SQL that isn't caught by WAFs but also isn't used (yet) by attackers! Why detecting SQLi is good, and why doing it with regular expressions is hard. And re-introducing libinjection, a new way of detecting SQLi attacks.
This is a mashup of my Black Hat USA 2012 and DEFCON 20 talks, refreshed and updated.
5. All photos were taken by me last week on Martha's Vineyard, MA, or at previous conferences,
unless it's a picture of a clown or otherwise noted.
Then it came from The Internet. Thanks Internet!
6. The Next 30 Minutes
• Why detecting SQLi is Important
• SQL you didn't know about
• Why detecting SQLi is a hard problem
• Why current solutions aren't so good
• The libinjection algorithm and library
7. Why Detect SQLi
• Even if you know 100% of your queries
are parameterized...
• Knowing who is attempting SQLi attacks, and
how often, is still good to know
• Graph the attacks! Make security
visible! Great internal PR.
8. So Let's Detect SQLi !!!!
It's Easy to Get Started
with Regular Expressions
s/UNION\s+(ALL)?/i
‣ At least two open source WAFs use regular expressions.
‣ Failure cases in closed-source WAFs also indicate regexps.
12. MySQL NULL Alias
MySQL NULL can be written as \N (case sensitive; \n is not a null).
This means any WAF that does a "to_lower" on the user input and
looks for "null" will miss this case.
16. Floating Point, Oracle
• Every one of the previous formats can
have a trailing [dDfF]
• But why use numbers at all?
Special literals, maybe case sensitive:
• binary_double_infinity
• binary_double_nan
• binary_float_infinity
• binary_float_nan
20. MySQL # Comment
• '#' signals a till-end-of-line comment
• Widely used in SQLi attacks
• However... '#' is an operator in PgSQL.
Beware that s/#.*\n// will delete
code that needs inspecting.
• Lots of other MySQL comment oddities:
http://dev.mysql.com/doc/refman/5.6/en/comments.html
21. PGSQL Comments
• Besides the usual '--' comment
• PgSQL has nested C-Style Comments
• /* foo /* bar */ */
• Careful! What happens when you
'remove comments' in
/* /* */ UNION ALL /* */ */
25. MySQL Ad-Hoc
Charset
• _charset'....'
• _latin1'.....'
• _utf8'....'
26. PGSQL Dollar Quoting
From http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-COMMENTS
A dollar-quoted string constant consists of a dollar sign
($), an optional "tag" of zero or more characters, another
dollar sign, an arbitrary sequence of characters that
makes up the string content, a dollar sign, the same tag
that began this dollar quote, and a dollar sign. For
example, here are two different ways to specify the
string "Dianne's horse" using dollar quoting:
$$Dianne's horse$$
$SomeTag$Dianne's horse$SomeTag$
Want more fun? They can be nested!
27. PGSQL Unicode
From http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html emphasis mine:
... This variant starts with U& (upper or lower case U followed by ampersand) immediately before the
opening double quote, without any spaces in between, for example U&"foo". (Note that this creates an
ambiguity with the operator &. Use spaces around the operator to avoid this problem.) Inside the quotes,
Unicode characters can be specified in escaped form by writing a backslash followed by the four-digit
hexadecimal code point number or alternatively a backslash followed by a plus sign followed by a six-digit
hexadecimal code point number. For example, the identifier "data" could be written as
U&"d\0061t\+000061"
The following less trivial example writes the Russian word "slon" (elephant)
in Cyrillic letters:
U&"\0441\043B\043E\043D"
If a different escape character than backslash is
desired, it can be specified using the UESCAPE clause
after the string, for example:
U&"d!0061t!+000061" UESCAPE '!'
28. Oracle Q String
http://docs.oracle.com/cd/B28359_01/appdev.111/b28370/fundamentals.htm#autoId6
q'!...!' notation allows use of single quotes inside literal
string_var := q'!I'm a string!';
You can use delimiters [, {, <, and (, pair them with ], }, >, and ),
pass a string literal representing a SQL statement to a
subprogram, without doubling the quotation marks around
'INVALID' as follows:
func_call(q'[SELECT index_name FROM user_indexes
WHERE status ='INVALID']');
30. Ridiculous Operators
• != not equals, standard
• <=> (mysql)
• <> (mssql)
• ^= (oracle)
• !>, !< not less than (mssql)
• / oracle
• !! factorial (pgsql)
• |/ square root (pgsql)
• ||/ cube root (pgsql)
• ** exponents (oracle)
31. Expressions!
• Using the common query extension of
"OR 1=1"
• Besides using literals, one can use functions:
• COS(0) = SIN(PI()/2)
• COS(@VERSION) = -SIN(@VERSION + PI()/2)
32. EXCEPT (mssql)
MINUS (Oracle)
• Like UNION, UNION ALL
• But returns all results from first query
minus/except the ones from the
second query
• INTERSECT and MINUS exist as well.
• I think someone clever could use these,
typically not in WAF rules.
33. Side Note: "IN" lists
• e.g. ....WHERE id IN (1,2,3,4) ....
• These have to be manually created.
• There is no API or parameter binding
for this construct in any
platform, framework or language.
• There is no consistent, safe way to
make this (other than convention,
36. Unicorn Alert!
‣ At Black Hat USA 2005,
Hansen and Patterson presented:
Guns and Butter: Towards Formal Axioms
of Validation (http://bit.ly/OBe7mJ)
‣ …formally proved that for any regex validator,
we could construct either a safe query which
would be flagged as dangerous, or a dangerous
query which would be flagged as correct.
‣ (summary from libdejector documentation)
39. Key Insight
‣ A SQLi attack must be parsed as SQL within
the original query.
‣ SQL has a rigid syntax
‣ it works, or it's a syntax error.
‣ Compare this to HTML/XSS rules
‣ "Is it a SQLi attack?" becomes
"Could it be a SQL snippet?"
40. Only 3 Contexts
User input is only "injected" into SQL in three
ways:
‣ As-Is
‣ Inside a single quoted string
‣ Inside a double quoted string
Means we have to parse input three times.
Compare to XSS
41. Identification of
SQL snippets
without context is hard
‣ 1-917-660-3400 my phone number or
... an arithmetic expression in SQL?
‣ @ngalbreath my twitter account or
... a SQL variable?
‣ English-like syntax and common keywords:
union, group, natural, left, right, join, top,
table, create, in, is, not, before, begin, between
42. Existing SQL Parsers
‣ Only parse their flavor of SQL
‣ Not well designed to handle snippets
‣ Hard to extend
‣ Worried about correctness
... so I wrote my own!
43. Tokenization
‣ Converts input into a stream of tokens
‣ Uses "master list" of keywords and functions
across all databases.
‣ Handles comments, strings, literals, and weirdos.
44. 5000224' UNION USER_ID>0--
[ ('...500224', string),
('UNION', union operator),
('USER_ID', name),
('>', operator),
('0', number),
('--.....', comment) ]
45. Meet the Tokens
‣ none/name
‣ variable
‣ string
‣ regular operator
‣ unknown
‣ number
‣ comment
‣ keyword
‣ group-like operation
‣ union-like operator
‣ logical operator
‣ function
‣ comma
‣ semi-colon
‣ left parens
‣ right parens
46. Merging,
Specialization,
Disambiguation
‣ "IS", "NOT" ==> "IS NOT" (single op)
‣ "NATURAL", "JOIN" => "NATURAL JOIN"
‣ ("+", operator) -> ("+", unary operator)
‣ (COS, function), (1, number) ==>
(COS, name), (1, number)
functions must be followed by a
parenthesis!
47. Folding
‣ This step actually isn't needed to detect, but
is needed to reduce false positives.
‣ Converts simple arithmetic expressions into a
single value, and does not try to evaluate.
‣ 1-917-660-3400 -> "1"
pics courtesy The Internet
48. Knows nothing about SQLi
‣ So far this is purely a parsing problem.
‣ Knows nothing about SQLi (which is evolving)
‣ Can be 100% tested against any SQL input
(not SQLi) for correctness.
‣ Language independent test cases
$ cat test-tokens-numbers-floats-003.txt
--TEST--
floating-point parsing test
--INPUT--
SELECT .0;
--EXPECTED--
k SELECT
1 .0
; ;
49. Fingerprints
‣ The token types of a user input form a hash or
a fingerprint.
‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ
‣ becomes "sUk1,1,1,1,1,1,1,1,&"
‣ Now let's generate fingerprints from
Real World Data.
‣ Can we distinguish between SQLi and benign
input?
pics courtesy The Internet
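The pipeline of slides 40 through 49 (check the input in all three contexts, tokenize, merge and specialize, fold, fingerprint, compare against known-bad fingerprints) as an added Python illustration; this is not libinjection's own code. The keyword list and the set of known SQLi fingerprints are constructed subsets, the fingerprint is cut to five tokens (the question slide 52 raises), and block comments nest PgSQL-style unless told otherwise, so the slide 21 example can be tokenized both ways.

```python
import re

# Constructed subset of the "master list" of keywords/functions across
# dialects (libinjection's real list is far larger).  Type letters follow
# the slides' fingerprint example: k keyword, U union-like, & logical,
# B group-like, f function, o operator, 1 number; n name, v variable,
# s string, c comment and ? unknown are assigned by the tokenizer.
KEYWORDS = {
    "SELECT": "k", "FROM": "k", "WHERE": "k", "ALL": "k", "NATURAL": "k",
    "JOIN": "k", "IS": "o", "NOT": "o", "IN": "o", "LIKE": "o", "NULL": "1",
    "UNION": "U", "INTERSECT": "U", "EXCEPT": "U", "MINUS": "U",
    "AND": "&", "OR": "&", "GROUP": "B", "ORDER": "B",
    "COS": "f", "SIN": "f", "PI": "f", "USER": "f", "VERSION": "f",
}
MERGES = {("IS", "NOT"): "o", ("NATURAL", "JOIN"): "k", ("UNION", "ALL"): "U"}
ARITH = {"+", "-", "*", "/"}
TYPE_OF = {"c": "c", "s": "s", "v": "v", "d": "1", "o": "o", "x": "?"}

TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<c>--[^\n]*|\#[^\n]*)"                                 # -- and # line comments
    r"|(?P<s>'(?:[^'\\]|\\.|'')*'?|\"(?:[^\"\\]|\\.|\"\")*\"?)"   # strings, may be unterminated
    r"|(?P<v>@@?\w+)"                                              # @var / @@var
    r"|(?P<d>\d+(?:\.\d*)?(?:[eE][+-]?\d+)?|\.\d+)"                # numbers
    r"|(?P<w>[A-Za-z_]\w*)"                                        # keyword, function or name
    r"|(?P<o>\|\|/|\|/|<=>|!=|<>|<=|>=|!<|!>|\^=|\*\*|!!|[-+*/%<>=&|^~!])"
    r"|(?P<p>[(),;])"                                              # punctuation is its own type
    r"|(?P<x>.)", re.S)


def tokenize(sql, nested_comments=True):
    """Convert input into a list of (type, text) tokens."""
    toks, i = [], 0
    while i < len(sql):
        if sql.startswith("/*", i):        # block comment; PgSQL nests them, MySQL does not
            depth, j = 1, i + 2
            while j < len(sql) and depth:
                if sql.startswith("*/", j):
                    depth, j = depth - 1, j + 2
                elif nested_comments and sql.startswith("/*", j):
                    depth, j = depth + 1, j + 2
                else:
                    j += 1
            toks.append(("c", sql[i:j]))
            i = j
            continue
        m = TOKEN_RE.match(sql, i)
        kind, text, i = m.lastgroup, m.group(), m.end()
        if kind == "ws":
            continue
        if kind == "w":
            t = KEYWORDS.get(text.upper(), "n")
        elif kind == "p":
            t = text
        else:
            t = TYPE_OF[kind]
        toks.append((t, text))
    return toks


def refine(toks):
    """Merging, specialization and folding as described on slides 46 and 47."""
    out, i = [], 0
    while i < len(toks):
        t, text = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        pair = (text.upper(), nxt[1].upper()) if nxt else None
        if pair in MERGES:                 # "IS" "NOT" -> "IS NOT", "UNION" "ALL" -> one op
            out.append((MERGES[pair], text + " " + nxt[1]))
            i += 2
            continue
        if t == "f" and not (nxt and nxt[0] == "("):
            t = "n"                        # a function must be followed by a parenthesis
        if t == "o" and text in ARITH and out and out[-1][0] == "1" and nxt and nxt[0] == "1":
            out[-1] = ("1", out[-1][1] + text + nxt[1])   # fold number op number -> number
            i += 2
            continue
        if t == "o" and text in ("+", "-") and nxt and nxt[0] == "1" \
                and (not out or out[-1][0] in "oU&k,("):
            out.append(("1", text + nxt[1]))              # unary sign, no left operand
            i += 2
            continue
        out.append((t, text))
        i += 1
    return out


def fingerprint(sql, nested_comments=True, max_tokens=5):
    """Token types of the refined stream, cut to the first max_tokens (None = all)."""
    return "".join(t for t, _ in refine(tokenize(sql, nested_comments)))[:max_tokens]


# Constructed stand-in for the fingerprint set libinjection trains from
# tens of thousands of real SQLi samples.
KNOWN_SQLI = {"1&1o1", "s&1o1", "sUno1", "sUk1,"}


def is_sqli(user_input, known=KNOWN_SQLI):
    """Slide 40: the input is checked as-is, inside '...' and inside "..."."""
    return any(fingerprint(ctx + user_input) in known for ctx in ("", "'", '"'))


if __name__ == "__main__":
    for sample in ("1 OR 1=1", "5000224' UNION USER_ID>0--", "1-917-660-3400", "@ngalbreath"):
        print(repr(sample), "->", fingerprint(sample), is_sqli(sample))
```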
50. Training on SQLi
‣ Parse known SQLi attacks from
‣ SQLi vulnerability scanners
‣ Published reports
‣ SQLi How-Tos and Cheat Sheets
‣ > 32,000 total
‣ Since Black Hat, donations from
‣ modsecurity
‣ Qualys
‣ > 50,000 total
51. Training on Real Input
‣ 100s of Millions of user inputs from Etsy's
access logs were also parsed.
‣ Large enough to get a good sample (Top 50
USA site)
‣ Old enough to have lots of odd ways of query
string formatting.
‣ Full text search with a diverse subject
domain
52. How many tokens are
needed to determine if
user input is SQLi or not?
55. The Library
On GitHub Now
~500 Lines of Code
One file + data
No memory allocation
No threads
No external dependencies
Fixed stack size
>100k checks a second
56. tada
#include "sqlparse.h"
#include <string.h>
int main()
{
const char* ucg = "1 OR 1=1";
// input should be normalized, upper-cased
// You can use sqli_normalize
// if you don't have your own function
sfilter sf;
return is_sqli(&sf, ucg, strlen(ucg));
}
$ gcc -Wall -Wextra sample.c sqlparse.c
$ ./a.out
$ echo $?
1
58. What's Next?
• Change API to allow passing in
fingerprint data or a function. Allows
upgrades without code changes.
• Can we reduce the number of tokens?
String, variables, numbers are all just
values.
• Folding of comma-separated values?
1,2,3,4 => 1
• Can we just eliminate all parenthesis?
59. Help!
• More SQLi from the field please!
• False positives welcome
• More test cases with exotic SQL to test
parser.
• Ports to other languages (the language-neutral
test framework should make this easier).
• Compiling on Windows (mostly tested
on Mac OS X and Linux)
60. Do you have a
commercial WAF?
• Set up a dead page and let me poke it.
• Curious on false positives and false
negatives.
61. Slides and Source Code:
http://www.client9.com/libinjection/
Nick Galbreath
@ngalbreath
nickg@client9.com
Oct 25, OWASP USA, Austin, Texas
Continuous Deployment and Security