Presentation slides

  1. The Threat of SQL Injection. Is your information safe? By: Jordon Janelle … …

  2. Abstract
     • The purpose of our presentation and report.
       • Inform the user about SQL Injection.
       • Explain common mistakes and easy fixes to minimize risk.
       • Evaluate programs to actively detect when SQL injection attacks occur.
       • Review tools which can be used to identify weaknesses.

  3. What is SQL Injection?
     • SQL Injection is when a malicious user attempts to run queries on a database that were not intended.
     • SQL Injection is only the first step.
       • Oracle
       • Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'
       • http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
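The "common mistake" and "easy fix" the abstract promises, shown side by side. This is an added example and not code from the presentation: it builds a constructed in-memory SQLite table and runs the same lookup once with the user's value pasted into the statement text and once as a bound parameter. The name `O'Brien` is an ordinary input that happens to contain a quote; it breaks the concatenated query (the kind of database error an administrator alert on the "Discover" slide would catch) while the parameterized query treats it as plain data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "O'Brien", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Common mistake: the user-supplied value becomes part of the statement
    # text, so a quote character in the input changes the shape of the query.
    query = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Easy fix: a parameterized query. The value is sent separately from the
    # statement, so the database never parses it as SQL.
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Return (unsafe_result, safe_result) for one input.

    If the concatenated query fails to parse, an "error: ..." string stands
    in for the exception so both outcomes can be inspected together.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + str(exc)
    safe = lookup_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for candidate in ("alice", "O'Brien"):
        unsafe, safe = compare(candidate)
        print(f"{candidate!r}: unsafe={unsafe}  safe={safe}")
```

The point to take from the output is that the parameterized version returns the `O'Brien` row correctly while the concatenated version does not even produce a valid statement; any input that can alter the statement's structure when pasted in can, by the same mechanism, alter its meaning.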
  4. The History of SQL Injection
     • 1998 – rfp (rain forest puppy) writes an article called “NT Web Technology Vulnerabilities” for Phrack 54
     • February 1999 – Allaire releases advisory – “Multiple SQL Statements in Dynamic Queries”
     • May 1999 – rfp and Matthew Astley release advisory with the title “NT ODBC Remote Compromise”
     • February 2000 – “How I hacked Packetstorm – A look at hacking wwwthreads via SQL” – by rfp
     • September 2000 – “Application Assessments on IIS” – Blackhat – David Litchfield

  5. The History of SQL Injection
     • October 2000 – SQL Injection FAQ – Chip Andrews – the first public usage of the term “SQL Injection” in a paper
     • April 2001 – “Remote Web Application Disassembly with ODBC Error Messages”
     • January 2002 – Chris Anley releases “Advanced SQL Injection”
     • June 2002 – “(more) Advanced SQL” – Chris Anley – From: “SQL Injection and Data Mining through Inference”, David Litchfield

  6. Examples of SQL injection
     • Mass hack infects tens of thousands of sites
       • Using the same malicious SQL injection, over 160,000 sites were infected.
       • http://www.computerworld.com.au/index.php/id;683627551

  7. What is at risk?
     • PII systems (Personally Identifiable Information)
       • Hospital Records
       • Government
       • Health Insurance
     • Financial Information
       • Credit Card Companies
       • Banks
       • Lenders
     • Any Sensitive or Private Information

  8. Legal Ramifications for Lack of Precautions
     • California
       • Online Privacy Protection Act
       • Not to be confused with the Children’s Online Privacy Protection Act
     • Germany
       • The Federal Data Protection Act
     • United States
       • Sarbanes-Oxley Act

  9. Discover
     • How do you know your site is being compromised?
       • Input validation in web forms and cookies
       • Alerts to administrators
     • Watch for SQL-specific characters such as “'” or “--”
     • Use some of the various programs discussed later

  10. Discovered
     • Frequently, simple form validation is inadequate.
     • It is practically impossible to evaluate every possible input.
     • Most injections are discovered after the fact.
     • Respond!

  11. Respond
     • Inaction snowballs the problem for other companies.
     • The lure of the anonymity of the internet.
     • What crimes would you commit if you were not going to be caught?

  12. For Example
     • Music downloading
       • 14% of users admitted to downloading illegal songs in 2004.
       • Translates to 23 million American users who admit it.
       • Regardless of controversy, RIAA lawsuits dropped pirated music downloads by six million users (Pew internet study).

  13. Know the Enemy
     • Catching a good hacker is not as easy as catching your average P2P user.
     • Cross-reference the date/time stamp of unauthorized entries into a database with the IP address log of connections.
     • A hacker is not going to hand you their address.

  14. What you see isn’t what you get
     • IP Spoofing
     • Attacker’s packets bounce around several different networks before reaching yours.
     • You get to see the last location.
     • But is that all…

  15. More Hops in Every Barrel
     • Hop Count Filtering
     • Hops cannot, as of yet, be altered.
     • Blocking statistically spoofed IPs
     • Promises close to 90% blocking of spoofed IPs
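The idea behind hop count filtering, worked through as an added example (not code from the presentation). A sender can forge the source address of a packet but cannot forge the number of routers the packet actually crossed, and each router decrements the IP TTL. If a packet's TTL is compared against the initial TTL that operating systems start from, the hop count falls out; if that hop count does not match the hop count previously learned for that source address, the source is statistically likely to be spoofed. The initial-TTL set, the tolerance and the learned table below are assumptions for the demonstration, and the packets are constructed.

```python
# Initial TTL values that common operating systems start from (assumed set for
# this example). The smallest one at or above the observed TTL is taken as the
# starting value, which is the inference hop count filtering relies on. Hosts
# with a starting TTL of 32 would be misjudged if their packets crossed more
# than 32 hops, so the scheme is statistical, not exact.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(observed_ttl):
    """Infer how many routers a packet crossed from its remaining TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL outside the valid IP range")


# Constructed table of hop counts learned for legitimate sources earlier
# (in a real deployment this is built from completed TCP handshakes, which a
# spoofed source cannot finish).
KNOWN_HOPS = {
    "203.0.113.10": 12,
    "198.51.100.7": 20,
}


def is_spoofed(src, observed_ttl, tolerance=1):
    """True if the packet's inferred hop count disagrees with the learned one.

    Returns None when the source has no learned hop count yet; such packets
    cannot be judged by this filter alone.
    """
    expected = KNOWN_HOPS.get(src)
    if expected is None:
        return None
    return abs(hop_count(observed_ttl) - expected) > tolerance


# Constructed packets as (source address, TTL seen at the receiver).
SAMPLE_PACKETS = [
    ("203.0.113.10", 52),   # 64 - 52 = 12 hops, matches the learned value
    ("203.0.113.10", 118),  # 128 - 118 = 10 hops, two off: likely spoofed
    ("198.51.100.7", 235),  # 255 - 235 = 20 hops, matches
    ("192.0.2.1", 60),      # never seen before, no verdict
]


def filter_packets(packets):
    """Return (src, ttl, verdict) for every packet; verdict is True/False/None."""
    return [(src, ttl, is_spoofed(src, ttl)) for src, ttl in packets]


if __name__ == "__main__":
    for src, ttl, verdict in filter_packets(SAMPLE_PACKETS):
        label = {True: "spoofed", False: "ok", None: "unknown source"}[verdict]
        print(f"{src:15} ttl={ttl:3} hops={hop_count(ttl):3} -> {label}")
```

The tolerance of one hop absorbs ordinary route changes; the slide's "close to 90%" figure reflects that an attacker who happens to guess a TTL consistent with the real path, or who spoofs an address that was never learned, slips past this check.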
  16. Tracing
     • IP Traceback
       • Algebra and many matrix calculations; luckily we have computers.
     • With a statistical sample, it has been suggested (Dean, D., et al.) that paths of length 25 can be traced over 98% of the time.
     • Drawback: needs thousands of packets to analyze.
     • Mostly for DoS attacks, but still useful.

  17. Accountability
     • The FBI is threatening serious jail time for attackers of federal sites.
     • Attacking government sites is “cyber-terrorism”; attacking private sites is just a nuisance.
     • Most attacks are not considered worth investigating, one possible cause of there being so many of them.

  18. Types of SQL Injections
     • Blind Injection
       • Conditional Responses
       • Conditional Errors
       • Time Delays
     • Code Injection
     • Code Execution
     • Buffer Overruns
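The "Discover" slide says to watch for SQL-specific characters such as `'` and `--`, and this slide lists the blind-injection variants (conditional responses, conditional errors, time delays) that an attacker uses when the application shows no data. The added example below, which is not code from the presentation, serves both slides: it scans constructed web-server access log lines, URL-decodes each query string, and reports which indicator each request trips, alongside the HTTP status so that a burst of 500 responses (the "conditional errors" signal) is visible next to the request that caused it. The log format, indicator names and patterns are assumptions chosen for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns, each labelled by the slide category it corresponds to.
# These are constructed for the example and deliberately simple; production
# detection uses richer rules and looks at request bodies and cookies as well.
INDICATORS = {
    "sql_quote": re.compile(r"'"),                                # Discover: "'"
    "sql_comment": re.compile(r"--|/\*"),                          # Discover: "--"
    "tautology": re.compile(                                       # conditional responses
        r"\b(?:or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.IGNORECASE),
    "time_delay": re.compile(                                      # time delays
        r"\b(?:sleep|pg_sleep|waitfor|benchmark)\b", re.IGNORECASE),
}

# Constructed Apache-style access log: one ordinary request followed by three
# from the same client that probe the id parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:36 -0700] "GET /item.php?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:55:40 -0700] "GET /item.php?id=42%27 HTTP/1.1" 500 0
203.0.113.9 - - [10/Oct/2008:13:55:45 -0700] "GET /item.php?id=42+AND+1%3D1-- HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2008:13:56:02 -0700] "GET /item.php?id=42%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def decoded_query(request_path):
    """Return the URL-decoded query string of a request path ('' if none)."""
    if "?" not in request_path:
        return ""
    return unquote_plus(request_path.split("?", 1)[1])


def indicators_for(query):
    """Names of every indicator pattern that matches the decoded query."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(query))


def scan_log(text):
    """Return (line_number, status, indicators) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, status = match.group(1), int(match.group(2))
        hits = indicators_for(decoded_query(path))
        if hits:
            findings.append((lineno, status, hits))
    return findings


if __name__ == "__main__":
    for lineno, status, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: status {status}: {', '.join(hits)}")
```

Two design points worth keeping: decode before matching, because the indicators in the raw log are hidden behind `%27` and `%3D`; and keep the status code in the finding, since a quote that produces a 500 and a tautology that produces a 200 on the same parameter, a few seconds apart, is exactly the "conditional error" followed by "conditional response" sequence of a blind probe and should raise an administrator alert rather than sit in the log until after the fact.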
  19. Analysis Tools
     • Free Tools
       • Usually designed toward a specific back-end database
       • Lack of product support
       • Lack of statistic collecting
       • Usability
     • Purchased Tools
       • Policy Based
       • Better support
       • Cost

  20. Purchased Tools
     • N-Stalker
       • Policy-Based Driven Engine
       • Able to create its own False Positive filter
       • Able to run reports and keep a database of vulnerabilities
       • GUI-Based System
       • Requires a subscription service

  21. Purchased Tools (Cont.)
     • Acunetix WVS
       • GUI Based
       • Requires an annual subscription service
       • Detailed Reporting
       • Not rule based
       • Does brute force
       • Scans for common mistakes

  22. Free Tools
     • SQLIer
       • Command line driven
       • Only does True/False SQL injections
     • BobCat
       • Used only with MSSQL and .NET applications
     • SQLMap
       • Works on multiple DBMS systems
       • Blind and Inbound SQL injections
       • Developed in Python (Command line driven)