SQL Injection: From Basics To Botnet-Based Attack Automation
http://y
Neil Daswani, June 2008
Is the sky falling?
- TJX (March 2007): owns TJ Maxx, Marshalls, and other department stores; attacks exploited WEP used at branches; over 47 million credit card (CC) numbers dating back to 2002
- CardSystems (June 2005): credit card payment processing company, now out of business; 263,000 CC numbers stolen from the database via SQL injection; 43 million CC numbers stored unencrypted / compromised
- Enter "sql injection" on news.google.com for more...
- Additional data theft: www.privacyrights.org/ar/chrondatabreaches.htm
Why Should I Care?
- Compliance: SOX, PCI, HIPAA, etc.
- Data breach laws
- Social responsibility
- Reputation / revenue
- Expense per lost or stolen record: credit monitoring, lawsuits
Cybercriminal Goals
- End goal: $$$
- Average attacker profile: yesterday, a teenager looking for fame; today, organized crime
- Intermediate goals:
  - Data theft (identity, credit cards, etc.)
  - Extortion (denial-of-service, blackmail, etc.)
  - Malware distribution (drive-by-downloads, etc.)
- Example: RBN (Russian Business Network), responsible for Storm, MalwareAlarm, and much more...
Cybercrime Pseudo-Goals
OWASP Top 10
SQL Injection Example
Web Browser -> Web Server -> Database
The user submits a username and password; the server runs the normal query:
    SELECT passwd FROM USERS WHERE uname IS $username
SQL Injection Example: Attacker Provides This Input
SQL Injection Example
Web Browser -> Web Server -> Database
The attacker-supplied username turns the query into a malicious one:
    SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; -- '
Eliminates all user accounts.
http://xkcd.com/327/
Innovative Injection Attacks
It is not just about web applications:
- Airline boarding passes
- Malicious credit card merchants
SQL Injection Example
View pizza order history:
    <form method="post" action="...">
      Month
      <select name="month">
        <option value="1">Jan</option>
        ...
        <option value="12">Dec</option>
      </select>
      <p>
      <input type="submit" name="submit" value="view">
    </form>
SQL Injection Example
Normal SQL query:
    SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10
For the order_month parameter, the attacker could supply the input:
    0 OR 1=1
Malicious query:
    SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=1
The WHERE condition is always true! Gives the attacker access to other users' private data.
Tampered form field:
    <option value="0 OR 1=1">Dec</option>
SQL Injection Example: All User Data Compromised
SQL Injection Example
A more damaging breach of user privacy: for the order_month parameter, the attacker could input:
    0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards
The attacker is able to combine the results of two queries: the empty table from the first query with the sensitive credit card info of all users from the second query.
SQL Injection Example: Credit Card Info Compromised
Where You Can Learn More
The Ultimate Online Software Security Course: What Every Developer Needs to Know
- 9 hours / six modules for only $249!
- Online multimedia experience
- Presented by Neil Daswani, Ph.D.
- Free copy of Neil's book included, NO shipping charges!
http://y
Building Botnets with SQL Injection
1. Attacker queries a search engine for vulnerable sites
2. Attacker injects malicious JavaScript/ActiveX into the target site(s)
3. User views the page ("What do you want to do today?") and gets infected via drive-by-download
4. Infected machine can log keystrokes, take part in DoS, etc.
Preventing SQL Injection
Whitelisting
- Why? Blacklisting characters doesn't work:
  - Doesn't prevent many attacks
  - Easy to forget to filter out some characters
  - Could reject valid input (e.g. the username O'Brien)
- Allow a well-defined set of safe values via regular expressions: [A-Za-z0-9]*, [0-1][0-9]
- Can be implemented in a web application firewall (e.g., mod_security)
Escaping
- For valid string inputs like the username o'connor, use escape characters. Ex: escape(o'connor) = o''connor
Prepared Statements & Bind Variables
    PreparedStatement ps = db.prepareStatement(
        "SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=? AND order_month=?");
    ps.setInt(1, session.getCurrentUserId());
    ps.setInt(2, Integer.parseInt(request.getParameter("month")));
    ResultSet res = ps.executeQuery();
- The query is parsed without the parameters; the ? placeholders are bind variables
- Bind variables are typed (e.g. int, string, etc.), so the month can never be read as SQL
* Bind Variables: Data Placeholders
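The whitelist and escape controls from the previous slide and the bind-variable query on this one, as an added Python example (not code from the slides): sqlite3 stands in for the pizza-order database, the orders and creditcards tables and their rows are constructed sample data, and month_is_valid, escape_string and handle_request are hypothetical names. The concatenating query reproduces what the two attack inputs from the earlier slides do to the WHERE clause; the whitelisted, bound version rejects them.

```python
import re
import sqlite3

# Whitelist for order_month: the slide's [0-1][0-9] idea, tightened to 1..12 (assumption).
MONTH_RE = re.compile(r"^(?:0?[1-9]|1[0-2])$")

def month_is_valid(value: str) -> bool:
    """Whitelist check: accept only a one- or two-digit month."""
    return MONTH_RE.fullmatch(value) is not None

def escape_string(value: str) -> str:
    """The slide's escape(o'connor) = o''connor: double each single quote in a SQL string literal."""
    return value.replace("'", "''")

def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the slides): orders for two users plus a creditcards table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (userid INT, pizza TEXT, toppings TEXT, "
                "quantity INT, order_day INT, order_month INT)")
    con.execute("CREATE TABLE creditcards (cardholder TEXT, number TEXT, exp_month INT, exp_year INT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", [
        (4123, "margherita", "basil", 1, 3, 10),
        (4123, "marinara", "garlic", 2, 17, 9),
        (7788, "quattro formaggi", "none", 1, 8, 10),
    ])
    con.execute("INSERT INTO creditcards VALUES ('Alice Example', '4111-XXXX', 12, 2030)")
    return con

def orders_concat(con: sqlite3.Connection, userid: int, month: str) -> list:
    """Vulnerable: month is pasted into the SQL text, so attack input rewrites the WHERE clause."""
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={month}")
    return [tuple(row) for row in con.execute(sql)]

def orders_bound(con: sqlite3.Connection, userid: int, month: str) -> list:
    """Hardened: bind variables; int() enforces the type and the driver never parses month as SQL."""
    sql = "SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=? AND order_month=?"
    return [tuple(row) for row in con.execute(sql, (userid, int(month)))]

def handle_request(con: sqlite3.Connection, userid: int, month: str):
    """Defense in depth: whitelist first, then the prepared statement; bad input is rejected."""
    if not month_is_valid(month):
        return "rejected"
    return orders_bound(con, userid, month)
```

With the constructed data, orders_concat with the input 0 OR 1=1 returns every user's rows and the UNION input returns the creditcards row, while handle_request returns "rejected" for both and only the caller's own October order for "10".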
Web Application Firewalls (WAF)
Without a WAF, requests such as
    http://a.com/showarticle?id=278
    http://a.com/showarticle?id=345
    http://a.com/showarticle?id=12
go straight to the web server.
With a WAF, the same requests pass through the WAF before they reach the web server.
Web Application Firewalls
- Can prevent some attacks
- ModSecurity Core Rule example:
    SecRule REQUEST_FILENAME|ARGS "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
        "capture,t:htmlEntityDecode,t:lowercase,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'"
- Can develop application-specific rules as well
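The signature from the CRS rule above run over constructed request arguments, as an added Python example (not ModSecurity's code): transform() approximates the rule's three transformations in order, and inspect_args is a hypothetical helper returning what the rule would log as TX.0. The sample requests also show why the slide says "some attacks": the pizza slides' own UNION input uses no name from this signature and passes the rule, which is where application-specific rules come in.

```python
import html
import re

# The table/column/function names from CRS rule 950906 on the slide, alternation bars restored;
# these names rarely appear in legitimate form fields.
SQLI_SIGNATURE = re.compile(
    r"\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)"
    r"|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)"
    r"|substr(?:ing)?|table_name|mb_users|rownum)\b"
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

def transform(value: str) -> str:
    """Approximates t:htmlEntityDecode, t:lowercase, t:replaceComments, applied in that order."""
    value = html.unescape(value)          # &#95; -> _ so entity-encoded names cannot slip past
    value = value.lower()                 # the signature is written in lowercase
    return COMMENT_RE.sub(" ", value)     # each /* ... */ becomes a single space

def inspect_args(args: dict) -> list:
    """Run the signature over every request argument (the rule's ARGS target).
    Returns (argument name, matched signature) pairs; the match is what the rule logs as TX.0."""
    hits = []
    for name, raw in args.items():
        match = SQLI_SIGNATURE.search(transform(raw))
        if match:
            hits.append((name, match.group(0)))
    return hits

# Constructed requests: the pizza form's normal value, three that the rule catches
# (plain, entity-encoded, upper-case), and the slides' own UNION input, which it does not.
SAMPLE_REQUESTS = {
    "normal": {"month": "10"},
    "schema": {"id": "1 UNION SELECT table_name FROM information_schema.tables"},
    "entity": {"id": "1 union select table&#95;name from x"},
    "case":   {"q": "ROWNUM"},
    "pizza":  {"month": "0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards"},
}

def classify_samples() -> dict:
    """Map each sample request label to the signatures it triggers."""
    return {label: inspect_args(args) for label, args in SAMPLE_REQUESTS.items()}
```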
Additional Mitigations
What else helps? (Defense-in-depth)
- Limit privileges
- Harden the DB server and host OS
What else do I need to learn about SQL injection?
- Second-order SQL injection
- Blind SQL injection
Trends
- "In the second half of 2007, 58 percent of all vulnerabilities affected Web applications" -- Symantec
- "better to compromise a specific popular site with a single vulnerability" -- Symantec
- "80% of sites hosting malware are legitimate sites that have been hacked" -- Sophos
- "Today over 70% of attacks against a company's web site or web application come at the application layer, not the network or the system layer." -- Gartner
Where to learn more
Foundations of Security: What Every Programmer Needs To Know (Daswani / Kern / Kesavan)
Where to learn more
The Ultimate Online Software Security Course:
- Secure Design and Principles
- Worms and Malware
- Client-State Manipulation
- SQL Injection
- Cross-Domain Attacks
- Password Security
- Cryptography: Symmetric, Public-Key, Hashing, Digital Signatures, Key Mgmt
http://y
To conclude... Software and database security is everyone's problem! To learn more visit: http://y