web site security part 2 : defending against sql injection

Post on 12-Feb-2016


DESCRIPTION

Web site security Part 2: Defending Against SQL Injection. Reporter: James Chen. Outline: What is SQL Injection?; SQL Injection Testing Methodology; SQL Injection Defense; SQL injection detection method and tools; My Automatic Anti-SQL Injection Method features; Summary. (PowerPoint PPT presentation)

TRANSCRIPT

Page 1: Web site security Part 2: Defending Against SQL Injection

Reporter: James Chen

Page 2

Outline

What is SQL Injection?
SQL Injection Testing Methodology
SQL Injection Defense
SQL injection detection method and tools
My Automatic Anti-SQL Injection Method features
Summary

Page 3

What is SQL Injection?

The ability to inject SQL commands into the database engine through an existing application

Page 4

How common is it?

It is probably the most common Web site vulnerability today!
It is a flaw in "web application" development; it is not a DB or web server problem
Most programmers are still not aware of this problem
A lot of the tutorials & demo "templates" are vulnerable
Even worse, a lot of solutions posted on the Internet are not good enough
In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection

Page 5

Vulnerable Applications

Almost all SQL databases and programming languages are potentially vulnerable:
MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
Accessed through applications developed using:
Perl and CGI scripts that access databases
ASP, JSP, PHP
XML, XSL and XSQL
Javascript
VB, MFC, and other ODBC-based tools and APIs
DB-specific Web-based applications and APIs
Reports and DB Applications
3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
many more

Page 6

SQL Injection Characters

' or "                    character string indicators
-- or #                   single-line comment
/*...*/                   multiple-line comment
+                         addition, concatenate (or space in URL)
|| (double pipe)          concatenate
%                         wildcard attribute indicator
?Param1=foo&Param2=bar    URL parameters
PRINT                     useful as non-transactional command
@variable                 local variable
@@variable                global variable
waitfor delay '0:0:10'    time delay

Page 7

SQL Injection Testing Methodology

1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
4) Extracting Data
5) OS Interaction
6) OS Cmd Prompt
7) Expand Influence

Page 8

1) Input Validation: Discovery of Vulnerabilities

Vulnerabilities can be anywhere, we check all entry points:
Fields in web forms
Script parameters in URL query strings
Values stored in cookies or hidden fields

By "fuzzing" we insert into every one:
Character sequence: ' " ) # || + >
SQL reserved words with white space delimiters: %09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc)
Delay query: ' waitfor delay '0:0:10'--

Page 9

2) Information Gathering

We will try to find out the following:
Understand the query
Output mechanism
Determine database type
Find out user privilege level

Page 10

3) 1=1 Attacks

Discover DB structure
Enumerating table columns in different DBs
Database Enumeration

Page 11

4) Extracting Data

Password grabbing
Create DB Accounts
Grabbing MS SQL Server Hashes
Brute forcing Passwords
Transfer DB structure and data
Create Identical DB Structure
Transfer DB

Page 12

5) OS Interaction

Interacting with the OS
Assessing Network Connectivity
Gathering IP information through reverse lookups
Network Reconnaissance

Page 13

Architecture

To keep in mind always!
Our injection most times will be executed on a different server
The DB server may not even have Internet access

[Diagram: Web Server (web page access) -> Application Server (input validation flaw) -> Database Server (injected SQL execution!)]

Page 14

6) OS Cmd Prompt

Jumping to the OS
Using ActiveX Automation Scripts
Retrieving VNC Password from Registry

Page 15

7) Expand Influence

Hopping into other DB Servers
Linked Servers
Executing through stored procedures remotely
Uploading files through reverse connection
Uploading files through SQL Injection

Page 16

Evasion Techniques

Input validation or IDS signature evasion
Evading the ' OR 1=1 signature: ' OR 'something' like 'some%'
Using the PHP addslashes() function to escape characters: this can be easily evaded by using replacements for any of the characters in a numeric field
To be circumvented by encoding or using Char()
Using white spaces, comments, string concatenation, variables, hex values

Page 17

SQL Injection Defense

It is quite simple: input validation
The real challenge is making best practices consistent through all your code
Enforce "strong design" in new applications
You should audit your existing websites and source code
Even if you have an air tight design, harden your servers

Page 18

Strong Design

Define an easy "secure" path to querying data
Use stored procedures for interacting with the database
Call stored procedures through a parameterized API
Validate all input through generic routines
Use the principle of "least privilege"
Define several roles, one for each kind of query
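An added example, not from the original slides, showing the "easy secure path" of this slide in Python's sqlite3: the concatenated query beside the parameterized one, and a query-only connection standing in for a read-only database role. The users table and its rows are constructed sample data; SQLite's PRAGMA query_only is used because SQLite has no roles.

```python
import sqlite3

# Constructed sample data: an in-memory users table with two accounts.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Vulnerable form: the input is spliced into the SQL text, so quote
# characters in the input become part of the statement the engine parses.
def find_user_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# Hardened form: the statement text is fixed and the value travels
# separately as a bound parameter. The engine never parses the value as
# SQL, whatever characters it contains.
def find_user_param(conn, name):
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Least privilege: a connection used only for lookups is made read-only, so
# even a successful injection through it cannot change data. (Stand-in for
# a dedicated read-only role on a server database.)
def read_only_connection(conn):
    conn.execute("PRAGMA query_only = 1")
    return conn

def write_blocked(conn):
    """True if the connection refuses a data-changing statement."""
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = build_db()
    probe = "' OR 1=1 --"   # the slide-16 style input, treated as data below
    print(find_user_concat(db, probe))   # both rows: the WHERE clause was rewritten
    print(find_user_param(db, probe))    # []: no user is literally named that
    print(write_blocked(read_only_connection(db)))   # True
```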

Page 19

Input Validation

Define data types for each field
Implement stringent "allow only good" filters
If the input is supposed to be numeric, use a numeric variable in your script to store it
Reject bad input rather than attempting to escape or modify it
Implement stringent "known bad" filters
For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"

Page 20

Harden the Server

Run DB as a low-privilege user account
Remove unused stored procedures and functionality or restrict access to administrators
Change permissions and remove "public" access to system objects
Audit password strength for all user accounts
Remove pre-authenticated linked servers
Remove unused network protocols
Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)

Page 21

Detection and Dissuasion

You may want to react to SQL injection attempts by:
Logging the attempts
Sending email alerts
Blocking the offending IP
Sending back intimidating error messages:
"WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken."
Check with your lawyers for proper wording
This should be coded into your validation scripts
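An added Python example, not part of the original slides, that combines the rules of the Input Validation slide (typed fields, allow-only-good patterns, reject rather than escape, a known-bad token list) with the logging reaction of this slide. The field names, patterns, client address and sample request parameters are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Allow-only-good definitions: each field has a type and a pattern the raw
# value must match completely. Anything else is rejected, never escaped.
FIELDS = {
    "id":       {"type": int, "pattern": r"[0-9]{1,10}"},
    "username": {"type": str, "pattern": r"[A-Za-z0-9_]{1,32}"},
    "email":    {"type": str, "pattern": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"},
}

# "Known bad" filter from the Input Validation slide plus the slide-6
# characters: a second net behind the allow-list, and what detection logs on.
KNOWN_BAD = re.compile(
    r"(\bselect\b|\binsert\b|\bupdate\b|\bshutdown\b|\bdelete\b|\bdrop\b"
    r"|--|'|\"|#|\|\||/\*|\bwaitfor\b)", re.IGNORECASE)

def validate(params):
    """Return (clean, rejections): typed accepted values and (field, reason) refusals."""
    clean, rejections = {}, []
    for name, raw in params.items():
        spec = FIELDS.get(name)
        if spec is None:
            rejections.append((name, "unknown field"))
            continue
        if KNOWN_BAD.search(raw):
            rejections.append((name, "known-bad token"))
            continue
        if not re.fullmatch(spec["pattern"], raw):
            rejections.append((name, "not allowed by pattern"))
            continue
        clean[name] = spec["type"](raw)   # numeric fields stored as numbers
    return clean, rejections

def log_attempt(client_ip, rejections, now=None):
    """One log line per refused field; raw input is deliberately not echoed."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return [f"{ts} client={client_ip} field={f} reason={r}" for f, r in rejections]

if __name__ == "__main__":
    good = {"id": "42", "username": "alice"}
    bad = {"id": "42 OR 1=1", "username": "bob'--", "email": "x@example.com"}
    print(validate(good))
    clean, rej = validate(bad)
    for line in log_attempt("192.0.2.10", rej):
        print(line)
```

The log lines are what an email alert or IP block of this slide would be driven from; the validation routine itself only accepts or refuses.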

Page 22

SQL injection detection methods introduced

Typical validation procedure
Anti-SQL-Injection.php
Using the popular open-source IDS Snort
WAVES: black-box approach

Page 23

WAVES: Black-box approach

Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. "Web Application Security Assessment by Fault Injection and Behavior Monitoring." In Proc. 12th Int'l World Wide Web Conference, p.148-159, Budapest, Hungary, 2003.

Use a crawler to discover all pages in a Web site that contain HTML forms.
HTML forms are parsed and stored in XML format.
Inject malicious SQL patterns into the server-side program that processes the form's input.
If the filtering mechanism is provided on a global scale, then injection will fail.

Page 24

Automatic black-box method features

Complete crawling
Bypass the validation procedure
Test set and injection patterns: automatic generation (self-learning)
Output analysis according to output error messages

Page 25

Other SQL injection tools introduction

Absinthe
WebScarab
WebGoat

Page 26

Absinthe (dictionary attack)

Page 27

Absinthe (cont.)

Page 28

WebScarab

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
It is written in Java, and is thus portable to many platforms.
WebScarab records the conversations (requests and responses) that it observes.
This allows a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

Page 29

WebScarab plugins

WebScarab provides a number of plugins:
Fragments - extracts scripts and HTML comments from HTML pages.
Proxy - observes traffic between the browser and the web server:
  Manual intercept
  Reveal hidden fields
Spider - identifies new URLs on the target site, and fetches them on command.
Parameter fuzzer - performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

Page 30

WebScarab Features

WebScarab is extensible. Each feature above is implemented as a plugin, and can be removed or replaced. New features can be easily implemented as well. WebScarab is intended to become the tool of choice for serious Web debugging.

Page 31

WebScarab-selfcontained.jar

Page 32

WebScarab snapshot

Page 33

WebGoat

Web application security is difficult to learn and practice.
WebGoat is a full J2EE web application designed to teach web application security lessons.

Page 34

My Automatic Anti-SQL Injection Method features

No need to rewrite the web pages
No need to adjust database security permissions
No need for an IDS or other network defense devices
Does not defend against dictionary attacks
Automatically adds an input validation or filter function to the web pages

Page 35

How to insert the validation function

Use a crawler to discover all pages in a Web site that contain HTML forms.
HTML forms are parsed and stored in XML format.
Inject the validation function into the server-side program that processes the form's input.
If the SQL injection fails, my solution has succeeded.
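An added Python example, not the author's WebScarab-based implementation, of the form-discovery step described here and in the WAVES slide: it parses the HTML forms of one page and stores them as XML, the record from which a validation function or test set is then generated per form field. The sample page, its URL and the XML element layout are constructed assumptions; the crawl that fetches pages is left out.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample page: two forms, one with a hidden field (the
# slide-8 entry points include hidden fields, so they must be recorded too).
SAMPLE_HTML = """
<html><body>
<form action="/login.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="hidden" name="redir" value="/home"><input type="submit" value="Go">
</form>
<form action="/search.php">
  <input name="q"><select name="cat"><option>1</option></select>
</form>
</body></html>
"""

class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and user-data fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(), "fields": []}
        elif self._cur is not None and tag in ("input", "select", "textarea"):
            ftype = a.get("type", "text" if tag == "input" else tag).lower()
            if ftype == "submit":
                return                      # buttons carry no user data
            self._cur["fields"].append({"name": a.get("name", ""), "type": ftype})
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def forms_to_xml(html, page_url):
    """Parse the page and return an XML <page> element, one <form> per form."""
    p = FormCollector()
    p.feed(html)
    root = ET.Element("page", url=page_url)
    for f in p.forms:
        fe = ET.SubElement(root, "form", action=f["action"], method=f["method"])
        for fld in f["fields"]:
            ET.SubElement(fe, "field", name=fld["name"], type=fld["type"])
    return root

if __name__ == "__main__":
    print(ET.tostring(forms_to_xml(SAMPLE_HTML, "http://example.test/"), encoding="unicode"))
```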

Page 36

How to implement my solution

Use WebScarab as the platform.
Use WebScarab's Spider to identify new URLs on the target site and fetch them on command.
Inject the validation function into the server-side program that processes the form's input.
Testing: use WebScarab's Parameter fuzzer to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

Page 37

Summary

SQL Injection is a dangerous vulnerability
All programming languages and all SQL databases are potentially vulnerable
Protecting against it requires input validation, IDS detection AND strong database and OS hardening, used together.
We try to implement an anti-SQL Injection system that inserts the correct input validation function automatically.

Page 38

Reference

Advanced SQL Injection, Victor Chapela, http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt