SQL Server Security: "The Hacker's Goldmine"
Secure Software Forum (SSF)
- Annual education series dedicated to secure software
- Leading security experts collaborate on education initiatives
- Yearly programs include:
  - February kick-off event in San Jose
  - Free workshop series
  - Executive dinner series
  - Webcast series
- Workshops sponsored by Microsoft & SPI Dynamics
SPI Dynamics Overview
- Founded January 2000 by Web application and security experts
- The leader in Web application security assessment throughout the lifecycle
- Eight patents pending or issued
- 700+ customers in the Global 2000
- Strong in the F500, all industries and government
- Over 100% customer and revenue growth year-to-year since inception
The History of Application Security
History of Web Applications
- Simple, single-server solutions
- [Figure: Browser <-> Web Server, exchanging HTML]
Web Application Architecture
- [Figure: clients (Web Services, Wireless, Browser) -> Web Servers (Presentation Layer) -> Application Server (Business Logic: Customer Identification, Media Store, Content Services, Access Controls) -> Database Server (Transaction Information, Core Business Data)]
Web Applications Breach the Perimeter
- [Figure: Internet traffic (HTTP(S), IMAP, FTP, SSH, TELNET, POP3) reaches the outer firewall; only HTTP(S) passes to the DMZ web server (IIS, SunOne, Apache); an inner firewall separates the DMZ from the trusted inside (application servers: ASP.NET, WebSphere, Java); a further firewall separates the corporate inside (database servers: SQL, Oracle, DB2)]
- The outer firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server.
- The inner firewall only allows applications on the web server to talk to the application server.
- The corporate firewall only allows the application server to talk to the database server.
[Slide 7 author comment, Kim.Dinerman, 2/23/2006: "There should be a new version of this somewhere... mario?"]
Application Vulnerability Overview
Web Application Vulnerabilities
Web application vulnerabilities occur in three major areas:
- Administration
- Platform
- Application
Web Application Vulnerabilities: Platform
- Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
- The most easily defendable of all web vulnerabilities
- Must have streamlined patching procedures
- Must have an inventory process
- Platform examples: IIS UNICODE, Apache chunked encoding
[Slide 10 author comment, Kim.Dinerman, 2/23/2006: "take off words, just put platform"]
Web Application Vulnerabilities: Administration
- More difficult to correct than known issues
- Require increased awareness
- More than just configuration: must be aware of security flaws in the actual content
- Remnant files can reveal the applications and versions in use
- Backup files can reveal source code and database connection strings
- Administration examples: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
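The remnant and backup file problem above is something an administrator can check for on the server itself before a scanner (or anyone else) finds it from the outside. The following is an added example, not code from the deck or from SPI Dynamics: it walks a served directory tree and reports files whose names mark them as editor backups, old copies or archives that a web server would happily return as plain text (for example a web.config.bak holding a connection string). The suffix and marker lists, the sample tree and the file names in it are all constructed for the example.

```python
import os
import tempfile

# Constructed patterns for this example: suffixes editors and admins commonly leave behind,
# archive types that often hold a copy of the site, and name fragments that mark manual copies.
REMNANT_SUFFIXES = (".bak", ".old", ".orig", ".tmp", ".swp", ".save", "~")
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".rar")
REMNANT_MARKERS = ("copy of", "backup", "_old", "-old")


def is_remnant(filename):
    """True if the file name looks like a backup, remnant or archived copy."""
    lower = filename.lower()
    return (lower.endswith(REMNANT_SUFFIXES)
            or lower.endswith(ARCHIVE_SUFFIXES)
            or any(marker in lower for marker in REMNANT_MARKERS))


def find_remnant_files(webroot):
    """Walk the served tree and return the relative paths of everything that matches."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if is_remnant(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree in a temp directory (example data, not from any real deployment)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sample = [
        "default.aspx", "web.config", "web.config.bak", "events.aspx.old",
        "old_site.zip", "Copy of login.aspx", "images/logo.gif",
        "include/db.inc~", "include/db.inc",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for hit in find_remnant_files(root):
        print("remnant file in webroot:", hit)
```

Run it against the real document root instead of the sample tree to get the list of files to remove (or to move outside the served tree); the pattern lists are a starting point and should be extended with whatever the deployed platform and editors produce.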
Web Application Vulnerabilities: Application
- Coding techniques do not include security
- Input is assumed to be valid, but is not tested
- Inappropriate file calls reveal source code and system files
- Unexamined input from a browser can inject scripts into a page for replay against later visitors
- Unhandled error messages reveal application and database structures
- Unchecked database calls can be piggybacked with a hacker's own database call, giving direct access to business data through a web browser
- Application examples: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, SQL Injection, Hidden Web Paths, Forceful Browsing
Demonstration SQL Injection / Blind SQL Injection
SQL Injection Vulnerable Code
Vulnerable code (the cboLocation request value is concatenated straight into the query text):
    ssql = ssql + " where LocationID = " + Request["cboLocation"];
    oCmd.CommandText = ssql;
SQL Injection Vulnerable Code: Debug View
    oCmd.CommandText
    "SELECT EventName, EndDate, [Description], [Location] from Events where LocationID = convert(int,(select top 1 name from sysobjects))"
The submitted value has become part of the statement: the subquery runs against the system catalog, and the failed conversion of the selected object name to int produces a database error that, if returned to the browser, discloses that name.
SQL Remediation
- Do not build SQL statements with user-provided data in the command text
- Use parameterized queries
- Grant the application's database user the minimum necessary rights
- Disable error messages (do not return database errors to the browser)
SQL Injection Safe Code
Simple but safe code (the request value is bound as a parameter value, so it is never parsed as SQL):
    ssql = ssql + " where LocationID = @LocationID";
    oCmd.CommandText = ssql;
    oCmd.Parameters.Add("@LocationID", Request["cboLocation"]);
SQL Injection Safe Code: Debug View
    oCmd.CommandText
    "SELECT EventName, [Description], [Location] from Events where LocationID = @LocationID"
SQL Injection Safe Code
Safe code (a typed parameter; the request value is converted to an integer before the command is executed):
    oCmd.CommandText = ssql + " where LocationID = @LocationID";
    SqlParameter pLocationID = new SqlParameter("@LocationID", SqlDbType.Int);
    pLocationID.Value = System.Convert.ToInt32(Request["cboLocation"]);
    oCmd.Parameters.Add(pLocationID);
Debug view: none. Convert.ToInt32 throws on the injected string, so the command object was never executed.
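The three slides above (concatenated query, bound parameter, typed parameter) and the remediation list are easiest to compare side by side. The following is an added example written for this page, not code from the deck or from SPI Dynamics, and it uses Python with an in-memory SQLite table as a stand-in for the deck's ASP.NET code and SQL Server Events table; the table rows and the request values are constructed. Each function mirrors one slide, and the handler at the end adds the last remediation item: detailed errors go to a server-side log and the client only sees a generic message. One assumption is flagged in the comments: SQLite silently returns no rows when a non-numeric value is bound against an integer column, whereas SQL Server raises a conversion error, which is exactly why the typed step validates the input before any command is built.

```python
import sqlite3

# Server-side log; in a real handler this would be the application log, never the HTTP response.
SERVER_LOG = []

BASE_SQL = "SELECT EventName, Description, Location FROM Events"


def make_db():
    """Constructed in-memory stand-in for the deck's Events table (sample rows, not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Events (EventName TEXT, Description TEXT, "
                "Location TEXT, LocationID INTEGER)")
    con.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", [
        ("Kickoff", "Public launch", "San Jose", 1),
        ("Board dinner", "Invite only", "Atlanta", 2),
        ("Payroll review", "Internal", "Atlanta", 3),
    ])
    con.commit()
    return con


def vulnerable_lookup(con, cbo_location):
    """Mirrors the deck's concatenation: whatever the browser sent becomes part of the SQL text."""
    sql = BASE_SQL + " WHERE LocationID = " + cbo_location
    return con.execute(sql).fetchall()


def simple_safe_lookup(con, cbo_location):
    """Mirrors the 'simple but safe' slide: a placeholder, with the value bound at execution time,
    so the input is never parsed as SQL. (Assumption noted in the lead-in: SQLite yields no rows for
    a non-numeric value here; SQL Server would raise a conversion error instead.)"""
    sql = BASE_SQL + " WHERE LocationID = ?"
    return con.execute(sql, (cbo_location,)).fetchall()


def typed_safe_lookup(con, cbo_location):
    """Mirrors the typed-parameter slide (SqlDbType.Int + Convert.ToInt32): the value is converted
    to an integer first, so bad input fails before any command reaches the database."""
    location_id = int(cbo_location)  # ValueError for anything that is not an integer
    sql = BASE_SQL + " WHERE LocationID = ?"
    return con.execute(sql, (location_id,)).fetchall()


def handle_request(con, cbo_location):
    """Handler shape covering the remediation list: typed parameter plus no detailed error text
    to the client. Details go to SERVER_LOG; the caller gets only a generic message."""
    try:
        return {"ok": True, "rows": typed_safe_lookup(con, cbo_location)}
    except (ValueError, sqlite3.Error) as exc:
        SERVER_LOG.append(f"lookup rejected input {cbo_location!r}: {type(exc).__name__}: {exc}")
        return {"ok": False, "error": "Invalid location."}


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # the kind of piggybacked clause the deck warns about
    print("vulnerable:", vulnerable_lookup(db, payload))   # every row, all locations
    print("bound:     ", simple_safe_lookup(db, payload))  # no rows: the text is a value, not SQL
    print("typed:     ", handle_request(db, payload))      # rejected before any query is built
    print("log:       ", SERVER_LOG)
```

The same request value produces three different outcomes: the concatenated query returns every row in the table, the bound parameter returns nothing because the whole string is compared as a value, and the typed path rejects it before a command exists, with the reason recorded only where an administrator can read it.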
Java Prepared Statement
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
    PreparedStatement updateSales = con.prepareStatement(
        "UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ?");
    updateSales.setInt(1, 75);
    updateSales.setString(2, "Colombian");
    updateSales.executeUpdate();
References
- Whitepaper: http://www.spidynamics.com (education)
- PDF: http://portal.spidynamics.com/blogs/dennis
- Downloads: http://www.spidynamics.com (trial)