Code Injection (Cable Johnson)

Upload: melvin-joseph

Post on 24-Dec-2015


Page 1: { Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection

Code Injection

Cable Johnson

Page 2: Code Injection

Overview
Common Injection Types
Developer Prevention

Page 3: "username" stored as string constant

Page 4: Overview

Insert source code into existing application
Single command or entire script
Used by worms to propagate

Page 5: Common Injection Types

SQL injection
Web injection/XSS
Shell injection

Page 6: SQL Injection

Infiltrate database: dump data, alter data
Done at database level
Easily automated
Attempted constantly
Average: 71 attempts/hr
Peak: 800-1300 attempts/hr

Page 7: Web

SQL: database level
XSS: web level
PHP/ASP injection: server infiltration
HTML/Script injection: browser infiltration
Most common injection type today

Page 8: Shell Injection

Targets the machine rather than the database or web page
Done at shell (command line) level
Windows and UNIX
Typically used to escalate privileges

Page 9: Prevention

Design
Input sanitization

Page 10: Design

Blacklisting
Minimize use of user input
Limit database use
Disable unnecessary database functionality
Update regularly
Attack yourself

Page 11: Sanitization

Character exclusion
Signature exclusion
Prepared statements

Page 12: Character Exclusion

Exclude ( ' ), ( \ ), ( ` )
Require alphanumeric only
Limit string length to guard against complex queries
Easy to implement
Easily recognizable

Page 13: Signature Exclusion

UNION SELECT
OR 1=1
EXEC SP_ (or EXEC XP_)
False positives come with large signature sets
Easily avoidable

Page 14: Signature Weakness

OR 1 = 1
OR 'str' = 'str'
OR 'str' = 'st'+'r'
OR 'str' = N'str'
OR 's' IN ('str')
O/**/R 's' < 'z'
Unreasonable to keep signatures for countless possible inputs

Page 15: Prepared Statements

Efficient method of sanitization
Also a query optimization
Build the SQL statement with minimal syntax
Run partial query ("prepare")
Fill in user input after preparation

Page 16: Pseudo Code

    sql = "SELECT * FROM users WHERE username=$1 AND password=$2"
    statement = db.prepare(sql)

    username = input()
    password = input()

    statement.execute(username, password)
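As an added example, not part of the slides, the page 16 pseudocode is carried through in Python against an in-memory SQLite table, together with the character exclusion rule from page 12, beside the string-concatenated form the slides warn against. The users table, its rows and the helper names are constructed for this demo; SQLite binds values with ? where the slide wrote $1 and $2.

```python
import re
import sqlite3


# Constructed sample data, not from the slides: an in-memory SQLite users table.
# Passwords are stored in clear text only to keep the demo short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("seth", "pw-seth"), ("amanda", "pw-amanda"), ("george", "pw-george")],
    )
    conn.commit()
    return conn


# Character exclusion (page 12): alphanumeric only, with a bounded length.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def passes_character_exclusion(value):
    """True when the value contains only letters and digits (1 to 32 of them)."""
    return USERNAME_RE.fullmatch(value) is not None


def login_concatenated(conn, username, password):
    """The form the slides warn against: input is spliced into the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, username, password):
    """Page 16 pseudocode: the SQL text is fixed when the statement is prepared
    and the values are bound afterwards, so input is only ever treated as data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def authenticate(conn, username, password):
    """Both slide tactics together: allowlist the username, then bind both values.
    Returns 'rejected' (failed character exclusion), 'denied' or 'ok'."""
    if not passes_character_exclusion(username):
        return "rejected"
    return "ok" if login_prepared(conn, username, password) else "denied"


if __name__ == "__main__":
    conn = make_db()
    # Page 14 form, used here only to make the difference between the two queries visible.
    tricky = "' OR 'str'='str"
    print("prepared    :", login_prepared(conn, "seth", tricky))
    print("concatenated:", login_concatenated(conn, "seth", tricky))
    print("authenticate:", authenticate(conn, "seth", "pw-seth"))
```

The prepared query returns no row for the page 14 input because the bound value is compared as a literal password, while the concatenated query returns every user. The character exclusion check also shows the cost the slides call "easy to implement": a legitimate username such as O'Brien is rejected, which is why the slides rank prepared statements first.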

Page 17: Bad Sanitization

[slide image; recoverable text: Seth, Amanda, George]

Page 18: checkForBadSql (PHP)

    function checkForBadSql($sqlcode) {
        global $CONTEXT, $ERROR_TEXT;

        $badSqlCode[] = 'create';
        $badSqlCode[] = 'database';
        $badSqlCode[] = 'table';
        $badSqlCode[] = 'insert';
        $badSqlCode[] = 'update';
        $badSqlCode[] = 'rename';
        $badSqlCode[] = 'replace';
        $badSqlCode[] = 'select';
        $badSqlCode[] = 'handler';
        $badSqlCode[] = 'delete';
        $badSqlCode[] = 'truncate';
        $badSqlCode[] = 'drop';
        $badSqlCode[] = 'where';
        $badSqlCode[] = 'or';
        $badSqlCode[] = 'and';
        $badSqlCode[] = 'values';
        $badSqlCode[] = 'set';

        //test if sql code is bad
        if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) {
            //bad sql found -- hack attempt! Abort
            $ERROR_TEXT = "Invalid text was entered. Please correct.";
            return 0;
        }

        return 1;
    }
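Added example, not from the slides: the checkForBadSql() pattern above ported to Python so its behaviour can be checked against the signature weakness listed on pages 13 and 14. One detail worth seeing run: the square brackets around implode('|', ...) form a regex character class, not an alternation group, so the filter as written fires on any whitespace-delimited word made only of the keyword letters. The block runs that literal port beside the whole-keyword alternation the author presumably intended (an assumption) over a few constructed inputs; the sample strings, function names and the INTENDED pattern are this example's own.

```python
import re

# Keyword list copied from the slide's checkForBadSql().
BAD_SQL_WORDS = [
    'create', 'database', 'table', 'insert', 'update', 'rename', 'replace',
    'select', 'handler', 'delete', 'truncate', 'drop', 'where', 'or', 'and',
    'values', 'set',
]

# Literal port of the slide's preg_match pattern. Inside [...] the '|' is not
# alternation: the class matches any single one of the letters
# a b c d e h i l m n o p r s t u v w (or '|'), so the pattern matches any
# whitespace-delimited run of those letters, keyword or not.
AS_WRITTEN = re.compile(r'\s[' + '|'.join(BAD_SQL_WORDS) + r']+\s', re.IGNORECASE)

# Assumption: the alternation the author presumably meant, whole keywords only.
INTENDED = re.compile(r'\b(?:' + '|'.join(BAD_SQL_WORDS) + r')\b', re.IGNORECASE)


def accepted_as_written(text):
    """Mirror of the PHP function's result: True means the input passes (return 1)."""
    return AS_WRITTEN.search(text) is None


def accepted_intended(text):
    """Same contract for the whole-keyword version."""
    return INTENDED.search(text) is None


# Constructed inputs: harmless text plus forms already listed on pages 13 and 14.
SAMPLES = [
    "the red car",         # ordinary English, no keyword at all
    "Lisa and Tom",        # ordinary English that happens to contain a keyword
    "OR 1=1",              # page 13 signature
    "O/**/R 's' < 'z'",    # page 14 comment-split form
    "select*from users",   # keyword with no surrounding whitespace
]


def report():
    """Map each sample to (accepted by literal port, accepted by intended pattern)."""
    return {s: (accepted_as_written(s), accepted_intended(s)) for s in SAMPLES}


if __name__ == "__main__":
    for text, (written, intended) in report().items():
        print(f"{text!r:22} as written: {'pass' if written else 'BLOCK':5}  "
              f"intended: {'pass' if intended else 'BLOCK'}")
```

The literal port blocks "the red car" (a false positive on plain English) yet passes "OR 1=1" because nothing precedes it with whitespace; the intended pattern catches that signature but still blocks "Lisa and Tom" and still passes the page 14 comment-split form. Both outcomes are the false positives and easy avoidance that pages 13 and 14 describe, and neither version can be patched into correctness by adding signatures, which is the slides' argument for prepared statements.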

Page 19: Review

Injection requires knowledge and craftiness on the attacker's part, but is very damaging
SQL: database
XSS: web
Shell: machine
Several prevention tactics, but prepared statements win