SQL Injection Attacks and Defense


Justin Clarke, Lead Author and Technical Editor
Rodrigo Marcos Alvarez, Dave Hartley, Joseph Hemler, Alexander Kornbrust, Haroon Meer, Gary O'Leary-Steele, Alberto Revelli, Marco Slaviero, Dafydd Stuttard

Chapter 1  What Is SQL Injection?  1
  Introduction  2
  Understanding How Web Applications Work  2
  A Simple Application Architecture  4
  A More Complex Architecture  5
  Understanding SQL Injection  6
  High-Profile Examples  10
  Understanding How It Happens  13
  Dynamic String Building  13
  Incorrectly Handled Escape Characters  14
  Incorrectly Handled Types  15
  Incorrectly Handled Query Assembly  17
  Incorrectly Handled Errors  18
  Incorrectly Handled Multiple Submissions  19
  Insecure Database Configuration  21
  Summary  24
  Solutions Fast Track  24
  Frequently Asked Questions  26

Chapter 2  Testing for SQL Injection  29
  Introduction  30
  Finding SQL Injection  30
  Testing by Inference  31
  Identifying Data Entry  31
  GET Requests  31
  POST Requests  32
  Other Injectable Data  35
  Manipulating Parameters  36
  Information Workflow  39
  Database Errors  40
  Commonly Displayed SQL Errors  41
  Microsoft SQL Server Errors  41
  MySQL Errors  46
  Oracle Errors  49
  Application Response  51
  Generic Errors  51
  HTTP Code Errors  54
  Different Response Sizes  55
  Blind Injection Detection  56
  Confirming SQL Injection  60
  Differentiating Numbers and Strings  61
  Inline SQL Injection  62
  Injecting Strings Inline  62
  Injecting Numeric Values Inline  65
  Terminating SQL Injection  68
  Database Comment Syntax  69
  Using Comments  70
  Executing Multiple Statements  74
  Time Delays  79
  Automating SQL Injection Discovery  80
  Tools for Automatically Finding SQL Injection  81
  HP WebInspect  81
  IBM Rational AppScan  83
  HP Scrawlr  85
  SQLiX  87
  Paros Proxy  88
  Summary  91
  Solutions Fast Track  91
  Frequently Asked Questions  93

Chapter 3  Reviewing Code for SQL Injection  95
  Introduction  96
  Reviewing Source Code for SQL Injection  96
  Dangerous Coding Behaviors  98
  Dangerous Functions  105
  Following the Data  109
  Following Data in PHP  110
  Following Data in Java  114
  Following Data in C#  115
  Reviewing PL/SQL and T-SQL Code  117
  Automated Source Code Review  124
  Yet Another Source Code Analyzer (YASCA)  125
  Pixy  126
  AppCodeScan  127
  LAPSE  127
  Security Compass Web Application Analysis Tool (SWAAT)  128
  Microsoft Source Code Analyzer for SQL Injection  128
  Microsoft Code Analysis Tool .NET (CAT.NET)  129
  Commercial Source Code Review Tools  129
  Ounce  131
  Source Code Analysis  131
  CodeSecure  132
  Summary  133
  Solutions Fast Track  133
  Frequently Asked Questions  135

Chapter 4  Exploiting SQL Injection  137
  Introduction  138
  Understanding Common Exploit Techniques  139
  Using Stacked Queries  141
  Identifying the Database  142
  Non-Blind Fingerprint  142
  Banner Grabbing  144
  Blind Fingerprint  146
  Extracting Data through UNION Statements  148
  Matching Columns  149
  Matching Data Types  151
  Using Conditional Statements  156
  Approach 1: Time-based  157
  Approach 2: Error-based  159
  Approach 3: Content-based  161
  Working with Strings  161
  Extending the Attack  163
  Using Errors for SQL Injection  164
  Error Messages in Oracle  167
  Enumerating the Database Schema  170
  SQL Server  171
  MySQL  177
  Oracle  180
  Escalating Privileges  183
  SQL Server  184
  Privilege Escalation on Unpatched Servers  189
  Oracle  190
  Stealing the Password Hashes  192
  SQL Server  192
  MySQL  194
  Oracle  194
  Oracle Components  196
  APEX  196
  Oracle Internet Directory  197
  Out-of-Band Communication  198
  E-mail  199
  Microsoft SQL Server  199
  Oracle  202
  HTTP/DNS  203
  File System  203
  SQL Server  204
  MySQL  207
  Oracle  208
  Automating SQL Injection Exploitation  208
  Sqlmap  208
  Sqlmap Example  209
  Bobcat  211
  BSQL  212
  Other Tools  214
  Summary  215
  Solutions Fast Track  215
  Frequently Asked Questions  218

Chapter 5  Blind SQL Injection Exploitation  219
  Introduction  220
  Finding and Confirming Blind SQL Injection  221
  Forcing Generic Errors  221
  Injecting Queries with Side Effects  222
  Splitting and Balancing  222
  Common Blind SQL Injection Scenarios  225
  Blind SQL Injection Techniques  225
  Inference Techniques  226
  Increasing the Complexity of Inference Techniques  230
  Alternative Channel Techniques  234
  Using Time-Based Techniques  235
  Delaying Database Queries  235
  MySQL Delays  235
  Generic MySQL Binary Search Inference Exploits  237
  Generic MySQL Bit-by-Bit Inference Exploits  237
  SQL Server Delays  238
  Generic SQL Server Binary Search Inference Exploits  240
  Generic SQL Server Bit-by-Bit Inference Exploits  240
  Oracle Delays  240
  Time-Based Inference Considerations  241
  Using Response-Based Techniques  242
  MySQL Response Techniques  242
  SQL Server Response Techniques  244
  Oracle Response Techniques  246
  Returning More Than One Bit of Information  247
  Using Alternative Channels  249
  Database Connections  250
  DNS Exfiltration  251
  E-mail Exfiltration  255
  HTTP Exfiltration  256
  Automating Blind SQL Injection Exploitation  258
  Absinthe  258
  BSQL Hacker  260
  SQLBrute  263
  Sqlninja  264
  Squeeza  265
  Summary  267
  Solutions Fast Track  267
  Frequently Asked Questions  270

Chapter 6  Exploiting the Operating System  271
  Introduction  272
  Accessing the File System  273
  Reading Files  273
  MySQL  274
  Microsoft SQL Server  280
  Oracle  289
  Writing Files  291
  MySQL  292
  Microsoft SQL Server  295
  Oracle  300
  Executing Operating System Commands  301
  Direct Execution  301
  Oracle  301
  DBMS_SCHEDULER  302
  PL/SQL Native  302
  Other Possibilities  303
  Alter System Set Events  303
  PL/SQL Native 9i  303
  Buffer Overflows  304
  Custom Application Code  304
  MySQL  304
  Microsoft SQL Server  305
  Consolidating Access  309
  Summary  312
  Solutions Fast Track  312
  Frequently Asked Questions  314
  Endnotes  315

Chapter 7  Advanced Topics  317
  Introduction  318
  Evading Input Filters  318
  Using Case Variation  319
  Using SQL Comments  319
  Using URL Encoding  320
  Using Dynamic Query Execution  322
  Using Null Bytes  323
  Nesting Stripped Expressions  324
  Exploiting Truncation  324
  Bypassing Custom Filters  326
  Using Non-Standard Entry Points  327
  Exploiting Second-Order SQL Injection  329
  Finding Second-Order Vulnerabilities  332
  Using Hybrid Attacks  335
  Leveraging Captured Data  335
  Creating Cross-Site Scripting  335
  Running Operating System Commands on Oracle  336
  Exploiting Authenticated Vulnerabilities  337
  Summary  338
  Solutions Fast Track  338
  Frequently Asked Questions  340

Chapter 8  Code-Level Defenses  341
  Introduction  342
  Using Parameterized Statements  342
  Parameterized Statements in Java  344
  Parameterized Statements in .NET (C#)  345
  Parameterized Statements in PHP  347
  Parameterized Statements in PL/SQL  348
  Validating Input  349
  Whitelisting  349
  Blacklisting  351
  Validating Input in Java  353
  Validating Input in .NET  354
  Validating Input in PHP  354
  Encoding Output  355
  Encoding to the Database  355
  Encoding for Oracle  356
  Oracle dbms_assert  357
  Encoding for Microsoft SQL Server  359
  Encoding for MySQL  360
  Canonicalization  362
  Canonicalization Approaches  363
  Working with Unicode  364
  Designing to Avoid the Dangers of SQL Injection  365
  Using Stored Procedures  366
  Using Abstraction Layers  367
  Handling Sensitive Data  368
  Avoiding Obvious Object Names  369
  Setting Up Database Honeypots  370
  Additional Secure Development Resources  371
  Summary  373
  Solutions Fast Track  373
  Frequently Asked Questions  375

Chapter 9  Platform-Level Defenses  377
  Introduction  378
  Using Runtime Protection  378
  Web Application Firewalls  379
  Using ModSecurity  380
  Configurable Rule Set  380
  Request Coverage  383
  Request Normalization  383
  Response Analysis  384
  Intrusion Detection Capabilities  385
  Intercepting Filters  386
  Web Server Filters  386
  Application Filters  389
  Implementing the Filter Pattern in Scripted Languages  390
  Filtering Web Service Messages  391
  Non-Editable versus Editable Input Protection  391
  URL/Page-Level Strategies  392
  Page Overriding  392
  URL Rewriting  393
  Resource Proxying/Wrapping  393
  Aspect-Oriented Programming (AOP)  393
  Application Intrusion Detection Systems (IDSs)  394
  Database Firewall  394
  Securing the Database  395
  Locking Down the Application Data  395
  Use the Least-Privileged Database Login  395
  Revoke PUBLIC Permissions  396
  Use Stored Procedures  396
  Use Strong Cryptography to Protect Stored Sensitive Data  397
  Maintaining an Audit Trail  398
  Oracle Error Triggers  398
  Locking Down the Database Server  400
  Additional Lockdown of System Objects  400
  Restrict Ad Hoc Querying  401
  Strengthen Controls Surrounding Authentication  401
  Run in the Context of the Least-Privileged Operating System Account  401
  Ensure That the Database Server Software Is Patched  402
  Additional Deployment Considerations  403
  Minimize Unnecessary Information Leakage  403
  Suppress Error Messages  403
  Use an Empty Default Web Site  406
  Use Dummy Host Names for Reverse DNS Lookups  406
  Use Wildcard SSL Certificates  407
  Limit Discovery via Search Engine Hacking  407
  Disable Web Services Description Language (WSDL) Information  408
  Increase the Verbosity of Web Server Logs  409
  Deploy the Web and Database Servers on Separate Hosts  409
  Configure Network Access Control  409
  Summary  410
  Solutions Fast Track  410
  Frequently Asked Questions  412

Chapter 10  References  415
  Introduction  416
  Structured Query Language (SQL) Primer  416
  SQL Queries  416
  SELECT Statement  417
  UNION Operator  417
  INSERT Statement  418
  UPDATE Statement  418
  DELETE Statement  418
  DROP Statement  420
  CREATE TABLE Statement  420
  ALTER TABLE Statement  420
  GROUP BY Statement  421
  ORDER BY Clause  421
  Limiting the Result Set  421
  SQL Injection Quick Reference  422
  Identifying the Database Platform  422
  Identifying the Database Platform via Time Delay Inference  423
  Identifying the Database Platform via SQL Dialect Inference  423
  Combining Multiple Rows into a Single Row  424
  Microsoft SQL Server Cheat Sheet  425
  Enumerating Database Configuration Information and Schema  425
  Blind SQL Injection Functions: Microsoft SQL Server  427
  Microsoft SQL Server Privilege Escalation  427
  OPENROWSET Reauthentication Attack  428
  Attacking the Database Server: Microsoft SQL Server  429
  System Command Execution via xp_cmdshell  429
  xp_cmdshell Alternative  430
  Cracking Database Passwords  430
  Microsoft SQL Server 2005 Hashes  431
  File Read/Write  431
  MySQL Cheat Sheet  431
  Enumerating Database Configuration Information and Schema  431
  Blind SQL Injection Functions: MySQL  432
  Attacking the Database Server: MySQL  433
  System Command Execution  433
  Cracking Database Passwords  434
  Attacking the Database Directly  434
  File Read/Write  434
  Oracle Cheat Sheet  435
  Enumerating Database Configuration Information and Schema  435
  Blind SQL Injection Functions: Oracle  436
  Attacking the Database Server: Oracle  437
  Command Execution  437
  Reading Local Files  437
  Reading Local Files (PL/SQL Injection Only)  438
  Writing Local Files (PL/SQL Injection Only)  439
  Cracking Database Passwords  440
  Bypassing Input Validation Filters  440
  Quote Filters  440
  HTTP Encoding  442
  Troubleshooting SQL Injection Attacks  443
  SQL Injection on Other Platforms  446
  PostgreSQL Cheat Sheet  446
  Enumerating Database Configuration Information and Schema  447
  Blind SQL Injection Functions: PostgreSQL  448
  Attacking the Database Server: PostgreSQL  448
  System Command Execution  448
  Local File Access  449
  Cracking Database Passwords  449
  DB2 Cheat Sheet  449
  Enumerating Database Configuration Information and Schema  449
  Blind SQL Injection Functions: DB2  450
  Informix Cheat Sheet  451
  Enumerating Database Configuration Information and Schema  451
  Blind SQL Injection Functions: Informix  452
  Ingres Cheat Sheet  452
  Enumerating Database Configuration Information and Schema  452
  Blind SQL Injection Functions: Ingres  453
  Microsoft Access  453
  Resources  453
  SQL Injection White Papers  453
  SQL Injection Cheat Sheets  454
  SQL Injection Exploit Tools  454
  Password Cracking Tools  455
  Solutions Fast Track  456

Index  459