SQL Server Security: "The Hacker's Goldmine"




Secure Software Forum (SSF)
Annual education series dedicated to secure software. Leading security experts collaborate on education initiatives. Yearly programs include:
February kick-off event in San Jose
Free workshop series
Executive dinner series
Webcast series
Workshops sponsored by Microsoft and SPI Dynamics.

SPI Dynamics Overview
Founded January 2000 by Web application and security experts.
The leader in Web application security assessment throughout the lifecycle.
Eight patents pending or issued.
700+ customers in the Global 2000; strong in the Fortune 500, all industries, and government.
Over 100% customer and revenue growth year-over-year since inception.

The History of Application Security

History of Web Applications
Simple, single-server solutions: Browser -> Web Server -> HTML

Web Application Architecture (diagram)
Clients: Browser, Web Services, Wireless
Web Servers: Presentation Layer
Application Server: Business Logic (Customer Identification, Media Store, Content Services, Access Controls, Transaction Information)
Database Server: Core Business Data

Web Applications Breach the Perimeter (diagram)
Internet: HTTP(S), IMAP, FTP, SSH, TELNET, POP3
Firewall 1 only allows port 80 (or 443 SSL) traffic from the Internet to the web server.
DMZ: any web server on port 80 (IIS, SunONE, Apache)
Firewall 2 only allows applications on the web server to talk to the application server.
Trusted Inside: application server (ASP.NET, WebSphere, Java)
Firewall 3 only allows the application server to talk to the database server.
Corporate Inside: database server (SQL Server, Oracle, DB2)
Every firewall permits exactly the path the application itself uses, so a request crafted in a browser travels through all three tiers to the database without being blocked by any of them.

Application Vulnerability Overview

Web Application Vulnerabilities
Web application vulnerabilities occur in three major areas: Administration, Platform, Application.

Web Application Vulnerabilities: Platform
Known vulnerabilities can be exploited immediately with a minimum of skill or experience ("script kiddies").
The most easily defended of all web vulnerabilities.
Must have streamlined patching procedures.
Must have an inventory process.
Platform examples: IIS Unicode (directory traversal), Apache chunked encoding.

Web Application Vulnerabilities: Administration
More difficult to correct than known issues; require increased awareness.
More than just configuration: must be aware of security flaws in the actual content.
Remnant files can reveal the applications and versions in use.
Backup files can reveal source code and database connection strings.
Administration examples: extension checking, common file checks, data extension checking, backup checking, directory enumeration, path truncation, hidden web paths, forceful browsing.

Web Application Vulnerabilities: Application
Coding techniques do not include security.
Input is assumed to be valid, but not tested.
Inappropriate file calls reveal source code and system files.
Unexamined input from a browser can inject scripts into a page for replay against later visitors (cross-site scripting).
Unhandled error messages reveal application and database structures.
Unchecked database calls can be piggybacked with a hacker's own database call, giving direct access to business data through a web browser (SQL injection).
Application examples: application mapping, cookie manipulation, custom application scripting, parameter manipulation, SQL injection, hidden web paths, forceful browsing.

Demonstration SQL Injection / Blind SQL Injection

SQL Injection Vulnerable Code
Vulnerable code (C#, ASP.NET):

    // The cboLocation request value is concatenated straight into the statement,
    // so whatever the client sends becomes part of the SQL.
    sSQL = sSQL + " where LocationID = " + Request["cboLocation"];
    oCmd.CommandText = sSQL;

SQL Injection Vulnerable Code: Debug View

    ? oCmd.CommandText
    "SELECT EventName, EndDate, [Description], [Location], ... from Events where LocationID = convert(int,(select top 1 name from sysobjects))"

The attacker supplied convert(int,(select top 1 name from sysobjects)) as the location. SQL Server cannot convert a table name to an integer, and the resulting error message, if it reaches the browser, hands the attacker that table name; repeating with a NOT IN clause enumerates the rest of the schema.

SQL Remediation
Do not build SQL statements with user-provided data in the command text.
Use parameterized queries.
Grant the application's database user the minimum necessary rights.
Disable detailed error messages to the client.

SQL Injection Safe Code
Simple but safe code (C#, ASP.NET):

    // A placeholder goes into the text; the value is bound as a parameter and
    // sent to SQL Server as data, never parsed as SQL.
    sSQL = sSQL + " where LocationID = @LocationID";
    oCmd.CommandText = sSQL;
    oCmd.Parameters.Add("@LocationID", Request["cboLocation"]);  // AddWithValue on .NET 2.0 and later

SQL Injection Safe Code: Debug View

    ? oCmd.CommandText
    "SELECT EventName, [Description], [Location] from Events where LocationID = @LocationID"

SQL Injection Safe Code
Safe code with a typed parameter (C#, ASP.NET; needs System.Data and System.Data.SqlClient):

    oCmd.CommandText = sSQL + " where LocationID = @LocationID";
    SqlParameter pLocationID = new SqlParameter("@LocationID", SqlDbType.Int);
    // Convert.ToInt32 throws on anything that is not an integer, so the
    // injected string is rejected before the command is ever sent.
    pLocationID.Value = System.Convert.ToInt32(Request["cboLocation"]);
    oCmd.Parameters.Add(pLocationID);

Debug view: none. The command object was never executed, because the conversion failed on the malicious input; the Int-typed parameter also guarantees that only an integer can ever be bound.
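The demonstration on the preceding slides in runnable form, as an added example that is not from the original deck. Python with the standard-library sqlite3 module stands in for ASP.NET and SQL Server; the Events and Customers tables and their rows are constructed sample data. Because SQLite's CAST does not raise an error, the slide 15 convert()-on-sysobjects trick is replaced by a UNION against sqlite_master (SQLite's equivalent of sysobjects), which leaks the same information (object names) through the same vulnerable concatenation. The three query functions mirror slides 14, 17 and 19.

```python
import sqlite3

# Constructed stand-in for the Events table the slides query, plus a second
# table so that a successful injection has something worth reading.
SCHEMA = """
CREATE TABLE Events (
    EventID     INTEGER PRIMARY KEY,
    EventName   TEXT,
    EndDate     TEXT,
    Description TEXT,
    Location    TEXT,
    LocationID  INTEGER
);
CREATE TABLE Customers (
    CustomerID INTEGER PRIMARY KEY,
    Name       TEXT,
    CardNumber TEXT
);
INSERT INTO Events VALUES (1, 'Kickoff',  '2006-02-01', 'Annual kickoff', 'San Jose', 1);
INSERT INTO Events VALUES (2, 'Workshop', '2006-03-15', 'Free workshop',  'Atlanta',  2);
INSERT INTO Customers VALUES (1, 'Alice Example', '4111111111111111');
"""

BASE_SQL = "SELECT EventName, EndDate, Description, Location FROM Events"

# The slide 15 payload for SQL Server: convert() fails on a table name and the
# error text leaks it. SQLite's CAST never raises, so this demonstration uses a
# UNION against sqlite_master to leak the same object names instead.
MSSQL_ERROR_PAYLOAD = "convert(int,(select top 1 name from sysobjects))"
SQLITE_UNION_PAYLOAD = "0 UNION SELECT name, type, sql, NULL FROM sqlite_master"


def make_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_query(con, cbo_location):
    """Slide 14 pattern: the request value is concatenated into the statement."""
    ssql = BASE_SQL + " WHERE LocationID = " + cbo_location
    return con.execute(ssql).fetchall()


def safe_query(con, cbo_location):
    """Slide 17 pattern: a placeholder in the text, the value bound as a parameter.
    The driver sends the value as data, so SQL syntax inside it is never parsed."""
    ssql = BASE_SQL + " WHERE LocationID = ?"
    return con.execute(ssql, (cbo_location,)).fetchall()


def safe_typed_query(con, cbo_location):
    """Slide 19 pattern: convert to the expected type first. Bad input raises
    ValueError here, so no command is ever sent to the database."""
    location_id = int(cbo_location)
    return con.execute(BASE_SQL + " WHERE LocationID = ?", (location_id,)).fetchall()


def leaked_object_names(con):
    """Run the injection through the vulnerable path and return what it exposed."""
    rows = vulnerable_query(con, SQLITE_UNION_PAYLOAD)
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input:  ", vulnerable_query(db, "1"))
    print("vulnerable, injected input:", leaked_object_names(db))
    print("parameterized, injected:   ", safe_query(db, SQLITE_UNION_PAYLOAD))
    try:
        safe_typed_query(db, SQLITE_UNION_PAYLOAD)
    except ValueError as exc:
        print("typed, injected: command never executed ->", exc)
```

With the honest value "1" all three functions return the San Jose event. With the payload, the concatenated query returns the names of every table in the database, the parameterized query returns no rows because the whole string is compared as a single value, and the typed version fails at int() before any SQL runs, which is the "command object was never executed" result from slide 19.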

Java PreparedStatement
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

    // Same principle as the C# parameters: ? placeholders in the text,
    // values bound with typed setters, never concatenated.
    PreparedStatement updateSales = con.prepareStatement(
        "UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ?");
    updateSales.setInt(1, 75);
    updateSales.setString(2, "Colombian");
    updateSales.executeUpdate();

References
Whitepaper: http://www.spidynamics.com (education)
PDF: http://portal.spidynamics.com/blogs/dennis
Downloads: http://www.spidynamics.com (trial)