SQL INJECTION by Fabrizio dAmore faculty of Ingegneria - - PowerPoint PPT Presentation

▶

Feb 10, 2024 287 likes •508 views

SQL INJECTION by Fabrizio dAmore faculty of Ingegneria dellInformazione Universit di Roma La Sapienza WHAT IT IS , WHAT IT IS NOT December 2009 capability of giving SQL commands to a database engine exploiting a pre-existing

SLIDE 1

SQL INJECTION

by Fabrizio d’Amore faculty of Ingegneria dell’Informazione Università di Roma “La Sapienza”

SLIDE 2

WHAT IT IS, WHAT IT IS NOT

¢ capability of giving SQL commands to a database

engine exploiting a pre-existing application

¢ not exclusive to Web applications, but widespread

vulnerability in Web sites

 vulnerabilities exist in 60% of Web sites they have tested

(from: OWASP, Open Web Application Security Project)

¢ not due to inadequate development of Web

applications, nor a fault of the Web / RDBMS server

 developers not yet sufficiently aware  low-quality info in the Web on how to prevent the problem  detailed info in the Web on how to exploit vulnerabilities

December 2009

2

SQL Injection, by F. d'Amore

SLIDE 3

WHAT APPLICATIONS ARE VULNERABLE?

¢ in practice, all databases based on SQL  MS SQL Server, Oracle, MySQL, Postgres, DB 2,

Informix etc.

¢ databases accessed thru applications based on

most of modern (and non-modern) technologies

 Perl, CGI, ASP, PHP, XML, Javascript, VB, C, Java,

Cobol etc.

December 2009

3

SQL Injection, by F. d'Amore

SLIDE 4

HOW IT WORKS

¢ client injects SQL code into the input data of an

application

 typical scenario: application dynamically creates SQL

query using altered data (obtained from outside), without good validation of such data

¢ target of the attack: server of an application ¢ goal: allow the client to access the database used

by the attacked server

December 2009

4

SQL Injection, by F. d'Amore

SLIDE 5

EXAMPLE

¢ if the following query returns data...

SELECT * FROM users WHERE login = 'damore' AND password = 'qwerty'

¢ example of login syntax ASP/MS SQL Server

var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

¢ if

 formusr = ' or 1=1 --  formpwd arbitrary

¢ query becomes into

December 2009

5

SQL Injection, by F. d'Amore

SELECT * FROM users WHERE login = '' or 1=1

- AND password = ...

SLIDE 6

SQL INJECTION ATTACK

¢ attacker can access database in read/write/admin  depends on the vulnerability of the specific DBMS ¢ impact of the attack is potentially HIGH

December 2009

6

SQL Injection, by F. d'Amore

SLIDE 7

POSSIBLE HTML FORM

¢ from Wikipedia (

http://it.wikipedia.org/wiki/SQL_injection)

<form action='login.php' method='post'> <form action='login.php' method='post'> Username: <input type='text' name='user' /> Username: <input type='text' name='user' /> Password: <input type='password' name='pwd' /> Password: <input type='password' name='pwd' /> <input type='submit' value='Login' /> <input type='submit' value='Login' /> </form> </form>

December 2009

7

SQL Injection, by F. d'Amore

SLIDE 8

POSSIBLE LOGIN.PHP FILE

<?php //Prepares query, in a variable $query = "SELECT * FROM users WHERE user='".$_POST ['user']."' AND pwd='".$_POST['pwd']."'"; //Execute query (suppose a valid connection to database is already open and its state is stored in $db) $sql = mysql_query($query,$db); //Count number of lines that have been found if(mysql_affected_rows($sql)>0) { //authenticated! } ?>

December 2009

8

SQL Injection, by F. d'Amore

SLIDE 9

CONSEQUENCES

¢ if script does not make input analysis and

validation, user can send

user = blah pwd = ' OR user=‘blah'

¢ we get the query

SELECT * FROM users WHERE user=‘blah' AND pwd='' OR user=‘blah'

¢ if at least one tuple does exist, attacker obtains

authenticated access

December 2009

9

SQL Injection, by F. d'Amore

SLIDE 10

OTHER (WORSE) CONSEQUENCES

¢ symbol ';' is exploited, it allows to concatenate

commands

pwd = ' OR user=‘blah'; DROP TABLE users;

¢ or

pwd = ' OR user=‘blash'; INSERT INTO users (...) VALUES (...);

December 2009

10

SQL Injection, by F. d'Amore

SLIDE 11

LINKS

¢ examples  http://www.owasp.org/index.php/SQL_Injection  http://www.unixwiz.net/techtips/sql-injection.html ¢ Sqlninja: example of tool for supporting attacks

http://sqlninja.sourceforge.net/

 it tries to use SQL injection on applications based on

MS SQL Server

 its goal is to obtain an interactive shell on the remote

DB server

¢ WebScarab: example of tool for prevention

http://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project

 powerful, good prevention, even against other types of

attack

December 2009

11

SQL Injection, by F. d'Amore

SLIDE 12

PREVENTING SQL INJECTION

¢ input validation  client side  to be considered within the wider subject of software

correctness and robustness

¢ parameterized queries  based on predefined query strings ¢ use of stored procedures  subroutines that are defined at server side, available

to applications accessing the RDBMS

 can validate input at server side

December 2009

12

SQL Injection, by F. d'Amore

SLIDE 13

INPUT VALIDATION AT CLIENT SIDE

¢ use scripts, e.g., Javascript ¢ can be made weaker by the security settings of the

browser

¢ in some cases, can be bypassed thru suitable

change of the HTML source code

December 2009

13

SQL Injection, by F. d'Amore

SLIDE 14

PARAMETERIZED QUERIES

¢ avoid the traditional dynamic query string, where

pre-defined substrings have to be replaced by user defined text

¢ based on pre-defined query strings, where suitable

parameters have to be inserted

¢ example: Java Prepared Statement

December 2009

14

SQL Injection, by F. d'Amore

SLIDE 15

JAVA PREPARED STATEMENTS

¢ see Sun tutorial on JDBC (

http://java.sun.com/docs/books/tutorial/jdbc/basics/ index.html)

¢ technique based on Java class PreparedStatement  initially proposed for improving the speed of

frequently executed queries

¢ when PreparedStatement is instantiated, an SQL

query is built (and compiled): it may contain the symbol '?' to denote possible parameters necessary to query

¢ query structure is fixed

December 2009

15

SQL Injection, by F. d'Amore

SLIDE 16

PRACTIC EXAMPLE

// define query schema // define query schema String String selectStatement selectStatement = "SELECT * FROM User WHERE = "SELECT * FROM User WHERE userId userId = ? "; = ? "; // instantiate // instantiate PreparedStatement PreparedStatement object by means of

bject by means of

purposed method of db connector (class Connection) purposed method of db connector (class Connection) PreparedStatement PreparedStatement prepStmt prepStmt = = con.prepareStatement con.prepareStatement (selectStatement selectStatement); ); // provide parameter thru // provide parameter thru setXXX setXXX prepStmt.setString prepStmt.setString(1, (1, userId userId); // 1 -> first ); // 1 -> first parameter parameter // execute query // execute query ResultSet ResultSet rs rs = = prepStmt.executeQuery prepStmt.executeQuery(); ();

December 2009

16

SQL Injection, by F. d'Amore

SLIDE 17

VULNERABILITIES IN PREPARED STATEMENTS

¢ Java prepared statements, if not carefully packed,

may be vulnerable to SQL injection

¢ example

String String strUserName strUserName = = request.getParameter request.getParameter(" ("Txt_UserName Txt_UserName"); "); PreparedStatement PreparedStatement prepStmt prepStmt = = con.prepareStatement con.prepareStatement("SELECT * FROM user ("SELECT * FROM user WHERE WHERE userId userId = '+ = '+strUserName strUserName+'"); +'");

¢ a prepared statement is built, using a non-

validated input parameter!

December 2009

17

SQL Injection, by F. d'Amore

SLIDE 18

STORED PROCEDURES: WHAT AND WHY

¢ compiled procedures (subroutines) made available

at server side to build/support batches operating

n DB

¢ code is optimized, but DB server incurs higher

processing costs

 also improve code readability ¢ they help to limit SQL injection attacks  but they are not exempt from vulnerabilities

December 2009

18

SQL Injection, by F. d'Amore

SLIDE 19

USE OF STORED PROCEDURES

¢ also known as proc, sproc, StoPro or SP, belong to

data dictionary

¢ typical uses  data validation  access control mechanisms  centralization of logic that was initially contained

inside the applications

¢ similar to the user-defined functions, but with

different syntax

 functions can appear everywhere in SQL strings, this

is not true for stored procedure calls

December 2009

19

SQL Injection, by F. d'Amore

SLIDE 20

SQL INJECTION

by Fabrizio d’Amore faculty of Ingegneria dell’Informazione Università di Roma “La Sapienza”

WHAT IT IS, WHAT IT IS NOT

¢ capability of giving SQL commands to a database

engine exploiting a pre-existing application

¢ not exclusive to Web applications, but widespread

vulnerability in Web sites

 vulnerabilities exist in 60% of Web sites they have tested

(from: OWASP, Open Web Application Security Project)

¢ not due to inadequate development of Web

applications, nor a fault of the Web / RDBMS server

 developers not yet sufficiently aware  low-quality info in the Web on how to prevent the problem  detailed info in the Web on how to exploit vulnerabilities

2

WHAT APPLICATIONS ARE VULNERABLE?

¢ in practice, all databases based on SQL  MS SQL Server, Oracle, MySQL, Postgres, DB 2,

Informix etc.

¢ databases accessed thru applications based on

most of modern (and non-modern) technologies

 Perl, CGI, ASP, PHP, XML, Javascript, VB, C, Java,

Cobol etc.

3

HOW IT WORKS

¢ client injects SQL code into the input data of an

application

 typical scenario: application dynamically creates SQL

query using altered data (obtained from outside), without good validation of such data

¢ target of the attack: server of an application ¢ goal: allow the client to access the database used

by the attacked server

4

EXAMPLE

¢ if the following query returns data...

SELECT * FROM users WHERE login = 'damore' AND password = 'qwerty'

¢ example of login syntax ASP/MS SQL Server

var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

¢ if

 formusr = ' or 1=1 --  formpwd arbitrary

¢ query becomes into

5

SELECT * FROM users WHERE login = '' or 1=1

SQL INJECTION ATTACK

¢ attacker can access database in read/write/admin  depends on the vulnerability of the specific DBMS ¢ impact of the attack is potentially HIGH

6

POSSIBLE HTML FORM

¢ from Wikipedia (

http://it.wikipedia.org/wiki/SQL_injection)

7

POSSIBLE LOGIN.PHP FILE

8

CONSEQUENCES

¢ if script does not make input analysis and

validation, user can send

user = blah pwd = ' OR user=‘blah'

¢ we get the query

SELECT * FROM users WHERE user=‘blah' AND pwd='' OR user=‘blah'

¢ if at least one tuple does exist, attacker obtains

authenticated access

9

OTHER (WORSE) CONSEQUENCES

¢ symbol ';' is exploited, it allows to concatenate

commands

pwd = ' OR user=‘blah'; DROP TABLE users;

¢ or

pwd = ' OR user=‘blash'; INSERT INTO users (...) VALUES (...);

10

LINKS

¢ examples  http://www.owasp.org/index.php/SQL_Injection  http://www.unixwiz.net/techtips/sql-injection.html ¢ Sqlninja: example of tool for supporting attacks

http://sqlninja.sourceforge.net/

 it tries to use SQL injection on applications based on

MS SQL Server

 its goal is to obtain an interactive shell on the remote

DB server

¢ WebScarab: example of tool for prevention

http://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project

 powerful, good prevention, even against other types of

attack

11

PREVENTING SQL INJECTION

¢ input validation  client side  to be considered within the wider subject of software

correctness and robustness

¢ parameterized queries  based on predefined query strings ¢ use of stored procedures  subroutines that are defined at server side, available

 vulnerabilities exist in 60% of Web sites they have tested

 developers not yet sufficiently aware  low-quality info in the Web on how to prevent the problem  detailed info in the Web on how to exploit vulnerabilities

¢ in practice, all databases based on SQL  MS SQL Server, Oracle, MySQL, Postgres, DB 2,

 Perl, CGI, ASP, PHP, XML, Javascript, VB, C, Java,

 typical scenario: application dynamically creates SQL

 formusr = ' or 1=1 --  formpwd arbitrary

¢ attacker can access database in read/write/admin  depends on the vulnerability of the specific DBMS ¢ impact of the attack is potentially HIGH

¢ examples  http://www.owasp.org/index.php/SQL_Injection  http://www.unixwiz.net/techtips/sql-injection.html ¢ Sqlninja: example of tool for supporting attacks

 it tries to use SQL injection on applications based on

 its goal is to obtain an interactive shell on the remote

 powerful, good prevention, even against other types of

¢ input validation  client side  to be considered within the wider subject of software

¢ parameterized queries  based on predefined query strings ¢ use of stored procedures  subroutines that are defined at server side, available

 can validate input at server side

¢ technique based on Java class PreparedStatement  initially proposed for improving the speed of

 also improve code readability ¢ they help to limit SQL injection attacks  but they are not exempt from vulnerabilities

¢ typical uses  data validation  access control mechanisms  centralization of logic that was initially contained

 functions can appear everywhere in SQL strings, this