My final presentation
Analysis of SQL injection
prevention using a filtering
proxy server
By: David Rowe
Supervisor: Barry Irwin
Presentation Outline
• Problem statement
• Motivation (example)
• Implementation
• Results
• Concluding remarks
• Questions
2
SQL injection
• SQL Injection is a method by which the
parameters of a Web-based application
are modified in order to change the SQL
statements that are passed to a database.
• An attacker is able to insert a series of
SQL statements into a 'query' by
manipulating data input.
3
SQL injection
4
Example
• The critical vulnerability is the way in which the query string is created.
• Example (no input validation; user input is concatenated straight into the SQL text):
var SQL = "select * from users where username = '" + username + "' and password = '" + password + "'";
5
Example
Vulnerable web page
6
Example
Queries executed:
select * from users where username = '
drop table users
7
Example
8
Example
If no spaces are allowed, try: 'or/**/1=1--
9
SQL injection types
• Redirecting and reshaping a query involves inserting
SQL commands into the query being sent to the
database. The commands allow a direct attack on the
database.
• Error-message-based SQL injection makes use of the
database error messages returned to the client. The
messages provide clues as to the database type and
structure as well as the query structure.
• Blind SQL injection involves a lot of guesswork
and thus requires a larger investment in time. The
attacker tries many combinations of attack and makes
the next attack attempt based on their interpretation of
the resulting HTML page output.
10
Classes of SQL injection
• In-band uses the existing connection to the database to
manipulate the database. An example of this would be to
use the data returned in a well-formed web page or an
error message.
• Out-of-band requires a new channel to be opened
between the client and the application. This usually
requires the database to connect out to the client using
email, HTTP or a database connection.
• Inference does not require any data transfer at all but
uses properties such as web server response time or
web server response codes.
11
Project Goals
• Analyse the structure of SQL query commands
• Build a parser that will check allowable patterns
of SQL statements
• Create a proxy server that will filter SQL
commands.
• Prevent a SQL injection attack to a database
using this proxy server.
• Prove that SQL injection can be prevented using
the filter developed to work on the proxy server.
12
SQL injection
13
Implementation Step
14
Implementation Step
15
Results
• Analyse the structure of SQL query commands
• Build a filter that will check allowable patterns of
SQL statements
• Create a proxy server that will filter SQL
commands.
• Prevent a SQL injection attack to a database
using this proxy server.
• Prove that SQL injection can be prevented using
the filter developed to work on the proxy server.
16
Results
• Working proxy server
– Extracts the SQL from a TDS query packet
– Prevents SQL injection attacks
• White list - principle of least privilege
• Black list - disallow
• Gray list - possibly harmful
• Regex list - input validation
– Logs
• Extracted SQL queries
• Halted SQL
– Alerts
• DBA via UDP
17
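To make the four lists on the previous slide concrete, here is an added example (not the project's own filter code) of how a proxy can classify each SQL statement extracted from a TDS packet: black-listed tokens halt the query outright, gray-listed constructs halt it unless the statement matches a white-listed shape, and a regex list validates every quoted literal. All rule sets, names and sample queries are constructed for this illustration.

```python
import re

# Constructed rule sets for illustration; names and patterns are this example's own,
# not the project's. Real lists would be longer and tuned to the application.
WHITE_LIST = [  # statement shapes the application is allowed to send (least privilege)
    re.compile(r"^select \* from users where username = '[^']*' and password = '[^']*'$", re.I),
    re.compile(r"^insert into users \(username, password\) values \('[^']*', '[^']*'\)$", re.I),
]
BLACK_LIST = [r";", r"--", r"/\*", r"\bdrop\b"]          # never legitimate here: halt outright
GRAY_LIST = [r"\bor\b\s+\S+\s*=\s*\S+", r"\bwaitfor\b"]  # possibly harmful: halt unless white-listed
VALUE_PATTERN = re.compile(r"^[A-Za-z0-9_@.-]{0,64}$")   # regex list: what a quoted literal may contain

LOG = []  # in-memory stand-in for the proxy's log of extracted and halted SQL

def classify(sql: str) -> str:
    """Decide 'allow' or 'halt' for one SQL statement extracted from a TDS packet."""
    LOG.append(f"EXTRACTED: {sql}")
    # Black list is checked on the raw text so that comment tricks such as /**/ are seen as-is.
    for pat in BLACK_LIST:
        if re.search(pat, sql, re.I):
            return _halt(sql, f"black-list {pat!r}")
    # Normalise whitespace before comparing against the allowed statement shapes.
    norm = re.sub(r"\s+", " ", sql).strip()
    whitelisted = any(p.match(norm) for p in WHITE_LIST)
    for pat in GRAY_LIST:
        if not whitelisted and re.search(pat, norm, re.I):
            return _halt(sql, f"gray-list {pat!r}")
    # Regex list: every quoted literal must look like ordinary user-supplied data.
    for literal in re.findall(r"'([^']*)'", norm):
        if not VALUE_PATTERN.match(literal):
            return _halt(sql, f"regex-list rejected literal {literal!r}")
    if not whitelisted:
        return _halt(sql, "no white-list match")
    LOG.append(f"ALLOW: {sql}")
    return "allow"

def _halt(sql: str, reason: str) -> str:
    LOG.append(f"HALT ({reason}): {sql}")  # the proxy would also alert the DBA here
    return "halt"

if __name__ == "__main__":
    # Constructed sample queries as a web application might send them through the proxy.
    samples = [
        "select * from users where username = 'alice' and password = 's3cret'",
        "select * from users where username = '' or 1=1--' and password = 'x'",
        "select * from users where username = 'bob'; drop table users --' and password = 'x'",
    ]
    for q in samples:
        print(classify(q))
    print("\n".join(LOG))
```

Because the gray list defers to the white list, a legitimate login with the username 'or' is still allowed, while the same keyword outside an allowed statement shape is halted.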
Results
[Chart: Average web transaction processing time - Hons08. Y axis: Time (ms)/query, 0 to 30. Series: Select, Insert. X axis (query scenario): Direct, Proxy - No filter, Proxy - Filter.]
18
Results
[Chart: Average web transaction processing time - Netserv. Y axis: Time (ms)/query, 0 to 30. Series: Select, Insert. X axis (query scenario): Direct, Proxy - No filter, Proxy - Filter.]
19
Conclusion
• Advantages
– Independent of flaws in application coding
and database privileges
– Can operate on a separate server with real-time
analysis
– Another layer of protection
• Disadvantages
– False positives: legitimate queries are filtered out too
– Won't work if data is encrypted
20
Questions
21