DAT356 - Hackers Paradise: SQL Injection Attacks

DAT356
Hackers Paradise
SQL Injection Attacks
Doug Seven, Microsoft MVP
Cofounder of SqlJunkies.com
[email protected]
Session Agenda
Introduction to SQL Injection
How Do Attackers Do it?
Advanced Attacks
Solutions
Least-privilege Access
Parameterize DML
Validating Input
What is a SQL Injection?
SQL statement(s) “injected” into an existing SQL command
Injection occurs through malformed application input:
Text box.
Query string.
Manipulated values in HTML.
A good SQL injection attack can cripple and even destroy your database!
SQL Injection Causes
public void OnLogon(object src, EventArgs e){
    // Connects as "sa" with a blank password: highest privilege, no secret
    SqlConnection con = new SqlConnection(
        "server=(local);database=myDB;uid=sa;pwd=;" );
    // User input is pasted straight into the SQL text: this is the injection point
    string query = String.Format(
        "SELECT COUNT(*) FROM Users WHERE " +
        "username='{0}' AND password='{1}'",
        txtUser.Text, txtPassword.Text );
    SqlCommand cmd = new SqlCommand(query, con);
    con.Open();
    SqlDataReader reader = cmd.ExecuteReader();
    try{
        // COUNT(*) always returns one row, so test the count rather than HasRows
        if(reader.Read() && reader.GetInt32(0) > 0)
            IssueAuthenticationTicket();
        else
            TryAgain();
    }
    finally{
        reader.Close();
        con.Close();
    }
}
The Problem
Expected:
Username: doug
Password: p@$$w0rd
SELECT COUNT(*)
FROM Users
WHERE username='doug' and password='p@$$w0rd'
Malicious:
Username: ' OR 1=1 --
Password: p@$$w0rd
SELECT COUNT(*)
FROM Users
WHERE username='' OR 1=1 -- and password='p@$$w0rd'
Basic SQL Injection
How Do Attackers Know?
Insider Information
Trial and Error
Error messages often reveal too much
A malicious user can force an error to discover information about the database
It Gets Worse
Once a malicious user can access the database, they are likely to use:
xp_cmdshell
xp_grantlogin
xp_regread
With the right privileges the user can access ALL databases on the server
Extended Stored Procedures
Problem: Access Privileges
Application is accessing database with:
“sa” account
ASP.NET worker process account (added as admin)
High-privilege user account
Solution: Limit Privileges
Application should have the least necessary privileges to access the database
Grant the ASP.NET account access to the database using an alias
Create an account that has minimal privileges (EXEC-only)
Machine\ASPNET
-- Windows 2000 / XP
EXEC sp_grantlogin [MachineName\ASPNET]
EXEC sp_grantdbaccess [MachineName\ASPNET], [Alias]
GRANT EXECUTE ON [ProcedureName] TO [Alias]
GO
-- Windows Server 2003
EXEC sp_grantlogin [NT AUTHORITY\NETWORK SERVICE]
EXEC sp_grantdbaccess [NT AUTHORITY\NETWORK SERVICE]
GRANT EXECUTE ON [ProcedureName]
TO [NT AUTHORITY\NETWORK SERVICE]
GO
Least Privilege
Problem: DML in Code
Application code shouldn’t contain SQL Data Manipulation Language (DML)
DML enables malicious input to be injected
Eliminating DML should be part of your next security review
Solution: Parameterize DML
If DML is a requirement of the application, add parameters to the SQL statements
string sql = "SELECT * FROM Users " +
             "WHERE username=@Username " +
             "AND password=@Password";
SqlCommand command = new SqlCommand(sql, connection);
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;
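An added example, not from the session, that puts the "SQL Injection Causes" logon and the "Parameterize DML" fix side by side in Python against a constructed in-memory SQLite table (the real Users schema is not given beyond the two columns the query touches; sqlite3 uses ? placeholders where ADO.NET uses @Username and @Password):

```python
import sqlite3

# Constructed stand-in for the slides' Users table, with the one expected user.
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE Users (username TEXT, password TEXT)")
con.execute("INSERT INTO Users VALUES ('doug', 'p@$$w0rd')")


def build_query(user, pw):
    """Mirror the slide's String.Format: the inputs become part of the SQL text."""
    return ("SELECT COUNT(*) FROM Users WHERE "
            f"username='{user}' AND password='{pw}'")


def vulnerable_login(user, pw):
    """The OnLogon pattern: whatever was typed is executed as SQL."""
    count = con.execute(build_query(user, pw)).fetchone()[0]
    return count > 0


def safe_login(user, pw):
    """The parameterized form: placeholders in the text, values bound separately,
    so a quote or a '--' in the input is data, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM Users WHERE username=? AND password=?"
    count = con.execute(sql, (user, pw)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    # The slide's malicious username comments out the password check entirely.
    print(build_query("' OR 1=1 --", "p@$$w0rd"))
    print("concatenated:", vulnerable_login("' OR 1=1 --", "anything"))
    print("parameterized:", safe_login("' OR 1=1 --", "anything"))
```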
Solution: Stored Procedures
Less vulnerable to SQL injection attacks
Added security via EXECUTE permission
SqlCommand command = new SqlCommand("Users_GetUser", connection);
command.CommandType = CommandType.StoredProcedure;
// Parameters are bound exactly as for the parameterized text command
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;
Stored Procedures
Problem: User Input
All user input is inherently evil
Malicious input can:
Inject SQL statements
Execute arbitrary SQL
Damage limited only by privilege of data account
Alter application flow
Attack other users (cross-site scripting)
Read/write cookies
Execute script, etc.
Solution: Input Validation
All user input should be cleansed
ASP.NET validation controls
RegEx class
Reject invalid input
Encode any input that is echoed to the browser
HttpUtility.HtmlEncode()
Always use parameterized SQL queries
Parameterized commands (good)
Parameterized stored procedures (better)
ASP.NET Request Validation
Validates query string, form data, cookies
Developers still have responsibility to secure inputs
Can be disabled at page-, application-, or machine-level
Input and Request Validation
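An added example, not from the session, of the two validation layers described in the last two slides: a simplified stand-in for ASP.NET request validation (it looks only for markup), an application allow-list for the user name built with a regular expression, and an HtmlEncode equivalent for input echoed back. The allow-list pattern and the markup check are assumptions made for this example, not the real ASP.NET implementation.

```python
import html
import re

# Allow-list for a login name (assumption: letters, digits, dot, underscore,
# hyphen, 1 to 32 characters; the slides name the RegEx class but give no pattern).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Simplified stand-in for ASP.NET request validation, which looks for HTML-like
# markup in the request (assumption: not the platform's real rule set).
MARKUP_RE = re.compile(r"<[A-Za-z!/]")


def request_validation_rejects(value):
    """Platform-level check: catches markup, says nothing about SQL metacharacters."""
    return MARKUP_RE.search(value) is not None


def username_is_valid(value):
    """Application-level allow-list: reject anything outside the expected shape."""
    return USERNAME_RE.fullmatch(value) is not None


def html_encode(value):
    """Equivalent of HttpUtility.HtmlEncode() for input echoed to the browser."""
    return html.escape(value, quote=True)


def screen_logon_input(username):
    """Run both layers; return which one rejected the value, or None if accepted."""
    if request_validation_rejects(username):
        return "rejected by request validation"
    if not username_is_valid(username):
        return "rejected by application allow-list"
    return None


if __name__ == "__main__":
    # The slide's injection string contains no markup, so only the allow-list stops it.
    for sample in ("doug", "' OR 1=1 --", "<b>doug</b>"):
        print(repr(sample), "->", screen_logon_input(sample), "|", html_encode(sample))
```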
SqlJunkies.com
Online resource for DEVELOPERS using SQL Server
DotNetJunkies.com
Online resource for developers working with the .NET Framework
Web Application Disassembly with ODBC Error Messages by David Litchfield
http://www.nextgenss.com/papers/webappdis.doc
Writing Secure Code (Second Edition)
Michael Howard & David LeBlanc
Microsoft Press, December 2002
Required reading at Microsoft!
Improving Web Application Security
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp
Building Secure ASP.NET Applications
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/secnetlpmsdn.asp
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.