SQLrand: Preventing SQL Injection Attacks
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affairs
Riji Jacob, MS Student in Computer Science

Upload: linette-carroll

Post on 27-Dec-2015


Page 2: Introduction

* Many Web applications employ database-driven content on the Internet (e.g., Yahoo, Amazon).
* The interactive nature of Web applications that employ database services exposes them to SQL injection attacks.
* Web applications receive user inputs via form fields and then pass those inputs on as database requests.

Page 3: Importance of Database Security

* Transactions may involve user names, passwords and information of large monetary value.
* It is also a national security and privacy matter, e.g. social security numbers in the U.S.
* SQL injection attacks are widespread and Web applications are vulnerable to SQL Injection Attacks (SQLIAs).
* A Gartner Group study of over 300 Internet Web sites showed that most of them could be vulnerable to SQLIAs.
* SQLIA examples: Travelocity, FTD.com, and Guess Inc.

Page 4: SQL Injection Attack (SQLIA)

* SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
* Data provided by the user is NOT validated and is included in an SQL query in such a way that part of the user's input is treated as SQL code.

Page 5: SQLIA Types

* Tautologies
* Illegal/Logically Incorrect Queries
* Union Query
* Piggy-Backed Queries
* Stored Procedures
* Inference
* Alternate Encodings

Page 6: Tautologies

Attack Intent: Bypassing authentication, identifying injectable parameters, extracting data.

Description: The general goal of a tautology-based attack is to inject code into one or more conditional statements so that they always evaluate to true. An attacker exploits an injectable field that is used in a query's WHERE conditional.

SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=

Page 7: Illegal/Logically Incorrect Queries

Attack Intent: Identifying injectable parameters, performing database finger-printing, extracting data.

Description: This attack lets an attacker gather important information about the type and structure of the back-end database of a Web application.

SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert(int,(select top 1 name from sysobjects where xtype='u'))

Page 8: Union Query

Attack Intent: Bypassing authentication, extracting data.

Description: In union-query attacks, an attacker exploits a vulnerable parameter to change the data set returned for a given query.

SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass='' AND pin=

Page 9: Piggy-Backed Queries

Attack Intent: Extracting data, adding or modifying data, performing denial of service, executing remote commands.

Description: In this attack type, an attacker tries to inject additional queries into the original query. Vulnerability to this type of attack is often dependent on having a database configuration that allows multiple statements to be contained in a single string.

SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123
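As an added illustration for the tautology (Page 6) and piggy-backed (Page 9) slides, and not part of the original presentation, the following Python script runs both patterns against a constructed in-memory SQLite table. The table, its rows and every function name are assumptions made for this example. The vulnerable string-concatenated lookup is shown beside a parameterized version, and the piggy-backed case shows that the attack depends on the database API accepting several statements in one string, which is the configuration dependency the slide names.

```python
import sqlite3

# Constructed sample data for this example: a tiny in-memory stand-in for the
# "users" table used in the slides' queries (column names follow the slides).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("doe", "s3cret", 1234, "ACC-001"),
        ("alice", "hunter2", 9876, "ACC-002"),
    ])
    con.commit()
    return con

def lookup_concat(con, login, pwd, pin):
    """Vulnerable form (the pattern behind the slides' example queries):
    form fields are pasted into the SQL text, so an input such as
    ' or 1=1 --  becomes part of the WHERE clause and turns it into a
    tautology; the trailing -- comments out the remaining conditions."""
    sql = ("SELECT accounts FROM users WHERE login='" + login +
           "' AND pass='" + pwd + "' AND pin=" + str(pin))
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, login, pwd, pin):
    """Hardened form: bound parameters travel as data, never as SQL code,
    so the same input is simply compared against the column values."""
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return [row[0] for row in con.execute(sql, (login, pwd, pin))]

# Piggy-backed input from slide 9: the password field carries a second statement.
PIGGYBACK_PWD = "'; DROP TABLE users --"

def _piggyback_sql():
    return ("SELECT accounts FROM users WHERE login='doe' AND pass='" +
            PIGGYBACK_PWD + "' AND pin=123")

def piggyback_single_statement_api(con):
    """sqlite3's execute() accepts exactly one statement per call, so the
    piggy-backed text is refused before anything runs. Returns True when the
    call is rejected (older Python versions raise sqlite3.Warning here)."""
    try:
        con.execute(_piggyback_sql())
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True

def piggyback_multi_statement_api(con):
    """executescript() runs every statement in the string, which is the
    database-side condition the slide names. Returns True if the users table
    still exists afterwards (it does not)."""
    con.executescript(_piggyback_sql())
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1

if __name__ == "__main__":
    con = make_db()
    print(lookup_concat(con, "' or 1=1 --", "", ""))   # every account leaks
    print(lookup_param(con, "' or 1=1 --", "", ""))    # []
    print(piggyback_single_statement_api(con))         # True: rejected
    print(piggyback_multi_statement_api(con))          # False: table dropped
```

Run the script as-is; the parameterized lookup is the fix the slides' later SQLrand material complements rather than replaces, and the single-statement API behaviour is the simplest concrete form of the "database configuration" caveat on Page 9.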

Page 10: Stored Procedures

Attack Intent: Performing privilege escalation, performing denial of service, executing remote commands.

Description: SQLIAs of this type try to execute stored procedures. An attacker first determines which back-end database is in use.

CREATE PROCEDURE DBO.isAuthenticated
  @userName varchar2, @pass varchar2, @pin int
AS
  EXEC("SELECT accounts FROM users WHERE login='" + @userName + "' and pass='" + @pass + "' and pin=" + @pin);
GO

Page 11: Inference

Attack Intent: Identifying injectable parameters, extracting data, determining database schema.

Description: The query is modified to recast it in the form of an action that is executed based on the answer to a true/false question about data values in the database. Attackers are generally trying to attack a site that has been secured enough that, when an injection has succeeded, there is no usable feedback via database error messages.

SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ' AND pass='' AND pin=0

Page 12: Alternate Encodings

Attack Intent: Evading detection.

Description: In this attack, the injected text is modified so as to avoid detection by defensive coding practices and also many automated prevention techniques.

SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass='' AND pin=

...tion with other attacks.

Page 13: SQLrand: Preventing SQL Injection Attacks

* Apply instruction-set randomization to SQL.
* Create instances of the language that are unpredictable to the attacker.
* Queries injected by the attacker will be caught by the database parser.
* An intermediary proxy translates the random SQL to its standard language.
* The mechanism imposes negligible performance overhead on query processing and can be easily retrofitted to existing systems.

Page 14: SQLrand and System Architecture

Page 15: Example

The mechanism provides a tool that reads SQL statement(s) and rewrites all keywords with the random key appended.

select gender, avg(age) from cs101.students where dept = %d group by gender

The utility will identify the six keywords in the example query and append the key to each one (e.g., when the key is "123"):

select123 gender, avg123(age) from123 cs101.students where123 dept = %d group123 by123 gender

Page 16: Implementation

* Built a proxy server that sits between the client (web server) and the SQL server, de-randomizes requests received from the client, and conveys the query to the server.
* If an SQL injection attack has occurred, the proxy's parser will fail to recognize the randomized query and will reject it.
* The implementation focused on CGI scripts as the query generators; a similar approach applies when using JDBC.

Page 17: THANK YOU