group 4 sql injection - cse.hcmut.edu.vn

Post on 14-Feb-2022



OVERVIEW

• Definitions: SQL Injection
• Demo for SQL Injection
• How does SQL Injection work?
• Defenses for SQL injection

WHAT IS SQL INJECTION? DEFINITIONS ABOUT SQL & SQL INJECTION

SQL DEFINITION

Timeline: 1986 ANSI standard; 1987 ISO standard

• SQL was created in the early 1970s by IBM.

• In 1974, Donald Chamberlin and Raymond Boyce published the article "SEQUEL: A Structured English Query Language", which introduced SQL to the world.

• The first SQL standard was SQL-86. It was published in 1986 as an ANSI standard and in 1987 as an International Organization for Standardization (ISO) standard.

• The most current standard is SQL-99.

RELATIONAL DATABASE

SQL DEFINITIONS

• SQL stands for Structured Query Language.

• SQL lets you access, store, manipulate and retrieve data held in a relational database (RDB).

• Some popular RDBs:
  - MySQL
  - SQLite
  - Oracle
  - Microsoft SQL Server

SECURITY IMPLICATIONS OF SQL

• SQL code is never meant, at least directly, to be interacted with from inside an application.

• Instead, the application, given user input, prepares the SQL code that needs to be sent to the database to extract (or modify) the requested data.

• => CODE INJECTION

• Being a simple (yet very powerful) language, injecting code within SQL statements is relatively easy and can also produce quite damaging results, varying from granting authenticated access to anybody to utterly destroying a web application that relies on databases.

SQL INJECTION

• Commands are just strings of characters that are interpreted as code, and user input is made of text → code syntax can be inserted within user input.

• Part of the user's input ends up in the SQL query and is treated as SQL code.

• SQL injection is an attack that tries to exploit the syntax of the SQL language.

• Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input → interact with the database.

• This vulnerability was discovered over 20 years ago.

SQL INJECTION

• With SQL injection → execute arbitrary commands → interact with the database of an application in a way that was not originally intended by the application.

• The most important statement is SELECT.

SQL INJECTION

• The main problem that makes applications and systems vulnerable to SQL injection is the lack of controls on user-provided input.

• Security controls can prevent SQL injection by:
  - Not allowing unnecessary special characters in queries, so that SQL syntax cannot be abused.
  - Not allowing suspicious commands in queries, by whitelisting only specific instructions.
  - Not giving the user too much freedom, thereby preventing a malicious user from injecting arbitrary code.

EXAMPLES: HOW SQL INJECTION WORKS

REAL WORLD EXAMPLES

• On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack.

• In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.

• In 2021, BKAV Vietnam was attacked by an anonymous user, Chungxong, using an SQL injection attack. The incident led to the leak of all of BKAV's codebase and users' data.

IMPORTANT SYNTAX

COMMENTS: "--"
Example: SELECT * FROM 'table' -- selects everything

LOGIC: 'a'='a'
Example: SELECT * FROM 'table' WHERE 'a'='a'

MULTI STATEMENTS: S1; S2
Example: SELECT * FROM 'table'; DROP TABLE 'table';

EXAMPLE WEBSITE

Login form input: user = timbo317, pass = cse7330

SELECT * FROM 'login' WHERE "user"='timbo317' AND "pass"='cse7330'

LOGIN DATABASE TABLE

user     | pass
---------|--------
timbo317 | cse7330

What Could Go Wrong??

EXAMPLE HACK

Input in the user field: ' OR 'a'='a
Input in the pass field: ' OR 'a'='a

SELECT * FROM 'login' WHERE 'user'='' OR 'a'='a' AND 'pass'='' OR 'a'='a';

IT GETS WORSE!

Input in the user field: '; DROP TABLE `login`; --

SELECT * FROM 'login' WHERE 'user'=''; DROP TABLE 'login'; --' AND 'pass'=''

ALL QUERIES ARE POSSIBLE

SELECT * FROM 'login' WHERE 'user'=''; INSERT INTO 'login' ('user','pass') VALUES ('haxor','whatever'); --' AND 'pass'=''

SELECT * FROM 'login' WHERE 'user'=''; UPDATE 'login' SET 'pass'='pass123' WHERE 'user'='timbo317'; --' AND 'pass'=''

DEMONSTRATION FOR SQL INJECTION: ILLUSTRATE WITH THE DEMO - ATTACK THE INTERNET BANKING APPLICATION

DEMO APPLICATION INTERFACE

• Basic login interface.

• Try with the account of another user: the message "access denied" appears because the password is NOT KNOWN.

• Add the special character as a postfix:
  - Log in with the special character.
  - An "UnknownError" message appears.
  - The SQL statement will be like:

• Try again with the following:
  user: typhu' ; --
  password: demo
  - The SQL statement will be like:
  - Login succeeds as user "typhu".

HOW TO DEFEND AGAINST SQL INJECTION: SOME OPTIONS TO PROTECT THE DATABASE FROM SQL INJECTION

DETECTION AND PREVENTION METHOD

• SQL injection attacks usually arrive through the same page and port as an ordinary web page login. A general-purpose firewall cannot detect SQL injection attacks, so additional means are needed to enhance the detection of injection attacks.

• Common detection methods:
  - Check the IIS log
  - Check the database
  - Check the user's input
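A small illustration of the "check the IIS log" and "check the user's input" items, added here and not part of the slides or the linked demo repository: it parses a constructed IIS W3C-style log excerpt and flags requests whose query string carries the syntax the slides call important (comments, the 'a'='a tautology, stacked statements). A lone apostrophe is deliberately not a signature, so an O'Malley-style name is not flagged by itself.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt (not from the slides): the second and
# third requests carry the tautology and comment payloads the slides show.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-02-14 08:00:01 GET /login.asp user=timbo317&pass=cse7330 10.0.0.5 200
2022-02-14 08:00:09 GET /login.asp user=%27+OR+%27a%27%3D%27a&pass=%27+OR+%27a%27%3D%27a 10.0.0.9 200
2022-02-14 08:00:15 GET /login.asp user=typhu%27+%3B+--&pass=demo 10.0.0.9 200
2022-02-14 08:00:20 GET /login.asp user=o%27malley&pass=secret 10.0.0.7 401
"""

# Signatures for the syntax the slides single out: comments, the 'a'='a
# tautology, and stacked statements. A lone apostrophe is deliberately not
# a signature, so O'Malley-style input is not flagged on its own.
SIGNATURES = {
    "comment": re.compile(r"--|/\*"),
    "tautology": re.compile(r"\bor\b\s*'?\w*'?\s*=\s*'?\w*'?", re.I),
    "stacked": re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I),
}

def parse_iis(log_text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def scan_log(log_text):
    """Return (time, client ip, matched signatures) for each suspicious request."""
    hits = []
    for row in parse_iis(log_text):
        # The payload arrives URL-encoded in the log; decode before matching.
        query = unquote_plus(row.get("cs-uri-query", ""))
        matched = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
        if matched:
            hits.append((row["time"], row["c-ip"], matched))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```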

DEFENSIVE SOLUTION

• Defending against SQL injection – code-level:
  - Input validation
  - Character encoding and escaping
  - Parameterized queries
  - Secure coding practices

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Input validation

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Parameterized queries: Parameterized queries are a means of pre-compiling an SQL statement so that you can then supply the parameters in order for the statement to be executed. This method makes it possible for the database to recognize the code and distinguish it from input data.
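The concatenated login query from the EXAMPLE HACK and demo slides beside its parameterized form, as an added example in Python with sqlite3 that is not from the slides or the linked demo repository. The in-memory table, the typhu account's password and the function names are constructed for the example; the payloads are the ones the slides show.

```python
import sqlite3

# Constructed in-memory login table (not the slides' demo app) holding the
# slides' account timbo317/cse7330 and a demo account typhu (password assumed).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)",
                     [("timbo317", "cse7330"), ("typhu", "secret-pw")])
    return conn

def vulnerable_login(conn, user, pw):
    # The pattern the slides show: user input is concatenated into the SQL
    # text, so quotes and comment markers in the input become SQL syntax.
    sql = ("SELECT * FROM login WHERE user='" + user
           + "' AND pass='" + pw + "'")
    return conn.execute(sql).fetchone() is not None

def safe_login(conn, user, pw):
    # Parameterized query: the statement is compiled with placeholders and the
    # input is bound as data, so a quote in the input stays a literal quote.
    sql = "SELECT * FROM login WHERE user=? AND pass=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None

def run_cases():
    """Return (concatenated result, parameterized result) for each slide case."""
    conn = make_db()
    tautology = "' OR 'a'='a"   # EXAMPLE HACK payload, used in both fields
    comment = "typhu' ; --"     # demo payload: comments out the password check
    results = {
        "valid": (vulnerable_login(conn, "timbo317", "cse7330"),
                  safe_login(conn, "timbo317", "cse7330")),
        "tautology": (vulnerable_login(conn, tautology, tautology),
                      safe_login(conn, tautology, tautology)),
        "comment": (vulnerable_login(conn, comment, "demo"),
                    safe_login(conn, comment, "demo")),
    }
    # Stacked statements (IT GETS WORSE): sqlite3's execute() refuses a second
    # statement, so this driver blocks the DROP TABLE case on its own; it does
    # nothing against the two bypasses above, which are single statements.
    try:
        vulnerable_login(conn, "'; DROP TABLE login; --", "")
        results["stacked"] = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["stacked"] = "refused by driver"
    return results

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name:10} {outcome}")
```

The concatenated version accepts both slide payloads, while the parameterized version only accepts the real credentials.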

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Character encoding and escaping: There are also times when other defenses cannot be applied, for example in databases that expect surnames: some surnames contain an apostrophe, such as O'Malley or O'Brian, which of course is still encoded as a single quote.

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Secure coding practices: In most cases, the root of all application security problems resides in the design and development phase.

  Standards and resources:
  - OWASP SAMM
  - SEI CERT C++ Coding Standard
  - SEI CERT Oracle Coding Standard for Java
  - C
  - Perl
  - Android

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Managing sensitive data securely

• Introducing additional abstraction layers

• Stored procedures

DEFENDING AGAINST SQL INJECTION – PLATFORM LEVEL

• Web application firewalls

• Application intrusion detection systems (IDS/IPS)

• Database firewalls: The last firewall we will consider is the database firewall. A database firewall is basically a proxy server positioned between the application and its database that inspects the queries that are sent to it.

• Protecting the database server:
  - Patching
  - Enforcing authentication and monitoring controls
  - Preventing Google (and other search engine) hacking


SOURCE CODE DEMO

Github: https://github.com/tquangsdh20/demo_sql_injection
