sql injection attacks and prevention
Post on 05-Dec-2014
5.641 Views
Preview:
DESCRIPTION
TRANSCRIPT
1
SQL Injection
Anand Jain@helloanand
Tech at Network18
2
What is it?
SQL Injection allows a programmer user specified query
to execute in the database
3
Excuse me, WHAT?
Unintended SQL queries run in the DB
Most of the times it also alters the original query
4
we
see how it happens
5
Actual use case
$sql = “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”];
//executed query - SELECT * FROM ARTICLES WHERE ID = 1234
$result = mysql_query($sql);
6
SQL injected input
$sql = “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”];
//executed query - SELECT * FROM ARTICLES WHERE ID = 1234; DROP TABLE ARTICLES
$result = mysql_query($sql);
7
Ok, but…How will the attacker know what I’ve named my table?
8
Good question
9
There are queries for that too…
http://www.site.com/articles.php?id=1234 UNION
SELECT group_concat(schema_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1
7,18,19,20,21,22,23,24 from information_schema.schemata --
10
There are queries for that too…
http://www.site.com/articles.php?id=1234 UNION
SELECT group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
,18,19,20,21,22,23,24 from information_schema.tables where
table_schema=database()--
11
12
SQL Attack steps
• Searching for a vulnerable point• Fingerprinting the backend DB• Enumerating or retrieving data of interest –
table dumps, usernames/passwords etc.• Eventual exploiting the system once the
information is handy– OS take over, data change, web server take over
etc.
13
It is a very serious problem
• The attacker can delete, modify or even worse, steal your data
• Compromises the safety, security & trust of user data
• Compromises a company’s competitiveness or even the ability to stay in business
14
How to mitigate the risk
• Escape all user supplied input• Always validate input• Use prepared statements– For PHP+MySQL – use PDO with strongly typed
parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB– Salt them and hash them
15
Escape & Validate input
• Escape all input– Whether supplied via the URL or via POST data– Even for internal APIs– Anything that goes to the DB is escaped
• Validate all input - Validating a Free Form Text Field for allowed chars (numbers, letters, whitespace, .-_) – ^[a-zA-Z0-9\s._-]+$ (Any number of characters) – ^[a-zA-Z0-9\s._-]{1-100}$ (This is better, since it limits this field to 1
to 100 characters)
• source https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
16
Least privilege
• To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment.
• Do not assign DBA or admin type access rights to your application accounts.
• Don't run your DBMS as root or system!
17
URL rules
• No parentheses or angular brackets in the URLs – While saving or generating remove from the URLs– If you really need to have parentheses or angular brackets in
the URL, then encode them• URL should not end with two or more dashes “--“
– While saving or generating remove these from the URLs• URL should not end with “/*”
– While saving or generating remove these from the URLs• No schema, table or column names should be part of your
URL• These rules should be followed even for AJAX/JSON URLs
18
Quick fixes
• For companies that have a large setup or a lot of legacy code that will take a long time to audit and fix, put some SQL injection detection patterns in your Load Balancer itself
• Enable mod_security on Apache• Run the RIPS scanner on your PHP code for
detecting vulnerabilities - http://sourceforge.net/projects/rips-scanner/
19
Common (My)SQL injection URL patterns
• ending with “--”• ending with “/*”• containing UNION, (ALL), SELECT and FROM• BENCHMARK• Containing “information_schema”• Containing “load_file”
20
Further reading
• SQL attacks by example - http://www.unixwiz.net/techtips/sql-injection.html
• OWASP - https://www.owasp.org/index.php/SQL_Injection
top related