Advanced Topics on SQL Injection Protection

Advanced Topics on SQL Injection Protection Sam NG CISA, CISSP SQLBlock.com [email_address] Feb 27 th , 2006

Introduction ,[object Object],[object Object],[object Object]

Methods to prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Development Phase QA Phase Production Phase

Method 1: Input Validation ,[object Object],[object Object],[object Object]

Method 1: Input Validation (cont’d) ,[object Object],[object Object],[object Object],[object Object],[object Object]

1.1: Escape inputs properly ,[object Object],[object Object],[object Object]

Consider the following PHP code ,[object Object],[object Object],[PHP] $magic_quotes_runtime = “on” ; $url = urldecode ($_REQUEST [ ‘url’ ]); $query = “INSERT INTO tbl_links (type, url) VALUES(1, ‘ $url ’)” ;

1.2: Validate numeric fields ,[object Object],[object Object],[object Object],[ASP] Dim conn, rec, query, prod, price prod = Replace (Request. Form ( “prod” ), “’ ”, “’’” ) price = Replace (Request. Form (“price”), “’” , “’’” ) Set conn = CreateObject ("ADODB.Connection") conn.Open = "DSN=AccountDB;UID=sa;PWD=password;" query = “select * from sales where prod=’” & prod & “‘ and price > ” & price Set rec = conn.Execute(query)

However… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Table 1. SQL injection vulnerabilities found in BugTraq SecurityFocus 194 1 7 94 92 2005 Jan-Jun 57 　　 29 28 2004 Jan-Jun Total Second Order StoredProc Numeric Field Others Period

Table 1 (cont’d) ,[object Object],[object Object],[object Object]

Prevent Numeric Field Injection 1 ,[object Object],[object Object],if ( $category > 0) { $categ = "AND catid=$category "; } elseif ( $category == 0) { .... } “ AND catid=2 union…”; Return true even if $category = “ 2 union … ”

Prevent Numeric Field Injection 2 ,[object Object],[object Object],[object Object],[object Object]

1.3 Column Names ,[object Object],[object Object],[object Object]

1.3 Column Names (cont’d) ,[object Object],Dim cat, orderBy, query cat = Replace ( Request .Form( “cat” ), “’” , “’’” ) orderBy = Replace ( Request .Form( “orderBy” ), “’” , “’’” ) query = “select * from tbl_prod ” & “where cat = ‘” & cat & “’ “ & “order by “ & orderBy

Prevent SQL injection in column names ,[object Object],[object Object],[object Object],[object Object],[object Object]

1.4 Prevent second order attacks Dim conn, rec, query1, query2, login_id, old_pass, new_pass login_id = Replace (Request. Form ( “login_id” ), “’” , “’’” ) old_pass = Replace (Request. Form ( “old_pass” ), “’” , “’’” ) new_pass = Replace (Request. Form ( “new_pass” ), “’” , “’’” ) Set conn = CreateObject ( "ADODB.Connection" ) conn.Open = "DSN=AccountDB;UID=sa;PWD=password;" query1 = “select * from tbl_user where login_id=’” & login_id & “’ and password=‘” & old_pass & “’” Set rec = conn.Execute(query1) If (rec.EOF) Then Response.Write "Invalid Password" Else query2 = “update from tbl_user set password=’” & new_pass & “’ where login_id=’” & rec.( “login_id” ) & “’” conn.Execute(query2) .. .. End If Unescaped data, read from database. But, what about if login_id = “foo’ union…. – ” All properly escaped

What is 2 nd Order SQL Injection? ,[object Object]

Prevent 2 nd Order SQL Injection ,[object Object],[object Object],[object Object],[object Object]

 PHP magic_quotes_gpc, magic_quotes_runtime ,[object Object],[object Object],[object Object],[object Object]

Method 2: Use Static Query Statement ,[object Object],[object Object],[object Object],[object Object]

2.1 parameterized stmt != static stmt [Java] String sql = “select * from product where cat=’” + request.get( “cat” ) + “’ and price > ?” ; PreparedStatement pstmt = con.prepare(sql); pstmt.setString(1, request.getParameter( “price” )); ResultSet rs = pstmt.executeQuery(); Obviously vulnerable to SQL injection Even this is called in a parameterized form Prepare statement

2.2 Stored Procedure != SAFE CREATE PROCEDURE sp_dynamic ( @name varchar(50) = '' ) AS DECLARE @Query varchar(500) SET @Query = 'SELECT * FROM userlist where name = ''' + @name + ''' EXEC( @Query ) GO Dangerous Function SQL style string concatenation [Solution] SET @name = REPLACE ( @name , '''' , '''''' ) Insert at HERE

2.3 Static query doesn’t always work ,[object Object],[object Object]

Method 3: Least Privilege ,[object Object],[object Object],[object Object],[object Object],[object Object]

Invoker’s right for stored procedure ,[object Object],[object Object],[object Object]

However... ,[object Object],[object Object],[object Object],[object Object]

If the code DOES contain SQL Injection bug… ,[object Object],[object Object]

Conclusion ,[object Object],[object Object],[object Object]

Method 4: Verifies Your code ,[object Object],[object Object],[object Object]

4.1 Source Code Auditing ,[object Object],[object Object],[object Object]

Automatic Source Code Scanner [7] ,[object Object],[object Object],[object Object]

4.2 Web Application Vulnerability Scanner ,[object Object],[object Object],[object Object],[object Object],[object Object]

Semi-automatic tools: Web Proxy ,[object Object],[object Object],Edit Post Data Before Send

Automatic Source Code Scanner vs Automatic Vulnerability Scanner ,[object Object],[object Object],[object Object],[object Object]

Method 5: Web Application Gateway (WAG) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

The downside of WAG ,[object Object],[object Object],A new user register to a web portal application N oted the apostrophe But should we block this?

The downside of WAG (cont’d) ,[object Object],[object Object],[object Object]

The downside of WAP (cont’d) ,[object Object],[object Object],[object Object],[object Object]

To make configuration easier: 1 st method ,[object Object],[object Object],[object Object],[object Object],[object Object]

To make configuration easier: 2 nd method ,[object Object],[object Object],[object Object]

To make configuration easier ,[object Object],[object Object],[object Object],[object Object]

Method 6: SQL Driver Proxy ,[object Object],[object Object],[object Object]

Architecture of a SQL Driver Proxy HTTP Client HTTP Server HTTP Server HTTP Client ODBC JDBC App Original Driver ODBC/JDBC Driver ODBC/JDBC App Analysis Analysis HTTP Proxy ODBC/JDBC Proxy HTTP Protocol HTTP Protocol API Calls API Calls

How SQL Driver Proxy works? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

How SQL Driver Proxy works? (cont’d) ,[object Object],SELECT * FROM tbl_user WHERE user_id = ‘<some thing>’ AND password = ‘<some thing>’ OR 1=1 --’ SELECT * FROM tbl_accounts WHERE user_id = ‘<some thing>’ UNION … UPDATE tbl_accounts SET balance = balance + <some value> WHERE account_id = ‘<some thing>’ ; DROP …

How SQL Driver Proxy works? (cont’d) ,[object Object],[object Object]

SQL Driver Proxy limitation ,[object Object]

SQL Driver Proxy limitation (cont’d) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Intrusion Detection System (IDS) ,[object Object],[object Object],[object Object]

Context-Sensitive String Evaluation [9] ,[object Object],[object Object],[object Object],[object Object]

Database Layer Protection ,[object Object],[object Object]

Conclusion ,[object Object],[object Object],[object Object],[object Object]

Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Reference - 2 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Advanced Topics on SQL Injection Protection

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (13)

Ähnlich wie Advanced Topics on SQL Injection Protection

Ähnlich wie Advanced Topics on SQL Injection Protection (20)

Mehr von amiable_indian

Mehr von amiable_indian (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Advanced Topics on SQL Injection Protection