TechTalk NOVEMBER 2013 SQL Injection Exploitation Techniques DEPARTMENT: ARCHITECTURE AND DEVELOPMENT

DESCRIPTION

During this TechTalk, Jürgen Kranz, Head of Architecture and Development at axxessio, elaborated on SQL Injection Exploitation Techniques.


  • 1. SQL Injection Exploitation Techniques
       TechTalk, November 2013. Department: Architecture and Development

  • 2. Table of Contents
       - Definition of Terms
       - How to Inject
       - Exploitation Techniques
       - How to Protect Yourself

  • 3. Definition of Terms
       SQL, Injection and OWASP

  • 4. SQL
       - SQL stands for Structured Query Language
       - Allows us to access a database
       - ANSI and ISO standard computer language
       - The most current standard is SQL99
       - SQL can: execute queries against a database, retrieve data from a database, insert new records in a database, delete records from a database, update records in a database

  • 5. SQL
       - There are many different versions of the SQL language
       - They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others)
       - Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard

  • 6. SQL
       Data Manipulation Language
       - SELECT - extracts data
       - UPDATE - updates data
       - INSERT INTO - inserts new data
       - DELETE - deletes data
       Data Definition Language
       - CREATE TABLE - creates a new database table
       - ALTER TABLE - alters (changes) a database table
       - DROP TABLE - deletes a database table

  • 7. SQL
       - A relational database contains one or more tables, each identified by a name
       - Tables contain records (rows) with data
       - For example, the following table is called "users" and contains data distributed in rows and columns (table shown as an image on the slide)

  • 8. SQL
       - With SQL, we can query a database and have a result set returned
       - Using the previous table, a query looks like this:
         SELECT LastName FROM users WHERE UserID = 1;
       - Gives a result set like this:
         LastName
         --------
         Smith

  • 9. Injection
       What is Injection?
       - A technique often used to attack data-driven applications
       - There are many kinds of injection
       What is SQL Injection?
       - The ability to inject SQL commands into the database engine through an existing application

  • 10. Injection
       What is SQL Injection?
       - Easy to exploit
       - Common in web apps
       - Can produce severe impact
  • 11. OWASP
       - The Open Web Application Security Project (OWASP)
       - Worldwide not-for-profit charitable organization
       - Focused on improving the security of software
       - Mission: Make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
       - Everyone is free to participate

  • 12. OWASP Top Ten
       OWASP Top 10 2013 (current version)
       - A1 Injection
       - A2 Broken Authentication and Session Management
       - A3 Cross Site Scripting (XSS)
       - A4 Insecure Direct Object References
       - A5 Security Misconfiguration
       - A6 Sensitive Data Exposure
       - A7 Missing Function Level Access Control
       - A8 Cross Site Request Forgery (CSRF)
       - A9 Using Known Vulnerable Components
       - A10 Unvalidated Redirects and Forwards
       https://www.owasp.org/index.php/Top_10_2013-Release_Notes

  • 13. How to Inject
       - Are You Vulnerable?
       - SQL Payload

  • 14. Are You Vulnerable?
       - Find a web application
       - Understand when and how the application interacts with a DB server: authentication forms, search engines, e-commerce sites

  • 15. Are You Vulnerable?
       - List all input fields whose values could be used in crafting a SQL query, including the hidden fields of POST requests
       - Then test them separately, trying to interfere with the query and to generate an error
       - Consider also HTTP headers and cookies

  • 16. Are You Vulnerable?
       - Add a single quote (') or a semicolon (;) to the field or parameter under test
       - Also comment delimiters (-- or /* */)
       - SQL keywords like 'AND' and 'OR' can be used to try to modify the query
       - Insert a string where a number is expected
       - The goal is to generate an error

  • 17. Are You Vulnerable?
       (screenshot slide, no text)

  • 18. SQL Payload
       (screenshot slide, no text)

  • 19. Exploitation Techniques
       - Union Exploitation Technique
       - Boolean Exploitation Technique
       - Time Delay Exploitation Technique
       - Automated Exploitation

  • 20. Union Exploitation
       What is the right number of columns in the SELECT statement?
       (slide shows a "Success" and a "Fails" query as images)

  • 21. Union Exploitation
       What is the right number of columns in the SELECT statement?
       - Success: the SELECT statement has the given number of columns or more
       - Fails: increase the given number

  • 22. Boolean Exploitation
       - With this technique, nothing is known about the outcome of an operation
       - The main objective: carry out a series of boolean queries to the server, observe the answers, and finally deduce the meaning of those answers

  • 23. Time Delay
       Objectives
       - Nothing is known about the outcome of an operation
       - Sending an injected query: in case the conditional is true, the tester can monitor the time taken for the server to respond
       - If there is a delay, the tester can assume the result of the conditional query is true
       Example using MySQL 5
         1' union select 1, SUBSTRING((SELECT first_name FROM users LIMIT 1),1,1) =a' and sleep(5) or null #

  • 24. How to Protect Yourself

  • 25. Prevent SQL Injection
       - Use dynamic SQL only if absolutely necessary
       - Tip: prepared statements, parameterized queries, or stored procedures
       - Java: PreparedStatement() with bind variables
       - .Net: parameterized queries, SqlCommand() or OleDbCommand() with bind variables
       - PHP: PDO with strongly typed parameterized queries (using bindParam())

  • 26. Prevent SQL Injection
       - Install patches regularly and in a timely manner
       - The database server, the operating system, or the development tools you use can have vulnerabilities
       - Use APIs: OWASP ESAPI

  • 27. Prevent SQL Injection
       - Remove all functionality you don't use
       - As far as security is concerned, more is not better. MS SQL, for example, has xp_cmdshell, which gives access to the shell (a hacker's dream)
       - Use automated test tools for SQL injection to check for SQL injection vulnerabilities

  • 28. Story: Student Has a Problem
       http://php.net/manual/de/security.database.sql-injection.php

  • 29. Story: Student Has a Problem
       - Is there any ultimate solution? NO!
       - Why? Nobody is perfect. Only our Holy God
       - What should I do? Look first for the kingdom of heaven, the rest will be given

  • 30. Thank you for your attention!
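An added example that is not part of the deck, tying the "Are You Vulnerable?" test inputs (quote, semicolon, comment delimiters, AND/OR, a string where a number is expected) to the "Prevent SQL Injection" advice. It runs the deck's `SELECT LastName FROM users WHERE UserID = ...` query two ways, once built by string concatenation and once as a parameterized query, against an in-memory SQLite table, and adds a screening check that names which probe indicators appear in a request value. SQLite stands in for the MySQL 5 the deck mentions; the `FirstName`/`LastName` columns, the sample rows, and the function names (`lookup_vulnerable`, `lookup_safe`, `outcome`, `probe_indicators`) are assumptions made for this example.

```python
"""Added example (not from the TechTalk deck): the deck's "users" table
queried with dynamic SQL versus a parameterized query, plus a screening
check for the probe inputs the deck lists. SQLite in-memory stands in for
the MySQL 5 the deck mentions."""
import re
import sqlite3
from typing import Callable, List

# Constructed sample rows for the deck's "users" table (the deck shows it as
# an image; these column names and values are assumptions).
USERS = [(1, "John", "Smith"), (2, "Alice", "Jones"), (3, "Bob", "Brown")]


def make_db() -> sqlite3.Connection:
    """Create the in-memory users table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserID INTEGER, FirstName TEXT, LastName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Dynamic SQL: the request value is pasted into the query text, so the
    database parses whatever the client sent as part of the statement."""
    sql = "SELECT LastName FROM users WHERE UserID = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Parameterized query (the deck's prepared-statement advice): the value
    is bound separately and is only ever compared, never parsed as SQL."""
    sql = "SELECT LastName FROM users WHERE UserID = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def outcome(conn: sqlite3.Connection, lookup: Callable[..., List[str]], value: str) -> str:
    """What a tester observes for one input: a database error, or a row count."""
    try:
        return "rows=%d" % len(lookup(conn, value))
    except sqlite3.Error:
        return "error"


# Indicators from the deck's "Are You Vulnerable?" slide; the keyword list is
# extended with the functions its time-delay example relies on.
PROBE_PATTERNS = {
    "single_quote": re.compile(r"'"),
    "semicolon": re.compile(r";"),
    "comment_delimiter": re.compile(r"--|/\*|\*/|#"),
    "sql_keyword": re.compile(r"\b(AND|OR|UNION|SELECT|SLEEP|BENCHMARK)\b", re.IGNORECASE),
}


def probe_indicators(value: str, expects_number: bool = False) -> List[str]:
    """Return the names of every probe indicator present in one request value.
    Meant for screening test traffic or logs, not as an input filter: plain
    text such as "rock or roll" trips the keyword rule, and the actual fix is
    the parameterized query above."""
    hits = [name for name, pattern in PROBE_PATTERNS.items() if pattern.search(value)]
    if expects_number and not value.strip().lstrip("-").isdigit():
        hits.append("string_where_number_expected")
    return hits


if __name__ == "__main__":
    conn = make_db()
    # A lone quote forces a syntax error in the concatenated query and an OR
    # clause widens it; the bound parameter is compared as a value instead.
    for probe in ("1", "'", "1 OR 1=1", "1 --"):
        print("%-12r vulnerable: %-7s safe: %-7s indicators: %s" % (
            probe,
            outcome(conn, lookup_vulnerable, probe),
            outcome(conn, lookup_safe, probe),
            probe_indicators(probe, expects_number=True)))
```

The parameterized version returns no rows for every probe because SQLite compares the bound text against the integer column and finds no match; the concatenated version either errors (the signal the "Are You Vulnerable?" slide tells the tester to look for) or returns more rows than intended.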
  • 31. Additional Information
       - Prevent SQL-Injection by Joanna: http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html
       - OWASP Enterprise Security API: https://www.owasp.org/index.php/ESAPI
       - OWASP Top Ten Cheat Sheet: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

  • 32. Reference List
       - PHP. SQL Injection 666x205 [Image file]. Retrieved from: http://php.net/manual/de/security.database.sql-injection.php [12.12.2013]
       - OWASP - the free and open software security community. Top 10 2013-Release Notes. Retrieved from: https://www.owasp.org/index.php/Top_10_2013-Release_Notes [12.12.2013]