Attacking Applications: SQL Injection & Buffer Overflows


Chapter 9: Attacking Applications: SQL Injection & Buffer Overflows

Slide 1: SQL Injection & Buffer Overflow (AKA: Code Injection)

Common issues:
- Both are used to attack applications
- Both are generally caused by programming flaws
- Both are usually delivered via a user input field
- Both are caused by invalid (unverified) parameters

Countermeasure for both: use secure programming methods

Slide 2: SQL Injection

- Occurs when an app processes user-provided data to create an SQL statement without first validating the input
- Reads or modifies a database by compromising the meaning of the original query

Results:
1. The attacker gets to remotely execute system commands, or
2. The attacker takes control of the database server

Slide 3: Finding a SQL Injection Vulnerability

1. Search for websites with a login page or other input or query fields
2. Test using single quotes
3. Use SELECT to retrieve data, or use an automated tool: Absinthe

How it works:

Slide 4: The Purpose of SQL Injection

- Identifying vulnerabilities
- Database fingerprinting
- Determining the database schema
- Extracting / adding / modifying data
- Performing DoS
- Evading detection
- Bypassing authentication
- Executing remote commands
- Performing privilege escalation
- Installing malware

Slide 5: SQL Injection Countermeasures

- Practice defensive coding
- Change the default admin login information
- Disable the default admin login account
- Validate / sanitize user input
- Use strong firewall rules
- Block ports: 1434 (SQL & mysql); 1521-1530 (Oracle)
- Don't display error messages
- Remove stored procedures; use prepared statements instead
- Session encryption

Slide 6: SQL Injection Countermeasures (continued)

Use escape functions:
- escapeshellcmd(): decreases the risks involved in allowing user input to be passed to the shell
- escapeshellarg(): converts a scalar value into a single-quote-delimited string
- mysql_real_escape_string(): sanitizes data before sending it to MySQL
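An added example, not part of the original slides, tying together slide 3's "test using single quotes" step and slide 5's "don't display error messages" and "use prepared statements" advice: the same login lookup built by string concatenation and as a prepared statement, run against a constructed in-memory SQLite table (the login_vulnerable, login_safe and quote_probe_breaks_query names are assumptions for this example).

```python
# Added example (not from the slides): why a stray single quote reveals a
# SQL injection flaw, and why a prepared statement closes it.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Slide 2's flaw: user data is pasted into the SQL text unvalidated,
    so a quote in the input changes the grammar of the statement."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Slide 5's fix: a prepared statement binds values separately, so a
    quote stays ordinary character data and never reaches the parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def quote_probe_breaks_query(conn: sqlite3.Connection, login_fn) -> bool:
    """Slide 3's test: submit a lone single quote. True means the database
    raised a syntax error, i.e. the input reached the SQL parser. That
    error text is exactly what slide 5 says must not be shown to users."""
    try:
        login_fn(conn, "alice", "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("valid login (safe):", login_safe(db, "alice", "correct horse"))
    print("quote breaks concatenated query:",
          quote_probe_breaks_query(db, login_vulnerable))
    print("quote breaks prepared statement:",
          quote_probe_breaks_query(db, login_safe))
```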

Slide 7: Buffer Overflows

How it works:

Slide 8: Buffer Overflows

Types:
- Stack based: static locations for memory address space
- Heap based: dynamic memory address spaces

Countermeasures:
- IDS should look for NOP (No Operation) instructions
- Don't use C or C++ functions that don't provide argument checking (C & C++ leave data integrity checking to the programmer), e.g. strcpy(), strcat(), streadd()
- Use functions that check buffer size, e.g. strncpy()
- Do use Java, Perl, or Lisp
