libinjection
New Techniques in Detecting SQLi Attacks


iSEC Partners Open Forum
Gilt Group, New York, September 6, 2012




Nick Galbreath   @ngalbreath nickg@client9.com
http://client9.com/20120906/
                Follow along at
                your own pace
First presented at
Black Hat USA 2012
http://client9.com/20120725




                              iSEC Partners party at Bellagio
The Next 15 Minutes

• You know what SQLi is and why it's
  important
• Why detecting SQLi is a hard problem
• Why current solutions aren't so good
• The libinjection algorithm and library
It's Easy to Get Started
with Regular Expressions


    /UNION\s+(ALL)?/i

         ‣ At least two open source WAF
           use regular expressions.
         ‣ Failure cases in closed-source
           WAFs also indicate regexp.
1992 SQL Spec
625 pages plain text




                 bit.ly/10fmhZ
2003 SQL Spec
128 pages pure BNF
              bit.ly/OB5vfW
Integer Forms
• [0-9]+
• 0x[0-9a-fA-F]+   e.g. 0xDEADbeef   MySQL, MSSQL
   (the 0x prefix is case sensitive)
• 0x (empty hex literal)   MSSQL only
• x'DEADbeef'   PgSQL
• b'10101010'   MySQL, PgSQL
• 0b010101   MySQL
Floating Point
• digits
• digits[.]
• digits[.]digits
• digits[eE]digits
• digits[eE][+-]digits
• digits[.][eE]digits
• digits[.]digits[eE]digits
• digits[.]digits[eE][+-]digits
• [.]digits
• [.]digits[eE]digits
• [.]digits[eE][+-]digits
• "binary_float_infinity" (Oracle)
Optionally starts with [+-]
Optionally ends with [dDfF] (Oracle)
http://bit.ly/Qp6KTu
Money Literals
• MSSQL has a money type.
• -$45.12
• $123.0
• +$1,000,000.00 Commas ignored
• Haven't experimented with this yet.
• Does it auto-cast to a float or int type?
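The integer, floating-point and money shapes enumerated on the last three slides, as an added Python classifier that is not part of libinjection. The forms and the dialect labels are the slides' own; the form names, the `classify_literal` function and the order of the table are assumptions made here, and the `0x`, `x'`, `b'` and `0b` prefixes are matched in lowercase only because the slide notes the prefix is case sensitive. A regex-per-form table makes visible how many distinct shapes a tokenizer has to accept before a single "number" token comes out:

```python
import re

DIGITS = r"[0-9]+"
EXP = r"(?:[eE][+-]?[0-9]+)"
SIGN = r"[+-]?"
# The float shapes from the slide: digits[.], digits[.]digits, [.]digits (each with an
# optional [eE][+-]digits exponent), digits[eE]digits, and plain digits.
FLOAT_BODY = rf"(?:{DIGITS}\.[0-9]*{EXP}?|\.{DIGITS}{EXP}?|{DIGITS}{EXP}|{DIGITS})"

# (form, pattern, dialects named on the slides). Order matters: first full match wins,
# so the empty MSSQL "0x" and the bit/hex string forms are tried before the general ones.
LITERAL_FORMS = [
    ("hex-empty",      r"0x",                              {"MSSQL"}),
    ("hex",            r"0x[0-9a-fA-F]+",                  {"MySQL", "MSSQL"}),  # prefix case sensitive
    ("hex-string",     r"x'[0-9a-fA-F]*'",                 {"PgSQL"}),
    ("bit-string",     r"b'[01]*'",                        {"MySQL", "PgSQL"}),
    ("binary",         r"0b[01]+",                         {"MySQL"}),
    ("money",          rf"{SIGN}\$[0-9,]*(?:\.[0-9]*)?",   {"MSSQL"}),           # commas ignored
    ("float-infinity", r"binary_float_infinity",           {"Oracle"}),
    ("integer",        rf"{SIGN}{DIGITS}",                 {"all"}),
    ("float-oracle",   rf"{SIGN}{FLOAT_BODY}[dDfF]",       {"Oracle"}),          # 1.5d, 1.5f
    ("float",          rf"{SIGN}{FLOAT_BODY}",             {"all"}),
]
LITERAL_FORMS = [(name, re.compile(pat), dialects) for name, pat, dialects in LITERAL_FORMS]


def classify_literal(text):
    """Return (form, dialects) when text is a numeric literal in one of the listed shapes,
    otherwise None. Whether MSSQL casts money to float or int is left open on the slide,
    so nothing here evaluates the literal."""
    for name, pat, dialects in LITERAL_FORMS:
        if pat.fullmatch(text):
            return name, dialects
    return None


if __name__ == "__main__":
    for sample in ("0xDEADbeef", "0XDEADbeef", "0x", "x'DEADbeef'", "b'10101010'",
                   "0b010101", "+$1,000,000.00", "12.", ".5E-3", "1.5d", "1-917-660-3400"):
        print(f"{sample:>16}  ->  {classify_literal(sample)}")
```

Run stand-alone it prints one line per sample; `0XDEADbeef` comes back as `None` because of the case-sensitive prefix, and the phone number `1-917-660-3400` is no literal at all, which is exactly why the folding step later in the deck has to treat it as arithmetic rather than as a number.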
Ridiculous Operators
•   != not equals, standard
•   <=> MySQL
•   <> MSSQL
•   ^= Oracle
•   !>, !< not greater than, not less than (MSSQL)
•   / Oracle
•   !! factorial (PgSQL)
•   |/ square root (PgSQL)
•   ||/ cube root (PgSQL)
•   ** exponent (Oracle)
•   # bitwise xor (PgSQL; conflicts with the MySQL comment character)
Strings,
Charsets,
and Comments
 Such a cluster that I defer you to my DEFCON 20 talk.




      http://client9.com/20120727/
A real-world regex rule set for SQLi, shown on the slide as a wall of text (the backslash escapes were lost in extraction, so `s*` reads `\s*`, `d+` reads `\d+`, `w+` reads `\w+` and `W` reads `\W`):
(?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|
not)s+||||&&)s*w+()
(?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~])
(?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||
||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-]s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|
or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW)
(?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=|
|)(?<=&&)w+()|(?:"[sd]*[^ws]+W*dW*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+
s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]+"[^,])
(?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|
(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|][ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|
(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+")
(?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*like
W*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[sw]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?
ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*()
(?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]
+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=|or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|
(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*")
(?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|
update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s+(?:
(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*()
(?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+group
s+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w
+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()])
(?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+
[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!+"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|
(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(])
(?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+)
(?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|
insert|desc)s*[[(]?w{2,})
(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto)
(?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*
(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs*(s*@)
(?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{))
(?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|
database|schema|connection_id)s*([^)]*)|(?:";?s*(?:select|union|having)s*[^s])|(?:wiifs*()|
(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+
(?:dump|out)files*")
(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+
Proven Fail
‣ At Black Hat USA 2005, Hansen and
  Patterson presented:
  Guns and Butter: Towards Formal Axioms of
  Validation (http://bit.ly/OBe7mJ)
‣ …formally proved that for any regex validator, we
  could construct either a safe query which would be
  flagged as dangerous, or a dangerous query which
  would be flagged as correct.
‣ (summary from libdejector documentation)
Can we do better?
libinjection
Key Insight
‣ A SQLi attack must be parsed as SQL within
  the original query.
‣ SQL has a rigid syntax
  ‣ it works, or it's a syntax error.
  ‣ Compare this to HTML/XSS rules
‣ "Is it a SQLi attack?" becomes
  "Could it be a SQL snippet?"
Only 3 Contexts
User input is only "injected" into SQL in three
ways:
‣ As-Is
‣ Inside a single quoted string
‣ Inside a double quoted string
Means we have to parse input three times.
Compare to XSS
Identification of
         SQL snippets
    without context is hard
‣   1-917-660-3400 my phone number or an
    arithmetic expression in SQL?
‣   @ngalbreath my twitter account or a SQL
    variable?
‣ English-like syntax and common keywords:
    union, group, natural, left, right, join, top,
    table, create, in, is, not, before, begin, between
Existing SQL Parsers

‣ Only parse their flavor of SQL
‣ Not well designed to handle snippets
‣ Hard to extend
‣ Worried about correctness
                ... so I wrote my own!
Tokenization


‣ Converts input into a stream of tokens
‣ Uses "master list" of keywords and functions
  across all databases.
‣ Handles comments, string, literals, weirdos.
5000224' UNION USER_ID>0--

(parsed in the single-quoted context: the leading 5000224' closes the application's own string literal)

[ ('...5000224', string),
  ('UNION', union operator),
  ('USER_ID', name),
  ('>', operator),
  ('0', number),
  ('--.....', comment) ]
Meet the Tokens
‣   none/name          ‣   group-like operation
‣   variable           ‣   union-like operator
‣   string             ‣   logical operator
‣   regular operator   ‣   function
‣   unknown            ‣   comma
‣   number             ‣   semi-colon
‣   comment            ‣   left parens
‣   keyword            ‣   right parens
Merging,
        Specialization,
        Disambiguation
‣ "IS", "NOT" ==> "IS NOT" (single op)
‣ "NATURAL", "JOIN" => "NATURAL JOIN"
‣ ("+", operator) -> ("+", unary operator)
‣ (COS, function), (1, number) ==>
   (COS, name), (1, number)
   functions must be followed with a
  parenthesis!
Folding


‣ This step actually isn't needed to detect, but
  is needed to reduce false positives.
‣ Converts simple arithmetic expressions into a
  single value (don't try to evaluate them).
‣ 1-917-660-3400 -> "1"
Knows nothing about SQLi
 ‣ So far this is purely a parsing problem.
 ‣ Knows nothing about SQLi (which is evolving)
 ‣ Can be 100% tested against any SQL input
   (not SQLi) for correctness.
 ‣ Language independent test cases
$ cat test-tokens-numbers-floats-003.txt
--TEST--
floating-point parsing test
--INPUT--
SELECT .0;
--EXPECTED--
k SELECT
1 .0
; ;
Fingerprints
‣ The token types of a user input form a hash or
  a fingerprint.
  ‣   -6270" UNION ALL SELECT   5594,   5594, 5594, 5594,   5594,   5594,
      5594, 5594, 5594, 5594,   5594,   5594, 5594, 5594,   5594,   5594,
      5594, 5594, 5594, 5594,   5594,   5594, 5594, 5594,   5594,   5594,
      5594, 5594, 5594, 5594,   5594,   5594, 5594, 5594,   5594,   5594,
      5594, 5594, 5594, 5594,   5594#   AND "JWWQ"="JWWQ

  ‣ becomes "sUk1,1,1,1,1,1,1,1,&"

‣ Now let's generate fingerprints from
  Real World Data.
‣ Can we distinguish between SQLi and benign
  input?
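The pipeline the last several slides describe (three injection contexts, tokenize, merge and specialize, fold, take the token types as a fingerprint, look the fingerprint up), as a simplified Python re-implementation added here for illustration. It is not libinjection's code and its tables are not libinjection's data: the token letters follow the deck's fingerprint notation, but the keyword, function and `KNOWN_SQLI` sets are small constructed excerpts (the fingerprints in `KNOWN_SQLI` are copied from the deck's table), and the function names and the unary-sign rule in `fold` are assumptions made here. `regex_flags` is the opening slide's `/UNION\s+(ALL)?/i` rule, kept alongside so both approaches can be compared on the same inputs:

```python
import re

# One-letter token classes, in the fingerprint notation the deck uses:
#   1 number  s string  n name  v variable  k keyword  f function  U union-like
#   & logical op  o operator  c comment  B group-like  , ; ( ) punctuation  ? unknown
# The word tables are a small constructed subset, not libinjection's master list.
KEYWORDS = {"SELECT", "FROM", "WHERE", "HAVING", "INSERT", "UPDATE", "DELETE", "ALL",
            "DISTINCT", "LIMIT", "JOIN", "LIKE", "IN", "IS", "NOT", "NULL", "BY", "AS"}
GROUP_LIKE = {"GROUP", "ORDER"}
LOGICAL = {"AND", "OR", "XOR"}
FUNCTIONS = {"USER", "VERSION", "SLEEP", "BENCHMARK", "CONCAT", "CHAR", "COS", "PG_SLEEP"}
ARITHMETIC = {"+", "-", "*", "/", "%"}

TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?(?:\*/|$))
    | (?P<string>'(?:[^'\\]|\\.)*(?:'|$)|"(?:[^"\\]|\\.)*(?:"|$))
    | (?P<number>0x[0-9a-fA-F]+|[0-9]+\.?[0-9]*(?:[eE][+-]?[0-9]+)?|\.[0-9]+)
    | (?P<variable>@@?\w+)
    | (?P<word>[A-Za-z_]\w*)
    | (?P<logic>\|\||&&)
    | (?P<op><=>|!=|<>|>=|<=|!!|\|/|[-+*/%=<>^~!|&])
    | (?P<punct>[,;()])
""", re.VERBOSE | re.DOTALL)
KIND_TO_TYPE = {"comment": "c", "string": "s", "number": "1", "variable": "v",
                "logic": "&", "op": "o"}


def tokenize(s):
    """Turn input into (type, text) tokens; unterminated strings and comments run to the end."""
    toks, pos = [], 0
    while pos < len(s):
        m = TOKEN_RE.match(s, pos)
        if m is None:                       # no rule for this byte: unknown token
            toks.append(("?", s[pos])); pos += 1; continue
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            up = text.upper()
            t = ("U" if up == "UNION" else "&" if up in LOGICAL else "B" if up in GROUP_LIKE
                 else "f" if up in FUNCTIONS else "k" if up in KEYWORDS else "n")
        else:
            t = text if kind == "punct" else KIND_TO_TYPE[kind]
        toks.append((t, text))
    return toks


def merge(toks):
    """Merge/specialize: UNION ALL -> one union op, IS NOT -> one operator,
    GROUP BY -> one group-like token, a function name not followed by '(' is a name."""
    out, i = [], 0
    while i < len(toks):
        t, text = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ("", "")
        up, nup = text.upper(), nxt[1].upper()
        if t == "U" and nup in ("ALL", "DISTINCT"):
            out.append(("U", text + " " + nxt[1])); i += 2
        elif t == "k" and up == "IS" and nup == "NOT":
            out.append(("o", text + " " + nxt[1])); i += 2
        elif t == "B" and nup == "BY":
            out.append(("B", text + " " + nxt[1])); i += 2
        elif t == "f" and nxt[0] != "(":
            out.append(("n", text)); i += 1
        else:
            out.append((t, text)); i += 1
    return out


def fold(toks):
    """Collapse 'number op number' arithmetic into one number (1-917-660-3400 -> 1) and drop
    unary signs. Nothing is evaluated; only the token stream shrinks."""
    out = []
    for t, text in toks:
        prev = out[-1][0] if out else None
        if t == "o" and text in ("+", "-") and prev in (None, "o", "&", ",", "(", "U", "k"):
            continue                                          # unary sign, not an operator
        if (t == "1" and len(out) >= 2 and out[-1][0] == "o"
                and out[-1][1] in ARITHMETIC and out[-2][0] == "1"):
            left, op = out.pop(-2)[1], out.pop()[1]
            out.append(("1", left + op + text))
            continue
        out.append((t, text))
    return out


def fingerprint(s, maxlen=5):
    """Token-type string of the input, cut to five tokens (the deck's finding)."""
    return "".join(t for t, _ in fold(merge(tokenize(s))))[:maxlen]


def context_fingerprints(s):
    """User input reaches SQL as-is, inside '...' or inside "...": parse all three."""
    return {"as-is": fingerprint(s), "single-quoted": fingerprint("'" + s),
            "double-quoted": fingerprint('"' + s)}


# Constructed excerpt of known-SQLi fingerprints, copied from the deck's table of 622.
KNOWN_SQLI = {"1&1o1", "sUk1,", "1Uk1,", "s&1o1", "1o1o1", "&1o1U"}


def is_sqli(s, known=KNOWN_SQLI):
    return any(fp in known for fp in context_fingerprints(s).values())


UNION_RE = re.compile(r"UNION\s+(ALL)?", re.IGNORECASE)   # the opening slide's rule


def regex_flags(s):
    return UNION_RE.search(s) is not None


if __name__ == "__main__":
    for sample in ("1 OR 1=1", "1-917-660-3400", "@ngalbreath", "Student Union All-Stars",
                   '-6270" UNION ALL SELECT 5594, 5594, 5594# AND "JWWQ"="JWWQ'):
        print(f"{sample!r}\n   {context_fingerprints(sample)}"
              f"  sqli={is_sqli(sample)}  regex={regex_flags(sample)}")
```

Run stand-alone it prints all three context fingerprints next to both verdicts for each sample: `1 OR 1=1` folds to `1&1o1` and is caught while the UNION regex misses it; `Student Union All-Stars` trips the regex but fingerprints to `nUn`, which is in neither this excerpt nor the deck's table; the phone number folds to a single `1`; and the deck's `UNION ALL SELECT 5594, ...` sample is invisible as-is but becomes `sUk1,` once re-parsed in the double-quoted context, which is why all three contexts have to be tried.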
Training on SQLi
‣ Parse known SQLi attacks from
  ‣ SQLi vulnerability scanners
  ‣ Published reports
  ‣ SQLI How-Tos
‣ > 32,000 total
‣ Since Black Hat, donations from
  ‣ modsecurity
  ‣ qualys
‣ > 50,000 total
Training on Real Input
‣ 100s of Millions of user inputs from Etsy's
  access logs were also parsed.
‣ Large enough to get a good sample (Top 50
  USA site)
‣ Old enough to have lots of odd ways of query
  string formatting.
‣ Full text search with a diverse subject
  domain
How many tokens are
needed to determine if
user input is SQLi or not?
5, no matter how long the input
622 out of 1,048,576 (16 token types in 5 positions: 16^5) are SQLi
&1o1U   &f()o   &f(1)   1&((f   1&((k   1&(1,   1&(1o   1&(f(   1&(k(   1&(k1   1&(kf   1&(kk   1&(kn   1&(ko   1&(v)   1&1Bf   1&1Uk   1&1f(   1&1o(   1&1o1
1&1of   1&1ok   1&1on   1&1oo   1&1ov   1&f((   1&f()   1&f(1   1&f(f   1&f(k   1&f(n   1&f(v   1&k(1   1&k(f   1&k1k   1&kUk   1&kk1   1&n()   1&no1   1&o(1
1&o1o   1&so1   1)&(1   1)&(f   1)&(k   1)&(n   1)&1B   1)&1U   1)&1f   1)&1o   1)&f(   1)&o(   1)()s   1))&(   1))&1   1))&f   1))&o   1)))&   1))))   1)));
1)))B   1)))U   1)))k   1)))o   1));k   1))B1   1))Uk   1))Un   1))k1   1))kk   1))o(   1))o1   1))of   1))ok   1))on   1),(1   1);k&   1);k(   1);kf   1);kk
1);kn   1);ko   1)B1    1)B1&   1)B1c   1)B1o   1)U(k   1)Uk1   1)Ukf   1)Ukk   1)Ukn   1)Unk   1)k1    1)k1c   1)k1o   1)kks   1)o(1   1)o(k   1)o(n   1)o1B
1)o1f   1)o1k   1)o1o   1)of(   1)ok(   1)ok1   1)on&   1)ono   1,(f(   1,(k(   1,(k1   1,(kf   1,1),   1,1)o   1,1B1   1,1Uk   1,f(1   1,s),   1;k&k   1;k((
1;k(1   1;k(o   1;k1,   1;kf(   1;kks   1;kn(   1;kn,   1;knc   1;ko(   1;kok   1B1     1B1,1   1B1,n   1B1Uk   1B1c    1B1k1   1B1ks   1Bf(1   1Bf(f   1Bk(1
1Bn,n   1Bnk1   1U(k1   1U(kf   1U1,1   1Uc     1Uk     1Uk(1   1Uk(k   1Uk(n   1Uk1    1Uk1,   1Uk1c   1Uk1f   1Uk1k   1Uk1n   1Uk1o   1Ukf    1Ukf(   1Ukf,
1Ukk(   1Ukk,   1Ukk1   1Ukkk   1Ukkn   1Ukn&   1Ukn(   1Ukn,   1Ukn1   1Uknc   1Uknk   1Ukno   1Ukns   1Uko1   1Ukok   1Uks,   1Uksc   1Ukv    1Ukv,   1Ukvc
1Un,1   1Un1,   1Unk(   1Unk1   1Unkf   1Uon1   1f()k   1k1U(   1k1Uk   1k1c    1kU1,   1kf(1   1kk(1   1kksc   1knkn   1n&f(   1nUk1   1nUkn   1nk1c   1nkf(
1o(((   1o((1   1o((f   1o(1)   1o(1o   1o(f(   1o(k(   1o(k1   1o(kf   1o(kn   1o(kv   1o(n)   1o(s)   1o1)&   1o1)o   1o1Bf   1o1Uk   1o1f(   1o1kf   1o1o(
1o1o1   1o1of   1o1oo   1o1ov   1of()   1of(1   1of(f   1of(n   1of(s   1ok(1   1ok(k   1ok1    1ok1,   1ok1c   1ok1k   1okf(   1oks,   1oksc   1okv,   1onos
1oso1   ;kknc   Uk1,1   Uk1,f   Uk1,n   Ukkkn   f((k(   f((kf   f()&f   f()of   f(1)&   f(1)o   f(1,f   f(1o1   f(f()   f(f(1   f(k()   f(k,(   f(k,n   f(n()
f(v,1   k()ok   k(1)U   k(ok(   k(vv)   k1,1,   k1,1c   k1,1k   k1,f(   k1k(k   k1o(s   k;non   kf(1)   kf(1,   kf(f(   kf(n,   kf(v:   kk(f(   kk1kk   kk1nk
kk1vk   kk1vn   kn1kk   kn1vk   kn1vn   ko(k(   ko(kf   kok(k   kv)     kvk(1   n&(1)   n&(k1   n&(o1   n&1f(   n&1o(   n&1o1   n&1of   n&1oo   n&f(1   n&f(f
n&k(1   n&o1o   n)&(k   n)&1f   n)&1o   n)&f(   n))&(   n))&1   n))&f   n)))&   n)));   n)))k   n)))o   n));k   n))kk   n))o(   n))o1   n))of   n))ok   n);k&
n);k(   n);kf   n);kk   n);kn   n);ko   n)k1o   n)kks   n)o(k   n)o1&   n)o1f   n)o1o   n)of(   n)ok(   n,(f(   n,(k(   n,(k1   n,(kf   n,f(1   n:o1U   n;k&k
n;k((   n;k(1   n;kf(   n;kks   n;kn(   n;ko(   n;kok   nUk(k   nUk1,   nUkn,   nUnk(   nk1Uk   nkf(1   nkksc   nnn)U   nno1U   no(k1   no(o1   no1&1   no1Uk
no1f(   no1o(   no1o1   no1of   no1oo   nof(1   nok(1   nok(k   o1kf(   oUk1,   of()o   of(1)   ok1o1   okkkn   ook1,   s&(1)   s&(1,   s&(1o   s&(f(   s&(k)
s&(k1   s&(kf   s&1Bf   s&1Uk   s&1c    s&1f(   s&1o(   s&1o1   s&1of   s&1on   s&1oo   s&1os   s&1ov   s&f((   s&f()   s&f(1   s&f(f   s&f(v   s&k&s   s&k(1
s&k(o   s&k1o   s&kc    s&knk   s&ko(   s&ko1   s&kok   s&kos   s&n&s   s&no1   s&nos   s&o(1   s&o(k   s&o1o   s&okc   s&oko   s&os    s&sos   s&v:o   s&vos
s&vso   s)&(1   s)&(k   s)&1B   s)&1f   s)&1o   s)&f(   s)&o(   s))&(   s))&1   s))&f   s))&n   s))&o   s)))&   s)));   s)))B   s)))U   s)))k   s)))o   s));k
s))B1   s))Uk   s))Un   s))k1   s))kk   s))o(   s))o1   s))of   s))ok   s),(1   s);k&   s);k(   s);kf   s);kk   s);kn   s);ko   s)B1    s)B1&   s)B1c   s)B1o
s)U(k   s)Uk1   s)Unk   s)k1    s)k1c   s)k1o   s)kks   s)o(1   s)o(k   s)o1B   s)o1f   s)o1k   s)o1o   s)of(   s)ok(   s)ok1   s,1),   s;k&k   s;k((   s;k(1
s;k(o   s;k1,   s;k1o   s;k;    s;k[k   s;k[n   s;kf(   s;kkn   s;kks   s;kn(   s;knk   s;knn   s;ko(   s;kok   s;kvc   s;kvk   s;n:k   sB1     sB1&s   sB1Uk
sB1c    sB1os   sU((k   sU(k(   sU(kk   sU(kn   sU(ks   sUk(k   sUk1    sUk1&   sUk1,   sUk1c   sUk1k   sUk1o   sUkf(   sUkk1   sUkkk   sUkn(   sUkn,   sUkn1
sUknk   sUkok   sUkv,   sUkvc   sUn(k   sUnk1   sUnkf   sUno1   sf(1)   sf(n,   sf(s)   sk)&(   sk)&1   sk)&f   sk);k   sk)B1   sk)Uk   sk)Un   sk)k1   sk)kk
sk)o(   sk)o1   sk)of   sk)ok   sk1&1   sk1Uk   sk1c    sk1o1   sk1os   skU1,   skks    skksc   sn,f(   sno1U   so(((   so((k   so((s   so(1)   so(1o   so(f(
so(k)   so(k1   so(kk   so(kn   so(ko   so(ks   so(os   so(s)   so1&1   so1&o   so1&s   so1Bf   so1Uk   so1c    so1f(   so1kf   so1o(   so1o1   so1of   so1ok
so1oo   so1os   so1ov   sof()   sof(1   sof(f   sof(k   sok&s   sok(1   sok(k   sok(o   sok(s   sok1    sok1,   sok1c   sok1o   sokc    sokf(   sokn,   soknk
soko(   soko1   sokok   sokos   sonk1   sono1   sonos   sos     sos&(   soso(   sosos   sov&1   sov&s   sov:o   sovo1   sovok   sovos   sovov   sovso   v:o1)
vUk1,   vok1,
The Library
On GitHub Now
~500 Lines of Code
One file + data
No memory allocation
No threads
No external dependencies
Fixed stack size
>100k checks a second
tada
#include "sqlparse.h"
#include <string.h>
int main()
{
    const char* ucg = "1 OR 1=1";
    // input should be normalized, upper-cased
    //   You can use sqli_normalize
    //   if you don't have your own function
    sfilter sf;
    return is_sqli(&sf, ucg, strlen(ucg));
}

$ gcc -Wall -Wextra sample.c sqlparse.c
$ ./a.out
$ echo $?
1
What's Next?
• Change API to allow passing in
  fingerprint data or a function. Allows
  upgrades without code changes.

• Can we reduce the number of tokens?
  String, variables, numbers are all just
  values.

• Folding of comma-separated values?
  1,2,3,4 => 1

• Can we just eliminate all parenthesis?
Help!
• More SQLi from the field please!
• False positives welcome
• More test cases with exotic SQL to test
  parser.
• Ports to other languages (the language-
  neutral test framework should make this
  easier).
• Compiling on Windows (mostly tested on
  Mac OS X and Linux)
Slides and Source Code:
http://www.client9.com/libinjection/

Nick Galbreath
@ngalbreath
nickg@client9.com

       Sept 20 OWASP NY
        SQL obfuscation and libinjection
       Oct 25, OWASP USA, Austin, Texas
        Continuous Deployment and Security



              Thanks

 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software developmentNick Galbreath
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListNick Galbreath
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Nick Galbreath
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Nick Galbreath
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Nick Galbreath
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on whiteNick Galbreath
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Nick Galbreath
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 

More from Nick Galbreath (12)

Making operations visible - devopsdays tokyo 2013
Making operations visible  - devopsdays tokyo 2013Making operations visible  - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading List
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on white
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum

  • 1. libinjection: New Techniques in Detecting SQLi Attacks. iSEC Partners Open Forum, Gilt Group, New York, September 6 2012. Nick Galbreath @ngalbreath nickg@client9.com
  • 2. http://client9.com/20120906/ Follow along at your own pace
  • 3. First presented at Black Hat USA 2012 http://client9.com/20120725 iSEC Partners party at Bellagio
  • 4. The Next 15 Minutes • You know what SQLi is and why it's important • Why detecting SQLi is a hard problem • Why current solutions aren't so good • The libinjection algorithm and library
  • 5. It's Easy to Get Started with Regular Expressions: s/UNION\s+(ALL)?/i ‣ At least two open source WAFs use regular expressions. ‣ Failure cases in closed-source WAFs also indicate regexps.
  • 6. 1992 SQL Spec 625 pages plain text bit.ly/10fmhZ
  • 7. 2003 SQL Spec 128 pages pure BNF bit.ly/OB5vfW
  • 8. Integer Forms
    ‣ [0-9]+
    ‣ 0x[0-9a-fA-F]+ (e.g. 0xDEADbeef; MySQL, MSSQL; 0x is case sensitive)
    ‣ 0x (MSSQL only)
    ‣ x'DEADbeef' (PgSQL)
    ‣ b'10101010' (MySQL, PgSQL)
    ‣ 0b010101 (MySQL)
  • 9. Floating Point (http://bit.ly/Qp6KTu)
    ‣ digits
    ‣ digits[.]
    ‣ digits[.]digits
    ‣ digits[eE]digits
    ‣ digits[eE][+-]digits
    ‣ digits[.][eE]digits
    ‣ digits[.]digits[eE][+-]digits
    ‣ digits[.]digits[eE]digits
    ‣ [.]digits
    ‣ [.]digits[eE]digits
    ‣ [.]digits[eE][+-]digits
    ‣ "binary_float_infinity" (O)
    Optional start with [+-]. Optional ending with [dDfF] (Oracle).
  • 10. Money Literals • MSSQL has a money type. • -$45.12 • $123.0 • +$1,000,000.00 Commas ignored • Haven't experimented with this yet. • Does it auto-cast to a float or int type?
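The literal grammars of slides 8 to 10 combined into one recogniser that reports which dialects read a token as a numeric literal. This is an added Python example written for this page, not libinjection's code. The dialect attributions are the slides' own; treating plain integers and unsuffixed floats as accepted by all four dialects is this example's assumption, as is the exact money syntax, which the slides only sketch with three samples.

```python
import re

DIGITS = "[0-9]+"
# Floating-point shapes exactly as slide 9 lists them; "digits" stands for [0-9]+.
FLOAT_SHAPES = [
    "digits", "digits[.]", "digits[.]digits", "digits[eE]digits",
    "digits[eE][+-]digits", "digits[.][eE]digits", "digits[.]digits[eE][+-]digits",
    "digits[.]digits[eE]digits", "[.]digits", "[.]digits[eE]digits",
    "[.]digits[eE][+-]digits",
]
# Optional leading sign on every form; the [dDfF] suffix is Oracle-only.
FLOAT_CORE = "[+-]?(?:" + "|".join(s.replace("digits", DIGITS) for s in FLOAT_SHAPES) + ")"

# Assumption of this example: plain integers and floats are accepted everywhere;
# the remaining forms are attributed to the dialects the slides name.
ALL = {"MySQL", "MSSQL", "PgSQL", "Oracle"}
LITERAL_FORMS = [
    # (label, grammar, dialects)
    ("integer [0-9]+",            re.compile(r"[0-9]+"),                       ALL),
    ("hex 0x... (0x lowercase)",  re.compile(r"0x[0-9a-fA-F]+"),               {"MySQL", "MSSQL"}),
    ("empty hex 0x",              re.compile(r"0x"),                           {"MSSQL"}),
    ("hex x'...'",                re.compile(r"x'[0-9a-fA-F]+'"),              {"PgSQL"}),
    ("bit b'...'",                re.compile(r"b'[01]+'"),                     {"MySQL", "PgSQL"}),
    ("bit 0b...",                 re.compile(r"0b[01]+"),                      {"MySQL"}),
    ("float",                     re.compile(FLOAT_CORE),                      ALL),
    ("float with [dDfF] suffix",  re.compile(FLOAT_CORE + "[dDfF]"),           {"Oracle"}),
    ("binary_float_infinity",     re.compile("binary_float_infinity", re.I),   {"Oracle"}),
    ("money [+-]$d,ddd.dd",       re.compile(r"[+-]?\$[0-9,]+(?:\.[0-9]+)?"),  {"MSSQL"}),
]


def literal_forms(text):
    """Every literal grammar the whole text matches, paired with its dialects."""
    return [(label, dialects) for label, rx, dialects in LITERAL_FORMS if rx.fullmatch(text)]


def accepting_dialects(text):
    """Union of the dialects that read `text` as a single numeric literal."""
    accepted = set()
    for _, dialects in literal_forms(text):
        accepted |= dialects
    return accepted


if __name__ == "__main__":
    # Samples taken from the slides plus a few constructed edge cases.
    for sample in ["0xDEADbeef", "0XDEADbeef", "0x", "x'DEADbeef'", "b'10101010'",
                   "0b010101", ".5", "1.5e-3f", "+$1,000,000.00", "1-917"]:
        print(f"{sample!r:>18} -> {sorted(accepting_dialects(sample))}")
```

A tokenizer that only knows `[0-9]+` and a C-style float would call `0x`, `x'DEADbeef'` or `$123.0` something other than a number, so its fingerprints for those inputs would differ per database; that is the reason the slides enumerate every shape before describing the master list.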
  • 11. Ridiculous Operators
    ‣ != not equals, standard
    ‣ <=> mysql
    ‣ <> mssql
    ‣ ^= oracle
    ‣ !>, !< not less than mssql
    ‣ / oracle
    ‣ ||/ cube root (pgsql)
    ‣ ** exponents (oracle)
    ‣ # bitwise xor (pgsql; conflicts with mysql comment)
    ‣ !! factorial (pgsql)
    ‣ |/ square root (pgsql)
  • 12. Strings, Charsets, and Comments Such a cluster that I defer you to my DEFCON 20 talk. http://client9.com/20120727/
  • 13. (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or| not)s+||||&&)s*w+() (?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~]) (?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not|| ||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-]s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and| or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW) (?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=| |)(?<=&&)w+()|(?:"[sd]*[^ws]+W*dW*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+ s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]+"[^,]) (?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])| (?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|][ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)| (?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+") (?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*like W*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[sw]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^? ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*() (?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d] +x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=|or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)| (?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*") (?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete| update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s+(?: (?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*() (?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+group s+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w +)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()]) (?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+ [d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!+"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)| (?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(]) (?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+) (?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update| insert|desc)s*[[(]?w{2,}) (?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto) (?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s* (s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs*(s*@) (?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{)) (?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user| database|schema|connection_id)s*([^)]*)|(?:";?s*(?:select|union|having)s*[^s])|(?:wiifs*()| (?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+ (?:dump|out)files*") (?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+
  • 14. Proven Fail ‣ At Black Hat USA 2005, Hanson and Patterson presented: Guns and Butter: Towards Formal Axioms of Validation (http://bit.ly/OBe7mJ) ‣ …formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct. ‣ (summary from libdejector documentation)
  • 15. Can we do better?
  • 17. Key Insight ‣ A SQLi attack must be parsed as SQL within the original query. ‣ SQL has a rigid syntax ‣ it works, or it's a syntax error. ‣ Compare this to HTML/XSS rules ‣ "Is it a SQLi attack?" becomes "Could it be a SQL snippet?"
  • 18. Only 3 Contexts User input is only "injected" into SQL in three ways: ‣ As-Is ‣ Inside a single quoted string ‣ Inside a double quoted string Means we have to parse input three times. Compare to XSS
  • 19. Identification of SQL snippets without context is hard ‣ 1-917-660-3400 my phone number or an arithmetic expression in SQL? ‣ @ngalbreath my twitter account or a SQL variable? ‣ English-like syntax and common keywords: union, group, natural, left, right, join, top, table, create, in, is, not, before, begin, between
  • 20. Existing SQL Parsers ‣ Only parse their flavor of SQL ‣ Not well designed to handle snippets ‣ Hard to extend ‣ Worried about correctness ... so I wrote my own!
  • 21. Tokenization ‣ Converts input into a stream of tokens ‣ Uses "master list" of keywords and functions across all databases. ‣ Handles comments, string, literals, weirdos.
  • 22. 5000224' UNION USER_ID>0--
    [ ('...500224', string), ('UNION', union operator), ('USER_ID', name), ('>', operator), ('0', number), ('--.....', comment) ]
  • 23. Meet the Tokens
    ‣ none/name
    ‣ variable
    ‣ string
    ‣ regular operator
    ‣ unknown
    ‣ number
    ‣ comment
    ‣ keyword
    ‣ group-like operation
    ‣ union-like operator
    ‣ logical operator
    ‣ function
    ‣ comma
    ‣ semi-colon
    ‣ left parens
    ‣ right parens
  • 24. Merging, Specialization, Disambiguation
    ‣ "IS", "NOT" ==> "IS NOT" (single op)
    ‣ "NATURAL", "JOIN" ==> "NATURAL JOIN"
    ‣ ("+", operator) -> ("+", unary operator)
    ‣ (COS, function), (1, number) ==> (COS, name), (1, number): functions must be followed by a parenthesis!
  • 25. Folding ‣ This step actually isn't needed to detect, but is needed to reduce false positives. ‣ Converts simple arithmetic expressions into a single value (don't try to evaluate them). ‣ 1-917-660-3400 -> "1"
  • 26. Knows nothing about SQLi ‣ So far this is purely a parsing problem. ‣ Knows nothing about SQLi (which is evolving) ‣ Can be 100% tested against any SQL input (not SQLi) for correctness. ‣ Language independent test cases:
    $ cat test-tokens-numbers-floats-003.txt
    --TEST--
    floating-point parsing test
    --INPUT--
    SELECT .0;
    --EXPECTED--
    k SELECT
    1 .0
    ; ;
  • 27. Fingerprints ‣ The token types of a user input form a hash or a fingerprint. ‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ ‣ becomes "sUk1,1,1,1,1,1,1,1,&" ‣ Now let's generate fingerprints from Real World Data. ‣ Can we distinguish between SQLi and benign input?
  • 28. Training on SQLi ‣ Parse known SQLi attacks from ‣ SQLi vulnerability scanners ‣ Published reports ‣ SQLI How-Tos ‣ > 32,000 total ‣ Since Black Hat, donations from ‣ modsecurity ‣ qualys ‣ > 50,000 total
  • 29. Training on Real Input ‣ 100s of millions of user inputs from Etsy's access logs were also parsed. ‣ Large enough to get a good sample (Top 50 USA site) ‣ Old enough to have lots of odd ways of query string formatting. ‣ Full text search with a diverse subject domain
  • 30. How many tokens are needed to determine if user input is SQLi or not?
  • 31. 5 no matter how long the input
  • 32. 622 out of 1,048,576 are SQLi &1o1U &f()o &f(1) 1&((f 1&((k 1&(1, 1&(1o 1&(f( 1&(k( 1&(k1 1&(kf 1&(kk 1&(kn 1&(ko 1&(v) 1&1Bf 1&1Uk 1&1f( 1&1o( 1&1o1 1&1of 1&1ok 1&1on 1&1oo 1&1ov 1&f(( 1&f() 1&f(1 1&f(f 1&f(k 1&f(n 1&f(v 1&k(1 1&k(f 1&k1k 1&kUk 1&kk1 1&n() 1&no1 1&o(1 1&o1o 1&so1 1)&(1 1)&(f 1)&(k 1)&(n 1)&1B 1)&1U 1)&1f 1)&1o 1)&f( 1)&o( 1)()s 1))&( 1))&1 1))&f 1))&o 1)))& 1)))) 1))); 1)))B 1)))U 1)))k 1)))o 1));k 1))B1 1))Uk 1))Un 1))k1 1))kk 1))o( 1))o1 1))of 1))ok 1))on 1),(1 1);k& 1);k( 1);kf 1);kk 1);kn 1);ko 1)B1 1)B1& 1)B1c 1)B1o 1)U(k 1)Uk1 1)Ukf 1)Ukk 1)Ukn 1)Unk 1)k1 1)k1c 1)k1o 1)kks 1)o(1 1)o(k 1)o(n 1)o1B 1)o1f 1)o1k 1)o1o 1)of( 1)ok( 1)ok1 1)on& 1)ono 1,(f( 1,(k( 1,(k1 1,(kf 1,1), 1,1)o 1,1B1 1,1Uk 1,f(1 1,s), 1;k&k 1;k(( 1;k(1 1;k(o 1;k1, 1;kf( 1;kks 1;kn( 1;kn, 1;knc 1;ko( 1;kok 1B1 1B1,1 1B1,n 1B1Uk 1B1c 1B1k1 1B1ks 1Bf(1 1Bf(f 1Bk(1 1Bn,n 1Bnk1 1U(k1 1U(kf 1U1,1 1Uc 1Uk 1Uk(1 1Uk(k 1Uk(n 1Uk1 1Uk1, 1Uk1c 1Uk1f 1Uk1k 1Uk1n 1Uk1o 1Ukf 1Ukf( 1Ukf, 1Ukk( 1Ukk, 1Ukk1 1Ukkk 1Ukkn 1Ukn& 1Ukn( 1Ukn, 1Ukn1 1Uknc 1Uknk 1Ukno 1Ukns 1Uko1 1Ukok 1Uks, 1Uksc 1Ukv 1Ukv, 1Ukvc 1Un,1 1Un1, 1Unk( 1Unk1 1Unkf 1Uon1 1f()k 1k1U( 1k1Uk 1k1c 1kU1, 1kf(1 1kk(1 1kksc 1knkn 1n&f( 1nUk1 1nUkn 1nk1c 1nkf( 1o((( 1o((1 1o((f 1o(1) 1o(1o 1o(f( 1o(k( 1o(k1 1o(kf 1o(kn 1o(kv 1o(n) 1o(s) 1o1)& 1o1)o 1o1Bf 1o1Uk 1o1f( 1o1kf 1o1o( 1o1o1 1o1of 1o1oo 1o1ov 1of() 1of(1 1of(f 1of(n 1of(s 1ok(1 1ok(k 1ok1 1ok1, 1ok1c 1ok1k 1okf( 1oks, 1oksc 1okv, 1onos 1oso1 ;kknc Uk1,1 Uk1,f Uk1,n Ukkkn f((k( f((kf f()&f f()of f(1)& f(1)o f(1,f f(1o1 f(f() f(f(1 f(k() f(k,( f(k,n f(n() f(v,1 k()ok k(1)U k(ok( k(vv) k1,1, k1,1c k1,1k k1,f( k1k(k k1o(s k;non kf(1) kf(1, kf(f( kf(n, kf(v: kk(f( kk1kk kk1nk kk1vk kk1vn kn1kk kn1vk kn1vn ko(k( ko(kf kok(k kv) kvk(1 n&(1) n&(k1 n&(o1 n&1f( n&1o( n&1o1 n&1of n&1oo n&f(1 n&f(f n&k(1 n&o1o n)&(k n)&1f n)&1o n)&f( n))&( n))&1 n))&f n)))& n))); n)))k n)))o n));k n))kk n))o( n))o1 n))of n))ok n);k& n);k( n);kf n);kk n);kn n);ko n)k1o n)kks n)o(k n)o1& 
n)o1f n)o1o n)of( n)ok( n,(f( n,(k( n,(k1 n,(kf n,f(1 n:o1U n;k&k n;k(( n;k(1 n;kf( n;kks n;kn( n;ko( n;kok nUk(k nUk1, nUkn, nUnk( nk1Uk nkf(1 nkksc nnn)U nno1U no(k1 no(o1 no1&1 no1Uk no1f( no1o( no1o1 no1of no1oo nof(1 nok(1 nok(k o1kf( oUk1, of()o of(1) ok1o1 okkkn ook1, s&(1) s&(1, s&(1o s&(f( s&(k) s&(k1 s&(kf s&1Bf s&1Uk s&1c s&1f( s&1o( s&1o1 s&1of s&1on s&1oo s&1os s&1ov s&f(( s&f() s&f(1 s&f(f s&f(v s&k&s s&k(1 s&k(o s&k1o s&kc s&knk s&ko( s&ko1 s&kok s&kos s&n&s s&no1 s&nos s&o(1 s&o(k s&o1o s&okc s&oko s&os s&sos s&v:o s&vos s&vso s)&(1 s)&(k s)&1B s)&1f s)&1o s)&f( s)&o( s))&( s))&1 s))&f s))&n s))&o s)))& s))); s)))B s)))U s)))k s)))o s));k s))B1 s))Uk s))Un s))k1 s))kk s))o( s))o1 s))of s))ok s),(1 s);k& s);k( s);kf s);kk s);kn s);ko s)B1 s)B1& s)B1c s)B1o s)U(k s)Uk1 s)Unk s)k1 s)k1c s)k1o s)kks s)o(1 s)o(k s)o1B s)o1f s)o1k s)o1o s)of( s)ok( s)ok1 s,1), s;k&k s;k(( s;k(1 s;k(o s;k1, s;k1o s;k; s;k[k s;k[n s;kf( s;kkn s;kks s;kn( s;knk s;knn s;ko( s;kok s;kvc s;kvk s;n:k sB1 sB1&s sB1Uk sB1c sB1os sU((k sU(k( sU(kk sU(kn sU(ks sUk(k sUk1 sUk1& sUk1, sUk1c sUk1k sUk1o sUkf( sUkk1 sUkkk sUkn( sUkn, sUkn1 sUknk sUkok sUkv, sUkvc sUn(k sUnk1 sUnkf sUno1 sf(1) sf(n, sf(s) sk)&( sk)&1 sk)&f sk);k sk)B1 sk)Uk sk)Un sk)k1 sk)kk sk)o( sk)o1 sk)of sk)ok sk1&1 sk1Uk sk1c sk1o1 sk1os skU1, skks skksc sn,f( sno1U so((( so((k so((s so(1) so(1o so(f( so(k) so(k1 so(kk so(kn so(ko so(ks so(os so(s) so1&1 so1&o so1&s so1Bf so1Uk so1c so1f( so1kf so1o( so1o1 so1of so1ok so1oo so1os so1ov sof() sof(1 sof(f sof(k sok&s sok(1 sok(k sok(o sok(s sok1 sok1, sok1c sok1o sokc sokf( sokn, soknk soko( soko1 sokok sokos sonk1 sono1 sonos sos sos&( soso( sosos sov&1 sov&s sov:o sovo1 sovok sovos sovov sovso v:o1) vUk1, vok1,
  • 33. The Library On GitHub Now ~500 Lines of Code One file + data No memory allocation No threads No external dependencies Fixed stack size >100k checks a second
  • 34. tada
    #include "sqlparse.h"
    #include <string.h>

    int main() {
        const char* ucg = "1 OR 1=1";
        // input should be normalized, upper-cased
        // You can use sqli_normalize
        // if you don't have your own function
        sfilter sf;
        return is_sqli(&sf, ucg, strlen(ucg));
    }

    $ gcc -Wall -Wextra sample.c sqlparse.c
    $ ./a.out
    $ echo $?
    1
  • 35. What's Next? • Change API to allow passing in fingerprint data or a function. Allows upgrades without code changes. • Can we reduce the number of tokens? Strings, variables, numbers are all just values. • Folding of comma-separated values? 1,2,3,4 => 1 • Can we just eliminate all parentheses?
  • 36. Help! • More SQLi from the field please! • False positives welcome • More test cases with exotic SQL to test the parser. • Ports to other languages (the language-neutral test framework should make this easier). • Compiling on Windows (mostly tested on Mac OS X and Linux)
  • 37. Slides and Source Code: http://www.client9.com/libinjection/ Nick Galbreath @ngalbreath nickg@client9.com Sept 20 OWASP NY SQL obfuscation and libinjection Oct 25, OWASP USA, Austin, Texas Continuous Deployment and Security Thanks
