5. What is SQL Injection
• SQL injection happens when an application fails to filter SQL syntax from user-controllable input.
• The user input is used in the construction of dynamic SQL statements.
• The user input then affects the execution of the dynamically generated SQL statement.
7. Impact of SQL Injection
Bypassing authentication mechanisms
select id from users where name='admin' and password='' or '1'='1'
Information disclosure
select phone from users where name='' UNION select credit_num from users --'
Information tampering
select id from clients where name=''; update clients set debt=0; --
8. Impact of SQL Injection
Database corrupting
select usr_id from clients where name=''; drop table clients;--
Command execution
select picture from animals where name='';EXEC master.dbo.xp_cmdshell 'format /y c:'
10. What to Look for:
Dynamic SQL
● EXECUTE IMMEDIATE (PL/SQL)
● DBMS_SQL package (PL/SQL)
● PreparedStatement (Java)
Input not being sanitized
Unhandled Errors
11. EXECUTE IMMEDIATE
CREATE OR REPLACE PROCEDURE odtug (name IN VARCHAR2)
IS
  v_sql VARCHAR2(200);
  code  VARCHAR2(10);
BEGIN
  ...
  -- Vulnerable: the parameter is concatenated into the statement text
  v_sql := 'SELECT salary FROM emp WHERE name = ''' || name || '''';
  EXECUTE IMMEDIATE v_sql INTO code;
  ...
END;
Use bind variables instead:
  -- Fixed: the statement holds only a placeholder; the value is passed separately
  v_sql := 'SELECT salary FROM emp WHERE name = :name';
  EXECUTE IMMEDIATE v_sql INTO code USING name;
12. DBMS_SQL
CREATE OR REPLACE PROCEDURE kscope(name IN VARCHAR2) IS
  dyn_cursor     INTEGER;
  rows_processed INTEGER;
  v_sql          VARCHAR2(150);
  code           VARCHAR2(2);
BEGIN
  -- Vulnerable: the parameter is concatenated into the statement text
  v_sql := 'SELECT salary FROM emp WHERE name = ''' || name || '''';
  dyn_cursor := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(dyn_cursor, v_sql, DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(dyn_cursor, 1, code, 10);
  rows_processed := DBMS_SQL.EXECUTE(dyn_cursor);
  DBMS_SQL.CLOSE_CURSOR(dyn_cursor);
END;
Use bind variables instead:
  -- Fixed: the statement holds only a placeholder; the value is bound separately
  v_sql := 'SELECT postal_code FROM states WHERE state_name = :name';
  dyn_cursor := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(dyn_cursor, v_sql, DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(dyn_cursor, 1, code, 10);
  DBMS_SQL.BIND_VARIABLE(dyn_cursor, ':name', name);
  rows_processed := DBMS_SQL.EXECUTE(dyn_cursor);
  DBMS_SQL.CLOSE_CURSOR(dyn_cursor);
13. Dynamic Cursors
CREATE OR REPLACE PROCEDURE kscop(address IN VARCHAR2) IS
  v_sql   VARCHAR2(200);
  crs_emp SYS_REFCURSOR;
  rec_emp emp%ROWTYPE;
BEGIN
  -- Vulnerable: the parameter is concatenated into the statement text
  v_sql := 'SELECT * FROM emp WHERE address = ''' || address || '''';
  OPEN crs_emp FOR v_sql;
  LOOP
    FETCH crs_emp INTO rec_emp;
    EXIT WHEN crs_emp%NOTFOUND;
  END LOOP;
  CLOSE crs_emp;
END;
Avoid using dynamic cursors; use EXECUTE IMMEDIATE / DBMS_SQL with bind variables instead.
14. JDBC - PreparedStatement
// Vulnerable: PreparedStatement does not help when the value is concatenated into the SQL text
String name = request.getParameter("name");
PreparedStatement pstmt =
    conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')");
pstmt.execute();
pstmt.close();
Use bind variables instead:
// Fixed: the statement has a placeholder and the value is bound with setString
PreparedStatement pstmt =
    conn.prepareStatement("insert into EMP (ENAME) values (?)");
String name = request.getParameter("name");
pstmt.setString(1, name);
pstmt.execute();
pstmt.close();
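The authentication-bypass query from slide 7 and the bind-variable fix from slides 11 to 14, as an added Python example (not code from the presentation): an in-memory SQLite table constructed here stands in for the users table, and the same query is run once by string concatenation and once with bind parameters.

```python
import sqlite3


def make_db():
    """Constructed sample data: a users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text, password text)")
    conn.execute("insert into users values (1, 'admin', 's3cret')")
    return conn


def login_concat(conn, name, password):
    """Vulnerable: builds the statement by concatenation, as in the slide's
    'select id from users where name=... and password=...' example.
    Quotes in the input become part of the SQL text."""
    sql = ("select id from users where name='" + name
           + "' and password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    """Fixed: the same query with bind parameters. The driver sends the values
    separately from the statement text, so quotes and OR clauses in them are
    compared as data and never parsed as SQL."""
    sql = "select id from users where name=? and password=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    bypass = "' or '1'='1"  # the password value from slide 7
    print(login_concat(db, "admin", bypass))  # [1]: login succeeds without the password
    print(login_bound(db, "admin", bypass))   # []: no row has that password
    print(login_bound(db, "admin", "s3cret")) # [1]: the real password still works
```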
15. DBMS_ASSERT
• ENQUOTE_LITERAL - Encloses the string literal within single quotation marks.
-- Vulnerable: the parameter is concatenated directly into the statement text
sql_stmt constant varchar2(32000) :=
  'SELECT count(*) FROM emp WHERE dept_name = ''' || dept_parm || '''';
Use DBMS_ASSERT instead:
literal varchar2(1024) := '''' || dept_parm || '''';
sql_stmt constant varchar2(32000) :=
  'SELECT count(*) FROM emp WHERE dept_name = '
  || SYS.DBMS_ASSERT.ENQUOTE_LITERAL(literal);
16. DBMS_ASSERT
• SIMPLE_SQL_NAME - Verifies that the string is a simple SQL name.
-- Vulnerable: column and table names are taken straight from the parameters
sql_stmt constant varchar2(32000) :=
  'SELECT ' || p_col || ' FROM ' || p_tab;
Use DBMS_ASSERT instead:
sql_stmt constant varchar2(32000) :=
  'SELECT ' || SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_col)
  || ' FROM ' || SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_tab);
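Bind variables cannot carry identifiers, which is why column and table names on this slide go through SIMPLE_SQL_NAME. The following is an added Python example, not the presentation's code: it approximates the SIMPLE_SQL_NAME rules (a leading letter followed by letters, digits, _, $ or #, or a double-quoted name with embedded quotes doubled), builds the slide's SELECT only from names that pass, and runs it against an emp table constructed inline.

```python
import re
import sqlite3

# Approximation of DBMS_ASSERT.SIMPLE_SQL_NAME: an unquoted name starts with a
# letter and continues with letters, digits, _, $ or #; a quoted name is anything
# in double quotes with embedded double quotes doubled; surrounding whitespace
# is tolerated. This is a stand-in for the Oracle package, not its implementation.
_SIMPLE_NAME = re.compile(r'^\s*(?:[A-Za-z][A-Za-z0-9_$#]*|"(?:[^"]|"")+")\s*$')


def is_simple_sql_name(name):
    return _SIMPLE_NAME.match(name) is not None


def simple_sql_name(name):
    """Return the trimmed name if it is a simple SQL name, else raise ValueError
    (DBMS_ASSERT raises ORA-44003 in the same situation)."""
    if not is_simple_sql_name(name):
        raise ValueError("invalid SQL name: %r" % name)
    return name.strip()


def build_select(p_col, p_tab):
    """The slide's 'SELECT <col> FROM <tab>' assembled only from validated names."""
    return "SELECT " + simple_sql_name(p_col) + " FROM " + simple_sql_name(p_tab)


def run_select(p_col, p_tab):
    """Run the validated statement against a constructed in-memory emp table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table emp (ename text, salary integer)")
    conn.execute("insert into emp values ('scott', 3000)")
    return [row[0] for row in conn.execute(build_select(p_col, p_tab))]


if __name__ == "__main__":
    print(run_select("ename", "emp"))                        # ['scott']
    print(is_simple_sql_name("salary FROM emp WHERE 1=1--"))  # False: rejected before any SQL is built
```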
17. Error Handling
Do not disclose valuable information; it can be used to orchestrate an attack.
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line('No Data Found');
18. Defense = Security By Design
• Use Bind Arguments
• Error Handling – Do not disclose valuable information
• Input Validation
• Use DBMS_ASSERT
• Always validate HTML Fields / Parameters
• Carefully inspect dynamic SQL and filter parameters
• Use fully qualified name when calling packages.
19. Q & A
Exploits of a mom – XKCD – Randall Munroe
20. Design & Develop Secured Oracle Applications
Please Fill Out Your Evaluations
Oded Raz, Oracle ACE Director
Brillix LTD
Editor's Notes
Demonstrate it against an example page in swiftcoders.com
If not applicable consider the following example:
Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php
Enter naïve input
Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php
This time enter: <script language="javascript">alert("hello")</script>
Bypassing Authentication – A record is searched for with the supplied user name and password. If it is found (i.e. the query returns something other than an empty set), the authentication is considered successful. By injecting, the query is altered to always return something, since the '1'='1' clause is added, which always evaluates to TRUE. Therefore login will always succeed.