Group 4 SQL Injection - cse.hcmut.edu.vn

Post on 14-Feb-2022


Page 1: Group 4 SQL Injection - cse.hcmut.edu.vn


Page 2: Group 4 SQL Injection - cse.hcmut.edu.vn

Overview

Step 1: Definitions of SQL Injection
Step 2: How does SQL Injection work?
Step 3: Demo for SQL Injection
Step 4: Defenses for SQL injection

Page 3: Group 4 SQL Injection - cse.hcmut.edu.vn

WHAT IS SQL INJECTION?

Definitions of SQL and SQL injection

Page 4: Group 4 SQL Injection - cse.hcmut.edu.vn

SQL DEFINITION

Timeline: 1986 ANSI standard, 1987 ISO standard

• SQL was created in the early 1970s at IBM.

• In 1974, Donald Chamberlin and Raymond Boyce published the article "SEQUEL: A Structured English Query Language", which introduced SQL to the world.

• The first SQL standard was SQL-86. It was published in 1986 as an ANSI standard and in 1987 as an International Organization for Standardization (ISO) standard.

• SQL-99 was a major revision, but it is not the current standard: the standard has since been revised as SQL:2003, SQL:2008, SQL:2011, SQL:2016 and SQL:2023.

Page 5: Group 4 SQL Injection - cse.hcmut.edu.vn

RELATIONAL DATABASE


Page 6: Group 4 SQL Injection - cse.hcmut.edu.vn

SQL DEFINITIONS

• SQL stands for Structured Query Language.

• SQL lets you access, store, manipulate and retrieve data held in a relational database (RDB).

• Some popular relational database systems:
- MySQL
- SQLite
- Oracle
- Microsoft SQL Server

Page 7: Group 4 SQL Injection - cse.hcmut.edu.vn

SQL DEFINITIONS


Page 8: Group 4 SQL Injection - cse.hcmut.edu.vn

SECURITY IMPLICATIONS OF SQL

• SQL code is never, at least not directly, meant to be written by the user of an application.

• Instead, the application takes user input and builds the SQL code that is sent to the database to extract (or modify) the requested data.

• If that input can change the structure of the statement being built, the result is CODE INJECTION.

• Because SQL is a simple yet very powerful language, injecting code into SQL statements is relatively easy and can be very damaging: outcomes range from granting authenticated access to anybody to utterly destroying a web application that relies on its database.

Page 9: Group 4 SQL Injection - cse.hcmut.edu.vn

SQL INJECTION

• Commands are just strings of characters that are interpreted as code, and user input is also text, so an attacker can place SQL syntax inside user input.

• Part of the user's input ends up inside the SQL query and is treated as SQL code.

• SQL injection is an attack that exploits the syntax of the SQL language.

• Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, and thereby interact directly with the database.

• This class of vulnerability is old: it was first publicly described in 1998, more than 20 years before these slides.

Page 10: Group 4 SQL Injection - cse.hcmut.edu.vn

SQL INJECTION

• With SQL injection an attacker executes arbitrary SQL commands, interacting with the application's database in ways the application never intended.

• The most important statement is SELECT, which reads data; any other statement the application's database account is allowed to run (INSERT, UPDATE, DROP) can be reached the same way, as the examples below show.

Page 11: Group 4 SQL Injection - cse.hcmut.edu.vn

SQL INJECTION

• The main problem that makes applications and systems vulnerable to SQL injection is the lack of controls on user-provided input.

• Security controls can help prevent SQL injection by:

- Not allowing unnecessary special characters in query input, so that SQL syntax cannot be abused.

- Not allowing suspicious commands in queries, by whitelisting only the specific instructions the application needs.

- Not giving the user too much freedom, thereby preventing a malicious user from injecting arbitrary code.

• Filtering characters and keywords is a weak control on its own (alternative encodings and syntax get around blocklists); the reliable fix is to keep input out of the SQL code path entirely with parameterized queries, covered under defenses.

Page 12: Group 4 SQL Injection - cse.hcmut.edu.vn

EXAMPLES

How SQL injection works

Page 13: Group 4 SQL Injection - cse.hcmut.edu.vn

REAL WORLD EXAMPLES

• On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using SQL injection attacks.

• In 2008 a sweep of automated attacks began exploiting SQL injection vulnerabilities in web applications running on Microsoft's IIS web server with SQL Server back ends. Over 500,000 sites were compromised.

• In 2021, BKAV (Vietnam) was attacked by an anonymous user, Chungxong, using SQL injection. The incident led to the leak of all of BKAV's codebase and its users' data.

Page 14: Group 4 SQL Injection - cse.hcmut.edu.vn

IMPORTANT SYNTAX

COMMENTS: "--" (everything after it up to the end of the line is ignored; in MySQL the "--" must be followed by a space, and "#" also starts a comment there)

Example: SELECT * FROM `table` -- selects everything; this part is a comment

LOGIC: a tautology such as 'a'='a' is always true

Example: SELECT * FROM `table` WHERE 'a'='a'

MULTI STATEMENTS: S1; S2 (stacked queries; whether more than one statement per call is executed depends on the database and the client library)

Example: SELECT * FROM `table`; DROP TABLE `table`;

Page 15: Group 4 SQL Injection - cse.hcmut.edu.vn

EXAMPLE WEBSITE


Page 16: Group 4 SQL Injection - cse.hcmut.edu.vn

EXAMPLE WEBSITE


Page 17: Group 4 SQL Injection - cse.hcmut.edu.vn

EXAMPLE WEBSITE

Username: timbo317
Password: cse7330

Resulting query: SELECT * FROM `login` WHERE `user`='timbo317' AND `pass`='cse7330'

Page 18: Group 4 SQL Injection - cse.hcmut.edu.vn

LOGIN DATABASE TABLE

What could go wrong?

user      pass
timbo317  cse7330

Page 19: Group 4 SQL Injection - cse.hcmut.edu.vn

EXAMPLE HACK

Username: ' OR 'a'='a
Password: ' OR 'a'='a

Resulting query: SELECT * FROM `login` WHERE `user`='' OR 'a'='a' AND `pass`='' OR 'a'='a';

AND binds tighter than OR, so the condition reads `user`='' OR ('a'='a' AND `pass`='') OR 'a'='a'. The final OR 'a'='a' is always true, so every row of login is returned and the attacker is logged in, typically as the first user in the table.

Page 20: Group 4 SQL Injection - cse.hcmut.edu.vn

IT GETS WORSE!

Username: '; DROP TABLE `login`; --

Resulting query: SELECT * FROM `login` WHERE `user`='';DROP TABLE `login`; --' AND `pass`=''

The single quote closes the username string, the semicolon ends the SELECT, DROP TABLE runs as a second statement, and the comment marker discards the rest of the original query (including the password check), which would otherwise be a syntax error.

Page 21: Group 4 SQL Injection - cse.hcmut.edu.vn

ALL QUERIES ARE POSSIBLE

Any statement the application's database account may run can be injected the same way, for example adding an account or resetting a password:

SELECT * FROM `login` WHERE `user`='';INSERT INTO `login` (`user`,`pass`) VALUES('haxor','whatever');--' AND `pass`=''

SELECT * FROM `login` WHERE `user`='';UPDATE `login` SET `pass`='pass123' WHERE `user`='timbo317';--' AND `pass`=''

Page 22: Group 4 SQL Injection - cse.hcmut.edu.vn

DEMONSTRATION OF SQL INJECTION

Illustrated with a demo: attacking an internet banking application

Page 23: Group 4 SQL Injection - cse.hcmut.edu.vn

DEMO APPLICATION INTERFACE

• Basic login interface

Page 24: Group 4 SQL Injection - cse.hcmut.edu.vn

DEMO APPLICATION INTERFACE

• Try logging in with another user's account

The "access denied" message appears because the password is not known.

Page 25: Group 4 SQL Injection - cse.hcmut.edu.vn

DEMO APPLICATION INTERFACE

• Append a special character (a single quote) to the username

• Log in with the special character in place

• The application returns an unhandled "Unknown Error" message, which shows that the quote reached the SQL parser and broke the query; this error is the attacker's first confirmation that the login form is injectable

• The resulting SQL statement (shown on the slide) has an unterminated string after the extra quote, hence the error

Page 26: Group 4 SQL Injection - cse.hcmut.edu.vn

DEMO APPLICATION INTERFACE

• Try again with the following

Username: typhu' ; --
Password: demo

• The resulting SQL statement (shown on the slide) closes the username string after typhu, ends the statement at the semicolon, and comments out the password check, so the password is never compared

• Login succeeds as user "typhu"

Page 27: Group 4 SQL Injection - cse.hcmut.edu.vn

HOW TO DEFEND AGAINST SQL INJECTION

Some options to protect the database from SQL injection

Page 28: Group 4 SQL Injection - cse.hcmut.edu.vn

DETECTION AND PREVENTION METHODS

• SQL injection attacks arrive on the same port as ordinary web traffic and look like ordinary web requests, for example a login form submission. A conventional network firewall cannot tell them apart, so detecting injection needs additional, application-aware measures.

• Common detection methods

• Check the web server (IIS) logs for suspicious input such as quotes, comment markers and SQL keywords in request parameters

• Check the database for unexpected tables, rows or accounts, and for errors logged by the database engine

• Check the user's input at the application boundary
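What "check the IIS log" looks like in practice: an added example (not from the slides) that parses constructed IIS W3C log lines, URL-decodes each request parameter and scores it against a minimal set of injection signatures. The log lines, the signature set and the weights are assumptions for illustration. IIS logs the query string, not POST bodies, so a form-based login attack is visible this way only if the credentials travel in the URL; otherwise the same check belongs in application logging or a WAF.

```python
"""Signature-based detection of SQL injection attempts in IIS W3C logs.
Added example, not from the slides: the log lines are constructed and the
signatures are a minimal starting set, not a complete ruleset."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed IIS W3C log excerpt (only the fields this check needs).  IIS
# records the query string, never POST bodies, so the login attempts here
# are modelled as GET requests.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-11-02 10:15:01 203.0.113.7 GET /login.aspx user=timbo317&pass=cse7330 200
2021-11-02 10:15:09 203.0.113.7 GET /login.aspx user=typhu%27+%3B+--&pass=demo 200
2021-11-02 10:15:20 203.0.113.7 GET /account.aspx id=1%27%3B+DROP+TABLE+login%3B+-- 500
2021-11-02 10:15:33 198.51.100.4 GET /search.aspx q=O%27Malley 200
2021-11-02 10:15:40 198.51.100.4 GET /login.aspx user=%27+OR+%27a%27%3D%27a&pass=x 200
2021-11-02 10:15:41 198.51.100.4 GET /index.aspx - 200
"""

# (name, pattern, weight): applied to the decoded parameter value.  A lone
# quote is weighted low on purpose: O'Malley is legitimate input (page 32).
SIGNATURES = [
    ("comment", re.compile(r"--|/\*|#"), 2),
    ("stacked", re.compile(r";\s*(drop|insert|update|delete|alter|exec)\b", re.I), 3),
    ("tautology", re.compile(r"\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I), 3),
    ("union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), 3),
    ("quote", re.compile(r"'"), 1),
]
THRESHOLD = 3


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        # W3C fields never contain spaces (they are +-encoded), so a plain
        # split is safe.
        yield dict(zip(fields, raw.split(" ", len(fields) - 1)))


def score_value(value):
    """Return (score, [matched signature names]) for one decoded value."""
    hits = [name for name, rx, _ in SIGNATURES if rx.search(value)]
    score = sum(weight for name, _, weight in SIGNATURES if name in hits)
    return score, hits


def detect(text, threshold=THRESHOLD):
    """Return flagged (client ip, uri-stem, parameter, decoded value, hits)."""
    findings = []
    for entry in parse_w3c(text):
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decoding again catches %2527-style
            # double encoding aimed at signature filters.
            decoded = unquote_plus(value)
            score, hits = score_value(decoded)
            # A server error right after quoted input is the same signal the
            # attacker used on page 25; count it as corroboration.
            if entry.get("sc-status") == "500" and "quote" in hits:
                score, hits = score + 1, hits + ["error-500"]
            if score >= threshold:
                findings.append((entry["c-ip"], entry["cs-uri-stem"],
                                 name, decoded, hits))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Three of the five parameterised requests are flagged; the O'Malley search is not, because a single quote on its own only reaches a score of 1. Signature matching of this kind is a detection aid, not a control: it misses attacks that use syntax the patterns do not cover, so it complements, rather than replaces, parameterized queries in the code.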

Page 29: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENSIVE SOLUTION

• Defending against SQL injection at code level

• Input validation

• Character encoding and escaping

• Parameterized queries

• Secure coding practices

Page 30: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Input validation

Page 31: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Parameterized queries: the SQL statement is sent to the database with placeholders in place of the values, and the values are supplied separately when the statement is executed. The database parses the statement structure before it ever sees the data, so it can distinguish code from input data, and user input can never change the query's structure.

Page 32: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Character encoding and escaping: escaping is the fallback for the places where parameterization cannot be applied. Legitimate data can contain the very characters an attacker relies on: surnames such as O'Malley or O'Brian contain an apostrophe, which is encoded as a single quote, the SQL string delimiter. Rejecting quotes outright is therefore not an option; the quote has to be escaped with the database's own escaping routine (or, better, passed as a parameter).
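The two code-level defenses above in working form, as an added example (not code from the slides or the demo repository): a parameterized login query against the page 18 table, the O'Malley case handled without any escaping, and an allowlist for the one input a parameter cannot carry, a column name in ORDER BY. The display_name column, the second account and the sort feature are assumed for illustration.

```python
"""Hardened login: bound parameters for data, an allowlist for the one
input that cannot be a parameter (an identifier).  Added example, not code
from the slides or the demo repository: the `login` table follows page 18;
the display_name column, the second account and the sort feature are
constructed for illustration."""
import sqlite3

# The only column names the sort feature may interpolate into SQL.
ALLOWED_SORT_COLUMNS = {"user", "display_name"}


def make_db():
    con = sqlite3.connect(":memory:")
    # Passwords are stored in clear only to mirror the slide's table; real
    # code stores a salted password hash and compares against that.
    con.execute("CREATE TABLE login (user TEXT, pass TEXT, display_name TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?, ?)", [
        ("timbo317", "cse7330", "Tim"),
        ("omalley", "pw1", "O'Malley"),   # legitimate apostrophe (page 32)
    ])
    con.commit()
    return con


def safe_login(con, user, password):
    """The SQL text is fixed; values travel as bound parameters, so a quote or
    a semicolon in `user` is compared as data and never parsed as SQL."""
    row = con.execute(
        "SELECT user FROM login WHERE user = ? AND pass = ?", (user, password)
    ).fetchone()
    return row[0] if row else None


def find_by_display_name(con, name):
    # No escaping needed: the apostrophe in O'Malley is just a byte in a value.
    return [r[0] for r in con.execute(
        "SELECT user FROM login WHERE display_name = ?", (name,))]


def list_users(con, sort_by):
    """Identifiers cannot be bound as parameters, so ORDER BY takes an
    allowlisted column name and anything else is rejected before any SQL."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [r[0] for r in con.execute(f"SELECT user FROM login ORDER BY {sort_by}")]


def demo():
    """Run the page 19/20/26 payloads against the hardened code."""
    con = make_db()
    out = {
        "valid": safe_login(con, "timbo317", "cse7330"),
        "tautology": safe_login(con, "' OR 'a'='a", "' OR 'a'='a"),
        "comment": safe_login(con, "timbo317' ; --", "x"),
        "stacked": safe_login(con, "'; DROP TABLE login; --", ""),
        "apostrophe": find_by_display_name(con, "O'Malley"),
        "sorted": list_users(con, "user"),
    }
    try:
        list_users(con, "user; DROP TABLE login")
        out["identifier_rejected"] = False
    except ValueError:
        out["identifier_rejected"] = True
    out["table_intact"] = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'login'").fetchone()[0] == 1
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every payload that succeeded against the concatenated query now simply fails to match a row, and the table survives, because the database compiled the statement before the values arrived. The allowlist is the part people forget: table and column names, sort directions and LIMIT counts are not bindable in most drivers, so they must come from a fixed set in the code, never from the request.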

Page 33: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Secure coding practices: in most cases, the root of an application's security problems lies in the design and development phase. Published coding standards that address injection include:

- OWASP SAMM
- SEI CERT C++ Coding Standard
- SEI CERT Oracle Coding Standard for Java
- SEI CERT standards for C, Perl and Android

Page 34: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENDING AGAINST SQL INJECTION – CODE-LEVEL

• Managing sensitive data securely

• Introducing additional abstraction layers

• Stored procedures

Page 35: Group 4 SQL Injection - cse.hcmut.edu.vn

DEFENDING AGAINST SQL INJECTION – PLATFORM LEVEL

• Web application firewalls

• Application intrusion detection systems (IDS/IPS)

• Database firewalls: the last firewall we consider is the database firewall. A database firewall is basically a proxy server positioned between the application and its database that inspects the queries sent to the database and can block those that do not match the expected patterns.

• Protecting the database server:

• Patching

• Enforcing authentication and monitoring controls

• Preventing Google (and other search engine) hacking: keeping error pages and vulnerable endpoints out of search engine indexes

Page 36: Group 4 SQL Injection - cse.hcmut.edu.vn


SOURCE CODE DEMO

Github: https://github.com/tquangsdh20/demo_sql_injection