PM
Uploaded byPichaya Morimoto
PDF, PPTX9,848 views

Vulnerable Active Record: A tale of SQL Injection in PHP Framework

This document summarizes an presentation about SQL injection vulnerabilities in PHP frameworks that use the active record pattern. It discusses what active record is, how SQL injection can still occur even with input validation, and recommends following best practices like parameterized queries and implementing defense in depth to help prevent SQL injection attacks. Case studies show how SQL injection vulnerabilities were found in specific frameworks even when developers thought secure coding practices were followed.

Embed presentation

Download as PDF, PPTX
Vulnerable Active Record A tale of SQL Injection in PHP Framework pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto Thailand PHP User Group Meetup January 28, 2015
★ What is Active Record ? ★ Secure by Design ? ★ Case Studies ★ Exploitation ★ Input Validation ★ Defence-in-Depth ★ Conclusion Overview
Active record pattern is an approach to accessing data in a database. A database table or view is wrapped into a class. Thus, an object instance is tied to row(s) in the table. PHP frameworks also bundle their own ORM implementing the active record pattern. For example, Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii. $query = $this->db->select('title, content, date'); $query->from('table1'); $query->where('id', $id); $query->get(); Source: https://en.wikipedia.org/wiki/Active_record_pattern What is Active Record ?
Secure by Design ? That’s Magic !
Case Study #1 Get rows from table ‘news’ and order by user input ‘sort’ PHP Framework: CodeIgniter 2.2
Hacker is here, where is SQLi ? SQLMap == Failed Acunetix == Failed Havij == Failed ‘ or ‘1’=’1 , union all select blah blah blah == Failed
SQL Injection Pwnage Pwned ! What if error message is turned off, is it still vulnerable? Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
Stand back I know secure coding! No more SQL Injection with Type Validation !
Case Study #2 Secure Coding !!
Keep calm and Think Again Numeric = [Integer, Double, Hex, ...] id value above is hex encoded of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws (0x3a,username,password) from ci220news_db” + data field is varchar type ***
A list of security techniques that should be included in every software development project. ★ Parameterize Queries ★ Implement Logging, Error Handling and Intrusion Detection ★ Leverage Security Features of Frameworks and Security Libraries and more.. https://www.owasp.org /index.php/OWASP_Proactive_Controls OWASP Proactive Controls ProTip: PHP is not allowed to parameterize ‘Order By’ clause ;) Because it isn’t data, it is a column name!
A layered approach to security can be implemented at any level of a complete information security strategy. ★ Secure Coding in software requirement ★ OS Hardening, reduce attack surface ★ Perimeter Security (Network Firewall, IPS/IDS) ★ Centralized Log Server / SIEM ★ Patch / Vulnerability Management System ★ Incident Response Plans ★ Web Application Firewall Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ Defence-in-Depth
Security Today !== Security Tomorrow Conclusion http://framework.zend.com/security/advisory/ZF2014-04 http://bakery.cakephp. org/articles/markstory/2013/04/28/security_release_- _cakephp_1_2_12_1_3_16_2_2_8_and_2_3_4

More Related Content

PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PDF
SQL Injection: complete walkthrough (not only) for PHP developers
byKrzysztof Kotowicz
 
PDF
Sql Injection and XSS
byMike Crabb
 
PPTX
SQL Injection Defense in Python
byPublic Broadcasting Service
 
PPTX
Secure Programming In Php
byAkash Mahajan
 
PPT
How To Detect Xss
byFerruh Mavituna
 
PDF
Web Security attacks and defense
byJose Mato
 
PPTX
SQL Injections and Behind...
byarjunguptam
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
SQL Injection: complete walkthrough (not only) for PHP developers
byKrzysztof Kotowicz
 
Sql Injection and XSS
byMike Crabb
 
SQL Injection Defense in Python
byPublic Broadcasting Service
 
Secure Programming In Php
byAkash Mahajan
 
How To Detect Xss
byFerruh Mavituna
 
Web Security attacks and defense
byJose Mato
 
SQL Injections and Behind...
byarjunguptam
 

What's hot

PPTX
seminar report on Sql injection
byJawhar Ali
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPT
Advanced Topics On Sql Injection Protection
byamiable_indian
 
PPTX
Owasp Top 10 - A1 Injection
byPaul Ionescu
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPT
Advanced Sql Injection ENG
byDmitry Evteev
 
PPT
SQL Injection
byAdhoura Academy
 
PPT
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
PDF
SQL Injection Tutorial
byMagno Logan
 
PDF
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
PDF
C days2015
byNuno Loureiro
 
PDF
Secure code
byddeogun
 
PDF
Advanced SQL Injection: Attacks
byNuno Loureiro
 
PDF
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
byijtsrd
 
PDF
Web Application Security II - SQL Injection
byMd Syed Ahamad
 
PPT
Sql Injection Tutorial!
byralphmigcute
 
seminar report on Sql injection
byJawhar Ali
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Advanced Topics On Sql Injection Protection
byamiable_indian
 
Owasp Top 10 - A1 Injection
byPaul Ionescu
 
Sql Injection attacks and prevention
byhelloanand
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Advanced Sql Injection ENG
byDmitry Evteev
 
SQL Injection
byAdhoura Academy
 
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
Sql injection attack
byRajKumar Rampelli
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
SQL Injection Tutorial
byMagno Logan
 
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
C days2015
byNuno Loureiro
 
Secure code
byddeogun
 
Advanced SQL Injection: Attacks
byNuno Loureiro
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
byijtsrd
 
Web Application Security II - SQL Injection
byMd Syed Ahamad
 
Sql Injection Tutorial!
byralphmigcute
 

Viewers also liked

PPTX
A5: Security Misconfiguration
byTariq Islam
 
PPTX
Sql injection
byZidh
 
PDF
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
PDF
Art of Web Backdoor - Pichaya Morimoto
byPichaya Morimoto
 
PPTX
Sql injection attack_analysis_py_vo
byJirka Vejrazka
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PPT
XAJA - Reverse AJAX framework
bySri Prasanna
 
PDF
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
byPichaya Morimoto
 
PPT
Sql injection attacks
byNitish Kumar
 
PDF
From Web Vulnerability to Exploit in 15 minutes
byPichaya Morimoto
 
PDF
Exploiting WebApp Race Condition Vulnerability 101
byPichaya Morimoto
 
PDF
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
byPichaya Morimoto
 
PPTX
CodeIgniter i18n Security Flaw
byAbbas Naderi
 
PDF
Exploiting Blind Vulnerabilities
byPichaya Morimoto
 
PPTX
PHP Frameworks, or how I learnt to stop worrying and love the code
byMichal Juhas
 
PDF
Extjs presentation
bySabari Nathan
 
PDF
How to scale PHP applications
byEnrico Zimuel
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PDF
Lithium: The Framework for People Who Hate Frameworks
byNate Abele
 
PDF
Metasearch Outlook 2017
byMichal Juhas
 
A5: Security Misconfiguration
byTariq Islam
 
Sql injection
byZidh
 
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
Art of Web Backdoor - Pichaya Morimoto
byPichaya Morimoto
 
Sql injection attack_analysis_py_vo
byJirka Vejrazka
 
Types of sql injection attacks
byRespa Peter
 
XAJA - Reverse AJAX framework
bySri Prasanna
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
byPichaya Morimoto
 
Sql injection attacks
byNitish Kumar
 
From Web Vulnerability to Exploit in 15 minutes
byPichaya Morimoto
 
Exploiting WebApp Race Condition Vulnerability 101
byPichaya Morimoto
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
byPichaya Morimoto
 
CodeIgniter i18n Security Flaw
byAbbas Naderi
 
Exploiting Blind Vulnerabilities
byPichaya Morimoto
 
PHP Frameworks, or how I learnt to stop worrying and love the code
byMichal Juhas
 
Extjs presentation
bySabari Nathan
 
How to scale PHP applications
byEnrico Zimuel
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
Lithium: The Framework for People Who Hate Frameworks
byNate Abele
 
Metasearch Outlook 2017
byMichal Juhas
 

Similar to Vulnerable Active Record: A tale of SQL Injection in PHP Framework

PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
OWASP Top 10 Proactive Controls
byKaty Anton
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PDF
How to Destroy a Database
byJohn Ashmead
 
PPTX
OWASP top 10-2013
bytmd800
 
PPT
Advanced sql injection
bybadhanbd
 
PPT
Php & Web Security - PHPXperts 2009
bymirahman
 
PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
ODP
Database security for PHP
byRohan Faye
 
PDF
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
PDF
Injection techniques conversys
byKrishnendu Paul
 
PDF
Code securely
byMaksym Hopei
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
PPT
PHP Security Basics
byJohn Coggeshall
 
PPSX
Web application security
bywww.netgains.org
 
ODP
My app is secure... I think
byWim Godden
 
PPTX
Database and Database Security..
byRehan Manzoor
 
PDF
Security in PHP Applications: An absolute must!
byMark Niebergall
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
OWASP Top 10 Proactive Controls
byKaty Anton
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
How to Destroy a Database
byJohn Ashmead
 
OWASP top 10-2013
bytmd800
 
Advanced sql injection
bybadhanbd
 
Php & Web Security - PHPXperts 2009
bymirahman
 
SQLi for Security Champions
byPetraVukmirovic
 
sql-inj_attack.pdf
byssuser07cf8b
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Database security for PHP
byRohan Faye
 
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
Injection techniques conversys
byKrishnendu Paul
 
Code securely
byMaksym Hopei
 
The path of secure software by Katy Anton
byDevSecCon
 
PHP Security Basics
byJohn Coggeshall
 
Web application security
bywww.netgains.org
 
My app is secure... I think
byWim Godden
 
Database and Database Security..
byRehan Manzoor
 
Security in PHP Applications: An absolute must!
byMark Niebergall
 

More from Pichaya Morimoto

PDF
Web Hacking with Object Deserialization
byPichaya Morimoto
 
PDF
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
byPichaya Morimoto
 
PDF
Securing and Hacking LINE OA Integration
byPichaya Morimoto
 
PDF
Pentest 101 @ Mahanakorn Network Research Laboratory
byPichaya Morimoto
 
PDF
Mysterious Crypto in Android Biometrics
byPichaya Morimoto
 
PDF
Bug Bounty แบบแมว ๆ
byPichaya Morimoto
 
PDF
Docker Plugin For DevSecOps
byPichaya Morimoto
 
PDF
Burp Extender API for Penetration Testing
byPichaya Morimoto
 
Web Hacking with Object Deserialization
byPichaya Morimoto
 
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
byPichaya Morimoto
 
Securing and Hacking LINE OA Integration
byPichaya Morimoto
 
Pentest 101 @ Mahanakorn Network Research Laboratory
byPichaya Morimoto
 
Mysterious Crypto in Android Biometrics
byPichaya Morimoto
 
Bug Bounty แบบแมว ๆ
byPichaya Morimoto
 
Docker Plugin For DevSecOps
byPichaya Morimoto
 
Burp Extender API for Penetration Testing
byPichaya Morimoto
 

Recently uploaded

PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
The year in review - MarvelClient in 2025
bypanagenda
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
December Patch Tuesday
byIvanti
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
AI Technology important knowledge ......
byutkarshj2007
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 

Vulnerable Active Record: A tale of SQL Injection in PHP Framework

  • 1.
    Vulnerable Active Record Atale of SQL Injection in PHP Framework pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto Thailand PHP User Group Meetup January 28, 2015
  • 2.
    ★ What isActive Record ? ★ Secure by Design ? ★ Case Studies ★ Exploitation ★ Input Validation ★ Defence-in-Depth ★ Conclusion Overview
  • 3.
    Active record patternis an approach to accessing data in a database. A database table or view is wrapped into a class. Thus, an object instance is tied to row(s) in the table. PHP frameworks also bundle their own ORM implementing the active record pattern. For example, Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii. $query = $this->db->select('title, content, date'); $query->from('table1'); $query->where('id', $id); $query->get(); Source: https://en.wikipedia.org/wiki/Active_record_pattern What is Active Record ?
  • 4.
    Secure by Design? That’s Magic !
  • 5.
    Case Study #1 Getrows from table ‘news’ and order by user input ‘sort’ PHP Framework: CodeIgniter 2.2
  • 6.
    Hacker is here,where is SQLi ? SQLMap == Failed Acunetix == Failed Havij == Failed ‘ or ‘1’=’1 , union all select blah blah blah == Failed
  • 7.
    SQL Injection Pwnage Pwned! What if error message is turned off, is it still vulnerable? Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
  • 8.
    Stand back Iknow secure coding! No more SQL Injection with Type Validation !
  • 9.
  • 10.
    Keep calm andThink Again Numeric = [Integer, Double, Hex, ...] id value above is hex encoded of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws (0x3a,username,password) from ci220news_db” + data field is varchar type ***
  • 11.
    A list ofsecurity techniques that should be included in every software development project. ★ Parameterize Queries ★ Implement Logging, Error Handling and Intrusion Detection ★ Leverage Security Features of Frameworks and Security Libraries and more.. https://www.owasp.org /index.php/OWASP_Proactive_Controls OWASP Proactive Controls ProTip: PHP is not allowed to parameterize ‘Order By’ clause ;) Because it isn’t data, it is a column name!
  • 12.
    A layered approachto security can be implemented at any level of a complete information security strategy. ★ Secure Coding in software requirement ★ OS Hardening, reduce attack surface ★ Perimeter Security (Network Firewall, IPS/IDS) ★ Centralized Log Server / SIEM ★ Patch / Vulnerability Management System ★ Incident Response Plans ★ Web Application Firewall Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ Defence-in-Depth
  • 13.