SlideShare a Scribd company logo

libinjection: a C library for SQLi detection, from Black Hat USA 2012

Download as KEY, PDF
Nick Galbreath
Nick Galbreath

libinjection: a c library for SQLi detection and generation through lexical analysis of real world attacks

Technology
1 of 40
libinjection a C library for SQLi detection and generation through lexical analysis of real world attacks Nick Galbreath @ngalbreath nickg@client9.com Wednesday July 25, 2012 2:45PM Augustus I+II, Caesar's Palace, Las Vegas
The latest version of this presentation: http:// www.client9.com/ 20120725/ 2
whoami ‣ Director of Engineering @ Etsy ‣ Enterprise, Fraud, Security, Email, Fun ‣ Know a little bit about c, e.g. stringencoders: ‣ C library for string processing ‣ used by every ad server in the world ‣ used in Chrome browser ‣ http://code.google.com/p/stringencoders Nick Galbreath @ngalbreath
The Next 14 Minutes ‣ Why is detecting SQLi hard ‣ The algorithm behind libinjection ‣ The results ‣ Next Steps Nick Galbreath @ngalbreath
Detecting SQLi from User Input is a Hard Problem
It's Easy to Get Started with Regular Expressions! s/UNIONs+(ALL)?/i ‣ At least two open source WAF use regular expressions. ‣ Failure cases in closed-source WAFs also indicate regexp. Nick Galbreath @ngalbreath
SQL IS HUGE ‣ Turing Complete! (sorta) ‣ 1992 SQL Spec: bit.ly/10fmhZ ‣ 625 pages of plain text ‣ 2003 SQL Spec: bit.ly/OB5vfW ‣ 128 pages of pure BNF ‣ No one implements exactly ‣ Everyone has extensions, exceptions, bugs Nick Galbreath @ngalbreath
It's more complicated than you think. ‣ Recursive commenting rules ‣ A single number can't be done in a single regexp. ‣ Really Loosely Typed ‣ String rules - OMFG. You think you know but you have no idea. ‣ Come see my talk at DEFCON this Friday at... 4:20 pm Nick Galbreath @ngalbreath
RegExp Soup (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+() (?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~]) (?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-] s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW) (?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=&&)w+()|(?:"[sd]*[^ws]+W*d W*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws] +"[^,]) (?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|] [ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+") (?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[s w]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*() (?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=| or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*") (?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename| truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*() (?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?: (?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()]) (?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W! +"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(]) (?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+) (?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*[[(]?w{2,}) (?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto) (?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@) (?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{)) (?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";? s*(?:select|union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+ (?:dump|out)files*") (?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*() (?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*(s*spaces*() (?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)]) (?:(sleep((s*)(d*)(s*))|benchmark((.*),(.*)))) (?:(union(.*)select(.*)from)) (?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) Nick Galbreath @ngalbreath
Guns and Butter ‣ In 2005, right here at Black Hat, Hanson and Patterson presented: Guns and Butter: Towards Formal Axioms of Validation (http://bit.ly/OBe7mJ) ‣ …formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct. ‣ (summary from libdejector documentation) Nick Galbreath @ngalbreath
Existing WAFs ‣ Visual inspection shows bugs ‣ Don't see very much in testing ‣ Don't see much or any false positive testing ‣ Closed source WAF have zero accountability (e.g. there is no formal disclosure of what they detect or not, and how they do it) Nick Galbreath @ngalbreath
CAN WE DO BETTER? Nick Galbreath @ngalbreath
libinjection
Key Insight ‣ A SQLi attack must be parsed as SQL with the original query. ‣ "Is it a SQLi attack?" becomes "Could it be a SQL snippet?" ‣ "does this input start as a sql snippet" Nick Galbreath @ngalbreath
Only 3 Contexts User input is only "injected" into SQL in three ways: ‣ As-Is ‣ Inside a single quoted string ‣ Inside a double quoted string (I suppose another would be inside a comment, but we can't do everything) Nick Galbreath @ngalbreath
Identification of SQL snippets without context is hard ‣ 1-917-660-3400 my phone number or an arithmetic expression? ‣ @ngalbreath my twitter account or a SQL variable? Nick Galbreath @ngalbreath
Existing SQL Parsers ‣ Only parse their flavor of SQL ‣ Not well designed to handle snippets ‣ Hard to extend ‣ Worried about correctness ... so I wrote my own! Nick Galbreath @ngalbreath
Tokenization ‣ Converts input into a stream of tokens ‣ Uses "master list" of keywords and functions across all databases. ‣ Handles comments, string, literals, weirdos. Nick Galbreath @ngalbreath
5000224' UNION USER_ID>0-- [ ('...500224', string), ('UNION', union operator), ('USER_ID', name), ('>', operator), ('0', number), ('--.....', comment) ] Nick Galbreath @ngalbreath
Meet the Tokens ‣ none/name ‣ group-like operation ‣ variable ‣ union-like operator ‣ string ‣ logical operator ‣ regular operator ‣ function ‣ unknown ‣ comma ‣ number ‣ semi-colon ‣ comment ‣ left parens ‣ keyword ‣ right parens Nick Galbreath @ngalbreath
Merging, Specialization, Disambiguation ‣ "IS", "NOT" ==> "IS NOT" (single op) ‣ "NATURAL", "JOIN" => "NATURAL JOIN" ‣ ("+", operator) -> ("+", "unary operator") ‣ (COS, function), (1, number) ==> (COS, name), (1, number) functions are followed with a parenthesis. Nick Galbreath @ngalbreath
Folding ‣ This step actually isn't needed to detect, but is needed to reduce false positives. ‣ Converts simple arithmetic expressions into a single value (don't try to evaluate them). ‣ 1-917-660-3400 -> "1" Nick Galbreath @ngalbreath
Knows nothing about SQLi ‣ So far this is purely a parsing problem. ‣ Knows nothing about SQLi (which is evolving) ‣ Can be 100% tested against any SQL input (not SQLi) for correctness. Nick Galbreath @ngalbreath
Fingerprints ‣ The token types of a user input form a hash or a fingerprint. ‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ ‣ becomes "sUk1,1,1,1,1,1,1,1,&" ‣ Now let's generate fingerprints from Real World Data. ‣ Can we distinguish between SQLi and benign input? Nick Galbreath @ngalbreath
Training on SQLi ‣ Parse known SQLi attacks from ‣ SQLi vulnerability scanners ‣ Published reports ‣ SQLI How-Tos ‣ > 32,000 total Nick Galbreath @ngalbreath
Training on real Input ‣ 100s of Millions of user inputs from Etsy's log were also parsed. ‣ Large enough to get a good sample (Top 50 USA site) ‣ Old enough to have lots of odd ways of query string formatting. ‣ Full text search with an diverse subject domain Nick Galbreath @ngalbreath
How many tokens are needed to determine if a user input is SQLi or not?
5 No matter long the input is.
480 out of 1,048,576 are SQLi n,(k( 1))Un n)ok( s)Unk 1)o1B n,(k1 s&n&s k(vv) sosos 1oks, sk)&1 1)o1f 1)o1k n);k& 1&1Bf 1)o1o s&os n,(kf s;k; n&1o1 1o(f( f(k,( 1ok1 1oksc so1f( sk)&f soso( 1),(1 s))&( s))&1 &f()o nok(1 k1,1k 1&f(n soko1 1Unk1 1ok(1 n))kk 1Unk( soko( 1)o(1 s)ok1 sov&s n;kn( nok(k s))&f sovso 1)ok1 s))&o 1)ok( s&sos n&k(1 s&vso so1c sUk(k k1,1, 1)o(n 1)o(k 1Bf(1 1kf(1 s&ko1 s&k(o 1)k1 sk);k 1&f(1 1Unkf s)k1 sos&( 1&(k1 1))on s&kc nUk(o 1;ko( 1)B1 sokc n)o1& no1oo 1&(kn s&1oo so1o1 s)o1f 1&(kf s)o1k s)o1o f(1)o n&1o( s)o1B 1okv, sk)&( 1;kok sok1 f(k() 1Ukv, s&1of 1&1oo n&1f( 1))); 1)))& 1&1of sovo1 s&1ov s)&1o sono1 1o((f 1)))) 1o(s) s)&1f 1&1ov 1Uk1k n))ok k()ok nkksc 1Uk1c n))of s&(k1 s)&1B n;kks n)o(k kf(n, f(f(1 sovov s&1o( sovos s&1o1 vok1, sovok sUk1 1o((( 1)))k 1&1o1 f(f() 1)))o n))o( 1)))U k1k(k 1Uk1, 1&1f( so(s) 1)))B f(n() n))o1 s)&(1 1)of( 1,(k1 sk)B1 f(1,f 1,(k( 1Bk(1 1onos 1o1f( 1,f(1 1B1c s&okc s;ko( sk1os s&oko 1ono1 1,(kf sB1 1));k s;kf( n)kks s;kok sk1o1 s;k(( 1o((1 1o1Bf so(f( n;kf( s&k(1 1&1o( nof(1 s);kk sk1c 1))o( s);ko s);kn sok1, s;k(1 1)kks s);kf so(os so1ov s;k1, 1))Uk soknk s))k1 1)B1o 1)B1c n);k( n;kok s;k(o s);k( sok1o sok1c sf(n, s);k& sB1&s s;k1o sUno1 s))kk n);kf 1&so1 sokn, n;ko( n);kk n);kn n);ko s&1on sof(k n;k&k k1o(s sonos sk1&1 sof(f 1oso1 1;knc sUknk f()of n&(1) s&ko( sof() ok1o1 n,f(1 1o(1) s;kkn s;kks 1o(kn sof(1 sUkn, s)k1c 1;kn( s)k1o s;k&k skks s;n:k no(o1 s))o( k(ok( so(ks so(kk so(kn so(ko s))o1 n)&(k o1kf( s))ok ;kknc skksc so(k1 n;k(( s&o(1 s))of so(k) n;k(1 n&(o1 s&kok sov:o s)of( sU(kk sU(kn f(v,1 sk)of 1)&f( sk)ok no1f( sU(ks oUk1, 1ok1c s&(1) s&kos 1ok1k sUnk1 1)ono 1of(1 so1o( s;knn s;knk 1of() vUk1, no1of 1&no1 sk)o1 s)B1 1)&o( sUk1& s&(k) 1o1)o f()&f sk)o( n&f(1 so1of 1)on& 1)B1& so1oo no1o1 so1ok 1ok1, 1of(n no1o( so1os s;kn( 1of(f sUnkf 1o(n) s&1os no(k1 n)))o n)))k 1kk(1 1;k(o 1)()s s&k1o s)B1& n)&1f n))&( sUk1, n)&1o no1&1 n))); sf(1) 1;k(1 n)))& sokf( 1;k(( ook1, n)of( sUk1c s)B1c n&(k1 sUk1o s)B1o 1Ukf( okkkn s&vos s)o(k 1)&1f 1Uk1 1))&o 1))&f 1)&1B 1)&(k s,1), f(1o1 s)&f( s)o(1 sUkf( s&k&s 1okf( 1)&(1 1))&1 1;kf( 1))&( sokos 1))ok 1o1of 1o(1o 1kksc 1o1oo 1Uk(k 1))of 1o1ov Ukkkn 1,(f( 1ok(k so1Uk s&1f( sokok of(1) 1;k&k kf(1) sk)k1 s&v:o sok&s n)o1o n)o1f sUn(k 1o1o( 1o1o1 1))o1 sov&1 n));k n))&f sk)kk s)&(k 1)Unk n))&1 sU((k 1)k1o 1);kk s;kvc 1);ko 1);kn 1)k1c s;kvk 1);kf 1Uks, s&o(k 1);k& s)&o( s&(1o s&f() 1,1), 1);k( sk)Un sk)Uk s&f(1 1)&1o 1Uksc nUnk( so((k 1o1kf s&1Bf 1))kk kvk(1 n&o1o f(1)& &f(1) 1))k1 so((( s))Un s))Uk n,(f( 1)Uk1 s),(1 s&knk 1))B1 s)kks 1Uk no(1) n)&f( s)ok( s))B1 sos 1&(1o s)Uk1 s));k so(1) 1&o(1 sok(1 nUk(k n&1of 1B1 sB1c n&1oo so(1o 1k1c sok(s sok(o sok(k so((s so1kf 1;kks s)))B sf(s) 1&o1o n)k1o s)))U sonk1 kf(1, 1o(kf 1,s), s)))k so1&1 s)))o s&nos s&1Uk s&o1o 1o(k1 so1Bf s;k[k sB1os of()o s;k[n s)))& s&(f( so1&s s&no1 so1&o s))); Possible that more token types will be added to help reduce false positives. Nick Galbreath @ngalbreath
The Library ‣ > 100k query strings can be checked per second ‣ C, logic is under 1000 LOC ‣ No memory allocation ‣ Fixed, stable memory usage (~500 on stack) ‣ No threads ‣ Could go even faster Nick Galbreath @ngalbreath
Sample Usage sfilter sf; // on stack, ~500 bytes const char* ucg = "my user input"; bool issqli = is_sqli(&sf, ucg, strlen(ucg)); // tada metadata on input is in struct sfilter; (names subject to change, cleanup) Nick Galbreath @ngalbreath
Test Cases ‣ All input test cases available ‣ Including false positives found along the way ‣ Code coverage reports Nick Galbreath @ngalbreath
Python Prototype ‣ Algorithm in python as well ‣ Not as up-to-date as the C version ‣ Working on it ‣ Runs under PyPy (and quite fast) Nick Galbreath @ngalbreath
Make Existing Systems Work Better ‣ The Tokenizer could be ripped out, to make a "SQL normalizer/simplifier" ‣ all white space normalized ‣ all comments removed ‣ all numbers in various flavors converted to "1" ‣ all strings converted to a fixed value "foo" ‣ Makes existing regular expressions work better and detect more. Nick Galbreath @ngalbreath
Great for Fuzzers ‣ The SQLi fingerprints are actually a great source of templates for fuzzers and SQLi generators ‣ Take fingerprint and turn it back into SQL Nick Galbreath @ngalbreath
Available Now http://www.client9.com/libinjection/ ‣ source code on github ‣ BSD License (only to track how this gets used) ‣ Due to high commercial demand, I'm switching to GPL. This is only to force discussions with third-parties on integration, etc. My goal is to get this used, so if this is barrier let me know! Nick Galbreath @ngalbreath
Help! ‣ More SQLi test cases! ‣ More real-world test cases ‣ Missing some PGSQL / Oracle string insanity ‣ Need better understanding of non-ASCII usage ‣ Porting to other languages (it's not that hard). Nick Galbreath @ngalbreath
More Analysis at DEFCON 20 New Techniques in SQLi Obfuscation SQL never before used in SQLi http://www.client9.com/20120727/ July 27, 2012 Friday, 4:20pm at the Rio Nick Galbreath @ngalbreath
Slides and Source Code: http://www.client9.com/libinjection/ Contact: Nick Galbreath @ngalbreath nickg@client9.com nickg@etsy.com and... join my mailing list for updates and early access to slides, code Thanks for coming by!
Photos courtesy Ken Lee @kennysan http://flic.kr/s/ aHsjBbEnz1 40

Recommended

libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
Stefano Di Paola
 
ウェブセキュリティのありがちな誤解を解説する
ウェブセキュリティのありがちな誤解を解説するウェブセキュリティのありがちな誤解を解説する
ウェブセキュリティのありがちな誤解を解説する
Hiroshi Tokumaru
 
Django REST Framework における API 実装プラクティス | PyCon JP 2018
Django REST Framework における API 実装プラクティス | PyCon JP 2018Django REST Framework における API 実装プラクティス | PyCon JP 2018
Django REST Framework における API 実装プラクティス | PyCon JP 2018
Masashi Shibata
 
いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方
Hiroshi Tokumaru
 
Let's verify the vulnerability-脆弱性を検証してみよう!-
Let's verify the vulnerability-脆弱性を検証してみよう!-Let's verify the vulnerability-脆弱性を検証してみよう!-
Let's verify the vulnerability-脆弱性を検証してみよう!-
zaki4649
 
Spring Day 2016 - Web API アクセス制御の最適解
Spring Day 2016 - Web API アクセス制御の最適解Spring Day 2016 - Web API アクセス制御の最適解
Spring Day 2016 - Web API アクセス制御の最適解
都元ダイスケ Miyamoto
 
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
JustSystems Corporation
 

Recommended

libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
Stefano Di Paola
 
ウェブセキュリティのありがちな誤解を解説する
ウェブセキュリティのありがちな誤解を解説するウェブセキュリティのありがちな誤解を解説する
ウェブセキュリティのありがちな誤解を解説する
Hiroshi Tokumaru
 
Django REST Framework における API 実装プラクティス | PyCon JP 2018
Django REST Framework における API 実装プラクティス | PyCon JP 2018Django REST Framework における API 実装プラクティス | PyCon JP 2018
Django REST Framework における API 実装プラクティス | PyCon JP 2018
Masashi Shibata
 
いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方
Hiroshi Tokumaru
 
Let's verify the vulnerability-脆弱性を検証してみよう!-
Let's verify the vulnerability-脆弱性を検証してみよう!-Let's verify the vulnerability-脆弱性を検証してみよう!-
Let's verify the vulnerability-脆弱性を検証してみよう!-
zaki4649
 
Spring Day 2016 - Web API アクセス制御の最適解
Spring Day 2016 - Web API アクセス制御の最適解Spring Day 2016 - Web API アクセス制御の最適解
Spring Day 2016 - Web API アクセス制御の最適解
都元ダイスケ Miyamoto
 
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
JustSystems Corporation
 
Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版
Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版
Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版
junichi anno
 
イルカさんチームからゾウさんチームに教えたいMySQLレプリケーション
イルカさんチームからゾウさんチームに教えたいMySQLレプリケーションイルカさんチームからゾウさんチームに教えたいMySQLレプリケーション
イルカさんチームからゾウさんチームに教えたいMySQLレプリケーション
yoku0825
 
SMTPのSTARTTLSにおけるTLSバージョンについて
SMTPのSTARTTLSにおけるTLSバージョンについてSMTPのSTARTTLSにおけるTLSバージョンについて
SMTPのSTARTTLSにおけるTLSバージョンについて
Sparx Systems Japan
 
Vocabulario Ingles,Frances ingenieria civil
Vocabulario Ingles,Frances ingenieria civilVocabulario Ingles,Frances ingenieria civil
Vocabulario Ingles,Frances ingenieria civil
INSTITUTO POLITECNICO NACIONAL
 
PHPの今とこれから2020
PHPの今とこれから2020PHPの今とこれから2020
PHPの今とこれから2020
Rui Hirokawa
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
今さら聞けないXSS
今さら聞けないXSS今さら聞けないXSS
今さら聞けないXSS
Sota Sugiura
 
単なるキャッシュじゃないよ!?infinispanの紹介
単なるキャッシュじゃないよ!?infinispanの紹介単なるキャッシュじゃないよ!?infinispanの紹介
単なるキャッシュじゃないよ!?infinispanの紹介
AdvancedTechNight
 
Windows Server 2019 で Container を使ってみる
Windows Server 2019 で Container を使ってみるWindows Server 2019 で Container を使ってみる
Windows Server 2019 で Container を使ってみる
Kazuki Takai
 
Google BigQueryのターゲットエンドポイントとしての利用
Google BigQueryのターゲットエンドポイントとしての利用Google BigQueryのターゲットエンドポイントとしての利用
Google BigQueryのターゲットエンドポイントとしての利用
QlikPresalesJapan
 
react-scriptsはwebpackで何をしているのか
react-scriptsはwebpackで何をしているのかreact-scriptsはwebpackで何をしているのか
react-scriptsはwebpackで何をしているのか
暁 三宅
 
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチSql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Masayuki Ozawa
 
とある診断員とSQLインジェクション
とある診断員とSQLインジェクションとある診断員とSQLインジェクション
とある診断員とSQLインジェクション
zaki4649
 
Azure API Management 俺的マニュアル
Azure API Management 俺的マニュアルAzure API Management 俺的マニュアル
Azure API Management 俺的マニュアル
貴志 上坂
 
ウェブセキュリティの常識
ウェブセキュリティの常識ウェブセキュリティの常識
ウェブセキュリティの常識
Hiroshi Tokumaru
 
とある診断員と色々厄介な脆弱性達
とある診断員と色々厄介な脆弱性達とある診断員と色々厄介な脆弱性達
とある診断員と色々厄介な脆弱性達
zaki4649
 
SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021
Hiroshi Tokumaru
 
イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820
GMOサイバーセキュリティ byイエラエ株式会社
 
What's new in Spring Boot 2.6 ?
What's new in Spring Boot 2.6 ?What's new in Spring Boot 2.6 ?
What's new in Spring Boot 2.6 ?
土岐 孝平
 
ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題
ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題
ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題
Hiroshi Tokumaru
 
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
Nick Galbreath
 
libinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスlibinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレス
CODE BLUE
 

More Related Content

What's hot

Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチSql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Masayuki Ozawa
 
とある診断員と色々厄介な脆弱性達
とある診断員と色々厄介な脆弱性達とある診断員と色々厄介な脆弱性達
とある診断員と色々厄介な脆弱性達
zaki4649
 
SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021
Hiroshi Tokumaru
 

What's hot (20)

Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版
Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版
Windows PowerShell によるWindows Server 管理の自動化 v4.0 2014.03.13 更新版
 
イルカさんチームからゾウさんチームに教えたいMySQLレプリケーション
イルカさんチームからゾウさんチームに教えたいMySQLレプリケーションイルカさんチームからゾウさんチームに教えたいMySQLレプリケーション
イルカさんチームからゾウさんチームに教えたいMySQLレプリケーション
 
SMTPのSTARTTLSにおけるTLSバージョンについて
SMTPのSTARTTLSにおけるTLSバージョンについてSMTPのSTARTTLSにおけるTLSバージョンについて
SMTPのSTARTTLSにおけるTLSバージョンについて
 
Vocabulario Ingles,Frances ingenieria civil
Vocabulario Ingles,Frances ingenieria civilVocabulario Ingles,Frances ingenieria civil
Vocabulario Ingles,Frances ingenieria civil
 
PHPの今とこれから2020
PHPの今とこれから2020PHPの今とこれから2020
PHPの今とこれから2020
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
今さら聞けないXSS
今さら聞けないXSS今さら聞けないXSS
今さら聞けないXSS
 
単なるキャッシュじゃないよ!?infinispanの紹介
単なるキャッシュじゃないよ!?infinispanの紹介単なるキャッシュじゃないよ!?infinispanの紹介
単なるキャッシュじゃないよ!?infinispanの紹介
 
Windows Server 2019 で Container を使ってみる
Windows Server 2019 で Container を使ってみるWindows Server 2019 で Container を使ってみる
Windows Server 2019 で Container を使ってみる
 
Google BigQueryのターゲットエンドポイントとしての利用
Google BigQueryのターゲットエンドポイントとしての利用Google BigQueryのターゲットエンドポイントとしての利用
Google BigQueryのターゲットエンドポイントとしての利用
 
react-scriptsはwebpackで何をしているのか
react-scriptsはwebpackで何をしているのかreact-scriptsはwebpackで何をしているのか
react-scriptsはwebpackで何をしているのか
 
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチSql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
Sql server エンジニアに知ってもらいたい!! sql server チューニングアプローチ
 
とある診断員とSQLインジェクション
とある診断員とSQLインジェクションとある診断員とSQLインジェクション
とある診断員とSQLインジェクション
 
Azure API Management 俺的マニュアル
Azure API Management 俺的マニュアルAzure API Management 俺的マニュアル
Azure API Management 俺的マニュアル
 
ウェブセキュリティの常識
ウェブセキュリティの常識ウェブセキュリティの常識
ウェブセキュリティの常識
 
とある診断員と色々厄介な脆弱性達
とある診断員と色々厄介な脆弱性達とある診断員と色々厄介な脆弱性達
とある診断員と色々厄介な脆弱性達
 
SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021SPAセキュリティ入門~PHP Conference Japan 2021
SPAセキュリティ入門~PHP Conference Japan 2021
 
イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820
 
What's new in Spring Boot 2.6 ?
What's new in Spring Boot 2.6 ?What's new in Spring Boot 2.6 ?
What's new in Spring Boot 2.6 ?
 
ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題
ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題
ウェブ・セキュリティ基礎試験(徳丸基礎試験)の模擬試験問題
 

Viewers also liked

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
Nick Galbreath
 
libinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスlibinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレス
CODE BLUE
 
Program understanding: What programmers really want
Program understanding: What programmers really wantProgram understanding: What programmers really want
Program understanding: What programmers really want
Einar Høst
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat Detection
AlienVault
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat Intelligence
AlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
AlienVault
 

Viewers also liked (11)

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
 
libinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレスlibinjection : SQLi から XSS へ by ニック・ガルブレス
libinjection : SQLi から XSS へ by ニック・ガルブレス
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
Program understanding: What programmers really want
Program understanding: What programmers really wantProgram understanding: What programmers really want
Program understanding: What programmers really want
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYC
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat Detection
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat Intelligence
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHP
 

Similar to libinjection: a C library for SQLi detection, from Black Hat USA 2012

MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012
jackdanger
 

Similar to libinjection: a C library for SQLi detection, from Black Hat USA 2012 (20)

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
groovy & grails - lecture 6
groovy & grails - lecture 6groovy & grails - lecture 6
groovy & grails - lecture 6
 
A Re-Introduction to JavaScript
A Re-Introduction to JavaScriptA Re-Introduction to JavaScript
A Re-Introduction to JavaScript
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client Development
 
Errors detected in the Visual C++ 2012 libraries
Errors detected in the Visual C++ 2012 librariesErrors detected in the Visual C++ 2012 libraries
Errors detected in the Visual C++ 2012 libraries
 
Grails @ Java User Group Silicon Valley
Grails @ Java User Group Silicon ValleyGrails @ Java User Group Silicon Valley
Grails @ Java User Group Silicon Valley
 
An Experiment with Checking the glibc Library
An Experiment with Checking the glibc LibraryAn Experiment with Checking the glibc Library
An Experiment with Checking the glibc Library
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
 
Bringing choas to order in your node.js app
Bringing choas to order in your node.js appBringing choas to order in your node.js app
Bringing choas to order in your node.js app
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error density
 
What is the cost of a secret
What is the cost of a secretWhat is the cost of a secret
What is the cost of a secret
 
MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012MonoRails - GoGaRuCo 2012
MonoRails - GoGaRuCo 2012
 
ruby on rails pitfalls
ruby on rails pitfallsruby on rails pitfalls
ruby on rails pitfalls
 
Como NÃO testar o seu projeto de Software. DevDay 2014
Como NÃO testar o seu projeto de Software. DevDay 2014Como NÃO testar o seu projeto de Software. DevDay 2014
Como NÃO testar o seu projeto de Software. DevDay 2014
 
Progressive Enhancement with JavaScript and Ajax
Progressive Enhancement with JavaScript and AjaxProgressive Enhancement with JavaScript and Ajax
Progressive Enhancement with JavaScript and Ajax
 
Away day
Away dayAway day
Away day
 
Beyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic AnalysisBeyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic Analysis
 

More from Nick Galbreath

Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013
Nick Galbreath
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Nick Galbreath
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
Nick Galbreath
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
Nick Galbreath
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
Nick Galbreath
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Nick Galbreath
 

More from Nick Galbreath (12)

Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading List
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on white
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

libinjection: a C library for SQLi detection, from Black Hat USA 2012

  • 1. libinjection a C library for SQLi detection and generation through lexical analysis of real world attacks Nick Galbreath @ngalbreath nickg@client9.com Wednesday July 25, 2012 2:45PM Augustus I+II, Caesar's Palace, Las Vegas
  • 2. The latest version of this presentation: http:// www.client9.com/ 20120725/ 2
  • 3. whoami ‣ Director of Engineering @ Etsy ‣ Enterprise, Fraud, Security, Email, Fun ‣ Know a little bit about c, e.g. stringencoders: ‣ C library for string processing ‣ used by every ad server in the world ‣ used in Chrome browser ‣ http://code.google.com/p/stringencoders Nick Galbreath @ngalbreath
  • 4. The Next 14 Minutes ‣ Why is detecting SQLi hard ‣ The algorithm behind libinjection ‣ The results ‣ Next Steps Nick Galbreath @ngalbreath
  • 5. Detecting SQLi from User Input is a Hard Problem
  • 6. It's Easy to Get Started with Regular Expressions! s/UNIONs+(ALL)?/i ‣ At least two open source WAF use regular expressions. ‣ Failure cases in closed-source WAFs also indicate regexp. Nick Galbreath @ngalbreath
  • 7. SQL IS HUGE ‣ Turing Complete! (sorta) ‣ 1992 SQL Spec: bit.ly/10fmhZ ‣ 625 pages of plain text ‣ 2003 SQL Spec: bit.ly/OB5vfW ‣ 128 pages of pure BNF ‣ No one implements exactly ‣ Everyone has extensions, exceptions, bugs Nick Galbreath @ngalbreath
  • 8. It's more complicated than you think. ‣ Recursive commenting rules ‣ A single number can't be done in a single regexp. ‣ Really Loosely Typed ‣ String rules - OMFG. You think you know but you have no idea. ‣ Come see my talk at DEFCON this Friday at... 4:20 pm Nick Galbreath @ngalbreath
  • 9. RegExp Soup (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+() (?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~]) (?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-] s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW) (?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=&&)w+()|(?:"[sd]*[^ws]+W*d W*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws] +"[^,]) (?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|] [ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+") (?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[s w]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*() (?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=| or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*") (?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename| truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*() (?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?: (?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()]) (?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W! +"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(]) (?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+) (?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*[[(]?w{2,}) (?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto) (?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@) (?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{)) (?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";? s*(?:select|union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+ (?:dump|out)files*") (?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*() (?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*(s*spaces*() (?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)]) (?:(sleep((s*)(d*)(s*))|benchmark((.*),(.*)))) (?:(union(.*)select(.*)from)) (?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) Nick Galbreath @ngalbreath
  • 10. Guns and Butter ‣ In 2005, right here at Black Hat, Hanson and Patterson presented: Guns and Butter: Towards Formal Axioms of Validation (http://bit.ly/OBe7mJ) ‣ …formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct. ‣ (summary from libdejector documentation) Nick Galbreath @ngalbreath
  • 11. Existing WAFs ‣ Visual inspection shows bugs ‣ Don't see very much in testing ‣ Don't see much or any false positive testing ‣ Closed source WAF have zero accountability (e.g. there is no formal disclosure of what they detect or not, and how they do it) Nick Galbreath @ngalbreath
  • 12. CAN WE DO BETTER? Nick Galbreath @ngalbreath
  • 14. Key Insight ‣ A SQLi attack must be parsed as SQL with the original query. ‣ "Is it a SQLi attack?" becomes "Could it be a SQL snippet?" ‣ "does this input start as a sql snippet" Nick Galbreath @ngalbreath
  • 15. Only 3 Contexts User input is only "injected" into SQL in three ways: ‣ As-Is ‣ Inside a single quoted string ‣ Inside a double quoted string (I suppose another would be inside a comment, but we can't do everything) Nick Galbreath @ngalbreath
  • 16. Identification of SQL snippets without context is hard ‣ 1-917-660-3400 my phone number or an arithmetic expression? ‣ @ngalbreath my twitter account or a SQL variable? Nick Galbreath @ngalbreath
  • 17. Existing SQL Parsers ‣ Only parse their flavor of SQL ‣ Not well designed to handle snippets ‣ Hard to extend ‣ Worried about correctness ... so I wrote my own! Nick Galbreath @ngalbreath
  • 18. Tokenization ‣ Converts input into a stream of tokens ‣ Uses "master list" of keywords and functions across all databases. ‣ Handles comments, string, literals, weirdos. Nick Galbreath @ngalbreath
  • 19. 5000224' UNION USER_ID>0-- [ ('...500224', string), ('UNION', union operator), ('USER_ID', name), ('>', operator), ('0', number), ('--.....', comment) ] Nick Galbreath @ngalbreath
  • 20. Meet the Tokens ‣ none/name ‣ group-like operation ‣ variable ‣ union-like operator ‣ string ‣ logical operator ‣ regular operator ‣ function ‣ unknown ‣ comma ‣ number ‣ semi-colon ‣ comment ‣ left parens ‣ keyword ‣ right parens Nick Galbreath @ngalbreath
  • 21. Merging, Specialization, Disambiguation ‣ "IS", "NOT" ==> "IS NOT" (single op) ‣ "NATURAL", "JOIN" => "NATURAL JOIN" ‣ ("+", operator) -> ("+", "unary operator") ‣ (COS, function), (1, number) ==> (COS, name), (1, number) functions are followed with a parenthesis. Nick Galbreath @ngalbreath
  • 22. Folding ‣ This step actually isn't needed to detect, but is needed to reduce false positives. ‣ Converts simple arithmetic expressions into a single value (don't try to evaluate them). ‣ 1-917-660-3400 -> "1" Nick Galbreath @ngalbreath
  • 23. Knows nothing about SQLi ‣ So far this is purely a parsing problem. ‣ Knows nothing about SQLi (which is evolving) ‣ Can be 100% tested against any SQL input (not SQLi) for correctness. Nick Galbreath @ngalbreath
  • 24. Fingerprints ‣ The token types of a user input form a hash or a fingerprint. ‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ ‣ becomes "sUk1,1,1,1,1,1,1,1,&" ‣ Now let's generate fingerprints from Real World Data. ‣ Can we distinguish between SQLi and benign input? Nick Galbreath @ngalbreath
  • 25. Training on SQLi ‣ Parse known SQLi attacks from ‣ SQLi vulnerability scanners ‣ Published reports ‣ SQLI How-Tos ‣ > 32,000 total Nick Galbreath @ngalbreath
  • 26. Training on real Input ‣ 100s of Millions of user inputs from Etsy's log were also parsed. ‣ Large enough to get a good sample (Top 50 USA site) ‣ Old enough to have lots of odd ways of query string formatting. ‣ Full text search with an diverse subject domain Nick Galbreath @ngalbreath
  • 27. How many tokens are needed to determine if a user input is SQLi or not?
  • 28. 5 No matter long the input is.
  • 29. 480 out of 1,048,576 are SQLi n,(k( 1))Un n)ok( s)Unk 1)o1B n,(k1 s&n&s k(vv) sosos 1oks, sk)&1 1)o1f 1)o1k n);k& 1&1Bf 1)o1o s&os n,(kf s;k; n&1o1 1o(f( f(k,( 1ok1 1oksc so1f( sk)&f soso( 1),(1 s))&( s))&1 &f()o nok(1 k1,1k 1&f(n soko1 1Unk1 1ok(1 n))kk 1Unk( soko( 1)o(1 s)ok1 sov&s n;kn( nok(k s))&f sovso 1)ok1 s))&o 1)ok( s&sos n&k(1 s&vso so1c sUk(k k1,1, 1)o(n 1)o(k 1Bf(1 1kf(1 s&ko1 s&k(o 1)k1 sk);k 1&f(1 1Unkf s)k1 sos&( 1&(k1 1))on s&kc nUk(o 1;ko( 1)B1 sokc n)o1& no1oo 1&(kn s&1oo so1o1 s)o1f 1&(kf s)o1k s)o1o f(1)o n&1o( s)o1B 1okv, sk)&( 1;kok sok1 f(k() 1Ukv, s&1of 1&1oo n&1f( 1))); 1)))& 1&1of sovo1 s&1ov s)&1o sono1 1o((f 1)))) 1o(s) s)&1f 1&1ov 1Uk1k n))ok k()ok nkksc 1Uk1c n))of s&(k1 s)&1B n;kks n)o(k kf(n, f(f(1 sovov s&1o( sovos s&1o1 vok1, sovok sUk1 1o((( 1)))k 1&1o1 f(f() 1)))o n))o( 1)))U k1k(k 1Uk1, 1&1f( so(s) 1)))B f(n() n))o1 s)&(1 1)of( 1,(k1 sk)B1 f(1,f 1,(k( 1Bk(1 1onos 1o1f( 1,f(1 1B1c s&okc s;ko( sk1os s&oko 1ono1 1,(kf sB1 1));k s;kf( n)kks s;kok sk1o1 s;k(( 1o((1 1o1Bf so(f( n;kf( s&k(1 1&1o( nof(1 s);kk sk1c 1))o( s);ko s);kn sok1, s;k(1 1)kks s);kf so(os so1ov s;k1, 1))Uk soknk s))k1 1)B1o 1)B1c n);k( n;kok s;k(o s);k( sok1o sok1c sf(n, s);k& sB1&s s;k1o sUno1 s))kk n);kf 1&so1 sokn, n;ko( n);kk n);kn n);ko s&1on sof(k n;k&k k1o(s sonos sk1&1 sof(f 1oso1 1;knc sUknk f()of n&(1) s&ko( sof() ok1o1 n,f(1 1o(1) s;kkn s;kks 1o(kn sof(1 sUkn, s)k1c 1;kn( s)k1o s;k&k skks s;n:k no(o1 s))o( k(ok( so(ks so(kk so(kn so(ko s))o1 n)&(k o1kf( s))ok ;kknc skksc so(k1 n;k(( s&o(1 s))of so(k) n;k(1 n&(o1 s&kok sov:o s)of( sU(kk sU(kn f(v,1 sk)of 1)&f( sk)ok no1f( sU(ks oUk1, 1ok1c s&(1) s&kos 1ok1k sUnk1 1)ono 1of(1 so1o( s;knn s;knk 1of() vUk1, no1of 1&no1 sk)o1 s)B1 1)&o( sUk1& s&(k) 1o1)o f()&f sk)o( n&f(1 so1of 1)on& 1)B1& so1oo no1o1 so1ok 1ok1, 1of(n no1o( so1os s;kn( 1of(f sUnkf 1o(n) s&1os no(k1 n)))o n)))k 1kk(1 1;k(o 1)()s s&k1o s)B1& n)&1f n))&( sUk1, n)&1o no1&1 n))); sf(1) 1;k(1 n)))& sokf( 1;k(( ook1, n)of( sUk1c s)B1c n&(k1 sUk1o s)B1o 1Ukf( okkkn s&vos s)o(k 1)&1f 1Uk1 1))&o 1))&f 1)&1B 1)&(k s,1), f(1o1 s)&f( s)o(1 sUkf( s&k&s 1okf( 1)&(1 1))&1 1;kf( 1))&( sokos 1))ok 1o1of 1o(1o 1kksc 1o1oo 1Uk(k 1))of 1o1ov Ukkkn 1,(f( 1ok(k so1Uk s&1f( sokok of(1) 1;k&k kf(1) sk)k1 s&v:o sok&s n)o1o n)o1f sUn(k 1o1o( 1o1o1 1))o1 sov&1 n));k n))&f sk)kk s)&(k 1)Unk n))&1 sU((k 1)k1o 1);kk s;kvc 1);ko 1);kn 1)k1c s;kvk 1);kf 1Uks, s&o(k 1);k& s)&o( s&(1o s&f() 1,1), 1);k( sk)Un sk)Uk s&f(1 1)&1o 1Uksc nUnk( so((k 1o1kf s&1Bf 1))kk kvk(1 n&o1o f(1)& &f(1) 1))k1 so((( s))Un s))Uk n,(f( 1)Uk1 s),(1 s&knk 1))B1 s)kks 1Uk no(1) n)&f( s)ok( s))B1 sos 1&(1o s)Uk1 s));k so(1) 1&o(1 sok(1 nUk(k n&1of 1B1 sB1c n&1oo so(1o 1k1c sok(s sok(o sok(k so((s so1kf 1;kks s)))B sf(s) 1&o1o n)k1o s)))U sonk1 kf(1, 1o(kf 1,s), s)))k so1&1 s)))o s&nos s&1Uk s&o1o 1o(k1 so1Bf s;k[k sB1os of()o s;k[n s)))& s&(f( so1&s s&no1 so1&o s))); Possible that more token types will be added to help reduce false positives. Nick Galbreath @ngalbreath
  • 30. The Library ‣ > 100k query strings can be checked per second ‣ C, logic is under 1000 LOC ‣ No memory allocation ‣ Fixed, stable memory usage (~500 on stack) ‣ No threads ‣ Could go even faster Nick Galbreath @ngalbreath
  • 31. Sample Usage sfilter sf; // on stack, ~500 bytes const char* ucg = "my user input"; bool issqli = is_sqli(&sf, ucg, strlen(ucg)); // tada metadata on input is in struct sfilter; (names subject to change, cleanup) Nick Galbreath @ngalbreath
  • 32. Test Cases ‣ All input test cases available ‣ Including false positives found along the way ‣ Code coverage reports Nick Galbreath @ngalbreath
  • 33. Python Prototype ‣ Algorithm in python as well ‣ Not as up-to-date as the C version ‣ Working on it ‣ Runs under PyPy (and quite fast) Nick Galbreath @ngalbreath
  • 34. Make Existing Systems Work Better ‣ The Tokenizer could be ripped out, to make a "SQL normalizer/simplifier" ‣ all white space normalized ‣ all comments removed ‣ all numbers in various flavors converted to "1" ‣ all strings converted to a fixed value "foo" ‣ Makes existing regular expressions work better and detect more. Nick Galbreath @ngalbreath
  • 35. Great for Fuzzers ‣ The SQLi fingerprints are actually a great source of templates for fuzzers and SQLi generators ‣ Take fingerprint and turn it back into SQL Nick Galbreath @ngalbreath
  • 36. Available Now http://www.client9.com/libinjection/ ‣ source code on github ‣ BSD License (only to track how this gets used) ‣ Due to high commercial demand, I'm switching to GPL. This is only to force discussions with third-parties on integration, etc. My goal is to get this used, so if this is barrier let me know! Nick Galbreath @ngalbreath
  • 37. Help! ‣ More SQLi test cases! ‣ More real-world test cases ‣ Missing some PGSQL / Oracle string insanity ‣ Need better understanding of non-ASCII usage ‣ Porting to other languages (it's not that hard). Nick Galbreath @ngalbreath
  • 38. More Analysis at DEFCON 20 New Techniques in SQLi Obfuscation SQL never before used in SQLi http://www.client9.com/20120727/ July 27, 2012 Friday, 4:20pm at the Rio Nick Galbreath @ngalbreath
  • 39. Slides and Source Code: http://www.client9.com/libinjection/ Contact: Nick Galbreath @ngalbreath nickg@client9.com nickg@etsy.com and... join my mailing list for updates and early access to slides, code Thanks for coming by!
  • 40. Photos courtesy Ken Lee @kennysan http://flic.kr/s/ aHsjBbEnz1 40

Editor's Notes

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n
  23. \n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n