Slide 1

Web SecuritySQL injection

OVERVIEWIntroductionSQL InjectionSQL Injection mitigation Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART)Conclusion

Web ApplicationsIncomputing, aweb applicationis anyapplicationthat uses aweb browseras a clientWith the rapid development of Internet, web applications involving database component become more and more popular.Structured Query Language (SQL)is the major language to interact with database systems , such as MS SQL Server, Oracle, Access, MySQL, etc.

SQL injectionSQL injectionis acode injectiontechnique, used toattackdata driven applications, in which malicious SQL statements are inserted into an entry field for executionSQL injection must exploit asecurity vulnerabilityin an application's softwareSQL injectionEx: Suppose that a specific web application uses the following code for user authentication:

String query = "SELECT accounts FROM users WHERE login = \ ' " + login + "\' AND pass=\ ' " + pass + "\ ''';

Normal behaviorIf the login and pass fields are filled with Ali and 33214 the resulted query will beSELECT accounts FROM users WHERE login = Ali' AND pass= 33214This query will return true only if the login name Ali and the password 33214 exists in the DB

Injected SQL statementIf the login and pass fields are filled with admin and ' or '1'='1 the resulted query will beSELECT accounts FROM users WHERE login='admin AND pass = or 1=1In this situation, the WHERE clause always has a true value, and contributes to a query result of all the accounts in table usersIf the web application takes the first record to be the authenticated user, the user authentication mechanism would be broken by SQL injectionhttp://testfire.net/bank/login.aspx8Injected SQL statement cont.Imagine If we filled the pass field with the following SQL statement a ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

SELECT accounts FROM users WHERE login='admin AND pass = a ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

SQL injection in URLEx: Suppose that a specific website have the following URL for showing books review depending on book ID

Original URL:http://books.example.com/showReview.php?ID=5

Injected URL:http://books.example.com/showReview.php?ID=5AND1=1

Resulted SQL query :SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;

Mitigation

1- Prepared statement 2- EscapingFranks's Oracle site => Frankss Oracle siteA ''double quoted'' word => A double quoted word

Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART)Related Applications:

Paros : is an open-source security scanner for testing web application vulnerabilities. It is a traditional penetration test which automatically scans web applications with injected HTTP request. By analyzing the response page,JDBC checker : checks the type correctness of generated SQL queries, in order to find SQLIVs caused by improper type checking.Sania : proposes syntactic and semantic analysis of the parse tree of intended SQL queries. After filling attack codes in leaf nodes, Sania checks the differences between initially parse tree and modified parse tree, and reports SQLIVsTest SQLIVs in Web Applications Based on Structure Matching (SMART)Structure definition ( According to the ANSI SQL standard)Structure extractionStructure matchingValidation

Test SQLIVs in Web Applications Based on Structure Matching (SMART)A. Structure definition ( According to the ANSI SQL standard)

Blank, includes space characters, tabs, carriage returns, line feeds, etc.Single-line comment, often lead by comment symbol "--Multiple-line comment, often cited by a pair of comment symbol "/*" and "*/".Keyword, pre-defined by SQL standard, which makes the SQL query meaningful, such as "SELECT", "INSERT","GRANT", OR etc.Punctuation, often used to separate SQL queries, or used in some mathematical operations, such as "=", "(", ";", etc.Identifier, often used to specify database name, table name, variable name, etc.Data, includes all kinds of data used in SQL standard,such as integers, real numbers, strings, dates, times, etc.Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.B. Structure extraction

To describe the structure of SQL queries, SMART defines the SQL structure features of SQL query Q as a string array S: S=a1,a2,a3.. am (m1) where ai (1im) is the ith keyword or punctuation in query Q, and m is the total number of keywords and punctuations.Regular expressions analysis is used on the SQL query to extract its structure featuresFor example, the structure features of query "SELECT accounts FROM users WHERE login= 'admin' AND pass= 'admin ' " is: 'SELECT FROM WHERE = AND ='C. Structure matching

For a given structure features array S, we define three kinds of operation to modify it: "add" an element into it, "delete" an element from it, and "change" one of its elements into anotherGiven SQL structure features SI=A[1..m], S2=B[1..n], we define d(i, j)= (A[1..i], B[1..j]) as the least number of modification operations required to transfer A[1..i] into B[1..j].

Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.D. Validation

Web applications are usually composed by many web pages where each web page has zero or more input parameters. For example, the following HTTP request shows that the "Login.jsp" page has two input parameters "login" and "pass", and their default values are "admin" and "admin": HTTP://www.bookstore.com/Login.jsp?login=admin&pass=admin

we test the two input parameters in turn. If "login" parameter is the current parameter being tested, we first send the above original request over HTTP, and get all the SQL queries generated by it, denoted as Q=Q1,Q2..Qm.Then we get all the SQL queries generated by the injected request, denoted as Q'=Q1Q2 .. Qn.Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.If m does not equal n, we cannot determine whether SQL injection succeeds, because the SQL queries are probably generated by different code branchesif m equals n, then we examine each pair of Qi, and Qi and extract their structure features, denoted as S1 and S2 If the extraction of S1 and S2 are both failed, we cannot determine whether SQLIV exists.If the extraction of S1 is failed and S2 is successful, we believe that the injection has broken some authentication mechanism, and alert it as a SQLIVIf the extraction of S1 is successful and S2 is failed, we believe that the injection has broken the structure of the generated SQL query, and also alert it as a SQLIVIf the extraction of S1and S2 are both successful, we calculate the matching value of S1 and S2.

Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.If matching_value(S1,S2) equal zero, we believe that the structure of the SQL query doesn't change so the SQL injection doesn't succeedIf matching_value(S1,S2) is larger than zero and not larger than a given upper bound specified, we believe that the SQL injection appears and changes the structure of the SQL query, and alert it as a SQLIVif matching_value(S1,S2) is larger than the upper bound, we believe that the change of the structure is caused by executing different code branchesIf we still cannot determine whether SQL injection succeeds when finishing all the test cases, we believe that the tested input parameter is probably safe against SQL injection. Then we continue to test next input parameter, until all the input parameters are testedTest SQLIVs in Web Applications Based on Structure Matching (SMART) cont.CONCLUSIONWe presented SMART, a new method to automatically test SQL injection vulnerabilities in web applications. SMART tests each input parameter of web applications, matches the SQL queries generated by both original HTTP request and injected HTTP request, and determines whether it has SQL injection vulnerability.CROSS-SITE SCRIPTING XSSOVERVIEWINTRODUCTIONXSS VULNERABILITIESA SOLUTION TO BLOCK CROSS SITE SCRIPTING VULNERABILITIESAVOIDING XSS VULNERABILITIESCONCLUSION

CROSS-SITE SCRIPTING (XSS)Cross-site scripting or XSS is a defined as a computer security vulnerability found in web applications.XSS allows for code injection by malicious web users into Internet pages viewed by other users. In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.

XSS VULNERABILITIESThere are Two types of XSS vulnerabilities:

Reflected (Non-Persistent)Stored (Persistent)

Reflected (NON-PERSISTENT)It occurs when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user

An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page; thus giving the attacker full access to that page's content.

Reflected (NON-PERSISTENT)Malicious content dose not get stored in the server

Stored (PERSISTENT)It occurs when the data provided by the attacker is saved by the server (database, file system, other location).Then permanently displayed on "normal" pages returned to other users in the course of regular browsing,Stored (PERSISTENT)The server stores the malicious content

A solution to block Cross Site Scripting Vulnerabilities

A solution to block Cross Site Scripting Vulnerabilities Cont.

Components interaction The schema for each web page, where an input control is present, is generated and stored offline by the developer in a folder structure or in a database.

When a request is received, the HTTP request is passed on to the converter.

Converter converts the input to an XML object and sends it to the validator.

Components interaction Cont.Validator retrieves the corresponding schema for the request and maps the XML object with the schema document.If the input maps with the schema then the status is returned to the converter as yes, otherwise the status no is returned.

If the status yes then the request is forwarded to the web application. Otherwise, the request is forwarded to an error page.

AVOIDING XSS VULNERABILITIESEliminating scripts Cookie security Input validation

ELIMINATING SCRIPTSSome web applications are written to function without the need for client-side scripts.

In this way users would not be susceptible to XSS attacks.

COOKIE SECURITYBecause client-side scripts have access to cookies, XSS exploits are able steal these cookies and hinder business functions.

Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.

INPUT VALIDATIONIt helps decipher other injection attacks such as SQL injection.

Effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.AVOIDING XSS VULNERABILITIES Do not follow links from sites that navigate to security-sensitive pages referencing personal or business information.

Always practice obtaining a list of attacks that have occurred on particular sites or messages boards.AVOIDING XSS VULNERABILITIESUsers can disable scripting when not required in order to reduce an XSS-style attack.

Do not trust links given on other sites such as e-mail or message boards.

Always access any site with sensitive information through its address and not third party sitesCONCLUISONAlways practice using testing tools during the design phase to eliminate XSS holes in the application.

Input validation and HTML escaping are essential, yet that must be applied at all application points accepting data.Denial of Service attacks (DOS)

Outlines Abstract Introduction Motivation.General Attack scenario.Classification of DOS and DDOS attacks.General attack classification Definition for DOS and DDOSDos attack classification From DOS to DDOSHow to protect.Example of DOS using LOIC.

Abstract Recently many prominent web sites face so called Distributed Denial of Service Attacks (DDoS). While former security threats could be faced by a tight security policy and active measures like using firewalls, vendor patches etc. these DDoS are new in such way that there is no completely satisfying protection yet, in this part of presentation we will cover this topic carefully.We will classify types of attacks. Explore different DDOS tools.Introduction Motivation Security threats is as old as the internet it self, In fact the first connection between computers in the ARPAnet between SRI and UCLA resulted in a crash of the receiving system due to some bugs in the communication software a classical Denial-of-Service attack.General attack scenariobig web sites usually use more than one system running their web server. The clients access these servers via a load balancing server which redirects the HTTP requests to one of the servers. Todays web servers don't work as stand alone systems but need the support of a number of backend systems (like database or le-servers) to fulll their tasks. The whole LAN network where the site is hosted is typically protected by a firewall system. On the way the IP datagrams have to pass a num-ber of routers. On each of these systems there is at least the hardware, the operating system and (as part of the OS) aTCP/IP protocol stack that can fall victim to attacks.

Classification of DOS and DDOS attacks. a possible classification of IT attacks according to the intention of the cracker could be Denial of Service attack The main goal of the attack is the disruption of service, this can be reached by a variety of ways.IntrusionGet access to a system and to circumvent certain barriers .Information Theft Access to otherwise restricted, sensitive information.Modification Attacker try to alter information, the type of attack increased lately DOS definition according to W3CWhat is a Denial of Service attack?Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that all available network resources are consumed and legitimate user requests can not get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed, and the computer can no longer process legitimate user requests.DDOS definition according to W3CA Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds.Definition of DOS and DOSS Denial-Of-Service Attack = DOS Attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to it customers.

DoS = when a single host attacksDDoS = when multiple hosts attack simultaneously

DOS attack classification DOS and DDOS usually used limited number of well known attacks with names like Smurf, teardrop, or SYN-Flood.

We will try to provide a classification in categories according to specified criteria.System attacked. Part of the system attacked.Bug or overload.System attacked According to general attack scenario we will identify a number of attack points :Attack clients themselves ( useless number of users or large )Attack the router that connects the site hosting the webserver to its ISP ( Internet Service Provider ) this will effectively cut off all access to the websites.Attack the firewall system although firewalls should be quite immune to direct attacks , firewalls is a bottle nick all in and out bound connection go through it, so if an attack with a high load will stop them.Attack the load balancer. attack the servers it self ( will be hard )Part of the system is attacked Attacks forms can be further divided by the part of the system that is attacked.Attack depends on the hardware (rare), theoretically CPU and network card could fail to work due to some data in net work packages.Attack based on the limitation of the hardware.Attacks targeting the Operating systems or the TCP/IP stacks of host.For this type of attack some are bugs that can be fixed some are fundamental limitation. What to do ?!!! Bug or overloadIn general one has to distinguish whether a DoS is a cause of a specific bug or just an overload of components that function according to their specification. Although bugs are often more severe in their effects, most of the time the vendors quickly provide fixes. All the administrators have to do is to apply them to their system in order to avoid further attacks. Attacks that are based on an overload are typically harder to cope with. Of course you can buy new hardware, but as long as an attacker finds enough resources to use as relays in the Internet he will always bring your system to a halt. Changing the specification or protocols in order to fix the hole that allows the DoS is nearly impossible as this would often mean changing the software in millions of computers worldwide.Examples Jolt2 is an attack targeting most of Microsoft windows systems , jolt2 sends a continuous stream of ICMP ECHO-REPLy fragment with specially tuned fragmentation which almost cause consumption of CPU and Memory 100% which render the system to unusable.

SYN-Flooding attack is to generate many half open TCP connections .

Smurf Attack so called amplifier sites in order to multiply the amount of traffic that hits the destination, this attack ends ICMP_ECHO_REQUEST packets with spoofed sender address to one or more subnet, subnet broadcast addresses, the packets received and replied by as many stations as are connected to the subnet.

From DOS to DDOSMajor Internet websites like amazon or Yahoo tend to have Internet connections with very large bandwidth an server farms with lots of components. Furthermore they are typically protected by firewall systems that block the known attacks that are based on malformed packets .

Their fears about large-scale attacks were proved soon later in February 2000 when major Internet sites ebay amazonetc - where under attack. There are currently a few popular DDoS attack tools, like : Trinoo, Tribe Flood Network (TFN), it's successor TFN2KHow the attack happens ?The actual attack is carried out by so called daemons hidden programs a number of the daemon is controlled by handlers and finally this handlers are activated by the attacker using clients tools.

How the intrusion to clients computers happen ? (|)Stolen account is setup as a repository for a daemons program and attack tools .

Sniffers are used scan large ranges of network blocks to identify potential targets . Targets will include (overflow , security bugs,etc. ).

A list of vulnerable systems is then used to create a script that perform exploit, set up command running under the root account , that listen to TCP port and connects to this port to confirm the success of the exploit .

From the list select one with the desired architecture ,Pre-compiled binaries of the DDoS daemons and handlers programs are created and stored on a stolen account somewhere on the Interne.

How the intrusion to clients computers happen ?( ||)A script is then run which takes this list of "owned systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. The result of this automation is the ability for attackers to set up the denial of service network in a very short time frame and on widely dispersed systems whose true owners often don't even realize the attack.Protection from DDOSGeneral protection Basic security measures are mandatory.If a running system is hacked into, no more network attacks are necessary, since local attacks ( processes consuming , memory consuming or simply shutting down )

A set of firewall should be used to separate the interior net from the internet , the firewall rules should include some sanity check for source and destination addresses.

Intrusion detection systems should be used to notify administrators of unusual activities.

Protection IP verify unicast reverse-path( Smurf)Use theIP verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.

Configure rate limiting for SYN packetsLimit response time.

Apply ingress and egress filteringEgress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.ingress filteringis a technique used to make sure that incomingpacketsare actually from the networks that they claim to be from.