SQL Injection v.2
DESCRIPTION
High-level review of SQL injection techniques and of methods for avoiding security failures.
TRANSCRIPT
SQL injections for Dummies
OWASP Community Lviv
Bohdan Serednytskyi, Security Engineer, R&D Team, SoftServe. August 2012
Easy to exploit!
Common in Web Apps!
Severe impact!
SQL-Injection
The ability to inject SQL commands into the database engine through an existing application.
SQL-Injection Impact
Data Leakage
Data Modification
Denial of Access
Data Loss
Complete host takeover
SQL-Injection
A vulnerable request is not limited to reading data: the injected SQL can carry INSERT, UPDATE and DELETE as well.
It is a flaw in web application development; it is not a DB or web server problem.
Almost all SQL databases and programming languages are potentially affected.
SQL-Injection Anatomy
SQL-injection: the query result or the database error message is visible in the response, so injected data can be read directly (for example through UNION).
Blind SQL-injection: nothing from the query is shown, but a true condition and a false condition produce different pages, so data is extracted one yes/no question at a time.
Double blind SQL-injection: the page is the same either way; the only signal is timing, obtained by making the true branch delay the query.
Scenario
Attacker -> WEB-server -> DB (Database)
Attacker's request:
http://example.com/app/accountView?id='%' or '0'='0' union select null, version() #
Query the web server sends to the database:
SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0' union select null, version() #;
The injected value closes the string literal, adds a condition that is always true, appends a UNION that returns the MySQL version() in the last_name column, and the trailing # (a MySQL comment) discards the rest of the original query.
Example
private void queryDB(String u_name) {
    // Vulnerable: the user-supplied name is concatenated straight into the SQL text
    String sql = "select * from users where name = '" + u_name + "'";
    doQuery(sql); // the application's own query helper
}
1) u_name = Jerry -> select * from users where name = 'Jerry'
2) u_name = Jerry' or '1'='1 -> select * from users where name = 'Jerry' or '1'='1'
Example: Blind SQL-injection
1) http://newspaper.com/items.php?id=2 and 1=2
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
The condition is always false: the article is not shown.
2) http://newspaper.com/items.php?id=2 and 1=1
SELECT title, description, body FROM items WHERE ID = 2 and 1=1
The condition is always true: the page looks normal.
No error text or query output is displayed, but the difference between the two responses tells the attacker the id parameter is injectable; the same true/false test can then extract data one condition at a time.
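The three attacks shown on the slides above (the tautology from the Example slide, the UNION from the Scenario slide, and the 1=1 / 1=2 comparison of the blind example) run end to end below against an in-memory SQLite database. This is an added example, not code from the presentation: the tables and rows are constructed, the function names (query_db_vulnerable, items_vulnerable, tautology_bypass, union_leak, blind_probe) are assumptions of the example, and SQLite's sqlite_version() and -- comment stand in for the MySQL version() and # used on the slides.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data standing in for the slides' users and items tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Jerry', 's3cret');
        INSERT INTO users VALUES (2, 'Tom', 'hunter2');
        CREATE TABLE items (id INTEGER, title TEXT, description TEXT, body TEXT);
        INSERT INTO items VALUES (2, 'Headline', 'Summary', 'Body text');
    """)
    return conn


def query_db_vulnerable(conn: sqlite3.Connection, u_name: str) -> list:
    """Same flaw as the slides' queryDB(): the value is pasted into the SQL text."""
    sql = "select user_id, name, password from users where name = '" + u_name + "'"
    return conn.execute(sql).fetchall()


def items_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    """items.php?id=... handler: a numeric value is pasted in without quotes,
    so no quote character is needed to break out of it."""
    sql = "SELECT title, description, body FROM items WHERE id = " + item_id
    return conn.execute(sql).fetchall()


def tautology_bypass(conn: sqlite3.Connection) -> list:
    # name = 'Jerry' or '1'='1' is true for every row, so the name filter disappears.
    return query_db_vulnerable(conn, "Jerry' or '1'='1")


def union_leak(conn: sqlite3.Connection) -> list:
    # Close the literal, append a UNION with the same column count (3), and comment
    # out the trailing quote with -- (SQLite form of the MySQL # on the slides).
    return query_db_vulnerable(conn, "' union select null, sqlite_version(), null --")


def blind_probe(conn: sqlite3.Connection, base_id: str) -> bool:
    """The blind test: True when 'and 1=1' and 'and 1=2' give different responses,
    which means the parameter reaches the query unescaped."""
    true_page = items_vulnerable(conn, base_id + " and 1=1")
    false_page = items_vulnerable(conn, base_id + " and 1=2")
    return true_page != false_page


if __name__ == "__main__":
    db = make_db()
    print("normal:     ", query_db_vulnerable(db, "Jerry"))
    print("tautology:  ", tautology_bypass(db))
    print("union:      ", union_leak(db))
    print("blind id=2: ", blind_probe(db, "2"))
    print("blind id=999:", blind_probe(db, "999"))
```

Run it directly to print the results. blind_probe is the same logic a fuzzer applies when it has no query output or error text to read: send a pair of payloads that differ only in truth value and compare the two responses; for id=999 both requests return nothing, so no difference is seen and the probe reports no signal.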
Detection
Discovery of Vulnerabilities
Every value the application copies into a query is a candidate injection point:
Fields in web form
Script parameters in URL query strings
Values stored in cookies or hidden fields
Fuzzing
Character sequence: ' " ) # || + >
A single quote or closing parenthesis that produces a database error, or a changed page, is the first sign that the input reaches a query unescaped.
Delay query: ' waitfor delay '0:0:10'--
This is Microsoft SQL Server syntax; the MySQL and PostgreSQL equivalents are sleep(10) and pg_sleep(10). A response that arrives about ten seconds late confirms the injection even when nothing is returned and the page does not change (the double blind case).
SQL reserved words with white space delimiters
Protection
Use of Prepared Statements (Parameterized Queries)
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
The ? placeholder is bound to the value after the statement has been parsed, so whatever custname contains is treated as data and cannot change the structure of the query. This is the primary defense; the measures that follow are defense in depth.
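The same payloads against a concatenated query and against a parameterized one, as an added example (not the presentation's Java code) using Python's sqlite3 driver, whose ? placeholder plays the role of the PreparedStatement ? above. The table contents, the O'Brien row, the payload list and the function names are constructed for this example.

```python
import sqlite3


def make_users_db() -> sqlite3.Connection:
    """Constructed sample data; note the legitimate name with an embedded quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Jerry", "s3cret"), (2, "Tom", "hunter2"), (3, "O'Brien", "pa55")])
    return conn


def query_db_vulnerable(conn: sqlite3.Connection, u_name: str) -> list:
    """Concatenation: the input becomes part of the SQL text."""
    sql = "select user_id, name from users where name = '" + u_name + "'"
    return conn.execute(sql).fetchall()


def query_db_safe(conn: sqlite3.Connection, u_name: str) -> list:
    """Parameterized: ? is a placeholder bound after parsing, so the value can only
    ever be compared with the name column and never changes the query's structure."""
    return conn.execute("select user_id, name from users where name = ?", (u_name,)).fetchall()


PAYLOADS = [
    "Jerry' or '1'='1",                                # tautology from the Example slide
    "' union select user_id, password from users --",  # data leakage via UNION
    "O'Brien",                                         # legitimate value containing a quote
]


def run_vulnerable(conn: sqlite3.Connection, u_name: str):
    """Row count from the concatenated query, or the error text if the SQL broke.
    A database error shown to the user is itself the signal a fuzzer looks for."""
    try:
        return len(query_db_vulnerable(conn, u_name))
    except sqlite3.Error as exc:
        return f"error: {exc}"


def compare(conn: sqlite3.Connection) -> dict:
    """For each payload: (result of the concatenated query, row count of the parameterized one)."""
    return {p: (run_vulnerable(conn, p), len(query_db_safe(conn, p))) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vulnerable, safe) in compare(make_users_db()).items():
        print(f"{payload!r:55} concatenated={vulnerable!r:35} parameterized={safe}")
```

The third payload is the practical argument for parameters over escaping: a name with an apostrophe breaks the concatenated query (and the resulting SQL error, if shown to the user, is exactly the symptom the fuzzing slide probes for), while the bound parameter matches the row without any escaping. The two attack payloads return every row or every password through concatenation and nothing through the placeholder, because there the whole string is compared literally against the name column.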
Use of Stored Procedures
String custname = request.getParameter("customerName");
try {
    CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
    cs.setString(1, custname);
    ResultSet results = cs.executeQuery();
    // ... result set handling
} catch (SQLException se) {
    // ... logging and error handling
}
Stored procedures protect only when the procedure itself uses its arguments as parameters. A procedure that builds a query string from its arguments and executes it (dynamic SQL) is just as injectable as the concatenation in the application code.
Escaping all User Supplied Input
OWASP Enterprise Security API
Escaping is a last resort for code that cannot be changed to use parameters: the escaping rules differ per database, so it must be done with a database-specific codec (ESAPI's Encoder.encodeForSQL takes a codec such as MySQLCodec or OracleCodec), and hand-written escaping is easy to get wrong.
Web Application Firewall
A security solution at the web application level that does not depend on the application itself.
A WAF filters requests by rule or signature and can be tuned to block the probes above, but it does not fix the vulnerable code and can be bypassed with encoding and comment tricks; treat it as an additional layer, not a replacement for parameterized queries.
Additional Defenses
Least Privilege: the account the application uses to connect should be able to do only what the application needs (no DROP, no administrative or OS-level procedures), so a successful injection cannot escalate to data loss or host takeover.
White List Input Validation: accept only the expected form of each parameter (an integer id, a value from a fixed list); this is the only option for parts of a query that cannot be bound as parameters, such as column names in ORDER BY.
IDS, IPS: detect or block the probing and the resulting attack traffic; like a WAF, this is monitoring and defense in depth, not a fix.
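Whitelist input validation is the defense for the parts of a statement that a placeholder cannot carry, such as the column name and direction in ORDER BY, and it also hardens numeric parameters like the id in items.php?id=2. The added example below (not from the presentation; the table, rows, allowlists and function names are constructed for it) combines an allowlist for the identifiers with a bound parameter for the value.

```python
import re
import sqlite3

# Identifiers and keywords cannot be bound with ? placeholders, so they are checked
# against a fixed allowlist instead of being escaped. Both sets are constructed.
ALLOWED_SORT_COLUMNS = {"id", "title"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def make_items_db() -> sqlite3.Connection:
    """Constructed sample data for an items.php-style listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "Apple"), (2, "Mango"), (3, "Zebra")])
    return conn


def is_valid_id(raw: str) -> bool:
    """Whitelist check for a numeric id: ASCII digits only, bounded length,
    so '2 and 1=1' or '2; drop table items' is rejected before any SQL exists."""
    return re.fullmatch(r"[0-9]{1,18}", raw) is not None


def is_valid_sort(column: str, direction: str) -> bool:
    """Identifier and keyword must be members of the fixed sets, nothing else."""
    return column in ALLOWED_SORT_COLUMNS and direction.lower() in ALLOWED_DIRECTIONS


def list_items(conn: sqlite3.Connection, max_id: str,
               column: str = "id", direction: str = "asc") -> list:
    """Value goes through a bound parameter; identifier and keyword go through the allowlist."""
    if not is_valid_id(max_id):
        raise ValueError(f"rejected id parameter: {max_id!r}")
    if not is_valid_sort(column, direction):
        raise ValueError(f"rejected sort parameter: {column!r} {direction!r}")
    # Only allowlisted strings can reach this f-string; the id is still bound with ?.
    sql = f"SELECT id, title FROM items WHERE id <= ? ORDER BY {column} {direction.upper()}"
    return conn.execute(sql, (int(max_id),)).fetchall()


if __name__ == "__main__":
    db = make_items_db()
    print(list_items(db, "2", "title", "desc"))
    for bad in [("2 and 1=1", "id", "asc"), ("3", "title; drop table items", "asc")]:
        try:
            list_items(db, *bad)
        except ValueError as exc:
            print(exc)
```

Validation rejects; it does not try to clean. A request such as id=2 and 1=1 or sort=title; drop table items raises before any SQL is built, and the only strings that ever reach the query text are members of the two fixed sets.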