SQL Injection - Mozilla Security Learning Center
•Transferir como KEY, PDF•
1 gostou•8,141 visualizações
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (8)
Semelhante a SQL Injection - Mozilla Security Learning Center
Semelhante a SQL Injection - Mozilla Security Learning Center (20)
Mais de Michael Coates
Mais de Michael Coates (10)
Último
Último (20)
SQL Injection - Mozilla Security Learning Center
- 2. Intro • Michael Coates • Infrastructure Security • mcoates@mozilla.com - @_mwc • Questions / comments during presentation? • Use IRC at air.mozilla.org
- 3. Agenda • Business risk of XSS • Understanding the vulnerability • Attack scenarios • Mitigation techniques
- 4. Agenda • Business risk of SQL Injection • Understanding the vulnerability • Attack scenarios • Mitigation techniques
- 5. Risks of SQL Injection • Injection attacks (SQL, LDAP, OS, etc) - #1 Issue on OWASP Top 10 • Impact: Vulnerability allows attacker to change intent of SQL statement • Business Impact: • Theft of sensitive/PII data (account data, password hashes) • Data Corruption • Unauthorized application/feature access • Inject other attacks (XSS) into databases
- 6. SQL Injection in the News
- 7. Setup • http://people.mozilla.org/~mcoates/ WebSecurityLab.html#installation • http://bit.ly/MozLab • Download Virtual Box, OWASP Broken Web App VM
- 8. Agenda • Business risk of SQL Injection • Understanding the vulnerability • Attack scenarios • Mitigation techniques
- 9. Fundamental Problem • User controlled data improperly used with SQL statements • Example Vulnerable Query: sqlQ = “Select user from UserTable where name= '+username + ' and pass = '+password+ ' ” Login: ___ My username is o’malley ? Pass: ____
- 10. Fundamental Problem • User controlled data improperly used with SQL statements • o’malley scenario Select user from UserTable where name= 'o'malley' and pass = 'foo' • Result: Error, syntax is not valid Error: Invalid syntax
- 11. Agenda • Business risk of SQL Injection • Understanding the vulnerability • Attack scenarios • Mitigation techniques
- 12. SQL Attack Examples • Basic SQL Injection Tests: OR 1=1 -- ' OR '1'= '1'-- • Select user from UserTable where name= 'joe' and pass = ' ' OR '1'= '1'-- ' • Looks for username of joe and password of (blank || TRUE)
- 13. Variations • SQL Injection • Error message or different text returned based on SQL statement results • Example: Error message, db data displayed in page • Blind SQL Injection • No visible response to user indicating success of fail of query
- 14. Blind SQL Injection • Use time of results to deduce boolean • Injected SQL uses IF statements and delays to enumerate data, 1 char at a time
- 15. Blind SQL Examples mysql> select * from example; +----+-----------------+------+ | id | name | age | +----+-----------------+------+ | 1 | Timmy Mellowman | 23 | Text| | 2 | Sandy Smith | 21 +----+-----------------+------+ 2 rows in set (0.00 sec)
- 16. Blind SQL Examples • mysql> SELECT IF( name = 'Sandy Smith', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM example; • Command line result - 2 rows in set (5.25 sec) • mysql> SELECT IF( name = 'Joe Bob', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM example; • Command line result - 2 rows in set (0.00 sec) • The actual data returned is not important the delay indicates True of False +----+-----------------+------+ | 1 | Timmy Mellowman | 23 | | 2 | Sandy Smith | 21 | +----+-----------------+------+
- 17. Blind SQL Injection • mysql> select headerName from header_store UNION select IF(SUBSTRING(name, 1,1)='T',BENCHMARK(1000000,MD5( 'x' )),'y') from example where age=23 limit 1; • 1 row in set (6.01 sec) • Test if the first character of "name" from the example table (where age=23) is the letter T. +----+-----------------+------+ | 1 | Timmy Mellowman | 23 |
- 18. WebGoat • Click First Link - OWASP WebGoat version 5.3.x • Username / Password is guest / guest
- 19. Setup • http://people.mozilla.org/~mcoates/ WebSecurityLab.html#installation • http://bit.ly/MozLab • Download Virtual Box, OWASP Broken Web App VM
- 20. Using A Proxy • Burp - Configure to listen on 8080 • Ensure “loopback only” is checked (will be by default)
- 21. Set Firefox Proxy • Set Firefox proxy to 8080 • Preferences -> Advanced -> Network -> Settings • Set HTTP Proxy • Important - clear “No Proxy for” line
- 22. Confirm Setup Works • Refresh Web Browser - it should hang • Go to Burp -> Proxy -> Intercept (they are highlighted) • Click “Forward” for all messages • Should now see page in browser
- 23. Confirm Setup Works • Intercept is on • Each request will be caught by proxy • Requires you to hit forward each time • Intercept is off • Requests sent through proxy automatically • Logged in tab “proxy”->”history”
- 24. “Hello World” of Proxies • Lesson: General->Http Basic • Objective: • Enter your name into text box • Intercept with proxy & change entered name to different value • Receive response & observe modified value is reversed Joe Sue Attacker’s euS euS Web Proxy Web Server Browser
- 25. SQL Injection • Problem: User controlled data improperly used with SQL statements • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft • Basic SQL Injection Tests: OR 1=1 -- ' OR '1'= '1'-- • Example Vulnerable Query: sqlQ = “Select user from UserTable where name= '+username+ ' and pass = '+password+ ' ”
- 26. Lab! - SQL Lesson
- 27. SQL Injection • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection • Proxy Needed • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
- 28. SQL Injection • HTTP Post employee_id=112&password=x' OR '1'='1&action=Login • Vulnerable SQL Select user from UserTable where name= '+username+ ' and pass = '+password+ ' Select user from UserTable where name= '112' and pass = 'x' OR '1'='1' • Result: ... name = ' 112 ' and pass = 'x ' OR TRUE
- 29. Agenda • Business risk of SQL Injection • Understanding the vulnerability • Attack scenarios • Mitigation techniques
- 30. SQL Injection • Parameterized Queries No confusion with control characters • Input Validation Are special characters needed for most fields? What about non-printable characters %00-%0A? Just a layer of defense - remember o’malley example
- 31. Parameterized Query • HTTP Post employee_id=112&password=x' OR '1'='1&action=Login • Parameterized Query Look for employee_id 112 with password of x' OR '1'='1 • Result: Login fail - password is foo not x' OR '1'='1
- 32. Language Examples • User data + string concatenation == SQL injection disaster • DJANGO • Model Query API-> Safe • raw() manager -> Dangerous, Avoid! • Java String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( );
- 33. Additional Resources • OWASP SQL Prevention Cheat Sheet • https://www.owasp.org/index.php/ SQL_Injection_Prevention_Cheat_Sheet • 10 Minute Crash Course • Episode 3 - http://www.youtube.com/user/ AppsecTutorialSeries
- 34. Questions • Next Events • Aug 24 - CEF Logging for Attack Aware Applications • Aug 25 - OWASP Bay Area Chapter Meeting • https://wiki.mozilla.org/index.php? title=WebAppSec#Schedule
Notas do Editor
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n