SQL Injection

Shared by: phanleson
Posted: 9/29/2009
Language: English
Bilal Al-Qudah

SQL INJECTION

Databases

Escaping special characters in MySQL: mysql_real_escape_string()

unsigned long mysql_real_escape_string(MYSQL *mysql, char *to, const char *from, unsigned long length)

SQL
- SQL stands for Structured Query Language.
- SQL is a standard, open language without corporate ownership.
- SQL can: execute queries against a database; retrieve data from a database; insert new records in a database; delete records from a database; update records in a database.
- Some common RDBMSs that use SQL are: Oracle, MS SQL Server, MS Access, Ingres, DB2, Sybase, Informix, etc.

What is SQL Injection
- SQL injection: non-validated input vulnerabilities that let SQL commands pass through a web application for execution by a backend database.
- Unexpected execution!

Forms of SQL injection vulnerabilities
- Incorrectly filtered escape characters (' and ")
- Incorrect type handling
- Vulnerabilities inside the database server

The basic issue of SQL injection: input values are interpreted as SQL.

ASP/MS SQL Server login syntax:

var sql = "SELECT * FROM users WHERE login = '" + userName + "' AND password = '" + userPass + "'";

Let userName = ' or 1=1 -- and userPass = anything. What will the result be?

Cont…
The final query would be:

SELECT * FROM users WHERE login = '' or 1=1 -- AND password = 'anything'

Everything after -- is a comment, so the password check never runs. The attacker will log in as if he were the first user stored in the users table.

Bad scenario
Suppose the attacker used the following input:

a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

SQL Injection Characters

  %                        wildcard attribute indicator
  ' or "                   string indicators
  -- or #                  single-line comment
  @variable                local variable
  /* … */                  multiple-line comment
  +                        addition, concatenate (or space in URL)
  waitfor delay '0:0:10'   time delay
  || (double pipe)         concatenate
  ?Param1=foo&Param2=bar   URL parameters
  @@variable               global variable
  PRINT                    useful as a non-transactional command

Securing applications against SQL injection
- Application remediation
- Database remediation
- Security privileges
- Stored procedures
- Preventing multi-statement attacks
- Disabling literals

Stored procedures
- GET_PASSWORD(userName)
- GET_USER(userName, password)

An attacker could still inject code into a GET_USER call if the password is not correctly escaped:

GET_USER('admin', '' || GET_PASSWORD('admin') || '')

SQL injection attack prevention

  Solution                       Blocks SQL injection?
  Imperva SecureSphere           YES
  Firewalls                      No
  Intrusion Detection Systems    No
  Intrusion Prevention Systems   No

SecureSphere:
- Looks for SQL signatures in the incoming HTTP stream.
- Builds a profile consisting of all allowed SQL queries.
- Monitors user activity.

Cont… http://www.imperva.com/products/securesphere/

Performance metric (SecureSphere)
  Throughput: up to 2 Gbps
  SQL requests/sec: up to 200,000

Real-world examples
- On October 31, 2004, after being linked from Slashdot, the Dremel site was changed to a Goatse pumpkin.
- On October 26, 2005, unknown Heise readers replaced a page by the German TV station ARD, which advertised a pro-RIAA sitcom, with Goatse using SQL injection.
- On January 13, 2006, Russian hackers broke into a Rhode Island government web site and allegedly stole credit card data from individuals who had done business online with state agencies.
- On November 01, 2005, a high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.

Cont…
- On March 29, 2006, Susam Pal discovered an SQL injection flaw in www.incredibleindia.org, an official Indian government tourism site.
- On January 1, 2007, Dr.Jr7 SQL injected Nokia's website in a rather tame and civil way, but then Digg users proceeded to change it to Goatse and bukkake.
- On March 2, 2007, Sebastian Bauer discovered an SQL injection flaw in the knorr.de login page.
- On June 29, 2007, a hacker defaced a Microsoft U.K. web page using SQL injection.
- On August 12, 2007, the United Nations web site was defaced using SQL injection.

References

SQL Injection related papers:
- http://www.nextgenss.com/papers.htm
- http://www.spidynamics.com/support/whitepapers/
- http://www.appsecinc.com/techdocs/whitepapers.html
- http://www.atstake.com/research/advisories
- http://www.owasp.org
- http://www.sqlsecurity.com
- http://www.securityfocus.com/infocus/1768

Other resources:
- http://www.imperva.com/products/securesphere/
- http://en.wikipedia.org/wiki/SQL_injection
- Java Security, Harpreet Ganguli with NIIT
- http://en.wikipedia.org/wiki/SQL_injection#In_Popular_Culture
- Advanced SQL Injection, Victor Chapela, Sm4rt Security Services
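The login example from the slides, worked through as an added example (not code from the slides): the concatenated query is run against a small in-memory SQLite table constructed here so it runs offline, next to the two remediations the deck names, escaping the quote characters and using parameterised queries. The table contents, the function names and the escape_quotes() helper (a minimal stand-in for mysql_real_escape_string(), not the MySQL C API) are assumptions for the demonstration.

```python
import sqlite3

# Constructed, in-memory stand-in for the slide's "users" table (SQLite instead
# of MS SQL Server so the example runs offline; the payload works the same way).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, user_name, user_pass):
    """String concatenation exactly as on the slide: input values become SQL."""
    sql = ("SELECT login FROM users WHERE login = '" + user_name
           + "' AND password = '" + user_pass + "'")
    return [row[0] for row in conn.execute(sql)]

def escape_quotes(value):
    """Hypothetical minimal stand-in for mysql_real_escape_string(): double every
    single quote so the value stays inside its string literal. This only helps
    for values the query actually quotes; numeric fields need type checks."""
    return value.replace("'", "''")

def login_escaped(conn, user_name, user_pass):
    """Same concatenation, but with the slide's 'filtered escape characters'."""
    sql = ("SELECT login FROM users WHERE login = '" + escape_quotes(user_name)
           + "' AND password = '" + escape_quotes(user_pass) + "'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, user_name, user_pass):
    """Placeholders: the driver sends the values separately from the statement,
    so they are never parsed as SQL. Prefer this over escaping."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user_name, user_pass))]

def demo():
    conn = make_db()
    payload = "' or 1=1 --"        # the slide's userName input
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),
        "escaped": login_escaped(conn, payload, "anything"),
        "parameterized": login_parameterized(conn, payload, "anything"),
        "legitimate": login_parameterized(conn, "bob", "hunter2"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The vulnerable variant returns every user, and an application that takes the first row logs the caller in as the first stored account, exactly as the slide describes; the escaped and parameterised variants return nothing because the payload is compared as a literal string. Python's sqlite3 driver additionally refuses to run more than one statement per execute() call, which is the "preventing multi-statement attacks" remediation from the deck enforced at the driver rather than in application code.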
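The two SecureSphere behaviours listed above, matching SQL signatures in the HTTP stream and keeping a profile of allowed queries, approximated in a few dozen lines as an added example; this is not Imperva's code and does not describe how the product is implemented. The signature list comes from the deck's SQL Injection Characters table; the access-log lines, the training queries and the two injected queries (the slide's login bypass and DROP TABLE cases) are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# --- 1. Signature matching on the HTTP stream --------------------------------
# Patterns taken from the slide's "SQL Injection Characters" table. Signature
# matching is cheap but noisy: an apostrophe in a surname trips it as well.
SIGNATURES = [
    ("string indicator", re.compile(r"['\"]")),
    ("single-line comment", re.compile(r"--|#")),
    ("multi-line comment", re.compile(r"/\*")),
    ("time delay", re.compile(r"waitfor\s+delay", re.I)),
    ("global variable", re.compile(r"@@\w+")),
]

def scan_request(log_line):
    """Names of the signatures found in the URL-decoded query string of one
    access-log line; an empty list means nothing matched."""
    m = re.search(r"\?(\S*)", log_line)
    if not m:
        return []
    params = unquote_plus(m.group(1))
    return [name for name, rx in SIGNATURES if rx.search(params)]

# --- 2. Profile of allowed SQL query shapes ----------------------------------
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'     # double-quoted literal
    r"|--[^\n]*"           # single-line comment
    r"|/\*.*?\*/"          # multi-line comment
    r"|\b\d+\b",           # numeric literal
    re.S,
)

def normalize(sql):
    """Reduce a query to its shape: literals become '?', comments vanish,
    case and whitespace are canonicalised. Injected SQL changes the shape."""
    def repl(m):
        tok = m.group(0)
        return " " if tok.startswith(("--", "/*")) else "?"
    return " ".join(_TOKEN.sub(repl, sql).upper().split())

class QueryProfile:
    """Whitelist of query shapes learned from known-good traffic: the slide's
    'profile consisting of all allowed SQL queries'."""
    def __init__(self, learning_queries):
        self.allowed = {normalize(q) for q in learning_queries}

    def check(self, sql):
        """Reasons to block the query; an empty list means it fits the profile."""
        shape = normalize(sql)
        statements = [s for s in shape.split(";") if s.strip()]
        reasons = []
        if len(statements) > 1:
            reasons.append("multiple statements")
        if shape not in self.allowed:
            reasons.append("query shape not in profile")
        return reasons

# Constructed sample data (not real traffic or real queries).
LOG_LINES = [
    "GET /login?user=bob&pass=hunter2 HTTP/1.1",
    "GET /login?user=%27+or+1%3D1+--&pass=anything HTTP/1.1",
    "GET /search?name=O%27Brien HTTP/1.1",
]
TRAINING_QUERIES = [
    "SELECT * FROM users WHERE login = 'bob' AND password = 'hunter2'",
    "SELECT * FROM data WHERE name LIKE 'dre%'",
]
INJECTED_LOGIN = "SELECT * FROM users WHERE login = '' or 1=1 --' AND password = 'anything'"
INJECTED_DROP = ("SELECT * FROM users WHERE name = 'a'; DROP TABLE users; "
                 "SELECT * FROM data WHERE name LIKE '%';")

if __name__ == "__main__":
    for line in LOG_LINES:
        print(line, "->", scan_request(line))
    profile = QueryProfile(TRAINING_QUERIES)
    for q in (TRAINING_QUERIES[0], INJECTED_LOGIN, INJECTED_DROP):
        print(normalize(q), "->", profile.check(q) or "allowed")
```

The third log line shows why signatures alone are not enough: "O'Brien" matches the string-indicator signature although it is an ordinary search term. The profile check works on the query the application actually sends to the database, so a legitimate login with different credentials has the same shape as the training traffic and passes, while the two injected queries change the shape (an OR clause, or extra statements) and are reported.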
