SQL Injection: From Basics To Botnet-Based Attack Automation

Size: px

Start display at page:

Download "SQL Injection: From Basics To Botnet-Based Attack Automation"

Philomena Lamb
6 years ago
Views:

1 SQL Injection: From Basics To Botnet-Based Attack Automation Neil Daswani June 2008

2 Is the sky falling? ( 2007 TJX (March owns TJ Maxx, Marshalls, and other dept stores attacks exploited WEP used at branches over 47 million credit card (CC) #s dating back to 2002 ( 2005 CardSystems (June credit card payment processing company: out of business 263,000 CC #s stolen from database via SQL Injection 43 million CC #s stored unencrypted / compromised Enter sql injection on news.google.com for more... Additional Data Theft:

3 Why Should I Care? Compliance SOX, PCI, HIPPA, etc Data Breach Laws Social responsibility Reputation / Revenue Expense per lost or stolen record Credit monitoring Lawsuits

4 Cybercriminal Goals End goal: $$$ Average Attacker Profile: yesterday: teenager looking for fame today: organized crime Intermediate goals: (. etc Data Theft (Identity, credit cards, (. etc Extortion (denial-of-service, blackmail, (. etc Malware distribution (drive-by-downloads, Example: RBN (Russian Business Network): responsible for Storm, MalwareAlarm, much more...

5 Cybercrime Pseudo-Goals

6 OWASP Top 10

7 SQL Injection Example Web Browser Web Server Database Username & Password Normal Query SELECT passwd FROM USERS WHERE uname IS $username

8 QL Injection Example Attacker Provides This Input

9 QL Injection Example Web Browser Username & Password Web Server Malicious Query SELECT passwd FROM USERS WHERE uname IS ; DROP TABLE USERS; -- ' Database Eliminates all user accounts

11 Innovative Injection Attacks It is not just about web applications: Airline boarding passes Malicious credit card merchants

12 QL Injection Example View pizza order history:<br br> <form method="post" action="..."> Month <select> <option name="month" value="1"> Jan</option>... <option name="month" value="12"> Dec</option> </select> <p> <input type=submit name=submit value=view> </form>

13 QL Injection Example Normal SQL Query SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10 Type 2 For order_month parameter, attacker could Attack input 0 OR 1=1 Malicious Query WHERE userid=4123 WHERE condition is always true! Gives attacker access to other users private data! <option name="month" value= 0 OR 1=1"> Dec</option>

14 QL Injection Example All User Data Compromised

15 QL Injection Example A more damaging breach of user privacy: For order_month parameter, attacker could input: 0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards Attacker is able to Combine the results of two queries Empty table from first query with the sensitive credit card info of all users from second query

16 QL Injection Example Credit Card Info Compromised

17 Where You Can Learn More The Ultimate Online Software Security Course What Every Developer Needs to Know 9 Hours / Six modules for only $249! Online multimedia experience Presented by Neil Daswani, Ph.D. Free copy of Neil's book included NO Shipping Charges!

18 Log keystrokes, DoS, etc. Building Botnets with SQL Injection Attacker Query for vulnerable sites Search Engine Inject malicious Javascript/ActiveX Target ( Site(s User View Page What do you want to do today? Get Infected: Drive-by-download

19 Preventing SQL Injection Whitelisting Why? Blacklisting chars doesn t work: Doesn t prevent many attacks Forget to filter out some characters ( O Brien Could prevent valid input (e.g. username Allow well-defined set of safe values via reg ex: [A-Za-z0-9]* [0-1][0-9] Can be implemented in a web application firewall ( mod_security (e.g., Escaping For valid string inputs like username o connor, use escape characters. Ex: escape(o connor) = o connor

20 Prepared Statements & Bind Variables reparedstatement ps = db.preparestatement( "SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=? AND order_month=?"); s.setint(1, session.getcurrentuserid()); s.setint(2, Integer.parseInt( request.getparameter("month"))) esultset res = ps.executequery(); query parsed w/o parameters bind variables are typed e.g. int, string, etc * Bind Variables: Data Placeholders

21 Web Application Firewalls ( WAF ) Without a WAF: Webserver With a WAF: WAF Webserver

22 Web Application Firewalls Can prevent some attacks ModSecurity Core Rule Example:: SecRule REQUEST_FILENAME ARGS "\b(?:user_(?:(?:object table user)s password group) a(?:tt(?:rel typ)id ll_objects) object_(?:(?:nam ty p)e id) pg_(?:attribute class) column_(?:name id) su bstr(?:ing)? table_name mb_users rownum)\b" \ capture,t:htmlentitydecode,t:lowercase,t:replacecomm ents,ctl:auditlogparts=+e,log,auditlog,msg:'sql Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2' Can develop application-specific rules as well

23 Additional Mitigations What else helps? ( Defense-in-Depth ) Limit Privileges Harden DB Server and Host OS What else do I need to learn about SQL Injection? Second Order SQL Injection Blind SQL Injection

24 Trends In the second half of 2007, 58 percent of all vulnerabilities affected Web applications Symantec better to compromise a specific popular site with a single vulnerability Symantec 80% of sites hosting malware are legitimate sites that have been hacked -- Sophos Today over 70% of attacks against a company s web site or web application come at the application layer not the network or the system layer. -- Gartner

25 Where to learn more Foundations of Security: What Every Programmer Needs To Know (Daswani / Kern / Kesavan)

26 Where to learn more The Ultimate Online Software Security Course: Secure Design and Principles Worms and Malware Client-State Manipulation SQL Injection Cross-Domain Attacks Password Security Cryptography: Symmetric, Public-Key Hashing, Digital Signatures, Key Mgmt

27 To conclude... Software and database security is everyone's problem! To learn more visit:

SQL Injection SPRING 2018: GANG WANG

SQL Injection SPRING 2018: GANG WANG SQL Injection Another reason to validate user input data Slides credit to Neil Daswani and Adam Doupé 2 3 http://xkcd.com/327/ Produce More Secure Code Operating system