Mano ‘dash4rk’ Paul
CISSP, CSSLP, AMBCI, MCAD, MCSD, CompTIA Network+, ECSA
SQL Injection & Soul Injection attacks
ABC’s about me --
• Author
  – The 7 Qualities of Highly Secure Software
  – The Official (ISC)2 Guide to the CSSLP
• Advisor
  – Software Assurance Advisor
• Biologist
  – Shark Researcher – Bimini Islands, Bahamas
• Christian
• CEO
  – SecuRisk Solutions / Express Certifications
www.hackformers.org
Agenda
• Teach Security (SQL Injection)
• Teach Christ (Soul Injection)
• Teach Security In Christ (Discussion)
SQL Injection
Teach Security
Going down memory lane
Problem on the rise
• OWASP Top 10 rankings
  – 6th (2004)
  – 2nd (2007)
  – 1st (2010)
No(thing/ one) is safe
Is this still a problem?
So what is SQL Injection?
• An attack where the attacker supplies input that is concatenated with the application's internal SQL commands and executed as part of them.
SQL Command + User Input(s) → SQL Command(s)
The Hacker
• Attempts to exploit vulnerabilities and execute their own commands within your application
• Seeks control upon compromise
Tell me, and I’ll forget. Show me, and I may remember. Involve me, and I’ll understand.
DEMO
Root Cause Analysis
• External: Input not handled properly
• Internal: Dynamic Query Construction

```csharp
string _sQry = "SELECT * FROM USERS WHERE uname = '" + txtUserName.Text + "' AND pwd = '" + txtPassword.Text + "'";
```

Attacker supplies `' OR 1=1 --`, so the query that is built becomes:

```csharp
string _sQry = "SELECT * FROM USERS WHERE uname = '' OR 1=1 -- ' AND pwd = '" + txtPassword.Text + "'";
```
Impact
• Theft / Disclosure (Confidentiality)
  – `' UNION SELECT min(uname) '', '' FROM USERS, WHERE uname > 'a' --`
• Alteration (Integrity)
  – `'; UPDATE USERS SET pwd = 'h@x0r' WHERE uname = 'administrator' --`
• Destruction / DoS (Availability)
  – `'; DROP TABLE USERS --`
Mitigation Controls
• Handle Input
  – Replace Quotes
  – Validate (Format, Length, Range, Type)
  – Filter (Blacklist / Whitelist)
• Error/Exception Handling
  – Laconic messages
  – Catch all exceptions
  – Don’t show the Error
Mitigation Controls (Continued)
• Implement Least Privilege
  – Reader/writer accounts instead of database owner (dbo)
  – Remove unneeded functions/procedures
  – Harden the database server
• Re-architect the Application
  – Change the way the application processes input
Re-architect the Application
• Disallow dynamic query construction
• Use parameterized procedures/statements
• Use Language Integrated Query (LINQ) (if supported)
Parameterization renders ineffective any input that would otherwise be concatenated into SQL commands: bound values are treated strictly as data, never as SQL text.
This is the BEST defense against SQL Injection
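As an added example (not the author's code) covering both the Root Cause slide and this one, here is the vulnerable `_sQry` concatenation next to its parameterized replacement, run against an in-memory SQLite table so the difference can be observed; the USERS rows and the whitelist pattern are constructed for the demo, and the `' OR 1=1 --` input is the one from the Root Cause slide.

```python
import re
import sqlite3

# Constructed sample rows standing in for the slide's USERS table (not from the deck).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("administrator", "adm1n")]
# Constructed whitelist for the "Validate (Format, Length, Type)" control.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """In-memory SQLite database holding the USERS(uname, pwd) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, uname, pwd):
    """Vulnerable: the slide's _sQry built by concatenation; input is parsed as SQL text."""
    query = ("SELECT * FROM USERS WHERE uname = '" + uname
             + "' AND pwd = '" + pwd + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, uname, pwd):
    """Hardened: fixed statement text; values are bound as data, never parsed as SQL."""
    query = "SELECT * FROM USERS WHERE uname = ? AND pwd = ?"
    return conn.execute(query, (uname, pwd)).fetchall()


def validate_username(uname):
    """Secondary control: whitelist format and length (defence in depth, not a substitute)."""
    return USERNAME_RE.fullmatch(uname) is not None


def demo():
    """Run a legitimate login and the slide's attacker input through both query builders."""
    conn = make_db()
    payload = "' OR 1=1 --"  # attacker input from the Root Cause slide
    return {
        "legit_concat": len(login_concatenated(conn, "alice", "s3cret")),
        "legit_param": len(login_parameterized(conn, "alice", "s3cret")),
        "payload_concat": len(login_concatenated(conn, payload, "x")),  # every row: 3
        "payload_param": len(login_parameterized(conn, payload, "x")),  # no rows: 0
        "payload_passes_whitelist": validate_username(payload),          # False
    }
```

The concatenated query returns every row because `--` comments out the password check, while the parameterized query searches for a user literally named `' OR 1=1 --` and finds none.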
Soul Injection
Teach Christ
What is Soul Injection?
• An attack where the devil supplies temptations that get concatenated with our internal commands and get executed.
The attacker
• Devil a.k.a. Satan, attempts to exploit human weaknesses and execute his own commands within your life
• Seeks control upon compromise
Satan, the attacker, is like a roaring lion, seeking whom he may devour (1 Peter 5:8)
Since the beginning of time
• In the Garden of Eden, through time till
• Today and still rising …
Satan, the attacker, has blinded the minds of many, lest they see the glorious light of the Gospel in Jesus Christ (2 Corinthians 4:4)
No one is safe
• Irrespective of race, color, sex, age, nationality, or even religion.
All have sinned and have fallen short of the glory of God (Romans 3:23)
The wages of sin is death (Romans 6:23)
Root Cause Analysis
• External: Not handling temptations properly
  – Sin is crouching at your door, don’t let it master you (Genesis 4:7)
• Internal: Conceived in sin (the way we are architected)
  – Each person is tempted when he is lured and enticed by his own desire (Psalm 51:5, James 1:14-15; ESV)
Impact
• Theft / Disclosure (Confidentiality)
  – The thief (devil) cometh not, but for to steal, and to kill, and to destroy: I (Jesus) have come so that you might have life, and that you might have it more abundantly (John 10:10)
• Alteration (Integrity)
  – The devil is the father of lies (John 8:44) who alters the truth
• Destruction / DoS (Availability)
  – Then desire when it (desire) has conceived (concatenated with temptation) gives birth to sin (action), and sin when it is fully grown brings forth death (destruction) (James 1:15)
  – No man can serve 2 masters (Matthew 6:24); DoS to God
Mitigating Controls
• Handle Temptation
  – Replace / Validate / Filter
• Be laconic
  – Let your ‘Yes’ be ‘Yes’ and your ‘No’ be ‘No’; all else beyond this is from the evil one (Matthew 5:37)
• Implement least privilege
  – Be humble, putting on the mind of Christ (Philippians 2:5-8)
The Control
• Re-architect your life
  – Change the way you handle temptation; repent and disallow responses to temptation input
  – Store inside of you the Holy Spirit of Jesus Christ, who is given to all who believe in his Name.
The Holy Spirit will help you render ineffective all temptations and he will help you handle them.
THE BEST (and only) DEFENSE against SOUL INJECTION is JESUS CHRIST
Points to Ponder
Teach Security In Christ
Discussion Points
• How are you defending your soul against injection attacks by Satan (the attacker)?
All who call on the name of the Lord Jesus Christ shall be saved (Joel 2:32)
Closing Thoughts
```
try {
    if (uLikedThisPresentationAndMtg) {
        subscribeViaEmail();
        followAndTweet();   // @hackformers
        getLinkedIn();
        emailUs();          // [email protected]
    } else {
        giveFeedback();     // [email protected]
    }
} catch (Temptations t) {
    applyControl(God JesusChrist);
} finally {
    ThankUandGodBless();
}
```
References
Backup