SQL Injection PPT

Embed Size (px)

DESCRIPTION

Helps to understand sql attacks on web browser

Text of SQL Injection PPT

Vidya Pratisthans College of Engineering, BaramatiA Seminar on SQL INJECTION

Presented by MANJIRI JACHAK TEITUnder the guidance of Mr. YOGESH KHALATE1

TOPICS1. 2. 3. WHAT IS SQL? WHAT IS SQL INJECTION? HOW COMMON IS IT? & ITS VULNERABLE APPLICATIONS.. 4. SQL INJECTION SCANNER 5. SQL INJECTION CHARACTERS 6. EVASION TECHNIQUE 7. DEFENDING AGAINST SQL INJECTION 8. CODE VERIFICATION 9. CONCLUSION 10. REFERENCES

2

What is SQL? SQL stands for Structured Query Language Allows us to access a database ANSI and ISO standard computer language The most current standard is SQL99 SQL can: insert new records in a database execute queries against a database delete records from a database retrieve data from a database update records in a database3

SQL is a Standard - but... There are many different versions of the SQL language They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others). Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard!4

SQL injection

What is SQL Injection?The ability to inject SQL commands

into the database enginethrough an existing application

5

SQL injection

How common is it? It is probably the most common Website vulnerability today! It is a flaw in "web application" development, it is not a DB or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo templates are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection6

SQL injection

Vulnerable Applications Almost all SQL databases and programming languages are potentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and APIs Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) many more7

SQL injection

SQL INJECTIONSCANNER

8

SQL injection

SQL injection scanner SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It takes place due to improper coding It allows SQL statements to pass through and query the database directly.9

Why is it possible to pass SQL queries directly to a database that is hidden behind a firewall and any other security mechanism?

SQL is, in fact, the only way that a web application (and users) can interact with the database. web application is hard coded with specific SQL queries If any input field of the web application is not properly sanitised, a hacker may inject additional SQL commands that broaden the range of SQL commands that the web application will execute, thus going beyond the original intended design and function. A hacker will thus have a clear channel of communication

10

System Architectural Design The System Architectural Design is as shown in the figure.It contains three important modules which are: 1. Spidering 2. Initial Analysis 3.Input Fuzzing

11

Mechanics of SQL Injection Scanner The scanner processes the URL of a starting page for the Web application and tries to find all pages that are part of that application. This process is called spidering. The completed spidering process leads to a list of pages that are going to be analyzed. The scanner tries to identify the input vectors of the pages such as forms, request parameters and cookies.

Finally, every input vector of every page is bombarded with a variety of attack patterns often referred to as input fuzzing and the resulting pages are scanned for indications of vulnerability.12

How does SQL Injection work?Common vulnerable login querySELECT * FROM users WHERE login = 'victor' AND password = '123'

(If it returns something then login!) ASP/MS SQL Server login syntaxvar sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";13

SQL injection

Injecting through Stringsformusr = ' or 1=1 formpwd = anythingFinal query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1

AND password = 'anything'14

SQL injection

SQL Injection Characters ' or " character String Indicators -- or # single-line comment /**/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay

15

EVASION TECHNIQUES

16

SQL injection

Evasion Techniques Input validation circumvention and Signature Evasion techniques are very similar Snort based detection of SQL Injection is partially possible but relies on "signatures" Signatures can be evaded easily

17

SQL injection

Signature EvasionsEvading ' OR 1=1 signature ' OR 'unusual' = 'unusual' ' OR 'something' = 'some'+'thing' ' OR 'text' = N'text' ' OR 'something' like 'some%' ' OR 2 > 1 ' OR 'text' > 't' ' OR 'whatever' IN ('whatever') ' OR 2 BETWEEN 1 AND 3

18

SQL injection

Input validation Some people use PHP addslashes() function to escape characters single quote (') double quote (") backslash (\) NUL (the NULL byte)

This can be easily evaded by using replacements for any of the previous characters in a numeric field

19

DEFENDING AGAINST SQL INJECTION

20

SQL injection

SQL Injection Defense1. It is quite simple: input validation 2. The real challenge is making best practices consistent through all your code Enforce "strong design" in new applications You should audit your existing websites and source code21

3. Even if you have an air tight design,

harden your servers

SQL injection

1.Input Validation Define data types for each field Implement stringent "allow only good" filters If the input is supposed to be numeric, use a numeric variable in your script to store it

Reject bad input rather than attempting to escape or modify it Implement stringent "known bad" filters For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"22

SQL injection

2.Strong Design Define an easy "secure" path to querying data Use stored procedures for interacting with database Call stored procedures through a parameterized API Validate all input through generic routines Use the principle of "least privilege" Define several roles, one for each kind of query23

SQL injection

3.Harden the Server1. Run DB as a low-privilege user account 2. Remove unused stored procedures and functionality or restrict access to administrators 3. Change permissions and remove "public" access to system objects 4. Audit password strength for all user accounts 5. Remove pre-authenticated linked servers 6. Remove unused network protocols 7. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)24

CODE VERIFICATION

25

SQL injection

Code verification at two stages How do you ensure your development staff do not make any mistakes?

1. Audit: review the source code of theprogram (a programmers point of view)

2. Assess: conduct penetration test on theprogram (a hackers point of view)

26

SQL injection

1.Source Code Auditing The simplest way to do a source code auditing is probably by using the editors search function. For example, to check if a Java program is vulnerable to SQL injection attack, we could search for execute(), prepareStatement() and prepareCall(), and then back trace the formation of their corresponding input query string to see if they contains unchecked/unescaped user input.

27

SQL injection

2.Assessing web application Hack (Assess) your own web application Can be done manually or automatically Manually assess the web application by input or 1=1 - or input 1 union .., and check if the web application behaviour will be affected by these unexpected input.

28

Conclusion SQL Injection is a fascinating and dangerous vulnerability All programming languages and all SQL databases are potentially vulnerable Protecting against it requires strong design correct input validation hardening29

THANK YOU!!

30

REFERENCES1. http://www.securityfocus.com/infocus/1768 2.http://www.extropia.com/tutorials/sql/toc.html 3.http://www.google.com/sqlinjection 4.http://www.owasp.org 5. http://www.sqlsecurity.com

31

Questions ?

32