Transcript 投影片 1

Web site security
Part 2 : Defending Against
SQL Injection
Reporter : James Chen
1
Outline

What is SQL Injection?

SQL Injection Testing Methodology
SQL Injection Defense
 SQL injection detection method and tools
 My Automatic Anti-SQL Injection Method
features
 Summary

2
What is SQL Injection?
 The
ability to inject SQL commands
into the database engine
through an existing application
3
How common is it?



It is probably the most common Website vulnerability
today!
It is a flaw in "web application" development,
it is not a DB or web server problem
 Most programmers are still not aware of this problem
 A lot of the tutorials & demo “templates” are
vulnerable
 Even worse, a lot of solutions posted on the Internet
are not good enough
In our pen tests over 60% of our clients turn out to be
vulnerable to SQL Injection
4
Vulnerable Applications


Almost all SQL databases and programming languages are
potentially vulnerable
 MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access,
Sybase, Informix, etc
Accessed through applications developed using:
 Perl and CGI scripts that access databases
 ASP, JSP, PHP
 XML, XSL and XSQL
 Javascript
 VB, MFC, and other ODBC-based tools and APIs
 DB specific Web-based applications and API’s
 Reports and DB Applications
 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)
 many more
5
SQL Injection Characters











' or "
character String Indicators
-- or #
single-line comment
/*…*/
multiple-line comment
+
addition, concatenate (or space in url)
||
(double pipe) concatenate
%
wildcard attribute indicator
?Param1=foo&Param2=bar URL Parameters
PRINT
useful as non transactional command
@variable local variable
@@variable
global variable
waitfor delay '0:0:10'
time delay
6
SQL Injection Testing Methodology
1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
5) OS Interaction
4) Extracting Data
6) OS Cmd Prompt
7) Expand Influence
7
1) Input Validation :Discovery of Vulnerabilities


Vulnerabilities can be anywhere, we check all entry points:
 Fields in web forms
 Script parameters in URL query strings
 Values stored in cookies or hidden fields
By "fuzzing" we insert into every one:
 Character sequence: ' " ) # || + >
 SQL reserved words with white space delimiters
 %09select (tab%09, carriage return%13, linefeed%10
and space%32 with and, or, update, insert, exec, etc)
 Delay query ' waitfor delay '0:0:10'--
8
2) Information Gathering

We will try to find out the following:

Understand the query
 Output mechanism
 Determine database type
 Find out user privilege level
9
3) 1=1 Attacks
Discover DB structure
 Enumerating table columns in different
DBs
 Database Enumeration

10
4) Extracting Data
Password grabbing
 Create DB Accounts
 Grabbing MS SQL Server Hashes
 Brute forcing Passwords
 Transfer DB structure and data
 Create Identical DB Structure
 Transfer DB

11
5) OS Interaction
Interacting with the OS
 Assessing Network Connectivity
 Gathering IP information through reverse
lookups
 Network Reconnaissance

12
Architecture



To keep in mind always!
Our injection most times will be executed on a different
server
The DB server may not even have Internet access
Web Server
Application Server
Database Server
Web
Page
Access
Input
Validation
Flaw
Injected SQL
Execution!
13
6) OS Cmd Prompt
Jumping to the OS
 Using ActiveX Automation Scripts
 Retrieving VNC Password from Registry

14
7) Expand Influence
Hopping into other DB Servers
 Linked Servers
 Executing through stored procedures
remotely
 Uploading files through reverse connection
 Uploading files through SQL Injection

15
Evasion Techniques

Input validation or IDS Signature Evasion
 Evading
' OR 1=1 signature
 ' OR 'something' like 'some%‘
 use PHP addslashes() function to escape characters
 This can be easily evaded by using replacements
for any of characters in a numeric field
 To be circumvented by encoding or using Char()
 Using white spaces, comments, string
concatenation, variables, hex value
16
SQL Injection Defense
It is quite simple: input validation
 The real challenge is making best
practices consistent through all your code

 Enforce
"strong design" in new applications
 You should audit your existing websites and
source code

Even if you have an air tight design,
harden your servers
17
Strong Design

Define an easy "secure" path to querying
data
 Use
stored procedures for interacting with
database
 Call stored procedures through a
parameterized API
 Validate all input through generic routines
 Use the principle of "least privilege"

Define several roles, one for each kind of query
18
Input Validation

Define data types for each field
 Implement

stringent "allow only good" filters
If the input is supposed to be numeric, use a
numeric variable in your script to store it
 Reject
bad input rather than attempting to
escape or modify it
 Implement stringent "known bad" filters

For example: reject "select", "insert", "update",
"shutdown", "delete", "drop", "--", "'"
19
Harden the Server







Run DB as a low-privilege user account
Remove unused stored procedures and functionality or
restrict access to administrators
Change permissions and remove "public" access to
system objects
Audit password strength for all user accounts
Remove pre-authenticated linked servers
Remove unused network protocols
Firewall the server so that only trusted clients can
connect to it (typically only: administrative network, web
server and backup server)
20
Detection and Dissuasion


You may want to react to SQL injection attempts by:
 Logging the attempts
 Sending email alerts
 Blocking the offending IP
 Sending back intimidating error messages:
 "WARNING: Improper use of this application has
been detected. A possible attack was identified.
Legal actions will be taken."
 Check with your lawyers for proper wording
This should be coded into your validation scripts
21
SQL injection detection method has
introduced
Typical
validation procedure
Anti-SQL-Injection.php
To take the popular open-source
IDS Snort
WAVES—Black-box approach
22
WAVES—Black-box approach

Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. “Web
Application Security Assessment by Fault Injection and
Behavior Monitoring.” In Proc. 12th Int’l World Wide Web
Conference, p.148-159, Budapest, Hungary, 2003.

Using crawler to discover all pages in a Web site
that contain HTML forms.
HTML forms are parsed and stored in XML
format.
To inject malicious SQL patterns into the serverside program that processes the form’s input.
If the filtering mechanism is provided on a global
scale, then injection will fail.



23
Automatic black-box method features
Complete crawling
 Bypass the validation procedure
 Test set and injection patterns Automatic
generation (self-learning)
 Output analysis according output error
messages

24
Other sql injection tools introduction
Absinthe
 WebScarab
 WebGoat

25
Absinthe (字典攻擊)
26
Absinthe (cont.)
27
Web Scarab




WebScarab is a framework for analysing
applications that communicate using the HTTP
and HTTPS protocols.
It is written in Java, and is thus portable to many
platforms.
WebScarab records the conversations (requests
and responses) that it observes.
To allow a security specialist to identify
vulnerabilities in the way that the application has
been designed or implemented.
28
WebScarab plugin

WebScarab provides a number of plugins：
 Fragments
- extracts Scripts and HTML comments
from HTML pages.
 Proxy - observes traffic between the browser and the
web server


Manual intercept
Reveal hidden fields
 Spider
- identifies new URLs on the target site, and
fetches them on command.
 Parameter fuzzer - performs automated substitution of
parameter values that are likely to expose incomplete
parameter validation, leading to vulnerabilities like
Cross Site Scripting (XSS) and SQL Injection.
29
WebScarab Feature
WebScarab is extensible.
 Each feature above is implemented as a
plugin, and can be removed or replaced.
 New features can be easily implemented
as well .
 WebScarab is intended to become the tool
of choice for serious Web debugging.

30
WebScarab-selfcontained.jar
31
WebScarab snapshot
32
WebGoat
Web application security is difficult to learn
and practice.
 WebGoat is a full J2EE web application
designed to teach web application security
lessons.

33
My Automatic Anti-SQL Injection
Method features
不需要重新改寫網頁
 不需調整資料庫安全權限
 不需透過IDS或其他網路防禦設備
 不針對字典攻擊做防禦
 自動加入 input vlidation or filter function於
網頁中

34
How to insert validation function




Using crawler to discover all pages in a Web site
that contain HTML forms.
HTML forms are parsed and stored in XML
format.
To inject validation function into the server-side
program that processes the form’s input.
If SQL injection fail, my solutioin is success.
35
How to implement my solution




Using Web Scarab as platform.
Using Web Scarab’s Spider to identifies new
URLs on the target site, and fetches them on
command.
To inject validation function into the server-side
program that processes the form’s input.
Testing:using Web Scarab’s Parameter fuzzer to
expose incomplete parameter validation, leading
to vulnerabilities like Cross Site Scripting (XSS)
and SQL Injection.
36
Summary




SQL Injection is a dangerous vulnerability
All programming languages and all SQL
databases are potentially vulnerable
Protecting against it requires Input validation,
IDS detection AND strong database and OS
hardening must be used together.
We try to implement a anti-SQL Injection system
to insert correct input validation function
automatically.
37
Reference

Advanced SQL Injection, Victor Chapela
, http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt
38