CHAPTER 9: Attacking Applications: SQL Injection & Buffer Overflows
SQL Injection & Buffer Overflow (AKA: Code Injection)
Common issues:
- Both are used to attack applications
- Both are generally caused by programming flaws
- Both are usually delivered via a user input field
- Both are caused by invalid parameters (input that is not verified)
Countermeasures for both: utilize secure programming methods
SQL Injection
Occurs when an app processes user-provided data to create an SQL statement without first validating the input.
The attacker can read or modify a database by compromising the meaning of the original query.
Results:
1. Attacker gets to remotely execute system commands, or
2. Attacker takes control of the database server
Finding a SQL Injection Vulnerability
1. Search for websites with a login page or other input or query fields
2. Test using single quotes
3. Use SELECT to retrieve data, or use an automated tool: Absinthe
http://www.youtube.com/watch?v=Aotphk1sOAQ
http://www.youtube.com/watch?v=_Bh1_-wg-ok
Why it works: http://www.youtube.com/watch?v=AhTfo6pWBIM
The Purpose of SQL Injection
- Identifying vulnerabilities
- Database finger-printing
- Determine database schema
- Extract / add / modify data
- Perform DoS
- Evade detection
- Bypass authentication
- Execute remote commands
- Perform privilege escalation
- Install malware
SQL Injection Countermeasures
- Practice defensive coding
- Change default admin login information
- Disable the default admin login account
- Validate / sanitize user input
- Use strong firewall rules
- Block ports: 1434 (SQL & MySQL); 1521-1530 (Oracle)
- Don't display error messages
- Remove stored procedures; use prepared statements instead
- Session encryption
SQL Injection Countermeasures
Use escape commands:
- escapeshellcmd(): decreases the risks involved in allowing user input to be passed to the shell
- escapeshellarg(): converts a scalar value into a single-quote delimited string
- mysql_real_escape_string(): sanitizes data before sending it to MySQL
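Added example (not part of the original slides) showing why the single-quote test works and why prepared statements are the recommended countermeasure: the same login check is built once by string concatenation and once with bound parameters, against a constructed in-memory SQLite table. The table, user names and password are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user, used only for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so user input becomes SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_prepared(conn, username, password):
    """Prepared statement: the SQL text is fixed, input is bound as data only."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def single_quote_breaks_query(conn, login_fn):
    """Step 2 of the slides: a lone single quote causes a parse error only when
    the input is spliced into the statement text. A parameterized query just
    treats it as a (non-matching) username."""
    try:
        login_fn(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # The classic authentication bypass: the injected OR makes the WHERE clause
    # always true for the concatenated query, but is just a wrong password for
    # the prepared one.
    bypass = "' OR '1'='1"
    print("concatenated:", login_vulnerable(db, "alice", bypass))  # True
    print("prepared:    ", login_prepared(db, "alice", bypass))    # False
```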
Buffer Overflows
http://www.youtube.com/watch?v=7LDdd90aq5Y
How it works: http://www.youtube.com/watch?v=kZZgNnhxA_4
http://www.youtube.com/watch?v=diKNfnY76z8
http://www.youtube.com/watch?v=AlgwqMH3Uss
Buffer Overflow Types
- Stack based: static locations in the memory address space
- Heap based: dynamic memory address spaces
Countermeasures:
- IDS should look for NOP (No Operation) instructions
- Don't use C or C++ functions that don't provide argument checking (C & C++ leave data integrity checking to the programmer), e.g. strcpy(), strcat(), streadd()
- Use functions that check buffer size, e.g. strncpy()
- DO use: Java or Perl or Lisp