SlideShare ist ein Scribd-Unternehmen logo

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013

Nick Galbreath
Nick Galbreath

What if we could reduce SQLi attacks in your application by 90%? WIth little to no changes in your application, with no new hardware or firewalls? First presentated at RSA Conference USA, 2013-02-27

Technologie
1 von 55
Downloaden Sie, um offline zu lesen
SQL-RISC New Directions in SQLi Prevention Nick Galbreath RSA 2013-02-27
SQL-RISC: NEW DIRECTIONS IN SQLI DETECTION AND PREVENTION Nick Galbreath IPONWEB ► Session ID: ASEC-­‐W23 ► Session Classification: Advanced
Latest version of these slides: http://client9.com/20130227/ Tweet tweet: @ngalbreath Originally presented at: RSA Conference USA Moscone Center San Francisco, California February 27, 2013 10:40 AM, Room 132
What if we could substantially reduce the SQLi attack surface of a web application? @ngalbreath
without new hardware or firewalls? @ngalbreath
without application changes? @ngalbreath
and comes with free SQLi attack monitoring? @ngalbreath
Wild Speculation? @ngalbreath
A Brief History of SQL
1970s: SQL Invented ► Hey that's 40 years ago. ► "Structured Query Language" ► Why is it still around and so popular? ► Exercise for the reader: Pick any query you like, and write the equivalent in your favorite programming language. ► SQL is scriptable data structures. @ngalbreath
1972: Oracle Releases the First Commercial Database Also, Coppola releases The Godfather @ngalbreath
Remember the 80s? ► Networking sucked! ► TCP/IP not widespread ► Computers are fragile, expensive and slow ► Shoulder-pads so what do you do? @ngalbreath
Centralize ► Move computation as close as possible to the data ► Move to super-servers ► Have cheap/dumb clients @ngalbreath
1988: Oracle V6 ► The Database is now a full programming environment ► Unicode/UTF8 not standard ► Complexity explosion ► ... but most clients are private Also in 1988: Crack Cocaine 'invented' @ngalbreath
And then the 1990s ► TCP/IP ► Cheap CPUs ► Web Browsers ► Attaching databases to public networks This is why most of us are here today. @ngalbreath
2000+ Web Scale ► Discovery that data problems are a lot more painful than CPU problems. ► Turns out disk drives are mechanical ► If your database maxes out, you have big problems... so move everything out of the database. ► Complete reversal in strategy @ngalbreath
SQL isn't going anywhere ► For front-ends, general trend is federating data across cheap machines, using stripped down SQL ► SQL-like languages used by Amazon, Google and others. ► Still great for analytics and reporting on the back end, and generic data storage. ► But we stuck with legacy of the past. @ngalbreath
SQL'S DARK CORNERS ► bit.ly/UkQd7Z
SQL is Huge ► 40+ years of built up crud ► 1992 spec is 625 pages of plain text ► 2003 spec is 128 pages of BNF ► No one is completely compliant ► Every one has special extensions SQL is more complicated than you think.... @ngalbreath
SQL Integer Forms • [0-9]+ • 0x[0-9a-fA-F]+ 0xDEADbeef MySQL, MSSQL 0x is case sensitive • 0x MSSQL only • x'DEADbeef' PgSQL • b'10101010' MySQL, PgSQL • 0b010101 MySQL @ngalbreath
SQL Floating Point Forms ► digits ► digits[.] ► digits[.]digits ► digits[eE]digits ► digits[eE][+-]digits ► digits[.][eE]digits ► digits[.]digits[eE][+-]digits ► http://bit.ly/Qp6KTu ► digits[.]digits[eE]digits ► [.]digits ► [.]digits[eE]digits ► [.]digits[eE][+-]digits Optional starts with [+-] ► "binary_float_infinity" (O) Optional ending with [dDfF] (Oracle) @ngalbreath
SQL Money Literals ► MSSQL has a money type. ► -$45.12 ► $123.0 ► +$1,000,000.00 Commas ignored ► Many symbols are accepted for currency type @ngalbreath
SQL Ridiculous Operators ▶ != not equals, standard ▶ <=> mysql ▶ <> mssql ▶ ^= oracle ▶ !>, !< not less than mssql ▶ / oracle ▶ !! factorial (pgsql) ▶ |/ square root (pgsql) ▶ ||/ cube root (pgsql) ▶ ** exponential (oracle) @ngalbreath
SQL Strings, Charset & Comments Such a tangled mess, I defer to my DEFCON 20 talk: http:// client9.com/ 20120727/ @ngalbreath
SQLi Detection
Keyword Detection s/UNION.ALL/i ► The dumbest possible regexp. ► I've used this regexp as a goof for a while, but oddly works well in detecting SQLi scans. dow ► Almost zero false positives ore sha f @ngalbreath
By Using Regular Expressions Trying to catch more SQLi attacks leads to the question of is user input SQLi or not? Using regular expressions you end up with something like this: (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+ ()(?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~])(?:"s*ors*"?d)|(?:x(?:23| 27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-]s*"s* w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema| table_nameW)(?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=& &)w+()|(?:"[sd]*[^ws]+W*dW*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s* d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]+"[^,])(?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)| (?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|][ds!=+-]+.*["(].*$)|(?:"s*[!=|][d s!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+")(?:unions*(?:all|distinct|[(!@]*)? s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[sw]+=s*w+ s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets* ()(?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--| #))|(?:"[%&<>^=]+ds*(=|or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+ s*W.*")(?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert| desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)| (?:ends*);)|("s+regexpW)|(?:[s(]load_files*()(?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and| or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@ w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()])(?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/ from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!+"w)|(?:";s*(?:if|while| begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(])(?:(select|;)s+(?:benchmark|if|sleep) s*?(s*(?s*w+)(?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert| desc)s*[[(]?w{2,})(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto)(?:procedures+analyses* ()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@)(?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{))(?:sexecs+xp_cmdshell)|(?:"s*! s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";?s*(?:select| union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()| (?:into[s+]+(?:dump|out)files*")(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(), +-]+s*againsts*()(?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete| update|insert|desc)s*(s*spaces*()(?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)])(?:(sleep((s*)(d*) (s*))|benchmark((.*),(.*))))(?:(union(.*)select(.*)from))(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647| 0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) @ngalbreath
libinjection First presented at Black Hat USA 2012 http://client9.com/20120725 iSEC Partners party at Bellagio
libinjection ▶ Takes input and create tokens as if it SQL ▶ Compares first 5 tokens to "things that match SQLi" ▶ 50k+ SQLi samples, some from wild, some hand made, some from scans ▶ C, 100k checks per second ▶ Open Source, BSD License ▶ http://client9.com/libinjection @ngalbreath
Why do we have UNION at all? ▶ http://www.deepthoughtsbyjackhandey.com and what else do I, the developer, never use, but is commonly used by SQLi attackers? @ngalbreath
Let's use libinjection to find features of SQL used in SQLi! ► That's what I wrote in the abstract. ► Turns out to be not necessary ► Used the 50,000+ SQLi samples library from libinjection and ... ► ... the Awesome Power of Grep (well ... python regexp actually) @ngalbreath
A Highly Unscientific collection of 50,000+ SQLi attacks collected from actual attacks, scanners, how to guides, etc. But doesn't take into account: ► Frequency ► Severity ► Uniqueness hat! So  W ► Actual successful attacks versus probes ► Doesn't look at exfiltration techniques @ngalbreath
SQL used in SQLi union 75% comments (any type) 70% concat, etc 23% hex number literals 22% subselects 22% chr(),char() 6% aes, hex, compress 4% SQL variables 2% @ngalbreath
95% reduction in SQLi By eliminating the following in SQL: ➡unions ➡comments ➡subselects More than 95% of all SQLi samples were prevented. @ngalbreath
98+% reduction in SQLi ► By eliminating the remaining 'unusual' SQL, more than 98% of SQLi samples were prevented or rejected. ► Remaining 2% of SQLi attacks are all equivalent of 1 OR 1=1 ► Those remaining SQLi probes are mostly annoying, and mostly harmless. @ngalbreath
And of the course the obvious Not represented by frequency, but all database extensions that allow shell commands, networking calls, etc. •Oracle: dbms_pipe functions (networking, shell) •Oracle: ctxsys functions (admin info) •MSSQL: xp_cmdshell (shell access) •MSSQL: opendatasource (networking) •Oracle: utl_smtp (sending email) •You probably know of others. Most vendors provide ways to disable these commands, or off by default. Will focus on pure SQL. @ngalbreath
Introducing SQL-RISC I call this simplified SQL – SQL that limits SQLi damage -- SQL-RISC in honor of RISC computing. http://en.wikipedia.org/wiki/Reduced_instruction_set_computing @ngalbreath
Feasibility: Can public applications run using SQL-RISC?
Can we replace unions? ► Strongly suspect most? many? websites do not use unions. ► All unions can be rewritten into two queries. Minor overhead cost. ► Applications can create 'views' if absolutely required. @ngalbreath
Can we remove SQL comments? ► Uhh, I have a hard time getting developers to write any comments, let alone comments in SQL. ► Or just allow /* */ only at start of query (some ORMs generate a comment on where the query is coming from) @ngalbreath
Can we replace SQL subselects? ► All subselects can be re-written as joins , with almost no application level code changes needed. ► SQLi that uses subselects can not be rewritten as joins (except in rare cases) @ngalbreath
Can we replace SQL string functions? ► Including: substring, concatenation, encoding, encrypting, char functions, replacements ► Easy to move into application logic ► Suspect many web apps don't use these. @ngalbreath
Other SQL Functions sleep/waitfor/shutdown 3.2% Having a hard time seeing any in boolean mode 1.7% need for them in public drop|create|replace 1.6% rand|random applications. 1.4% dbms_ 1.0% convert 0.9% Again, I was going to analyze updatexml|xmltype 0.9% generate_series 0.9% "real world" benign SQL, but randomblob 0.8% I've never used any of these waitfor 0.5% functions, ever, in any web extractvalue 0.5% application. begin 0.5% load_file 0.3% ascii 0.2% nvarchar 0.1% as binary 0.1% into outfile 0.01% @ngalbreath
Enterprise Apps ► If SQL-RISC were implemented as a separate client, then ► public apps could use SQL-RISC ► internal apps could use regular SQL, and use all functions if required. ► This would make adoption much easier. @ngalbreath
SQL-RISC Benefits
Fixing SQLi the Old Way ► Ensuring that every user input is properly validated is intractable (true, some frameworks help, but .... only if you are using them) ► Parameterized queries helps but some common SQL expressions cannot be expressed with parameterization (e.g. IN lists) ► Auditing is very slow ► Every code change may introduce new problem. @ngalbreath
Fixing SQLi using SQL-RISC ► Using SQL-RISC may some require some application changes, however, this is a greppable finite problem. find . -name '*.php' | xargs grep -i union ► Feasibility, conversion & testing can be done before deployment of SQL-RISC. ► Once complete, the entire application, current and future is protected. @ngalbreath
Auto-Detecting Attacks By using SQL-RISC, critical SQLi features are de-activated. SQLi Attacks turn into SQL Syntax Errors @ngalbreath
SQL Syntax Errors are Easy to Monitor ► SQL Syntax errors are annoying but harmless, and are put into logs (database and/or application) ► Trivial to monitor using existing tools (e.g. grep -i 'syntax error' *.log ) ► Now you know where input validation isn't being done ▶ You should be monitoring SQL syntax errors anyways! Major alert if you are being scanner! @ngalbreath
But won't attackers just use another part of SQL? Of course they will! This is not a 100% solution but provides a good start on security by default. Possible pathways is not unlimited. Maybe I missed something, but then it's likely to be some 'exotic' part of SQL The more exotic the SQL, the easier it is to detect. @ngalbreath
Next Steps 食品サンプル
Proof of Concept Patch ► Making a source code patch to deactivating functions and features should be a relatively simple task. ► May be possible to produce a binary patch: perl -p -i -e mysqld 's/UNION/blah/g' @ngalbreath
Access Control ► However, best done via access control. ► Different clients could enable or disable SQL functions and features depending on need. ► This is a more complicated patch! @ngalbreath
Closed-Source ► I challenge you! ► Provide controls for 'advanced' SQL features or provide a simplified parser option. @ngalbreath
Let's Eat! ► Help wanted! ► contact me nickg@client9.com ► libinjection home page: http://client9.com/libinjection http:// client9.com /20130227/ @ngalbreath

Empfohlen

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open ForumNick Galbreath
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012Nick Galbreath
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 

Empfohlen

libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open ForumNick Galbreath
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012Nick Galbreath
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...Codemotion
 
Php Debugging from the Trenches
Php Debugging from the TrenchesPhp Debugging from the Trenches
Php Debugging from the TrenchesSimon Jones
 
PHP7 - The New Engine for old good train
PHP7 - The New Engine for old good trainPHP7 - The New Engine for old good train
PHP7 - The New Engine for old good trainXinchen Hui
 
Old code doesn't stink
Old code doesn't stinkOld code doesn't stink
Old code doesn't stinkMartin Gutenbrunner
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Design patterns
Design patternsDesign patterns
Design patternsJason Austin
 
Paris Web - Javascript as a programming language
Paris Web - Javascript as a programming languageParis Web - Javascript as a programming language
Paris Web - Javascript as a programming languageMarco Cedaro
 
The secret of PHP7's Performance
The secret of PHP7's Performance The secret of PHP7's Performance
The secret of PHP7's Performance Xinchen Hui
 
Building a Testable Data Access Layer
Building a Testable Data Access LayerBuilding a Testable Data Access Layer
Building a Testable Data Access LayerTodd Anglin
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
Exception Handling: Designing Robust Software in Ruby
Exception Handling: Designing Robust Software in RubyException Handling: Designing Robust Software in Ruby
Exception Handling: Designing Robust Software in RubyWen-Tien Chang
 
How to analyze your codebase with Exakat using Docker - Longhorn PHP
How to analyze your codebase with Exakat using Docker - Longhorn PHPHow to analyze your codebase with Exakat using Docker - Longhorn PHP
How to analyze your codebase with Exakat using Docker - Longhorn PHPDana Luther
 
Php7 傳說中的第七隻大象
Php7 傳說中的第七隻大象Php7 傳說中的第七隻大象
Php7 傳說中的第七隻大象bobo52310
 
Zen of Akka
Zen of AkkaZen of Akka
Zen of AkkaKonrad Malawski
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Vote NO for MySQL
Vote NO for MySQLVote NO for MySQL
Vote NO for MySQLUlf Wendel
 
Rafael Bagmanov «Scala in a wild enterprise»
Rafael Bagmanov «Scala in a wild enterprise»Rafael Bagmanov «Scala in a wild enterprise»
Rafael Bagmanov «Scala in a wild enterprise»e-Legion
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...Codemotion
 
Php Debugging from the Trenches
Php Debugging from the TrenchesPhp Debugging from the Trenches
Php Debugging from the TrenchesSimon Jones
 
PHP7 - The New Engine for old good train
PHP7 - The New Engine for old good trainPHP7 - The New Engine for old good train
PHP7 - The New Engine for old good trainXinchen Hui
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Paris Web - Javascript as a programming language
Paris Web - Javascript as a programming languageParis Web - Javascript as a programming language
Paris Web - Javascript as a programming languageMarco Cedaro
 
The secret of PHP7's Performance
The secret of PHP7's Performance The secret of PHP7's Performance
The secret of PHP7's Performance Xinchen Hui
 
Building a Testable Data Access Layer
Building a Testable Data Access LayerBuilding a Testable Data Access Layer
Building a Testable Data Access LayerTodd Anglin
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
Exception Handling: Designing Robust Software in Ruby
Exception Handling: Designing Robust Software in RubyException Handling: Designing Robust Software in Ruby
Exception Handling: Designing Robust Software in RubyWen-Tien Chang
 
How to analyze your codebase with Exakat using Docker - Longhorn PHP
How to analyze your codebase with Exakat using Docker - Longhorn PHPHow to analyze your codebase with Exakat using Docker - Longhorn PHP
How to analyze your codebase with Exakat using Docker - Longhorn PHPDana Luther
 
Php7 傳說中的第七隻大象
Php7 傳說中的第七隻大象Php7 傳說中的第七隻大象
Php7 傳說中的第七隻大象bobo52310
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 

Was ist angesagt? (20)

Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositories
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Stronger
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
Carlo Sciolla - Above and beyond type systems with clojure.spec - Codemotion ...
 
Php Debugging from the Trenches
Php Debugging from the TrenchesPhp Debugging from the Trenches
Php Debugging from the Trenches
 
PHP7 - The New Engine for old good train
PHP7 - The New Engine for old good trainPHP7 - The New Engine for old good train
PHP7 - The New Engine for old good train
 
Old code doesn't stink
Old code doesn't stinkOld code doesn't stink
Old code doesn't stink
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Design patterns
Design patternsDesign patterns
Design patterns
 
Paris Web - Javascript as a programming language
Paris Web - Javascript as a programming languageParis Web - Javascript as a programming language
Paris Web - Javascript as a programming language
 
The secret of PHP7's Performance
The secret of PHP7's Performance The secret of PHP7's Performance
The secret of PHP7's Performance
 
Building a Testable Data Access Layer
Building a Testable Data Access LayerBuilding a Testable Data Access Layer
Building a Testable Data Access Layer
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and Tricks
 
Exception Handling: Designing Robust Software in Ruby
Exception Handling: Designing Robust Software in RubyException Handling: Designing Robust Software in Ruby
Exception Handling: Designing Robust Software in Ruby
 
How to analyze your codebase with Exakat using Docker - Longhorn PHP
How to analyze your codebase with Exakat using Docker - Longhorn PHPHow to analyze your codebase with Exakat using Docker - Longhorn PHP
How to analyze your codebase with Exakat using Docker - Longhorn PHP
 
Php7 傳說中的第七隻大象
Php7 傳說中的第七隻大象Php7 傳說中的第七隻大象
Php7 傳說中的第七隻大象
 
Zen of Akka
Zen of AkkaZen of Akka
Zen of Akka
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 

Ähnlich wie SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013

Vote NO for MySQL
Vote NO for MySQLVote NO for MySQL
Vote NO for MySQLUlf Wendel
 
Rafael Bagmanov «Scala in a wild enterprise»
Rafael Bagmanov «Scala in a wild enterprise»Rafael Bagmanov «Scala in a wild enterprise»
Rafael Bagmanov «Scala in a wild enterprise»e-Legion
 
MySQL Without the SQL -- Oh My! Longhorn PHP Conference
MySQL Without the SQL -- Oh My! Longhorn PHP ConferenceMySQL Without the SQL -- Oh My! Longhorn PHP Conference
MySQL Without the SQL -- Oh My! Longhorn PHP ConferenceDave Stokes
 
Empowering the AWS DynamoDB™ application developer with Alternator
Empowering the AWS DynamoDB™ application developer with AlternatorEmpowering the AWS DynamoDB™ application developer with Alternator
Empowering the AWS DynamoDB™ application developer with AlternatorScyllaDB
 
Catalyst - refactor large apps with it and have fun!
Catalyst - refactor large apps with it and have fun!Catalyst - refactor large apps with it and have fun!
Catalyst - refactor large apps with it and have fun!mold
 
MySQL Without the MySQL -- Oh My!
MySQL Without the MySQL -- Oh My!MySQL Without the MySQL -- Oh My!
MySQL Without the MySQL -- Oh My!Dave Stokes
 
Scala in a wild enterprise
Scala in a wild enterpriseScala in a wild enterprise
Scala in a wild enterpriseRafael Bagmanov
 
Ohio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLOhio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLDave Stokes
 
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Jim Czuprynski
 
MySQL's NoSQL -- Texas Linuxfest August 22nd 2015
MySQL's NoSQL -- Texas Linuxfest August 22nd 2015MySQL's NoSQL -- Texas Linuxfest August 22nd 2015
MySQL's NoSQL -- Texas Linuxfest August 22nd 2015Dave Stokes
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Nick Galbreath
 
MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfVinicius M Grippa
 
Buildingsocialanalyticstoolwithmongodb
BuildingsocialanalyticstoolwithmongodbBuildingsocialanalyticstoolwithmongodb
BuildingsocialanalyticstoolwithmongodbMongoDB APAC
 
PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)
PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)
PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)Ontico
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Making It To Veteren Cassandra Status
Making It To Veteren Cassandra StatusMaking It To Veteren Cassandra Status
Making It To Veteren Cassandra StatusEric Lubow
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupRafal Kwasny
 
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetupAvoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetupDavide Cioccia
 
USQ Landdemos Azure Data Lake
USQ Landdemos Azure Data LakeUSQ Landdemos Azure Data Lake
USQ Landdemos Azure Data LakeTrivadis
 

Ähnlich wie SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013 (20)

Vote NO for MySQL
Vote NO for MySQLVote NO for MySQL
Vote NO for MySQL
 
Rafael Bagmanov «Scala in a wild enterprise»
Rafael Bagmanov «Scala in a wild enterprise»Rafael Bagmanov «Scala in a wild enterprise»
Rafael Bagmanov «Scala in a wild enterprise»
 
MySQL Without the SQL -- Oh My! Longhorn PHP Conference
MySQL Without the SQL -- Oh My! Longhorn PHP ConferenceMySQL Without the SQL -- Oh My! Longhorn PHP Conference
MySQL Without the SQL -- Oh My! Longhorn PHP Conference
 
Empowering the AWS DynamoDB™ application developer with Alternator
Empowering the AWS DynamoDB™ application developer with AlternatorEmpowering the AWS DynamoDB™ application developer with Alternator
Empowering the AWS DynamoDB™ application developer with Alternator
 
Catalyst - refactor large apps with it and have fun!
Catalyst - refactor large apps with it and have fun!Catalyst - refactor large apps with it and have fun!
Catalyst - refactor large apps with it and have fun!
 
MySQL Without the MySQL -- Oh My!
MySQL Without the MySQL -- Oh My!MySQL Without the MySQL -- Oh My!
MySQL Without the MySQL -- Oh My!
 
Scala in a wild enterprise
Scala in a wild enterpriseScala in a wild enterprise
Scala in a wild enterprise
 
Ohio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLOhio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQL
 
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
 
MySQL's NoSQL -- Texas Linuxfest August 22nd 2015
MySQL's NoSQL -- Texas Linuxfest August 22nd 2015MySQL's NoSQL -- Texas Linuxfest August 22nd 2015
MySQL's NoSQL -- Texas Linuxfest August 22nd 2015
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
 
Oracle's Take On NoSQL
Oracle's Take On NoSQLOracle's Take On NoSQL
Oracle's Take On NoSQL
 
MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdf
 
Buildingsocialanalyticstoolwithmongodb
BuildingsocialanalyticstoolwithmongodbBuildingsocialanalyticstoolwithmongodb
Buildingsocialanalyticstoolwithmongodb
 
PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)
PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)
PostgreSQL - масштабирование в моде, Valentine Gogichashvili (Zalando SE)
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Making It To Veteren Cassandra Status
Making It To Veteren Cassandra StatusMaking It To Veteren Cassandra Status
Making It To Veteren Cassandra Status
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetupAvoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
 
USQ Landdemos Azure Data Lake
USQ Landdemos Azure Data LakeUSQ Landdemos Azure Data Lake
USQ Landdemos Azure Data Lake
 

Mehr von Nick Galbreath

Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Nick Galbreath
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software developmentNick Galbreath
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListNick Galbreath
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Nick Galbreath
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachineNick Galbreath
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Nick Galbreath
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on whiteNick Galbreath
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Nick Galbreath
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 

Mehr von Nick Galbreath (12)

Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading List
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on white
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 

Kürzlich hochgeladen

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Kürzlich hochgeladen (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013

  • 1. SQL-RISC New Directions in SQLi Prevention Nick Galbreath RSA 2013-02-27
  • 2. SQL-RISC: NEW DIRECTIONS IN SQLI DETECTION AND PREVENTION Nick Galbreath IPONWEB ► Session ID: ASEC-­‐W23 ► Session Classification: Advanced
  • 3. Latest version of these slides: http://client9.com/20130227/ Tweet tweet: @ngalbreath Originally presented at: RSA Conference USA Moscone Center San Francisco, California February 27, 2013 10:40 AM, Room 132
  • 4. What if we could substantially reduce the SQLi attack surface of a web application? @ngalbreath
  • 5. without new hardware or firewalls? @ngalbreath
  • 7. and comes with free SQLi attack monitoring? @ngalbreath
  • 8. Wild Speculation? @ngalbreath
  • 10. 1970s: SQL Invented ► Hey that's 40 years ago. ► "Structured Query Language" ► Why is it still around and so popular? ► Exercise for the reader: Pick any query you like, and write the equivalent in your favorite programming language. ► SQL is scriptable data structures. @ngalbreath
  • 11. 1972: Oracle Releases the First Commercial Database Also, Coppola releases The Godfather @ngalbreath
  • 12. Remember the 80s? ► Networking sucked! ► TCP/IP not widespread ► Computers are fragile, expensive and slow ► Shoulder-pads so what do you do? @ngalbreath
  • 13. Centralize ► Move computation as close as possible to the data ► Move to super-servers ► Have cheap/dumb clients @ngalbreath
  • 14. 1988: Oracle V6 ► The Database is now a full programming environment ► Unicode/UTF8 not standard ► Complexity explosion ► ... but most clients are private Also in 1988: Crack Cocaine 'invented' @ngalbreath
  • 15. And then the 1990s ► TCP/IP ► Cheap CPUs ► Web Browsers ► Attaching databases to public networks This is why most of us are here today. @ngalbreath
  • 16. 2000+ Web Scale ► Discovery that data problems are a lot more painful than CPU problems. ► Turns out disk drives are mechanical ► If your database maxes out, you have big problems... so move everything out of the database. ► Complete reversal in strategy @ngalbreath
  • 17. SQL isn't going anywhere ► For front-ends, general trend is federating data across cheap machines, using stripped down SQL ► SQL-like languages used by Amazon, Google and others. ► Still great for analytics and reporting on the back end, and generic data storage. ► But we stuck with legacy of the past. @ngalbreath
  • 18. SQL'S DARK CORNERS ► bit.ly/UkQd7Z
  • 19. SQL is Huge ► 40+ years of built up crud ► 1992 spec is 625 pages of plain text ► 2003 spec is 128 pages of BNF ► No one is completely compliant ► Every one has special extensions SQL is more complicated than you think.... @ngalbreath
  • 20. SQL Integer Forms • [0-9]+ • 0x[0-9a-fA-F]+ 0xDEADbeef MySQL, MSSQL 0x is case sensitive • 0x MSSQL only • x'DEADbeef' PgSQL • b'10101010' MySQL, PgSQL • 0b010101 MySQL @ngalbreath
  • 21. SQL Floating Point Forms ► digits ► digits[.] ► digits[.]digits ► digits[eE]digits ► digits[eE][+-]digits ► digits[.][eE]digits ► digits[.]digits[eE][+-]digits ► http://bit.ly/Qp6KTu ► digits[.]digits[eE]digits ► [.]digits ► [.]digits[eE]digits ► [.]digits[eE][+-]digits Optional starts with [+-] ► "binary_float_infinity" (O) Optional ending with [dDfF] (Oracle) @ngalbreath
  • 22. SQL Money Literals ► MSSQL has a money type. ► -$45.12 ► $123.0 ► +$1,000,000.00 Commas ignored ► Many symbols are accepted for currency type @ngalbreath
  • 23. SQL Ridiculous Operators ▶ != not equals, standard ▶ <=> mysql ▶ <> mssql ▶ ^= oracle ▶ !>, !< not less than mssql ▶ / oracle ▶ !! factorial (pgsql) ▶ |/ square root (pgsql) ▶ ||/ cube root (pgsql) ▶ ** exponential (oracle) @ngalbreath
  • 24. SQL Strings, Charset & Comments Such a tangled mess, I defer to my DEFCON 20 talk: http:// client9.com/ 20120727/ @ngalbreath
  • 26. Keyword Detection s/UNION.ALL/i ► The dumbest possible regexp. ► I've used this regexp as a goof for a while, but oddly works well in detecting SQLi scans. dow ► Almost zero false positives ore sha f @ngalbreath
  • 27. By Using Regular Expressions Trying to catch more SQLi attacks leads to the question of is user input SQLi or not? Using regular expressions you end up with something like this: (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+ ()(?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~])(?:"s*ors*"?d)|(?:x(?:23| 27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-]s*"s* w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema| table_nameW)(?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=& &)w+()|(?:"[sd]*[^ws]+W*dW*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s* d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]+"[^,])(?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)| (?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|][ds!=+-]+.*["(].*$)|(?:"s*[!=|][d s!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+")(?:unions*(?:all|distinct|[(!@]*)? s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[sw]+=s*w+ s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets* ()(?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--| #))|(?:"[%&<>^=]+ds*(=|or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+ s*W.*")(?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert| desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)| (?:ends*);)|("s+regexpW)|(?:[s(]load_files*()(?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and| or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@ w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()])(?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/ from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!+"w)|(?:";s*(?:if|while| begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(])(?:(select|;)s+(?:benchmark|if|sleep) s*?(s*(?s*w+)(?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert| desc)s*[[(]?w{2,})(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto)(?:procedures+analyses* ()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@)(?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{))(?:sexecs+xp_cmdshell)|(?:"s*! s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";?s*(?:select| union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()| (?:into[s+]+(?:dump|out)files*")(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(), +-]+s*againsts*()(?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete| update|insert|desc)s*(s*spaces*()(?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)])(?:(sleep((s*)(d*) (s*))|benchmark((.*),(.*))))(?:(union(.*)select(.*)from))(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647| 0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) @ngalbreath
  • 28. libinjection First presented at Black Hat USA 2012 http://client9.com/20120725 iSEC Partners party at Bellagio
  • 29. libinjection ▶ Takes input and create tokens as if it SQL ▶ Compares first 5 tokens to "things that match SQLi" ▶ 50k+ SQLi samples, some from wild, some hand made, some from scans ▶ C, 100k checks per second ▶ Open Source, BSD License ▶ http://client9.com/libinjection @ngalbreath
  • 30. Why do we have UNION at all? ▶ http://www.deepthoughtsbyjackhandey.com and what else do I, the developer, never use, but is commonly used by SQLi attackers? @ngalbreath
  • 31. Let's use libinjection to find features of SQL used in SQLi! ► That's what I wrote in the abstract. ► Turns out to be not necessary ► Used the 50,000+ SQLi samples library from libinjection and ... ► ... the Awesome Power of Grep (well ... python regexp actually) @ngalbreath
  • 32. A Highly Unscientific collection of 50,000+ SQLi attacks collected from actual attacks, scanners, how to guides, etc. But doesn't take into account: ► Frequency ► Severity ► Uniqueness hat! So  W ► Actual successful attacks versus probes ► Doesn't look at exfiltration techniques @ngalbreath
  • 33. SQL used in SQLi union 75% comments (any type) 70% concat, etc 23% hex number literals 22% subselects 22% chr(),char() 6% aes, hex, compress 4% SQL variables 2% @ngalbreath
  • 34. 95% reduction in SQLi By eliminating the following in SQL: ➡unions ➡comments ➡subselects More than 95% of all SQLi samples were prevented. @ngalbreath
  • 35. 98+% reduction in SQLi ► By eliminating the remaining 'unusual' SQL, more than 98% of SQLi samples were prevented or rejected. ► Remaining 2% of SQLi attacks are all equivalent of 1 OR 1=1 ► Those remaining SQLi probes are mostly annoying, and mostly harmless. @ngalbreath
  • 36. And of the course the obvious Not represented by frequency, but all database extensions that allow shell commands, networking calls, etc. •Oracle: dbms_pipe functions (networking, shell) •Oracle: ctxsys functions (admin info) •MSSQL: xp_cmdshell (shell access) •MSSQL: opendatasource (networking) •Oracle: utl_smtp (sending email) •You probably know of others. Most vendors provide ways to disable these commands, or off by default. Will focus on pure SQL. @ngalbreath
  • 37. Introducing SQL-RISC I call this simplified SQL – SQL that limits SQLi damage -- SQL-RISC in honor of RISC computing. http://en.wikipedia.org/wiki/Reduced_instruction_set_computing @ngalbreath
  • 39. Can we replace unions? ► Strongly suspect most? many? websites do not use unions. ► All unions can be rewritten into two queries. Minor overhead cost. ► Applications can create 'views' if absolutely required. @ngalbreath
  • 40. Can we remove SQL comments? ► Uhh, I have a hard time getting developers to write any comments, let alone comments in SQL. ► Or just allow /* */ only at start of query (some ORMs generate a comment on where the query is coming from) @ngalbreath
  • 41. Can we replace SQL subselects? ► All subselects can be re-written as joins , with almost no application level code changes needed. ► SQLi that uses subselects can not be rewritten as joins (except in rare cases) @ngalbreath
  • 42. Can we replace SQL string functions? ► Including: substring, concatenation, encoding, encrypting, char functions, replacements ► Easy to move into application logic ► Suspect many web apps don't use these. @ngalbreath
  • 43. Other SQL Functions sleep/waitfor/shutdown 3.2% Having a hard time seeing any in boolean mode 1.7% need for them in public drop|create|replace 1.6% rand|random applications. 1.4% dbms_ 1.0% convert 0.9% Again, I was going to analyze updatexml|xmltype 0.9% generate_series 0.9% "real world" benign SQL, but randomblob 0.8% I've never used any of these waitfor 0.5% functions, ever, in any web extractvalue 0.5% application. begin 0.5% load_file 0.3% ascii 0.2% nvarchar 0.1% as binary 0.1% into outfile 0.01% @ngalbreath
  • 44. Enterprise Apps ► If SQL-RISC were implemented as a separate client, then ► public apps could use SQL-RISC ► internal apps could use regular SQL, and use all functions if required. ► This would make adoption much easier. @ngalbreath
  • 46. Fixing SQLi the Old Way ► Ensuring that every user input is properly validated is intractable (true, some frameworks help, but .... only if you are using them) ► Parameterized queries helps but some common SQL expressions cannot be expressed with parameterization (e.g. IN lists) ► Auditing is very slow ► Every code change may introduce new problem. @ngalbreath
  • 47. Fixing SQLi using SQL-RISC ► Using SQL-RISC may some require some application changes, however, this is a greppable finite problem. find . -name '*.php' | xargs grep -i union ► Feasibility, conversion & testing can be done before deployment of SQL-RISC. ► Once complete, the entire application, current and future is protected. @ngalbreath
  • 48. Auto-Detecting Attacks By using SQL-RISC, critical SQLi features are de-activated. SQLi Attacks turn into SQL Syntax Errors @ngalbreath
  • 49. SQL Syntax Errors are Easy to Monitor ► SQL Syntax errors are annoying but harmless, and are put into logs (database and/or application) ► Trivial to monitor using existing tools (e.g. grep -i 'syntax error' *.log ) ► Now you know where input validation isn't being done ▶ You should be monitoring SQL syntax errors anyways! Major alert if you are being scanner! @ngalbreath
  • 50. But won't attackers just use another part of SQL? Of course they will! This is not a 100% solution but provides a good start on security by default. Possible pathways is not unlimited. Maybe I missed something, but then it's likely to be some 'exotic' part of SQL The more exotic the SQL, the easier it is to detect. @ngalbreath
  • 51. Next Steps 食品サンプル
  • 52. Proof of Concept Patch ► Making a source code patch to deactivating functions and features should be a relatively simple task. ► May be possible to produce a binary patch: perl -p -i -e mysqld 's/UNION/blah/g' @ngalbreath
  • 53. Access Control ► However, best done via access control. ► Different clients could enable or disable SQL functions and features depending on need. ► This is a more complicated patch! @ngalbreath
  • 54. Closed-Source ► I challenge you! ► Provide controls for 'advanced' SQL features or provide a simplified parser option. @ngalbreath
  • 55. Let's Eat! ► Help wanted! ► contact me nickg@client9.com ► libinjection home page: http://client9.com/libinjection http:// client9.com /20130227/ @ngalbreath