SlideShare a Scribd company logo

libinjection: a C library for SQLi detection, from Black Hat USA 2012

Download as KEY, PDF
Nick Galbreath
Nick Galbreath

libinjection: a c library for SQLi detection and generation through lexical analysis of real world attacks

Technology
1 of 40
libinjection a C library for SQLi detection and generation through lexical analysis of real world attacks Nick Galbreath @ngalbreath nickg@client9.com Wednesday July 25, 2012 2:45PM Augustus I+II, Caesar's Palace, Las Vegas
The latest version of this presentation: http:// www.client9.com/ 20120725/ 2
whoami ‣ Director of Engineering @ Etsy ‣ Enterprise, Fraud, Security, Email, Fun ‣ Know a little bit about c, e.g. stringencoders: ‣ C library for string processing ‣ used by every ad server in the world ‣ used in Chrome browser ‣ http://code.google.com/p/stringencoders Nick Galbreath @ngalbreath
The Next 14 Minutes ‣ Why is detecting SQLi hard ‣ The algorithm behind libinjection ‣ The results ‣ Next Steps Nick Galbreath @ngalbreath
Detecting SQLi from User Input is a Hard Problem
It's Easy to Get Started with Regular Expressions! s/UNIONs+(ALL)?/i ‣ At least two open source WAF use regular expressions. ‣ Failure cases in closed-source WAFs also indicate regexp. Nick Galbreath @ngalbreath
SQL IS HUGE ‣ Turing Complete! (sorta) ‣ 1992 SQL Spec: bit.ly/10fmhZ ‣ 625 pages of plain text ‣ 2003 SQL Spec: bit.ly/OB5vfW ‣ 128 pages of pure BNF ‣ No one implements exactly ‣ Everyone has extensions, exceptions, bugs Nick Galbreath @ngalbreath
It's more complicated than you think. ‣ Recursive commenting rules ‣ A single number can't be done in a single regexp. ‣ Really Loosely Typed ‣ String rules - OMFG. You think you know but you have no idea. ‣ Come see my talk at DEFCON this Friday at... 4:20 pm Nick Galbreath @ngalbreath
RegExp Soup (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+() (?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~]) (?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-] s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW) (?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=&&)w+()|(?:"[sd]*[^ws]+W*d W*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws] +"[^,]) (?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|] [ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+") (?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[s w]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*() (?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=| or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*") (?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename| truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*() (?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?: (?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()]) (?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W! +"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(]) (?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+) (?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*[[(]?w{2,}) (?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto) (?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@) (?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{)) (?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";? s*(?:select|union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+ (?:dump|out)files*") (?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*() (?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*(s*spaces*() (?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)]) (?:(sleep((s*)(d*)(s*))|benchmark((.*),(.*)))) (?:(union(.*)select(.*)from)) (?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) Nick Galbreath @ngalbreath
Guns and Butter ‣ In 2005, right here at Black Hat, Hanson and Patterson presented: Guns and Butter: Towards Formal Axioms of Validation (http://bit.ly/OBe7mJ) ‣ …formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct. ‣ (summary from libdejector documentation) Nick Galbreath @ngalbreath
Existing WAFs ‣ Visual inspection shows bugs ‣ Don't see very much in testing ‣ Don't see much or any false positive testing ‣ Closed source WAF have zero accountability (e.g. there is no formal disclosure of what they detect or not, and how they do it) Nick Galbreath @ngalbreath
CAN WE DO BETTER? Nick Galbreath @ngalbreath
libinjection
Key Insight ‣ A SQLi attack must be parsed as SQL with the original query. ‣ "Is it a SQLi attack?" becomes "Could it be a SQL snippet?" ‣ "does this input start as a sql snippet" Nick Galbreath @ngalbreath
Only 3 Contexts User input is only "injected" into SQL in three ways: ‣ As-Is ‣ Inside a single quoted string ‣ Inside a double quoted string (I suppose another would be inside a comment, but we can't do everything) Nick Galbreath @ngalbreath
Identification of SQL snippets without context is hard ‣ 1-917-660-3400 my phone number or an arithmetic expression? ‣ @ngalbreath my twitter account or a SQL variable? Nick Galbreath @ngalbreath
Existing SQL Parsers ‣ Only parse their flavor of SQL ‣ Not well designed to handle snippets ‣ Hard to extend ‣ Worried about correctness ... so I wrote my own! Nick Galbreath @ngalbreath
Tokenization ‣ Converts input into a stream of tokens ‣ Uses "master list" of keywords and functions across all databases. ‣ Handles comments, string, literals, weirdos. Nick Galbreath @ngalbreath
5000224' UNION USER_ID>0-- [ ('...500224', string), ('UNION', union operator), ('USER_ID', name), ('>', operator), ('0', number), ('--.....', comment) ] Nick Galbreath @ngalbreath
Meet the Tokens ‣ none/name ‣ group-like operation ‣ variable ‣ union-like operator ‣ string ‣ logical operator ‣ regular operator ‣ function ‣ unknown ‣ comma ‣ number ‣ semi-colon ‣ comment ‣ left parens ‣ keyword ‣ right parens Nick Galbreath @ngalbreath
Merging, Specialization, Disambiguation ‣ "IS", "NOT" ==> "IS NOT" (single op) ‣ "NATURAL", "JOIN" => "NATURAL JOIN" ‣ ("+", operator) -> ("+", "unary operator") ‣ (COS, function), (1, number) ==> (COS, name), (1, number) functions are followed with a parenthesis. Nick Galbreath @ngalbreath
Folding ‣ This step actually isn't needed to detect, but is needed to reduce false positives. ‣ Converts simple arithmetic expressions into a single value (don't try to evaluate them). ‣ 1-917-660-3400 -> "1" Nick Galbreath @ngalbreath
Knows nothing about SQLi ‣ So far this is purely a parsing problem. ‣ Knows nothing about SQLi (which is evolving) ‣ Can be 100% tested against any SQL input (not SQLi) for correctness. Nick Galbreath @ngalbreath
Fingerprints ‣ The token types of a user input form a hash or a fingerprint. ‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ ‣ becomes "sUk1,1,1,1,1,1,1,1,&" ‣ Now let's generate fingerprints from Real World Data. ‣ Can we distinguish between SQLi and benign input? Nick Galbreath @ngalbreath
Training on SQLi ‣ Parse known SQLi attacks from ‣ SQLi vulnerability scanners ‣ Published reports ‣ SQLI How-Tos ‣ > 32,000 total Nick Galbreath @ngalbreath
Training on real Input ‣ 100s of Millions of user inputs from Etsy's log were also parsed. ‣ Large enough to get a good sample (Top 50 USA site) ‣ Old enough to have lots of odd ways of query string formatting. ‣ Full text search with an diverse subject domain Nick Galbreath @ngalbreath
How many tokens are needed to determine if a user input is SQLi or not?
5 No matter long the input is.
480 out of 1,048,576 are SQLi n,(k( 1))Un n)ok( s)Unk 1)o1B n,(k1 s&n&s k(vv) sosos 1oks, sk)&1 1)o1f 1)o1k n);k& 1&1Bf 1)o1o s&os n,(kf s;k; n&1o1 1o(f( f(k,( 1ok1 1oksc so1f( sk)&f soso( 1),(1 s))&( s))&1 &f()o nok(1 k1,1k 1&f(n soko1 1Unk1 1ok(1 n))kk 1Unk( soko( 1)o(1 s)ok1 sov&s n;kn( nok(k s))&f sovso 1)ok1 s))&o 1)ok( s&sos n&k(1 s&vso so1c sUk(k k1,1, 1)o(n 1)o(k 1Bf(1 1kf(1 s&ko1 s&k(o 1)k1 sk);k 1&f(1 1Unkf s)k1 sos&( 1&(k1 1))on s&kc nUk(o 1;ko( 1)B1 sokc n)o1& no1oo 1&(kn s&1oo so1o1 s)o1f 1&(kf s)o1k s)o1o f(1)o n&1o( s)o1B 1okv, sk)&( 1;kok sok1 f(k() 1Ukv, s&1of 1&1oo n&1f( 1))); 1)))& 1&1of sovo1 s&1ov s)&1o sono1 1o((f 1)))) 1o(s) s)&1f 1&1ov 1Uk1k n))ok k()ok nkksc 1Uk1c n))of s&(k1 s)&1B n;kks n)o(k kf(n, f(f(1 sovov s&1o( sovos s&1o1 vok1, sovok sUk1 1o((( 1)))k 1&1o1 f(f() 1)))o n))o( 1)))U k1k(k 1Uk1, 1&1f( so(s) 1)))B f(n() n))o1 s)&(1 1)of( 1,(k1 sk)B1 f(1,f 1,(k( 1Bk(1 1onos 1o1f( 1,f(1 1B1c s&okc s;ko( sk1os s&oko 1ono1 1,(kf sB1 1));k s;kf( n)kks s;kok sk1o1 s;k(( 1o((1 1o1Bf so(f( n;kf( s&k(1 1&1o( nof(1 s);kk sk1c 1))o( s);ko s);kn sok1, s;k(1 1)kks s);kf so(os so1ov s;k1, 1))Uk soknk s))k1 1)B1o 1)B1c n);k( n;kok s;k(o s);k( sok1o sok1c sf(n, s);k& sB1&s s;k1o sUno1 s))kk n);kf 1&so1 sokn, n;ko( n);kk n);kn n);ko s&1on sof(k n;k&k k1o(s sonos sk1&1 sof(f 1oso1 1;knc sUknk f()of n&(1) s&ko( sof() ok1o1 n,f(1 1o(1) s;kkn s;kks 1o(kn sof(1 sUkn, s)k1c 1;kn( s)k1o s;k&k skks s;n:k no(o1 s))o( k(ok( so(ks so(kk so(kn so(ko s))o1 n)&(k o1kf( s))ok ;kknc skksc so(k1 n;k(( s&o(1 s))of so(k) n;k(1 n&(o1 s&kok sov:o s)of( sU(kk sU(kn f(v,1 sk)of 1)&f( sk)ok no1f( sU(ks oUk1, 1ok1c s&(1) s&kos 1ok1k sUnk1 1)ono 1of(1 so1o( s;knn s;knk 1of() vUk1, no1of 1&no1 sk)o1 s)B1 1)&o( sUk1& s&(k) 1o1)o f()&f sk)o( n&f(1 so1of 1)on& 1)B1& so1oo no1o1 so1ok 1ok1, 1of(n no1o( so1os s;kn( 1of(f sUnkf 1o(n) s&1os no(k1 n)))o n)))k 1kk(1 1;k(o 1)()s s&k1o s)B1& n)&1f n))&( sUk1, n)&1o no1&1 n))); sf(1) 1;k(1 n)))& sokf( 1;k(( ook1, n)of( sUk1c s)B1c n&(k1 sUk1o s)B1o 1Ukf( okkkn s&vos s)o(k 1)&1f 1Uk1 1))&o 1))&f 1)&1B 1)&(k s,1), f(1o1 s)&f( s)o(1 sUkf( s&k&s 1okf( 1)&(1 1))&1 1;kf( 1))&( sokos 1))ok 1o1of 1o(1o 1kksc 1o1oo 1Uk(k 1))of 1o1ov Ukkkn 1,(f( 1ok(k so1Uk s&1f( sokok of(1) 1;k&k kf(1) sk)k1 s&v:o sok&s n)o1o n)o1f sUn(k 1o1o( 1o1o1 1))o1 sov&1 n));k n))&f sk)kk s)&(k 1)Unk n))&1 sU((k 1)k1o 1);kk s;kvc 1);ko 1);kn 1)k1c s;kvk 1);kf 1Uks, s&o(k 1);k& s)&o( s&(1o s&f() 1,1), 1);k( sk)Un sk)Uk s&f(1 1)&1o 1Uksc nUnk( so((k 1o1kf s&1Bf 1))kk kvk(1 n&o1o f(1)& &f(1) 1))k1 so((( s))Un s))Uk n,(f( 1)Uk1 s),(1 s&knk 1))B1 s)kks 1Uk no(1) n)&f( s)ok( s))B1 sos 1&(1o s)Uk1 s));k so(1) 1&o(1 sok(1 nUk(k n&1of 1B1 sB1c n&1oo so(1o 1k1c sok(s sok(o sok(k so((s so1kf 1;kks s)))B sf(s) 1&o1o n)k1o s)))U sonk1 kf(1, 1o(kf 1,s), s)))k so1&1 s)))o s&nos s&1Uk s&o1o 1o(k1 so1Bf s;k[k sB1os of()o s;k[n s)))& s&(f( so1&s s&no1 so1&o s))); Possible that more token types will be added to help reduce false positives. Nick Galbreath @ngalbreath
The Library ‣ > 100k query strings can be checked per second ‣ C, logic is under 1000 LOC ‣ No memory allocation ‣ Fixed, stable memory usage (~500 on stack) ‣ No threads ‣ Could go even faster Nick Galbreath @ngalbreath
Sample Usage sfilter sf; // on stack, ~500 bytes const char* ucg = "my user input"; bool issqli = is_sqli(&sf, ucg, strlen(ucg)); // tada metadata on input is in struct sfilter; (names subject to change, cleanup) Nick Galbreath @ngalbreath
Test Cases ‣ All input test cases available ‣ Including false positives found along the way ‣ Code coverage reports Nick Galbreath @ngalbreath
Python Prototype ‣ Algorithm in python as well ‣ Not as up-to-date as the C version ‣ Working on it ‣ Runs under PyPy (and quite fast) Nick Galbreath @ngalbreath
Make Existing Systems Work Better ‣ The Tokenizer could be ripped out, to make a "SQL normalizer/simplifier" ‣ all white space normalized ‣ all comments removed ‣ all numbers in various flavors converted to "1" ‣ all strings converted to a fixed value "foo" ‣ Makes existing regular expressions work better and detect more. Nick Galbreath @ngalbreath
Great for Fuzzers ‣ The SQLi fingerprints are actually a great source of templates for fuzzers and SQLi generators ‣ Take fingerprint and turn it back into SQL Nick Galbreath @ngalbreath
Available Now http://www.client9.com/libinjection/ ‣ source code on github ‣ BSD License (only to track how this gets used) ‣ Due to high commercial demand, I'm switching to GPL. This is only to force discussions with third-parties on integration, etc. My goal is to get this used, so if this is barrier let me know! Nick Galbreath @ngalbreath
Help! ‣ More SQLi test cases! ‣ More real-world test cases ‣ Missing some PGSQL / Oracle string insanity ‣ Need better understanding of non-ASCII usage ‣ Porting to other languages (it's not that hard). Nick Galbreath @ngalbreath
More Analysis at DEFCON 20 New Techniques in SQLi Obfuscation SQL never before used in SQLi http://www.client9.com/20120727/ July 27, 2012 Friday, 4:20pm at the Rio Nick Galbreath @ngalbreath
Slides and Source Code: http://www.client9.com/libinjection/ Contact: Nick Galbreath @ngalbreath nickg@client9.com nickg@etsy.com and... join my mailing list for updates and early access to slides, code Thanks for coming by!
Photos courtesy Ken Lee @kennysan http://flic.kr/s/ aHsjBbEnz1 40

Recommended

Clean Coal Technology, It's Challenges and Future Scope
Clean Coal Technology, It's Challenges and Future Scope Clean Coal Technology, It's Challenges and Future Scope
Clean Coal Technology, It's Challenges and Future Scope ಆಕಾಶ್ ಗೌಡ
 
DSpace standard Data model and DSpace-CRIS
DSpace standard Data model and DSpace-CRISDSpace standard Data model and DSpace-CRIS
DSpace standard Data model and DSpace-CRISAndrea Bollini
 
Anaerobic digestion
Anaerobic digestionAnaerobic digestion
Anaerobic digestionpritiverma34
 
Anaerobic Digester
Anaerobic DigesterAnaerobic Digester
Anaerobic DigesterDeepali Yeleswarapu
 
Trickling Filter, Wastewater Treatment method
Trickling Filter, Wastewater Treatment methodTrickling Filter, Wastewater Treatment method
Trickling Filter, Wastewater Treatment methodAnitaPoudel5
 
Rainwater harvesting practices and design of rainwater harvesting system for ...
Rainwater harvesting practices and design of rainwater harvesting system for ...Rainwater harvesting practices and design of rainwater harvesting system for ...
Rainwater harvesting practices and design of rainwater harvesting system for ...CTA
 
Anaerobic methods of waste water treatment v.n.nag
Anaerobic methods of waste water treatment v.n.nagAnaerobic methods of waste water treatment v.n.nag
Anaerobic methods of waste water treatment v.n.nagvishal nag
 
wastewater treatment
wastewater treatmentwastewater treatment
wastewater treatmentEzhilmathi S
 

Recommended

Clean Coal Technology, It's Challenges and Future Scope
Clean Coal Technology, It's Challenges and Future Scope Clean Coal Technology, It's Challenges and Future Scope
Clean Coal Technology, It's Challenges and Future Scope ಆಕಾಶ್ ಗೌಡ
 
DSpace standard Data model and DSpace-CRIS
DSpace standard Data model and DSpace-CRISDSpace standard Data model and DSpace-CRIS
DSpace standard Data model and DSpace-CRISAndrea Bollini
 
Anaerobic digestion
Anaerobic digestionAnaerobic digestion
Anaerobic digestionpritiverma34
 
Anaerobic Digester
Anaerobic DigesterAnaerobic Digester
Anaerobic DigesterDeepali Yeleswarapu
 
Trickling Filter, Wastewater Treatment method
Trickling Filter, Wastewater Treatment methodTrickling Filter, Wastewater Treatment method
Trickling Filter, Wastewater Treatment methodAnitaPoudel5
 
Rainwater harvesting practices and design of rainwater harvesting system for ...
Rainwater harvesting practices and design of rainwater harvesting system for ...Rainwater harvesting practices and design of rainwater harvesting system for ...
Rainwater harvesting practices and design of rainwater harvesting system for ...CTA
 
Anaerobic methods of waste water treatment v.n.nag
Anaerobic methods of waste water treatment v.n.nagAnaerobic methods of waste water treatment v.n.nag
Anaerobic methods of waste water treatment v.n.nagvishal nag
 
wastewater treatment
wastewater treatmentwastewater treatment
wastewater treatmentEzhilmathi S
 
Water-Energy-Food Nexus
Water-Energy-Food NexusWater-Energy-Food Nexus
Water-Energy-Food NexusMaa- ja metsätalousministeriö
 
Water energy nexus
Water energy nexusWater energy nexus
Water energy nexusThe Texas Network, LLC
 
ScienceDirect
ScienceDirectScienceDirect
ScienceDirectUCT
 
Microbial fuel cells for harnessing energy from wastewater
Microbial fuel cells for harnessing energy from wastewaterMicrobial fuel cells for harnessing energy from wastewater
Microbial fuel cells for harnessing energy from wastewaterSagia Sajish
 
Medlars
MedlarsMedlars
MedlarsKumar Gpt
 
Pub med
Pub medPub med
Pub medIqra tasifali
 
Composting: stages & factors affecting
Composting: stages & factors affectingComposting: stages & factors affecting
Composting: stages & factors affectingSankritaShankarGaonk
 
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013India Water Portal
 
treatmernt of wastewaterEqualization basin and pumping station
treatmernt of wastewaterEqualization basin and pumping stationtreatmernt of wastewaterEqualization basin and pumping station
treatmernt of wastewaterEqualization basin and pumping stationZeeshan Khan
 
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open ForumNick Galbreath
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
libinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスlibinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスCODE BLUE
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachineNick Galbreath
 
Program understanding: What programmers really want
Program understanding: What programmers really wantProgram understanding: What programmers really want
Program understanding: What programmers really wantEinar Høst
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionAlienVault
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceAlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSAlienVault
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect XssFerruh Mavituna
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHPWim Godden
 
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013Nick Galbreath
 

More Related Content

What's hot

ScienceDirect
ScienceDirectScienceDirect
ScienceDirectUCT
 
Microbial fuel cells for harnessing energy from wastewater
Microbial fuel cells for harnessing energy from wastewaterMicrobial fuel cells for harnessing energy from wastewater
Microbial fuel cells for harnessing energy from wastewaterSagia Sajish
 
Composting: stages & factors affecting
Composting: stages & factors affectingComposting: stages & factors affecting
Composting: stages & factors affectingSankritaShankarGaonk
 
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013India Water Portal
 
treatmernt of wastewaterEqualization basin and pumping station
treatmernt of wastewaterEqualization basin and pumping stationtreatmernt of wastewaterEqualization basin and pumping station
treatmernt of wastewaterEqualization basin and pumping stationZeeshan Khan
 

What's hot (9)

Water-Energy-Food Nexus
Water-Energy-Food NexusWater-Energy-Food Nexus
Water-Energy-Food Nexus
 
Water energy nexus
Water energy nexusWater energy nexus
Water energy nexus
 
ScienceDirect
ScienceDirectScienceDirect
ScienceDirect
 
Microbial fuel cells for harnessing energy from wastewater
Microbial fuel cells for harnessing energy from wastewaterMicrobial fuel cells for harnessing energy from wastewater
Microbial fuel cells for harnessing energy from wastewater
 
Medlars
MedlarsMedlars
Medlars
 
Pub med
Pub medPub med
Pub med
 
Composting: stages & factors affecting
Composting: stages & factors affectingComposting: stages & factors affecting
Composting: stages & factors affecting
 
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
Water quality & wastewater management_Dr SP Gautam(CPCB) _2013
 
treatmernt of wastewaterEqualization basin and pumping station
treatmernt of wastewaterEqualization basin and pumping stationtreatmernt of wastewaterEqualization basin and pumping station
treatmernt of wastewaterEqualization basin and pumping station
 

Viewers also liked

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open ForumNick Galbreath
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
libinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスlibinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスCODE BLUE
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachineNick Galbreath
 
Program understanding: What programmers really want
Program understanding: What programmers really wantProgram understanding: What programmers really want
Program understanding: What programmers really wantEinar Høst
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionAlienVault
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceAlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSAlienVault
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHPWim Godden
 

Viewers also liked (12)

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
libinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスlibinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレス
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
Program understanding: What programmers really want
Program understanding: What programmers really wantProgram understanding: What programmers really want
Program understanding: What programmers really want
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYC
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat Detection
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat Intelligence
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHP
 

Similar to libinjection: a C library for SQLi detection, from Black Hat USA 2012

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013Nick Galbreath
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
A Re-Introduction to JavaScript
A Re-Introduction to JavaScriptA Re-Introduction to JavaScript
A Re-Introduction to JavaScriptSimon Willison
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client DevelopmentTamir Khason
 
Errors detected in the Visual C++ 2012 libraries
Errors detected in the Visual C++ 2012 librariesErrors detected in the Visual C++ 2012 libraries
Errors detected in the Visual C++ 2012 librariesPVS-Studio
 
Grails @ Java User Group Silicon Valley
Grails @ Java User Group Silicon ValleyGrails @ Java User Group Silicon Valley
Grails @ Java User Group Silicon ValleySven Haiges
 
An Experiment with Checking the glibc Library
An Experiment with Checking the glibc LibraryAn Experiment with Checking the glibc Library
An Experiment with Checking the glibc LibraryAndrey Karpov
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Sandro Zaccarini
 
Bringing choas to order in your node.js app
Bringing choas to order in your node.js appBringing choas to order in your node.js app
Bringing choas to order in your node.js appDan Jenkins
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPVS-Studio
 
What is the cost of a secret
What is the cost of a secretWhat is the cost of a secret
What is the cost of a secretLibbySchulze
 
MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012jackdanger
 
ruby on rails pitfalls
ruby on rails pitfallsruby on rails pitfalls
ruby on rails pitfallsRobbin Fan
 
Como NÃO testar o seu projeto de Software. DevDay 2014
Como NÃO testar o seu projeto de Software. DevDay 2014Como NÃO testar o seu projeto de Software. DevDay 2014
Como NÃO testar o seu projeto de Software. DevDay 2014alexandre freire
 
Progressive Enhancement with JavaScript and Ajax
Progressive Enhancement with JavaScript and AjaxProgressive Enhancement with JavaScript and Ajax
Progressive Enhancement with JavaScript and AjaxChristian Heilmann
 
Beyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic AnalysisBeyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic AnalysisC4Media
 

Similar to libinjection: a C library for SQLi detection, from Black Hat USA 2012 (20)

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
groovy & grails - lecture 6
groovy & grails - lecture 6groovy & grails - lecture 6
groovy & grails - lecture 6
 
A Re-Introduction to JavaScript
A Re-Introduction to JavaScriptA Re-Introduction to JavaScript
A Re-Introduction to JavaScript
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client Development
 
Errors detected in the Visual C++ 2012 libraries
Errors detected in the Visual C++ 2012 librariesErrors detected in the Visual C++ 2012 libraries
Errors detected in the Visual C++ 2012 libraries
 
Grails @ Java User Group Silicon Valley
Grails @ Java User Group Silicon ValleyGrails @ Java User Group Silicon Valley
Grails @ Java User Group Silicon Valley
 
An Experiment with Checking the glibc Library
An Experiment with Checking the glibc LibraryAn Experiment with Checking the glibc Library
An Experiment with Checking the glibc Library
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
 
Bringing choas to order in your node.js app
Bringing choas to order in your node.js appBringing choas to order in your node.js app
Bringing choas to order in your node.js app
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error density
 
What is the cost of a secret
What is the cost of a secretWhat is the cost of a secret
What is the cost of a secret
 
MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012
 
ruby on rails pitfalls
ruby on rails pitfallsruby on rails pitfalls
ruby on rails pitfalls
 
Como NÃO testar o seu projeto de Software. DevDay 2014
Como NÃO testar o seu projeto de Software. DevDay 2014Como NÃO testar o seu projeto de Software. DevDay 2014
Como NÃO testar o seu projeto de Software. DevDay 2014
 
Progressive Enhancement with JavaScript and Ajax
Progressive Enhancement with JavaScript and AjaxProgressive Enhancement with JavaScript and Ajax
Progressive Enhancement with JavaScript and Ajax
 
Away day
Away dayAway day
Away day
 
Beyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic AnalysisBeyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic Analysis
 

More from Nick Galbreath

Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Nick Galbreath
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software developmentNick Galbreath
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListNick Galbreath
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Nick Galbreath
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Nick Galbreath
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Nick Galbreath
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on whiteNick Galbreath
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Nick Galbreath
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 

More from Nick Galbreath (12)

Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading List
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on white
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

libinjection: a C library for SQLi detection, from Black Hat USA 2012

  • 1. libinjection a C library for SQLi detection and generation through lexical analysis of real world attacks Nick Galbreath @ngalbreath nickg@client9.com Wednesday July 25, 2012 2:45PM Augustus I+II, Caesar's Palace, Las Vegas
  • 2. The latest version of this presentation: http:// www.client9.com/ 20120725/ 2
  • 3. whoami ‣ Director of Engineering @ Etsy ‣ Enterprise, Fraud, Security, Email, Fun ‣ Know a little bit about c, e.g. stringencoders: ‣ C library for string processing ‣ used by every ad server in the world ‣ used in Chrome browser ‣ http://code.google.com/p/stringencoders Nick Galbreath @ngalbreath
  • 4. The Next 14 Minutes ‣ Why is detecting SQLi hard ‣ The algorithm behind libinjection ‣ The results ‣ Next Steps Nick Galbreath @ngalbreath
  • 5. Detecting SQLi from User Input is a Hard Problem
  • 6. It's Easy to Get Started with Regular Expressions! s/UNIONs+(ALL)?/i ‣ At least two open source WAF use regular expressions. ‣ Failure cases in closed-source WAFs also indicate regexp. Nick Galbreath @ngalbreath
  • 7. SQL IS HUGE ‣ Turing Complete! (sorta) ‣ 1992 SQL Spec: bit.ly/10fmhZ ‣ 625 pages of plain text ‣ 2003 SQL Spec: bit.ly/OB5vfW ‣ 128 pages of pure BNF ‣ No one implements exactly ‣ Everyone has extensions, exceptions, bugs Nick Galbreath @ngalbreath
  • 8. It's more complicated than you think. ‣ Recursive commenting rules ‣ A single number can't be done in a single regexp. ‣ Really Loosely Typed ‣ String rules - OMFG. You think you know but you have no idea. ‣ Come see my talk at DEFCON this Friday at... 4:20 pm Nick Galbreath @ngalbreath
  • 9. RegExp Soup (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+() (?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~]) (?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-] s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW) (?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=&&)w+()|(?:"[sd]*[^ws]+W*d W*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws] +"[^,]) (?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|] [ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+") (?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[s w]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*() (?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=| or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*") (?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename| truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*() (?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?: (?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()]) (?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W! +"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(]) (?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+) (?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*[[(]?w{2,}) (?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto) (?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@) (?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{)) (?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";? s*(?:select|union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+ (?:dump|out)files*") (?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*() (?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*(s*spaces*() (?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)]) (?:(sleep((s*)(d*)(s*))|benchmark((.*),(.*)))) (?:(union(.*)select(.*)from)) (?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) Nick Galbreath @ngalbreath
  • 10. Guns and Butter ‣ In 2005, right here at Black Hat, Hanson and Patterson presented: Guns and Butter: Towards Formal Axioms of Validation (http://bit.ly/OBe7mJ) ‣ …formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct. ‣ (summary from libdejector documentation) Nick Galbreath @ngalbreath
  • 11. Existing WAFs ‣ Visual inspection shows bugs ‣ Don't see very much in testing ‣ Don't see much or any false positive testing ‣ Closed source WAF have zero accountability (e.g. there is no formal disclosure of what they detect or not, and how they do it) Nick Galbreath @ngalbreath
  • 12. CAN WE DO BETTER? Nick Galbreath @ngalbreath
  • 14. Key Insight ‣ A SQLi attack must be parsed as SQL with the original query. ‣ "Is it a SQLi attack?" becomes "Could it be a SQL snippet?" ‣ "does this input start as a sql snippet" Nick Galbreath @ngalbreath
  • 15. Only 3 Contexts User input is only "injected" into SQL in three ways: ‣ As-Is ‣ Inside a single quoted string ‣ Inside a double quoted string (I suppose another would be inside a comment, but we can't do everything) Nick Galbreath @ngalbreath
  • 16. Identification of SQL snippets without context is hard ‣ 1-917-660-3400 my phone number or an arithmetic expression? ‣ @ngalbreath my twitter account or a SQL variable? Nick Galbreath @ngalbreath
  • 17. Existing SQL Parsers ‣ Only parse their flavor of SQL ‣ Not well designed to handle snippets ‣ Hard to extend ‣ Worried about correctness ... so I wrote my own! Nick Galbreath @ngalbreath
  • 18. Tokenization ‣ Converts input into a stream of tokens ‣ Uses "master list" of keywords and functions across all databases. ‣ Handles comments, string, literals, weirdos. Nick Galbreath @ngalbreath
  • 19. 5000224' UNION USER_ID>0-- [ ('...500224', string), ('UNION', union operator), ('USER_ID', name), ('>', operator), ('0', number), ('--.....', comment) ] Nick Galbreath @ngalbreath
  • 20. Meet the Tokens ‣ none/name ‣ group-like operation ‣ variable ‣ union-like operator ‣ string ‣ logical operator ‣ regular operator ‣ function ‣ unknown ‣ comma ‣ number ‣ semi-colon ‣ comment ‣ left parens ‣ keyword ‣ right parens Nick Galbreath @ngalbreath
  • 21. Merging, Specialization, Disambiguation ‣ "IS", "NOT" ==> "IS NOT" (single op) ‣ "NATURAL", "JOIN" => "NATURAL JOIN" ‣ ("+", operator) -> ("+", "unary operator") ‣ (COS, function), (1, number) ==> (COS, name), (1, number) functions are followed with a parenthesis. Nick Galbreath @ngalbreath
  • 22. Folding ‣ This step actually isn't needed to detect, but is needed to reduce false positives. ‣ Converts simple arithmetic expressions into a single value (don't try to evaluate them). ‣ 1-917-660-3400 -> "1" Nick Galbreath @ngalbreath
  • 23. Knows nothing about SQLi ‣ So far this is purely a parsing problem. ‣ Knows nothing about SQLi (which is evolving) ‣ Can be 100% tested against any SQL input (not SQLi) for correctness. Nick Galbreath @ngalbreath
  • 24. Fingerprints ‣ The token types of a user input form a hash or a fingerprint. ‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ ‣ becomes "sUk1,1,1,1,1,1,1,1,&" ‣ Now let's generate fingerprints from Real World Data. ‣ Can we distinguish between SQLi and benign input? Nick Galbreath @ngalbreath
  • 25. Training on SQLi ‣ Parse known SQLi attacks from ‣ SQLi vulnerability scanners ‣ Published reports ‣ SQLI How-Tos ‣ > 32,000 total Nick Galbreath @ngalbreath
  • 26. Training on real Input ‣ 100s of Millions of user inputs from Etsy's log were also parsed. ‣ Large enough to get a good sample (Top 50 USA site) ‣ Old enough to have lots of odd ways of query string formatting. ‣ Full text search with an diverse subject domain Nick Galbreath @ngalbreath
  • 27. How many tokens are needed to determine if a user input is SQLi or not?
  • 28. 5 No matter long the input is.
  • 29. 480 out of 1,048,576 are SQLi n,(k( 1))Un n)ok( s)Unk 1)o1B n,(k1 s&n&s k(vv) sosos 1oks, sk)&1 1)o1f 1)o1k n);k& 1&1Bf 1)o1o s&os n,(kf s;k; n&1o1 1o(f( f(k,( 1ok1 1oksc so1f( sk)&f soso( 1),(1 s))&( s))&1 &f()o nok(1 k1,1k 1&f(n soko1 1Unk1 1ok(1 n))kk 1Unk( soko( 1)o(1 s)ok1 sov&s n;kn( nok(k s))&f sovso 1)ok1 s))&o 1)ok( s&sos n&k(1 s&vso so1c sUk(k k1,1, 1)o(n 1)o(k 1Bf(1 1kf(1 s&ko1 s&k(o 1)k1 sk);k 1&f(1 1Unkf s)k1 sos&( 1&(k1 1))on s&kc nUk(o 1;ko( 1)B1 sokc n)o1& no1oo 1&(kn s&1oo so1o1 s)o1f 1&(kf s)o1k s)o1o f(1)o n&1o( s)o1B 1okv, sk)&( 1;kok sok1 f(k() 1Ukv, s&1of 1&1oo n&1f( 1))); 1)))& 1&1of sovo1 s&1ov s)&1o sono1 1o((f 1)))) 1o(s) s)&1f 1&1ov 1Uk1k n))ok k()ok nkksc 1Uk1c n))of s&(k1 s)&1B n;kks n)o(k kf(n, f(f(1 sovov s&1o( sovos s&1o1 vok1, sovok sUk1 1o((( 1)))k 1&1o1 f(f() 1)))o n))o( 1)))U k1k(k 1Uk1, 1&1f( so(s) 1)))B f(n() n))o1 s)&(1 1)of( 1,(k1 sk)B1 f(1,f 1,(k( 1Bk(1 1onos 1o1f( 1,f(1 1B1c s&okc s;ko( sk1os s&oko 1ono1 1,(kf sB1 1));k s;kf( n)kks s;kok sk1o1 s;k(( 1o((1 1o1Bf so(f( n;kf( s&k(1 1&1o( nof(1 s);kk sk1c 1))o( s);ko s);kn sok1, s;k(1 1)kks s);kf so(os so1ov s;k1, 1))Uk soknk s))k1 1)B1o 1)B1c n);k( n;kok s;k(o s);k( sok1o sok1c sf(n, s);k& sB1&s s;k1o sUno1 s))kk n);kf 1&so1 sokn, n;ko( n);kk n);kn n);ko s&1on sof(k n;k&k k1o(s sonos sk1&1 sof(f 1oso1 1;knc sUknk f()of n&(1) s&ko( sof() ok1o1 n,f(1 1o(1) s;kkn s;kks 1o(kn sof(1 sUkn, s)k1c 1;kn( s)k1o s;k&k skks s;n:k no(o1 s))o( k(ok( so(ks so(kk so(kn so(ko s))o1 n)&(k o1kf( s))ok ;kknc skksc so(k1 n;k(( s&o(1 s))of so(k) n;k(1 n&(o1 s&kok sov:o s)of( sU(kk sU(kn f(v,1 sk)of 1)&f( sk)ok no1f( sU(ks oUk1, 1ok1c s&(1) s&kos 1ok1k sUnk1 1)ono 1of(1 so1o( s;knn s;knk 1of() vUk1, no1of 1&no1 sk)o1 s)B1 1)&o( sUk1& s&(k) 1o1)o f()&f sk)o( n&f(1 so1of 1)on& 1)B1& so1oo no1o1 so1ok 1ok1, 1of(n no1o( so1os s;kn( 1of(f sUnkf 1o(n) s&1os no(k1 n)))o n)))k 1kk(1 1;k(o 1)()s s&k1o s)B1& n)&1f n))&( sUk1, n)&1o no1&1 n))); sf(1) 1;k(1 n)))& sokf( 1;k(( ook1, n)of( sUk1c s)B1c n&(k1 sUk1o s)B1o 1Ukf( okkkn s&vos s)o(k 1)&1f 1Uk1 1))&o 1))&f 1)&1B 1)&(k s,1), f(1o1 s)&f( s)o(1 sUkf( s&k&s 1okf( 1)&(1 1))&1 1;kf( 1))&( sokos 1))ok 1o1of 1o(1o 1kksc 1o1oo 1Uk(k 1))of 1o1ov Ukkkn 1,(f( 1ok(k so1Uk s&1f( sokok of(1) 1;k&k kf(1) sk)k1 s&v:o sok&s n)o1o n)o1f sUn(k 1o1o( 1o1o1 1))o1 sov&1 n));k n))&f sk)kk s)&(k 1)Unk n))&1 sU((k 1)k1o 1);kk s;kvc 1);ko 1);kn 1)k1c s;kvk 1);kf 1Uks, s&o(k 1);k& s)&o( s&(1o s&f() 1,1), 1);k( sk)Un sk)Uk s&f(1 1)&1o 1Uksc nUnk( so((k 1o1kf s&1Bf 1))kk kvk(1 n&o1o f(1)& &f(1) 1))k1 so((( s))Un s))Uk n,(f( 1)Uk1 s),(1 s&knk 1))B1 s)kks 1Uk no(1) n)&f( s)ok( s))B1 sos 1&(1o s)Uk1 s));k so(1) 1&o(1 sok(1 nUk(k n&1of 1B1 sB1c n&1oo so(1o 1k1c sok(s sok(o sok(k so((s so1kf 1;kks s)))B sf(s) 1&o1o n)k1o s)))U sonk1 kf(1, 1o(kf 1,s), s)))k so1&1 s)))o s&nos s&1Uk s&o1o 1o(k1 so1Bf s;k[k sB1os of()o s;k[n s)))& s&(f( so1&s s&no1 so1&o s))); Possible that more token types will be added to help reduce false positives. Nick Galbreath @ngalbreath
  • 30. The Library ‣ > 100k query strings can be checked per second ‣ C, logic is under 1000 LOC ‣ No memory allocation ‣ Fixed, stable memory usage (~500 on stack) ‣ No threads ‣ Could go even faster Nick Galbreath @ngalbreath
  • 31. Sample Usage sfilter sf; // on stack, ~500 bytes const char* ucg = "my user input"; bool issqli = is_sqli(&sf, ucg, strlen(ucg)); // tada metadata on input is in struct sfilter; (names subject to change, cleanup) Nick Galbreath @ngalbreath
  • 32. Test Cases ‣ All input test cases available ‣ Including false positives found along the way ‣ Code coverage reports Nick Galbreath @ngalbreath
  • 33. Python Prototype ‣ Algorithm in python as well ‣ Not as up-to-date as the C version ‣ Working on it ‣ Runs under PyPy (and quite fast) Nick Galbreath @ngalbreath
  • 34. Make Existing Systems Work Better ‣ The Tokenizer could be ripped out, to make a "SQL normalizer/simplifier" ‣ all white space normalized ‣ all comments removed ‣ all numbers in various flavors converted to "1" ‣ all strings converted to a fixed value "foo" ‣ Makes existing regular expressions work better and detect more. Nick Galbreath @ngalbreath
  • 35. Great for Fuzzers ‣ The SQLi fingerprints are actually a great source of templates for fuzzers and SQLi generators ‣ Take fingerprint and turn it back into SQL Nick Galbreath @ngalbreath
  • 36. Available Now http://www.client9.com/libinjection/ ‣ source code on github ‣ BSD License (only to track how this gets used) ‣ Due to high commercial demand, I'm switching to GPL. This is only to force discussions with third-parties on integration, etc. My goal is to get this used, so if this is barrier let me know! Nick Galbreath @ngalbreath
  • 37. Help! ‣ More SQLi test cases! ‣ More real-world test cases ‣ Missing some PGSQL / Oracle string insanity ‣ Need better understanding of non-ASCII usage ‣ Porting to other languages (it's not that hard). Nick Galbreath @ngalbreath
  • 38. More Analysis at DEFCON 20 New Techniques in SQLi Obfuscation SQL never before used in SQLi http://www.client9.com/20120727/ July 27, 2012 Friday, 4:20pm at the Rio Nick Galbreath @ngalbreath
  • 39. Slides and Source Code: http://www.client9.com/libinjection/ Contact: Nick Galbreath @ngalbreath nickg@client9.com nickg@etsy.com and... join my mailing list for updates and early access to slides, code Thanks for coming by!
  • 40. Photos courtesy Ken Lee @kennysan http://flic.kr/s/ aHsjBbEnz1 40

Editor's Notes

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n
  23. \n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n