SQL Injection

By Bart Carroll
Main Points
●   What is SQL injection?
●   How is it done?
●   Examples
●   How to prevent it
What Is SQL Injection?
●   A way of exploiting input fields in a program: user-supplied text is
    pasted into a SQL statement, so instead of supplying a value the
    attacker changes the meaning of the statement and can read, modify or
    drop tables and fields, or get past a login check.
●   One of the most dangerous, and most preventable, database exploits.
How It Is Done
●   Guess table and field names (they are often obvious: users, name,
    password).
●   Guess the statement the program builds from a user input
    field.
    –   Example statement where userName is user-supplied input
        concatenated straight into the SQL text:

Statement = "SELECT * FROM users WHERE name = '" + userName + "';"
How It Is Done
●   Construct a malicious value for the userName parameter. The leading
    quote closes the literal the program opened; the trailing LIKE '%
    soaks up the quote and semicolon the program appends, so the whole
    string still parses:
userName = "a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%"


●   Put the value into the input field.
●   Resulting statement sent to the database:

SELECT * FROM users WHERE name = 'a';
DROP TABLE users;
SELECT * FROM data WHERE name LIKE '%';
Result
●   The users table has now been dropped.
●   Caveat: running several ';'-separated statements in one call
    ("stacked queries") only works where the driver and database allow
    it; Oracle, for example, rejects it. Payloads that stay inside one
    statement, such as a password of  ' OR '1'='1  against the login
    query in the JSP example, work regardless of the driver.
Protection
●   Use PreparedStatement instead of plain JDBC Statement (for Java):
    the SQL text is fixed and the user's values are bound to ?
    placeholders, so they can never be parsed as SQL.
●   Use bind variables (the same idea in Oracle, PL/SQL and other
    languages).
●   Use input validation: accept only the characters a field
    legitimately needs (an allow-list). Merely stripping or escaping
    quote characters is fragile and is no substitute for binding.
●   Restrict function access: connect as a low-privilege database user
    and revoke grants the application does not need (in Oracle, revoke
    EXECUTE on powerful packages from PUBLIC).
●   Don't display error messages that tell everything about the
    database; log the detail server-side and show the user a generic
    message.
JSP Oracle Example (vulnerable version)
<%@ page import="org.alumnidb.beans.DbManage" %>
<%@ page import="java.sql.*" %>
<%
if(!request.getMethod().equals("POST")){
%>
<html>
  <head><title>SQL INJECTION EXAMPLE</title></head>
  <body>
   <form action="sqlInject.jsp" method=POST>
     Please enter your userName and password:<br>
     User:<input type="text" name=userName><br>
     Pass:<input type="text" name="password"><br>
     <input type="submit" value="submit">
   </form>
  </body>
</html>
<%
}
%>
<%
if(request.getMethod().equals("POST")){
 DbManage d = new DbManage();
 Connection con = d.makeConnection();
 String userName = request.getParameter("userName");
 String password = request.getParameter("password");
 // VULNERABLE: the raw request parameters are concatenated into the SQL text,
 // so a quote in either field ends the literal and the remainder is executed
 // as SQL (a password of  ' OR '1'='1  makes the WHERE clause true for every row).
 Statement stmt = con.createStatement();
 ResultSet rs = stmt.executeQuery("SELECT * FROM Users WHERE userName = '" + userName + "' AND pass = '" + password + "'");

%>
<html>
<head><title>RESULT</title></head>
<body>
  <b>Statement</b> = <% out.println("SELECT * FROM Users WHERE userName = '" + userName + "' AND pass = '" + password + "'");%><br><br>
<%
 while(rs.next()){
    out.println("userName: " + rs.getString(2) + "<br>");
    out.println("passWord: " + rs.getString(3) + "<br>");
 }%>
</body>
</html>
<%
 // release resources in the reverse order they were acquired
 rs.close();
 stmt.close();
 con.close();
}
%>
Non-Vulnerable Version
<%@ page import="org.alumnidb.beans.DbManage" %>
<%@ page import="java.sql.*" %>
<%
if(!request.getMethod().equals("POST")){
%>
<html>
  <head><title>SQL INJECTION EXAMPLE</title></head>
  <body>
   <form action="sqlInject2.jsp" method=POST>
     Please enter your userName and password:<br>
     User:<input type="text" name=userName><br>
     Pass:<input type="text" name="password"><br>
     <input type="submit" value="submit">
   </form>
  </body>
</html>
<%
}
%>
<%
if(request.getMethod().equals("POST")){
 DbManage d = new DbManage();
 Connection con = d.makeConnection();
 String userName = request.getParameter("userName");
 String password = request.getParameter("password");
 // SAFE: the SQL text is fixed and contains only placeholders; the driver sends
 // the two values separately (bind variables), so they can never be parsed as SQL.
 String query = "SELECT * FROM Users WHERE userName = ? AND pass = ?";
 PreparedStatement stmt = con.prepareStatement(query);
 stmt.setString(1, userName);
 stmt.setString(2, password);
 ResultSet rs = stmt.executeQuery();

%>
<html>
<head><title>RESULT</title></head>
<body>
  <b>Statement</b> = <% out.println(query); %><br><br>
<%
 while(rs.next()){
    out.println("userName: " + rs.getString(2) + "<br>");
    out.println("passWord: " + rs.getString(3) + "<br>");
 }%>
</body>
</html>
<%
 // release resources in the reverse order they were acquired
 rs.close();
 stmt.close();
 con.close();
}
%>