SlideShare una empresa de Scribd logo

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

Pablo Orduña
Pablo Orduña

Presenation at JSWEB2010, Valencia, September 2010

Tecnología
1 de 25
Descargar para leer sin conexión
Introduction Vulnerable code samples Addressing code injection Conclusions Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages Pablo Ordu˜a, Aitor Almeida, Unai Aguilera, Xabier Laiseca, n Diego L´pez-de-Ipi˜a, Aitor G´mez-Goiri o n o September 9th, 2010 Future Internet - Elkarlaneko ikerkuntza estrategikorako programa; ETORTEK 2008 img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Introduction The Semantic Web is based on a set of technologies: XML RDF OWL ... img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Query Languages New technologies have been developed to query the ontologies later later RDQL − − SPARQL − − SPARUL −→ −→ These new query languages are based on SQL RDQL and SPARQL → Read-only query languages introduces SPARUL (SPARQL/Update) − − − − modification − − −→ capabilities SPARQL Sample: 1 PREFIX injection: <http://www.morelab.deusto.es/ injection.owl#> 2 SELECT ?p1 3 WHERE { 4 ?p1 a injection:Person . 5 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Security issues The use of these new query languages introduce vulnerabilities already found in a bad use of query languages Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known Libraries provide tools to sanitize user input in these languages A proper usage of the query languages is required in order to face new techniques, including: (Blind) SPARQL Injection SPARUL Injection img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection The following query is assumed to retrieve the friends of a user whom fullName is provided by the variable name The ontology is available in http://www.morelab.deusto.es/injection.owl img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 " + 4 "WHERE {" + 5 " ?p1 a injection:Person . " + 6 " ?p2 a injection:Person . " + 7 " ?p1 injection:fullName ’" + name + "’ . " + 8 " ?p1 injection:isFriendOf ?p2 . " + 9 " ?p1 injection:fullName ?name1 . " + 10 " ?p2 injection:fullName ?name2 . " + 11 "}"; 12 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection This code can be exploited to retrieve any information in the ontology The problem is that the variable name has not been sanitized This variable can include SPARQL code, and thus modify the query itself A variable with malicious content can be found in the next slide img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 " ?p1 injection:fullName ?name1 . " + 9 " ?p2 injection:fullName ?name2 . " + 10 "}"; 11 String name = "Pablo Orduna’ . " + 12 "?b1 a injection:Building . " + 13 "?b1 injection:name ?name1 . " + 14 "} #"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + "Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + "’ . " + 10 " ?p1 injection:isFriendOf ?p2 . " + 11 " ?p1 injection:fullName ?name1 . " + 12 " ?p2 injection:fullName ?name2 . " + 13 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + /* From this point everything 10 is commented and thus ignored */ "’ . " + 11 " ?p1 injection:isFriendOf ?p2 . " + 12 " ?p1 injection:fullName ?name1 . " + 13 " ?p2 injection:fullName ?name2 . " + 14 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection This code will return the name of the building instead of the name of a user It is possible to use the flexibility of SPARQL to perform other kind of queries retrieving any information in the ontology img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Introducing Blind SPARQL Injection The previous sample was especially vulnerable since it returned a string It is possible to retrieve any information as a string Strings are usually not retrieved in SPARQL, but individuals What if the returning value is an individual? It’s still possible to retrieve any information If it’s possible to know if a given query is true or false, it’s possible to iteratively retrieve any information The following code retrieves the individuals themselves It’s possible to know if the query provided or not the individuals img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 4 "SELECT ?p1 ?p2 " + 5 "WHERE {" + 6 " ?p1 a injection:Person . " + 7 " ?p2 a injection:Person . " + 8 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 9 " ?p1 injection:isFriendOf ?p2 . " + 10 "}"; 11 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Once again, the variable name has not been sanitized So it’s still possible to inject SPARQL code The injected code can’t return a building or the building name But, adding a condition like “does the building name start by this letter” we will get: The common results → so the building name starts by that letter No results → so the building name does not start by that letter img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = /* PREFIXES ... */ 2 "SELECT ?p1 ?p2 " + 3 "WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 "}"; 9 String name = "Pablo Orduna’ . " + 10 "?b1 a injection:Building . " + 11 "?b1 injection:name ?buildingName . " + 12 "FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 13 "} #"; // }:-D img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query would be. . . 1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?p1 ?p2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?buildingName . " + 9 " FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 10 " } #" + /* from here ignored*/ "’ˆˆxsd:string . " + 11 " ?p1 injection:isFriendOf ?p2 . }"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Querying recursively. . . 1 public static String recursively(String letters) throws Exception{ 2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++ i){ 3 char c = POSSIBLE_LETTERS.charAt(i); 4 if(tryBlind(letters + c)){ 5 System.out.println(c); 6 return "" + c + recursively(letters + c); 7 } 8 } 9 return ""; 10 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection It is possible to optimize this system using binary search Performing queries using Regular Expressions like ˆ[A-M].* to know if the char is between the char A and M Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60) Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160) The point is that it’s possible to retrieve any information in the ontology independently from the values returned by the query img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection Introducing SPARQL/Update Injection All the previous examples are executed in read-only query languages SPARUL introduces the chance to modify the ontology INSERT, MODIFY and DELETE statements are available The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String updateString = "PREFIX injection: <http:// www.morelab.deusto.es/injection.owl#> " + 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "DELETE {" + 4 " injection:Pablo injection:fullName ?name1 "+ 5 "} WHERE {" + 6 " injection:Pablo injection:fullName ?name1" + 7 "}n INSERT {" + 8 " injection:Pablo injection:fullName ’" + name + "’ˆˆxsd:string" + 9 "}"; 10 UpdateRequest update = UpdateFactory.create( updateString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String name = "Pablo Ordunya’ˆˆxsd:string" + 2 "} n " + 3 "INSERT {" + 4 " injection:Pablo injection:isFriendOf injection:EvilMonkey" + 5 "} #"; // }:-D 6 String result = sample.run(name); With this vulnerability, it is possible to modify the whole ontology. img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Addressing code injection Mechanisms provided by the library must be used (if provided) Not as simple as scaping the ’ characters: the string u0027 is a simple quote, just as in Java 1 System.out.println("au0022.length() + u0022b".length()); 2 // This code prints "2", the result of ("a".length() + "b".length()) 3 // since u0022 will be replaced by " even if it is commented or inside 4 // String img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Frameworks In Jena, the initialBinding argument can be used in the QueryExecutionFactory 1 // initial binding 2 QuerySolutionMap initialBinding = new QuerySolutionMap(); 3 RDFNode parameterizedName = model.createLiteral( name); 4 initialSetting.add("thename", parameterizedName); 5 6 // Perform the query 7 Query query = QueryFactory.create(queryString); 8 QueryExecution qe = QueryExecutionFactory.create( query, model, initialBinding); 9 ResultSet results = qe.execSelect(); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Addressing code injection Conclusions Conclusions Not sanitizing the user input might add a set of security vulnerabilities in our systems In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore they should also be taken into account when working with them img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction Vulnerable code samples Addressing code injection Conclusions Questions? DeustoTech - Internet http://www.morelab.deusto.es Pablo Ordu˜an pablo.orduna@deusto.es Aitor Almeida aitor.almeida@deusto.es Unai Aguilera unai.aguilera@deusto.es Xabier Laiseca xabier.laiseca@deusto.es Diego L´pez-de-Ipi˜a o n dipina@deusto.es Aitor G´mez-Goiri o aitor.gomez@deusto.es img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .

Recomendados

Rr 7944
Rr 7944Rr 7944
Rr 7944fangjiafu
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationAlex Senkevitch
 
Research Overview
Research OverviewResearch Overview
Research Overviewavinashvarna
 
Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)johnwilander
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
Designing Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesDesigning Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesPablo Orduña
 
Taller Ria
Taller RiaTaller Ria
Taller RiaPablo Orduña
 
Mumbai Moods
Mumbai MoodsMumbai Moods
Mumbai Moodsrajshah
 

Recomendados

Rr 7944
Rr 7944Rr 7944
Rr 7944fangjiafu
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationAlex Senkevitch
 
Research Overview
Research OverviewResearch Overview
Research Overviewavinashvarna
 
Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)Application Security, in Six Parts (HackPra 2012)
Application Security, in Six Parts (HackPra 2012)johnwilander
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
Designing Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesDesigning Experiment Agnostic Remote Laboratories
Designing Experiment Agnostic Remote LaboratoriesPablo Orduña
 
Taller Ria
Taller RiaTaller Ria
Taller RiaPablo Orduña
 
Mumbai Moods
Mumbai MoodsMumbai Moods
Mumbai Moodsrajshah
 
Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven DevelopmentPablo Orduña
 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouRobert Cooper
 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]Pablo Orduña
 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectPablo Orduña
 
MVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitMVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitCenarion Information Systems GmbH
 
GWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der PraxisGWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der PraxisCenarion Information Systems GmbH
 
SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionMoreLab
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepapermattotamhe
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
163 166
163 166163 166
163 166Editor IJARCET
 
163 166
163 166163 166
163 166Editor IJARCET
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Mario-Leander Reimer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREAyanda Demilade
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsDSBW 2011/2002 - Carles Farré - Barcelona Tech
 

Más contenido relacionado

Destacado

Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven DevelopmentPablo Orduña
 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouRobert Cooper
 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]Pablo Orduña
 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectPablo Orduña
 

Destacado (6)

Taller Test Driven Development
Taller Test Driven DevelopmentTaller Test Driven Development
Taller Test Driven Development
 
GWT 2 Is Smarter Than You
GWT 2 Is Smarter Than YouGWT 2 Is Smarter Than You
GWT 2 Is Smarter Than You
 
WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]WebLab-Deusto [TARET3]
WebLab-Deusto [TARET3]
 
DeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS projectDeustoTech Talk: ACROSS project
DeustoTech Talk: ACROSS project
 
MVP mit dem Google Web Toolkit
MVP mit dem Google Web ToolkitMVP mit dem Google Web Toolkit
MVP mit dem Google Web Toolkit
 
GWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der PraxisGWT – Google Web Toolkit in der Praxis
GWT – Google Web Toolkit in der Praxis
 

Similar a Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionMoreLab
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepapermattotamhe
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Mario-Leander Reimer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREAyanda Demilade
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIAguestfdcb8a
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 

Similar a Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages (20)

SPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL InjectionSPARQL/RDQL/SPARUL Injection
SPARQL/RDQL/SPARUL Injection
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In Code
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Pangolin whitepaper
Pangolin whitepaperPangolin whitepaper
Pangolin whitepaper
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
163 166
163 166163 166
163 166
 
163 166
163 166163 166
163 166
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 

Último

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Último (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

  • 1. Introduction Vulnerable code samples Addressing code injection Conclusions Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages Pablo Ordu˜a, Aitor Almeida, Unai Aguilera, Xabier Laiseca, n Diego L´pez-de-Ipi˜a, Aitor G´mez-Goiri o n o September 9th, 2010 Future Internet - Elkarlaneko ikerkuntza estrategikorako programa; ETORTEK 2008 img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 2. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Introduction The Semantic Web is based on a set of technologies: XML RDF OWL ... img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 3. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Query Languages New technologies have been developed to query the ontologies later later RDQL − − SPARQL − − SPARUL −→ −→ These new query languages are based on SQL RDQL and SPARQL → Read-only query languages introduces SPARUL (SPARQL/Update) − − − − modification − − −→ capabilities SPARQL Sample: 1 PREFIX injection: <http://www.morelab.deusto.es/ injection.owl#> 2 SELECT ?p1 3 WHERE { 4 ?p1 a injection:Person . 5 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 4. Introduction Introduction Vulnerable code samples Query Languages Addressing code injection Security issues Conclusions Security issues The use of these new query languages introduce vulnerabilities already found in a bad use of query languages Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known Libraries provide tools to sanitize user input in these languages A proper usage of the query languages is required in order to face new techniques, including: (Blind) SPARQL Injection SPARUL Injection img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 5. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection The following query is assumed to retrieve the friends of a user whom fullName is provided by the variable name The ontology is available in http://www.morelab.deusto.es/injection.owl img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 6. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 " + 4 "WHERE {" + 5 " ?p1 a injection:Person . " + 6 " ?p2 a injection:Person . " + 7 " ?p1 injection:fullName ’" + name + "’ . " + 8 " ?p1 injection:isFriendOf ?p2 . " + 9 " ?p1 injection:fullName ?name1 . " + 10 " ?p2 injection:fullName ?name2 . " + 11 "}"; 12 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 7. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection Introducing SPARQL Injection This code can be exploited to retrieve any information in the ontology The problem is that the variable name has not been sanitized This variable can include SPARQL code, and thus modify the query itself A variable with malicious content can be found in the next slide img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 8. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 " ?p1 injection:fullName ?name1 . " + 9 " ?p2 injection:fullName ?name2 . " + 10 "}"; 11 String name = "Pablo Orduna’ . " + 12 "?b1 a injection:Building . " + 13 "?b1 injection:name ?name1 . " + 14 "} #"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 9. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Appending the Strings 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + "Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + "’ . " + 10 " ?p1 injection:isFriendOf ?p2 . " + 11 " ?p1 injection:fullName ?name1 . " + 12 " ?p2 injection:fullName ?name2 . " + 13 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 10. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query 1 String queryString = 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?name1 ?name2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?name1 . " + 9 " } #" + /* From this point everything 10 is commented and thus ignored */ "’ . " + 11 " ?p1 injection:isFriendOf ?p2 . " + 12 " ?p1 injection:fullName ?name1 . " + 13 " ?p2 injection:fullName ?name2 . " + 14 "}"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 11. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARQL Injection This code will return the name of the building instead of the name of a user It is possible to use the flexibility of SPARQL to perform other kind of queries retrieving any information in the ontology img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 12. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Introducing Blind SPARQL Injection The previous sample was especially vulnerable since it returned a string It is possible to retrieve any information as a string Strings are usually not retrieved in SPARQL, but individuals What if the returning value is an individual? It’s still possible to retrieve any information If it’s possible to know if a given query is true or false, it’s possible to iteratively retrieve any information The following code retrieves the individuals themselves It’s possible to know if the query provided or not the individuals img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 13. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 4 "SELECT ?p1 ?p2 " + 5 "WHERE {" + 6 " ?p1 a injection:Person . " + 7 " ?p2 a injection:Person . " + 8 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 9 " ?p1 injection:isFriendOf ?p2 . " + 10 "}"; 11 Query query = QueryFactory.create(queryString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 14. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection Once again, the variable name has not been sanitized So it’s still possible to inject SPARQL code The injected code can’t return a building or the building name But, adding a condition like “does the building name start by this letter” we will get: The common results → so the building name starts by that letter No results → so the building name does not start by that letter img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 15. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection 1 String queryString = /* PREFIXES ... */ 2 "SELECT ?p1 ?p2 " + 3 "WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’" + name + "’ˆˆxsd :string . " + 7 " ?p1 injection:isFriendOf ?p2 . " + 8 "}"; 9 String name = "Pablo Orduna’ . " + 10 "?b1 a injection:Building . " + 11 "?b1 injection:name ?buildingName . " + 12 "FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 13 "} #"; // }:-D img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 16. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions The final query would be. . . 1 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 2 "PREFIX injection: <http://www.morelab.deusto.es /injection.owl#> " + 3 "SELECT ?p1 ?p2 WHERE {" + 4 " ?p1 a injection:Person . " + 5 " ?p2 a injection:Person . " + 6 " ?p1 injection:fullName ’Pablo Orduna’ . " + 7 " ?b1 a injection:Building . " + 8 " ?b1 injection:name ?buildingName . " + 9 " FILTER regex(?buildingName, "ˆ" + s + ".*") . " + 10 " } #" + /* from here ignored*/ "’ˆˆxsd:string . " + 11 " ?p1 injection:isFriendOf ?p2 . }"; img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 17. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Querying recursively. . . 1 public static String recursively(String letters) throws Exception{ 2 for(int i = 0; i < POSSIBLE_LETTERS.length(); ++ i){ 3 char c = POSSIBLE_LETTERS.charAt(i); 4 if(tryBlind(letters + c)){ 5 System.out.println(c); 6 return "" + c + recursively(letters + c); 7 } 8 } 9 return ""; 10 } img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 18. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions Blind SPARQL Injection It is possible to optimize this system using binary search Performing queries using Regular Expressions like ˆ[A-M].* to know if the char is between the char A and M Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60) Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160) The point is that it’s possible to retrieve any information in the ontology independently from the values returned by the query img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 19. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection Introducing SPARQL/Update Injection All the previous examples are executed in read-only query languages SPARUL introduces the chance to modify the ontology INSERT, MODIFY and DELETE statements are available The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 20. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String updateString = "PREFIX injection: <http:// www.morelab.deusto.es/injection.owl#> " + 2 "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " + 3 "DELETE {" + 4 " injection:Pablo injection:fullName ?name1 "+ 5 "} WHERE {" + 6 " injection:Pablo injection:fullName ?name1" + 7 "}n INSERT {" + 8 " injection:Pablo injection:fullName ’" + name + "’ˆˆxsd:string" + 9 "}"; 10 UpdateRequest update = UpdateFactory.create( updateString); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 21. Introduction SPARQL Injection Vulnerable code samples Blind SPARQL Injection Addressing code injection SPARUL Injection Conclusions SPARUL Injection 1 String name = "Pablo Ordunya’ˆˆxsd:string" + 2 "} n " + 3 "INSERT {" + 4 " injection:Pablo injection:isFriendOf injection:EvilMonkey" + 5 "} #"; // }:-D 6 String result = sample.run(name); With this vulnerability, it is possible to modify the whole ontology. img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 22. Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Addressing code injection Mechanisms provided by the library must be used (if provided) Not as simple as scaping the ’ characters: the string u0027 is a simple quote, just as in Java 1 System.out.println("au0022.length() + u0022b".length()); 2 // This code prints "2", the result of ("a".length() + "b".length()) 3 // since u0022 will be replaced by " even if it is commented or inside 4 // String img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 23. Introduction Vulnerable code samples Introduction Addressing code injection Conclusions Frameworks In Jena, the initialBinding argument can be used in the QueryExecutionFactory 1 // initial binding 2 QuerySolutionMap initialBinding = new QuerySolutionMap(); 3 RDFNode parameterizedName = model.createLiteral( name); 4 initialSetting.add("thename", parameterizedName); 5 6 // Perform the query 7 Query query = QueryFactory.create(queryString); 8 QueryExecution qe = QueryExecutionFactory.create( query, model, initialBinding); 9 ResultSet results = qe.execSelect(); img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 24. Introduction Vulnerable code samples Addressing code injection Conclusions Conclusions Not sanitizing the user input might add a set of security vulnerabilities in our systems In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore they should also be taken into account when working with them img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .
  • 25. Introduction Vulnerable code samples Addressing code injection Conclusions Questions? DeustoTech - Internet http://www.morelab.deusto.es Pablo Ordu˜an pablo.orduna@deusto.es Aitor Almeida aitor.almeida@deusto.es Unai Aguilera unai.aguilera@deusto.es Xabier Laiseca xabier.laiseca@deusto.es Diego L´pez-de-Ipi˜a o n dipina@deusto.es Aitor G´mez-Goiri o aitor.gomez@deusto.es img/deustotech.png P. Ordu˜a, A. Almeida, U. Aguilera, X. Laiseca, D. L´pez-de. . . n o Addressing Security Issues in the Semantic Web: Injection att. . .