Get documents about "Web Application Security SQL Injection Attack (SIA)
Document Sample
Outline
A Static Analysis Framework for
Detecting SQL Injection Vulnerabilities
!" # $
#% &
'
' (
Web Application Security SQL Injection Attack (SIA)
4 ( 5 &* $ * (
) % ** + + , (- 6* 5
% % . % ) %+ # &+ ( 2 # 7* (3
/1 + % *
0 ) * + +#
+ * ! 8 8+
2 "3 ) + *( ( 9
(
Example: Log-in Page Example: Log-in Page
& #* 5 # ;admin< ( ;abc123” & #* 5 # ;admin’--< ( “”
6 & + ( 5tUname tPwd 6 & + ( 5tUname tPwd
4 $ (' :
SELECT uname, pwd (
FROM users 4 uname, pwd FROM users
SELECT $ (' : (
WHERE uname = ’admin’ AND pwd=’abc123’ WHERE uname = ’admin’--’AND pwd=’’
##
string sState = string sState = ! 8 = * (-
“SELECT uname, pwd FROM users \n” + “SELECT uname, pwd FROM users \n” +
“WHERE uname = ’” + tUname.Text + “WHERE uname = ’” + tUname.Text +
“’ AND pwd =’” + tPwd.Text + “’” “’ AND pwd =’” + tPwd.Text + “’”
1
Motivating Example String Massage Against SIA
) % * ,+ ( " 4
* String massage(String strInput)
{
+
//1. SQL keyword search
> if(strInput.IndexOf("--")!=-1
? @ ) $ 6# || strInput.IndexOf("OR")!=-1
|| strInput.IndexOf("drop")!=-1)
throw new Exception(
@ & & #* 4 ( "Possible SQL Injection Attack: " + strInput
' );
//2. massage the data for single quote
00 String sOut = strInput.Replace("’","’’");
sOut = sOut.Substring(0,16);
return sOut;
}
!"#
Comments The Cracking Process
' A admin’-- 123456789012345’
23 !$ (
23 % + B OR uname<>’
$ % &
? ( (+ ( '
("() )
)) 123456789012345’’
()
(* $
# + , -
) . 0//.
% /.. &1
//
123456789012345’ + , + ) 2 3 " &1
% 0#
OR uname<>’ * ( + 1
4 123456789012345’
@ 5% "# OR uname<>’
SQL Statement Constructed Lesson Learned
SELECT uname,pwd FROM users WHERE 6 & 6 $ 4 -
uname=’123456789012345’’ AND pwd=’ OR uname<>’’
? , 6 #9
%
4 $ & ( $
' ( @ ( ( + (
6 ( ' (
B
5 5 8 # (* (-
2
8
< 2 6
-
Contribution of This Paper ; ; 2
6 $ 4 (
" #
% &
, % %+ (* # - $
5
8
( ( + %
( ( * % # #% &
2 ! # (
$* %
7 ( %# 3
?%(
9
2 9
% : &
Review of Symbolic Execution String Solver
, (4 $ CD
/0 +2 5 +
@ (? ( ' ## F*
E "
!5 5
. % >( #% $
# * & ( * ( %
% %
& * # * 2 %# !3
$ %
' ( %#
%
, * E* ( E &*
@ ( 4 ( " # !
E" ' ( ( F*
String Length Replace (Single Char)
B 5 B 5
s.length = k s.replace(a, b) = r
s ≡ Σk s ≡ r( a|b ) / b
E* +% %
2G 3
+ s.replace(' a ' , ' b' ) = b*c +
s ≡ ( a | b) * c +
3
String Concatenation Example
@ B
Σ H * %
*
uname = ' + s + ' AND pwd = ' ≡ uname = ' Σ + '
* % & ( B
Σ _ = Σ − {' } 5
' ( !)? E
* % B * (%
% A s
* *
Σ + = Σ _+ {' '}
Example (cont’d) Example (cont’d)
*
s1 + ' AND pwd = ' ≡ uname = ' Σ + ' (I)
* +2 5 B + +#
uname = ' + s + ' AND pwd = ' ≡ uname = ' Σ + '
v+c = r
* v $ ( $ &*
s1 + ' AND pwd = ' ≡ uname = ' Σ + ' (I)
' + Σ*c ∩ r
s1 ≡ uname = ' + s (II)
( * ; < +
I $ + ( #
( +# +
J@ * + v
s1 + ' AND pwd =' ≡ uname =' Σ + '
* 6
(I) + ""
0
0
"A
Σ * ' AND pwd = ' / CD
/
/
0
"B
0
"*
7 1 7 / 1
1 p 1 p 0
*A
a n u a n u
’ 8 3 2 ’ 8 "=
0 3 2
4 4
2 w m 2 w m
_ _
9 5 9 ">
0 5
3 d e 3 d e
A 9 A $ 9 EF ,/
10 6 10 6
4 = ’ ’ 4 = 0
"? ’ ’
N = N = *"
" 03
_ _
11 7 ’ 8 11 7 ’ 8
5 5 ,
’ ’ ’ ’
D D 0
"#
6 12 10 6 12 "@
0 10
/
4
@& *5 ""
0 0
"A
"
( + / / CD
+ / *
0
"*
0
"B s1 +' AND pwd =' ≡ uname =' Σ + ' (I)
' AND pwd ='
/
0
*A +
0
"=
+
uname = | uname = ' (' ' | Σ _) * '
0
">
uname = | uname =' (' ' | Σ_) ' *
EF ,/
$ #
"?
0 " 03
*" s = (' ' | Σ_)* '
,
0
"#
0
"@
/
+
uname = | uname = ' (' ' | Σ_) * '
Verification Verification
& #* 5s1 ≡ uname = & #* 5s1 ≡ uname = ' abc' ' cc'
) + + 9 ) + + 9
s1 + ' AND pwd =' s1 + ' AND pwd ='
uname =' AND pwd =' uname =' abc' ' cc' ' AND pwd ='
uname =' Σ* '
+ uname =' Σ* '
+
SQL-STATMT
Put All Together
SELECT-STMT Conclusion
) *
( *
COL_LIST FROM WHERE +# % ) ? + !"
'
uname pwd users EXPR
4 + + !"
( , * % # %+ (* #
AND "
! % ( ( %
=
* # > (%
= "
!' ( , *#
%
uname ’
uText.txt’ pwd ’uPwd.txt ’ 8 # ) $5
# +6 )
OR '
= <>
uname ‘ * ’ pwd ’ ’
5
Related docs
