SQLrand: Preventing SQL Injection Attacks
Riji Jacob
MS Student in Computer Science
Hamdi Yesilyurt, MA
Student in MSDF & PhD-Public Affairs
Many Web applications on the Internet serve database-driven content
(e.g. Yahoo, Amazon).
The interactive nature of Web applications that employ database
services exposes them to SQL injection attacks.
Web applications receive user input via form fields and then
pass that input on as database requests.
A transaction may carry user names, passwords and information
of large monetary value.
It is also a national security and privacy matter: for example,
Social Security numbers in the U.S.
SQL injection attacks are widespread, and Web applications are
vulnerable to SQL Injection Attacks (SQLIAs).
A study by the Gartner Group of over 300 Internet Web sites showed
that most of them could be vulnerable to SQLIAs.
SQLIA examples: Travelocity, FTD.com and Guess Inc.
SQL injection is a code injection technique
that exploits a security vulnerability occurring
in the database layer of an application
Data provided by the user is NOT validated and is included in
an SQL query in such a way that part of the user's input is
treated as SQL code.
Tautologies
Illegal/Logically Incorrect Queries
Union Query
Piggy-Backed Queries
Stored Procedures
Inference
Alternate Encodings
Attack Intent: Bypassing authentication,
identifying injectable parameters, extracting
data.
The general goal of a tautology-based attack
is to inject code in one or more conditional
statements so that they always evaluate to
true.
An attacker exploits an injectable field that is used in a
query's WHERE conditional:
SELECT accounts FROM users WHERE
login='' or 1=1 -- AND pass='' AND pin=
The injected "or 1=1" makes the condition true for every row and
the "--" comments out the rest of the WHERE clause, so the query
returns every account instead of checking the password and PIN.
Attack Intent: Identifying injectable parameters,
performing database finger-printing, extracting
data.
Description: This attack lets an attacker gather important
information about the type and structure of the back-end
database of a Web application, by provoking an error whose
message leaks that information.
SELECT accounts FROM users WHERE login='' AND
pass='' AND pin= convert (int,(select top 1 name from
sysobjects where xtype='u'))
The convert() forces a type conversion of the first user-table
name taken from sysobjects (a SQL Server system table); the
conversion fails, and the resulting error message reveals both the
table name and the database type.
Attack Intent: Bypassing Authentication,
extracting data.
Description: In union-query attacks, an attacker exploits a
vulnerable parameter to change the data set returned for a
given query.
SELECT accounts FROM users WHERE login='' UNION
SELECT cardNo from CreditCards where
acctNo=10032 -- AND pass='' AND pin=
The first SELECT returns no rows (no user has an empty login), so
the result set consists entirely of the card number pulled from the
unrelated CreditCards table.
Attack Intent: Extracting data, adding or modifying data,
performing denial of service, executing remote commands.
Description: In this attack type, an attacker tries to inject
additional queries into the original query.
Vulnerability to this type of attack is often dependent on
having a database configuration that allows multiple
statements to be contained in a single string.
SELECT accounts FROM users WHERE login='doe' AND
pass=''; drop table users -- ' AND pin=123
The original query runs unchanged; the second statement, separated
by the ";", drops the users table.
Attack Intent: Performing privilege escalation, performing
denial of service, executing remote commands.
Description: SQLIAs of this type try to execute stored procedures
present in the database, including the built-in ones that ship
with it. An attacker first determines which back-end database is
in use, so as to target its procedures.
A stored procedure that builds its query by string concatenation
is itself just as injectable as inline SQL:
CREATE PROCEDURE DBO.isAuthenticated
@userName varchar2, @pass varchar2, @pin int
AS
EXEC("SELECT accounts FROM users
WHERE login='" +@userName+ "' and pass='"
+@pass+ "' and pin=" +@pin);
GO
Attack Intent: Identifying injectable parameters,
extracting data, determining database schema.
Description: The query is modified to recast it in the form of
an action that is executed based on the answer to a true/false
question about data values in the database.
Attackers generally use this against a site that has been
secured enough that, even when an injection has succeeded, there
is no usable feedback via database error messages.
SELECT accounts FROM users
WHERE login='legalUser' and
ASCII(SUBSTRING((select top 1 name from sysobjects),1,1))
> X WAITFOR 5 -- ' AND pass='' AND pin=0
The true/false question here is whether the first character of the
first table name is greater than X; when it is, the WAITFOR delays
the response, so the attacker reads the answer from the response
time and recovers the name one character at a time. (The slide's
"WAITFOR 5" is shorthand; in Transact-SQL the delay is written
WAITFOR DELAY '0:0:5'.)
Attack Intent: Evading detection.
Description: In this attack, the injected text is encoded so as
to avoid detection by defensive coding practices and by many
automated prevention techniques. Alternate encodings are used in
combination with other attacks.
SELECT accounts FROM users WHERE login='legalUser';
exec(char(0x73687574646f776e)) -- AND pass='' AND pin=
char(0x73687574646f776e) is the hexadecimal encoding of the string
"shutdown", so the piggy-backed statement is exec("shutdown"); a
filter that only scans the input for the literal word never sees it.
* Apply Instruction-set randomization to SQL
* Creating instances of the language that are
unpredictable to the attacker
* Queries injected by the attacker use the standard keywords, so
they are caught by the parser that expects only the randomized language.
* An intermediary proxy that translates the
random SQL to its standard language.
* Mechanism imposes negligible performance
overhead to query processing and can be
easily retrofitted to existing systems.
The mechanism provides a tool that reads SQL statement(s) and
rewrites every keyword with the random key appended. For example:
select gender, avg(age)
from cs101.students
where dept = %d
group by gender
The utility identifies the six keywords in the example query and
appends the key to each one (e.g., when the key is "123"):
select123 gender, avg123 (age)
from123 cs101.students
where123 dept = %d
group123 by123 gender
The %d placeholder is filled with user input at run time; that
input never receives the key, which is what makes any keyword an
attacker injects stand out from the application's own.
Built a proxy server that sits between the client (web server)
and the SQL server, de-randomizes requests received from the
client, and conveys the query to the server.
If an SQL injection attack has occurred, the injected keywords
carry no key, so the proxy's parser will fail to recognize the
randomized query and will reject it.
The implementation focused on CGI scripts as the query
generators; a similar approach applies when the queries are
generated through JDBC.
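The two halves of the mechanism described on the last slides, the build-time randomizer and the de-randomizing proxy check, modelled in a few dozen lines. This is an added example and not the SQLrand project's own code: the keyword list is a small subset, the tokenizer is a simplified one, the login template and the key "123" are taken from the slides' examples, and where real SQLrand hands the de-randomized text to a full SQL parser, this version flags any keyword that reaches the proxy without the key.

```python
"""SQLrand-style keyword randomization and de-randomizing proxy check.

Added example (not SQLrand's code).  Models the build-time tool that appends a
key to every SQL keyword in the application's query templates, and the runtime
proxy that strips the key again and rejects any keyword that lacks it.
Simplifications: small keyword list, regex tokenizer, bare-keyword check in
place of a full parser.
"""
import re
import secrets

# Subset of SQL keywords; a deployment would use the parser's full list.
KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "group", "by", "order",
    "union", "insert", "into", "values", "update", "set", "delete", "drop",
    "table", "exec", "execute", "avg", "count", "top", "waitfor",
}

# One alternative per token class; the first that matches wins.
_TOKEN = re.compile(
    r"(?P<string>'(?:[^']|'')*')"      # single-quoted literal ('' escapes a quote)
    r"|(?P<comment>--[^\n]*)"          # line comment, runs to end of line
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<other>.)",
    re.S,
)


class InjectionDetected(Exception):
    """Raised by the proxy when a keyword without the key reaches it."""


def new_key():
    """Random per-application key; hex keeps 'select' + key a valid identifier."""
    return secrets.token_hex(8)


def randomize(sql, key):
    """Build-time step: append the key to every keyword outside string literals."""
    out = []
    for m in _TOKEN.finditer(sql):
        tok = m.group()
        if m.lastgroup == "ident" and tok.lower() in KEYWORDS:
            tok += key
        out.append(tok)
    return "".join(out)


def derandomize(sql, key):
    """Proxy step: strip the key from keyed keywords; reject bare keywords
    and unterminated string literals."""
    out = []
    for m in _TOKEN.finditer(sql):
        tok = m.group()
        kind = m.lastgroup
        if kind == "ident":
            stem = tok[:-len(key)] if tok.endswith(key) else None
            if stem is not None and stem.lower() in KEYWORDS:
                tok = stem                       # the application's own keyword
            elif tok.lower() in KEYWORDS:
                raise InjectionDetected(f"unkeyed keyword {tok!r}")
        elif kind == "other" and tok == "'":
            raise InjectionDetected("unterminated string literal")
        out.append(tok)
    return "".join(out)


# Login query from the slides; %s placeholders are filled with user input.
LOGIN_TEMPLATE = "SELECT accounts FROM users WHERE login='%s' AND pass='%s' AND pin=%s"


def proxy_check(login, pw, pin, key):
    """The web app splices user input into its randomized template (in SQLrand
    the template is randomized once at build time; done per call here), then
    the proxy de-randomizes it.  Returns the plain SQL the database would get."""
    query = randomize(LOGIN_TEMPLATE, key) % (login, pw, pin)
    return derandomize(query, key)


def rejected(login, pw, pin, key):
    """True if the proxy refuses to forward the query built from this input."""
    try:
        proxy_check(login, pw, pin, key)
    except InjectionDetected:
        return True
    return False


if __name__ == "__main__":
    key = new_key()
    print(randomize("select gender, avg(age)\nfrom cs101.students\nwhere dept = %d\ngroup by gender", key))
    print("benign forwarded as:", proxy_check("doe", "s3cret", "1234", key))
    for field in ("' or 1=1 --", "' UNION SELECT cardNo FROM CreditCards WHERE acctNo=10032 --"):
        print("rejected:", rejected(field, "", "", key), repr(field))
```

One limit of checking keywords alone is visible in this model: an input such as `doe' --` contains no keyword, closes the literal and comments out the password and PIN checks, and the proxy here forwards it unchanged; catching it requires treating the comment marker (or anything else that can truncate the query) the same way as a keyword, or a parser that rejects the truncated form.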
THANK YOU