VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Similar documents
Where every interaction matters.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Magento Security and Vulnerabilities. Roman Stepanov

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Adobe Systems Incorporated

Web Application Security Assessment and Vulnerability Mitigation Tests

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Intrusion detection for web applications

Time-Based Blind SQL Injection using Heavy Queries A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Data Breaches and Web Servers: The Giant Sucking Sound

The Top Web Application Attacks: Are you vulnerable?

Web Application Security

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

LDAP Injection & Blind LDAP Injection In Web Applications

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

How to complete the Secure Internet Site Declaration (SISD) form

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

OWASP AND APPLICATION SECURITY

05.0 Application Development

External Network & Web Application Assessment. For The XXX Group LLC October 2012

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

SWAT PRODUCT BROCHURE

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Thick Client Application Security

Hacking de aplicaciones Web

SECURING APACHE : THE BASICS - III

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IJMIE Volume 2, Issue 9 ISSN:

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

WebCruiser Web Vulnerability Scanner User Guide

Overview of the Penetration Test Implementation and Service. Peter Kanters

(WAPT) Web Application Penetration Testing

Detection of SQL Injection and XSS Vulnerability in Web Application

Introduction to Computer Security Benoit Donnet Academic Year

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Web Application Attacks And WAF Evasion

Check list for web developers

Learn Ethical Hacking, Become a Pentester

Criteria for web application security check. Version

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Early Vulnerability Detection for Supporting Secure Programming

Using an Open Source Threat Model for Prioritized Defense

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Columbia University Web Security Standards and Practices. Objective and Scope

Chapter 1 Web Application (In)security 1

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

SQuAD: Application Security Testing

What is Web Security? Motivation

MANAGED SECURITY TESTING

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Web application security

Protecting Your Organisation from Targeted Cyber Intrusion

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Proxies. Chapter 4. Network & Security Gildas Avoine

1. Building Testing Environment

Essential IT Security Testing

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

Pentests more than just using the proper tools

Advanced Web Security, Lab

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Report

OWASP Top Ten Tools and Tactics

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Attack Vector Detail Report Atlassian

Pentests more than just using the proper tools

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

How To Fix A Web Application Security Vulnerability

Introduction. Two levels of security vulnerabilities:

Testing the OWASP Top 10 Security Issues

How To Write A Web Application Vulnerability Scanner And Security Auditor

SQL Injection for newbie

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Application and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium

SQL Injection January 23, 2013

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Transcription:

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia. You have probably read or heard recently the news about an attacker being able to steal clients' data from a company through the company's website and you may have wondered how they did it. In this lesson we will try to explain briefly how this is possible. Join us! SCENE 1. ARCHITECTURE OF A WEB APPLICATION. SECURITY INCIDENTS Many Internet users may wonder how is it possible for an attacker to access the sensitive information of a company, when it isn't published on the Internet through the company's website. For example, gaining access or even modifying the values of a company's database. The technical answer is much simpler than one would think. Indeed. Even if the database server storing the company's information is behind a number of firewalls or other protective measures, there is a communication channel between the web server and the database server that is what the attacker uses to reach the stored data. Alice, could you describe to us the basic architecture of a web application that uses a database? Script Intypedia007en 1

Certainly. Although a web application can be as complex as a system would require, typical applications have the following structure. Here you can see that there are three distinct levels according to their roles. The first one is the user interface manager, that is, the part in charge of human-computer interaction, which in a typical web application would be the web browser. The second level is where the application logic is located. It will run on web servers and application servers that using different technologies will generate knowledge and process information for a particular purpose. Finally, we would have the data storage, that is, the information repository where the company's knowledge is stored. This repository can be implemented by an LDAP tree, a relational database, data storage in XML or a simple data file. There is a connection between each of the adjacent levels. The user, through the information sent by the web browser, interacts with the web server and, in turn, the application logic interacts with the data storage to read and write information on the system. Of course, each interaction has its own set of protocols and languages. This way, between the interface level and the application logic level, protocols such as http or https can be used to send information. While specific network protocols are used for the queries sent between the web server and the data repositories in their own languages. For example, if the repository is an LDAP tree, the application logic will send LDAP queries with LDAP search filters. In the case of a relational database, queries in SQL language would be used over protocols such as Tabular Data Stream or Oracle Net. For a repository in XML format we would use XPath queries. How interesting! Thus, the answer to how an attacker can recover information from a computer network with a web application seems pretty clear. Chances are there is a security breach in the application's code. Currently, according to the Open Web Application Security Project (OWASP), the 10 most likely attack vectors for these applications are: A1-Injection, A2-Cross-Site Scripting (XSS), A3-Broken Authentication and Session Management, A4-Insecure Direct Object References, A5-Cross Site Request Forgery (CSRF), A6-Security Misconfiguration, A7-Insecure Cryptographic Storage, A8- Failure to Restrict URL Access, A9-Insufficient Transport Layer Protection, A10-Invalidated Redirects and Forwards. These attacks attempt to exploit security flaws in web applications (in client or server) with a specific purpose, like for example extracting information from a database. We will have enough time in the future to take a closer look at each one of them, but now we are going to explain the basics of one of the most famous and effective attacks: the SQL code injection. Script Intypedia007en 2

SCENE 2. CODE INJECTION IN WEB APPLICATIONS One of the key security challenges that web applications face is protecting themselves against injection attacks. Bob, would you mind telling us about the breach exploited by attackers in these types of vulnerabilities? Of course, Alice, it is simple to explain. The vulnerability exploited by the attacker is that the web application does not correctly validate the data that is being entered by the user in the interface, which is then used in queries to the data repository. Let's take a look at an example. Let's suppose that a web application has a user authentication system using a form on which you must enter a username and password. If the programmer doesn't validate properly the information that is entered, but instead, concatenates the data directly building a query that is sent to the database server, the attacker can interact directly with the database. They can use SQL queries, for example and, depending on the environment, remove, modify or delete information. As you can see, the attacker hasn't entered a valid password, but has introduced a condition using the quote character. When this is concatenated in the SQL query that is sent to the database, the result is always compliant, so the application logic always receives an authenticated user from the application. One may think that the vulnerability exploit consists only of using the quote character effectively, but it's not only that. The vulnerability is, in fact, that the data isn't filtered correctly. If instead of a login form with text fields, the attacker were to exploit the call to a program with a numeric parameter, it would be as easy as introducing a space between the number and the command they want to inject to be able to execute commands on the relational database. For example, something as simple as http://www.server.com/app.aps?id=1; shutdown could be an attack to stop the database engine using SQL Injection. And it wouldn't be necessary to enter any quotation marks. That's right and this is not just for databases. The attack can be performed successfully on systems with any type of data repository. You would only have to change the types of commands you want to inject and, then, almost any command allowed by the engine could be executed. Script Intypedia007en 3

Of course, the attacker finds certain limitations like the privileges that the web application account has inside the data repository engine or the type of information shown by the application after executing the commands. That is why researchers have developed very refined techniques for extracting the information stored by the system, even without ever seeing the data directly on the website. Yes, when extracting data from an engine, there's a distinction between inbound and outbound attacks. The former are those in which the web application itself, handled properly, shows the attacker the extracted information. On the contrary, outbound attacks extract information by generating error messages or triggering events that allow them to extract the data. There are proofs of concept in which data is extracted by generating DNS queries to a controlled server where the extracted data is kept in a log. Furthermore, the attacker doesn't need to view the data drawn from a database through the web application, because of the so-called blind attacks. In these attacks, the data is inferred from the behaviour of a web application after injecting a certain command, as Bob will explain to us now. SCENE 3. BLIND INJECTION TECHNIQUES As you said, Alice, when an attacker can inject any code in the queries that are sent to the databases, they can force changes in the application's behaviour based on the different injections. If an attacker is able to find a constant behaviour when injecting code with True values in all the conditions of the generated query meaning that all conditions are met or a constant behaviour when injecting code with a False value meaning that the condition isn't met then the attacker can construct a binary logic to extract all the information in the database. For a better understanding of this, let's imagine a simple environment. Suppose a developer has built a web page that displays a news article. The article is stored in a table inside a relational database to which the developer has access using a simple query like: Select * from articles where id='+article_id+'. The developer uses the value article_id to select the article and this is picked up by a GET parameter from the client, something like: www.server.com/show_articles.php?article_id=1 Script Intypedia007en 4

Supposing that the construction of the SQL query with the article_id value is done by concatenating a string without filtering the value that is sent for article_id, then we would have a SQL Injection vulnerability. With this vulnerability, an attacker could study the application's behaviour in extreme situations with True and False conditions, in order to establish a binary logic. This way, they could inject something like: http://www.server.com/show_articles.php?article_id=1 and 1=1 and http://www.server.com/show_articles.php?article_id=1 and 1=0. In the first case, the resulting SQL query doesn't change the application's functionality, but in the second case, the SQL query doesn't return any results. This would generate two SQL queries such as: - Select fields from table where conditions and 1=1 - Select field from table where conditions and 1=0 If the application displays different behaviours to these injections, such as showing an article in the first case and an error message in the second case, then you could extract the information using a blind attack. With these behaviours, the attacker would know that if an article is shown after an injection, this would mean that the condition entered gives a True result. But if an error message is shown, that would mean that the entered condition gives a False result. Therefore, to extract the information, the attacker could make injections of the following type: http://www.server.com/show_articles.php?article_id=1 and (100=(select top 1 ascii (substring(login,1,1)) from users)) This would be asking if the ASCII value of the first letter of the first user is equal to 100, i.e, if the user's name begins with d lowercase. Using this type of queries it's possible to dump the entire database without even seeing the information. Obviously, it is possible to "guess" the names of the tables. This technique generates a large number of requests to the database that could be recorded in a log or raise the awareness of an intrusion detection system. These blind techniques have evolved by analyzing the behaviour of the applications and looking for different behaviours in all the characteristics of the result pages. Even the time delays have been used to recognize True and False values. Script Intypedia007en 5

SCENE 4. AVOIDING INJECTION TECHNIQUES. MITIGATION As we have already seen, if the application doesn't filter correctly the parameters that come from the user to generate the query, the attacker can find ways to extract the information from the data repository using queries of different complexity. This requires a special emphasis on filtering the data that comes from the client. In development environments there are advanced components for creating secure data mining queries, so it is advisable to use these types of components to create queries instead of doing it manually with the concatenation of text strings and variables. In addition, some of these integrated development environments come with static code analysers that are able to detect such vulnerabilities through a comprehensive source code analysis. Well, that's all for today. At the Intypedia website you will find additional documents for this lesson. Goodbye! See you next time! Script adapted to the Intypedia format from the document delivered by Chema Alonso Madrid, Spain. May 2011 http://www.intypedia.com http://twitter.com/intypedia Script Intypedia007en 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information