WEB SECURITY: SQL INJECTION
CMSC 414, University of Maryland
Feb 15 2018
A very basic web architecture

Client                      Server
Browser  <----->  Web server  <----->  Database
                                        (Private) Data

The DB is a separate entity, logically (and often physically).
SQL security
Databases

• Provide data storage & data manipulation
• Database designer lays out the data into tables
• Programmers query the database
• Database Management Systems (DBMSes) provide
  • semantics for how to organize data
  • transactions for manipulating data sanely
  • a language for creating & querying data, and APIs to interoperate with other languages
  • management via users & permissions
Databases: basics

Users

| Name    | Gender | Age | Email             | Password |
|---------|--------|-----|-------------------|----------|
| Dee     | F      | 28  | dee@pp.com        | j3i8g8ha |
| Mac     | M      | 7   | bouncer@pp.com    | a0u23bt  |
| Charlie | M      | 32  | [email protected] | 0aergja  |
| Dennis  | M      | 28  | [email protected] | 1bjb9a93 |
| Frank   | M      | 57  | [email protected] | ziog9gga |

Terminology: the whole grid is a table; “Users” is the table name; each vertical field (Name, Gender, Age, Email, Password) is a column; each horizontal entry (for example Dee’s) is a row (record).
Database transactionsTransactions are the unit of work on a database
![Page 21: WEB SECURITY: SQL INJECTION - University Of Maryland · SQL (Standard Query Language) Users Name Gender Age Email Password Dee F 28 dee@pp.com j3i8g8ha Mac M 7 bouncer@pp.com a0u23bt](https://reader036.vdocument.in/reader036/viewer/2022081612/5f2370b518e73d65494dad20/html5/thumbnails/21.jpg)
Database transactionsTransactions are the unit of work on a database
“Deduct $100 from Alice; Add $100 to Bob”
“Give me everyone in the User table who is listed as taking CMSC414 in the Classes table”
![Page 22: WEB SECURITY: SQL INJECTION - University Of Maryland · SQL (Standard Query Language) Users Name Gender Age Email Password Dee F 28 dee@pp.com j3i8g8ha Mac M 7 bouncer@pp.com a0u23bt](https://reader036.vdocument.in/reader036/viewer/2022081612/5f2370b518e73d65494dad20/html5/thumbnails/22.jpg)
Database transactionsTransactions are the unit of work on a database
“Deduct $100 from Alice; Add $100 to Bob”
“Give me everyone in the User table who is listed as taking CMSC414 in the Classes table” 2 reads
2 writes
![Page 23: WEB SECURITY: SQL INJECTION - University Of Maryland · SQL (Standard Query Language) Users Name Gender Age Email Password Dee F 28 dee@pp.com j3i8g8ha Mac M 7 bouncer@pp.com a0u23bt](https://reader036.vdocument.in/reader036/viewer/2022081612/5f2370b518e73d65494dad20/html5/thumbnails/23.jpg)
Database transactionsTransactions are the unit of work on a database
“Deduct $100 from Alice; Add $100 to Bob”
“Give me everyone in the User table who is listed as taking CMSC414 in the Classes table”
1 transaction2 reads
2 writes
![Page 24: WEB SECURITY: SQL INJECTION - University Of Maryland · SQL (Standard Query Language) Users Name Gender Age Email Password Dee F 28 dee@pp.com j3i8g8ha Mac M 7 bouncer@pp.com a0u23bt](https://reader036.vdocument.in/reader036/viewer/2022081612/5f2370b518e73d65494dad20/html5/thumbnails/24.jpg)
Database transactions
• Typically want ACID transactions • Atomicity: Transactions complete entirely or not at all • Consistency: The database is always in a valid state
(but not necessarily correct) • Isolation: Results from a transaction aren’t visible
until it is complete • Durability: Once a transaction is committed, it
remains, despite, e.g., power failures
Transactions are the unit of work on a database
“Deduct $100 from Alice; Add $100 to Bob”
“Give me everyone in the User table who is listed as taking CMSC414 in the Classes table”
1 transaction2 reads
2 writes
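The two-write transfer above, carried through as one transaction so that atomicity is visible. This is an added example, not code from the lecture: it uses Python's built-in sqlite3 module on an in-memory database, and the Accounts table, its CHECK constraint and the starting balances are constructed for the example.

```python
"""Added example (not from the lecture): "Deduct $100 from Alice; Add $100 to Bob"
as one ACID transaction on an in-memory sqlite3 database. The Accounts table,
its non-negative-balance constraint and the two balances are constructed here."""
import sqlite3


def open_bank() -> sqlite3.Connection:
    """Create the constructed Accounts table with two sample balances."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Accounts (owner TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    db.executemany("INSERT INTO Accounts VALUES (?, ?)", [("Alice", 150), ("Bob", 20)])
    db.commit()
    return db


def transfer(db: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from src to dst as a single transaction (two writes, one unit of work).

    The credit is written first on purpose: if the debit then violates the
    CHECK constraint, the whole transaction is rolled back and the credit is
    undone too, so neither balance changes (atomicity).
    """
    try:
        with db:  # BEGIN ... COMMIT on success, ROLLBACK if an exception escapes
            db.execute("UPDATE Accounts SET balance = balance + ? WHERE owner = ?", (amount, dst))
            db.execute("UPDATE Accounts SET balance = balance - ? WHERE owner = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:  # CHECK constraint failed: src would go negative
        return False


def balances(db: sqlite3.Connection) -> dict:
    """Current balances as {owner: balance}."""
    return dict(db.execute("SELECT owner, balance FROM Accounts ORDER BY owner"))


if __name__ == "__main__":
    bank = open_bank()
    print(transfer(bank, "Alice", "Bob", 100), balances(bank))  # True {'Alice': 50, 'Bob': 120}
    print(transfer(bank, "Alice", "Bob", 100), balances(bank))  # False, balances unchanged
```

The second call fails on the debit, and the rollback also removes the credit that had already been written, which is exactly the "entirely or not at all" property the slide names.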
SQL (Standard Query Language)

Against the Users table above:

SELECT Age FROM Users WHERE Name='Dee';                        (result: 28)
UPDATE Users SET email='[email protected]' WHERE Age=32;  -- this is a comment
INSERT INTO Users Values('Frank', 'M', 57, ...);
DROP TABLE Users;
Server-side code

“Login code” (PHP) on the website:

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

Suppose you successfully log in as $user if this query returns any rows whatsoever.

How could you exploit this?
SQL injection

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

Enter as the user name:  frank' OR 1=1); --

The query becomes:

$result = mysql_query("select * from Users where(name='frank' OR 1=1); -- ' and password='x');");

Can chain together statements with a semicolon: STATEMENT 1 ; STATEMENT 2

Enter as the user name:  frank' OR 1=1); DROP TABLE Users; --

The query becomes:

$result = mysql_query("select * from Users where(name='frank' OR 1=1); DROP TABLE Users; -- ' and password='whocares');");
• SQL injection
• Buffer “errors”
• XSS
• CSRF
SQL injection countermeasures

Blacklisting: delete the characters you don’t want
• '
• --
• ;
• Downside: “Peter O’Connor”
  • You want these characters sometimes!
  • How do you know if/when the characters are bad?
1. Whitelisting
• Check that the user-provided input is in some set of values known to be safe
  • e.g., an integer within the right range
• Given an invalid input, better to reject than to fix
  • “Fixes” may introduce vulnerabilities
  • Principle of fail-safe defaults
• Downside: um.. names come from a well-known dictionary?
2. Escape characters
• Escape characters that could alter control
  • ' ⇒ \'
  • ; ⇒ \;
  • - ⇒ \-
  • \ ⇒ \\
• Hard by hand, but there are many libs & methods
  • magic_quotes_gpc = On
  • mysql_real_escape_string()
• Downside: sometimes you want these in your SQL!
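The three input-handling countermeasures on these slides (blacklisting, whitelisting, escaping) written as small functions, so the downsides the slides name can be seen on concrete inputs. This is an added example, not the lecture's code: the age range, the name alphabet and the sample strings are assumptions, and the escaping rule is SQL's standard doubling of single quotes rather than PHP's mysql_real_escape_string().

```python
"""Added example (not from the lecture): blacklisting, whitelisting and escaping
as pure functions. AGE_RANGE, NAME_PATTERN and the sample inputs are assumptions."""
import re

# --- Blacklisting: delete the characters you don't want ( '  --  ; ) ---------
def blacklist_strip(value: str) -> str:
    """Lossy: legitimate input such as "Peter O'Connor" is silently mangled."""
    return value.replace("--", "").replace(";", "").replace("'", "")


# --- Whitelisting: accept only values known to be safe; reject, never "fix" ---
AGE_RANGE = range(0, 150)                                  # assumed plausible ages
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' \-]{0,63}")   # assumed name alphabet


def whitelist_age(value: str) -> int:
    """An integer within the right range; anything else is rejected (fail-safe)."""
    if not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValueError(f"rejected age: {value!r}")
    age = int(value)
    if age not in AGE_RANGE:
        raise ValueError(f"age out of range: {age}")
    return age


def whitelist_name(value: str) -> str:
    """Names have no closed dictionary, but their alphabet can be whitelisted."""
    if not NAME_PATTERN.fullmatch(value):
        raise ValueError(f"rejected name: {value!r}")
    return value


# --- Escaping: keep the characters but neutralise their control meaning -------
def escape_sql_literal(value: str) -> str:
    """Render a string as a SQL literal by doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def is_accepted(checker, value: str) -> bool:
    """True if the whitelist function accepts the value, False if it rejects it."""
    try:
        checker(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit, payload = "Peter O'Connor", "frank' OR 1=1); --"   # constructed inputs
    print(blacklist_strip(legit))                    # Peter OConnor  (mangled)
    print(is_accepted(whitelist_name, legit), is_accepted(whitelist_name, payload))
    print(is_accepted(whitelist_age, "28"), is_accepted(whitelist_age, "28 OR 1=1"))
    print(escape_sql_literal(legit), escape_sql_literal(payload))
```

Blacklisting destroys the legitimate name. Whitelisting by character class answers the slide's question about names (there is no dictionary, but there is an alphabet) and rejects the slide's payload, yet it still admits the apostrophe, so it bounds the input without making the query safe by itself. Escaping keeps the apostrophe and turns it into data, but only if every interpolation point is escaped consistently; the prepared statements of countermeasure 3 remove that burden.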
The underlying issue

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

• This one string combines the code and the data
• Similar to buffer overflows: when the boundary between code and data blurs, we open ourselves up to vulnerabilities

Parse tree of the query:

select
├── *
├── from: Users
└── where: and
    ├── = (name, $user)
    └── = (password, $pass)

$user and $pass are substituted into the string before it is parsed, so attacker-controlled text becomes part of the tree instead of staying a leaf value.
SQL injection countermeasures

3. Prepared statements & bind variables

Key idea: decouple the code and the data.

Instead of

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

write

$db = new mysqli("localhost", "user", "pass", "DB");   // mysqli (not "mysql"): the extension that provides prepare()
$statement = $db->prepare("select * from Users where(name=? and password=?);");
$statement->bind_param("ss", $user, $pass);            // bind variables; "ss" types both as strings
$statement->execute();

• The ? placeholders are bind variables
• Bind variables are typed
• Decoupling lets us compile now, before binding the data
The underlying issue, revisited

$statement = $db->prepare("select * from Users where(name=? and password=?);");

select
├── *
├── from: Users
└── where: and
    ├── = (name, ?)       <- $user is bound here
    └── = (password, ?)   <- $pass is bound here

Prepare is only applied to the leaves, so the structure of the tree is fixed.
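The login query from the slides run both ways, by string splicing as in the vulnerable PHP and as a prepared statement with bound parameters, serving both the injection walkthrough and countermeasure 3. This is an added example, not the lecture's code: it uses Python's built-in sqlite3 module on an in-memory copy of the Users table, with placeholder addresses for the three e-mails the page redacts.

```python
"""Added example (not the lecture's PHP): the slide's login query executed with
user input spliced into the SQL text versus bound as a parameter, on an
in-memory sqlite3 copy of the Users table. Placeholder e-mails are used where
the page redacts them."""
import sqlite3

USERS = [  # Users table as shown in the lecture; constructed placeholders for redacted e-mails
    ("Dee", "F", 28, "dee@pp.com", "j3i8g8ha"),
    ("Mac", "M", 7, "bouncer@pp.com", "a0u23bt"),
    ("Charlie", "M", 32, "charlie@example.invalid", "0aergja"),
    ("Dennis", "M", 28, "dennis@example.invalid", "1bjb9a93"),
    ("Frank", "M", 57, "frank@example.invalid", "ziog9gga"),
]


def open_db() -> sqlite3.Connection:
    """Build the Users table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Name TEXT, Gender TEXT, Age INTEGER, Email TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?)", USERS)
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> list:
    """The slide's pattern: input is spliced into the SQL text, so the parser
    sees it as code. Mirrors mysql_query("... name='$user' and password='$pass' ...")."""
    query = f"select * from Users where(name='{user}' and password='{password}');"
    return db.execute(query).fetchall()


def login_prepared(db: sqlite3.Connection, user: str, password: str) -> list:
    """Countermeasure 3: the query is compiled with ? placeholders and the values
    are bound afterwards as data, so they can only ever fill a leaf of the tree."""
    query = "select * from Users where(name=? and password=?);"
    return db.execute(query, (user, password)).fetchall()


def logged_in(rows: list) -> bool:
    """The slide's (weak) rule: any returned row counts as a successful login."""
    return len(rows) > 0


if __name__ == "__main__":
    db = open_db()
    payload = "frank' OR 1=1); --"                          # the user-name value from the slides
    print(logged_in(login_vulnerable(db, payload, "x")))    # True: the OR 1=1 matches every row
    print(logged_in(login_prepared(db, payload, "x")))      # False: no user has that literal name
    print(logged_in(login_prepared(db, "Dee", "j3i8g8ha"))) # True: a genuine credential
```

With the spliced query the slide's input matches all five rows and the "any row means logged in" rule accepts it; the prepared query compares the whole string as a literal Name and returns nothing, while the genuine credential still works. sqlite3's execute() refuses a second statement, so the slide's DROP TABLE chain raises ProgrammingError here instead of running; whether stacked statements execute is a property of the driver (PHP's mysql_query() likewise sends a single statement), not a defense to rely on.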
Mitigating the impact

• Limit privileges
  • Can limit commands and/or tables a user can access
    - Allow SELECT queries on Orders_Table but not on Creditcards_Table
  • Follow the principle of least privilege
  • Incomplete fix, but helpful
• Encrypt sensitive data stored in the database
  • May not need to encrypt Orders_Table
  • But certainly encrypt Creditcards_Table.cc_numbers
FOLLOWUP READING