2. What is an Injection Attack?
• Exploits weak application level security around the "system" type ID
• Exploit allows the client, a.k.a. attacker, to "piggyback" code into a web page, and have the "system" ID execute it for them
• Can both execute commands and insert / update / delete data
Conversys Technologies PVT. Ltd.
3. What is the Danger?
• Typically "system" IDs have "all access" rights to the database
• When exploited, the attacker can do anything the "system" ID can
• Utilizes no special equipment or advanced knowledge
4. Industry
Joint study by the US Department of Commerce and Visa
Ranked SQL injection as one of the top 5 greatest data security vulnerabilities
"SQL injection is a technique used to exploit Web-based applications by using client-supplied data in SQL queries. SQL injection attacks are caused primarily by applications that lack input validation checks. Recently, commercial shopping cart products have been the focus of attack by hackers who seek account information. PCI DSS Requirement 6.5 requires that Web-facing applications be developed in accordance with secure coding guidelines to guard against such attacks."
5. Different Types of Code Injection
• SQL Injection (Most prevalent)
• LDAP Injection
• XML Injection
• Others...
* Flaw is not code specific, rather in the web application it is embedded in
6. Structure of Web Based Systems
• Application logic – Typically built with a scripting language (php, jsp, asp), a lightweight tool that interfaces with the data source and controls the behavior of the program
• Data Source – Typically a database, but could also be a flat file, XML file, or another application
• The interface between the application and data source is typically done with an embedded language. Embedded systems integrate one type of code into another (such as a php script executing SQL commands)
7. How does it work?
Review on Client-Server Architecture
You (client) request a web page
Server responds with the page, as displayed on the client computer
Client enters data
Server takes data, runs server side script, queries database, returns results
8. What really happens when you search?
Server has a prewritten SQL query stored in a script:
select item, picture from ItemDB where description = '$client_input';
You input "american psycho 1st"
Prewritten script is then executed by "system" as:
select item, picture from ItemDB where description = 'american psycho 1st';
Please Note: You just used the "system" ID to execute a query that YOU wrote. In practice, most "system" IDs have DBA level access, and are only restricted by the logic built into the application itself.
9. Code Example
<?php
session_start();
header("Cache-control: private"); // IE 6 fix
error_reporting(E_ALL);
?>
<html>
<body bgcolor="white">
<?php
$email = $_SESSION['email'];              // User's email address, taken from the session
$value = stripslashes($_POST['newdata']); // Data entered by the user; stripslashes removes any backslashes added by magic_quotes, so quotes reach the query unescaped
$fieldname = $_POST['type'];              // Field name to update, also taken straight from the form
if ($_SESSION['access_rights'] == 1)
{
    $db = mysql_connect("localhost", "system_id", "password"); // Connects to the local DB as the "system" ID
    mysql_select_db("payroll", $db);                           // Selects the database to query
    // Prewritten query: $fieldname and $value are spliced into the SQL text without any escaping or validation
    $query = "update data SET $fieldname='$value' WHERE email = '$email'";
    $result = mysql_query($query, $db);                        // Executes the query
    echo "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=return.php'>";
}
?>
</body>
</html>
10. How can we exploit this?
SQL Query Stored in Application:
select item, picture from ItemDB where description = '$client_input'
To commit a SQL Injection Attack, enter into the web site form:
x';drop table 'ItemDB
The query executed by the "System" ID will now be:
select item, picture from ItemDB where description = 'x';drop table 'ItemDB'
The server just executed the stored query, and we just effectively destroyed the entire "ItemDB" table!
11. Even More Fun…
"Add A New User"
Canned Query: SELECT email, passwd, login_id, full_name FROM members WHERE email = '$user_input';
SQL Attack: x'; INSERT INTO members ('email', 'passwd', 'login_id', 'full_name') VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch')
System then Executes: SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email', 'passwd', 'login_id', 'full_name') VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch');
I now have my very own account!
12. One More for Good Measure
"Forgot my Password"
Canned Query: SELECT email, passwd, login_id, full_name FROM members WHERE email = '$UserInput';
SQL Attack: x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com
System then Executes: SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com';
Now just go to forgot my password, type pinch@CLIENTX.com, and the system will conveniently email me the system admin's password!
15. Error Masking
• Blocks real error messages from being displayed to the client
• Best Practice
All specific error messages are suppressed, either through using a generic error message, or blocking them altogether.
16. How are Attacks Prevented?
Sanitize all input including:
• Data collected in Forms through browsers
• Data collected in URLs
• Data collected through cookies
• White/Black List
• Mask Error Messages
• Continuous Monitoring
• New Technique: SQL Firewalls
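The slide-9 UPDATE rewritten the way this slide asks for: the two values are passed as bound parameters, and the column name (which no database driver can bind) is checked against an allow-list. This is an added example, not the presentation's code; it uses Python's sqlite3 as a stand-in for the slides' PHP/MySQL stack, and the table, columns, e-mail address, allow-list and the input string are constructed here.

```python
import sqlite3

# Constructed allow-list: the only columns the self-service form may change.
# Identifiers cannot be bound as query parameters, so this check replaces
# the slide's raw $fieldname interpolation.
ALLOWED_FIELDS = {"phone", "address"}

def setup_db():
    """Constructed in-memory stand-in for the slide's 'payroll' database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE data (email TEXT PRIMARY KEY, phone TEXT, "
               "address TEXT, salary INTEGER)")
    db.execute("INSERT INTO data VALUES ('alice@example.com', '555-0100', "
               "'1 Main St', 50000)")
    db.commit()
    return db

def unsafe_query(fieldname, value, email):
    """The slide-9 pattern: request values spliced into the SQL text.
    Returned rather than executed, so the effect of the splice is visible."""
    return f"update data SET {fieldname}='{value}' WHERE email = '{email}'"

def safe_update(db, fieldname, value, email):
    """Hardened form: column name checked against the allow-list, values
    bound with '?' so quotes and semicolons in them stay plain data."""
    if fieldname not in ALLOWED_FIELDS:
        raise ValueError(f"column not permitted: {fieldname!r}")
    cur = db.execute(f"UPDATE data SET {fieldname} = ? WHERE email = ?",
                     (value, email))
    db.commit()
    return cur.rowcount  # 1 if the caller's own row was updated, else 0

def read_field(db, email, fieldname):
    """Read one allow-listed column back for a given email (None if no row)."""
    if fieldname not in ALLOWED_FIELDS:
        raise ValueError(f"column not permitted: {fieldname!r}")
    row = db.execute(f"SELECT {fieldname} FROM data WHERE email = ?",
                     (email,)).fetchone()
    return row[0] if row else None

def table_exists(db, name):
    """True if a table of that name still exists in the database."""
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' "
                     "AND name = ?", (name,)).fetchone()
    return row is not None
```

Feeding the slide-10 style input through safe_update stores it verbatim in the phone column and leaves the table in place, while a request naming the salary column is refused before any SQL is built.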
17. Prevalence of Attacks
• Injection attacks are extremely powerful, almost always malicious, and nearly undetectable (until it's too late)
• Danger comes from simplicity – no special hardware or software is necessary. Just syntax knowledge and a browser!
• In 2006, 14% of newly released commercial applications and open source tools were vulnerable to SQL injection attacks.
• A recent study found that 10.3% of the web sites surveyed were not masking error messages.
18. Integrating into the Audit
• Weak controls related to preventing injection attacks may affect the nature, timing and extent of financial statement substantive audit procedures.
• Assistance may be needed from systems or data management professionals to help identify if there were instances in which the control weaknesses were exploited.
• Cobit Framework (See excerpt)
– DS 5.3, Identity Management
Cobit Framework excerpt – DS 5.3, Identity Management:
• "All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights."
19. What Systems are Vulnerable?
• Predominantly internally developed applications
• Web based client-server architecture
• Any system where access is available via the web
20. How do you determine if a system is vulnerable?
• Inquire
– Do you have database and server error messages masked?
– Do you have a strategy to sanitize all user input to detect SQL injection attacks?
– Walk me through how your system prevents SQL injection attempts, i.e. filtering input, limiting rights.
• Observe
– Ask client to generate an error message
• Should either be generic or non-existent
• Inspect
– Request code sample showing filtering module logic
• Should filter out suspicious characters such as "',/;&%$" etc.
• View White/Black List
• Attack and Penetration Testing
21. Created and Presented by Krishnendu Paul
Vice President – Technologies
Conversys Technologies Pvt. Ltd.
A Maxelor Company
References
http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/Top_5_Vulnerabilities_Bulletin_August2006.pdf - 2006 Visa USA
"Applying an improved economic model to software buy-versus-build decisions", Higaki, Wesley. Hewlett-Packard Journal, August 1995.
"Cobit 4.0", IT Governance Institute, 2005.
Mitre Corporation, 2006.
22. Thanks
Conversys Technologies Pvt. Ltd.
• Kolkata Office : 7, Bondel Road, Kolkata, West Bengal India – 700019
E-mail: info@conversys.in
Telephone: +91-33-64602675
• Pune Office: #204, Casa Grande, Lane No. 8. Koregaon Park, Pune - 411 001
Telephone: +91 20 26052014
• US Office: 15 Corporate Place, Suite# 333, Piscataway, NJ, 08854 USA