Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

Transcription

1 Stopping SQL Injection and Crossing Over Cross-site Scripting Track: Operating Systems Security - Are we there yet? Manoranjan (Mano) Paul CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT

2 Catalyst(s) SQL Injection and (XSS)! 2 Security Catalysts SQL Injection Cross-site Scripting

3 From 2003 Common Attacks and Defenses Source: BurtonGroup Research Securing the Web Infrastructure: Safeguarding Business Assets and Services v1.0, 21 November Author: Phil Schacter

4 To 2006 Top 10 Web Application Vulnerabilities Source: MITRE Data - OWASP Top

5 SQL Injection and Cross-site Scripting (XSS) Two of the most prevalent application attacks in this day and age Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer limited to no protection against such attacks Allows one to open the safe inside the house from the outside CIA Impact Disclosure of sensitive information (Confidentiality) Authentication / System / User Modification of data (Integrity) Denial of Service - URL redirection / website defacement (Availability) Can be controlled/mitigated with a little effort and standardized security practices

6 SQL Injection Anatomy What is it? SQL Injection is only one of the many types of injection attacks SQL Injection is a form of attack on a database-driven Web site Attacker executes unauthorized SQL commands by taking advantage of insecure code on a system, bypassing even deeply nested firewall environments. How does it Work? Programmer expects user to supply some Address and Password string _scmdtext = "SELECT * FROM USERS WHERE user_login = '" + txt address.text + "' AND user_pwd = ' + txtpassword.text. + "'"; Attacker supplies: Or 1=1 - - string _scmdtext = "SELECT * FROM USERS WHERE user_login = '" + Or 1= "' AND user_pwd = ' + txtpassword.text. + "'"; Resulting in the following valid SQL syntax to execute SELECT * FROM USERS WHERE user_login = Or 1 = 1 - -

7 What can you do with SQL Injection? Bypass Authentication Discover Databases (Schemas, Users, Columns, Values) Data Disclosure From the Database to the Network DEMONSTRATION

8 What is it? Cross-site Scripting (XSS) - Anatomy It is essentially code injection attacks into the various interpreters in the browser using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages Is an attack on the privacy of clients of a particular web site Involves 3 parties attacker, a client and the vulnerable website Goal steal or manipulate customer data How does it Work? Attacker executes code on client (customer) that appears to come from reputable source (e.g., burtongroup.com) Attacker attempts to steal account information from customer Attacker may attempt to use client data to compromise web site

9 What can you do with XSS? Steal Authentication Information and Account hijacking Changing of user settings Cookie theft/poisoning Denial of Service - Website Defacement Phishing (Pharming and Phear) embedded links Identity Theft! (Impersonation) DEMONSTRATION

10 Ah, but nobody codes like that anymore! Legacy Applications in Production Research Findings Globalization and Perimeter-less Security

11 Defenses So what should we do? SQL Injection Cross-site Scripting Parameterized Queries Escape Sequences Quoting Quotes Avoid Dynamic SQL Remove Unused Functions Disable Active Scripting Use Non-HTML Properties Encode Input Validation Error Handling Least Privilege Awareness, Training and Education Security Development Life Cycle Policy, Standards and Best Practices (Coding Standards )

12 Defending against SQL Injection Validate (filter) all input (consider RegEx) Standardize Input Validation Mechanism (length, type, pattern, rules) Display generic error messages and redirect to generic error page Always encode input Escape sequences Quoting Quotes Replace single quotes ( ) with double quotes ( ) Remove unused Functions/Stored Procedures Avoid dynamic SQL and Use parameterized queries for user input Stored Procedures!= Secure Run with least privilege

13 Defending against Cross-site Scripting (XSS) Validate (filter) all input (consider RegEx) Standardize Input Validation Mechanism (length, type, pattern, rules) Enable request validation Always encode output Set appropriate character encoding (ISO ) Beware of UTF-8 Unicode and Long UTF-8 Unicode Unicode must also be sanitized <SCRIPT> = <SCRIPT> Beware of Hex encoding script = script Use innertext property instead of innerhtml property for HTML controls Configure browser to disallow active scripting

14 Conclusion SQL Injection and Cross-site Scripting - Two of the most prevalent application attacks in this day and age 2 security Catalysts Need to know how they work and the impact before you can defend against them Can be controlled/mitigated with a little effort and standardized security practices Operating Systems Security Are we there Yet? Is your SAFE locked and secure?

15 References BurtonGroup Research - Securing the Web Infrastructure: Safeguarding Business Assets and Services. v1.0, 21 November Author: Phil Schacter Victor Chapela: "Advanced SQL Injection" Chris Anley: "Advanced SQL Injection In SQL Server Applications" nley: Chris Anley : "More Advanced SQL Injection" OWASP Cross site scripting OWASP Testing for XSS

16 Q&A Stopping SQL Injection and Crossing Over Cross-site Scripting Track: Operating Systems Security - Are we there yet? Manoranjan (Mano) Paul CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT

17 UPDATE Following the Catalyst EU conference, Mano Paul left Dell Inc. and founded SecuRisk Solutions - a security training, product development and consulting company. Manoranjan (Mano) Paul mano.paul@securisksolutions.com CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT