Java Web Application Security - Introduction to SQL Injection

1. Java Web Application Security Introduction to SQL Injection (SQLi) Joseph Konieczka Sales Engineer BrixBits

2. Agenda • First of several sessions on SQL Injection • Definition • Prevalence • Coding Guidance • Testing Methods • Defensive Protection • Homework

3. What is SQL Injection (SQLi)? • At its most basic level, an injection flaw exists when user supplied input is combined with programming logic • Once the attacker has the ability to morph the SQL query, the damage is only limited by the controls implemented in the application, web server, OS, and infrastructure

4. OWASP Definition of SQLi • https://www.owasp.org/index.php/SQL_Injection • A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. • A successful SQL injection exploit can – read sensitive data from the database, – modify database data (Insert/Update/Delete) – execute administration operations on the database (such as shutdown the DBMS), – recover the content of a given file present on the DBMS file system – and in some cases issue commands to the operating system.

5. How widespread is it? • In 2015, more than 200 SQLi vulnerabilities were reported • In 2016, 10 were already reported just by the end of February • Year after year, SQLi is listed as one of the OWASP Top 10 risks seen in the wild

6. CWE, CVE, and NVD • The Common Weakness Enumeration (CWE™) is a list of software weaknesses. – https://cwe.mitre.org/ • Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities. – http://cve.mitre.org/ • National Vulnerability Database – https://nvd.nist.gov/home.cfm

7. How do you avoid it? • Query parameterization • SQL code is first defined • Parameters are then passed to the query (ideally after the input has been validated) • Distinct boundary between code and data • PreparedStatement prepareStatement(String sql)

8. Example • https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet • String custname = request.getParameter("customerName"); • String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; • PreparedStatement pstmt = connection.prepareStatement( query ); • pstmt.setString( 1, custname); • ResultSet results = pstmt.executeQuery( );

9. How do you test for it? • Static Analysis tools such as FindBugs with the FindSecurityBugs plugin • Automated tools such as sqlmap (covered in Advanced section) • Manual penetration testing for complex situations

10. WebGoat Numeric SQL Injection

11. View intercepted traffic

12. Key parameter is station

13. Returns temp info for that station

14. Retry but add OR 1=1

15. Statement evaluated to TRUE All results returned

16. How can you protect production? • Implement change control procedures to effectively patch during normal vendor update cycles • Setup an expedited approval process for critical vulnerabilities • Setup firewalls and other traffic analysis tools • Leverage Runtime Application Self Protection (RASP) such as BrixBits Security Analyzer

17. Defense in Depth

18. Homework • Complete the BodgeIt labs outlined in Testing VM Setup Guide • Begin working with the WebGoat Injection Flaws Lessons • Review the SQL Injection and Query Parameterization Cheat Sheets • Signup for next week’s webinar

19. http://brixbits.com/ http://brixbits.com/request-a-demo/