Avoiding Hacker Attacks
DESCRIPTION
Avoiding Hacker Attacks. Objectives: you will be able to avoid certain hacker attacks and crashes due to bad inputs from users. Getting Started: http://www.cse.usf.edu/~turnerr/Software_Systems_Development/Downloads/2011_04_14_More_Hacker_Attacks/ (PowerPoint PPT presentation)
TRANSCRIPT
![Page 1: Avoiding Hacker Attacks](https://reader036.vdocuments.net/reader036/viewer/2022062310/56816393550346895dd48b48/html5/thumbnails/1.jpg)
1
Avoiding Hacker Attacks
Objectives
You will be able to avoid certain hacker attacks and crashes due to bad inputs from users.
Getting Started
http://www.cse.usf.edu/~turnerr/Software_Systems_Development/Downloads/2011_04_14_More_Hacker_Attacks/
File Alt_Databound_Combo_Box_for_Hacker_Attacks.zip
SQL Injection Attacks: An Even More Insidious Threat
Potentially lets the hacker execute any SQL command.
Can take over your database. Destroy your data. Worse, steal it without your knowing.
How to Invite SQL Injection Attacks
Accept text input from the user and make it part of a SQL command.
Suppose we provide a TextBox for the user to enter a search term.
The program retrieves information about all products with that search term in their ProductName.
Add New Product_Info Form
TextBox for Search Term
How to Search with SQL
The SQL LIKE operator lets us search for a text string containing a specified search target.
Two wildcard characters: percent sign (%) and underscore (_).
% matches any number of characters in a string, including none.
_ matches exactly one character.
(SQL Server's LIKE additionally treats a bracketed set such as [a-c] as a wildcard.)
How to Search with SQL
SELECT * FROM Products
WHERE ProductName LIKE '%Tofu%'
The string '%Tofu%' matches any ProductName including Tofu.
Copy Product_Info.cs
http://www.cse.usf.edu/~turnerr/Software_Systems_Development/Downloads/2011_04_11_Hacker_Attacks/Product_Info.cs
Replace the stub created by Visual Studio.
Product_Info.cs

using System;
using System.Collections.Generic;
using System.Windows.Forms;

namespace Alt_Databound_Combo_Box
{
    public partial class Product_Info : Form
    {
        String Username;
        String Password;
        List<Product> product_list;

        public Product_Info(String Username_, String Password_)
        {
            InitializeComponent();
            Username = Username_;
            Password = Password_;
        }
Product_Info.cs (continued)

        private void btnGetProductInfo_Click(object sender, EventArgs e)
        {
            String Search_Term = tbSearchTerm.Text;
            product_list = Products.Get_Products(Username, Password, Search_Term);
            if (product_list.Count > 0)
            {
                foreach (Product p in product_list)
                {
                    MessageBox.Show(p.Product_name);
                }
            }
            else
            {
                MessageBox.Show("No product found");
            }
            tbSearchTerm.Text = "";
        }
    }   // end class Product_Info
}       // end namespace
Reuse Some Code
http://www.cse.usf.edu/~turnerr/Software_Systems_Development/Downloads/2010_10_26_Product_Browser/
Copy Product.cs and Products.cs into the project folder.
Add them to the project.
Implement the Search
Modify Get_Products to produce a new version that gets products with ProductName containing a specified search term.
Products.cs

// Requires: using System.Collections.Generic; using System.Data.SqlClient;
public static List<Product> Get_Products(String Username, String Password, String Search_Term)
{
    SqlDataReader rdr;
    SqlConnection cn;
    List<Product> Product_List = new List<Product>();

    cn = Setup_Connection(Username, Password);
    rdr = Get_SqlDataReader(cn, Search_Term);
    while (rdr.Read())
    {
        Product p = new Product(rdr);
        Product_List.Add(p);
    }
    // In production wrap rdr and cn in using blocks so both are disposed if Read() throws.
    rdr.Close();
    cn.Close();
    return Product_List;
}
Products.cs

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();
    // Vulnerable: the user's search term is spliced straight into the SQL text.
    cmd.CommandText = "SELECT * FROM Products "
                    + " WHERE ProductName LIKE '%" + Search_Term + "%'";
    cmd.Connection = conn;
    return cmd.ExecuteReader();
}
Update Login Form

private void btnLogIn_Click(object sender, EventArgs e)
{
    // Rejects a semicolon in either field. A one-character blacklist is a stopgap,
    // not a defense; the values still have to be handled safely downstream.
    if ((tbUserName.Text.IndexOf(';') >= 0) || (tbPassword.Text.IndexOf(';') >= 0))
    {
        MessageBox.Show("Invalid input");
        return;
    }
    Product_Info pi = new Product_Info(tbUserName.Text, tbPassword.Text);
    this.Hide();
    pi.ShowDialog();
    this.Close();
}
Program Used as Intended
An Innocent Error
Crash!
Program Subverted
Another Subversion
...
Getting All Products
Defense
To foil this attack, and to prevent crashes from bad inputs, replace each single quote in the input with a pair of single quotes.
The server collapses a doubled single quote inside a string literal into one single quote and treats it as part of the string rather than as a delimiter. Doubling is the standard way to write a literal single quote inside a quoted string in a SQL query.
This works only for values that end up inside a quoted string literal. A value spliced in without quotes, such as a number, gets no protection from it (see Other Defensive Measures).
Escape Single Quotes

In Products.cs:

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();
    // Double every single quote so it stays inside the string literal.
    Search_Term = Search_Term.Replace("'", "''");
    cmd.CommandText = "SELECT * FROM Products "
                    + " WHERE ProductName LIKE '%" + Search_Term + "%'";
    cmd.Connection = conn;
    return cmd.ExecuteReader();
}
Attempted Subversion
Search Term with Apostrophe
Other Defensive Measures
Use the MaxLength property of TextBox to limit how many characters a user can enter (a client-side convenience; it does not replace validation in the code that builds the command).
For numeric input, parse the input and convert the resulting numeric value back into a string to splice into the command.
On exceptions, provide only a generic error message. The actual error message from the exception might provide useful information to a hacker.
Use parameterized commands or stored procedures.
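The attack and the defenses covered on these slides, side by side in runnable form. This is an added example written for this page, not code from the deck: it uses Python's standard-library sqlite3 module and an in-memory Products table with a few constructed rows (real Northwind names) in place of ADO.NET and the Northwind SQL Server database, so it runs offline. The query shapes are the ones from Products.cs, with sqlite3's `?` placeholder standing in for ADO.NET's @Parm1. It reproduces the "Crash!" from an apostrophe and the "Getting All Products" subversion against the spliced query, shows that quote-doubling and parameters both stop them, and then shows the case quote-doubling does not cover: a number spliced in without quotes, which is why the numeric-input advice above exists.

```python
import sqlite3

# Constructed stand-in for the Northwind Products table (a few real Northwind
# names so the LIKE examples from the slides behave as they do in the deck).
SAMPLE_PRODUCTS = [
    (1, "Chai"),
    (2, "Chang"),
    (7, "Uncle Bob's Organic Dried Pears"),
    (14, "Tofu"),
    (74, "Longlife Tofu"),
]


def open_db():
    """In-memory database in place of the SQL Server connection."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, ProductName TEXT)")
    cn.executemany("INSERT INTO Products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return cn


def search_concat(cn, term):
    """The original Get_SqlDataReader: the term is spliced into the SQL text."""
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE '%" + term + "%'"
    return [row[0] for row in cn.execute(sql)]


def search_escaped(cn, term):
    """The slides' first fix: double every single quote before splicing."""
    term = term.replace("'", "''")
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE '%" + term + "%'"
    return [row[0] for row in cn.execute(sql)]


def search_param(cn, term):
    """Parameterized command; '?' is sqlite3's placeholder, like @Parm1 in ADO.NET.
    The pattern travels as data, so it can never change the statement's structure."""
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    return [row[0] for row in cn.execute(sql, ("%" + term + "%",))]


def by_id_concat(cn, id_text):
    """Numeric value spliced in with no quotes: doubling quotes cannot protect this."""
    sql = "SELECT ProductName FROM Products WHERE ProductID = " + id_text
    return [row[0] for row in cn.execute(sql)]


def by_id_parsed(cn, id_text):
    """The slides' advice for numbers: parse first, then use only the parsed value."""
    product_id = int(id_text)   # ValueError for anything that is not an integer
    sql = "SELECT ProductName FROM Products WHERE ProductID = ?"
    return [row[0] for row in cn.execute(sql, (product_id,))]


def demo():
    """Feed the same inputs to each variant and collect the outcomes."""
    cn = open_db()
    results = {}

    # "An Innocent Error": an apostrophe in the term breaks the spliced statement.
    try:
        search_concat(cn, "Bob's")
        results["concat_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"        # the slides' "Crash!"
    results["escaped_apostrophe"] = search_escaped(cn, "Bob's")
    results["param_apostrophe"] = search_param(cn, "Bob's")

    # "Getting All Products": close the string, add a tautology, comment out the rest.
    payload = "' OR 1=1 --"
    results["concat_payload"] = search_concat(cn, payload)    # every row
    results["escaped_payload"] = search_escaped(cn, payload)  # nothing: quote is data
    results["param_payload"] = search_param(cn, payload)      # nothing: pattern is data

    # Unquoted numeric splice: no quote in the input, so a quote filter never fires.
    results["id_concat"] = by_id_concat(cn, "1 OR 1=1")       # every row
    results["id_parsed"] = by_id_parsed(cn, "1")
    try:
        by_id_parsed(cn, "1 OR 1=1")
        results["id_parsed_payload"] = "accepted"
    except ValueError:
        results["id_parsed_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three search variants differ only in how the term reaches the server; the parameterized one is the only variant that needs no knowledge of which characters are special in the SQL text, which is the reason the slides end up recommending it.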
End of Section
Parameterized Command
A command string that uses placeholders in the SQL text.
The placeholders are bound to dynamically supplied values at run time, using the Parameters collection of the command object. The @name syntax and the Parameters collection are the ADO.NET form; every major database API has an equivalent.
The parameter value is sent to the server separately from the command text and is never parsed as SQL, so nothing the user types can change the structure of the command. No check for "attack-like" input is involved, and none is needed.
Parameterized Command Example
Rather than
    SELECT * FROM Customers WHERE CustomerID = 'ALFKI'
where ALFKI was read from a TextBox, write
    SELECT * FROM Customers WHERE CustomerID = @CustID
@CustID is bound to a string containing the real customer ID at run time; the value is never spliced into the command text.
Note: No quotes around @CustID
Using a Parameterized Command

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();
    //Search_Term = Search_Term.Replace("'", "''");   // no longer needed
    cmd.CommandText = "SELECT * FROM Products" + " WHERE ProductName LIKE @Parm1";
    // AddWithValue infers the SQL type from the .NET value (nvarchar for a string).
    // Declaring the column's type explicitly avoids implicit conversions (needs using System.Data;):
    //   cmd.Parameters.Add("@Parm1", SqlDbType.NVarChar, 40).Value = "%" + Search_Term + "%";
    cmd.Parameters.AddWithValue("@Parm1", "%" + Search_Term + "%");
    cmd.Connection = conn;
    return cmd.ExecuteReader();
}
Attempted Subversion
Term with Apostrophe
Blank Entry
Everything matches!
Blank Entry
If we don't want the user to be able to ask for all products, we have to check for a zero-length string in the TextBox.

private void btnGetProductInfo_Click(object sender, EventArgs e)
{
    String Search_Term = tbSearchTerm.Text;
    if (Search_Term.Length == 0)
    {
        MessageBox.Show("No search term entered");
        return;
    }
    ...
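Parameters remove the injection risk but do not change how LIKE reads the pattern: a % or _ typed by the user is still a wildcard, and the blank entry that matches everything is the simplest case of that. The added example below (written for this page, not from the deck; Python's sqlite3 with constructed product names in place of ADO.NET and SQL Server) keeps the parameterized query and the blank-term check from the slides and adds an ESCAPE clause so the term is matched literally. The ESCAPE syntax is the same in T-SQL; escaping [ is only needed for SQL Server, where a bracketed set is a third wildcard, and is harmless in SQLite.

```python
import sqlite3

# Constructed sample names; the last three are invented to exercise the wildcards.
SAMPLE_PRODUCTS = [
    ("Chai",),
    ("Tofu",),
    ("Longlife Tofu",),
    ("100% Cocoa Bar",),
    ("Gula Melaka",),
    ("Gula_Melaka",),
]

LIKE_ESCAPE = "\\"   # the escape character declared in the ESCAPE clause below


def open_db():
    """In-memory stand-in for the Northwind Products table."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE Products (ProductName TEXT)")
    cn.executemany("INSERT INTO Products VALUES (?)", SAMPLE_PRODUCTS)
    return cn


def search_param(cn, term):
    """The slides' parameterized query: injection-proof, but % and _ in the term
    are still wildcards, and an empty term gives the pattern '%%', matching every row."""
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    return [row[0] for row in cn.execute(sql, ("%" + term + "%",))]


def escape_like(term):
    """Neutralise LIKE metacharacters so the term is matched literally.
    The escape character is handled first so its doubling is not re-escaped.
    '[' is a wildcard only in SQL Server; escaping it is harmless in SQLite."""
    out = term.replace(LIKE_ESCAPE, LIKE_ESCAPE + LIKE_ESCAPE)
    for ch in "%_[":
        out = out.replace(ch, LIKE_ESCAPE + ch)
    return out


def search_literal(cn, term):
    """Hardened search: reject a blank term (the slides' check, extended to
    whitespace-only input), escape wildcards, bind the pattern as a parameter."""
    if not term.strip():
        raise ValueError("No search term entered")
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE ? ESCAPE '\\'"
    return [row[0] for row in cn.execute(sql, (pattern,))]


def demo():
    """Run both searches on the same inputs and collect what each returns."""
    cn = open_db()
    results = {
        "param_blank": search_param(cn, ""),                 # all six rows
        "param_percent": search_param(cn, "%"),              # all six rows again
        "param_underscore": search_param(cn, "Gula_"),       # both Gula rows
        "literal_percent": search_literal(cn, "%"),          # only "100% Cocoa Bar"
        "literal_underscore": search_literal(cn, "Gula_"),   # only "Gula_Melaka"
        "literal_tofu": search_literal(cn, "Tofu"),          # ordinary search still works
    }
    try:
        search_literal(cn, "   ")
        results["blank"] = "accepted"
    except ValueError:
        results["blank"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Whether a user should be allowed to use wildcards at all is a product decision; what matters for the code is that the decision is made explicitly in escape_like, instead of falling out of whatever the user happened to type.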
Blank Entry
End of Section
Stored Procedures
We can store SQL commands in the database and execute them from there.
A safer alternative to constructing SQL commands in the program and executing them, as long as the stored procedure itself does not assemble dynamic SQL from its parameters.
Visual Studio and ADO.NET provide support for this.
Stored Procedures
The Northwind Traders database has a lot of stored procedures.
Click on the + beside Stored Procedures in Server Explorer to expand the section.
Northwind Stored Procedures
Northwind Stored Procedures
Northwind Stored Procedures
We can execute these stored procedures from the Server Explorer.
Right click on a stored procedure and select Execute.
Executing a Stored Procedure
Executing a Stored Procedure
Results
Viewing a Stored Procedure
To view the stored procedure right click on the procedure and select Open.
Viewing a Stored Procedure
Viewing a Stored Procedure
Adding a Stored Procedure
To add a new stored procedure from the Server Explorer, right click on Stored Procedures and select Add New Stored Procedure.
Note that the new stored procedure will be a part of the database. It stays there until you delete it.
Adding a Stored Procedure
Adding a Stored Procedure
Adding a Stored Procedure
Saving the New Stored Procedure
Click icon to save the new stored procedure
Executing the Stored Procedure
Visual Studio changes "CREATE" to "ALTER".
We can now execute the procedure from the Server Explorer.
Executing the Stored Procedure
Supplying the Parameter Value
Results from the Execution
Results
Executing a Stored Procedure from C#
We can execute a stored procedure from within our program.
In Products.cs add using System.Data;
Executing a Stored Procedure Programmatically

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();
    cmd.CommandType = CommandType.StoredProcedure;   // CommandType is in System.Data
    cmd.CommandText = "Product_Search";              // name of the procedure, not SQL text
    // The parameter name must match the one declared by Product_Search.
    cmd.Parameters.AddWithValue("@Param1", "%" + Search_Term + "%");
    cmd.Connection = conn;
    return cmd.ExecuteReader();
}
Program in Action
End of Presentation