Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection
Yuji Kosuga, Kenji Kono, Miyuki Hanaoka (Keio University)
Miho Hishiyama, Yu Takahama (IX Knowledge Inc.)
2007 Annual Computer Security Applications Conference (ACSAC)
OUTLINE
1. Introduction
2. Related Work
3. Design of Sania
4. Implementation
5. Experiments
6. Conclusion
1. Introduction
Databases are threatened by SQL injection attacks. Sanitizing user input (rejecting or escaping meta-characters) is the common defense.
Discovering SQL injection vulnerabilities is based on penetration testing.
Attack succeeds: the single quote closes the password literal and the tautology makes the WHERE clause true for every row.
SELECT * FROM users WHERE name = 'xxx' AND password = '' or '1'='1'
Harmless: inside a single-quoted literal a double quote does not end the string, so the whole input is compared as data.
SELECT * FROM users WHERE name = 'xxx' AND password = '" or "1"="1'
1. Introduction (cont.) Sania
Automatically identifies potentially vulnerable spots in the SQL queries.
Generates attack requests.
Compares the parse trees of the SQL queries generated from an innocent HTTP request and from the attack request.
2. Related Work Framework Support
A validator either rejects input that contains meta-characters, or transforms the dangerous characters into safe ones (escaping).
2. Related Work (cont.) Prepared Statement
A prepared statement separates the values in a query from the structure of the SQL.
Drawback: all legacy web applications must be rewritten.
import java.sql.PreparedStatement;
// conn is an open java.sql.Connection; the values are bound as parameters,
// never concatenated into the SQL text
PreparedStatement stmt = conn.prepareStatement("INSERT INTO message VALUES(?, ?)");
stmt.setString(1, "razor");
stmt.setString(2, "[email protected]");
stmt.executeUpdate();
stmt.clearParameters();
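As an added example (not code from the paper or from the Sania tool), the two queries from the Introduction and the prepared-statement alternative are run against an in-memory SQLite table. The table, the user row and the inputs are constructed for this demo; Python's sqlite3 module is used so the block runs stand-alone, with `?` placeholders playing the role of the Java PreparedStatement above.

```python
"""Added example: the login bypass from the Introduction beside the
parameterised query the Prepared Statement slide recommends.
All data below is constructed for the demo."""
import sqlite3


def make_db():
    """Constructed sample data: one user with a secret password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('xxx', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: values are pasted into the SQL text, so a quote in the
    input becomes SQL structure (the 'improperly sanitized' case)."""
    query = ("SELECT * FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchall()


def login_prepared(conn, name, password):
    """Prepared statement: '?' placeholders keep values separate from the
    query structure, so the same input is only ever compared as data."""
    query = "SELECT * FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def demo():
    """Returns the number of rows each login attempt matches."""
    conn = make_db()
    # First Introduction query: the single quote closes the literal and the
    # tautology makes the WHERE clause true for every row (1 row, no password).
    bypass = login_concat(conn, "xxx", "' or '1'='1")
    # Second Introduction query: a double quote cannot close a single-quoted
    # literal, so the payload stays inside the string and matches nothing.
    harmless = login_concat(conn, "xxx", '" or "1"="1')
    # With a prepared statement the attack string is simply a wrong password.
    safe = login_prepared(conn, "xxx", "' or '1'='1")
    return len(bypass), len(harmless), len(safe)
```

`demo()` returns `(1, 0, 0)`: the concatenated query lets the tautology through, the double-quote variant and the prepared statement do not. Note that `login_prepared` still authenticates a genuine user; it only stops the input from changing the query's structure.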
2. Related Work (cont.) Combined Static and Dynamic Analysis
Uses a static analysis to build the models of the SQL queries.
Intercepts all the SQL queries before they are sent to the database.
Checks each query against the statically built models.
2. Related Work (cont.) Machine Learning Approach
An intrusion detection system (IDS) based on a machine learning technique.
The overall IDS quality depends on the quality of the training set.
Unlike traditional penetration testing, it cannot thoroughly check all the vulnerable spots.
2. Related Work (cont.) Instruction-Set Randomization
The application builds its SQL queries from randomized keywords instead of the normal SQL keywords; injected code written in plain SQL then fails to parse under the randomized instruction set.
3. Design of Sania Specifying Vulnerable Spots
A vulnerable spot is a place in an SQL query where a value taken from the HTTP request appears; every such spot is a potential security hole for SQL injection.
HTTP request includes: id=555&cat=book
Generated SQL query: SELECT * FROM users WHERE user_id=555
3. Design of Sania (cont.) Crafting Attack Requests
Linear attack: Sania inserts an attack code into a single vulnerable spot.
Combination attack: Sania inserts attack codes into two or more vulnerable spots at the same time.
3. Design of Sania (cont.) Linear attack
Each attack code is represented as a four-element tuple:
(userInput, metaCharacter, parentheses, insertedSQL)
For a string-valued spot (λ: the legitimate value is kept, ε: empty; the meta-character closes the quoted literal):
(λ | ε, ' | ", true, or '1'='1 | or "1"="1 | or 1=1-- | or 1=1;-- | or 1=1/*)
For a non-string spot such as a column name, no meta-character is needed:
(λ, ε, false, from yyy-- | from yyy;-- | from yyy/*)
SELECT id, xxx from users  ->  SELECT id, xxx from yyy-- from users
3. Design of Sania (cont.) Combination Attack
A combination attack exploits two or more vulnerable spots at the same time to inject an SQL query.
SELECT * FROM users WHERE name='ø1' and password='ø2'   (øi: vulnerable spot)
SELECT * FROM users WHERE name='\' and password=' or 1=1--'
A lone backslash in ø1 escapes the quote that should close the name literal, so the literal runs on to the next quote and the payload in ø2 is parsed as SQL outside any string (on a database that treats backslash as an escape character, such as MySQL). Neither spot on its own contains a quote, so checking one parameter at a time misses it.
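As an added example (not code from the Sania paper), the following builds attack values for a single spot from the four-element tuple on the Linear attack slide and for two spots with the backslash combination attack, then pastes them into the query a vulnerable application would build. Reading λ as "keep the legitimate value" and ε as "empty" is this example's interpretation of the slide; the `{name}`-style templates, the `LAMBDA`/`EPSILON` markers and the parenthesis-balancing rule are its own conventions, not Sania's.

```python
"""Added example: crafting linear and combination attack requests in the
spirit of the Design slides.  Templates and markers are this example's own."""
import re

LAMBDA, EPSILON = "λ", "ε"   # keep legitimate value / empty (our reading)

# Attack codes transcribed from the Linear attack slide.
STRING_SPOT_CODES = [
    (LAMBDA, "'", True, "or '1'='1"),
    (EPSILON, "'", True, "or '1'='1"),
    (LAMBDA, '"', True, 'or "1"="1'),
    (LAMBDA, "'", True, "or 1=1--"),
    (LAMBDA, "'", True, "or 1=1;--"),
    (LAMBDA, "'", True, "or 1=1/*"),
]
COLUMN_SPOT_CODES = [
    (LAMBDA, EPSILON, False, "from yyy--"),
    (LAMBDA, EPSILON, False, "from yyy;--"),
    (LAMBDA, EPSILON, False, "from yyy/*"),
]


def spot_in_parens(template, spot):
    """Is the spot written inside parentheses, e.g. name=('{name}')?
    Sania reads this off the parse tree; for a template a regex suffices."""
    pat = r"""\(\s*['"]?\{%s\}['"]?\s*\)""" % re.escape(spot)
    return re.search(pat, template) is not None


def craft_linear(legit_value, code, in_parens=False):
    """Turn one (userInput, metaCharacter, parentheses, insertedSQL) tuple
    into the value sent for the spot."""
    user_input, meta, parentheses, inserted = code
    prefix = legit_value if user_input == LAMBDA else ""
    meta = "" if meta == EPSILON else meta
    if parentheses and in_parens:
        # Example's own rule: close the enclosing parenthesis right after the
        # meta-character and reopen it before the payload's final quote so
        # the resulting query stays balanced: name=('xxx') or '1'=('1')
        last = max(inserted.rfind("'"), inserted.rfind('"'))
        if last != -1:
            inserted = inserted[:last] + "(" + inserted[last:]
        return "%s%s) %s" % (prefix, meta, inserted)
    return "%s%s %s" % (prefix, meta, inserted)


def render(template, values):
    """What a vulnerable application does: paste the values into the SQL."""
    return template.format(**values)


def linear_attacks(template, spot, legit, codes):
    """One attack query per attack code; every other spot keeps its
    legitimate value (legit maps each spot name to its innocent value)."""
    inside = spot_in_parens(template, spot)
    out = []
    for code in codes:
        values = dict(legit)
        values[spot] = craft_linear(legit[spot], code, inside)
        out.append(render(template, values))
    return out


def combination_attack(template, legit, first, second, payload="or 1=1--"):
    """Backslash trick from the Combination Attack slide: a lone backslash in
    the first spot escapes the quote that should close its literal, so the
    second spot begins outside any string.  Works only against a backend that
    treats backslash as an escape (MySQL does, SQLite does not)."""
    values = dict(legit)
    values[first] = "\\"
    values[second] = " " + payload
    return render(template, values)


# Constructed query templates; {name}, {password}, {col} mark the spots.
LOGIN = "SELECT * FROM users WHERE name='{name}' and password='{password}'"
COLS = "SELECT id, {col} from users"
PAREN = "SELECT * FROM users WHERE name=('{name}')"


def demo():
    login_legit = {"name": "xxx", "password": "pw"}
    return {
        "linear": linear_attacks(LOGIN, "password", login_legit, STRING_SPOT_CODES),
        "column": linear_attacks(COLS, "col", {"col": "xxx"}, COLUMN_SPOT_CODES),
        "paren": linear_attacks(PAREN, "name", {"name": "xxx"}, STRING_SPOT_CODES[:1]),
        "combination": combination_attack(LOGIN, login_legit, "name", "password"),
    }
```

`demo()["linear"][1]` reproduces the slide's `SELECT * FROM users WHERE name='xxx' and password='' or '1'='1'`, `demo()["column"][0]` gives `SELECT id, xxx from yyy-- from users`, and `demo()["combination"]` gives the backslash query from the slide. Each generated query corresponds to one HTTP request Sania would send; the next step is to compare the query the application actually built against the innocent one.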
3. Design of Sania (cont.) Validation
Sania compares the parse tree of the SQL query generated from the innocent request with the parse tree of the query generated from the attack request. If the attack changed the tree, the input was interpreted as SQL structure rather than as data, and the spot is reported as vulnerable.
SELECT * FROM users WHERE name='' or '1'='1'
Figure: properly sanitized parse tree
Figure: improperly sanitized parse tree
3. Design of Sania (cont.) Validation
Because some applications build queries dynamically, so that the structure of a legitimate query also varies with the input, Sania allows the user to control how strictly the parse trees are matched.
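The check behind the two Validation slides, and the runtime model of the combined static/dynamic approach from Related Work, as an added example that is not Sania's implementation. Sania uses a real SQL parser (JavaCC and JSqlParser); this stand-in flattens a query into its sequence of structural tokens, with string and numeric literals collapsed to placeholders, so two queries compare equal exactly when user data stayed data. The queries, the concatenating query builder and the MySQL-style escaping routine are constructed for the demo.

```python
"""Added example: token-level stand-in for Sania's parse-tree comparison
and for the query model of the combined static/dynamic approach."""
import re

TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?(?:\*/|$))
    | (?P<string>'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*")
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[=<>!]+|[(),;*.])
    | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def structure(sql):
    """Structural signature of a query: keywords, identifiers and operators
    are kept (case-folded), literals become placeholders, and a comment is
    recorded as a token because an injected comment changes what the
    database executes."""
    sig = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number", "comment"):
            sig.append(kind)                      # value abstracted away
        else:
            sig.append("%s:%s" % (kind, m.group().lower()))
    return tuple(sig)


def is_injected(innocent_sql, attack_sql):
    """Sania's decision: the spot is vulnerable iff the attack request
    produced a query whose structure differs from the innocent one."""
    return structure(innocent_sql) != structure(attack_sql)


class QueryModel:
    """Runtime side of the combined static/dynamic approach: learn the
    structures of legitimate queries (done statically in that work), then
    reject any intercepted query whose structure is unknown."""

    def __init__(self):
        self.allowed = set()

    def learn(self, sql):
        self.allowed.add(structure(sql))

    def allows(self, sql):
        return structure(sql) in self.allowed


def escape(value):
    """MySQL-style sanitising: backslash-escape the meta-characters."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build(name, password):
    """The application's (vulnerable) query builder: plain concatenation."""
    return "SELECT * FROM users WHERE name='%s' AND password='%s'" % (name, password)


def demo():
    innocent = build("xxx", "secret")
    payload = "' or '1'='1"
    unsanitized = build("xxx", payload)        # password='' or '1'='1'
    sanitized = build("xxx", escape(payload))  # password='\' or \'1\'=\'1'
    combo = build("\\", " or 1=1--")           # backslash trick across two spots
    model = QueryModel()
    model.learn(innocent)
    return {
        "unsanitized": is_injected(innocent, unsanitized),
        "sanitized": is_injected(innocent, sanitized),
        "combination": is_injected(innocent, combo),
        "model_blocks_attack": not model.allows(unsanitized),
    }
```

`demo()` reports the unsanitized and the combination query as injected (their token structure gained an `or`, a comment and extra literals), the escaped payload as clean (it stays a single string token, the "properly sanitized" tree), and the learned model rejecting the attack query. A flat token sequence is coarser than a tree: it cannot tell which clause a node belongs to, which is one reason Sania parses rather than tokenizes.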
4. Implementation
Sania is implemented in Java (13,000 lines of code).
The list of attack codes is written in XML (1,800 lines of code).
The SQL parser is implemented with JavaCC and JSqlParser.
5. Experiments
5. Experiments (cont.)
The results show that Sania can:
Execute precise linear attacks.
Execute powerful combination attacks.
5. Experiments (cont.) False Positives
Tool   Num.  Description
Sania  13    (total)
        8    Length of attack code was too long
        3    Backslash mistakenly broke the query
        1    Failed to delete the inserted SQL query
        1    Authentication failed
Paros  67    (total)
       16    Attack codes were mistakenly injected into state parameters
       15    Contents of the response page changed after editing
       13    These spots were already sanitized
       10    Length of attack code was too long
        9    Type of code does not match
        4    Duplicate warnings were received
False-positive categories:
Length and Type Error
Misallocated Backslash
Database Record Conflict
Field Data Conflict
Attacking Potentially Safe Spots
Mishandling of Dynamic Contents
Duplicate Warnings
6. Conclusion
Sania is designed to check for SQL injection vulnerabilities in the development and debugging phases.
Sania proved effective: it found 39 SQL injection vulnerabilities and incurred only 13 false positives.