Hackers Paradise SQL Injection Attacks

Published in: Technology, Health & Medicine
  • Very interesting topic on SQL Injection Attacks. I've learned a lot from this slide.
    Roy Jan
    http://au.freepolyphonicringtones.org/ http://at.freepolyphonicringtones.org/
  • Outstanding presentation. Convinced me to have a hard look at my company model. Brilliant.
    Teisha
    http://dashinghealth.com http://healthimplants.com
  • Thanks

Hackers Paradise SQL Injection Attacks

  1. DAT356: Hackers Paradise SQL Injection Attacks
     Doug Seven, Microsoft MVP, Cofounder of SqlJunkies.com, [email_address]

  2. Session Agenda
     • Introduction to SQL Injection
     • How Do Attackers Do It?
     • Advanced Attacks
     • Solutions
       • Least-privilege Access
       • Parameterize DML
       • Validating Input

  3. What is a SQL Injection?
     • SQL statement(s) "injected" into an existing SQL command
     • Injection occurs through malformed application input:
       • Text box
       • Query string
       • Manipulated values in HTML
     • A good SQL injection attack can cripple and even destroy your database!

  4. SQL Injection Causes

        // Vulnerable logon handler: user input is concatenated straight into the SQL text
        public void OnLogon(object src, EventArgs e)
        {
            // Connects as sa with a blank password: the application has full server rights
            SqlConnection con = new SqlConnection(
                "server=(local);database=myDB;uid=sa;pwd=;");
            // txtUser.Text and txtPassword.Text become part of the statement itself
            string query = String.Format(
                "SELECT COUNT(*) FROM Users WHERE " +
                "username='{0}' AND password='{1}'",
                txtUser.Text, txtPassword.Text);
            SqlCommand cmd = new SqlCommand(query, con);
            con.Open();
            SqlDataReader reader = cmd.ExecuteReader();
            try
            {
                // Note: COUNT(*) always returns one row, so HasRows is true even when the
                // count is zero; the slide's point is the injection, not this check
                if (reader.HasRows)
                    IssueAuthenticationTicket();
                else
                    TryAgain();
            }
            finally
            {
                con.Close();
            }
        }

  5. The Problem
     Expected:
        Username: doug
        Password: p@$$w0rd
        SELECT COUNT(*) FROM Users WHERE username='doug' and password='p@$$w0rd'
     Malicious:
        Username: ' OR 1=1 --
        Password:
        SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- and password='p@$$w0rd'
     The quote closes the username literal, OR 1=1 makes the WHERE clause true for every row,
     and everything after -- is a comment, so the password check never runs.

  6. Basic SQL Injection (demo)

  7. How Do Attackers Know?
     • Insider information
     • Trial and error
       • Error messages often reveal too much
       • A malicious user can force an error to discover information about the database

  8. It Gets Worse
     • Once a malicious user can access the database, they are likely to use:
       • xp_cmdshell
       • xp_grantlogin
       • xp_regread
     • With the right privileges the user can access ALL databases on the server

  9. Extended Stored Procedures (demo)

  10. Problem: Access Privileges
      • Application is accessing the database with:
        • "sa" account
        • ASP.NET worker process account (added as admin)
        • High-privilege user account

  11. Solution: Limit Privileges
      • Application should have the least privileges necessary to access the database
      • Grant the ASP.NET account access to the database using an alias
      • Create an account that has minimal privileges (EXEC-only)

  12. Machine\ASPNET

        -- Windows 2000 / XP
        EXEC sp_grantlogin [MachineName\ASPNET]
        EXEC sp_grantdbaccess [MachineName\ASPNET], [Alias]
        GRANT EXECUTE ON [ProcedureName] TO [Alias]
        GO
        -- Windows Server 2003
        EXEC sp_grantlogin [NT AUTHORITY\NETWORK SERVICE]
        EXEC sp_grantdbaccess [NT AUTHORITY\NETWORK SERVICE]
        GRANT EXECUTE ON [ProcedureName] TO [NT AUTHORITY\NETWORK SERVICE]
        GO

  13. Least Privilege (demo)

  14. Problem: DML in Code
      • Application code shouldn't contain SQL Data Manipulation Language (DML)
      • DML built from strings enables malicious input to be injected
      • Eliminating DML should be part of your next security review

  15. Solution: Parameterize DML
      • If DML is a requirement of the application, add parameters to the SQL statements

        // Values are bound as parameters, so they can never change the statement's structure
        string sql = "SELECT * FROM Users " +
                     "WHERE username=@Username " +
                     "AND password=@Password";
        SqlCommand command = new SqlCommand(sql, connection);
        command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
        command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

  16. Solution: Stored Procedures
      • Less vulnerable to SQL injection attacks
      • Added security via EXECUTE permission

        // Call the stored procedure by name with typed parameters
        SqlCommand command = new SqlCommand("Users_GetUser", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
        command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

  17. Stored Procedures (demo)

  18. Problem: User Input
      • All user input is inherently evil
      • Malicious input can:
        • Inject SQL statements
          • Execute arbitrary SQL
          • Damage limited only by the privilege of the data account
        • Alter application flow
        • Attack other users (cross-site scripting)
          • Read/write cookies
          • Execute script, etc.

  19. Solution: Input Validation
      • All user input should be cleansed
        • ASP.NET validation controls
        • Regex class
        • Reject invalid input
      • Encode any input that is echoed to the browser
        • HttpUtility.HtmlEncode()
      • Always use parameterized SQL queries
        • Parameterized commands (good)
        • Parameterized stored procedures (better)

  20. ASP.NET Request Validation
      • Validates query string, form data, cookies
      • Developers still have responsibility to secure inputs
      • Can be disabled at page, application, or machine level

  21. Input and Request Validation (demo)

  22. Resources
      • SqlJunkies.com
        • Online resource for developers using SQL Server
      • DotNetJunkies.com
        • Online resource for developers working with the .NET Framework
      • Web Application Disassembly with ODBC Error Messages, by David Litchfield
        http://www.nextgenss.com/papers/webappdis.doc

  23. Writing Secure Code (Second Edition)
      Michael Howard & David LeBlanc, Microsoft Press, December 2002
      Required reading at Microsoft!

  24. Improving Web Application Security: Building Secure ASP.NET Applications
      http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp
      http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/secnetlpmsdn.asp

  25. Session Evaluation
      Q1: Overall satisfaction with the session
      Q2: Usefulness of the information
      Q3: Presenter's knowledge of the subject
      Q4: Presenter's presentation skills
      Q5: Effectiveness of the presentation
      Please fill out a session evaluation on CommNet

  26. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
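The following is an added example, not code from the deck, that reproduces the logon query from slides 4 and 5, the parameterized version from slide 15, and the allow-list validation from slide 19 against a constructed in-memory SQLite table standing in for the Users table; the function and table names are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the deck's Users table, with the sample row from slide 5.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    con.execute("INSERT INTO Users VALUES ('doug', 'p@$$w0rd')")
    return con


def logon_vulnerable(con, user, pwd):
    # Slide 4: the input is spliced into the SQL text, so a quote in the
    # username becomes part of the statement's structure.
    query = ("SELECT COUNT(*) FROM Users WHERE "
             "username='%s' AND password='%s'" % (user, pwd))
    return con.execute(query).fetchone()[0] > 0


def logon_parameterized(con, user, pwd):
    # Slide 15: the values travel as bound parameters; the statement text is
    # fixed, so a quote or a comment marker in the input is just data.
    query = ("SELECT COUNT(*) FROM Users WHERE "
             "username=? AND password=?")
    return con.execute(query, (user, pwd)).fetchone()[0] > 0


# Slide 19: an allow-list for usernames; anything else is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def logon_validated(con, user, pwd):
    # Reject invalid input first, then still use the parameterized query;
    # validation narrows the attack surface but is not the primary defence.
    if not USERNAME_RE.fullmatch(user):
        return False
    return logon_parameterized(con, user, pwd)
```

With the slide 5 payload `' OR 1=1 --` the vulnerable query authenticates without a matching row, while the parameterized and validated variants do not.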