webapp security sql injection
play

Webapp security: SQL injection Network Security Lecture 9 Today - PowerPoint PPT Presentation

Jan 03, 2023 •550 likes •815 views

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

  1. Webapp security: SQL injection Network Security Lecture 9

  2. Today • We have finished analyzing the security of network protocols • We will now focus on web applications and their vulnerabilities (and attacks) – SQL injection Eike Ritter Network Security - Lecture 9 1

  3. SQL INJECTION Eike Ritter Network Security - Lecture 9 2

  4. SQL injection • Input validation vulnerability • SQL queries are built using (unsanitized) data provided by the users String q = " SELECT user, pwd FROM users ” + " WHERE user= ‘ " + request.getParameter( " user " ) + ” ’ ”; stmt.executeQuery(q); • If the attacker provides as parameter special characters such as ‘ (tick), -- (comment), + (space), % (wildcard), it is possible to: – Modify queries in an unexpected way – Probe the database – Run commands (e.g., using xp_commandshell in MS SQL Server)

  5. SQL injection

  6. SQL injection Eike Ritter Network Security - Lecture 9 5

  7. SQL injection foo " SELECT user, pwd FROM users ” + " WHERE user= ‘ " + request.getParameter( " user " ) + ” ’ ”; SQL Query SELECT user, pwd FROM users WHERE user = ‘foo’

  8. SQL injection ‘ OR 1=1# " SELECT user, pwd FROM users ” + " WHERE user= ‘ " + request.getParameter( " user " ) + ” ’ ”; SQL Query SELECT user, pwd FROM users WHERE user = ‘’ OR 1=1#’

  9. SQL injection • The application is not vulnerable if it uses prepared statements authQuery = conn.prepareStatement( “SELECT user, pwd FROM users WHERE user = ?”); authQuery.setString(1, request.getParameter(“user”)); authQuery.executeQuery(); Eike Ritter Network Security - Lecture 9 8

  10. Finding SQL injections • Provide the application specially-crafted values and check if they cause errors – ‘ – “ – # • Inject expression (typically a tautology) and check if it is interpreted: – user=‘ OR 1=1 # Eike Ritter Network Security - Lecture 9 9

  11. Exploiting SQL injections • Take advantage of server’s error messages to learn the structure of the database and its tables You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'foo, user, pwd from users' at line 1

  12. Exploiting SQL injections • Take advantage of server’s error messages to learn the structure of the database and its tables You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'foo, user, pwd from users' at line 1

  13. Exploiting different statement types • INSERT INTO users (user, pwd, privs) VALUES (‘foo’, ‘bar’, 1) • Suppose user field is vulnerable • Attacker submits: foo’, ‘bar’, 0) # • User foo is now registered with administrative privileges (0)

  14. Exploiting different statement types • UPDATE users SET pwd = ‘newbar’ WHERE user = ‘foo’ AND pwd = ‘bar’ • Again, user field is vulnerable • Attacker submits admin’ # • Attacker resets the admin’s password to a string of his/her choice

  15. Exploiting SQL injection – cont’d • You identified a SQL injection in the SELECT query used in the login page SELECT user, pwd FROM users WHERE user = ‘ + request.getParameter(“user”) • Great, you can enumerate all the users and their passwords • What if you are interested in the content of the credit_card table? • UNION operator to the rescue foo’ UNION SELECT cc_n, cc_name FROM credit_card

  16. Exploiting SQL injection – cont’d • Finding out more information about the database – Examples specific to MySQL (similar for other DBs) – Examples may fail depending on the specific configuration of the DB • List users of database select distinct user from mysql.user • List tables in database select table_name, table_schema from information_schema.tables • Get column name and type for a table in a given DB select column_name, column_type from information_schema.columns where table_schema = ”mydb” and table_name = “users” Eike Ritter Network Security - Lecture 9 15

  17. Blind SQL injection • Suppose error messages are disabled – Unsure whether command is executed correctly • How do we know if execution was successful? • Technique: – Conditional responses • Special case: timing techniques – Out-of-band channel Eike Ritter Network Security - Lecture 9 16

  18. Conditional responses • We leverage the SQL injection to ask boolean questions to the server – Questions that have a true/false answer • Are we running as root? • Is the first letter of the current database ‘a’? • Technique – Establish baseline: determine what response is provided by the application for a true question and for a false question • “true page”: page returned for a true question • “false page”: page returned for a false question – Inject question – Compare result with baseline • Did we obtain a true page or a false page Eike Ritter Network Security - Lecture 9 17

  19. Conditional responses • Scenario: – Assume there is a SQL injection on product_id parameter: /view?product_id=N – True page “Details about product…” – False page “No information about the product you searched” • Injections: – product_id=42 AND user() = “root” – product_id=42 AND substring(database(), 1, 1) = ‘a' Eike Ritter Network Security - Lecture 9 18

  20. Establishing the baseline • Keywords – Search for keywords that appear in the true page only and in the false page only • MD5 – Hash the resulting page • HTML structure differences – Differences in the DOM tree structure • Useful inputs to determine baseline – True question: 1=1 – False question: 1=0 Eike Ritter Network Security - Lecture 9 19

  21. Time-based techniques • Leverage time delays to infer execution status • Often attacker can force query to take long time if certain condition is met – waitfor (SQL Server) – sleep (MySQL) • Technique: – Hypothesis: “we are running as root” – Validation: issue a query that takes 5 seconds if the current user is actually root, else it terminates very quickly Eike Ritter Network Security - Lecture 9 20

  22. Time-based techniques (MySQL) • Are we running as root? select if ( user() = "root", sleep(5), 1); • Is the first letter of the user ‘a’? select if(substring(user(), 1, 1) = 'a', sleep(10), 2); 1 row in set (0.00 sec) • Is the first letter of the user ‘n’? select if(substring(user(), 1, 1) = 'n', sleep(10), 2); 1 row in set (10.00 sec) • How do we determine all the letters in the username? – 10 seconds per try – Binary search, anyone? Eike Ritter Network Security - Lecture 9 21

  23. NEXT ON Eike Ritter Network Security - Lecture 9 22

  24. Take away point and next time SQL injection Next time • Basic techniques • More SQL injection • More advanced techniques • Cross-site scripting vulnerabilities (XSS) – E.g., UNION queries • Blind injection • Cross-site request forgery (CSRF) – Conditional responses – Time-based techniques Eike Ritter Network Security - Lecture 9 23

  25. Read more • C. Anley, (more) Advanced SQL injection • K. Spett, Blind SQL Injection • C. Hotchkies, Blind SQL Injection Automation Techniques • F. Mavituna, SQL Injection Cheat Sheet • B. Damele and A. Guimaraes, Advanced SQL injection to operating system full control Eike Ritter Network Security - Lecture 9 24

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
Outline The web from a security perspective (contd) SQL injection CSci 5271 Announcements

Outline The web from a security perspective (contd) SQL injection CSci 5271 Announcements

Outline The web from a security perspective (contd) SQL injection CSci 5271 Announcements intermission Introduction to Computer Security Web security, combined slides Web authentication failures Cross-site scripting Stephen McCamant

333 views • 9 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

702 views • 37 slides
Web Security: Injection CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Web Security: Injection CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Web Security: Injection CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff,

801 views • 63 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
PUFFIN PUFFIN FREE WEBAPP HOSTING FOR AVERAGE USERS FREE WEBAPP HOSTING FOR AVERAGE USERS Jarek

PUFFIN PUFFIN FREE WEBAPP HOSTING FOR AVERAGE USERS FREE WEBAPP HOSTING FOR AVERAGE USERS Jarek

PUFFIN PUFFIN FREE WEBAPP HOSTING FOR AVERAGE USERS FREE WEBAPP HOSTING FOR AVERAGE USERS Jarek Lipski / loomchild.net puffin.rocks / LET'S START WITH... LET'S START WITH... A DEMO A DEMO WHAT IS IT? WHAT IS IT? Platform Catalog

373 views • 8 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

1.13k views • 91 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 |

End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 |

End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 | About me Security engineer @ Google Hacks libraries, tools, languages TC39 member ( JavaScript language committee ) Editor of "A Roadmap

407 views • 29 slides
Web Application Security John Mitchell Three top web site vulnerabilites SQL Injection

Web Application Security John Mitchell Three top web site vulnerabilites SQL Injection

CS 155 Spring 2013 Web Application Security John Mitchell Three top web site vulnerabilites SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query CSRF Cross-site request forgery

1.76k views • 90 slides
Introduction to SQL Injection Professor Larry Heimann Web Application Security Information Systems

Introduction to SQL Injection Professor Larry Heimann Web Application Security Information Systems

Introduction to SQL Injection Professor Larry Heimann Web Application Security Information Systems Lab 4 Review Fastest crackers Jake Correa Achal Channarasappa Swathi Anand Peter Podniesinski Chanamon Ratanalert Review

472 views • 22 slides
Overflows, Injection, and Memory Safety CS 161: Computer Security Prof. Vern Paxson TAs: Paul

Overflows, Injection, and Memory Safety CS 161: Computer Security Prof. Vern Paxson TAs: Paul

Overflows, Injection, and Memory Safety CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar,

665 views • 42 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information

Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information

Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information Systems Course exam scheduled on October 19 th There is an alternative exam on October 17 th at 6:00pm In Wean 5310 Lab 5 key lessons Lab was a form

300 views • 19 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides

More recommend