![Page 1: Breaking Databases - Delft University of Technologyhomepage.tudelft.nl/j9y2d/SQL-injection_v2.pdf · Breaking Databases via SQLi attacks Azqa Nadeem PhD Student @ Cyber Security Group](https://reader035.vdocument.in/reader035/viewer/2022070803/5f0303817e708231d4071c39/html5/thumbnails/1.jpg)
Breaking Databases via SQLi attacks
Azqa Nadeem, PhD Student @ Cyber Security Group
The Cyber Security lecture series
About Cyber Security lecture series
• A hot topic, a buzz term
• Introducing the Cyber Security lecture series
– Cyber security topics in existing courses
• Announcements
– Assignment 3
– Exam questions
https://www.tudelft.nl/cybersecurity/
Agenda for today
• Part I
– Data breaches and their threat landscape
– Information Security principles
– Top threats for databases
– Mitigating security threats
• Part II
– SQL injection attacks
– Injecting SQL queries ← Hands-on!
– Analysing SQLi attacks
– Best practices to avoid SQLi
Go to https://b.socrative.com/login/student/
Room Name: IDMQ3
Why would anyone ever hack a database?
The role of databases
• A database is the heart of an organization.
• “Database servers are the most compromised asset in an organization.” – Verizon 2018
… In the news
https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online
… In the news
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
… In the news
https://www.forbes.com/sites/davidvolodzko/2018/12/04/marriott-breach-exposes-far-more-than-just-data/#1f0d3c276297
… In the news
https://steemit.com/bitcoin/@hacker0/how-i-hacked-hundreds-of-bitcoins-ama
… In the news
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Extra notes:
MyHeritage does DNA sequencing.
The CIA triad
Information Security rests on three properties:
• Confidentiality – Is the information protected?
• Integrity – Is the information accurate?
• Availability – Can I access the information?
Extra notes:
. Confidentiality: can an unauthorised party see it?
. Integrity: can an unauthorised party change it?
. Availability: can a legitimate user access it?
Threats to DB Security
1. Weak authentication
2. Excessive database privileges
3. (Inadvertent) Insider threats
4. DB injection attacks
– SQL injection attacks
– NoSQL injection (NoSQL does not mean you are safe!)
5. Unmanaged sensitive data
– Storing sensitive data unprotected
6. Vulnerable DBs
– or unpatched Operating System
– Causing DoS attack
Source: Verizon 2017-2018 Data Breach Investigations Report
Extra notes:
. Weak authentication: default usernames/passwords, easy-to-guess passwords (see https://www.securitymagazine.com/articles/89694-the-top-100-worst-passwords), passwords written on sticky notes.
. Excessive privileges: giving away privileges like they’re candy.
. Insider threats: tricky business, a balance between convenience and security; phishing attacks.
. Vulnerable DBs: Equifax (credit risk assessment) had a major breach exposing the personal information of about 143M people. The breach was caused by an unpatched Apache web server.
Mitigating DB security threats
• Encrypting databases
– Data-in-transit
– Data-at-rest
• Never use default usernames/passwords
• Use 2nd Factor Authentication
• Least privilege – need-to-know basis
• Log everything!!
• Update everything regularly
• Maintain regular backups in an air-gapped environment
• Disable public error reporting
• Messy architecture means difficult maintenance
• Employee awareness – humans are the weakest link
Extra notes:
Encrypting the entire database and performing encrypted query operations is expensive and may not be feasible in all settings. Read more about it:
1) https://en.wikipedia.org/wiki/Database_encryption
2) https://arxiv.org/abs/1512.03498
Summary Part I
• Databases are the heart of an organization
• Information security – CIA triad
• Databases face a number of threats
– Weak authentication and insider threats are the most common
• Awareness and simple security practices can mitigate those threats
SQL Injection
• SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server (also known as RDBMS).
• Look out if you have:
– Web application
– Data stored in databases
– User-controlled parameters
https://www.acunetix.com/websitesecurity/sql-injection/
Extra notes:
SQLi can affect any website or web application that makes use of an SQL-based database, so this vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
How does a typical web app work?
[figure: the web application at webshop.tudelft.nl sits in front of the Database and builds queries from the user’s requests]
Extra notes:
Who is to blame?
- Database developers? Oracle?
- Web developer?
- Schema designers?
What can attackers do?
• Insert backdoor
– INSERT INTO users (username, password) VALUES ('attacker', 'youvebeenhacked')
• Steal information
– SELECT * FROM users WHERE userType='admin'
• Delete records/tables
– DELETE FROM users;
– DROP SCHEMA webshop;
Scenario
webshop.tudelft.nl is backed by an SQL database. Its “Search for an item” form takes a Keyword and looks it up in the Inventory table:
Inventory
itemName itemPicture
Shirt X
Pen X
Car X
Searching for the keyword “car” returns the Car row.
Task 1: How to list all items?
Keyword: car' OR 1 #
→ Tautology: “OR 1” makes the WHERE condition true for every row, and “#” comments out the rest of the query, so the whole Inventory comes back.
The login scenario…
webshop.tudelft.nl’s Log in Form (Username, Password, Go) checks the submitted pair against the SQL database.
Extra notes:
= missing after username
Another Tautology-based SQLi
Username: Blah' OR 1#
Password: Blah
→ The username condition is always true and the password check is commented out, so the login succeeds without a valid password.
Running multiple queries
• Useful keywords:
– JOIN (Append horizontally)
– UNION (Append vertically)
[figure: two result sets, 1 and 2, each holding “Fluffy Bunny”, appended into one result]
Extra notes:
Dual is a one row, one column table in Oracle databases, called Dummy with value X.
Task 2: How to dump user data?
The same search form, but the database also holds a Users table:
Users
username password
fluffyBunny cArR0T
admin admin123
Inventory
itemName itemPicture
Shirt X
Pen X
Car X
Keyword: car' UNION SELECT password FROM users#
→ The search result now also contains every password from the Users table (cArR0T, admin123), appended vertically to the Car row.
Extra notes:
It’s called: Union-based SQLi attack
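The two search-form attacks above (Task 1, the tautology, and Task 2, the UNION dump) and their fix, as an added example that is not part of the lecture slides. It builds the webshop’s Inventory and Users tables with the lecture’s sample rows in an in-memory SQLite database (an assumption made so the code runs offline; the table and column names are the slides’), and runs the same keyword first through a query assembled by string concatenation and then through a prepared statement. One adjustment: the slides’ payloads end in MySQL’s `#` line comment, whereas SQLite only understands `--`, so the payloads here use `--`.

```python
import sqlite3

# Constructed toy schema mirroring the lecture's webshop.tudelft.nl scenario
# (Inventory and Users tables with the sample rows from the slides).
def build_webshop() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE inventory (itemName TEXT, itemPicture TEXT);
        INSERT INTO inventory VALUES ('Shirt', 'X'), ('Pen', 'X'), ('Car', 'X');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('fluffyBunny', 'cArR0T'), ('admin', 'admin123');
    """)
    return conn

def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list[str]:
    # The bug from the "mixing of code and data" slide: the keyword is pasted
    # into the SQL text, so a quote inside it ends the literal and whatever
    # follows is parsed as SQL.
    sql = "SELECT itemName FROM inventory WHERE itemName LIKE '" + keyword + "'"
    return sorted(row[0] for row in conn.execute(sql))

def search_safe(conn: sqlite3.Connection, keyword: str) -> list[str]:
    # Prepared statement: the query text is fixed and the keyword is bound as
    # a value, so it is matched literally whatever characters it contains.
    sql = "SELECT itemName FROM inventory WHERE itemName LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (keyword,)))

# The lecture's payloads use MySQL's '#' comment; SQLite needs '--' instead.
TAUTOLOGY = "car' OR 1 --"
UNION_DUMP = "car' UNION SELECT password FROM users --"

def demo() -> dict:
    # Runs an honest search and both payloads through each implementation.
    conn = build_webshop()
    return {
        "normal": search_vulnerable(conn, "car"),
        "tautology_vulnerable": search_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": search_safe(conn, TAUTOLOGY),
        "union_vulnerable": search_vulnerable(conn, UNION_DUMP),
        "union_safe": search_safe(conn, UNION_DUMP),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} {rows}")
```

The vulnerable search returns the whole Inventory for the tautology and the Car row plus both passwords for the UNION payload; the prepared statement returns nothing for either, because it looks for an item literally named `car' OR 1 --`. Note that the UNION only works here because the application query selects a single column, as the slide’s payload assumes.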
Piggy backed query
https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
Why is it happening?
• Mixing of Code and data
Intended query:
SELECT profile FROM users WHERE uname='Blah' AND pwd='Blah'
With the injected username:
SELECT profile FROM users WHERE uname='Blah' OR 1=1 # ' AND pwd='Blah'
SQLi Avoidance
1. Input sanitization
– Clean the input in order to use it
• Problem:
– Not all scenarios are known
2. Escaping the input
– To avoid data being mistaken as code
– Input: 'what is 'www''
– Processed as:
– Must be processed as:
• Problem:
– Possibly a 2nd Order SQLi attack
• Effect not seen immediately
2nd Order SQLi
1) Register with Username “Robert'; Drop table users;#” and Password “Blah”. The input is escaped, so the INSERT is harmless and the string is stored as plain data:
Users
username password
fluffyBunny cArR0T
admin admin123
Robert'; Drop table users;# Blah
2) Login with that Username and Password “Blah”: the page greets “Welcome, Robert'; Drop table users;#”.
3) Update password: Password “Blah2”, Confirm “Blah2”. The stored username is now read back from the database and embedded in the UPDATE query without escaping, and there it runs as SQL. The effect is not seen at the moment of injection but only when the stored data is reused.
SQLi Avoidance
1. Input sanitization
2. Escaping the input
3. Prepared statements
– Separation of concerns
– Pre-compile legitimate query
– Add placeholders for data
[figure: Query = Code + Data, with the two kept apart]
Extra notes:
Learn more about Prepared statements here: https://youtu.be/jTasm64rz-c and https://stackoverflow.com/questions/23845383/what-does-it-mean-when-i-say-prepared-statement-is-pre-compiled
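The escaping slide, the 2nd Order SQLi walkthrough and the prepared-statements slide, as one added example that is not from the lecture. It assumes an in-memory SQLite database with the slides’ Users table, escapes quotes at registration the way slide 46 describes (doubling them), then reuses the stored username in a later password-update query, once by concatenation and once with bound parameters. The vulnerable path uses `executescript` so that the stacked `DROP TABLE` actually runs, standing in for a database driver that accepts several statements per call; the payload again uses SQLite’s `--` comment instead of the slides’ `#`.

```python
import sqlite3

def escape_quotes(value: str) -> str:
    # Input escaping as on the "Escaping the input" slide: doubling each
    # single quote so the value stays inside its SQL string literal.
    return value.replace("'", "''")

def fresh_db() -> sqlite3.Connection:
    # Constructed Users table with the lecture's sample rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('fluffyBunny', 'cArR0T'), ('admin', 'admin123');
    """)
    return conn

def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Step 1: registration escapes the input, so this INSERT is not injectable
    # and the raw string "Robert'; DROP TABLE users;--" is stored as data.
    conn.execute("INSERT INTO users VALUES ('%s', '%s')"
                 % (escape_quotes(username), escape_quotes(password)))

def stored_username(conn: sqlite3.Connection, password: str) -> str:
    # Step 2: after login the application reads the username back from the
    # database and from then on treats it as trusted.
    row = conn.execute("SELECT username FROM users WHERE password = ?",
                       (password,)).fetchone()
    return row[0]

def update_password_vulnerable(conn: sqlite3.Connection,
                               username: str, new_password: str) -> None:
    # Step 3, unsafe: the stored username is concatenated into a new query
    # with no escaping. Its quote ends the literal and the rest runs as SQL.
    # executescript() lets the stacked statement execute, as a driver with
    # multi-statement support would.
    conn.executescript("UPDATE users SET password='%s' WHERE username='%s'"
                       % (escape_quotes(new_password), username))

def update_password_safe(conn: sqlite3.Connection,
                         username: str, new_password: str) -> None:
    # Prepared statement: both values are bound, so the stored username is
    # compared literally no matter what it contains.
    conn.execute("UPDATE users SET password=? WHERE username=?",
                 (new_password, username))

def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute("SELECT name FROM sqlite_master "
                       "WHERE type='table' AND name='users'").fetchone()
    return row is not None

# The slide's username, with SQLite's comment syntax.
PAYLOAD = "Robert'; DROP TABLE users;--"

def second_order_demo(safe: bool) -> dict:
    # Plays the three screens (register, login, update password) and reports
    # whether the Users table survived and what Robert's password ended up as.
    conn = fresh_db()
    register(conn, PAYLOAD, "Blah")
    name = stored_username(conn, "Blah")
    if safe:
        update_password_safe(conn, name, "Blah2")
    else:
        update_password_vulnerable(conn, name, "Blah2")
    exists = users_table_exists(conn)
    robert_pw = None
    if exists:
        robert_pw = conn.execute("SELECT password FROM users WHERE username=?",
                                 (PAYLOAD,)).fetchone()[0]
    return {"stored_username": name,
            "users_table_exists": exists,
            "robert_password": robert_pw}

if __name__ == "__main__":
    print("concatenated UPDATE:", second_order_demo(safe=False))
    print("prepared UPDATE:    ", second_order_demo(safe=True))
```

Escaping at the registration form does its job: the INSERT stores the string intact. The damage happens one request later, when a different query trusts that stored value, which is why the slides say the effect is not seen immediately and why the prepared statement has to be used on every query, not only on the ones that take input straight from a form.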
Summary Part II
• Executing SQL code on a database is called an SQL Injection attack
• SQLi is caused by mixing of code and data
• Prepared statements are the most useful in avoiding SQLi
• However, user input must always be sanitized
Extra notes:
Prepared statements can be used in all cases EXCEPT when using Dynamic Object Mappers (e.g. Hibernate, Jackson) because we don’t have variables to bind with beforehand. In such cases, escaping and sanitizing user input are the only options.
Additional material
• https://www.esecurityplanet.com/network-security/6-database-security-best-practices.html
• NoSQL injection attacks:
– https://www.owasp.org/images/e/ed/GOD16-NOSQL.pdf
– https://www.owasp.org/index.php/Testing_for_NoSQL_injection
– http://blogs.adobe.com/security/files/2011/04/NoSQL-But-Even-Less-Security.pdf?file=2011/04/NoSQL-But-Even-Less-Security.pdf
• https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
• Type of SQLi attacks: https://pdfs.semanticscholar.org/81a5/02b52485e52713ccab6d260f15871c2acdcb.pdf
• Try it yourself:
– https://www.codingame.com/playgrounds/154/sql-injection-demo/sql-injection
– http://leettime.net/sqlninja.com/
– https://www.veracode.com/security/sql-injection
Time for questions