How I hacked PacketStorm (1988-2000)



Similar documents
Bayesian Classification for SQL Injection Detection

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

Detection of SQL Injection Attacks by Combining Static Analysis and Runtime Validation

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Check list for web developers

Still Aren't Doing. Frank Kim

SQL INJECTION AND PREVENTION TECHNIQUES

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

Detection and Prevention of SQL Injection Attacks

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

Understanding Sql Injection

A Novel Approach to detect SQL injection in web applications

Token Sequencing Approach to Prevent SQL Injection Attacks

Maintaining Stored Procedures in Database Application

SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS

Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities

Security Code Review- Identifying Web Vulnerabilities

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

SQL Injection Vulnerabilities in Desktop Applications

Manipulating Microsoft SQL Server Using SQL Injection

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

An analysis on Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries

Automating SQL Injection Exploits

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Webapps Vulnerability Report

Enhanced Model of SQL Injection Detecting and Prevention

Passing PCI Compliance How to Address the Application Security Mandates

Classification of SQL Injection Attacks

A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack

Hacker Intelligence Initiative, Monthly Trend Report #4

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

A Simple and Fast Technique for Detection and Prevention of SQL Injection Attacks (SQLIAs)

BLIND SQL INJECTION (UBC)

SQL Injection January 23, 2013

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Thick Client Application Security

1. What is SQL Injection?

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

SQL Injection Protection by Variable Normalization of SQL Statement

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

SQL Injection. Sajjad Pourali CERT of Ferdowsi University of Mashhad

Web Application Security

Testing Web Applications for SQL Injection Sam Shober

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR

Web Application Guidelines

Criteria for web application security check. Version

SECURING APACHE : THE BASICS - III

What is Web Security? Motivation

Detecting SQL Injection Vulnerabilities in Web Services

Web Applications Security: SQL Injection Attack

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Black Hat Briefings USA 2004 Cameron Hotchkies

Rational AppScan & Ounce Products

Web Application Security

How To Prevent An Sql Injection Attack

An Effective Approach for Detecting and Preventing Sqlinjection Attacks

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

SQL Injection. Slides thanks to Prof. Shmatikov at UT Austin

Database System Security. Paul J. Wagner UMSSIA 2008

Time-Based Blind SQL Injection using Heavy Queries A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

Advanced SQL Injection

Client logo placeholder XXX REPORT. Page 1 of 37

ICTN Enterprise Database Security Issues and Solutions

Where every interaction matters.

Understanding Web Application Security Issues

SQL Injection for newbie

Web Application Security

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

MapReduce. MapReduce and SQL Injections. CS 3200 Final Lecture. Introduction. MapReduce. Programming Model. Example

SQL Injection Prevention Using Runtime Query Modeling and Keyword Randomization

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Exposed Database( SQL Server) Error messages Delicious food for Hackers

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Security Test s i t ng Eileen Donlon CMSC 737 Spring 2008

Analysis of SQL injection prevention using a proxy server

SQL Injection Attack Lab

HTTPParameter Pollution. ChrysostomosDaniel

Start Secure. Stay Secure. Blind SQL Injection. Are your web applications vulnerable? By Kevin Spett

Intrusion Protection against SQL Injection Attacks Using a Reverse Proxy

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

Top 10 Database. Misconfigurations.

Chapter 1 Web Application (In)security 1

CS 161 Computer Security

Transcription:

Outline Recap Secure Programming Lecture 8++: SQL Injection David Aspinall, Informatics @ Edinburgh 13th February 2014 Overview Some past attacks Reminder: basics Classification Injection route and motive Forms of SQL code injected Prevention and detection Summary Injection attacks use specially crafted inputs to subvert the intended operation of applications. OS Command Injections may execute arbitrary commands. SQL Injections can reveal database contents, affect the results of queries used for authentication; sometimes they can even execute commands. In this lecture we look at SQL Injections in more detail. Context How I hacked PacketStorm (1988-2000) Man steals 130m identities (2009) SQL Injection (SQLi) is by some estimates the current number one category of software vulnerability. As with overflows, there is a large body of crafty exploits made possible by (often small) errors in coding or design. We will look at: SQLi attack types and mechanisms detecting SQLi preventing SQLi -- Advisory RFP2K01 ------------------------------ rfp.labs ------------ "How I hacked PacketStorm" A look at hacking wwwthreads via SQL ------------------------------- rain forest puppy / rfp@wiretrip.net --- One of the first public examples and explanation Demonstrated retrieval of 800 passwords See Rain Forest Puppy s advisory and his earlier Phrack 54 article

Attempted handwritten attack in Swedish Elections (2010) Should know better (2011) Should know better (2013) Typical setting for attacks Running example: servlet code Normal usage [Picture from SQL Injection Attacks and Defense, J. Clarke, Syngress, 2012] 1 public class Show extends HttpServlet { 2 public ResultSet getuserlnfo(string login, String pin) { 3 Connection conn = DriverManager.getConnection("MyDB"}; 4 Statement stmt = conn.createstatement(); 5 String querystring = ""; 6 7 querystring = " "; 8 if ((! login.equals("")) && (! pin.equals(""))) { 9 querystring += "login= " + login + 10 " AND pin=" + pin; 11 } else { 12 querystring+="login= guest "; 13 } 14 15 ResultSet tempset = stmt.execute(querystring); 16 return tempset; 17 } 18 } 7 querystring = " "; 8 if ((! login.equals("")) && (! pin.equals(""))) { 9 querystring += "login= " + login + 10 " AND pin=" + pin; 11 } else { 12 querystring+="login= guest "; 13 } User submits login="john" and pin="1234" SQL issued: login= john AND pin=1234

Malicious usage Classifying SQL injections Injection routes 7 querystring = "SELECT info FROM users WHERE "; 8 if ((! login.equals("")) && (! pin.equals(""))) { 9 querystring += "login= " + login + 10 " AND pin=" + pin; 11 } else { 12 querystring+="login= guest "; 13 } User submits login="admin --" and pin="0" SQL issued: There are a wide variety of SQL injection techniques. Sometimes several are used to mount a single attack. It s useful to examine: route where injection happens motive what it aims to achieve SQL code the form of SQL injected User input e.g., web forms via HTTP GET or POST Cookies used by web apps to build queries Server variables logged by web apps (e.g., http headers) Second-order injection where injection is separated from attack login= admin -- AND pin=0 These slides follow A Classification of SQL Injection Attacks and Countermeasures by Halfond, Viegas and Orso. ISSE 2006. Primary motive of attack Auxiliary motives Forms of SQL code injected Extracting data Adding or modifying data Mounting a denial of service attack Bypassing authentication Executing arbitrary commands Finding injectable parameters Database server finger-printing Finding database schema Escalating privilege at the database level 1. Tautologies 2. Illegal/incorrect queries 3. Union query 4. Piggy-backed queries 5. Inference pairs 6. Stored procedures and other DBMS features Additionally, the injection may use alternate encodings to try to defeat sanitization routines that don t interpret them (e.g., char(120) instead of x). Exercise. For each of these types (described next), consider what the primary/secondary motive(s) of the attack could be.

Tautologies Illegal/incorrect Example response Inject code into condition statement(s) so they always evaluate to true. login= or 1=1 -- AND pin= Blacklisting tautologies is difficult Many ways of writing them: 1>0, x LIKE x,... Quasi tautologies: very often true RAND()>0.01,... Question. Instead of a tautology, can you think of how an attacker might use an always-false condition? Cause a run-time error, hoping to learn information from error responses. login= AND pin=convert(int,(select top 1 name from sysobjects where xtype= u )) Supposes MS SQL server sysobjects is server table of metadata Tries to find first user table Converts name into integer: runtime error Microsoft OLE DB Provider for SQL Server (Ox80040E07) Error converting nvarchar value CreditCards to a column of data type int Tells the attacker: SQL Server is running The first user-defined table is called CreditCards Union query Piggy-backed queries Inference pairs Inject a second query using UNION: login= UNION SELECT cardno from CreditCards where acctno=10032 -- AND pin= Suppose there are no tuples with login= Result: may reveal cardno for account 10032 Inject a second, distinct query: login= doe ; drop table users -- AND pin=123 Database parses second command after ; Executes second query, deleting users table NB: some databases don t need ; character Suppose error responses are correctly captured and not seen by the client. It might still be possible to extract information from the database, by finding some difference between outputs from pairs of queries. A Blind Injection tries to reveal information by exploiting some visible difference in outputs. A Timing Attack tries to reveal information by making a difference in response time dependent on a boolean (e.g., via WAITFOR)

Blind injection example Blind injection example Blind injection example Idea: discover whether login parameter is vulnerable with two tests. Step 1. always true: login= legaluser and 1=1 -- 2. always false: login= legaluser and 1=0 -- Step 1 login= legaluser and 1=1 -- RESPONSE: INVALID PASSWORD Attacker reasons: Perhaps my invalid input was detected and rejected, or perhaps the username query was executed separately from the password check. Step 2 login= legaluser and 1=0 -- RESPONSE: INVALID USERNAME AND PASSWORD Attacker reasons: Aha, the response is different! Now I can infer that the login parameter is injectable. Stored procedures Stored procedures Stored procedures Stored procedures are custom sub-routines which can provide customizable support for additional operations. May be written in scripting languages. Can open up additional vulnerabilities. CREATE PROCEDURE DBO.isAuthenticated @username varchar2, @pin int AS EXEC("SELECT accounts FROM users WHERE login= " +@username+ " and pass= " +@pass+ " and pin=" +@pin); GO This is invoked with something like: EXEC DBO.isAuthenticated david bananas 1234 Or something like: EXEC DBO.isAuthenticated( ; SHUTDOWN; --,, ) which results in: login= doe pass= ; SHUTDOWN; -- AND pin= [varchar2 is an Oracle datatype for variable length strings]

An especially dangerous stored procedures Microsoft SQL Server offers: xp_cmdshell, which allows operating system commands to be executed. EXEC master..xp_cmdshell format c: Since SQL Server 2005, this is disabled by default... but can be switched back on by db admins... maybe from inside the db Other database server features There are other features offered variously depending on the DBMS. For example, queries in MySQL can write files with the idiom: SELECT INTO outfile.txt... Question. Why might writing files be of use to an attacker? How do I repair an SQLi vulnerability? Mentioned last lecture: filtering to sanitize inputs prepared (aka parameterized) queries Both methods are server, so it is better to use database driver libraries whenever possible that abstract away from the underlying DBMS. In Java, JDBC provides the PreparedStatement class. [We ll look at further relevant secure coding issues later lectures; in particular, ways of managing input and also output filtering.] Question. What type of SQLi attacks might PreparedStatements not prevent against? How do I prevent SQLi vulnerabilities? Choice of stages (as usual): 1. eliminate before deployment: manual code review automatic static analysis 2. in testing or deployment: manual test for vulnerabilities or use automatic scanners 3. after deployment: wait until attacked, manually investigate use dynamic remediation plus alarms (app firewall or specialised technique) Some examples follow. Static prevention: automated analysis Idea: static code analysis used to warn programmer or prohibit/fix vulnerable code. Techniques: Detect suspicious code patterns, e.g., dynamic query construction Use static taint analysis to detect data-flows from input parameters to queries [We ll look at static analysis in more detail in later lectures] Dynamic detection tool: AMNESIA Idea: use static analysis pre-processing to generate a dynamic detection tool: 1. Find SQL query-generation points in code 2. Build SQL-query model as NDFA which models SQL grammar, transition labels are tokens 3. Instrument application to call runtime monitor 4. If monitor detects violation of state machine, triggers error, preventing SQL query

State machine for SQL production Variable β: matches any string in SQL grammar Spots violation in injectable parameters abort query if model not in accepting state [See Halfond and Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Automated Software Engineering, 2005] Dynamic prevention: SQLrand Idea: use instruction set randomization to change language dynamically to use opcodes/keywords that attacker can t easily guess. [See Boyd and Keromytis, SQLrand: Preventing SQL Injection Attacks, Applied Cryptography and Network Security, 2004] Review questions SQLi classification Describe three routes by which SQL injection may occur. Describe three auxiliary motives that an attacker may have when using SQL injection techniques to learn about a target. SQLi prevention and detection How would you repair the prototypical example SQLi vulnerability? Describe an automatic technique for preventing and an automatic technique for detecting SQLi vulnerabilities. References and credits Most content in this lecture has been adapted from: A Classification of SQL Injection Attacks and Countermeasures by Halfond, Viegas and Orso. ISSE 2006 SQL Injection Attacks and Defense, Edited by Justin Clarke, Syngress. 2nd Edition 2012.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information