SQL Server Security

SQL Server Security: "The Hackers' Goldmine"
Secure Software Forum (SSF)

• Annual education series dedicated to secure software
• Leading security experts collaborate on education initiatives
• Yearly programs include:
   – February kick-off event in San Jose
   – Free workshop series
   – Executive dinner series
   – Webcast series
• Workshops sponsored by Microsoft & SPI Dynamics

SPI Dynamics Overview

• Founded January 2000 by Web application and security experts
• The leader in Web application security assessment throughout the lifecycle
• Eight patents pending or issued
• 700+ customers in the Global 2000
   – Strong in the F500, all industries and government
   – Over 100% customer and revenue growth year-to-year since inception

The History of Application Security

History of Web Applications

• Simple, single-server solutions

(Diagram: Browser talks to a single Web Server, which returns HTML)

Web Application Architecture

(Diagram: Browser and Wireless clients, plus Web Services, reach the Web Servers (presentation layer, media store), which call the Application Server (business logic, content services), which in turn reaches the Database Server holding customer identification, access controls, transaction information and core business data)

Web Applications Breach the Perimeter

(Diagram: four zones from left to right: Internet, DMZ, Trusted Inside, Corporate Inside; HTTP(S) is the only traffic that crosses every boundary)

• Internet to DMZ: the firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server (IIS, SunOne, Apache). Other Internet-side protocols (IMAP, FTP, SSH, TELNET, POP3) do not get through. Rule: Any – Web Server: 80
• DMZ to Trusted Inside: the firewall only allows applications on the web server to talk to the application server (ASP .NET, WebSphere, Java)
• Trusted Inside to Corporate Inside: the firewall only allows the application server to talk to the database server (SQL, Oracle, DB2)

Application Vulnerability Overview

Web Application Vulnerabilities

Web application vulnerabilities occur in three major areas:

• Platform
• Administration
• Application

Web Application Vulnerabilities – Platform

• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
• Most easily defendable of all web vulnerabilities
• Must have streamlined patching procedures
• Must have an inventory process

Examples: IIS UNICODE, Apache chunked encoding

Web Application Vulnerabilities – Administration

• More difficult to correct than known issues
• Require increased awareness
• More than just configuration: must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings

Examples: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Web Application Vulnerabilities – Application

• Coding techniques do not include security
• Input is assumed to be valid, but not tested
• Inappropriate file calls reveal source code & system files
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser

Examples: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, SQL Injection, Hidden Web Paths, Forceful Browsing

Demonstration: SQL Injection / Blind SQL Injection

SQL Injection – Vulnerable Code

• Vulnerable code

      sSql = sSql + " where LocationID = " + Request["cboLocation"] + "";
      oCmd.CommandText = sSql;

• URL (screenshot)

SQL Injection – Vulnerable Code

• Debug View

      ? oCmd.CommandText
      "SELECT EventName, EndDate, [Description], [Location], …….
         from Events
         where LocationID = convert(int,(select top 1 name from sysobjects))"

SQL Remediation

• Do not build SQL statements with user-provided data in the command
• Parameterized queries
• Minimum necessary rights on the application user
• Disable error messages

SQL Injection – Safe Code

• Simple but safe code

      sSql = sSql + " where LocationID = @LocationID";
      oCmd.CommandText = sSql;
      oCmd.Parameters.Add("@LocationID", Request["cboLocation"]);

• URL (screenshot)

SQL Injection – Safe Code

• Debug view

      ? oCmd.CommandText
      SELECT EventName,[Description], [Location]
        from Events
        where LocationID = @LocationID

SQL Injection – Safe Code

• Safe code

      oCmd.CommandText = sSql + " where LocationID = @LocationID";
      SqlParameter pLocationID = new SqlParameter("@LocationID", SqlDbType.Int);
      // Convert.ToInt32 throws on non-numeric input, so the command below is never reached
      pLocationID.Value = System.Convert.ToInt32(Request["cboLocation"]);
      oCmd.Parameters.Add(pLocationID);

• URL (screenshot)

• Debug view
   – None, command object was never executed
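The three query-building patterns the deck contrasts (concatenation, untyped parameter, typed parameter), as an added example in Python against an in-memory SQLite table; this is not the deck's own C# code, the Events table and rows are constructed, the function names are this example's own, and the injected value is the one from the debug view above. SQLite has no convert() or sysobjects, so what the example shows is how each pattern treats that value, not what it would return on SQL Server.

```python
import sqlite3

BASE_SQL = "SELECT EventName, EndDate FROM Events"
# Constructed sample rows standing in for the deck's Events table.
EVENTS = [("Kickoff", "2006-02-01", 1), ("Workshop", "2006-03-15", 2)]
# The injected value from the deck's debug view, exactly as shown there.
PAYLOAD = "convert(int,(select top 1 name from sysobjects))"


def _events_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Events (EventName TEXT, EndDate TEXT, LocationID INTEGER)")
    con.executemany("INSERT INTO Events VALUES (?, ?, ?)", EVENTS)
    return con


def query_vulnerable(cbo_location):
    """Vulnerable pattern: the request value is pasted into the SQL text.
    Returns (sql, outcome); outcome is the rows, or the engine's error text,
    which shows the pasted value was parsed as SQL rather than compared as data."""
    sql = BASE_SQL + " where LocationID = " + cbo_location
    try:
        return sql, _events_db().execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return sql, "error: " + str(exc)


def query_parameterized(cbo_location):
    """'Simple but safe' pattern: value bound as an untyped parameter.
    The SQL text never changes; the payload is compared as a string and matches nothing."""
    sql = BASE_SQL + " where LocationID = ?"
    return sql, _events_db().execute(sql, (cbo_location,)).fetchall()


def query_typed(cbo_location):
    """Typed pattern: convert to int first (like Convert.ToInt32), so a
    non-numeric payload raises ValueError and no command is ever executed."""
    location_id = int(cbo_location)
    sql = BASE_SQL + " where LocationID = ?"
    return sql, _events_db().execute(sql, (location_id,)).fetchall()
```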
Java Prepared Statement

• http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

      // Placeholders are bound with typed setters; the SQL text never contains user data
      PreparedStatement updateSales =
          con.prepareStatement("UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ?");
      updateSales.setInt(1, 75);
      updateSales.setString(2, "Colombian");
      updateSales.executeUpdate();

References

• Whitepaper
  – http://www.spidynamics.com (education)
• PDF
  – http://portal.spidynamics.com/blogs/dennis
• Downloads
  – http://www.spidynamics.com (trial)