Joshua S. Clark, CISSP
Security Consultant
• Second Order SQL Injection (10 minutes)
• Response to Customer Email (5 minutes)
• Q&A (5 minutes)
Overview & Prevention
What is it?
• Indirect way of attacking an application
• Malicious SQL gets saved into the database
• SQL is used in another query elsewhere
• Example:
1. Create a user
2. Change the user's password
Example: Insert/Read/Update Users
UserName   Password
Josh       abc
✔
Example: Malicious Insert/Read/Update Users
UserName   Password
hacker'--  abc
✖
Recommendations
• Perform Input Validation on all user-supplied data with a whitelist
• Use parameterized queries
• Use stored procedures instead of dynamic SQL
• Consider using an Object-Relational Mapping tool
Action #1: Input Validation with Whitelist
• Code Example
<?php
// $check_if_value_is_permitted() should be a whitelist check that returns
// only input known to be good, and false otherwise
$safeValue = $check_if_value_is_permitted($_GET['name']);
if (!$safeValue) {
    // reject the request; never fall through to the query with unvalidated data
    exit('Invalid input');
}
$stmt = $dbh->prepare("INSERT INTO CustomersDB (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);
// insert one row (bindParam binds by reference, so the values set here are used at execute())
$name = '1';
$value = $safeValue;
$stmt->execute();
Action #2: Use Parameterized Queries
• Code Example
<?php
$stmt = $dbh->prepare("INSERT INTO CustomersDB (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
// With this method the parameter values are never spliced into the query text; they are
// sent to the database separately when execute() is called
Action #3: Use Stored Procedures
• Code Example
<?php
$stmt = $dbh->prepare("CALL sp_returns_cust_count (?)");
// bind the procedure's output parameter (PDO::PARAM_INT, max length 1)
$stmt->bindParam(1, $return_value, PDO::PARAM_INT, 1);
// call the stored procedure
$stmt->execute();
print "procedure returned $return_value\n";
?>
// Parameters must still be bound in this example; doing so prevents the same type of
// SQL injection attack
Overview & Prevention
Exploit
Code Review: SQL Injection Vuln
6 $query = "SELECT * FROM listings WHERE id = ".$_GET['id'];
7 //Vulnerability exists at line 8
8 $result = mysql_query($query);
• SQL injection occurs when:
1. Data enters an application from an untrusted source
2. The data is used to dynamically construct a SQL query
• An attacker could pass 1' OR 1=1 to the id variable, which would be
the same as returning all the listings
• Even worse, an attacker could pass 1'; DROP table listings,
which would delete the listings table
Code Review: Remediation Steps
$_GET['id'] = str_replace("/", "", $_SERVER['PATH_INFO']);
// Step 1: Input Validation: check id against an allowed whitelist if possible
$safeValue = $validateInput($_GET['id']);
// Step 2: Use a positional parameter in the query
$listing_id = intval($safeValue);
$query = "SELECT * FROM listings WHERE id = ?";
// Step 3: Use mysqli instead of mysql_query()
$stmt = $mysqli->prepare($query);
// Step 4: Bind the parameter (type "i" = integer) and execute
$stmt->bind_param("i", $listing_id);
$stmt->execute();
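The remediation steps above (validate against a whitelist, then bind the value as a parameter) and the whitelist advice from Action #1, worked through in Python against a constructed SQLite `listings` table. This is an added example, not the deck's code: the validators, the sample rows and the sort-column list are assumptions made here. It goes slightly beyond the slide by also showing the case where a whitelist is the only available defence: a column name used in ORDER BY cannot be bound as a parameter, so it must be matched exactly against values the application itself defines.

```python
import re
import sqlite3

# Identifiers (column names) cannot be bound as parameters, so anything that ends
# up in ORDER BY must come from this fixed whitelist, never from the request.
ALLOWED_SORT_COLUMNS = ("id", "title", "price")


def validate_listing_id(raw):
    """Whitelist check for a listing id: 1-9 decimal digits and nothing else.
    Returns the integer on success and None on rejection (no fall-through)."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,9}", raw) is None:
        return None
    return int(raw)


def validate_sort_column(raw):
    """Whitelist check for a column name: exact match against the allowed set."""
    return raw if raw in ALLOWED_SORT_COLUMNS else None


def setup_db():
    # Constructed sample table standing in for the deck's `listings` table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, price INTEGER)")
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?)",
                     [(1, "bike", 50), (2, "desk", 120), (3, "lamp", 15)])
    return conn


def get_listing(conn, raw_id):
    """Step 1 validate, step 2 bind. Returns the matching rows, or None when the
    input was rejected (the caller answers with an error instead of querying)."""
    listing_id = validate_listing_id(raw_id)
    if listing_id is None:
        return None
    return conn.execute("SELECT id, title, price FROM listings WHERE id = ?",
                        (listing_id,)).fetchall()


def list_listing_ids(conn, raw_sort):
    """Sorting by a request-supplied column: the whitelist is the only defence,
    because a bound parameter in ORDER BY is treated as a constant, not a column."""
    column = validate_sort_column(raw_sort)
    if column is None:
        return None
    # Safe to interpolate: `column` is one of our own literals, never request text
    rows = conn.execute("SELECT id FROM listings ORDER BY %s" % column).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = setup_db()
    print(get_listing(conn, "1"))              # [(1, 'bike', 50)]
    print(get_listing(conn, "1' OR 1=1"))      # None: rejected before any query runs
    print(list_listing_ids(conn, "price"))     # [3, 1, 2]
    print(list_listing_ids(conn, "price DESC"))  # None: not in the whitelist
```

Note that `intval()` in the slide and `validate_listing_id()` here both turn the id into an integer before it reaches the query; the difference is that the validator refuses the request outright instead of silently coercing junk to 0.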
Email (1/2)
Dear Customer XYZ,
My name is Joshua Clark and I will be assisting you with the review of your scan. After reviewing the source code we identified a
SQL injection vulnerability within the code that you provided. The vulnerability exists on line 7 of source_file.php. See below:
7: $result = mysql_query($query);
SQL injection occurs when:
1) Data enters an application from an untrusted source
2) The data is used to dynamically construct a SQL query
In this case data is passed to mysql_query() on line 7 from an untrusted source such as $_GET['id']. An attacker could pass in
a value of 1' OR 1=1 as the id value, which would result in the following query being executed:
SELECT * FROM listings WHERE id = 1' OR 1=1
This would result in returning all the rows from the database instead of just 1 record as expected. The attacker could also try to
execute dangerous SQL commands by entering: 1'; DROP table listing;-- which would delete the listings table altogether.
Email (2/2)
In order to prevent SQL injection we have the following recommendations for your code:
1) Perform Input Validation on all user-supplied variables
-> In the case above simply adding intval($_GET['id']) will remove the SQL injection vulnerability, but there may also be an
access control check needed here as well.
2) Use parameterized queries for dynamic queries
-> When using dynamic SQL, prepared statements eliminate SQL injection vulnerabilities
3) Use Stored Procedures when possible
4) Use the updated/recommended mysqli() function instead of the mysql_query() function because it has many advantages over the
previous function, such as:
-> Prepared Statements
-> Object-Oriented Interface
-> Enhanced Debugging Support
Regards,
Joshua S. Clark, CISSP
Application Security Consultant