
SQL Injection Vulnerabilities and How to Prevent Them

Presentation delivered at JCertif Tunisia 2015 on the 8th Feb. An explanation of SQL injection, the different types of SQL injection attacks and best practice to ensure your code is not vulnerable.

  1. Jumping Bean: SQL Injection Vulnerabilities & How to stop them
  2. About Me
     ● Mark Clarke
       – Solutions Architect at Jumping Bean
       – Java developer
       – Linux system administrator
       – Founding member of JoziJUG
     ● Contact
       – @mxc4 on Twitter
       – LinkedIn
  3. Where are we going?
     ● Why cyber security?
     ● Attack vectors
     ● Why SQL injection?
     ● Types of SQL injection
     ● How to prevent SQL injection exploits
  4. Why Cyber Security?
     ● Recent notable breaches
       – Sony
       – Target
       – Home Depot
       – LinkedIn
     ● Who is behind these breaches?
       – Organised crime
       – State-sponsored cyber war
     ● Securing data is a legal requirement in many countries
  5. Attack Vectors
     ● People: social engineering, e.g. phishing, impersonation
     ● Devices: compromising the physical device, e.g. replacing firmware or physical chips
     ● Operating system: targeting vulnerabilities in the host's operating system
     ● Network: intercepting or injecting network traffic; network services such as DNS and web proxies
     ● Platforms: exploiting vulnerabilities in platform stacks, e.g. web servers, database servers, technology stacks (Java, .NET, PHP)
     ● Applications: attacking applications directly, either standard applications such as browsers or Flash, or custom applications
  6. Why focus on SQL Injection?
  7. Web Application Attack Vectors (OWASP Top 10). Figure; source: OWASP Top 10 2013
  8. The Open Web Application Security Project (OWASP)
     ● OWASP Top 10 Project: the most critical web application security risks
       – Editions: 2003, 2004, 2007, 2010, 2013
       – Attack vectors change as developers and organisations begin to address the identified risks
       – Provides information to:
         ● understand the risks
         ● help developers address them
  9. Web Application Vulnerabilities (figure)
  10. Injection Attacks
     ● The application passes data that has not been sanitised to an interpreter of some kind:
       – LDAP queries
       – XPath
       – NoSQL queries
       – SQL queries
       – SMTP
       – Command interpreter
  11. APT Attack Methodology
     Figure: "Advanced persistent threat lifecycle" by Dell SecureWorks, http://www.secureworks.com/cyber-threat-intelligence/advanced-persistent-threats/understand-threat/. Licensed under CC BY-SA 3.0 via Wikimedia Commons.
     ● Sophisticated attacks use "minor" security vulnerabilities to gain access, then escalate their privileges and gain further access to systems
  12. What is SQL Injection?
  13. What is SQL Injection (SQLi)?
     ● Unchecked input is used to manipulate the generated SQL statement and change its logic
     ● Most effective against weakly typed languages
       – PHP
       – Ruby, etc.
     ● But any code that uses embedded SQL could be vulnerable, i.e. JPQL or JDBC statements
     ● Manipulation of
       – URL parameters
       – Cookies
       – Form elements, e.g. POST parameters: username="admin", pass="SZK!k#$!DD" or pass="' or '1'='1" (the SQL injection string)

     JDBC (vulnerable by design, the input is concatenated into the statement):
       String username = request.getParameter("username");
       String password = request.getParameter("pass");
       String query = "select id from users where username='" + username
                    + "' and password='" + password + "'";

     Java Persistence Query Language (same flaw):
       em.createQuery("select id from users where username='" + username
                    + "' and password='" + password + "'");
  14. Types of SQL Injection
     ● Simple SQL injection
       – Tautologies, logic manipulation
       – Stacked queries
       – Union queries
       – Command injection
     ● Error based
       – Relies on error messages being output to the screen
     ● Blind SQL injection
       – Content-based attack
       – Timing attack
  15. Simple SQL Injection - Tautologies
     ● Tautological injections
       – 1 or 1=1
       – B') or 1=1; -- (please prepare in advance!)
     ● "Select desc,price,qty from orders where cust.id=" + id;
       → Select desc,price,qty from orders where cust.id=1 or 1=1;
     ● "Select user from users where user='" + username + "' and pass = password('" + pass + "')";
       → Select user from users where user='a' and pass=password('B') or 1=1; -- ');
  16. Demo with WebGoat
  17. Simple SQL Injection - Stacked Queries
     ● Append additional SQL queries after breaking out of the original query
       – "SELECT name,email,address FROM members where id=" + id
       – Parameter: "2; DROP TABLE users --"
       – Result: "SELECT name,email,address FROM members where id=2; DROP TABLE users --"
     ● Java is not vulnerable to stacked queries, but some languages are, e.g. PHP
  18. Simple SQL Injection - Union Queries
     ● Used to exfiltrate data via the UI, e.g. a collection used to populate a table for display
     ● Append a UNION SQL query to an existing query
     ● Need to match the number and types of the columns
     ● "Select prodId, desc, brand, price from product where id=" + id;
       – "1 union Select 1,grantee,privilege_type,1 from information_schema.user_privileges"
     ● How to determine the number and type of columns?
       – "1 order by 6";
       – Trial and error for column type
     ● Numeric columns can be converted to strings with the cast function
  19. SQL Command Injection
     ● System stored procedures may allow attackers to escalate their breach:
       – xp_cmdshell (MSSQL)
       – source (MySQL)
       – LOAD_FILE (MySQL)
     ● xp_regaddmultistring
     ● xp_regdeletekey
     ● xp_regdeletevalue
     ● xp_regenumkeys
     ● xp_regenumvalues
     ● xp_regread
     ● Media (xp_availablemedia)
     ● ODBC resources (xp_enumdsn)
     ● Managing services (xp_servicecontrol)
     ● Login mode (xp_loginconfig)
     ● Creating CAB files (xp_makecab)
  20. Error Based SQL Injection
     ● Relies on poor or non-existent error handling in code
     ● Extract data via crafted SQL errors
     ● Example of an error leaked to the user: "Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Something' AND Something > ('Something')' at line 1"
  21. SQL Blind Injection
     ● No error message is sent to the screen: the user is either redirected to a standard error page or the page just fails to render properly
       – Easily implemented by a global error catcher
     ● Bad news: your application is still susceptible to SQL injection
     ● Blind SQL injection is when the result of the query has to be inferred, either
       – content based (based on the response size), or
       – by a timing attack
  22. Blind SQL Injection – Content Based
     ● Observe the outcome of parameter tampering, e.g.
       – www.example.com/products.jsp?id=4
       – www.example.com/products.jsp?id=5-1
     ● Generate a true and a false result and compare the differences in the responses
       – www.example.com/products.jsp?id=5-6;
       – www.example.com/products.jsp?id=5 and 1=0
  23. Blind SQL Injection – Timing Based
     ● MSSQL: the waitfor command
       – if (select user) = 'sa' waitfor delay '0:0:10'
     ● MySQL: sleep, benchmark
       – IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))
       – Select distinct if(table_name='users',sleep(1),table_name) from tables;
     ● Exfiltrate data one character at a time
       – Select id,desc,price from products where product=1 and substring(Select TABLE_NAME from information_schema.tables limit 1)='a';
       – Select id,desc,price from products where product=1 and substring(Select TABLE_NAME from information_schema.tables limit 1)='b';
       – Select id,desc,price from products where product=1 and substring(Select TABLE_NAME from information_schema.tables limit 1,2,1)='a';
  24. SQL Injection Prevention Measures
     ● Web Application Firewalls (WAF)
       – Used to protect against unknown vulnerabilities
       – mod_security for Apache
       – Uses pattern-matching rules
       – Problem: easy to bypass
         ● CHAR() function
         ● Select 0xaa → hexadecimal bypass
         ● SELECT CONCAT('0x',HEX('c:\boot.ini'))
         ● SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
     ● SQL whitelisting
       – Input validation, sanitisation routines
       – PHP addslashes, mysql_real_escape_string vulnerabilities
     ● Not the best ways
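An added example, not from the presentation: the indicators the slides walk through (tautologies, union, stacked queries, timing functions, hex literals, LOAD_FILE and xp_cmdshell) as detection rules run over constructed access-log lines, with the URL decoding and comment stripping that defeat the simplest encoding bypasses. The log lines, rule names and regular expressions are assumptions; as slide 24 says, pattern matching is a heuristic for spotting attempts, and prepared statements remain the fix.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format) echoing the slides' URLs.
LOGS = [
    '10.0.0.5 - - [08/Feb/2015:10:00:01 +0100] "GET /products.jsp?id=4 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Feb/2015:10:00:02 +0100] "GET /products.jsp?id=5%20and%201=0 HTTP/1.1" 200 231',
    '10.0.0.9 - - [08/Feb/2015:10:00:03 +0100] "GET /products.jsp?id=1%20union%20Select%201,grantee,privilege_type,1%20from%20information_schema.user_privileges HTTP/1.1" 200 640',
    '10.0.0.9 - - [08/Feb/2015:10:00:04 +0100] "GET /products.jsp?id=1%20and%20sleep(1) HTTP/1.1" 200 120',
    '10.0.0.9 - - [08/Feb/2015:10:00:05 +0100] "GET /login.jsp?username=admin&pass=%27%20or%20%271%27%3D%271 HTTP/1.1" 302 0',
    '10.0.0.9 - - [08/Feb/2015:10:00:06 +0100] "GET /products.jsp?id=0x633A5C HTTP/1.1" 200 120',
    '10.0.0.7 - - [08/Feb/2015:10:00:07 +0100] "GET /search.jsp?q=coffee%20and%20tea HTTP/1.1" 200 900',
]

# Query string of the request line: everything after "?" up to the next space.
REQUEST = re.compile(r'"(?:GET|POST) [^ ?"]*\?([^ "]*)')

# Indicators taken from the slides; a heuristic, not a substitute for prepared statements.
PATTERNS = {
    "tautology": r"\b(?:or|and) '?\w+'? ?= ?'?\w+",
    "union":     r"\bunion\b.*\bselect\b",
    "stacked":   r"; ?(?:drop|insert|update|delete|exec)\b",
    "timing":    r"\b(?:sleep|benchmark) ?\(|\bwaitfor delay\b",
    "hex":       r"\b0x[0-9a-f]{4,}\b",
    "escalate":  r"\b(?:load_file|xp_cmdshell|information_schema)\b",
}

def normalise(query):
    """URL-decode, lower-case, drop /* */ comments and collapse whitespace, so one
    rule sees 'or%201=1', 'OR/**/1=1' and 'or  1=1' alike."""
    text = unquote_plus(query).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def analyse(line):
    """Names of the indicators present in one log line ([] when none, or no query string)."""
    m = REQUEST.search(line)
    if not m:
        return []
    norm = normalise(m.group(1))
    return [name for name, pat in PATTERNS.items() if re.search(pat, norm)]

def scan(lines):
    """(client ip, indicators) for each line that trips at least one rule."""
    return [(line.split(" ", 1)[0], analyse(line)) for line in lines if analyse(line)]

if __name__ == "__main__":
    for ip, hits in scan(LOGS):
        print(ip, hits)
```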
  25. Coding Best Practice
     ● Use prepared statements (parametrised queries)
       – Java
         ● JDBC prepared statements
         ● JPA createQuery with named parameters or placeholders
         ● Use the Criteria API
       – PHP
         ● PDO
     ● Use of stored procedures
     ● JDBC (con is an open java.sql.Connection):
       String updateStatement = "update COFFEES set TOTAL = TOTAL + ? where COF_NAME = ?";
       PreparedStatement updateSales = con.prepareStatement(updateStatement);
       updateSales.setInt(1, 300);
       updateSales.setString(2, "Java");
       updateSales.executeUpdate();
     ● JPA:
       Query qry = em.createQuery("SELECT c FROM Customer c WHERE c.cust_id = :cust_id");
       qry.setParameter("cust_id", cust_id);
       qry.getSingleResult();
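As an added example (not the presenter's code): the concatenated login query from slide 13 next to its prepared-statement form from slide 25, ported to Python's sqlite3 so it runs stand-alone, plus the parameter-tampering unit test slide 26 asks for. The in-memory users table, the sqlite3 module and the function names are assumptions; sqlite3's ? placeholders play the role of a JDBC PreparedStatement.

```python
import sqlite3

# Constructed in-memory stand-in for the slides' users table (plaintext password
# only to mirror the slide; real code stores a password hash).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, username text, password text)")
    db.execute("insert into users values (1, 'admin', 'SZK!k#$!DD')")
    return db

def login_concat(db, username, password):
    """Slide 13 pattern: the query text is built by string concatenation, so
    untrusted input becomes part of the SQL syntax."""
    query = ("select id from users where username='" + username
             + "' and password='" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_prepared(db, username, password):
    """Slide 25 pattern: the same query with ? placeholders. The values travel
    separately from the statement text, so a quote inside `password` is data
    and cannot alter the WHERE clause."""
    row = db.execute("select id from users where username=? and password=?",
                     (username, password)).fetchone()
    return row[0] if row else None

# The injection strings shown on the slides.
TAMPER_PAYLOADS = ["' or '1'='1", "B') or 1=1; --"]

def tamper_check(db, login):
    """Slide 26: a unit test for parameter tampering. True when no payload logs
    in without the real password. A SQL error is not a bypass here, though it
    is the error-based leak of slide 20 and deserves its own test."""
    for payload in TAMPER_PAYLOADS:
        try:
            if login(db, "admin", payload) is not None:
                return False
        except sqlite3.Error:
            pass
    return True

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "admin", "' or '1'='1"))    # 1: logged in with no password
    print(login_prepared(db, "admin", "' or '1'='1"))  # None: rejected
    print(tamper_check(db, login_concat), tamper_check(db, login_prepared))  # False True
```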
  26. SQL Injection Testing
     ● Write unit tests to check for parameter tampering
     ● Penetration testing tools (fuzzing):
       – sqlmap
       – SQLNinja
       – Zed Attack Proxy (ZAP) from OWASP
  27. The End
     ● Mark Clarke
       – Twitter
       – LinkedIn
       – Jumping Bean
       – Certified Ethical Hacker training
