Injection Rejection, or
How I Learned To Stop Worrying
And Love Bobby Tables
What’s an “injection” attack?
An injection attack tricks a program into interpreting
user-supplied data as code.
Attack surfaces
• Direct user input.
• Filesystem.
• Environment variables.
• Database values.
• Anything interpreted at runtime.
• Anything “just-in-time” compiled.
April 17, 2009 Injection Rejection 3
CGI example in Perl
use strict;
use warnings;
use CGI;
use DBI;

my $cgi = CGI->new;
our ($dsn, $db_user, $db_pass);   # connection details are not on the slide; assumed set elsewhere
my $db = DBI->connect($dsn, $db_user, $db_pass)
    || die "Couldn't connect: $DBI::errstr";

my @flagged = getFlaggedEntries();   # parameter names minus the "flag" prefix, unvalidated
my $bogus = join(',', @flagged);     # pasted straight into the statement text
my $sql = "delete from student where id in ($bogus)\n";
my $sh = $db->prepare($sql) || die "Couldn't prepare SQL statement: $DBI::errstr";
$sh->execute() || die "Couldn't execute SQL statement: $DBI::errstr";
What it’s supposed to do
Sane input:
303,101,404
delete from student where id in (303,101,404)
What it actually does
Not-so-sane input:
303); truncate table users; --
delete from student where id in (303); truncate table users; --)
Rubber, meet road
# return array of CGI parameters named flag#### where
# the #### indicates one or more characters. Strips the
# "flag" prefix.
sub getFlaggedEntries()
{
    my @f = (); # return value
    foreach (keys %{$cgi->Vars()})
    {
        next unless m/^flag(.+)$/;
        push @f, $1;   # Perl untainting: a regex capture is untainted, whatever it contains
    }
    @f; # return value
}
A simple exploit
$ curl 'http://example.com/cgi-bin/example.pl?flag303)%3B%20truncate%20table%20users%3B%20--=1'
The attacker's payload is the parameter name, "flag303); truncate table users; --" (URL-encoded); the value (=1) is irrelevant, since getFlaggedEntries() only looks at names.
Real-Life Applications
“I hope you’ve learned to sanitize
your database inputs.”
• Don’t enumerate badness.
• Precompiled code. Always.
• Perl tainting: you still have to think. Taint mode (-T) only forces data through a regex; a capture like m/^flag(.+)$/ untaints anything.
• LINQ has possibilities.
• Parameterize your SQL.
Parameterized SQL
WRONG (user data interpolated into the statement text):
my $sh = $db->prepare("insert into foo set name=$name, company=$company");
$sh->execute();
RIGHT (placeholders; the driver sends the values separately from the statement):
my $sh = $db->prepare('insert into foo set name=?, company=?');
$sh->execute($name, $company);
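The two-placeholder slide above does not cover the deck's own bug, where the number of ids in "id in (...)" varies per request. The following is an added example, not code from the slides, written in Python with SQLite instead of the talk's Perl/DBI so it runs offline. It carries the slide's getFlaggedEntries() contract over, shows the string-built delete being hijacked by the same parameter-name payload, and then the fix: allow-list each id (a bare decimal, nothing else) and bind one "?" per id. The student/users rows are constructed sample data; executescript() stands in for a driver that accepts stacked statements, and "delete from users" replaces the slide's TRUNCATE because SQLite has none.

```python
import re
import sqlite3

# Constructed sample rows standing in for the deck's "student" and "users" tables.
STUDENTS = [(101, "alice"), (303, "bob"), (404, "carol"), (505, "dave")]
USERS = [(1, "admin"), (2, "operator")]


def fresh_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table student (id integer primary key, name text);"
        "create table users (id integer primary key, login text);"
    )
    db.executemany("insert into student values (?, ?)", STUDENTS)
    db.executemany("insert into users values (?, ?)", USERS)
    db.commit()
    return db


def get_flagged_entries(params):
    """Same contract as the slide's getFlaggedEntries(): strip the 'flag'
    prefix from every parameter *name* and return the rest, unvalidated."""
    return [name[len("flag"):] for name in params if name.startswith("flag")]


def delete_flagged_vulnerable(db, params):
    """The slide's pattern: user data pasted into the statement text.
    executescript() stands in for a driver that runs stacked statements."""
    bogus = ",".join(get_flagged_entries(params))
    db.executescript(f"delete from student where id in ({bogus})")


ID_PATTERN = re.compile(r"[0-9]{1,9}")  # allow-list: a bare decimal id, nothing else


def delete_flagged_safe(db, params):
    """Allow-list every id, then bind the values with one '?' per id so the
    statement text never contains user data. Returns the rows deleted."""
    ids = []
    for raw in get_flagged_entries(params):
        if not ID_PATTERN.fullmatch(raw):
            raise ValueError(f"rejected flag id {raw!r}")
        ids.append(int(raw))
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))  # "?,?,?" for three ids
    cur = db.execute(f"delete from student where id in ({placeholders})", ids)
    db.commit()
    return cur.rowcount


def safe_rejects(db, params):
    """True when delete_flagged_safe() refuses the input outright."""
    try:
        delete_flagged_safe(db, params)
    except ValueError:
        return True
    return False


def row_counts(db):
    """(students, users) remaining, to observe what each version did."""
    students = db.execute("select count(*) from student").fetchone()[0]
    users = db.execute("select count(*) from users").fetchone()[0]
    return students, users


if __name__ == "__main__":
    payload = {"flag303); delete from users; --": "1"}  # the slide's payload, SQLite-flavoured
    db = fresh_db()
    delete_flagged_vulnerable(db, payload)
    print("vulnerable:", row_counts(db))  # one student gone and the users table emptied
    db = fresh_db()
    print("safe rejects payload:", safe_rejects(db, payload), row_counts(db))  # nothing deleted
```

The placeholder list is built from the count of ids, never from their content, so the only user-controlled bytes the database sees arrive as bound values. The regex is an allow-list rather than a blacklist of quotes and semicolons, which is the "don't enumerate badness" rule from the previous slide in practice.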
Injection’s not just for SQL I
01/06/2009 02:47 PM 20,104 CVSInstall.pdf
08/17/2008 07:41 PM 67 cweb.html
11/06/2006 02:56 AM 413,696 CWIMS.mdb
05/01/2008 01:35 PM 5,632 cwsl.dll
09/22/2007 07:07 PM 4,537 day.txt
04/14/2009 08:06 AM 5 dbappend(),fieldput('user','catfood')
The last entry is a file name that is itself a valid xBase/Clipper expression (append a record, set its user field to 'catfood'). An application that evaluates the names it reads from a directory will run it: the filesystem is an input.
Injection’s not just for SQL II
$command = "nslookup -type=ptr $inputdomain";
system($command);   # one-string form goes through the shell: any metacharacter in $inputdomain starts a new command
I saw this in production code… actually straight C. But still.
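The same two-step fix as for SQL applies to commands: keep the data out of the thing that gets parsed, and allow-list it first. The block below is an added example, not the talk's code, written in Python (the slide is Perl and the production code was C). Because the real nslookup needs a network, "echo" stands in for it in the vulnerable shell version and a tiny Python child prints its argv in the no-shell version; the shell parsing and the argv boundary are what the example is about, and they do not depend on which tool runs. The hostname regex is an RFC 1123 allow-list added here.

```python
import re
import subprocess
import sys

# Allow-list: RFC 1123 hostname labels, optional trailing dot, 253 chars max.
# Rejecting everything else up front is "don't enumerate badness" for commands.
HOSTNAME = re.compile(
    r"(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?",
    re.IGNORECASE,
)


def lookup_vulnerable(domain):
    """The slide's pattern: a string built from user input, handed to /bin/sh.
    'echo' stands in for nslookup so this runs offline; the shell parses the
    string exactly as it would for the real command."""
    proc = subprocess.run(f"echo {domain}", shell=True, capture_output=True, text=True)
    return proc.stdout


def run_as_argument(domain):
    """argv-list form, no shell: the whole string arrives as ONE argument, even
    with ';' inside it. A Python child prints its argv[1] so that is visible.
    For the real tool the list would be ["nslookup", "-type=ptr", domain]."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", domain]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def lookup_safe(domain):
    """Allow-list first, then run without a shell. The validation still matters
    with argv lists: a value starting with '-' would otherwise be read by the
    tool as an option (argument injection rather than command injection)."""
    if not HOSTNAME.fullmatch(domain):
        raise ValueError(f"not a hostname: {domain!r}")
    return run_as_argument(domain)


def safe_rejects(domain):
    """True when lookup_safe() refuses the input before running anything."""
    try:
        lookup_safe(domain)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("shell string :", repr(lookup_vulnerable(payload)))   # two commands ran
    print("argv list    :", repr(run_as_argument(payload)))     # one argument, verbatim
    print("validated    :", safe_rejects(payload), safe_rejects("-type=any"))
```

Perl has the same split: system('nslookup', '-type=ptr', $inputdomain) with a list never invokes the shell, while the single-string form on the slide does. The allow-list is the second layer; it is what stops "-type=any" or "--version" from being accepted as a hostname.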
Making your project not suck!
• Don’t hoard code.
• Don’t optimize yet.
• Review code constantly.
• Let unit tests drive development.
• Still don’t optimize yet.
A few good URLs
• 6 dumbest ideas in computer security:
http://www.ranum.com/security/computer_security/editorials/dumb/
• SQL Injection basics:
http://www.sitepoint.com/article/sql-injection-attacks-safe
• Parameterized SQL basics:
http://www.codinghorror.com/blog/archives/000275.html
This is me.
I make projects not suck.
http://imakeyourprojectnotsuck.com
Get these slides
http://criticalresults.com/notacon6
Next! Here!
Super Jason Scott Presentation 64