SQL Injection (Most common Injection Flaw) From Rich Helton’s October 2010 C# Web Security

Sql Injection and Entity Frameworks

Page 1: Sql Injection and Entity Frameworks

SQL Injection (Most common Injection Flaw)

From Rich Helton’s October 2010 C# Web Security

Page 2: Sql Injection and Entity Frameworks

Intro to SQL Injection…

Many web pages communicate directly to a backend database for processing.

For example, a username and password is asked for on the Web page and the web page will pass it to the database to validate the information.

Some applications will not validate the field adequately before passing it to the database, and the database will process whatever it will receive.

Hackers will pass SQL commands directly to the database, and in some cases tables like “passwords” are returned because the SQL commands are not being filtered adequately.

SQL may return errors in the web page that even list the correct tables to query, so that the hacker can make more accurate attempts to get data.

Page 3: Sql Injection and Entity Frameworks

SQL Injection

SQL Injection is the ability to inject malicious SQL commands into the backend code.

For example:

SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'

Passing ' OR 1=1-- in the USRTEXT field generates:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'PASSTEXT'

The OR 1=1 returns true and the rest is commented out.

Page 4: Sql Injection and Entity Frameworks

ASP.NET Hacme Bank (Let’s try it)

Page 5: Sql Injection and Entity Frameworks

ASP.NET Hacme Bank (Authentication without username/password)

Page 6: Sql Injection and Entity Frameworks

Types of SQL Injection…

There are really two types of SQL injection, “Blind” SQL Injection and “Directed” SQL Injection.

Blind SQL Injection is performed when a hacker passes SQL commands into the web form and generic errors are returned to the user, for instance a “404” Error page or page not found. The hacker has to make more extensive guesses on the database behind the web server.

Directed SQL Injection is when the web server returns SQL errors to the user that give information about the table that had an issue processing the SQL command. Some web pages may return “users.password table incorrect SQL query”, which gives the hacker the name of the database object to launch the attack against.

Page 7: Sql Injection and Entity Frameworks

Common attack strings

' or 27 (hex) – delineates SQL string values.
" or 22 (hex) – also delineates SQL string values.
; or 3B (hex) – terminates statements.
# or 23 (hex) – also terminates a statement (Access DB).
/* or 2F2A (hex) – comment delimiter.
-- or 2D2D (hex) – also a comment delimiter.
( or 28 (hex) or ) or 29 (hex) – logical sub clauses.
{ or 7B (hex) or } or 7D (hex) – terminates a question.
exec – used to call MS-SQL stored procedures.

union – a SQL command very common to SQL injection.

Page 8: Sql Injection and Entity Frameworks

HackmeBooks SQL Injection (shows org.hsqldb.jdbc connection)

Page 9: Sql Injection and Entity Frameworks

HackmeBooks SQL Injection (attacking)

HSQLDB uses a SHUTDOWN statement to shut down the database. Since the SEARCH field passes straight SQL commands, typing ';+SHUTDOWN;-- into it produces '%'; SHUTDOWN; --%' in the SQL statement, thus shutting down the database:

The session is now closed because we shut down the database:

Page 10: Sql Injection and Entity Frameworks

Real life example

Start by identifying the SQL Server version, table name and fields in the error page:

We see that it is SQL Server, and that an “id” field goes into the “business.dbo.urltracking” table. An attacker can now try inserting into the table.

Page 11: Sql Injection and Entity Frameworks

Common fixes to SQL Injection…

SQL Injection is caused by “Dynamic SQL” with unconstrained validation.

Constrain the validation to not pass SQL commands to Dynamic SQL.

Use Stored Procedures.

Use Parameterized, or Prepared statements.

Use newer technology frameworks that are built using Parameterized statements like NHibernate and Spring.NET.

Use the ADO.NET Entity framework.
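The login query from page 3 and the parameterized fix from this list, side by side as an added example (not from the slides; written in Python with sqlite3 as a stand-in for the ADO.NET SqlCommand pattern, and the users table and its single row are constructed sample data):

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, in memory, so it runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_dynamic_sql(conn: sqlite3.Connection, username: str, password: str) -> int:
    """The page 3 pattern: input concatenated into the statement ("Dynamic SQL").
    Returns the number of rows matched; anything above zero would log the user in."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return len(conn.execute(sql).fetchall())


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> int:
    """The page 11 fix: placeholders are bound by the driver, so a quote or a
    -- comment marker inside the input stays data and never becomes SQL syntax
    (the same idea as SqlCommand.Parameters in ADO.NET)."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall())


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1--"  # the page 3 string; -- comments out the password check
    print("dynamic SQL rows matched:", login_dynamic_sql(db, attack, "wrong"))
    print("parameterized rows matched:", login_parameterized(db, attack, "wrong"))
```

With the page 3 input the dynamic version matches the whole table, while the parameterized version matches nothing because the input is compared as a literal username.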

Page 12: Sql Injection and Entity Frameworks

Stored Procedures

A stored procedure is a precompiled subroutine that is stored in the data dictionary for use by applications accessing the SQL Server.

A sample stored procedure for exec sp_GetInventory 'FL':

Page 13: Sql Injection and Entity Frameworks

Hacking Stored Procedures

Stored procedures can be just as dangerous as SQL Injection, if not properly configured.

One of the most dangerous stored procs in SQL Server is the default xp_cmdshell.

If you have admin permissions with SQL Server, you can try this simple example: exec master..xp_cmdshell 'dir c:\'

Extending this feature, dynamic SQL may allow, in the username form: MyUsername; exec xp_cmdshell '"echo open 192.168.10.12" >> c:\hack.txt';

See http://www.informit.com/articles/article.aspx?p=30124&seqNum=3 for an example attack.

Page 14: Sql Injection and Entity Frameworks

Stored Procedure Hacks (Who’s hacking them? From SANS)

Page 15: Sql Injection and Entity Frameworks

Entity Framework

With the ADO.NET Entity Framework, Visual Studio can be used to create Entity Relationship Models (ERM) in order to create a database.

Entity Framework is part of .NET 4 and is often referred to as EF4.

Page 16: Sql Injection and Entity Frameworks

Entity Framework (Generate from DB)

Page 17: Sql Injection and Entity Frameworks

Entity Framework (Selecting ADO.NET in VS 2010)

Page 18: Sql Injection and Entity Frameworks

A Sample Entity Framework (Model1.edmx with the VS Model Browser)

Changes made to the model can propagate to the Database.

Page 19: Sql Injection and Entity Frameworks

Another Example (Has all the details of the data)

Page 20: Sql Injection and Entity Frameworks

A Database can be generated

Page 21: Sql Injection and Entity Frameworks

Customize the code generated by the Entity Designer with T4 (.tt) templates

T4 is the Text Template Transformation Toolkit, a means for creating code-generated artifacts. T4 works from a .tt file, which looks like ASP classic syntax with the brackets. The .tt file is the Text Template file that generates the background C# code from the Entity Model. Click on the model .edmx file and select “Add Code Generation File…”

Page 22: Sql Injection and Entity Frameworks

Use a T4 Editor to highlight code

VS 2010 does not come with a T4 Visual Editor, so a plugin needs to be installed to offer IntelliSense. For VS 2010, I use the plugin at http://t4-editor.tangible-engineering.com

To

Page 23: Sql Injection and Entity Frameworks

T4 Editor

The .tt is just the template to generate the underlying .cs (C#) file:

Page 24: Sql Injection and Entity Frameworks

PEM

Microsoft’s Portable Extension Metadata, a subset of schema metadata, can be installed to add validation to the Entity Model and its entities: http://visualstudiogallery.msdn.microsoft.com/en-us/e6467914-d48d-4075-8885-ce5a0dcb744d

Page 25: Sql Injection and Entity Frameworks

PEM

After installing PEM, validation not only shows up in the properties, but code for it can also be generated through T4.

Page 26: Sql Injection and Entity Frameworks

PEM

PemValidation.cs with the Validate method for Employee:

Page 27: Sql Injection and Entity Frameworks

Object-Relational Mapping (ORM)

NHibernate, the .NET version of Hibernate, can be used as an object-relational mapping (ORM) and persistence framework that allows you to map .NET objects to relational database tables using (XML) configuration files. Its purpose is to relieve the developer of a significant amount of relational data persistence-related programming tasks.

The main advantage of Hibernate is that it maps database entities to objects and hides the details of the data access from the business logic.

Hibernate uses prepared statements, so it is protected from direct SQL injection, but it could still be vulnerable to injected HQL statements, which are more complex to execute.

Page 28: Sql Injection and Entity Frameworks

Sample Customer Mapping

Page 29: Sql Injection and Entity Frameworks

NHibernate Validator

NHibernate has its own Validator plugin: http://nhforge.org/wikis/validator/nhibernate-validator-1-0-0-documentation.aspx . This validator (or constraint) will not only validate the values but can also validate the size of the data before it is persisted. Sample constraint annotations:

using NHibernate.Validator.Constraints;

public class Address {
    [NotNull]
    private string name; // Cannot be null

    [NotNull]
    [Length(Max = 5, Message = "{long}")]
    [Pattern(Regex = "[0-9]+")] // Regex for Digits
    private string zip; // 5 digits
}

Page 30: Sql Injection and Entity Frameworks

Recommendations

It is recommended to validate the data at the entity level, just in case the Front End is compromised. ORMs not only make coding data access to the Database easier, by not using SQL in multiple places, but also alleviate many of the Dynamic SQL issues.
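An added example, not NHibernate Validator's code, of what enforcing the page 29 Address constraints at the entity level looks like in plain Python: the per-field rules mirror the slide's [NotNull], [Length(Max = 5)] and [Pattern(Regex = "[0-9]+")] attributes, the Address values are constructed, and the pattern check is treated as a full match (an assumption made here, not a statement about NHibernate's semantics).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One rule per field: (not_null, max_length, regex). Constructed to mirror the
# slide's [NotNull], [Length(Max = 5)] and [Pattern(Regex = "[0-9]+")] attributes.
Rule = Tuple[bool, Optional[int], Optional[str]]
ADDRESS_RULES: Dict[str, Rule] = {
    "name": (True, None, None),
    "zip": (True, 5, r"[0-9]+"),
}


@dataclass
class Address:
    name: Optional[str]
    zip: Optional[str]


def validate(entity: object, rules: Dict[str, Rule]) -> List[str]:
    """Return the list of constraint violations; an empty list means the entity
    may be persisted. It runs on the entity itself, so it still applies when the
    front-end checks were bypassed (the page 30 recommendation)."""
    errors: List[str] = []
    for field, (not_null, max_len, regex) in rules.items():
        value = getattr(entity, field)
        if value is None:
            if not_null:
                errors.append(f"{field}: may not be null")
            continue  # the size and pattern checks only apply to present values
        if max_len is not None and len(value) > max_len:
            errors.append(f"{field}: longer than {max_len} characters")
        # fullmatch is assumed here: the whole value must be digits
        if regex is not None and re.fullmatch(regex, value) is None:
            errors.append(f"{field}: does not match {regex}")
    return errors


def save_if_valid(entity: object, rules: Dict[str, Rule], store: List[object]) -> bool:
    """Persist only when validation passes; 'store' stands in for the ORM session."""
    if validate(entity, rules):
        return False
    store.append(entity)
    return True
```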