Code Injection
Cable Johnson
Code Injection
- Overview
- Common Injection Types
- Developer Prevention
"username" stored as string constant
Overview
- Insert source code into existing application
  - Single command
  - Entire script
- Used by worms to propagate
Common Injection Types
- SQL injection
- Web injection/XSS
- Shell injection
SQL Injection
- Infiltrate database
  - Dump data, alter data
- Done at database level
- Easily automated
  - Attempted constantly
  - Average: 71 attempts/hr
  - Peak: 800-1300 attempts/hr
Web
- SQL: database level
- XSS: web level
- PHP/ASP injection: server infiltration
- HTML/Script injection: browser infiltration
- Most common injection type today
Shell Injection
- Targets machine rather than db or webpage
- Done at shell (command line) level
- Windows and UNIX
- Typically used to escalate privileges
Prevention
- Design
- Input sanitization
Design
- Blacklisting
- Minimize use of user input
- Limit database use
  - Disable unnecessary database functionality
- Update regularly
- Attack yourself
Sanitization
- Character exclusion
- Signature exclusion
- Prepared statements
Character Exclusion
- ( ' ), ( \ ), ( ` )
- Require alphanumeric only
- Limit string length to guard against complex queries
- Easy to implement
- Easily recognizable
Signature Exclusion
- UNION SELECT
- OR 1=1
- EXEC SP_ (or EXEC XP_)
- False positives come with large signature sets
- Easily avoidable
Signature Weakness
- OR 1 = 1
- OR 'str' = 'str'
- OR 'str' = 'st'+'r'
- OR 'str' = N'str'
- OR 's' IN ('str')
- O/**/R 's' < 'z'
- Unreasonable to keep signatures for countless possible inputs
Prepared Statements
- Efficient method of sanitization
- Also a query optimization
- Build the SQL statement with minimal syntax
- Run partial query ("prepare")
- Fill in user input after preparation
Pseudo Code

```
sql = "SELECT * FROM users WHERE username=$1 AND password=$2"
statement = db.prepare(sql)
username = input()
password = input()
statement.execute(username, password)
```
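The pseudocode above, worked through in Python's sqlite3 module as an added example (not from the slides): a string-concatenated query beside the prepared form. sqlite3 uses `?` placeholders where the slide uses `$1`/`$2`; the table, users and credentials are constructed demo data, and the password is compared in the query only because the slide does so.

```python
import sqlite3

# Constructed demo data: an in-memory database with one users table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concat(db, username, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote in
    the input changes the structure of the statement."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in db.execute(sql)]

def login_prepared(db, username, password):
    """Safe: the statement is prepared with placeholders and the values are
    bound afterwards, so they are only ever compared as literal strings."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]

if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials behave the same either way.
    print(login_concat(db, "alice", "s3cret"))    # ['alice']
    print(login_prepared(db, "alice", "s3cret"))  # ['alice']
    # The tautology from the Signature Weakness slide, typed as the password:
    # concatenation turns the WHERE clause into (... AND password='') OR
    # 'str'='str', which is true for every row.
    payload = "' OR 'str'='str"
    print(login_concat(db, "alice", payload))     # ['alice', 'bob']
    print(login_prepared(db, "alice", payload))   # [] - compared literally
```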
Bad Sanitization
[Slide figure showing: Seth, Amanda, George]
```php
function checkForBadSql($sqlcode) {
    global $CONTEXT, $ERROR_TEXT;
    $badSqlCode[] = 'create';
    $badSqlCode[] = 'database';
    $badSqlCode[] = 'table';
    $badSqlCode[] = 'insert';
    $badSqlCode[] = 'update';
    $badSqlCode[] = 'rename';
    $badSqlCode[] = 'replace';
    $badSqlCode[] = 'select';
    $badSqlCode[] = 'handler';
    $badSqlCode[] = 'delete';
    $badSqlCode[] = 'truncate';
    $badSqlCode[] = 'drop';
    $badSqlCode[] = 'where';
    $badSqlCode[] = 'or';
    $badSqlCode[] = 'and';
    $badSqlCode[] = 'values';
    $badSqlCode[] = 'set';
    // test if sql code is bad
    // (note: the square brackets make a character class of the keywords'
    // letters, not an alternation of the keywords)
    if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) {
        // bad sql found -- hack attempt! Abort
        $ERROR_TEXT = "Invalid text was entered. Please correct.";
        return 0;
    }
    return 1;
}
```
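To see what this filter actually accepts and rejects, here is an added example (not from the slides) that ports the regular expression to Python's re module and runs it, next to the whole-word alternation the author presumably meant, over constructed inputs; the sample strings are made up, the first reusing the names on the slide.

```python
import re

# The keyword list from the slide's PHP checkForBadSql().
BAD_SQL_WORDS = ['create', 'database', 'table', 'insert', 'update', 'rename',
                 'replace', 'select', 'handler', 'delete', 'truncate', 'drop',
                 'where', 'or', 'and', 'values', 'set']

# What the PHP actually compiles: square brackets make a character class, so
# this matches any whitespace-delimited run of letters drawn from the keywords
# (plus the literal '|'), not the keywords themselves.
AS_WRITTEN = re.compile(r'\s[' + '|'.join(BAD_SQL_WORDS) + r']+\s', re.I)

# What was presumably meant: an alternation of whole keywords.
AS_INTENDED = re.compile(r'\s(' + '|'.join(BAD_SQL_WORDS) + r')\s', re.I)

def check_for_bad_sql(text, pattern=AS_WRITTEN):
    """True when the filter accepts the text (the PHP returns 1),
    False when it rejects it as a 'hack attempt' (the PHP returns 0)."""
    return pattern.search(text) is None

def rejected(samples, pattern):
    """Return the samples a given pattern would block."""
    return [s for s in samples if not check_for_bad_sql(s, pattern)]

# Constructed inputs. BENIGN is ordinary text a user might legitimately
# submit; SUSPICIOUS contains real SQL keywords.
BENIGN = [
    "Seth Amanda George",
    "please call me tomorrow",
    "pros and cons of the plan",
    "George",
]
SUSPICIOUS = [
    "x OR 1 = 1",            # the tautology from the Signature Weakness slide
    "select * from users",   # keyword at offset 0: no leading whitespace
]

if __name__ == "__main__":
    # As written: three of the four benign strings are blocked (any word
    # spelled only from letters such as a, d, e, l, m, n trips it), while the
    # SELECT passes because it is not surrounded by whitespace.
    print(rejected(BENIGN, AS_WRITTEN))
    print(rejected(SUSPICIOUS, AS_WRITTEN))
    # As intended: fewer false positives, but "and" still rejects a harmless
    # sentence, and the leading SELECT is still missed.
    print(rejected(BENIGN, AS_INTENDED))
    print(rejected(SUSPICIOUS, AS_INTENDED))
```

Either version misfires in both directions, which is the slide deck's argument for prepared statements over signature lists.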
Review
- Injection requires knowledge and craftiness on the attacker's part, but is very deadly
- SQL: database; XSS: web; Shell: machine
- Several prevention tactics, but prepared statements win