Vidya Pratisthan’s College of Engineering, Baramati
A Seminar on “SQL INJECTION”
Presented by MANJIRI JACHAK
TEIT
Under the guidance of Mr. YOGESH KHALATE
TOPICS
1. WHAT IS SQL?
2. WHAT IS SQL INJECTION?
3. HOW COMMON IS IT? & ITS VULNERABLE APPLICATIONS
4. SQL INJECTION SCANNER
5. SQL INJECTION CHARACTERS
6. EVASION TECHNIQUES
7. DEFENDING AGAINST SQL INJECTION
8. CODE VERIFICATION
9. CONCLUSION
10. REFERENCES
What is SQL?
• SQL stands for Structured Query Language
• Allows us to access a database
• ANSI and ISO standard computer language
  – The standard is revised periodically: SQL:1999 was followed by SQL:2003, SQL:2008, SQL:2011, SQL:2016 and SQL:2023
• SQL can:
  – insert new records in a database
  – execute queries against a database
  – delete records from a database
  – retrieve data from a database
  – update records in a database
SQL is a Standard - but...
• There are many different versions of the SQL language
• They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others)
• Most SQL database programs also have their own proprietary extensions in addition to the SQL standard!
What is SQL Injection?
The ability to inject SQL commands into the database engine through an existing application: user input that the application splices into its query text is parsed as SQL rather than treated as data.
SQL injection
How common is it?
• It is one of the most common web application vulnerabilities (injection has headed the OWASP Top 10 for years)
• It is a flaw in web application development; it is not a DB or web server problem
  – Most programmers are still not aware of this problem
  – A lot of the tutorials & demo "templates" are vulnerable
  – Even worse, a lot of solutions posted on the Internet are not good enough
• In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection
Vulnerable Applications
• Almost all SQL databases and programming languages are potentially vulnerable
  – MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
  – Perl and CGI scripts that access databases
  – ASP, JSP, PHP
  – XML, XSL and XSQL
  – Javascript
  – VB, MFC, and other ODBC-based tools and APIs
  – DB-specific web-based applications and APIs
  – Reports and DB applications
  – 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
  – many more
SQL INJECTION SCANNER
SQL injection scanner
• SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations.
• It takes place due to improper coding: user input is concatenated into SQL statements instead of being passed to the database as data.
• It allows attacker-supplied SQL statements to pass through the application and query the database directly.
Why is it possible to pass SQL queries directly to a database that is hidden behind a firewall and any other security mechanism?
• SQL is, in fact, the only way that a web application (and users) can interact with the database.
• The web application is hard coded with specific SQL queries. If any input field of the web application is not properly sanitised, a hacker may inject additional SQL commands that broaden the range of SQL commands that the web application will execute, thus going beyond the original intended design and function.
• A hacker will thus have a clear channel of communication
System Architectural Design
• The System Architectural Design is as shown in the figure. It contains three important modules, which are:
  1. Spidering
  2. Initial Analysis
  3. Input Fuzzing
Mechanics of SQL Injection Scanner
• The scanner processes the URL of a starting page for the Web application and tries to find all pages that are part of that application. This process is called spidering.
• The completed spidering process leads to a list of pages that are going to be analyzed. The scanner tries to identify the input vectors of the pages, such as forms, request parameters and cookies.
• Finally, every input vector of every page is "bombarded" with a variety of attack patterns (often referred to as input fuzzing), and the resulting pages are scanned for indications of vulnerability: database error messages, or responses that differ from the page returned for a benign value.
How does SQL Injection work?
Common vulnerable login query:
SELECT * FROM users WHERE login = 'victor' AND password = '123'
(If it returns something then login!)
ASP/MS SQL Server login syntax:
var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";
Injecting through Strings
formusr = ' or 1=1 --
formpwd = anything
Final query would look like this:
SELECT * FROM users
WHERE login = '' or 1=1 -- ' AND password = 'anything'
The first quote closes the empty login literal, "or 1=1" makes the WHERE clause true for every row, and "--" turns the rest of the statement (including the password check) into a comment. The query returns every user, and the application typically logs in as the first row, often an administrator.
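The login shown above, run end to end against a small in-memory SQLite table. This is an added example and not code from the original slides; the table contents and the account names are constructed for the demonstration. It shows the slide's tautology payload, a variant that logs in as a chosen account, and the parameterized form of the same query, which the payloads do not affect.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the slides): two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("victor", "123"), ("admin", "s3cret")])
    return conn


def login_vulnerable(conn, formusr, formpwd):
    """Same construction as the ASP snippet: the form fields are glued into
    the SQL text, so a quote in formusr ends the literal and the rest of the
    field is parsed as SQL.  Returns the matching rows (non-empty == logged in)."""
    sql = ("SELECT * FROM users WHERE login = '" + formusr
           + "' AND password = '" + formpwd + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, formusr, formpwd):
    """The fix: the query text is constant and the driver binds the values,
    so quotes and comment markers stay inside the data."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (formusr, formpwd)).fetchall()


def demo():
    """Run the slide's payload and a targeted variant against both versions."""
    conn = make_db()
    return {
        "normal": login_vulnerable(conn, "victor", "123"),
        # ' or 1=1 --  : the comment marker discards the password check
        "tautology": login_vulnerable(conn, "' or 1=1 --", "anything"),
        # admin' --    : log in as a chosen account without its password
        "as_admin": login_vulnerable(conn, "admin' --", "anything"),
        # the same tautology payload against the parameterized query
        "parameterized": login_parameterized(conn, "' or 1=1 --", "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The "as_admin" case is the one a tester should remember: the attacker does not need the password check to be true for everyone, only for the account they name before the comment marker.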
SQL Injection Characters
' or "                   string indicators
-- or #                  single-line comment
/*…*/                    multiple-line comment
+                        addition, concatenate (or space in URL)
|| (double pipe)         concatenate
%                        wildcard attribute indicator
?Param1=foo&Param2=bar   URL parameters
PRINT                    useful as non-transactional command
@variable                local variable
@@variable               global variable
waitfor delay '0:0:10'   time delay
Several of these are dialect specific: PRINT, @variable, @@variable, WAITFOR DELAY and + for string concatenation belong to MS SQL Server; # comments are MySQL; || concatenation is Oracle, PostgreSQL and SQLite. Identify the back-end engine first, then pick the matching spellings.
EVASION TECHNIQUES
Evasion Techniques
• Input validation circumvention and signature evasion techniques are very similar
• Snort-based detection of SQL Injection is partially possible but relies on "signatures"
• Signatures can be evaded easily
Signature Evasions
Evading the ' OR 1=1 signature:
• ' OR 'unusual' = 'unusual'
• ' OR 'something' = 'some'+'thing'
• ' OR 'text' = N'text'
• ' OR 'something' like 'some%'
• ' OR 2 > 1
• ' OR 'text' > 't'
• ' OR 'whatever' IN ('whatever')
• ' OR 2 BETWEEN 1 AND 3
Every one of these is a condition that is always true, so it does the same job as 1=1 without containing the characters a signature looks for. The 'some'+'thing' and N'text' spellings are MS SQL Server syntax; other engines concatenate with || and have no N prefix.
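An added example (not from the original slides) that checks the claim above: a naive, constructed signature for the textbook payload is run over each variant, and each variant is also executed through a string-concatenated login query against a small constructed SQLite table. The signature fires only on the original payload, while every variant still matches all rows. The slide's two SQL Server spellings are adapted for SQLite as described in the comments.

```python
import re
import sqlite3

# Naive IDS-style signature for the textbook payload.  Constructed for this
# example; it is not an actual Snort rule.
NAIVE_SIGNATURE = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)

# The slide's variants, each followed by "--" so that the rest of the
# application's WHERE clause is commented out.  'some'+'thing' is written
# 'some'||'thing' for SQLite, and the N'text' variant is omitted because
# SQLite has no N prefix.
VARIANTS = [
    "' OR 1=1 --",                           # the signature's target
    "' OR 'unusual' = 'unusual' --",
    "' OR 'something' = 'some'||'thing' --",
    "' OR 'something' like 'some%' --",
    "' OR 2 > 1 --",
    "' OR 'text' > 't' --",
    "' OR 'whatever' IN ('whatever') --",
    "' OR 2 BETWEEN 1 AND 3 --",
]


def vulnerable_login(conn, formusr, formpwd="x"):
    """Login query built by concatenation, as on the earlier slide."""
    sql = ("SELECT * FROM users WHERE login = '" + formusr
           + "' AND password = '" + formpwd + "'")
    return conn.execute(sql).fetchall()


def evaluate(variants=VARIANTS):
    """For each payload: does the naive signature fire, and how many rows does
    the vulnerable query return?  Two rows means every account was matched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("victor", "123"), ("admin", "s3cret")])   # constructed data
    return [(p, bool(NAIVE_SIGNATURE.search(p)), len(vulnerable_login(conn, p)))
            for p in variants]


if __name__ == "__main__":
    for payload, flagged, rows in evaluate():
        print("%-42s signature=%-5s rows=%d" % (payload, flagged, rows))
```

The lesson for detection engineering is that a pattern on the payload text is racing the attacker's imagination; a signature on the effect (a login that returns more than one row, a query whose shape differs from the application's known statements) is far harder to evade.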
Input validation
• Some people use the PHP addslashes() function to escape characters
  – single quote (')
  – double quote (")
  – backslash (\)
  – NUL (the NULL byte)
• This can be easily evaded in a numeric field: a value such as 1 OR 1=1 contains none of those characters, so it passes through addslashes() unchanged and is spliced into the query without any quotes to escape
DEFENDING AGAINST SQL INJECTION
SQL Injection Defense
1. The basic rule is simple: validate input and keep it out of the query text (parameterized queries)
2. The real challenge is making best practices consistent through all your code
   – Enforce "strong design" in new applications
   – You should audit your existing websites and source code
3. Even if you have an air tight design, "harden your servers"
1. Input Validation
• Define data types for each field
  – Implement stringent "allow only good" filters
  – If the input is supposed to be numeric, use a numeric variable in your script to store it
  – Reject bad input rather than attempting to escape or modify it
• Implement stringent "known bad" filters only as a secondary layer
  – For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
  – A blocklist on its own is not sufficient: it rejects legitimate input such as the name O'Brien, and the signature evasions above show how easily keyword patterns are bypassed
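An added example (not from the original slides) covering both the addslashes() evasion from the Input validation slide and the "allow only good" versus "known bad" filters above. It uses a Python rendering of PHP addslashes(), a constructed product table in SQLite, and a hypothetical product-id field; the blocklist is the one listed on the slide.

```python
import re
import sqlite3


def addslashes(value):
    """Python rendering of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def make_db():
    """Constructed sample catalogue (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn


def product_escaped_only(conn, raw_id):
    """addslashes() is applied, but the field is numeric and is spliced in
    without quotes, so a payload with no quote characters passes untouched."""
    sql = "SELECT id, name FROM products WHERE id = " + addslashes(raw_id)
    return conn.execute(sql).fetchall()


# "Known bad" filter from the slide: a blocklist of keywords and characters.
BLOCKLIST = ("select", "insert", "update", "shutdown", "delete", "drop", "--", "'")


def known_bad(raw):
    low = raw.lower()
    return any(bad in low for bad in BLOCKLIST)


# "Allow only good" filter: the field's declared data type decides.
def validate_product_id(raw):
    """Accept only a short run of digits and return it as an int; anything
    else is rejected outright rather than escaped or modified."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("product id must be 1-9 digits")
    return int(raw)


def product_validated(conn, raw_id):
    pid = validate_product_id(raw_id)            # typed value, never raw text
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (pid,)).fetchall()  # and still parameterized


if __name__ == "__main__":
    conn = make_db()
    print("escaped only, benign :", product_escaped_only(conn, "2"))
    print("escaped only, payload:", product_escaped_only(conn, "2 OR 1=1"))
    print("blocklist on payload :", known_bad("2 OR 1=1"))
    print("blocklist on O'Brien :", known_bad("O'Brien"))
    print("validated, benign    :", product_validated(conn, "2"))
```

The two blocklist calls make the slide's point concrete: the list misses "2 OR 1=1" entirely while refusing a real surname. The typed allow-list has no such trade-off, and because the validated value is also bound as a parameter, a later change to the query text cannot silently reopen the hole.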
2. Strong Design
• Define an easy "secure" path to querying data
  – Use stored procedures for interacting with the database
  – Call stored procedures through a parameterized API
  – Validate all input through generic routines
  – Use the principle of "least privilege"
• Define several roles, one for each kind of query
• A stored procedure is only as safe as its body: one that builds dynamic SQL from its arguments (EXEC with a concatenated string) is injectable even when called through a parameterized API
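An added example (not from the original slides) of "one role per kind of query". SQLite has no GRANT, so the roles here are hypothetical and are enforced with the connection's authorizer hook; on a server RDBMS the same split is made with separate database accounts and GRANT statements. The schema and data are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Write actions that a role must be explicitly granted; everything else in
# this set is denied for the role.  Reads are always allowed.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE,
    sqlite3.SQLITE_DROP_TABLE,
}

# Hypothetical roles: the login path only reads, the profile path may update.
ROLE_WRITES = {
    "web_login": set(),
    "web_profile": {sqlite3.SQLITE_UPDATE},
}


def connect_as(role, path):
    """Open a connection that can only perform the role's permitted actions."""
    conn = sqlite3.connect(path)
    allowed = ROLE_WRITES[role]

    def authorizer(action, arg1, arg2, db_name, source):
        if action in WRITE_ACTIONS and action not in allowed:
            return sqlite3.SQLITE_DENY      # the statement fails at prepare time
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement and report 'allowed' or the denial message."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "allowed"
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)


def demo():
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    owner = sqlite3.connect(path)           # schema owner, used only for setup
    owner.execute("CREATE TABLE users (login TEXT, password TEXT, is_admin INTEGER)")
    owner.execute("INSERT INTO users VALUES ('victor', '123', 0)")  # constructed
    owner.commit()
    owner.close()

    login = connect_as("web_login", path)
    profile = connect_as("web_profile", path)
    results = {
        "login_select": login.execute(
            "SELECT login FROM users WHERE login = ?", ("victor",)).fetchall(),
        # an injected or buggy UPDATE reached through the login code path
        "login_update": attempt(login, "UPDATE users SET is_admin = 1"),
        "profile_update": attempt(
            profile, "UPDATE users SET password = ? WHERE login = ?", ("456", "victor")),
        "profile_drop": attempt(profile, "DROP TABLE users"),
    }
    login.close()
    profile.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Least privilege does not stop the injection itself, but it bounds the damage: a flaw in the login page cannot be turned into a privilege escalation, and the profile page cannot be turned into a table drop.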
3. Harden the Server
1. Run DB as a low-privilege user account
2. Remove unused stored procedures and functionality, or restrict access to administrators
3. Change permissions and remove "public" access to system objects
4. Audit password strength for all user accounts
5. Remove pre-authenticated linked servers
6. Remove unused network protocols
7. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)
CODE VERIFICATION
Code verification at two stages
• How do you ensure your development staff do not make any mistakes?
  1. Audit: review the source code of the program (a programmer's point of view)
  2. Assess: conduct a penetration test on the program (a hacker's point of view)
1. Source Code Auditing
• The simplest way to do a source code audit is probably by using the editor's "search" function.
• For example, to check if a Java program is vulnerable to SQL injection attack, we could search for execute(), executeQuery(), executeUpdate(), prepareStatement() and prepareCall(), and then back-trace the formation of their corresponding query strings to see if they contain unchecked/unescaped user input.
• A hit on prepareStatement() is not automatically safe: it is only safe when the SQL string passed to it is a constant and the values are bound with the setXxx() methods. A concatenated string passed to prepareStatement() is as injectable as one passed to execute().
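An added example (not from the original slides) that automates the "search, then back-trace" audit for Python source using the standard ast module. It finds calls to database sinks and classifies how the first argument was built, following a variable back to its assignment within the same function. The sink names, the classifications and the sample module it audits are all constructed for this example.

```python
import ast

# Attribute names treated as database sinks.  execute/executemany are the
# Python DB-API ones; the JDBC names from the slide are included so the same
# scan also covers Jython-style wrappers.
SINKS = {"execute", "executemany", "executescript",
         "prepareStatement", "prepareCall"}
_FUNC = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)


def _classify(node, assigns, seen=frozenset()):
    """Return None if the expression is a constant SQL string, otherwise a
    short reason describing how the query text is assembled."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    if isinstance(node, ast.Name) and node.id in assigns and node.id not in seen:
        # back-trace: classify whatever this name was last assigned in the scope
        reason = _classify(assigns[node.id], assigns, seen | {node.id})
        return None if reason is None else reason + " via variable " + node.id
    return "unknown origin, trace manually"


def _scope_nodes(stmts):
    """Yield every node under stmts without entering nested function bodies."""
    stack = [s for s in stmts if not isinstance(s, _FUNC)]
    while stack:
        node = stack.pop()
        yield node
        stack.extend(c for c in ast.iter_child_nodes(node) if not isinstance(c, _FUNC))


def find_unsafe_queries(source):
    """Return sorted [(line, sink, reason)] for every sink call whose first
    argument is not a constant SQL string."""
    tree = ast.parse(source)
    scopes = [tree.body] + [f.body for f in ast.walk(tree)
                            if isinstance(f, (ast.FunctionDef, ast.AsyncFunctionDef))]
    findings = []
    for body in scopes:
        assigns = {}
        for node in _scope_nodes(body):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                assigns[node.targets[0].id] = node.value
        for node in _scope_nodes(body):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SINKS and node.args):
                reason = _classify(node.args[0], assigns)
                if reason:
                    findings.append((node.lineno, node.func.attr, reason))
    return sorted(findings)


# Constructed sample module to audit (not from the slides).
SAMPLE = '''
def by_concat(cur, user):
    cur.execute("SELECT * FROM users WHERE login = '" + user + "'")

def by_fstring(cur, user):
    cur.execute(f"SELECT * FROM users WHERE login = '{user}'")

def by_percent(cur, user):
    cur.execute("SELECT * FROM users WHERE login = '%s'" % user)

def safe(cur, user):
    cur.execute("SELECT * FROM users WHERE login = ?", (user,))

def via_variable(cur, user):
    sql = "SELECT * FROM users WHERE login = '{}'".format(user)
    cur.execute(sql)
'''

if __name__ == "__main__":
    for line, sink, reason in find_unsafe_queries(SAMPLE):
        print("line %d: %s() called with %s" % (line, sink, reason))
```

The scan is deliberately noisy: anything that is not a literal is reported, including cases it cannot resolve, because in an audit a false positive costs a minute while a false negative costs a database.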
2. Assessing the web application
• Hack (assess) your own web application
• Can be done manually or automatically
• Manually assess the web application by entering ' or 1=1 -- or 1 union … in its input fields, and check whether the web application's behaviour is affected by this unexpected input: a database error message, a different or larger result set, or a changed response time.
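An added example (not from the original slides) of the input fuzzing step described in the scanner section and the manual probing described above, reduced to one input vector. A constructed product page over SQLite stands in for the target; the scanner sends the benign value, then the probes, and infers a vulnerability only from how each response differs from the baseline, which is the same comparison a human tester makes. The fixed page is included so the same probes show a clean result.

```python
import sqlite3


def make_db():
    """Constructed sample schema (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("victor", "123"), ("admin", "s3cret")])
    return conn


def vulnerable_page(conn, product_id):
    """Stand-in for a product page: the numeric parameter is spliced into SQL.
    Returns ('ok', rows) or ('error', message), mimicking an error page."""
    try:
        rows = conn.execute(
            "SELECT id, name FROM products WHERE id = " + product_id).fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def fixed_page(conn, product_id):
    """Same page after the fix: typed validation plus a bound parameter.
    Invalid ids get the same empty answer a missing product would."""
    if not product_id.isdigit():
        return ("ok", [])
    rows = conn.execute("SELECT id, name FROM products WHERE id = ?",
                        (int(product_id),)).fetchall()
    return ("ok", rows)


def fuzz_parameter(page, benign="1"):
    """Input fuzzing for one input vector.  'page' takes the parameter value
    and returns the response; findings come from comparing each probe's
    response with the baseline obtained for the benign value."""
    baseline = page(benign)
    findings = []
    probes = [
        ("error-based", benign + "'"),
        ("tautology",   benign + " OR 1=1"),
        ("union",       benign + " UNION SELECT login, password FROM users"),
    ]
    for kind, probe in probes:
        status, body = page(probe)
        if status == "error":
            findings.append((kind, probe, "database error returned to client"))
        elif body != baseline[1] and len(body) > len(baseline[1]):
            findings.append((kind, probe, "response grew from %d to %d rows"
                             % (len(baseline[1]), len(body))))
    # Blind boolean check: a true condition must reproduce the baseline while
    # a false one must change it.  Needs neither an error nor extra rows.
    if page(benign + " AND 1=1") == baseline and page(benign + " AND 1=2") != baseline:
        findings.append(("blind-boolean", benign + " AND 1=1 / AND 1=2",
                         "true and false conditions give different pages"))
    return findings


def demo():
    conn = make_db()
    return {
        "vulnerable": fuzz_parameter(lambda v: vulnerable_page(conn, v)),
        "fixed": fuzz_parameter(lambda v: fixed_page(conn, v)),
    }


if __name__ == "__main__":
    for target, findings in demo().items():
        print(target, findings if findings else "no indications")
```

The union probe is worth noting: against the vulnerable page it returns the users table inside the product listing, which is the data theft the scanner section opened with. The blind check matters for pages that hide errors, since a page that never errors and never shows extra rows can still be injectable.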
Conclusion
• SQL Injection is a fascinating and dangerous vulnerability
• All programming languages and all SQL databases are potentially vulnerable
• Protecting against it requires
  – strong design (parameterized queries, least privilege)
  – correct input validation
  – hardening
THANK YOU!!
REFERENCES
1. http://www.securityfocus.com/infocus/1768
2. http://www.extropia.com/tutorials/sql/toc.html
3. http://www.google.com/sqlinjection
4. http://www.owasp.org
5. http://www.sqlsecurity.com
Questions ?