Code Injection
Cable Johnson

Code Injection
Overview
Common Injection Types
Developer Prevention

Overview
Insert source code into an existing application
Single command
Entire script
Used by worms to propagate

Common Injection Types
SQL injection
Web injection/XSS
Shell injection

SQL Injection
Infiltrate database: dump data, alter data
Done at database level
Easily automated
Attempted constantly
Average: 71 attempts/hr
Peak: 800-1300 attempts/hr

Web
SQL: database level
XSS: web level
PHP/ASP injection: server infiltration
HTML/Script injection: browser infiltration
Most common injection type today

Shell Injection
Targets the machine rather than the database or web page
Done at shell (command line) level
Windows and UNIX
Typically used to escalate privileges

Prevention
Design
Input sanitization

Design
Blacklisting
Minimize use of user input
Limit database use
Disable unnecessary database functionality
Update regularly
Attack yourself

Sanitization
Character exclusion
Signature exclusion
Prepared statements

Character Exclusion
( ' ), ( \ ), ( ` )
Require alphanumeric only
Limit string length to guard against complex queries
Easy to implement
Easily recognizable

Signature Exclusion
UNION SELECT
OR 1=1
EXEC SP_ (or EXEC XP_)
False positives come with large signature sets
Easily avoidable

Signature Weakness
OR 1 = 1
OR 'str' = 'str'
OR 'str' = 'st'+'r'
OR 'str' = N'str'
OR 's' IN ('str')
O/**/R 's' < 'z'
Unreasonable to keep signatures for countless possible inputs

Prepared Statements
Efficient method of sanitization
Also a query optimization
Build the SQL statement with minimal syntax
Run partial query ("prepare")
Fill in user input after preparation

Pseudo Code
# the query text holds only placeholders ($1, $2), never user data
sql = "SELECT * FROM users WHERE username=$1 AND password=$2"
# the database parses and plans the statement before any input is seen
statement = db.prepare(sql)
username = input()
password = input()
# the inputs are bound to the placeholders as values, so they cannot change the query's structure
statement.execute(username, password)

Bad Sanitization
function checkForBadSql($sqlcode) {
    global $CONTEXT, $ERROR_TEXT;
    // blacklist of SQL keywords; see the Signature Weakness slide for why
    // keyword blacklists are easily avoided
    $badSqlCode[] = 'create';
    $badSqlCode[] = 'database';
    $badSqlCode[] = 'table';
    $badSqlCode[] = 'insert';
    $badSqlCode[] = 'update';
    $badSqlCode[] = 'rename';
    $badSqlCode[] = 'replace';
    $badSqlCode[] = 'select';
    $badSqlCode[] = 'handler';
    $badSqlCode[] = 'delete';
    $badSqlCode[] = 'truncate';
    $badSqlCode[] = 'drop';
    $badSqlCode[] = 'where';
    $badSqlCode[] = 'or';
    $badSqlCode[] = 'and';
    $badSqlCode[] = 'values';
    $badSqlCode[] = 'set';
    // test if sql code is bad
    // note: the square brackets build a character class, not an alternation
    // group, so this matches any whitespace-delimited run of the listed
    // letters and '|' rather than the keywords themselves, and the leading
    // \s means a keyword at the very start of the input is never matched
    if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) {
        // bad sql found -- hack attempt! Abort
        $ERROR_TEXT = "Invalid text was entered. Please correct.";
        return 0;
    }
    return 1;
}

Review
Injection requires knowledge and craftiness on the attacker's part, but is very deadly
SQL: database
XSS: web
Shell: machine
Several prevention tactics, but prepared statements win