SlideShare ist ein Scribd-Unternehmen logo

Software Security - Vulnerability&Attack

Emanuela Boroș
Emanuela Boroș
Technologie
1 von 15
Downloaden Sie, um offline zu lesen
Software Security Vulnerability Analysis Emanuela Boroș Emanuela Boroș “Al. I. Cuza” University, Faculty of Computer Science Master of Software Engineering, II Page 1 /15
Software Security Vulnerability Analysis Emanuela Boroș Table of Contents 1. Overview..........................................................................................................................................3 2. Web application vulnerabilities........................................................................................................3 a) Input Validation...........................................................................................................................7 3. SQL Injection...................................................................................................................................7 a) State-of-the-art.............................................................................................................................7 b) SQL Injection Example...............................................................................................................9 c) Protecting against SQL Injection...............................................................................................10 d) Java specific Protecting against SQL Injection..........................................................................11 6. SQL Injection Scanners..................................................................................................................13 a) Pangolin.....................................................................................................................................13 1. Database Support..............................................................................................................13 2. Sample use of Pangolin....................................................................................................13 b) GreenSQL.................................................................................................................................15 c) Add-ons for Firefox...................................................................................................................15 1. SQL Inject Me..................................................................................................................15 7. Bibliography...................................................................................................................................15 Page 2 /15
Software Security Vulnerability Analysis Emanuela Boroș 1. Overview Every day, increasingly, organizations face security risks imposed upon them by attackers intent on achieving fame, glory, or profit. Attackers, familiar with common vulnerabilities inherent in many of today's websites, know how to exploit those vulnerabilities with attacks designed specifically to take advantage of them. 1 A vulnerability is a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. 2 In order to create an application that has a decreasing number of vulnerabilities it is needed a solid foundation for designing, building, and configuring secure web applications. Number 1 in the Top 10 most critical web application security vulnerabilities 3 identified by the Open Web Application Security Project (OWASP)4 is Injection Flaws. Injection happens whenever an attacker's data is able to modify a query or command sent to a database, LDAP server, operating system. Types of injections are SQL, LDAP, XPath, XSLT, HTML, XML, OS command. SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered against web applications5 (SANS Top Cyber Security Risks6). It's hard to believe, but SQL injection has been around for 13 years. SQL injection is as prevalent as ever as highlighted in The 2011 Mid-Year Top Cyber Security Risks Report7. In 1998 – 1999, Internet security was all about firewalls and SSL. Most people tend to think of security as a network problem. The truth: security is often a software problem. 2. Web application vulnerabilities Hackers today have an ever increasing list of weaknesses in the web application structure at their disposal, which they can exploit to accomplish a wide variety of malicious tasks. New flaws in web application security measures are constantly being researched, both by hackers and by security professionals. Most of these flaws affect all dynamic web applications whilst others are dependent on specific application technologies. In both cases, one may observe how the evolution and refinement of web technologies also brings about new exploits which compromise sensitive databases, provide access to theoretically secure networks, and pose a threat to the daily operation of online businesses. Based on data pulled from The Open Source Vulnerability Database (OSVDB) 8, the total number of new vulnerabilities reported for the first half of 2011 is about 25% lower than the number of new vulnerabilities reported at mid-year 2010 and previous years. As of June 30, 2011, OSVDB cataloged 3,087 reported vulnerabilities in Internet-based 1 The 2011 Mid-Year Top Cyber Security Risks Report http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3- 7045ENW.pdf 2 https://www.owasp.org/index.php/Category:Vulnerability 3 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 4 https://www.owasp.org/index.php/Main_Page 5 http://weblogs.java.net/blog/caroljmcdonald/archive/2009/10/02/top-10-web-security-vulnerabilities-num- ber-2-injection-flaws 6 http://www.sans.org/top-cyber-security-risks/ 7 http://www.acunetix.com/blog/web-security-zone/articles/sql-injection-prevalent-hack/ 8 The Open Source Vulnerability Database, http://osvdb.org/ Page 3 /15
Software Security Vulnerability Analysis Emanuela Boroș systems, applications, and other computing tools, as compared to 4,091 cataloged in the corresponding period in 2010. After peaking in 2006, vulnerability reporting has been in a slow decline. The reasons for this decline are varied, but several likely reasons stand out. Software makers and system developers have increased their security awareness and have taken steps to reduce vulnerabilities prior to releasing their products. The second reason is a reduction in the disclosures of discovered vulnerabilities, motivated by a desire to instead sell the vulnerability for profit. Another is that some organizations would rather announce details regarding vulnerabilities only after they've been fixed. Despite the overall decline in new vulnerabilities being discovered and reported, it is important to note that the ratio of vulnerabilities discovered in web applications still makes up 31% of all vulnerabilities disclosed. It is worth noting that roughly half of all vulnerability disclosures since 2006 have involved Web applications, so the downward trend for the first half of 2011 is yet another proof point for the overall drop in vulnerability disclosure thus far. The reason for the high number of web application vulnerabilities is a matter of opportunity and profit. First, the number of web applications in circulation grows steadily every day. A web application in its simplest form ties together an operating system, a web server, a database, and some top-level application that customers use to interact with the back-end systems. Many organizations have adopted this model for interacting with customers through retail sites, online banking or finance applications, or even appointment scheduling. In addition, many organizations have confidential or sensitive data stored in the databases connected to these applications, offering an almost limitless field of opportunity for attackers, who view it all as a very lucrative proposition. First of all, there has to be defined a set of application vulnerability categories in order to know what type of attacks can appear. There are common categories that span multiple technologies and components in a layered architecture. These categories are the focus for designing are building secure web applications. 9 9 Improving Web Application Security, Threats and Countermeasures, patterns & practices, Microsoft Corpor- ation, 2003 Page 4 /15
Software Security Vulnerability Analysis Emanuela Boroș Category Description Threats Input validation refers to how your Buffer overflow; cross- application filters, scrubs, or rejects site scripting; SQL Input Validation input before additional processing. injection Authentication is the process that an Network eavesdropping; entity uses to identify another entity, brute force attacks; Authentication typically through credentials such as dictionary attacks; cookie a user name and password. replay; credential theft Authorization is the process that an Elevation of privilege; application uses to control access to disclosure of confidential Authorization resources and operations. data; data tampering; luring attacks Unauthorized access to administration interfaces Configuration Configuration management refers to and to configuration how your application handles Management stores; overprivileged operational issues. process and service accounts Sensitive data is information that Access sensitive data in must be protected either in memory, storage; network Sensitive Data over the wire, or in persistent stores. eavesdropping; data Your application must have a tampering process for handling sensitive data. A session refers to a series of related Session hijacking; session interactions between a user and your replay; man in the middle Session Web application. Session Management management refers to how your application handles and protects these interactions. Cryptography refers to how your Poor key generation or application enforces confidentiality key management; weak Cryptography and integrity. or custom encryption Form fields, query string arguments, Query string and cookie values are frequently manipulation; form field Parameter used as parameters for your manipulation; cookie Manipulation application. Parameter manipulation manipulation; HTTP refers to both how your application header manipulation safeguards tampering of these values and how your application processes input parameters. Exception When a method call in your Information disclosure; application fails, what does your denial of service Management application do? How much does it reveal about the failure condition? Auditing and Auditing and logging refer to how User denies performing your application records security- an operation; attacker Logging related events. exploits an application without trace; attacker covers his or her tracks Page 5 /15
Software Security Vulnerability Analysis Emanuela Boroș Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools. When vulnerabilities are broken down by category, some interesting trends begin to emerge. Cross-Site Scripting (XSS) and SQL Injection (SQLi) still comprise the most significant amount of new Web application vulnerability disclosures 10. XSS is commonly used for spam, phishing, and Web browser exploits. Buffer Overflow and Denial of Service (DoS) vulnerabilities round out the top four. It is interesting to note that the breakdown of popular vulnerabilities by category remains fairly consistent over the past three years, likely because XSS vulnerabilities are relatively easy to find and are very useful to attackers. Spammers and phishers are always looking for ways to make their trade more profitable, and XSS continues to be a useful vulnerability for these purposes. a) Input Validation Input validation is a security issue if an attacker discovers that your application makes unfounded assumptions about the type, length, format, or range of input data. The attacker can then supply carefully crafted input that compromises your application. When network and host level entry points are fully secured; the public interfaces exposed by your application become the only source of attack. The input to your application is a means to both test your system and a way to execute code on an attacker’s behalf. Does your application blindly trust input? If it does, your application may be susceptible to the following11: SQL injection Buffer overflows Cross-site scripting 10 The 2011 Mid-Year Top Cyber Security Risks Report http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3- 7045ENW.pdf, pg.6 11 Improving Web Application Security, Threats and Countermeasures, patterns & practices, Microsoft Corpor- ation, 200, Chapter 2: Threats and Countermeasures, pg. 25-26 Page 6 /15
Software Security Vulnerability Analysis Emanuela Boroș 3. SQL Injection Web applications are affected by multiple types of attacks, and SQLi and XSS are just two that have received a significant amount of media attention over the last few months. SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable. An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine. a) State-of-the-art SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database. Structured Query Language (SQL) is a specialized programming language for sending queries to databases. The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements. If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user specified by the application executing the statement. This capability allows attackers to gain control of all database resources accessible by that user, up to and including the ability to execute commands on the hosting system. This is how SQLi attacks have evolved over the years: 1998 – Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (Volume 9, Issue 54) 2000 – SQL Injection FAQ – Chip Andrews – uses the first public usage of term “SQL Injection” in a paper 2003 – The idea of blind SQL Injection is disclosed/discussed 2006 – Web application vulnerability disclosure skyrockets in part due to SQL Injection 2008 – SQL Injection vulnerability disclosure peaks Page 7 /15
Software Security Vulnerability Analysis Emanuela Boroș 2008 – The Asprox botnet leverages SQL Injection for mass drive by SQLi attacks to grow botnet (http://en.wikipedia.org/wiki/Asprox). From at least April through August, a sweep of attacks began exploiting the SQL Injection vulnerabilities of Microsoft's IIS Web server and SQL Server database server. The attack does not require guessing the name of a table or column, and it corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor's system. The number of exploited Web pages is estimated at 500,000. On August 17, 2009, the U.S. Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using a SQL Injection attack. In reportedly “the biggest case of identity theft in American history,” the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers. On February 5, 2011, HBGary, a technology security firm, was broken into by Anonymous using a SQL Injection in their CMS-driven website. On April 11, 2011, Barracuda Networks was compromised using a SQL Injection flaw. Email addresses and usernames of employees were among the information obtained. On June 1, 2011, “hacktivists” of the group LulzSec were accused of using SQLi to steal coupons and to download keys and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users. In June 2011, Group Anonymous claims to have hacked the NATO site, using a “simple SQL Injection”. With SQLi attacks, it is readily apparent that attackers are content leveraging existing vulnerabilities for their exploits. b) SQL Injection Example 1. use of string concatenation to build query: SQL Injection can happen with dynamic database queries concatenated with user supplied input, for example with the following query: "SELECT * FROM tableName WHERE name =" + parameter;" 2. if the user supplies "name' OR 'a'='a' " as the parameter it results in the following: "SELECT * FROM tableName WHERE name ='name' OR 'a'='a';" 3. the OR 'a'='a' causes the where clause to always be true which is the equivalent of the following: "SELECT * FROM tableName;" Page 8 /15
Software Security Vulnerability Analysis Emanuela Boroș 4. if the user supplies "name' OR 'a'='a' ; DELETE FROM tableName" as the parameter it results in the following: "SELECT * FROM tableName WHERE name ='name' OR 'a'='a'; DELETE FROM tableName;" 5. the OR 'a'='a' causes the WHERE clause to always be true which is the equivalent of the following: "SELECT * FROM tableName; DELETE FROM tableName;" 6. some database servers, allow multiple SQL statements separated by semicolons to be executed at once. c) Protecting against SQL Injection SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is, therefore, to separate the logic of a query from its data; this will prevent commands inserted from user input from being executed. The downside of this approach is that it can have an impact on performance and that each query on the site must be structured in this method for it to be completely effective. If one query is inadvertently bypassed, that could be enough to leave the application vulnerable to SQL Injection. These are some tips in order to protect your system from SQL injection: Don't concatenate user input data to a query or command Use Query Parameter binding with typed parameters, this ensures the input data can only be interpreted as the value for the intended parameter so the attacker can not change the intent of a query Validate all input data to the application using white list (what is allowed) for type, format, length, range, reject if invalid Don't provide too much information in error messages (like SQL Exception Information, table names) to the user. Page 9 /15
Software Security Vulnerability Analysis Emanuela Boroș The following code shows a sample SQL statement that is SQL injectable. sqlStatement = "SELECT * FROM tableName"; sqlStatement = sqlStatement + "WHERE id =" + id; oCmd.CommandText = sqlStatement; The following example utilizes parameterized queries and is safe from SQL Injection attacks. sqlStatement = "SELECT * FROM tableName"; sqlStatement = sqlStatement + "WHERE id = id; oCmd.CommandText = sqlStatement; oCmd.Parameters.Add("id", id); The application will send the SQL statement to the server without including the user's input. Instead, a parameter – id – is used as a placeholder for that input. In this way, user input never becomes part of the command that SQL executes. Any input that an attacker inserts will be effectively negated. An error would still be generated, but it would be a simple data-type conversion error, and not something that a hacker could exploit. d) Java specific Protecting against SQL Injection 4. Don't concatenate user input data to a query or command: Don't do this with JDBC: String id = req.getParameter("id"); String query = "SELECT * FROM tableName WHERE id = '" + id +"'"; Don't do this with JPA: query = entityManager.createQuery("SELECT * FROM tableName t WHERE " + "t.id = '" + id + "'"); Page 10 /15
Software Security Vulnerability Analysis Emanuela Boroș 5. Use Query Parameter binding with typed parameters With JDBC you should use a PreparedStatement and set values by calling one of the setXXX methods on the PreparedStatement object String sql = "SELECT * FROM tableName WHERE id = ? "; PreparedStatement pStmt = con.prepareStatement(sql); pStmt.setString(1, id); This sets the first question mark placeholder to the value of the input parameter id in the SQL command. Any dangerous characters – such as semicolons, quotes, etc.. should be automatically escaped by the JDBC driver. With JPA or Hibernate you should use Named Parameters. Named parameters are parameters in a query that are prefixed with a colon (:). Named parameters in a query are bound to an argument by the javax.persistence.Query.setParameter(String name, Object value) method. For example: query = entityManager.createQuery( "SELECT e FROM tableName t WHERE " + "t.id = ':id'"); q.setParameter("id", id); This sets the id to the id in the SQL command, again any dangerous characters should be automatically escaped by the JDBC driver. With JPA 2.0 or Hibernate you can use the Criteria API. The JPA 2.0 criteria API providies a typesafe object-based Query API based on a metamodel of the Entity classes, rather than a string-based Query API. This allows you to develop queries that a Java compiler can verify for correctness at compile time. Below is an example using the Criteria API for the same query as before : QueryBuilder qb = em.getQueryBuilder(); CriteriaQuery<Employee> q = qb.createQuery(TableName.class); Root<TableName> t = q.from(TableName .class); ParameterExpression<String> id = cb.parameter(String.class); TypedQuery<TableName> query = em.createQuery( q.select(t).where(cb.equal(t.get(TableName_.id), id) ); query.setParameter(“id”, id); 6. SQL Injection Scanners a) Pangolin Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more. Page 11 /15
Software Security Vulnerability Analysis Emanuela Boroș 1. Database Support Access: (Database Path; Root Path; Drivers); Data MSSql: Data; FileReader; RegReader; FileWriter; Cmd; DirTree MySql: Data; FileReader; FileWriter Oracle: Version; IP; Database; Accounts, Data DB2: Data Sybase: Data PostgreSQL: Data; FileReader Sqlite: Data At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Sybase, PostgreSQL, as well as Sqlite which isn't so common. 2. Sample use of Pangolin Run Pangolin then type or paste the URL that you suspect is susceptible to SQL injection. Page 12 /15
Software Security Vulnerability Analysis Emanuela Boroș Page 13 /15
Software Security Vulnerability Analysis Emanuela Boroș b) GreenSQL GreenSQL is a Database Security solution. GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. It works as a proxy and has built in support for MySQL and PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). Sample page protected by GreenSql at http://www.greensql.net/sql-injection-test Page 14 /15
Software Security Vulnerability Analysis Emanuela Boroș c) Add-ons for Firefox Security Compass with: 1. SQL Inject Me SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is Firefox Extension used to test for SQL Injection vulnerabilities (not available for Firefox 8.0). 7. Bibliography [The 2011 Mid-Year Top Cyber Security Risks Report, Article, HP DVLabs, HP teams: Fortify and the Application Security Center, Hewlett-Packard Development Company, L.P, September 2011, http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3-7045ENW.pdf] [Open Web Application Security Project (OWASP), OWASP Foundation, last modified on 11 October 2011, https://www.owasp.org/] [Java.net, 2011, Oracle, http://weblogs.java.net/blog/caroljmcdonald/archive/2009/10/02/top- 10-web-security-vulnerabilities-number-2-injection-flaws] [SANS Information Security & Research, SANS Institute, September 2009, http://www.sans.org/top-cyber-security-risks/] [Acunetix, Acunetix Web Vulnerability Scanner, 2011, http://www.acunetix.com/blog/web- security-zone/articles/sql-injection-prevalent-hack/] [Open Source Vulnerability Database (OSVDB), 2011, http://osvdb.org/] [Improving Web Application Security, Threats and Countermeasures, patterns & practices, Microsoft Corporation, Microsoft Corporation, 2003, http://msdn.microsoft.com/en- us/library/ff649874.aspx] Page 15 /15

Empfohlen

Rational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability AssessmentRational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability AssessmentVESIT/University of Mumbai
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilitiesKrishna Gehlot
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
How to Audit
How to AuditHow to Audit
How to Auditayousif
 
INTSUM
INTSUMINTSUM
INTSUMworldwidebranding
 

Empfohlen

Rational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability AssessmentRational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability AssessmentVESIT/University of Mumbai
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilitiesKrishna Gehlot
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
How to Audit
How to AuditHow to Audit
How to Auditayousif
 
INTSUM
INTSUMINTSUM
INTSUMworldwidebranding
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
Rapport X force 2014
Rapport X force 2014Rapport X force 2014
Rapport X force 2014Patrick Bouillaud
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
A26001006
A26001006A26001006
A26001006IJERA Editor
 
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browserscscpconf
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Black Duck by Synopsys
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelAditya K Sood
 
INSECURE Magazine - 37
INSECURE Magazine - 37INSECURE Magazine - 37
INSECURE Magazine - 37Felipe Prado
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For CybersecurityNathan Anderson
 
Cisco Annual Security Report 2016
Cisco Annual Security Report 2016Cisco Annual Security Report 2016
Cisco Annual Security Report 2016The Internet of Things
 
Clickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickClickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickEswar Publications
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportJames Gachie
 
Cisco Annual Security Report
Cisco Annual Security ReportCisco Annual Security Report
Cisco Annual Security ReportThe Internet of Things
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
Web vulnerability seminar3
Web vulnerability seminar3Web vulnerability seminar3
Web vulnerability seminar3Sakuya Izayoi
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Variables and constants
Variables and constantsVariables and constants
Variables and constantsBSCSComputingIT
 
Web vulnerability seminar4
Web vulnerability seminar4Web vulnerability seminar4
Web vulnerability seminar4Sakuya Izayoi
 
Fuzzing sucks!
Fuzzing sucks!Fuzzing sucks!
Fuzzing sucks!Yury Chemerkin
 

Weitere ähnliche Inhalte

Was ist angesagt?

Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browserscscpconf
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Black Duck by Synopsys
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelAditya K Sood
 
INSECURE Magazine - 37
INSECURE Magazine - 37INSECURE Magazine - 37
INSECURE Magazine - 37Felipe Prado
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For CybersecurityNathan Anderson
 
Clickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickClickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickEswar Publications
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportJames Gachie
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 

Was ist angesagt? (17)

Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
 
Rapport X force 2014
Rapport X force 2014Rapport X force 2014
Rapport X force 2014
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
 
A26001006
A26001006A26001006
A26001006
 
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection Model
 
INSECURE Magazine - 37
INSECURE Magazine - 37INSECURE Magazine - 37
INSECURE Magazine - 37
 
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
2016 ISACA NACACS - Audit As An Impact Player For Cybersecurity
 
Cisco Annual Security Report 2016
Cisco Annual Security Report 2016Cisco Annual Security Report 2016
Cisco Annual Security Report 2016
 
Clickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickClickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s Click
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security Report
 
Cisco Annual Security Report
Cisco Annual Security ReportCisco Annual Security Report
Cisco Annual Security Report
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
 

Andere mochten auch

Web vulnerability seminar3
Web vulnerability seminar3Web vulnerability seminar3
Web vulnerability seminar3Sakuya Izayoi
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Web vulnerability seminar4
Web vulnerability seminar4Web vulnerability seminar4
Web vulnerability seminar4Sakuya Izayoi
 
Codegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player ExploitCodegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player Exploitsweetchip
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
 
Web vulnerability seminar1
Web vulnerability seminar1Web vulnerability seminar1
Web vulnerability seminar1Sakuya Izayoi
 
취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명eungjin cho
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Web vulnerability seminar2
Web vulnerability seminar2Web vulnerability seminar2
Web vulnerability seminar2Sakuya Izayoi
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipsweetchip
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다GangSeok Lee
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 

Andere mochten auch (17)

Web vulnerability seminar3
Web vulnerability seminar3Web vulnerability seminar3
Web vulnerability seminar3
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Variables and constants
Variables and constantsVariables and constants
Variables and constants
 
Web vulnerability seminar4
Web vulnerability seminar4Web vulnerability seminar4
Web vulnerability seminar4
 
Fuzzing sucks!
Fuzzing sucks!Fuzzing sucks!
Fuzzing sucks!
 
Codegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player ExploitCodegate 2013 Junior - Music Player Exploit
Codegate 2013 Junior - Music Player Exploit
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
Web vulnerability seminar1
Web vulnerability seminar1Web vulnerability seminar1
Web vulnerability seminar1
 
취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명취약점(Vulnerability) db 구조 설명
취약점(Vulnerability) db 구조 설명
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Web vulnerability seminar2
Web vulnerability seminar2Web vulnerability seminar2
Web vulnerability seminar2
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchip
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 
EZ KEY_EZ
EZ KEY_EZEZ KEY_EZ
EZ KEY_EZ
 
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
 

Ähnlich wie Software Security - Vulnerability&Attack

Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSheri Elliott
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securitysudip pudasaini
 
Qg was guide
Qg was guideQg was guide
Qg was guidenat page
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Web Applications Assessment Tools: Comparison and Discussion
Web Applications Assessment Tools: Comparison and DiscussionWeb Applications Assessment Tools: Comparison and Discussion
Web Applications Assessment Tools: Comparison and DiscussionEECJOURNAL
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management SystemIRJET Journal
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEoin Keary
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdfssuserc3d7ec1
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web securityIAEME Publication
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Cisco 2016 Security Report
Cisco 2016 Security Report Cisco 2016 Security Report
Cisco 2016 Security Report Steve Fantauzzo
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsRam G Athreya
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
Intelligent cyber security solutions
Intelligent cyber security solutionsIntelligent cyber security solutions
Intelligent cyber security solutionsSwapnil Deshmukh
 
Malware detection and pattern classification using NPL
Malware detection and pattern classification using NPLMalware detection and pattern classification using NPL
Malware detection and pattern classification using NPLIRJET Journal
 

Ähnlich wie Software Security - Vulnerability&Attack (20)

Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Qg was guide
Qg was guideQg was guide
Qg was guide
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Web Applications Assessment Tools: Comparison and Discussion
Web Applications Assessment Tools: Comparison and DiscussionWeb Applications Assessment Tools: Comparison and Discussion
Web Applications Assessment Tools: Comparison and Discussion
 
Globally.docx
Globally.docxGlobally.docx
Globally.docx
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management System
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web security
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Cisco asr-2016-160121231711
Cisco asr-2016-160121231711Cisco asr-2016-160121231711
Cisco asr-2016-160121231711
 
Cisco 2016 Security Report
Cisco 2016 Security Report Cisco 2016 Security Report
Cisco 2016 Security Report
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Intelligent cyber security solutions
Intelligent cyber security solutionsIntelligent cyber security solutions
Intelligent cyber security solutions
 
Malware detection and pattern classification using NPL
Malware detection and pattern classification using NPLMalware detection and pattern classification using NPL
Malware detection and pattern classification using NPL
 

Kürzlich hochgeladen

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 

Kürzlich hochgeladen (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Software Security - Vulnerability&Attack

  • 1. Software Security Vulnerability Analysis Emanuela Boroș Emanuela Boroș “Al. I. Cuza” University, Faculty of Computer Science Master of Software Engineering, II Page 1 /15
  • 2. Software Security Vulnerability Analysis Emanuela Boroș Table of Contents 1. Overview..........................................................................................................................................3 2. Web application vulnerabilities........................................................................................................3 a) Input Validation...........................................................................................................................7 3. SQL Injection...................................................................................................................................7 a) State-of-the-art.............................................................................................................................7 b) SQL Injection Example...............................................................................................................9 c) Protecting against SQL Injection...............................................................................................10 d) Java specific Protecting against SQL Injection..........................................................................11 6. SQL Injection Scanners..................................................................................................................13 a) Pangolin.....................................................................................................................................13 1. Database Support..............................................................................................................13 2. Sample use of Pangolin....................................................................................................13 b) GreenSQL.................................................................................................................................15 c) Add-ons for Firefox...................................................................................................................15 1. SQL Inject Me..................................................................................................................15 7. Bibliography...................................................................................................................................15 Page 2 /15
  • 3. Software Security Vulnerability Analysis Emanuela Boroș 1. Overview Every day, increasingly, organizations face security risks imposed upon them by attackers intent on achieving fame, glory, or profit. Attackers, familiar with common vulnerabilities inherent in many of today's websites, know how to exploit those vulnerabilities with attacks designed specifically to take advantage of them. 1 A vulnerability is a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. 2 In order to create an application that has a decreasing number of vulnerabilities it is needed a solid foundation for designing, building, and configuring secure web applications. Number 1 in the Top 10 most critical web application security vulnerabilities 3 identified by the Open Web Application Security Project (OWASP)4 is Injection Flaws. Injection happens whenever an attacker's data is able to modify a query or command sent to a database, LDAP server, operating system. Types of injections are SQL, LDAP, XPath, XSLT, HTML, XML, OS command. SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered against web applications5 (SANS Top Cyber Security Risks6). It's hard to believe, but SQL injection has been around for 13 years. SQL injection is as prevalent as ever as highlighted in The 2011 Mid-Year Top Cyber Security Risks Report7. In 1998 – 1999, Internet security was all about firewalls and SSL. Most people tend to think of security as a network problem. The truth: security is often a software problem. 2. Web application vulnerabilities Hackers today have an ever increasing list of weaknesses in the web application structure at their disposal, which they can exploit to accomplish a wide variety of malicious tasks. New flaws in web application security measures are constantly being researched, both by hackers and by security professionals. Most of these flaws affect all dynamic web applications whilst others are dependent on specific application technologies. In both cases, one may observe how the evolution and refinement of web technologies also brings about new exploits which compromise sensitive databases, provide access to theoretically secure networks, and pose a threat to the daily operation of online businesses. Based on data pulled from The Open Source Vulnerability Database (OSVDB) 8, the total number of new vulnerabilities reported for the first half of 2011 is about 25% lower than the number of new vulnerabilities reported at mid-year 2010 and previous years. As of June 30, 2011, OSVDB cataloged 3,087 reported vulnerabilities in Internet-based 1 The 2011 Mid-Year Top Cyber Security Risks Report http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3- 7045ENW.pdf 2 https://www.owasp.org/index.php/Category:Vulnerability 3 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 4 https://www.owasp.org/index.php/Main_Page 5 http://weblogs.java.net/blog/caroljmcdonald/archive/2009/10/02/top-10-web-security-vulnerabilities-num- ber-2-injection-flaws 6 http://www.sans.org/top-cyber-security-risks/ 7 http://www.acunetix.com/blog/web-security-zone/articles/sql-injection-prevalent-hack/ 8 The Open Source Vulnerability Database, http://osvdb.org/ Page 3 /15
  • 4. Software Security Vulnerability Analysis Emanuela Boroș systems, applications, and other computing tools, as compared to 4,091 cataloged in the corresponding period in 2010. After peaking in 2006, vulnerability reporting has been in a slow decline. The reasons for this decline are varied, but several likely reasons stand out. Software makers and system developers have increased their security awareness and have taken steps to reduce vulnerabilities prior to releasing their products. The second reason is a reduction in the disclosures of discovered vulnerabilities, motivated by a desire to instead sell the vulnerability for profit. Another is that some organizations would rather announce details regarding vulnerabilities only after they've been fixed. Despite the overall decline in new vulnerabilities being discovered and reported, it is important to note that the ratio of vulnerabilities discovered in web applications still makes up 31% of all vulnerabilities disclosed. It is worth noting that roughly half of all vulnerability disclosures since 2006 have involved Web applications, so the downward trend for the first half of 2011 is yet another proof point for the overall drop in vulnerability disclosure thus far. The reason for the high number of web application vulnerabilities is a matter of opportunity and profit. First, the number of web applications in circulation grows steadily every day. A web application in its simplest form ties together an operating system, a web server, a database, and some top-level application that customers use to interact with the back-end systems. Many organizations have adopted this model for interacting with customers through retail sites, online banking or finance applications, or even appointment scheduling. In addition, many organizations have confidential or sensitive data stored in the databases connected to these applications, offering an almost limitless field of opportunity for attackers, who view it all as a very lucrative proposition. First of all, there has to be defined a set of application vulnerability categories in order to know what type of attacks can appear. There are common categories that span multiple technologies and components in a layered architecture. These categories are the focus for designing are building secure web applications. 9 9 Improving Web Application Security, Threats and Countermeasures, patterns & practices, Microsoft Corpor- ation, 2003 Page 4 /15
  • 5. Software Security Vulnerability Analysis Emanuela Boroș Category Description Threats Input validation refers to how your Buffer overflow; cross- application filters, scrubs, or rejects site scripting; SQL Input Validation input before additional processing. injection Authentication is the process that an Network eavesdropping; entity uses to identify another entity, brute force attacks; Authentication typically through credentials such as dictionary attacks; cookie a user name and password. replay; credential theft Authorization is the process that an Elevation of privilege; application uses to control access to disclosure of confidential Authorization resources and operations. data; data tampering; luring attacks Unauthorized access to administration interfaces Configuration Configuration management refers to and to configuration how your application handles Management stores; overprivileged operational issues. process and service accounts Sensitive data is information that Access sensitive data in must be protected either in memory, storage; network Sensitive Data over the wire, or in persistent stores. eavesdropping; data Your application must have a tampering process for handling sensitive data. A session refers to a series of related Session hijacking; session interactions between a user and your replay; man in the middle Session Web application. Session Management management refers to how your application handles and protects these interactions. Cryptography refers to how your Poor key generation or application enforces confidentiality key management; weak Cryptography and integrity. or custom encryption Form fields, query string arguments, Query string and cookie values are frequently manipulation; form field Parameter used as parameters for your manipulation; cookie Manipulation application. Parameter manipulation manipulation; HTTP refers to both how your application header manipulation safeguards tampering of these values and how your application processes input parameters. Exception When a method call in your Information disclosure; application fails, what does your denial of service Management application do? How much does it reveal about the failure condition? Auditing and Auditing and logging refer to how User denies performing your application records security- an operation; attacker Logging related events. exploits an application without trace; attacker covers his or her tracks Page 5 /15
  • 6. Software Security Vulnerability Analysis Emanuela Boroș Web application vulnerabilities are easy to exploit with a variety of attack techniques and tools. When vulnerabilities are broken down by category, some interesting trends begin to emerge. Cross-Site Scripting (XSS) and SQL Injection (SQLi) still comprise the most significant amount of new Web application vulnerability disclosures 10. XSS is commonly used for spam, phishing, and Web browser exploits. Buffer Overflow and Denial of Service (DoS) vulnerabilities round out the top four. It is interesting to note that the breakdown of popular vulnerabilities by category remains fairly consistent over the past three years, likely because XSS vulnerabilities are relatively easy to find and are very useful to attackers. Spammers and phishers are always looking for ways to make their trade more profitable, and XSS continues to be a useful vulnerability for these purposes. a) Input Validation Input validation is a security issue if an attacker discovers that your application makes unfounded assumptions about the type, length, format, or range of input data. The attacker can then supply carefully crafted input that compromises your application. When network and host level entry points are fully secured; the public interfaces exposed by your application become the only source of attack. The input to your application is a means to both test your system and a way to execute code on an attacker’s behalf. Does your application blindly trust input? If it does, your application may be susceptible to the following11: SQL injection Buffer overflows Cross-site scripting 10 The 2011 Mid-Year Top Cyber Security Risks Report http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3- 7045ENW.pdf, pg.6 11 Improving Web Application Security, Threats and Countermeasures, patterns & practices, Microsoft Corpor- ation, 200, Chapter 2: Threats and Countermeasures, pg. 25-26 Page 6 /15
  • 7. Software Security Vulnerability Analysis Emanuela Boroș 3. SQL Injection Web applications are affected by multiple types of attacks, and SQLi and XSS are just two that have received a significant amount of media attention over the last few months. SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable. An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine. a) State-of-the-art SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database. Structured Query Language (SQL) is a specialized programming language for sending queries to databases. The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements. If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user specified by the application executing the statement. This capability allows attackers to gain control of all database resources accessible by that user, up to and including the ability to execute commands on the hosting system. This is how SQLi attacks have evolved over the years: 1998 – Rain Forest Puppy (RFP) discloses/discusses the initial idea of SQL Injection in Phrack Magazine (Volume 9, Issue 54) 2000 – SQL Injection FAQ – Chip Andrews – uses the first public usage of term “SQL Injection” in a paper 2003 – The idea of blind SQL Injection is disclosed/discussed 2006 – Web application vulnerability disclosure skyrockets in part due to SQL Injection 2008 – SQL Injection vulnerability disclosure peaks Page 7 /15
  • 8. Software Security Vulnerability Analysis Emanuela Boroș 2008 – The Asprox botnet leverages SQL Injection for mass drive by SQLi attacks to grow botnet (http://en.wikipedia.org/wiki/Asprox). From at least April through August, a sweep of attacks began exploiting the SQL Injection vulnerabilities of Microsoft's IIS Web server and SQL Server database server. The attack does not require guessing the name of a table or column, and it corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor's system. The number of exploited Web pages is estimated at 500,000. On August 17, 2009, the U.S. Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using a SQL Injection attack. In reportedly “the biggest case of identity theft in American history,” the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers. On February 5, 2011, HBGary, a technology security firm, was broken into by Anonymous using a SQL Injection in their CMS-driven website. On April 11, 2011, Barracuda Networks was compromised using a SQL Injection flaw. Email addresses and usernames of employees were among the information obtained. On June 1, 2011, “hacktivists” of the group LulzSec were accused of using SQLi to steal coupons and to download keys and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users. In June 2011, Group Anonymous claims to have hacked the NATO site, using a “simple SQL Injection”. With SQLi attacks, it is readily apparent that attackers are content leveraging existing vulnerabilities for their exploits. b) SQL Injection Example 1. use of string concatenation to build query: SQL Injection can happen with dynamic database queries concatenated with user supplied input, for example with the following query: "SELECT * FROM tableName WHERE name =" + parameter;" 2. if the user supplies "name' OR 'a'='a' " as the parameter it results in the following: "SELECT * FROM tableName WHERE name ='name' OR 'a'='a';" 3. the OR 'a'='a' causes the where clause to always be true which is the equivalent of the following: "SELECT * FROM tableName;" Page 8 /15
  • 9. Software Security Vulnerability Analysis Emanuela Boroș 4. if the user supplies "name' OR 'a'='a' ; DELETE FROM tableName" as the parameter it results in the following: "SELECT * FROM tableName WHERE name ='name' OR 'a'='a'; DELETE FROM tableName;" 5. the OR 'a'='a' causes the WHERE clause to always be true which is the equivalent of the following: "SELECT * FROM tableName; DELETE FROM tableName;" 6. some database servers, allow multiple SQL statements separated by semicolons to be executed at once. c) Protecting against SQL Injection SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is, therefore, to separate the logic of a query from its data; this will prevent commands inserted from user input from being executed. The downside of this approach is that it can have an impact on performance and that each query on the site must be structured in this method for it to be completely effective. If one query is inadvertently bypassed, that could be enough to leave the application vulnerable to SQL Injection. These are some tips in order to protect your system from SQL injection: Don't concatenate user input data to a query or command Use Query Parameter binding with typed parameters, this ensures the input data can only be interpreted as the value for the intended parameter so the attacker can not change the intent of a query Validate all input data to the application using white list (what is allowed) for type, format, length, range, reject if invalid Don't provide too much information in error messages (like SQL Exception Information, table names) to the user. Page 9 /15
  • 10. Software Security Vulnerability Analysis Emanuela Boroș The following code shows a sample SQL statement that is SQL injectable. sqlStatement = "SELECT * FROM tableName"; sqlStatement = sqlStatement + "WHERE id =" + id; oCmd.CommandText = sqlStatement; The following example utilizes parameterized queries and is safe from SQL Injection attacks. sqlStatement = "SELECT * FROM tableName"; sqlStatement = sqlStatement + "WHERE id = id; oCmd.CommandText = sqlStatement; oCmd.Parameters.Add("id", id); The application will send the SQL statement to the server without including the user's input. Instead, a parameter – id – is used as a placeholder for that input. In this way, user input never becomes part of the command that SQL executes. Any input that an attacker inserts will be effectively negated. An error would still be generated, but it would be a simple data-type conversion error, and not something that a hacker could exploit. d) Java specific Protecting against SQL Injection 4. Don't concatenate user input data to a query or command: Don't do this with JDBC: String id = req.getParameter("id"); String query = "SELECT * FROM tableName WHERE id = '" + id +"'"; Don't do this with JPA: query = entityManager.createQuery("SELECT * FROM tableName t WHERE " + "t.id = '" + id + "'"); Page 10 /15
  • 11. Software Security Vulnerability Analysis Emanuela Boroș 5. Use Query Parameter binding with typed parameters With JDBC you should use a PreparedStatement and set values by calling one of the setXXX methods on the PreparedStatement object String sql = "SELECT * FROM tableName WHERE id = ? "; PreparedStatement pStmt = con.prepareStatement(sql); pStmt.setString(1, id); This sets the first question mark placeholder to the value of the input parameter id in the SQL command. Any dangerous characters – such as semicolons, quotes, etc.. should be automatically escaped by the JDBC driver. With JPA or Hibernate you should use Named Parameters. Named parameters are parameters in a query that are prefixed with a colon (:). Named parameters in a query are bound to an argument by the javax.persistence.Query.setParameter(String name, Object value) method. For example: query = entityManager.createQuery( "SELECT e FROM tableName t WHERE " + "t.id = ':id'"); q.setParameter("id", id); This sets the id to the id in the SQL command, again any dangerous characters should be automatically escaped by the JDBC driver. With JPA 2.0 or Hibernate you can use the Criteria API. The JPA 2.0 criteria API providies a typesafe object-based Query API based on a metamodel of the Entity classes, rather than a string-based Query API. This allows you to develop queries that a Java compiler can verify for correctness at compile time. Below is an example using the Criteria API for the same query as before : QueryBuilder qb = em.getQueryBuilder(); CriteriaQuery<Employee> q = qb.createQuery(TableName.class); Root<TableName> t = q.from(TableName .class); ParameterExpression<String> id = cb.parameter(String.class); TypedQuery<TableName> query = em.createQuery( q.select(t).where(cb.equal(t.get(TableName_.id), id) ); query.setParameter(“id”, id); 6. SQL Injection Scanners a) Pangolin Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more. Page 11 /15
  • 12. Software Security Vulnerability Analysis Emanuela Boroș 1. Database Support Access: (Database Path; Root Path; Drivers); Data MSSql: Data; FileReader; RegReader; FileWriter; Cmd; DirTree MySql: Data; FileReader; FileWriter Oracle: Version; IP; Database; Accounts, Data DB2: Data Sybase: Data PostgreSQL: Data; FileReader Sqlite: Data At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Sybase, PostgreSQL, as well as Sqlite which isn't so common. 2. Sample use of Pangolin Run Pangolin then type or paste the URL that you suspect is susceptible to SQL injection. Page 12 /15
  • 13. Software Security Vulnerability Analysis Emanuela Boroș Page 13 /15
  • 14. Software Security Vulnerability Analysis Emanuela Boroș b) GreenSQL GreenSQL is a Database Security solution. GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. It works as a proxy and has built in support for MySQL and PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). Sample page protected by GreenSql at http://www.greensql.net/sql-injection-test Page 14 /15
  • 15. Software Security Vulnerability Analysis Emanuela Boroș c) Add-ons for Firefox Security Compass with: 1. SQL Inject Me SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is Firefox Extension used to test for SQL Injection vulnerabilities (not available for Firefox 8.0). 7. Bibliography [The 2011 Mid-Year Top Cyber Security Risks Report, Article, HP DVLabs, HP teams: Fortify and the Application Security Center, Hewlett-Packard Development Company, L.P, September 2011, http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3-7045ENW.pdf] [Open Web Application Security Project (OWASP), OWASP Foundation, last modified on 11 October 2011, https://www.owasp.org/] [Java.net, 2011, Oracle, http://weblogs.java.net/blog/caroljmcdonald/archive/2009/10/02/top- 10-web-security-vulnerabilities-number-2-injection-flaws] [SANS Information Security & Research, SANS Institute, September 2009, http://www.sans.org/top-cyber-security-risks/] [Acunetix, Acunetix Web Vulnerability Scanner, 2011, http://www.acunetix.com/blog/web- security-zone/articles/sql-injection-prevalent-hack/] [Open Source Vulnerability Database (OSVDB), 2011, http://osvdb.org/] [Improving Web Application Security, Threats and Countermeasures, patterns & practices, Microsoft Corporation, Microsoft Corporation, 2003, http://msdn.microsoft.com/en- us/library/ff649874.aspx] Page 15 /15