java web application security - introduction to sql injection
TRANSCRIPT
Java Web Application Security - Introduction to SQL Injection (SQLi)
Joseph Konieczka
Sales Engineer
BrixBits
Agenda
• First of several sessions on SQL Injection
• Definition
• Prevalence
• Coding Guidance
• Testing Methods
• Defensive Protection
• Homework
What is SQL Injection (SQLi)?
• At its most basic level, an injection flaw exists when user-supplied input is mixed directly into the program's own logic (here, the text of the SQL query)
• Once the attacker has the ability to morph the SQL query, the damage is only limited by the controls implemented in the application, web server, OS, and infrastructure
OWASP Definition of SQLi
• https://www.owasp.org/index.php/SQL_Injection
• A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
• A successful SQL injection exploit can
– read sensitive data from the database
– modify database data (Insert/Update/Delete)
– execute administration operations on the database (such as shutting down the DBMS)
– recover the content of a given file present on the DBMS file system
– and in some cases issue commands to the operating system
How widespread is it?
• In 2015, more than 200 SQLi vulnerabilities were reported
• In 2016, 10 were already reported just by the end of February
• Year after year, SQLi is listed as one of the OWASP Top 10 risks seen in the wild
CWE, CVE, and NVD
• The Common Weakness Enumeration (CWE™) is a list of software weaknesses.
– https://cwe.mitre.org/
• Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities.
– http://cve.mitre.org/
• National Vulnerability Database
– https://nvd.nist.gov/home.cfm
How do you avoid it?
• Query parameterization
• SQL code is first defined
• Parameters are then passed to the query (ideally after the input has been validated)
• Distinct boundary between code and data
• PreparedStatement prepareStatement(String sql) (the JDBC method on java.sql.Connection)
Example
• https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
• String custname = request.getParameter("customerName");
• String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
• PreparedStatement pstmt = connection.prepareStatement( query );
• pstmt.setString( 1, custname);
• ResultSet results = pstmt.executeQuery( );
How do you test for it?
• Static Analysis tools such as FindBugs with the FindSecurityBugs plugin
• Automated tools such as sqlmap (covered in Advanced section)
• Manual penetration testing for complex situations
WebGoat Numeric SQL Injection
View intercepted traffic
Key parameter is station
Returns temp info for that station
Retry but add OR 1=1
Statement evaluated to TRUE; all results returned
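The coding guidance above (fixed SQL text first, validated value bound afterwards) and the WebGoat station demo, combined in one runnable Java example added here for illustration. This is not code from the slides, WebGoat or OWASP; it assumes the H2 JDBC driver is on the classpath, and the weather table, its rows and the in-memory URL are constructed for the demo.

```java
import java.sql.*;
import java.util.ArrayList;
import java.util.List;

public class StationLookup {
    // Vulnerable: the user-supplied station value is concatenated into the SQL text,
    // so input such as "101 OR 1=1" rewrites the WHERE clause (the WebGoat case above).
    static List<String> findTemperatureUnsafe(Connection conn, String station) throws SQLException {
        String sql = "SELECT city, temp FROM weather WHERE station = " + station;
        List<String> rows = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) rows.add(rs.getString("city") + "=" + rs.getInt("temp"));
        }
        return rows;
    }

    // Safe: the SQL text is defined first, then the validated value is bound as data.
    // Integer.parseInt rejects "101 OR 1=1" outright; even without that check, a bound
    // parameter is never parsed as SQL, so the code/data boundary holds.
    static List<String> findTemperatureSafe(Connection conn, String station) throws SQLException {
        int stationId = Integer.parseInt(station.trim()); // input validation: must be a number
        String sql = "SELECT city, temp FROM weather WHERE station = ?";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, stationId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) rows.add(rs.getString("city") + "=" + rs.getInt("temp"));
            }
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver available; in-memory database and sample rows are constructed for the demo.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:weather")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE weather(station INT, city VARCHAR(32), temp INT)");
                st.execute("INSERT INTO weather VALUES (101,'Columbia',65),(102,'Seattle',58),(103,'New York',70)");
            }
            System.out.println("unsafe, normal  : " + findTemperatureUnsafe(conn, "101"));
            System.out.println("unsafe, tampered: " + findTemperatureUnsafe(conn, "101 OR 1=1")); // every row
            System.out.println("safe, normal    : " + findTemperatureSafe(conn, "101"));
            try {
                findTemperatureSafe(conn, "101 OR 1=1");
            } catch (NumberFormatException e) {
                System.out.println("safe, tampered  : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it with the tampered value shows the concatenated query returning all three rows while the parameterized version never reaches the database; a static analyzer such as FindBugs with the Find Security Bugs plugin flags the first method's string-built query.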
How can you protect production?
• Implement change control procedures to effectively patch during normal vendor update cycles
• Setup an expedited approval process for critical vulnerabilities
• Setup firewalls and other traffic analysis tools
• Leverage Runtime Application Self Protection (RASP) such as BrixBits Security Analyzer
Defense in Depth
Homework
• Complete the BodgeIt labs outlined in Testing VM Setup Guide
• Begin working with the WebGoat Injection Flaws Lessons
• Review the SQL Injection and Query Parameterization Cheat Sheets
• Sign up for next week's webinar
http://brixbits.com/
http://brixbits.com/request-a-demo/