14. Fill in the blanks!
• SELECT OrderId
FROM Sales
WHERE CustomerId = ' '
• SELECT OrderId
FROM Sales
WHERE CustomerId = ''
UNION
SELECT Table_Name
FROM INFORMATION_SCHEMA.TABLES; -- '
SQL Injection
17. Hide the Error
• try {
resultSet = READ FROM DATABASE;
} catch(error) {
redirect("home.html");
}
if(resultSet.RowCount > 0)
redirect("history.html");
else
redirect("home.html");
[Flowchart: Read from DB -> Error? (Yes: go to "home") -> Is Result > 0? (Yes: go to "history"; No: go to "home")]
18. CustomerID = '  ->  Go to "home"
CustomerID = ' ; delay 1 min. ;--  ->  Wait 1 min.  ->  Go to "home"
Blind SQL Injection
19. Is the first letter of the name of the first table an 'A'? No, it's not: go to "home"
Is the first letter of the name of the first table a 'B'? Yes, it is: go to "history"
SELECT OrderID FROM Sales WHERE CustomerID = '' OR
MID(
(SELECT table_name FROM INFORMATION_SCHEMA.tables LIMIT 1)
, 1, 1) = 'A'
Blind SQL Injection
20. Solutions
• Validate Input
• No SQL syntax
• No single quote
• What about Mr. John O'Malley?
• Attacks that need no single quote
• URL encoding
• Prevent OR 1 = 1
• Regex
• Encode or escape
22. Solutions
• Validate Input
• No SQL syntax
• No single quote
• Prevent OR 1 = 1
• Regex
• Encode or escape
Regexlib.com: searching for "person's name" gives a regex that allows apostrophes
SQL injection: X' OR A IS NOT NULL
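The "Solutions" slides contrast input validation with encoding or escaping; a bound parameter sidesteps both problems. The added example below is not from the slides: it builds the deck's Sales query twice over a constructed in-memory SQLite table, once by string concatenation and once with a parameter, and shows that the concatenated form breaks on Mr. O'Malley and returns every order for the slide's "OR 1 = 1" input, while the parameterised form handles both correctly.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny Sales table.
SAMPLE_ROWS = [
    (1001, "alice"),
    (1002, "O'Malley"),
    (1003, "bob"),
]


def make_db():
    """Create an in-memory database holding the constructed Sales table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sales (OrderId INTEGER, CustomerId TEXT)")
    conn.executemany("INSERT INTO Sales VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def orders_concat(conn, customer_id):
    """Vulnerable form: the slide's query assembled by string concatenation."""
    sql = "SELECT OrderId FROM Sales WHERE CustomerId = '" + customer_id + "'"
    return sorted(row[0] for row in conn.execute(sql))


def orders_param(conn, customer_id):
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT OrderId FROM Sales WHERE CustomerId = ?"
    return sorted(row[0] for row in conn.execute(sql, (customer_id,)))


def demo():
    """Run both forms against a legitimate apostrophe and the OR 1 = 1 input."""
    conn = make_db()
    results = {}
    results["param_omalley"] = orders_param(conn, "O'Malley")
    try:
        results["concat_omalley"] = orders_concat(conn, "O'Malley")
    except sqlite3.OperationalError:
        results["concat_omalley"] = "SQL error"  # the apostrophe broke the query
    payload = "' OR 1=1 --"  # the input the slides warn about
    results["concat_or11"] = orders_concat(conn, payload)  # every order leaks
    results["param_or11"] = orders_param(conn, payload)    # no such customer
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```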
30. SDLThreat ModelingTool
• A Data Flow Graph
• STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
[Data flow diagram: User -> processes "Add item into cart" and "View cart contents" -> data stores User database, Product Catalog, Cart Database]
31. Secure Coding Libraries
• Don't reinvent the wheel
• Code review
• Correctness or Disuse
• OWASP AntiSamy or Microsoft Anti-XSS
• OpenSSL