The Threats

Course map diagram: Plan, Protect, Respond; topics: Planning & Policy, Incident Response, Threat Environment, Cryptography, Secure Networks, Access Control, Firewalls, Host Hardening, Application Security, Data Protection.
Defense
The Threats

Web application architecture diagram: Browser (Chrome, Internet Explorer, Firefox, Safari, Opera) -> Perimeter Firewall -> Web Server (Apache, Microsoft IIS) -> Middleware Server (PHP, ASP, JSP, Ruby on Rails, Python) -> Internal Firewall -> Database Server (Oracle, MySQL, SQL Server).
SQL Injection
Definition: malicious input that tricks the database into executing unintended commands, usually by exploiting input validation and data access vulnerabilities.
User Table (Not Very Secure)
CREATE TABLE security_user (
username varchar(25),
password varchar(128),
CONSTRAINT user_pk PRIMARY KEY (username)
);
INSERT INTO security_user
VALUES ('ormond', 'secure');
SQL Injection Using Dynamic Queries
A legitimate SQL query might be:
SELECT Count(*)
FROM security_user
WHERE username = 'contents of username textbox'
AND password = 'contents of password textbox';
SQL query with valid username and password (e.g. ormond and secure):
SELECT Count(*)
FROM security_user
WHERE username = 'ormond'
AND password = 'secure';
If a user enters a crafted username (e.g. ' OR 1 = 1 #), the quote closes the string literal, OR 1 = 1 makes the WHERE clause always true, and # comments out the rest of the statement, resulting in a SQL injection:
SELECT Count(*)
FROM security_user
WHERE username = '' OR 1 = 1 #' AND password = '';
Instead of, or together with, 1 = 1 you could use letters (' OR 'a' = 'a' #).
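The dynamic query above beside its bound-parameter form, as an added example that is not part of the original slides. It uses Python's sqlite3 module with a constructed in-memory copy of the security_user table; SQLite has no # comment, so the crafted username ends the statement with -- instead.

```python
import sqlite3


def new_db():
    """Constructed in-memory copy of the slides' security_user table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE security_user (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO security_user VALUES ('ormond', 'secure')")
    return conn


def login_dynamic(conn, username, password):
    """The slide's query built by string concatenation: the input becomes SQL text."""
    sql = ("SELECT Count(*) FROM security_user "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, username, password):
    """Same query with bound parameters: quotes and comment markers in the input stay data."""
    sql = "SELECT Count(*) FROM security_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare_logins():
    """Run both versions with the valid login and with the slide's crafted username."""
    conn = new_db()
    crafted = "' OR 1 = 1 --"   # the slide's ' OR 1 = 1 # value in SQLite comment syntax
    return {
        "dynamic_valid": login_dynamic(conn, "ormond", "secure"),
        "dynamic_crafted": login_dynamic(conn, crafted, ""),    # True: WHERE is always true
        "prepared_valid": login_prepared(conn, "ormond", "secure"),
        "prepared_crafted": login_prepared(conn, crafted, ""),  # False: no such username
    }


if __name__ == "__main__":
    for case, accepted in compare_logins().items():
        print(f"{case:17s} login accepted: {accepted}")
```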
SQL Injection Demo 1: Dynamic Queries
SQL Injection Using Stacked Queries
Stacked queries: execution of more than one SQL query in a single function call from
an application program.
A query may intend to select all employees managed by a specific supervisor:
SELECT *
FROM employee
WHERE employee_supervisor = $supervisorID;
However, if a user enters one of the following:
1; DELETE FROM security_user;
OR
1; DROP TABLE security_user;
The user injects a stacked query: the second statement runs after the intended SELECT and either removes every record from the user table (DELETE) or drops the table entirely (DROP TABLE).
SQL Injection Demo 2: Stacked Queries
The Countermeasures
SQL Injection Countermeasures
Constrain and Sanitize Input Data
Bind Parameters Using Prepared Statements
Inserting a Record
// mysqli: "is" gives the parameter types (integer, string); bind_param() binds
// by reference, so the values may be assigned after binding and before execute().
$stmt = $c->prepare("INSERT INTO customer (id, name) VALUES (?, ?)");
$stmt->bind_param("is", $id, $name);
$id = 529381;
$name = 'Billy BlueJay';
$stmt->execute();
Returning Records
$stmt = $c->prepare("SELECT * FROM customer WHERE name = ?");
$stmt->bind_param("s", $name);
$name = 'Billy BlueJay';
$stmt->execute();
$results = $stmt->get_result();
while ($result = $results->fetch_array()) { ... }
Alternatively, the following escapes quotes in strings (a fallback where prepared statements cannot be used; it only protects values placed inside quoted string literals, so an unquoted numeric value such as id must still be validated or cast):
$id = mysqli_real_escape_string($c, $_POST['id']);
$name = mysqli_real_escape_string($c, $_POST['name']);
SQL Injection Countermeasures
Single Query Execution (unless you have a reason to do otherwise): use mysqli_query(), which runs exactly one statement, rather than mysqli_multi_query(), which runs every statement in the string and so makes stacked queries possible.
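An added example, not from the slides, that ties the stacked-query attack above to this countermeasure using Python's sqlite3 module: executescript() behaves like mysqli_multi_query() and runs every statement in the string, while execute() behaves like mysqli_query() and rejects a second statement. The security_user and employee rows are constructed sample data.

```python
import sqlite3

STACKED = "1; DELETE FROM security_user;"   # the slide's injected supervisor value


def new_db():
    """Constructed in-memory copies of the slides' tables (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE security_user (username TEXT PRIMARY KEY, password TEXT);
        INSERT INTO security_user VALUES ('ormond', 'secure');
        CREATE TABLE employee (employee_name TEXT, employee_supervisor INTEGER);
        INSERT INTO employee VALUES ('alice', 1), ('bob', 1), ('carol', 2);
    """)
    return conn


def user_count(conn):
    return conn.execute("SELECT Count(*) FROM security_user").fetchone()[0]


def employees_multi(conn, supervisor_id):
    """Dynamic query sent through the multi-statement API (like mysqli_multi_query())."""
    conn.executescript("SELECT * FROM employee WHERE employee_supervisor = " + str(supervisor_id))


def employees_single(conn, supervisor_id):
    """Same dynamic query through the single-statement API (like mysqli_query())."""
    sql = "SELECT * FROM employee WHERE employee_supervisor = " + str(supervisor_id)
    return conn.execute(sql).fetchall()


def employees_bound(conn, supervisor_id):
    """Constrain (must parse as an integer) and bind: the value can never become SQL."""
    sql = "SELECT * FROM employee WHERE employee_supervisor = ?"
    return conn.execute(sql, (int(supervisor_id),)).fetchall()


def run_demo():
    results = {}
    conn = new_db()
    employees_multi(conn, STACKED)
    results["users_after_multi"] = user_count(conn)      # 0: the stacked DELETE ran
    conn = new_db()
    try:
        employees_single(conn, STACKED)
        results["single_rejected"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):  # older Pythons raise sqlite3.Warning
        results["single_rejected"] = True
    results["users_after_single"] = user_count(conn)     # 1: nothing was executed
    try:
        employees_bound(conn, STACKED)
        results["bound_rejected"] = False
    except ValueError:                                    # "1; DELETE ..." is not an integer
        results["bound_rejected"] = True
    results["bound_rows_for_1"] = len(employees_bound(conn, "1"))   # 2 legitimate rows
    return results
```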
Use Dynamic SQL with Stored Procedures
DELIMITER $$
CREATE PROCEDURE dynamic (IN tbl CHAR(64), IN col CHAR(64))
BEGIN
  SET @s = CONCAT('SELECT ', col, ' FROM ', tbl);
  PREPARE stmt FROM @s;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$
DELIMITER ;
Note that tbl and col are concatenated into the statement text, so they must come from a fixed list of allowed names rather than directly from user input; only values passed through ? placeholders of the prepared statement are protected by binding.
Countermeasures in place…
We are good now, right?

Not quite!
Parameter Tampering

Element      Appearance
Restricted   12345
Read Only    uneditable
Disabled     disabled
Dropdown     drop
Checkbox     checked
Radio        selected / unselected
Button       Submit

<form method="post">
<input maxlength="5" value="12345" name="restricted" type="text">
<input readonly value="uneditable" name="readonly" type="text">
<input disabled value="disabled" name="disabled" type="text">
<select name="select">
<option>drop</option>
<option>down</option>
</select>
<input checked value="on" name="checkbox" type="checkbox">checked
<input checked value="selected" name="radio" type="radio">selected
<input value="unselected" name="radio" type="radio">unselected
<input value="submit" name="submit" type="submit">
</form>
Parameter Tampering Demo
<form method="post">
<input maxlength="10" value="max length" name="restricted" type="text">
<input readonly value="uneditable" name="readonly" type="text">
<input disabled value="disabled" name="disabled" type="text">
<select name="select">
<option>drop</option>
<option>down</option>
</select>
<input checked value="on" name="checkbox" type="checkbox">checked
<input checked value="selected" name="radio" type="radio">selected
<input value="unselected" name="radio" type="radio">unselected
<input value="submit" name="submit" type="submit">
</form>
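Every restriction in the forms above (maxlength, readonly, disabled, the option list) is enforced only by the browser, so the server has to re-check each posted field against what the form offered. An added example in Python, not part of the slides: the rules mirror the first form (maxlength 5) and both submissions are constructed.

```python
# Server-side rules mirroring the slide's first form: what each field may legitimately hold.
FORM_RULES = {
    "restricted": {"maxlength": 5},                        # <input maxlength="5">
    "readonly":   {"fixed": "uneditable"},                 # <input readonly value="uneditable">
    "select":     {"choices": {"drop", "down"}},           # the two <option>s
    "checkbox":   {"choices": {"on"}},                     # absent entirely when unchecked
    "radio":      {"choices": {"selected", "unselected"}},
    "submit":     {"choices": {"submit"}},
}
# Browsers never post disabled controls, so any value for this field came from outside the form.
NEVER_POSTED = {"disabled"}


def validate(form):
    """Return the violations for a posted form (dict of field -> value); [] means it is clean."""
    errors = []
    for name in form:
        if name in NEVER_POSTED:
            errors.append(f"{name}: disabled field was posted")
        elif name not in FORM_RULES:
            errors.append(f"{name}: unexpected field")
    for name, rule in FORM_RULES.items():
        if name not in form:
            continue                                       # e.g. an unchecked checkbox
        value = form[name]
        if "maxlength" in rule and len(value) > rule["maxlength"]:
            errors.append(f"{name}: {len(value)} chars exceeds maxlength {rule['maxlength']}")
        if "fixed" in rule and value != rule["fixed"]:
            errors.append(f"{name}: read-only value was changed")
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{name}: {value!r} is not one of the offered values")
    return errors


# Constructed submissions: one exactly as the browser would send it, one edited in transit.
HONEST_POST = {"restricted": "12345", "readonly": "uneditable", "select": "drop",
               "checkbox": "on", "radio": "selected", "submit": "submit"}
TAMPERED_POST = {"restricted": "1234567890", "readonly": "changed", "disabled": "now enabled",
                 "select": "neither", "radio": "admin", "submit": "submit"}

if __name__ == "__main__":
    print(validate(HONEST_POST))       # []
    for problem in validate(TAMPERED_POST):
        print(problem)
```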
Authentication Attacks
Insecure Password Reset Attack
Login Screen Bypass Attack
Bypass Transaction Authentication Number (TAN)
Login Screen Bypass Demo
Cross-Site Scripting (XSS) Attacks

XSS attack diagram: Attacker -> Upload Malicious Script -> Vulnerable Webpage (script stored in the Database Server); Victim -> Request -> Data -> Load Malicious Script -> Callback Sent to Attacker.

Cross Site Scripting Demo
Insecure Communication: http:// (unencrypted)
How do hackers test servers for vulnerabilities?
Summary Demo: Exam Sample
The Key Principle

NEVER TRUST USER INPUT!
Questions
Other Attacks: Command Injection
Other Attacks

Website Defacement diagram: the page content is replaced ("You Have Been H@ck3D").

Directory Traversal Attack diagram: a directory tree (root, WWW Root, etc, reports, public, docs, quarter.html, money.docx, passwd); the URLs /reports/quarter.html and /public/docs/money.docx reach Authorized Files, while a URL containing ../etc/passwd escapes the web root and reaches Restricted Files.

Buffer Overflow diagram: launches a shell.