java web application security - introduction to sql injection

Post on 16-Jan-2017


Java Web Application Security

Introduction to SQL Injection (SQLi)

Joseph Konieczka

Sales Engineer

BrixBits

Agenda

• First of several sessions on SQL Injection

• Definition

• Prevalence

• Coding Guidance

• Testing Methods

• Defensive Protection

• Homework

What is SQL Injection (SQLi)?

• At its most basic level, an injection flaw exists when user-supplied input is combined with program logic, so that data can be interpreted as code

• Once the attacker can alter the SQL query, the damage is limited only by the controls implemented in the application, web server, OS, and infrastructure

OWASP Definition of SQLi

• https://www.owasp.org/index.php/SQL_Injection

• A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

• A successful SQL injection exploit can:

 – read sensitive data from the database

 – modify database data (Insert/Update/Delete)

 – execute administration operations on the database (such as shutdown the DBMS)

 – recover the content of a given file present on the DBMS file system

 – and in some cases issue commands to the operating system

How widespread is it?

• In 2015, more than 200 SQLi vulnerabilities were reported

• In 2016, 10 had already been reported by the end of February

• Year after year, SQLi is listed as one of the OWASP Top 10 risks seen in the wild

CWE, CVE, and NVD

• The Common Weakness Enumeration (CWE™) is a list of software weaknesses.

 – https://cwe.mitre.org/

• Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities.

 – http://cve.mitre.org/

• National Vulnerability Database

 – https://nvd.nist.gov/home.cfm

How do you avoid it?

• Query parameterization

• SQL code is first defined

• Parameters are then passed to the query (ideally after the input has been validated)

• Distinct boundary between code and data

• PreparedStatement prepareStatement(String sql)

Example

• https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

• String custname = request.getParameter("customerName");

• String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";

• PreparedStatement pstmt = connection.prepareStatement( query );

• pstmt.setString( 1, custname);

• ResultSet results = pstmt.executeQuery( );

How do you test for it?

• Static Analysis tools such as FindBugs with the FindSecurityBugs plugin

• Automated tools such as sqlmap (covered in Advanced section)

• Manual penetration testing for complex situations

WebGoat Numeric SQL Injection

• View intercepted traffic

• Key parameter is station

• Returns temp info for that station

• Retry but add OR 1=1

• Statement evaluated to TRUE

• All results returned
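The JDBC example above and the WebGoat numeric-injection steps, carried through as an added example that is not part of the original deck or of WebGoat. It uses Python's sqlite3 module rather than Java so it runs with no database server; the `?` placeholder is the same bind-after-prepare mechanism as PreparedStatement. The weather_data table, its columns and its rows are constructed sample data, not WebGoat's real schema.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's weather table; the
# table name and columns are assumptions, not WebGoat's real schema.
WEATHER = [(101, "Columbia", 65), (102, "Seattle", 48), (103, "New York", 53)]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather_data (station INTEGER, name TEXT, temp INTEGER)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?, ?)", WEATHER)
    return conn


def lookup_vulnerable(conn, station):
    """The flaw: the request parameter is pasted into the SQL text.

    There is no boundary between code and data, so a value such as
    '101 OR 1=1' rewrites the WHERE clause and every row comes back.
    """
    sql = "SELECT station, name, temp FROM weather_data WHERE station = " + station
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, station):
    """The fix: SQL text is fixed first, the value is bound afterwards.

    Same '?' pattern as prepareStatement/setString in the slides: whatever
    the client sends is compared as a value and never becomes query text,
    so '101 OR 1=1' simply matches no station and returns nothing.
    """
    sql = "SELECT station, name, temp FROM weather_data WHERE station = ?"
    return conn.execute(sql, (station,)).fetchall()


def validate_station(raw):
    """Input validation before binding: a station id is digits only.

    Returns the integer id, or None when the parameter should be rejected
    (and, in a real application, logged as a probable injection attempt).
    """
    return int(raw) if raw.isdigit() else None


if __name__ == "__main__":
    db = make_db()
    print("normal request :", lookup_vulnerable(db, "101"))
    print("OR 1=1, concat :", lookup_vulnerable(db, "101 OR 1=1"))
    print("OR 1=1, bound  :", lookup_parameterized(db, "101 OR 1=1"))
    print("validated      :", validate_station("101 OR 1=1"))
```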

How can you protect production?

• Implement change control procedures to effectively patch during normal vendor update cycles

• Set up an expedited approval process for critical vulnerabilities

• Set up firewalls and other traffic analysis tools

• Leverage Runtime Application Self Protection (RASP) such as BrixBits Security Analyzer

Defense in Depth

Homework

• Complete the BodgeIt labs outlined in Testing VM Setup Guide

• Begin working with the WebGoat Injection Flaws Lessons

• Review the SQL Injection and Query Parameterization Cheat Sheets

• Sign up for next week’s webinar

http://brixbits.com/

http://brixbits.com/request-a-demo/
