This document discusses SQL injections and how to prevent them. It begins by defining SQL injection as the ability to inject SQL commands into a database through an application. It then explains how SQL injections work by exploiting vulnerabilities in user input validation. The document outlines common techniques used in SQL injections and discusses how widespread this issue is. It provides recommendations for input validation, securing databases, and detecting and discouraging SQL injection attacks. The key takeaway is that proper input validation and server hardening are needed to prevent SQL injections.
3. What is SQL Injection?
The ability to inject SQL commands into the
database engine
through an existing application
4. SQL Injection
Generally, the purpose of SQL injection is to
convince the application to run SQL code that was
not intended.
SQL injection occurs when an application processes
user-provided data to create a SQL statement
without first validating the input.
5. SQL Injection
The user input is then submitted to a web
application database server for execution.
When successfully exploited, SQL injection can give
an attacker access to database content or allow
the hacker to remotely execute system
commands.
In the worst-case scenario, the hacker can take
control of the server that is hosting the database.
6. SQL Injection
This exploit can give a hacker access to a remote shell into
the server file system.
The impact of a SQL injection attack depends on
– where the vulnerability is in the code,
– how easy it is to exploit the vulnerability,
– what level of access the application has to the database.
Theoretically, SQL injection can occur in any type of
application, but it is most commonly associated with web
applications.
Web applications are easy targets because by their very
nature they are open to being accessed from the
Internet.
7. How common is it?
It is probably the most common website vulnerability today!
It is a flaw in "web application" development,
it is not a DB or web server problem
Most programmers are still not aware of this problem
A lot of the tutorials & demo "templates" are vulnerable
Even worse, a lot of solutions posted on the Internet are not good
enough
In our pen tests over 60% of our clients turn out to be
vulnerable to SQL Injection
8. How does SQL Injection work?
Common vulnerable login query
SELECT * FROM users
WHERE login = 'silent'
AND password = 'hexor'
(If it returns something then login!)
ASP/MS SQL Server login syntax
var sql = "SELECT * FROM users" +
" WHERE login = '" + formusr + "'" +
" AND password = '" + formpwd + "'";
9. Injecting through Strings
formusr = ' or 1=1 --
formpwd = anything
Final query would look like this:
SELECT * FROM users
WHERE login = '' or 1=1
-- AND password = 'anything'
10. SQL Injection Defense
It is quite simple: input validation
The real challenge is applying best practices consistently
throughout all your code
Enforce "strong design" in new applications
You should audit your existing websites and source code
Even if you have an airtight design, harden your
servers
11. Input Validation
Define data types for each field
Implement stringent "allow only good" filters
If the input is supposed to be numeric, use a numeric variable
in your script to store it
Reject bad input rather than attempting to escape or modify
it
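The ASP login concatenation from slide 8 and the "allow only good" rule from this slide, worked through as an added JavaScript example (not code from the slides); the regexes and field limits are constructed for illustration.

```javascript
// Added example, not code from the slides: the ASP-style concatenation the
// deck shows beside an "allow only good" validator that rejects the input
// before any SQL is built. Regexes and field limits are constructed here.

// Mirrors the slide's JScript: user input is pasted straight into the query.
function buildLoginQueryUnsafe(formusr, formpwd) {
  return "SELECT * FROM users WHERE login = '" + formusr +
         "' AND password = '" + formpwd + "'";
}

// Allow-list for the login field: 1-32 letters, digits, dots or underscores.
// Quotes, spaces and comment markers never match, so they are rejected, not escaped.
const LOGIN_RE = /^[A-Za-z0-9._]{1,32}$/;
// Password field: 1-64 characters from a fixed printable set (no quotes, no backslash).
const PASSWORD_RE = /^[A-Za-z0-9!@#$%^&*()_+=?.,:-]{1,64}$/;

function isValidLogin(formusr) {
  return typeof formusr === "string" && LOGIN_RE.test(formusr);
}

function isValidPassword(formpwd) {
  return typeof formpwd === "string" && PASSWORD_RE.test(formpwd);
}

// Numeric field: reject anything that is not a plain integer and hand back a
// number, so the script never carries the raw string into a query.
function parseUserId(raw) {
  if (typeof raw !== "string" || !/^\d{1,10}$/.test(raw)) return null;
  return Number(raw);
}

// Validation gate: build the query only when every field passes its allow-list.
// A rejected field yields null so the caller can log the attempt and refuse.
function buildLoginQueryValidated(formusr, formpwd) {
  if (!isValidLogin(formusr) || !isValidPassword(formpwd)) return null;
  return buildLoginQueryUnsafe(formusr, formpwd);
}

// The slide's payload: accepted by the unsafe builder, rejected by the gate.
const INJECTED_USER = "' or 1=1 --";
console.log(buildLoginQueryUnsafe(INJECTED_USER, "anything"));
console.log(buildLoginQueryValidated(INJECTED_USER, "anything")); // null
```

The gate still concatenates the validated values only to stay close to the slide's code; in a real application the validated values would be passed to the database as query parameters rather than spliced into the string.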
12. Harden the Server
1. Run DB as a low-privilege user account.
2. Remove unused stored procedures and functionality or restrict
access to administrators.
3. Change permissions and remove "public" access to system
objects.
4. Audit password strength for all user accounts.
5. Firewall the server so that only trusted clients can connect to it
(typically only: administrative network, web server and backup
server).
13. Detection and Dissuasion
You may want to react to SQL injection attempts by:
Logging the attempts
Sending email alerts
Blocking the offending IP
Sending back intimidating error messages:
"WARNING: Improper use of this application has been detected. A possible
attack was identified. Legal actions will be taken."
Check with your lawyers for proper wording
This should be coded into your validation scripts
14. Conclusion
SQL Injection is a fascinating and dangerous
vulnerability
All programming languages and all SQL databases are
potentially vulnerable
Protecting against it requires
strong design
correct input validation
hardening