The document discusses SQL injection, which occurs when malicious SQL commands are injected into a backend database. It provides examples of how SQL injection can be used to bypass authentication or retrieve sensitive data from a database. The document then discusses various techniques for preventing SQL injection, including using stored procedures, parameterized queries, and object-relational mappers like Entity Framework and NHibernate which help protect against injection attacks.

1. SQL Injection
(Most common Injection
Flaw)
From Rich Helton’s October 2010
C# Web Security

2. Intro to SQL Injection…
 Many web pages communicate directly to a backend database for
processing.
 For example, a username and password is asked for on the Web
page and the web page will pass it to the database to validate the
information.
 Some applications will not validate the field adequately before
passing it to the database, and the database will process whatever it
will receive.
 Hackers will pass SQL commands directly to the database, and in
some cases tables like “passwords” are returned because the SQL
commands are not being filtered adequately.
 SQL may return errors in the web page that even lists the correct
tables to query so that the hacker may make more accurate
attempts to get data.

3. SQL Injection
 SQL Injection is the ability to inject malicious SQL commands
into the backend code.
 For example:
SELECT * FROM users WHERE username = ‘USRTEXT ' AND
password = ‘PASSTEXT’
 Passing ' OR 1=1-- in the USRTEXT field generates:
SELECT * FROM users WHERE username = ‘’ OR 1=1 -- ' AND
password = ‘PASSTEXT’
 The OR 1=1 returns true and the rest is commented out

4. ASP.NET Hacme Bank
(Let’s try it)

5. ASP.NET Hacme Bank
Authentication without username/password

6. Types of SQL Injection…
 There are really two types of SQL injection, “Blind” SQL Injection
and “Directed” SQL Injection.
 Blind SQL Injection is performed when a hacker passes SQL
commands into the web form and generic errors are returned to
the user, for instance a “404” Error page or page not found. The
hacker has to make more extensive guesses on the database behind
the web server.
 Directed SQL Injection is when the web server returns SQL errors
to the user that give information about the table that has issue
processing the SQL command. Some web pages may return
“users.password table incorrect SQL query”, which gives the hacker
the name of the database to launch the attack against.

7. Common attack strings
‘ or 27(hex) – delineates SQL string values.
“ or 22 (hex) – also delineates SQL string values.
; or 3B (hex) - terminates statements.
# or 23(hex) - also terminates a statement. (Access DB)
/* or 2F2A (hex) - comment delimiter.
-- or 2D2D (hex) – also comment delimiter.
( or 28 (hex) or ) or 29 (hex) – logical sub clauses.
{ or 7B (hex) or } or 7D (hex) – terminates a question.
exec – used to call MS-SQL stored procedures.
union – a SQL command very common to SQL injection.

8. HackmeBooks SQL Injection
(shows org.hsqldb.jdbc connection)

9. HackmeBooks SQL Injection
(attacking)
 HSQL DB, uses a SHUTDOWN to shut down the database, since
the SEARCH field uses straight SQL commands, typing in
‘;+SHUTDOWN;-- will add ‘%’; SHUTDOWN; --%’ in the SQL
statement, thus shutting down the database:
 Session is now closed because we shutdown the database:

10. Real life example
 Start by identifying the SQL Server version, table name and fields
in the error page:
 We see that it is SQL Server, and an “id” field into the
“business.dbo.urltracking” table. An Attacker can now try
inserting into the table.

11. Common fixes to SQL Injection…
 SQL Injection is caused by “Dynamic SQL” with unconstrained
validation.
 Constrain the validation to not pass SQL commands to Dynamic
SQL.
 Use Stored Procedures.
 Use Parameterized, or Prepared statements.
 Use newer technology frameworks that are built using
Parameterized statements like NHibernate and Spring.NET.
 Use the ADO.NET Entity framework.

12. Stored Procedures
 A stored procedure is a precompiled subroutine that is stored in
the data dictionary for use of applications accessing the SQL
Server.
 A sample stored procedure for exec sp_GetInventory ‘FL’ :

13. Hacking Stored Procedures
 Stored procedures can be just as dangerous as SQL Injection, if not
properly configured.
 One the most dangerous Stored Procs in SQL Server is the default
xp_cmd_shell.
 If you have admin permissions with SQL server, you can try this
simple example: exec master..xp_cmdshell ‘dir c:’
 Extending this feature, dynamic SQL may allow, in the username
form : MyUsername; exec xp_cmdshell '"echo open 192.168.10.12"
>> c:hack.txt’;
 See
http://www.informit.com/articles/article.aspx?p=30124&seqNum
=3 for an example attack.

14. Stored Procedures Hacks
(Who’s hacking them? From SANs )

15. Entity Framework
 With the ADO.NET Entity Framework, Visual Studio can be used
to create Entity Relationship Models (ERM) in order to create a
database.
 Entity Framework is part of .NET 4 and is often referred to as EF4.

16. Entity Framework
(Generate from DB)

17. Entity Framework
(Selecting ADO.NET in VS 2010)

18. A Sample Entity Framework
(Model1.edmx with the VS Model Browser)
Changes made to the model can propagate to the Database.

19. Another Example
(Has all the details of the data)

20. A Database can be generated

21. Customize the code generated by the Entity Designer with
T4 (.tt) templates
 T4 is the Text Template Transformation Toolkit.
 T4 is a means for creating code generated artifacts.
 T4 will generate a .tt file which looks like ASP classic syntax with
the brackets.
 The .tt file is the Text Template file that will generate the
background C# code from the Entity Model.
 Click on the model .edmx file and select “Add Code Generation
File…”

22. Use a T4 Editor to highlight code
 VS 2010 does not come with a T4 Visual Editor, so a plugin needs to
be installed to offer IntelliSense.
For VS 2010, I use the plugin at http://t4-editor.tangible-
engineering.com
To

23. T4 Editor
 The .tt is just the template to generate the underlying .cs (C#) file:

24. PEM
 Microsoft’s Portable Extension Metadata, a subset of shema
metadata, can be installed to add validation to the Entity Module and
its entities, http://visualstudiogallery.msdn.microsoft.com/en-
us/e6467914-d48d-4075-8885-ce5a0dcb744d

25. PEM
 After installing PEM, validation not only shows up in properties,
but generation code can be generated through T4.

26. PEM
 PemValidation.cs with the Validate method for Employee:

27. Object-Relational Mapping (ORM)
 NHibernate, the .NET version of Hibernate, can be used as a object-
relational mapping (ORM) and persistence framework that allows you
to map .NET objects to relational database tables using (XML)
configuration files.
Its purpose is to relieve the developer from a significant amount of
relational data persistence-related programming tasks.
The main advantages of Hibernate is that maps database entities to
objects and hides the details of the data access from the business logic.
Hibernate uses prepared statements, so it is protected
from direct SQL injection, but it could still be vulnerable to
injecting HQL statements which are more complex to
execute.

28. Sample Customer Mapping

29. NHibernate Validator
NHibernate has it’s own Validator plugin
http://nhforge.org/wikis/validator/nhibernate-validator-1-0-0-
documentation.aspx .
This validator (or constraint) will not only validate the values but
can also validate the size of the data before being persisted.
Sample constraint annotations:
public class Address {
[NotNull]
private string name; // Cannot be null
[NotNull]
[Length(Max = 5, Message = "{long}")]
[Pattern(Regex = "[0-9]+")] // Regex for Digits
private string zip; // 5 digits

30. Recommendations
 It is recommended to validate the data at the entity level, just in
case the Front End is compromised.
 ORM’s not only make the coding of data easier to the Database, by
not using SQL in multiple places, but also alleviates many of the
Dynamic SQL issues.