a classification of sql injection attack techniques and
play

A Classification of SQL Injection Attack Techniques and - PowerPoint PPT Presentation

Dec 20, 2022 •124 likes •425 views

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond, Jeremy Viegas & Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF award

  1. A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond, Jeremy Viegas & Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF award CCR-0209322 to Georgia Tech.

  2. Vulnerable Application String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); William Halfond – ISSSE 2006 – March 14 th , 2006

  3. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Normal Usage ¬ User submits login “ doe ” and pin “ 123 ” ¬ SELECT info FROM users WHERE login= ` doe ’ AND pin= 123 William Halfond – ISSSE 2006 – March 14 th , 2006

  4. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Malicious Usage ¬ Attacker submits “ admin’ -- ” and pin of “0” ¬ SELECT info FROM users WHERE login=‘ admin’ -- ’ AND pin=0 William Halfond – ISSSE 2006 – March 14 th , 2006

  5. Presentation Outline • SQL Injection Attacks • Intent • Input Source • Type • Countermeasures • Evaluation of countermeasures • Lessons learned William Halfond – ISSSE 2006 – March 14 th , 2006

  6. Intent • Extracting data • Adding or modifying data • Performing denial of service • Bypassing authentication • Executing remote commands William Halfond – ISSSE 2006 – March 14 th , 2006

  7. Sources of SQL Injection Injection through user input • Malicious strings in web forms. Injection through cookies • Modified cookie fields contain attack strings. Injection through server variables • Headers are manipulated to contain attack strings. Second-order injection • Trojan horse input seems fine until used in a certain situation. William Halfond – ISSSE 2006 – March 14 th , 2006

  8. Second-Order Injection Attack does not occur when it first reaches the database, but when used later on. Input: admin’-- ===> admin\’-- queryString = "UPDATE users SET pin=" + newPin + " WHERE userName=’" + userName + "’ AND pin=" + oldPin; queryString = “UPDATE users SET pin=’0’ WHERE userName= ’admin’--’ AND pin=1”; William Halfond – ISSSE 2006 – March 14 th , 2006

  9. Types of SQL Injection • Piggy-backed Queries • Tautologies • Alternate Encodings • Inference • Illegal/Logically Incorrect Queries • Union Query • Stored Procedures William Halfond – ISSSE 2006 – March 14 th , 2006

  10. Type: Piggy-backed Queries Insert additional queries to be executed by the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; DROP database webApp” queryString = “SELECT info FROM userTable WHERE login=‘name' AND pin=0; DROP database webApp” William Halfond – ISSSE 2006 – March 14 th , 2006

  11. Type: Tautologies Create a query that always evaluates to true for entries in the database. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input login as “user’ or 1=1 --” queryString = “SELECT info FROM userTable WHERE login=‘user‘ or 1=1 --' AND pin=“ William Halfond – ISSSE 2006 – March 14 th , 2006

  12. Type: Alternate Encodings Encode attacks in such a way as to avoid naïve input filtering. queryString = “SELECT info FROM userTable WHERE” + “login=‘” + login + “' AND pin=” + pin; Input pin as “0; declare @a char(20) select @a=0x73687574646f776e exec(@a)“ “SELECT info FROM userTable WHERE login=‘user' AND pin= 0; declare @a char(20) select @a=0x73687574646f776e exec(@a)” William Halfond – ISSSE 2006 – March 14 th , 2006

  13. Type: Alternate Encodings SHUTDOWN William Halfond – ISSSE 2006 – March 14 th , 2006

  14. Countermeasures Prevention Detection • Augment Code • Detect attacks at runtime • Detect vulnerabilities in code • Safe libraries Technique DB X William Halfond – ISSSE 2006 – March 14 th , 2006

  15. Prevention Techniques • Defensive Coding Best Practices • Penetration Testing • Static Analysis of Code • Safe Development Libraries • Proxy Filters William Halfond – ISSSE 2006 – March 14 th , 2006

  16. Detection Techniques • Anomaly Based Intrusion Detection Network DB William Halfond – ISSSE 2006 – March 14 th , 2006

  17. Detection Techniques • Anomaly Based Intrusion Detection • Instruction Set Randomization SELECT4287 SELECT Decrypt Proxy DB Server William Halfond – ISSSE 2006 – March 14 th , 2006

  18. Detection Techniques • Anomaly Based Intrusion Detection • Instruction Set Randomization • Dynamic Tainting • Model-based Checkers William Halfond – ISSSE 2006 – March 14 th , 2006

  19. Dynamic Tainting login = “doe” pin = 123 Taint Policy DB Checker SELECT info FROM users WHERE login= `doe’ AND pin= 123 login = “admin’--” pin = 0 Taint X Policy DB Checker SELECT info FROM users WHERE login=‘admin’ -- ’ AND pin=0 William Halfond – ISSSE 2006 – March 14 th , 2006

  20. Model-based Checkers: AMNESIA Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models William Halfond – ISSSE 2006 – March 14 th , 2006

  21. Model-based Checkers: AMNESIA = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); William Halfond – ISSSE 2006 – March 14 th , 2006

  22. Model-based Checkers: AMNESIA = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin Normal Usage: SELECT info FROM userTable WHERE login = ‘ doe ‘ AND pin = 123 William Halfond – ISSSE 2006 – March 14 th , 2006

  23. Model-based Checkers: AMNESIA = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin Malicious Usage: SELECT info FROM userTable WHERE login = ‘ admin ‘ -- ‘ AND pin = 0 William Halfond – ISSSE 2006 – March 14 th , 2006

  24. Evaluation • Qualitative vs. Quantitative • Evaluate technique with respect to 1. Injection Sources 2. SQLIA Types 3. Deployment Requirements 4. Degree of automation William Halfond – ISSSE 2006 – March 14 th , 2006

  25. Summary of Results Prevention Techniques • Most effective: Java Static Tainting [livshits05] and WebSSARI [Huang04] • Not completely automated • Runner-ups: Safe Query Objects [cook05], SQL DOM [mcclure05] (Safe development libraries) • Require developers to learn and use new APIs • Effective techniques automated enforcement of Best Practices William Halfond – ISSSE 2006 – March 14 th , 2006

  26. Summary of Results Detection Techniques • Problems caused by Stored Procedures, Alternate Encodings • Most accurate: AMNESIA [halfond05], SQLCheck [su06], SQLGuard [buehrer05] (Model-based checkers) • Of those, only AMNESIA is fully automated • Runner-ups: CSSE [pietraszek05], Web App. Hardening [nguyen-tuong05] (Dynamic tainting) • Fully automated • Require custom PHP runtime interpreter William Halfond – ISSSE 2006 – March 14 th , 2006

  27. Conclusions and Lessons Learned 1. SQLIAs have: a) Many sources b) Many goals c) Many types 2. Detection techniques can be effective, but limited by lack of automation. 3. Prevention techniques can be very effective, but should move away from developer dependence. William Halfond – ISSSE 2006 – March 14 th , 2006

  28. Questions Thank you. William Halfond – ISSSE 2006 – March 14 th , 2006

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

cc cc . Earthquake attack ccc ccc . Sticker injection attack The day disaster struck the

cc cc . Earthquake attack ccc ccc . Sticker injection attack The day disaster struck the

The day disaster struck the northeastern part of Japan ' or 1=1 -- Protect Y ourself c . SQL injection attack cc cc . Earthquake attack ccc ccc . Sticker injection attack The day disaster struck the northeastern part of Japan ' or 1=1 --

546 views • 22 slides
The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A.

The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A.

The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A. Theodore Markettos and Simon Moore www.cl.cam.ac.uk/research/security Computer Laboratory A.T. Markettos and S. W. Moore, The Frequency Injection Attack

796 views • 30 slides
Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics User Mode Injection Techniques Example Malware Implementations Kernel Mode Injection Techniques Advanced Code Injection Detection via

901 views • 60 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita Maruyama 1 , Satohiro Wakabayashi 1 , Tatsuya Mori 1, 2 1 Waseda University, Japan 2 RIKEN AIP, Japan Tap n Ghost An attack against smartphones

508 views • 30 slides
SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database

SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database

SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database management system Log in to MySQL Create a Database : SHOW DATABSES command: list existing databases. Create a new database called

521 views • 30 slides
Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information

Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information

Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information Systems Course exam scheduled on October 19 th There is an alternative exam on October 17 th at 6:00pm In Wean 5310 Lab 5 key lessons Lab was a form

300 views • 19 slides
Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T.

Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T.

Institut Mines-Tlcom Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T. Porteboeuf PROOFS September 17, 2015 Presentation Outline Introduction, Motivation Multi-level Formal Verification

485 views • 27 slides
Automated Oscillator Macromodelling Techniques for Capturing Amplitude Variations and Injection

Automated Oscillator Macromodelling Techniques for Capturing Amplitude Variations and Injection

Automated Oscillator Macromodelling Techniques for Capturing Amplitude Variations and Injection Locking Xiaolue Lai, Jaijeet Roychowdhury ECE Dept., University of Minnesota, Minneapolis Slide 1 December 10, 2004 Oscillators and Perturbation

502 views • 26 slides
Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from returning from an intended CSci 5271 return instruction to an unintended gadget? Introduction to Computer Security A. ASLR Day 6: Low-level defenses

125 views • 9 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Spectral Techniques for Internet Traffic Christos Papadopoulos and John Heidemann USC/ISI Data

Spectral Techniques for Internet Traffic Christos Papadopoulos and John Heidemann USC/ISI Data

Spectral Techniques for Internet Traffic Christos Papadopoulos and John Heidemann USC/ISI Data Catalog Workshop CAIDA, June 3, 2004 christos@isi.edu, johnh@isi.edu Research Topics Security DDoS classification Attack signatures

179 views • 14 slides
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack Square Attack D.

305 views • 16 slides
CS6220: DATA MINING TECHNIQUES Chapter 8&9: Classification: Part 1 Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 8&9: Classification: Part 1 Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 8&9: Classification: Part 1 Instructor: Yizhou Sun yzsun@ccs.neu.edu February 4, 2013 Chapter 8&9. Classification: Part 1 Classification: Basic Concepts Decision Tree Induction

1.23k views • 56 slides
CS6220: DATA MINING TECHNIQUES Chapter 8&9: Classification: Part 4 Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 8&9: Classification: Part 4 Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 8&9: Classification: Part 4 Instructor: Yizhou Sun yzsun@ccs.neu.edu March 18, 2013 Chapter 8&9. Classification: Part 4 Frequent Pattern-based Classification Ensemble Methods Other

593 views • 35 slides
Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for Artificial Intelligence Dept. of Computer Science & Technology Tsinghua University 1 Background Artificial intelligence (AI) is a

917 views • 63 slides
Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem

Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem

Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem Molazem Tabrizi Tabrizi Karthik Pattabiraman Karthik Pattabiraman http://blogs.ubc.ca/karthik/ 1 IoT Systems 2 Security Attacks

224 views • 20 slides
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering C. Dillon, M. Berkelaar OpenFlow DDoS Mitigation Introduction Distributed Denial of Service attacks Types of attacks Application

358 views • 18 slides
Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1

Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1

Introduction Research questions Research Results Conclusion Questions Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1 Presentation February 6, 2017 RIoT Van der Elzen, Van Heugten Introduction

456 views • 22 slides
September 2014 Investor Presentation Cautionary Statements And Risk Factors That May Affect

September 2014 Investor Presentation Cautionary Statements And Risk Factors That May Affect

September 2014 Investor Presentation Cautionary Statements And Risk Factors That May Affect Future Results Any statements made herein about future operating and/or financial results and/or other future events are forward-looking statements

680 views • 64 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
with Wanguard and more PLONG 21, Krakw 1 -2.10.2018 r. www.itoro.com.pl About ITORO Tuning

with Wanguard and more PLONG 21, Krakw 1 -2.10.2018 r. www.itoro.com.pl About ITORO Tuning

Multi-stage DDoS filtering with Wanguard and more PLONG 21, Krakw 1 -2.10.2018 r. www.itoro.com.pl About ITORO Tuning ing of servers an and Linux ux systems Wanguard implentations Full l su support rt before an and af after

993 views • 27 slides
POMPE DISEASE MY JOURNEY - BY SAM MURDUCK GOSH GLYCOGEN DAY 2 FEBRUARY 2011 Background 1978 -

POMPE DISEASE MY JOURNEY - BY SAM MURDUCK GOSH GLYCOGEN DAY 2 FEBRUARY 2011 Background 1978 -

POMPE DISEASE MY JOURNEY - BY SAM MURDUCK GOSH GLYCOGEN DAY 2 FEBRUARY 2011 Background 1978 - Born. Normal Milestones. Active, sporty childhood o 1992 - Teenage years still very active (ballet, sailing) but tired all o the time,

224 views • 7 slides

More recommend