Mozilla Security Learning Center
SQL Injection
Intro

 • Michael Coates
 • Infrastructure Security
 • mcoates@mozilla.com - @_mwc

 • Questions / comments during presentation?
 • Use IRC at air.mozilla.org
Agenda



• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
Agenda



• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
Risks of SQL Injection

 • Injection attacks (SQL, LDAP, OS, etc) - #1 Issue on OWASP Top 10
 • Impact: Vulnerability allows attacker to change intent of SQL
    statement

 • Business Impact:
  • Theft of sensitive/PII data (account data, password hashes)
  • Data Corruption
  • Unauthorized application/feature access
  • Inject other attacks (XSS) into databases
SQL Injection in the News
Setup



• http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation

• http://bit.ly/MozLab
• Download Virtual Box, OWASP Broken Web App VM
Agenda



• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
Fundamental Problem

• User controlled data improperly used with SQL statements
• Example Vulnerable Query (user input concatenated straight into the statement):
  sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"

[Figure: login form with Login and Pass fields; a user asks "My username is o'malley?"]
Fundamental Problem

• User controlled data improperly used with SQL statements
• o’malley scenario
  Select user from UserTable where name= 'o'malley' and pass = 'foo'

• Result: Error, syntax is not valid (the apostrophe in o'malley closes the string literal early, so the rest of the name is parsed as SQL)

[Figure: error dialog "Error: Invalid syntax"]
Agenda



• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
SQL Attack Examples


• Basic SQL Injection Tests:
    OR 1=1 --
    ' OR '1'= '1'--
• Select user from UserTable where name= 'joe' and pass = '' OR '1'= '1'-- '

• Looks for username of joe and password of (blank || TRUE)
Variations

 • SQL Injection
  • Error message or different text returned based on SQL
      statement results

   • Example: Error message, db data displayed in page
 • Blind SQL Injection
  • No visible response to user indicating success or failure of the query
Blind SQL Injection



 • Use time of results to deduce boolean
 • Injected SQL uses IF statements and delays to enumerate
   data, 1 char at a time
Blind SQL Examples

   mysql> select * from example;
   +----+-----------------+-----+
   | id | name            | age |
   +----+-----------------+-----+
   |  1 | Timmy Mellowman |  23 |
   |  2 | Sandy Smith     |  21 |
   +----+-----------------+-----+
   2 rows in set (0.00 sec)
Blind SQL Examples

• mysql> SELECT IF(name = 'Sandy Smith', BENCHMARK(1000000, MD5('x')), NULL) FROM example;
  • Command line result - 2 rows in set (5.25 sec)
• mysql> SELECT IF(name = 'Joe Bob', BENCHMARK(1000000, MD5('x')), NULL) FROM example;
  • Command line result - 2 rows in set (0.00 sec)
• The actual data returned is not important; the delay indicates True or False

   +----+-----------------+-----+
   |  1 | Timmy Mellowman |  23 |
   |  2 | Sandy Smith     |  21 |
   +----+-----------------+-----+
Blind SQL Injection


• mysql> select headerName from header_store UNION select IF(SUBSTRING(name,1,1)='T', BENCHMARK(1000000, MD5('x')), 'y') from example where age=23 limit 1;
  • 1 row in set (6.01 sec)
• Test if the first character of "name" from the example table (where age=23) is the letter T.

   +----+-----------------+-----+
   |  1 | Timmy Mellowman |  23 |
   +----+-----------------+-----+
WebGoat
• Click First Link - OWASP WebGoat version 5.3.x
• Username / Password is guest / guest
Setup



• http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation

• http://bit.ly/MozLab
• Download Virtual Box, OWASP Broken Web App VM
Using A Proxy

• Burp - Configure to listen on 8080
 • Ensure “loopback only” is checked (will be by default)
Set Firefox Proxy

 • Set Firefox proxy to 8080
  • Preferences
      -> Advanced
      -> Network
      -> Settings

 • Set HTTP Proxy
 • Important - clear the “No Proxy for” line
Confirm Setup Works

• Refresh Web Browser - it should hang
• Go to Burp -> Proxy -> Intercept (they are highlighted)
• Click “Forward” for all messages
• Should now see page in browser
Confirm Setup Works

• Intercept is on
 • Each request will be caught by proxy
 • Requires you to hit forward each time
• Intercept is off
 • Requests sent through proxy automatically
 • Logged in tab “proxy”->”history”
“Hello World” of Proxies
 • Lesson: General->Http Basic
 • Objective:
  • Enter your name into text box
  • Intercept with proxy & change entered name to different value
  • Receive response & observe modified value is reversed

[Figure: the Attacker's Browser submits "Joe"; the Web Proxy changes it to "Sue" before it reaches the Web Server; the server's reversed reply "euS" travels back through the proxy to the browser]
SQL Injection

 • Problem: User controlled data improperly used with SQL
    statements

 • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
 • Basic SQL Injection Tests:
    OR 1=1 --
    ' OR '1'= '1'--

 • Example Vulnerable Query (user input concatenated straight into the statement):
    sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
Lab! - SQL Lesson
SQL Injection
 • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection

 • Proxy Needed
 • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
SQL Injection

 • HTTP Post
    employee_id=112&password=x' OR '1'='1&action=Login

 • Vulnerable SQL (template, then the statement built from the POST above)
    Select user from UserTable where name='" + username + "' and pass='" + password + "'
    Select user from UserTable where name='112' and pass='x' OR '1'='1'

 • Result: ... name = '112' and pass = 'x' OR TRUE (AND binds tighter than OR, so the tautology matches every row)
Agenda



• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
SQL Injection


 • Parameterized Queries
   No confusion with control characters


 • Input Validation
   Are special characters needed for most fields?
   What about non-printable characters %00-%0A?
   Just a layer of defense - remember o’malley example
Parameterized Query


• HTTP Post
   employee_id=112&password=x' OR '1'='1&action=Login

• Parameterized Query
   Look for employee_id 112 with password of x' OR '1'='1

• Result: Login fail - password is foo not x' OR '1'='1
Language Examples


• User data + string concatenation == SQL injection disaster
• DJANGO
 • Model Query API-> Safe
 • raw() manager -> Dangerous, Avoid!
• Java (placeholder bound with PreparedStatement)
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
    PreparedStatement pstmt = connection.prepareStatement( query );
    pstmt.setString( 1, custname);
    ResultSet results = pstmt.executeQuery( );
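The two outcomes the deck walks through, the o'malley syntax error and the x' OR '1'='1 login bypass, run against both the concatenated query and its parameterized form, as an added example that is not part of the original slides or the WebGoat lab; the in-memory SQLite UserTable, its rows and the login functions are constructed for this demonstration.

```python
"""Vulnerable string-concatenated login beside its parameterized form,
exercised against an in-memory SQLite table (constructed example)."""
import sqlite3

# Constructed sample rows for the deck's UserTable (user, name, pass).
# The "name" column is the identifier typed into the login form; the lab's
# employee 112 with password "foo" is included, plus the o'malley user.
# Plaintext passwords keep the demo short; real systems store hashes.
SAMPLE_USERS = [
    ("neville", "112", "foo"),
    ("timmy", "101", "hunter2"),
    ("omalley", "o'malley", "pass1"),
]


def make_db():
    """Create an in-memory database holding the constructed UserTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The deck's sqlQ: user-controlled data pasted into the statement text.
    Returns every user the (possibly rewritten) WHERE clause matches."""
    sql = ("Select user from UserTable where name = '" + username
           + "' and pass = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the driver binds the values,
    so a quote in the input is data, never a control character."""
    sql = "Select user from UserTable where name = ? and pass = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def attempt(login_fn, conn, username, password):
    """Run one login and classify the outcome, so the o'malley syntax error
    and the tautology bypass can be compared side by side."""
    try:
        matched = login_fn(conn, username, password)
    except sqlite3.OperationalError as exc:
        return ("syntax error", str(exc))
    if isinstance(matched, list):
        return ("matched", matched)
    return ("matched", [matched] if matched else [])


if __name__ == "__main__":
    db = make_db()
    inputs = [("112", "foo"), ("o'malley", "pass1"),
              ("112", "x' OR '1'='1"), ("joe", "' OR '1'='1'--")]
    for user, pw in inputs:
        print(f"{user!r:12} {pw!r:18} concat: {attempt(login_vulnerable, db, user, pw)}")
        print(f"{'':12} {'':18} param:  {attempt(login_parameterized, db, user, pw)}")
```

The concatenated form fails both ways the deck describes (a legitimate apostrophe breaks the statement, a crafted password matches every row), while the parameterized form logs o'malley in and rejects the tautology.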
Additional Resources


• OWASP SQL Prevention Cheat Sheet
 • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

• 10 Minute Crash Course
 • Episode 3 - http://www.youtube.com/user/AppsecTutorialSeries
Questions


• Next Events
• Aug 24 - CEF Logging for Attack Aware Applications
• Aug 25 - OWASP Bay Area Chapter Meeting
• https://wiki.mozilla.org/index.php?title=WebAppSec#Schedule

SQL Injection Intro and Attack Scenarios

2. Intro
 • Michael Coates
 • Infrastructure Security
 • mcoates@mozilla.com - @_mwc
 • Questions / comments during presentation?
 • Use IRC at air.mozilla.org

3. Agenda
 • Business risk of XSS
 • Understanding the vulnerability
 • Attack scenarios
 • Mitigation techniques

4. Agenda
 • Business risk of SQL Injection
 • Understanding the vulnerability
 • Attack scenarios
 • Mitigation techniques

5. Risks of SQL Injection
 • Injection attacks (SQL, LDAP, OS, etc) - #1 Issue on OWASP Top 10
 • Impact: Vulnerability allows attacker to change intent of SQL statement
 • Business Impact:
  • Theft of sensitive/PII data (account data, password hashes)
  • Data Corruption
  • Unauthorized application/feature access
  • Inject other attacks (XSS) into databases

6. SQL Injection in the News

7. Setup
 • http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation
 • http://bit.ly/MozLab
 • Download Virtual Box, OWASP Broken Web App VM

8. Agenda
 • Business risk of SQL Injection
 • Understanding the vulnerability
 • Attack scenarios
 • Mitigation techniques

9. Fundamental Problem
 • User controlled data improperly used with SQL statements
 • Example Vulnerable Query:
   sqlQ = "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"
 • Login: ___   Pass: ____
 • My username is o'malley ?

10. Fundamental Problem
 • User controlled data improperly used with SQL statements
 • o'malley scenario:
   Select user from UserTable where name= 'o'malley' and pass = 'foo'
 • Result: Error, syntax is not valid
   Error: Invalid syntax

11. Agenda
 • Business risk of SQL Injection
 • Understanding the vulnerability
 • Attack scenarios
 • Mitigation techniques

12. SQL Attack Examples
 • Basic SQL Injection Tests:
   OR 1=1 --
   ' OR '1'= '1'--
 • Select user from UserTable where name= 'joe' and pass = ' ' OR '1'= '1'-- '
 • Looks for username of joe and password of (blank || TRUE)
13. Variations
 • SQL Injection
  • Error message or different text returned based on SQL statement results
  • Example: Error message, db data displayed in page
 • Blind SQL Injection
  • No visible response to user indicating success or failure of query

14. Blind SQL Injection
 • Use time of results to deduce boolean
 • Injected SQL uses IF statements and delays to enumerate data, 1 char at a time

15. Blind SQL Examples
   mysql> select * from example;
   +----+-----------------+------+
   | id | name            | age  |
   +----+-----------------+------+
   |  1 | Timmy Mellowman |   23 |
   |  2 | Sandy Smith     |   21 |
   +----+-----------------+------+
   2 rows in set (0.00 sec)

16. Blind SQL Examples
 • mysql> SELECT IF( name = 'Sandy Smith', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM example;
 • Command line result - 2 rows in set (5.25 sec)
 • mysql> SELECT IF( name = 'Joe Bob', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM example;
 • Command line result - 2 rows in set (0.00 sec)
 • The actual data returned is not important; the delay indicates True or False
   +----+-----------------+------+
   |  1 | Timmy Mellowman |   23 |
   |  2 | Sandy Smith     |   21 |
   +----+-----------------+------+

17. Blind SQL Injection
 • mysql> select headerName from header_store UNION select IF(SUBSTRING(name, 1,1)='T',BENCHMARK(1000000,MD5( 'x' )),'y') from example where age=23 limit 1;
 • 1 row in set (6.01 sec)
 • Test if the first character of "name" from the example table (where age=23) is the letter T.
   +----+-----------------+------+
   |  1 | Timmy Mellowman |   23 |
   +----+-----------------+------+
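The detection side of the timing technique on slides 14 to 17, as an added example that is not part of the presentation's own material: a small Python scanner over constructed web-server access log lines (combined log format plus an assumed trailing response-time-in-milliseconds field) that flags requests whose decoded query string carries time-burning functions such as BENCHMARK or the per-character IF(SUBSTRING(...)) probe from the deck, and uses a slow response only as corroboration. The log lines, the 3000 ms threshold, and the keyword patterns are assumptions to tune per environment.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (combined log format plus an assumed trailing
# "response time in ms" field). The two 198.51.100.7 requests reuse the
# IF(SUBSTRING(...), BENCHMARK(...)) probe from the deck, URL-encoded as a
# browser would send it; the other lines are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /WebGoat/attack?Screen=1&menu=1100 HTTP/1.1" 200 5123 18
10.0.0.9 - - [10/Oct/2000:13:55:37 -0700] "GET /blog/sleep-hygiene-tips HTTP/1.1" 200 8000 30
198.51.100.7 - - [10/Oct/2000:13:55:38 -0700] "GET /search?name=Sandy%27%20AND%20IF%28SUBSTRING%28name%2C1%2C1%29%3D%27T%27%2CBENCHMARK%281000000%2CMD5%28%27x%27%29%29%2C0%29--%20 HTTP/1.1" 200 231 6010
198.51.100.7 - - [10/Oct/2000:13:55:45 -0700] "GET /search?name=Sandy%27%20AND%20IF%28SUBSTRING%28name%2C1%2C1%29%3D%27S%27%2CBENCHMARK%281000000%2CMD5%28%27x%27%29%29%2C0%29--%20 HTTP/1.1" 200 231 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

# Functions whose only job is to burn time: the signature of time-based blind SQLi.
TIMING_RE = re.compile(r"\b(?:BENCHMARK|SLEEP|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
# Per-character extraction helpers that turn one boolean into one byte of data.
ENUM_RE = re.compile(r"\b(?:SUBSTRING|SUBSTR|MID|ASCII|IF)\s*\(", re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ms"] = int(entry["ms"])
    # Decode once so %28 becomes "(" etc.; double-encoded input would need a second pass.
    entry["decoded"] = unquote_plus(entry["path"])
    return entry


def classify(entry, slow_ms=3000):
    """Return the list of reasons this request looks like a time-based blind SQLi probe."""
    reasons = []
    if TIMING_RE.search(entry["decoded"]):
        reasons.append("timing_function")
    if ENUM_RE.search(entry["decoded"]):
        reasons.append("enumeration_function")
    # A slow response on its own is not evidence; it only corroborates a SQL probe.
    if reasons and entry["ms"] >= slow_ms:
        reasons.append("slow_response")
    return reasons


def scan(lines, slow_ms=3000):
    """Return findings (ip, decoded path, ms, reasons) for suspicious lines, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, slow_ms)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["decoded"],
                             "ms": entry["ms"], "reasons": reasons})
    return findings


def count_by_ip(findings):
    """Probes arrive one character at a time, so volume per source is the useful aggregate."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ip"], h["ms"], "ms", ", ".join(h["reasons"]))
    print(count_by_ip(hits))
```

The second 198.51.100.7 request is flagged even though it returned in 12 ms: when the guessed character is wrong the delay never fires, so a detector that keys on response time alone sees only the true-branch half of the enumeration. The "sleep-hygiene" blog URL shows why the timing pattern insists on a following parenthesis.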
18. WebGoat
 • Click First Link - OWASP WebGoat version 5.3.x
 • Username / Password is guest / guest

19. Setup
 • http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation
 • http://bit.ly/MozLab
 • Download Virtual Box, OWASP Broken Web App VM

20. Using A Proxy
 • Burp - Configure to listen on 8080
 • Ensure "loopback only" is checked (will be by default)

21. Set Firefox Proxy
 • Set Firefox proxy to 8080
 • Preferences -> Advanced -> Network -> Settings
 • Set HTTP Proxy
 • Important - clear "No Proxy for" line

22. Confirm Setup Works
 • Refresh Web Browser - it should hang
 • Go to Burp -> Proxy -> Intercept (they are highlighted)
 • Click "Forward" for all messages
 • Should now see page in browser

23. Confirm Setup Works
 • Intercept is on
  • Each request will be caught by proxy
  • Requires you to hit forward each time
 • Intercept is off
  • Requests sent through proxy automatically
  • Logged in tab "proxy" -> "history"

24. "Hello World" of Proxies
 • Lesson: General -> Http Basic
 • Objective:
  • Enter your name into text box
  • Intercept with proxy & change entered name to different value
  • Receive response & observe modified value is reversed
 • Diagram: Browser sends "Joe"; the attacker's web proxy changes it to "Sue"; the web server replies with the reversed value "euS", which passes back through the proxy to the browser

25. SQL Injection
 • Problem: User controlled data improperly used with SQL statements
 • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
 • Basic SQL Injection Tests:
   OR 1=1 --
   ' OR '1'= '1'--
 • Example Vulnerable Query:
   sqlQ = "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"

26. Lab! - SQL Lesson

27. SQL Injection
 • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
 • Proxy Needed
 • Objective: Bypass the login page by inserting "control" characters. Login as "Neville" w/o knowledge of the password

28. SQL Injection
 • HTTP Post:
   employee_id=112&password=x' OR '1'='1&action=Login
 • Vulnerable SQL:
   Select user from UserTable where name= '" + username + "' and pass = '" + password + "'
   Select user from UserTable where name= '112' and pass = 'x' OR '1'='1'
 • Result: ... name = '112' and pass = 'x' OR TRUE

29. Agenda
 • Business risk of SQL Injection
 • Understanding the vulnerability
 • Attack scenarios
 • Mitigation techniques

30. SQL Injection
 • Parameterized Queries
  • No confusion with control characters
 • Input Validation
  • Are special characters needed for most fields?
  • What about non-printable characters %00-%0A?
  • Just a layer of defense - remember o'malley example

31. Parameterized Query
 • HTTP Post:
   employee_id=112&password=x' OR '1'='1&action=Login
 • Parameterized Query:
   Look for employee_id 112 with password of x' OR '1'='1
 • Result: Login fail - password is foo not x' OR '1'='1

32. Language Examples
 • User data + string concatenation == SQL injection disaster
 • DJANGO
  • Model Query API -> Safe
  • raw() manager -> Dangerous, Avoid!
 • Java
   String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
   PreparedStatement pstmt = connection.prepareStatement( query );
   pstmt.setString( 1, custname);
   ResultSet results = pstmt.executeQuery( );
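The deck's concatenated login query (slides 9, 10 and 28) beside the parameterized version of slide 31 and the input-validation layer of slide 30, as an added Python example that is not part of the presentation's own material (the deck shows Django and Java; this uses the standard sqlite3 module). The users table, its rows, and the function names are constructed for the example, and it goes one step beyond the slides by combining validation with the parameterized query in a single login routine.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's UserTable.

    Passwords sit in clear text only so the deck's query can be reproduced
    verbatim; a real application compares password hashes instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("joe", "secret"), ("o'malley", "foo"), ("112", "foo")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The deck's string-concatenation query (slides 9 and 28).

    Returns the matched name, None when no row matches, or an 'ERROR: ...'
    string when the database rejects the statement (the o'malley case).
    """
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND pass = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:  # e.g. near "malley": syntax error
        return "ERROR: " + str(exc)
    return row[0] if row else None


def parameterized_login(conn, username, password):
    """Same lookup with placeholders: the driver passes the values separately
    from the statement, so a quote in the data never reaches the SQL parser."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pass = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def is_plausible_username(value, max_len=64):
    """Input validation as the extra layer from slide 30: reject empty or
    oversized values and any non-printable character (%00-%0A included),
    while still letting o'malley's apostrophe through; parameterization,
    not this check, is what makes the apostrophe harmless."""
    if not 1 <= len(value) <= max_len:
        return False
    return all(ch.isprintable() for ch in value)


def login(conn, username, password):
    """Validation first, parameterized query second; returns the user or None."""
    if not is_plausible_username(username):
        return None
    return parameterized_login(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR '1'='1"   # the password field from slide 28's POST body
    print(vulnerable_login(db, "o'malley", "foo"))   # ERROR: syntax error, as on slide 10
    print(vulnerable_login(db, "112", bypass))       # first row in the table: no password needed
    print(parameterized_login(db, "112", bypass))    # None: no user has that literal password
    print(login(db, "o'malley", "foo"))              # o'malley
    print(login(db, "joe\x00", "secret"))            # None: rejected before the query runs
```

With the concatenated query the slide-28 payload makes the WHERE clause read `(name = '112' AND pass = 'x') OR '1'='1'`, so every row matches and the first one is returned, which is why the WebGoat lab logs you in as the first employee. The parameterized form sends the same text as the literal value of the pass column and finds nothing.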
33. Additional Resources
 • OWASP SQL Prevention Cheat Sheet
  • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
 • 10 Minute Crash Course
  • Episode 3 - http://www.youtube.com/user/AppsecTutorialSeries

34. Questions
 • Next Events
  • Aug 24 - CEF Logging for Attack Aware Applications
  • Aug 25 - OWASP Bay Area Chapter Meeting
 • https://wiki.mozilla.org/index.php?title=WebAppSec#Schedule
