sU(ks sUk(k sUk1 sUk1&sUk1, sUk1c sUk1k sUk1o sUkf( sUkk1 sUkkk sUkn( sUkn, sUkn1 sUknk sUkok sUkv, sUkvc sUn(k sUnk1 sUnkf sUno1 sf(1) sf(n,sf(s) sk)&( sk)&1 sk)&f sk);k sk)B1 sk)Uk sk)Un sk)k1 sk)kk sk)o( sk)o1 sk)of sk)ok sk1&1 sk1Uk sk1c sk1o1 sk1os skU1,skks skksc sn,f( sno1U so((( so((k so((s so(1) so(1o so(f( so(k) so(k1 so(kk so(kn so(ko so(ks so(os so(s) so1&1 so1&oso1&s so1Bf so1Uk so1c so1f( so1kf so1o( so1o1 so1of so1ok so1oo so1os so1ov sof() sof(1 sof(f sof(k sok&s sok(1 sok(ksok(o sok(s sok1 sok1, sok1c sok1o sokc sokf( sokn, soknk soko( soko1 sokok sokos sonk1 sono1 sonos sos sos&( soso(sosos sov&1 sov&s sov:o sovo1 sovok sovos sovov sovso v:o1) vUk1, vok1, as of 2012-09-20
    • 55. The LibraryOn GitHub Now~500 Lines of CodeOne file + dataNo memory allocationNo threadsNo external dependenciesFixed stack size>100k checks a second
    • 56. tada#include "sqlparse.h"#include <string.h>int main(){ const char* ucg = "1 OR 1=1"; // input should be normalized, upper-cased // You can use sqli_normalize // if you dont have your own function sfilter sf; return is_sqli(&sf, ucg, strlen(ucg));}$ gcc -Wall -Wextra sample.c sqlparse.c$ ./a.out$ echo $?1
    • 57. Work inProgress
    • 58. Whats Next?• Change API to allow passing in fingerprint data or a function. Allows upgrades without code changes.• Can we reduce the number of tokens? String, variables, numbers are all just values.• Folding of comma-separated values? 1,2,3,4 => 1• Can we just eliminate all parenthesis?
    • 59. Help!• More SQLi from the field please!• False positives welcome• More test cases with exotic SQL to test parser.• Ports to other languages (the language- neutral test framework should make this easier).• Compiling on Windows (mostly tested on Mac OS X and Linux)
    • 60. Do you have a commercial WAF?• Set up a dead page and let me poke it.• Curious on false positives and false negatives.
    • 61. Slides and Source Code:http://www.client9.com/libinjection/Nick Galbreath@ngalbreathnickg@client9.com Oct 25, OWASP USA, Austin, Texas Continuous Deployment and Security