web site security part 2 : defending against sql injection
DESCRIPTION
Web site security Part 2 : Defending Against SQL Injection. Reporter : James Chen. Outline. What is SQL Injection? SQL Injection Testing Methodology SQL Injection Defense SQL injection detection method and tools My Automatic Anti-SQL Injection Method features Summary. - PowerPoint PPT PresentationTRANSCRIPT
1
Web site security Part 2 : Defending Against SQL Injection
Reporter : James Chen
2
Outline
What is SQL Injection? SQL Injection Testing Methodology SQL Injection Defense SQL injection detection method and tools My Automatic Anti-SQL Injection Method f
eatures Summary
3
What is SQL Injection?
The ability to inject SQL commands into the database enginethrough an existing application
4
How common is it? It is probably the most common Website vulnerability
today! It is a flaw in "web application" development,
it is not a DB or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo “templates” are
vulnerable Even worse, a lot of solutions posted on the Internet
are not good enough In our pen tests over 60% of our clients turn out to be
vulnerable to SQL Injection
5
Vulnerable Applications Almost all SQL databases and programming languages are
potentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access,
Sybase, Informix, etc Accessed through applications developed using:
Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and API’s Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) many more
6
SQL Injection Characters ' or " character String Indicators -- or # single-line comment /*…*/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay
7
SQL Injection Testing Methodology
1) Input Validation
2) Info. Gathering
6) OS Cmd Prompt
7) Expand Influence
4) Extracting Data
3) 1=1 Attacks 5) OS Interaction
8
1) Input Validation :Discovery of Vulnerabilities
Vulnerabilities can be anywhere, we check all entry points: Fields in web forms Script parameters in URL query strings Values stored in cookies or hidden fields
By "fuzzing" we insert into every one: Character sequence: ' " ) # || + > SQL reserved words with white space delimiters
%09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc)
Delay query ' waitfor delay '0:0:10'--
9
2) Information Gathering We will try to find out the following:
Understand the query Output mechanism Determine database type Find out user privilege level
10
3) 1=1 Attacks
Discover DB structure Enumerating table columns in different DB
s Database Enumeration
11
4) Extracting Data
Password grabbing Create DB Accounts Grabbing MS SQL Server Hashes Brute forcing Passwords Transfer DB structure and data Create Identical DB Structure Transfer DB
12
5) OS Interaction
Interacting with the OS Assessing Network Connectivity Gathering IP information through reverse l
ookups Network Reconnaissance
13
Architecture To keep in mind always! Our injection most times will be executed on a different
server The DB server may not even have Internet access
Web Server
WebPage
Access
Database Server
Injected SQLExecution!
Application Server
InputValidation
Flaw
14
6) OS Cmd Prompt
Jumping to the OS Using ActiveX Automation Scripts Retrieving VNC Password from Registry
15
7) Expand Influence
Hopping into other DB Servers Linked Servers Executing through stored procedures
remotely Uploading files through reverse connection Uploading files through SQL Injection
16
Evasion Techniques Input validation or IDS Signature Evasion
Evading ' OR 1=1 signature ' OR 'something' like 'some%‘
use PHP addslashes() function to escape characters This can be easily evaded by using replacements f
or any of characters in a numeric field To be circumvented by encoding or using Char() Using white spaces, comments, string concatenati
on, variables, hex value
17
SQL Injection Defense It is quite simple: input validation The real challenge is making best
practices consistent through all your codeEnforce "strong design" in new applicationsYou should audit your existing websites and
source code Even if you have an air tight design,
harden your servers
18
Strong Design Define an easy "secure" path to querying
dataUse stored procedures for interacting with
databaseCall stored procedures through a
parameterized APIValidate all input through generic routinesUse the principle of "least privilege"
Define several roles, one for each kind of query
19
Input Validation Define data types for each field
Implement stringent "allow only good" filters If the input is supposed to be numeric, use a
numeric variable in your script to store itReject bad input rather than attempting to
escape or modify it Implement stringent "known bad" filters
For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
20
Harden the Server Run DB as a low-privilege user account Remove unused stored procedures and functionality or
restrict access to administrators Change permissions and remove "public" access to
system objects Audit password strength for all user accounts Remove pre-authenticated linked servers Remove unused network protocols Firewall the server so that only trusted clients can
connect to it (typically only: administrative network, web server and backup server)
21
Detection and Dissuasion You may want to react to SQL injection attempts by:
Logging the attempts Sending email alerts Blocking the offending IP Sending back intimidating error messages:
"WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken."
Check with your lawyers for proper wording This should be coded into your validation scripts
22
SQL injection detection method has introducedTypical validation procedureAnti-SQL-Injection.phpTo take the popular open-source IDS SnortWAVES—Black-box approach
23
WAVES—Black-box approach Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. “Web
Application Security Assessment by Fault Injection and Behavior Monitoring.” In Proc. 12th Int’l World Wide Web Conference, p.148-159, Budapest, Hungary, 2003.
Using crawler to discover all pages in a Web site that contain HTML forms.
HTML forms are parsed and stored in XML format.
To inject malicious SQL patterns into the server-side program that processes the form’s input.
If the filtering mechanism is provided on a global scale, then injection will fail.
24
Automatic black-box method features
Complete crawling Bypass the validation procedure Test set and injection patterns Automatic
generation (self-learning) Output analysis according output error
messages
25
Other sql injection tools introduction
Absinthe WebScarab WebGoat
26
Absinthe (字典攻擊 )
27
Absinthe (cont.)
28
Web Scarab
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
It is written in Java, and is thus portable to many platforms.
WebScarab records the conversations (requests and responses) that it observes.
To allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
29
WebScarab plugin WebScarab provides a number of plugins :
Fragments - extracts Scripts and HTML comments from HTML pages.
Proxy - observes traffic between the browser and the web server
Manual intercept Reveal hidden fields
Spider - identifies new URLs on the target site, and fetches them on command.
Parameter fuzzer - performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
30
WebScarab Feature
WebScarab is extensible. Each feature above is implemented as a pl
ugin, and can be removed or replaced. New features can be easily implemented a
s well . WebScarab is intended to become the tool
of choice for serious Web debugging.
31
WebScarab-selfcontained.jar
32
WebScarab snapshot
33
WebGoat
Web application security is difficult to learn and practice.
WebGoat is a full J2EE web application designed to teach web application security lessons.
34
My Automatic Anti-SQL Injection Method features 不需要重新改寫網頁 不需調整資料庫安全權限 不需透過 IDS 或其他網路防禦設備 不針對字典攻擊做防禦 自動加入 input vlidation or filter function 於網頁中
35
How to insert validation function
Using crawler to discover all pages in a Web site that contain HTML forms.
HTML forms are parsed and stored in XML format.
To inject validation function into the server-side program that processes the form’s input.
If SQL injection fail, my solutioin is success.
36
How to implement my solution Using Web Scarab as platform. Using Web Scarab’s Spider to identifies new U
RLs on the target site, and fetches them on command.
To inject validation function into the server-side program that processes the form’s input.
Testing:using Web Scarab’s Parameter fuzzer to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
37
Summary SQL Injection is a dangerous vulnerability All programming languages and all SQL databas
es are potentially vulnerable Protecting against it requires Input validation, ID
S detection AND strong database and OS hardening must be used together.
We try to implement a anti-SQL Injection system to insert correct input validation function automatically.
38
Reference
Advanced SQL Injection, Victor Chapela, http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt