Welcome to Blackhat!
Blackhat Security Briefings
New Orleans - Feb 2002
Timothy M. Mullen, AnchorIS.Com, Inc.
Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; [email protected]
Web Vulnerability and SQL Injection Countermeasures
Securing your servers from the most insidious of attacks:
The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas.
Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack.
Session Overview
Part I:
∙ Vulnerabilities
Client-side HTML, URL Manipulation, SQL Injection
∙ Countermeasures
Input Validation, Data Sanitation, Variable Typing, Procedure Structure, Permissions and ACL’s.
Part II:
∙ Live Demos highlighting real-world sites with different issues, participant involvement and brainstorming (Time Permitting)
Part I
Vulnerabilities
∙ Client-side HTML
∙ URL Manipulation
∙ SQL Injection
Countermeasures
∙ Implementation/Setup
∙ Input Validation
∙ Data Sanitation
∙ Variable Typing
∙ Procedure Structure
∙ Permissions and ACL’s
Vulnerabilities – Session Demos
Client-side HTML Issues
∙ Web Forms
∙ Input/Select controls
∙ Hidden Fields
URL Manipulation
∙ Editing the URL
∙ Session variables
∙ Cookies
SQL Injection
∙ The possibilities are endless!
Countermeasures – Session Demos
Implementation and Setup
∙ ADODB Connection Strings and DSN’s
∙ ODBC Error reporting
∙ Custom error pages
Countermeasures – Session Demos
Input Validation
∙ Consider ALL input EVIL!
∙ Querystring count checking
∙ Data Type Validation
∙ Value/Length Checking
∙ Extents/Boundary Checking
∙ Host submission limits per unit of time
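Added example (not part of the slide deck): a Python gate that applies the checks listed on this slide to a constructed querystring. The parameter names `id`, `qty` and `sort`, their bounds, and the five-per-minute host limit are assumptions for illustration, and the standard library's `parse_qs` stands in for the ASP `Request.QueryString` collection the talk targets.

```python
"""Querystring input-validation gate: count, type, length, extents and a
per-host submission limit.  Added example, not code from the talk; the
parameter names, bounds and limits below are assumed for illustration."""
import re
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs

# Assumed request shape: exactly these parameters, each exactly once.
SCHEMA = {
    "id":   {"type": int, "min": 1, "max": 2_147_483_647},   # fits a SQL int
    "qty":  {"type": int, "min": 1, "max": 99},
    "sort": {"type": str, "maxlen": 10, "pattern": re.compile(r"[a-z_]+")},
}

# Host submission limit per unit of time: MAX_HITS requests per WINDOW seconds.
MAX_HITS = 5
WINDOW = 60.0
_hits = defaultdict(deque)   # host -> timestamps of recently accepted requests


def allow_host(host, now=None):
    """Sliding-window limiter; returns False once a host exceeds MAX_HITS."""
    now = time.monotonic() if now is None else now
    recent = _hits[host]
    while recent and now - recent[0] > WINDOW:
        recent.popleft()                     # forget hits outside the window
    if len(recent) >= MAX_HITS:
        return False
    recent.append(now)
    return True


def validate_query(raw_qs):
    """Return typed values for a well-formed querystring, else raise ValueError."""
    params = parse_qs(raw_qs, keep_blank_values=True)
    # Querystring count checking: no extra, missing or repeated parameters.
    if set(params) != set(SCHEMA):
        raise ValueError("unexpected or missing parameters: %s"
                         % sorted(set(params) ^ set(SCHEMA)))
    clean = {}
    for name, rule in SCHEMA.items():
        values = params[name]
        if len(values) != 1:
            raise ValueError("%s supplied %d times" % (name, len(values)))
        value = values[0]
        if rule["type"] is int:
            # Data type validation before conversion, then extents checking.
            if not re.fullmatch(r"-?\d{1,10}", value):
                raise ValueError("%s is not an integer" % name)
            number = int(value)
            if not rule["min"] <= number <= rule["max"]:
                raise ValueError("%s out of range" % name)
            clean[name] = number
        else:
            # Value/length checking, then an allow-list of characters.
            if len(value) > rule["maxlen"]:
                raise ValueError("%s too long" % name)
            if not rule["pattern"].fullmatch(value):
                raise ValueError("%s contains disallowed characters" % name)
            clean[name] = value
    return clean


def check_request(host, raw_qs, now=None):
    """Full gate: (True, typed values) or (False, reason)."""
    if not allow_host(host, now):
        return False, "submission limit exceeded for host"
    try:
        return True, validate_query(raw_qs)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample requests: one good, the rest malformed in one way each.
    samples = [
        "id=42&qty=3&sort=name",
        "id=42&qty=3&sort=name&debug=1",   # extra parameter
        "id=42&id=7&qty=3&sort=name",      # repeated parameter
        "id=42'&qty=3&sort=name",          # stray quote in a numeric field
        "id=42&qty=500&sort=name",         # out of range
    ]
    for qs in samples:
        print(qs, "->", check_request("10.0.0.1", qs))
```

The order matters: the count check runs before any per-field work, so an unexpected parameter is rejected without being parsed, and numeric fields are matched against a digit pattern before `int()` is ever called, so a stray quote never reaches the database layer.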
Countermeasures – Session Demos
Data Sanitation
∙ REPLACE function
∙ RegExp function
∙ Custom functions / explicit declarations
Countermeasures – Session Demos
Variable Typing
∙ Command object
∙ Parameter declaration
∙ Command type declaration
∙ Execute as methods
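Added example, not from the talk, covering the Data Sanitation and Variable Typing slides together: the same customer lookup written three ways in Python against an in-memory sqlite3 database so it runs offline (the talk's own setting is ASP pages over ADODB and SQL Server). The `Customers` table, its columns and its rows are constructed; `lookup_typed` uses the DB-API parameter marker as the analogue of an ADODB `Command` with a declared `Parameter`.

```python
"""One customer lookup built three ways: raw concatenation (the problem),
REPLACE/RegExp sanitation (the Data Sanitation slide) and a typed
parameter (the Variable Typing slide).  Added example, not the talk's
code; the Customers table and its rows are constructed."""
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustID INTEGER PRIMARY KEY,"
                 " UserName TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "o'brien", "obrien@example.test"),
    ])
    return conn


def lookup_concat(conn, username):
    """Concatenation: a quote in the value closes the literal and the rest
    of the input is parsed as SQL.  Kept here only as the 'before' case."""
    sql = "SELECT UserName FROM Customers WHERE UserName = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def replace_quotes(value):
    """REPLACE function: the VBScript Replace(s, "'", "''") idiom, which
    keeps an embedded quote inside the string literal."""
    return value.replace("'", "''")


def strip_disallowed(value, disallowed=r"[^A-Za-z0-9_@.'-]"):
    """RegExp function: drop every character outside an allow-list.  The
    apostrophe is kept so legitimate names such as o'brien survive."""
    return re.sub(disallowed, "", value)


def lookup_sanitized(conn, username):
    """Sanitation applied before concatenation; still string-built SQL."""
    safe = replace_quotes(strip_disallowed(username))
    sql = "SELECT UserName FROM Customers WHERE UserName = '" + safe + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_typed(conn, username):
    """Variable typing: the value travels as a bound parameter, the way an
    ADODB Command sends a declared Parameter; it is never parsed as SQL."""
    sql = "SELECT UserName FROM Customers WHERE UserName = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien", "' OR '1'='1"):
        try:
            concat = lookup_concat(db, name)
        except sqlite3.OperationalError as exc:
            concat = "SQL error: %s" % exc
        print("%-14r concat=%s sanitized=%s typed=%s" % (
            name, concat, lookup_sanitized(db, name), lookup_typed(db, name)))
```

The concatenated form fails in both directions: the legitimate name `o'brien` produces a syntax error, and a quoted condition widens the result set to every row. Quote doubling repairs both for this one query, but the statement is still assembled from text, so every new page has to remember to call it; the bound parameter removes that burden, which is why the slide's Command/Parameter approach is the one to standardise on.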
Countermeasures – Session Demos
SQL Stored Procedure Structure
∙ Use stored procedures whenever possible
∙ Type cast variables
∙ Create and use Views as table sources
∙ Avoid “Select *” statements for performance as well as security
∙ sp_executeSQL procedure for ad hoc queries
Countermeasures – Session Demos
Permissions and ACL’s
∙ Open views, but lock down tables
∙ Use groups
∙ Lock down or remove xp_cmdshell, xp_sendmail
∙ SQL Service context
∙ Integrated/Mixed security
Part II
Live Web Demos and Feedback
∙ Expose potentially insecure implementations of web applications
∙ Discuss potential vulnerabilities and exploits
∙ Mitigation and Prevention
Web Vulnerabilities – Live Demos
Real-world web application issues and feedback
Discussion
THANK YOU!
Additional Resources:
http://www.hammerofgod.com
emailto:[email protected]
http://www.securityfocus.com
http://www.sqlsecurity.com
http://heap.nologin.net/aspsec.html
http://security.devx.com/bestdefense/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/database.asp