SQL Injection Vulnerabilities in Desktop Applications




Vulnerabilities in Desktop Applications
Derek Ditch (lead), Dylan McDonald, Justin Miller
Missouri University of Science & Technology, Computer Science Department
April 29, 2008

Outline
Objective: To protect desktop applications and user data from SQL injection attacks
1. Background: Akonadi Architecture; Akonadi &
2. Types of Attacks: Example
3.
4.

Background: Why choose Akonadi?
- Part of the core architecture for the upcoming KDE 4.1 release
- Significant privacy data at risk
- Lack of protection for Qt applications in general from SQL injection

Akonadi Architecture
- Desktop-neutral Personal Information Manager (PIM) service
- Akonadi stores/caches: email, chat logs, calendars, address books, RSS feeds
- Uses a MySQL backend
- Provides an IMAP client interface

Akonadi &
[Architecture diagram: AkonadiServer (<<TcpServer>>) with AkonadiConnection threads, NotificationCollector, CacheCleaner thread (clears old values), IMAP Handler (Append, Delete, Status), DataStore and DbInitializer (build db), MySQL Database]
Attack path through the architecture:
- Rogue client accesses the IMAP socket interface
- Executes a valid IMAP client command, with inter-mixed SQL as user data
- User data is injected into the SQL query
- SQL is passed through the API directly to the database layer

Types of Attacks
- SQL injection attacks inject arbitrary text into prepared SQL buffers to perform actions unintended by the developer
- Even with internal SQL data stores, poorly crafted or protected queries are vulnerable
- In particular, Akonadi uses a passwordless internal SQL store protected only by file permissions

Types of Attacks
- Tautology: adds logic that is trivially true in order to make the query return more results than intended
- Comment: uses a special character sequence (-- or /*) in the input to disable parts of the intended query
- Subqueries: inserts a query within a query to change the behaviour of the database server or modify arbitrary data within the SQL database

Attack Setup
Suppose we have a user table:

    User           Password      Admin
    tauritzd       takecs348     T
    ajfrost        hackallatms   F
    justinmiller   offtoiowa     F

Queries like

    SELECT * FROM users WHERE user = '$un' AND password = '$pwd';

are often used to authenticate users when they enter their username and password in the application. Let's see how ajfrost can become an admin!

Attack Result
We will now try an attack by entering SQL logic into an application's password field, resulting in this SQL query:

Resulting SQL Query

    SELECT * FROM users WHERE username = 'ajfrost' AND password = '' OR 1 = 1 AND admin = 'T';

We can use any row to be an administrator.

Command Line Interface
- A special interactive mode flag can be passed from the command line for testing multiple queries in short order
- When in interactive mode, a prompt is displayed and, as queries are entered, the provided and cleaned queries are run against a MySQL database
- Command line and interactive modes both show the impacts of the queries on the database

Example API
Example usage:

    // Create sqlcleaner, which autocleans the query on construction
    SQLSanitizer sqlcleaner(query);

    if (true == sqlcleaner.cleaned()) {
        // Process the sanitized query
        query = sqlcleaner.getquery();
        ...
    } else {
        // Handle error: the query could not be cleaned
    }

Example Output

    % ./sqlsan "SELECT * FROM users WHERE username = 'ajfrost' AND password = '' OR 1 = 1 AND admin = 'T';"
    SQLSanitizer Test App v1
    By: Dylan McDonald, Justin Miller, Derek Ditch
    Sanitized Query: SELECT * FROM users WHERE = 'ajfrost' AND password = '' AND admin = 'T';

Under the hood: What happens to the string?
- If no parameters are given to the constructor, the default, safe behaviour is used.
- The query is automatically processed unless the parameter is set to false.
- The query is checked for commands that change the schema, subqueries, and tautologies.
- If all went well, cleaned() returns true. Otherwise, it returns false.
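The attack classes listed under Types of Attacks and the checks described above can be illustrated with a small input checker. This is an added example, not Akonadi's code or the SQLSanitizer from the slides; it classifies one user-supplied value against the deck's categories and is tried on the deck's own password payload. classifyInput, InputRisk and loginInputAccepted are hypothetical names chosen for this example.

```cpp
// Added example (not Akonadi's code or the slides' SQLSanitizer): flag the
// deck's attack classes (tautology, comment, subquery) plus the schema-changing
// commands the sanitizer checks for, in a single user-supplied value.
#include <regex>
#include <string>

enum class InputRisk { Clean, Tautology, Comment, Subquery, SchemaChange };

// Classify a single user-supplied value (a username or password), not the
// assembled statement. Legitimate input carries no SQL syntax, so any hit is
// grounds to reject the login attempt and log it. The patterns are deliberately
// narrow and will miss variants; a detector like this is a second line of
// defence behind prepared statements with bound parameters, which never splice
// input into SQL text at all.
InputRisk classifyInput(const std::string& in) {
    // "OR x = x" with the same token on both sides, e.g. OR 1 = 1 or OR 'a'='a'
    static const std::regex tautology(R"((^|\W)[Oo][Rr]\s+('?\w+'?)\s*=\s*\2(\W|$))");
    // SQL and MySQL comment openers used to cut off the rest of the statement
    static const std::regex comment(R"(--|/\*|#)");
    // A nested SELECT in parentheses
    static const std::regex subquery(R"(\(\s*[Ss][Ee][Ll][Ee][Cc][Tt]\b)");
    // DDL that must never reach the database from user data
    static const std::regex schema(R"(\b(DROP|ALTER|CREATE|TRUNCATE)\b)",
                                   std::regex::icase);

    if (std::regex_search(in, schema))    return InputRisk::SchemaChange;
    if (std::regex_search(in, subquery))  return InputRisk::Subquery;
    if (std::regex_search(in, comment))   return InputRisk::Comment;
    if (std::regex_search(in, tautology)) return InputRisk::Tautology;
    return InputRisk::Clean;
}

// Gate for the deck's login query: both fields must be clean before anything
// is sent to the database.
bool loginInputAccepted(const std::string& user, const std::string& pwd) {
    return classifyInput(user) == InputRisk::Clean &&
           classifyInput(pwd) == InputRisk::Clean;
}

// Constructed sample: the password value the deck injects to log ajfrost in
// as an administrator.
const std::string kDeckPayload = "' OR 1 = 1 AND admin = 'T";

int main() {
    // Exit status 0 means the payload was rejected, as intended.
    return loginInputAccepted("ajfrost", kDeckPayload) ? 1 : 0;
}
```

Legitimate passwords containing # or -- would also be rejected by the comment check, which is the usual cost of pattern-based sanitizing and another reason to prefer bound parameters.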

- Make the smarter
- Handle more complex queries
- Reduce overhead of added protection
- Give back to community: ensure code conforms to KDE standards; submit patch to KDE developer mailing lists; make additional changes as necessary
- Publish findings