Java Web Application Security - Introduction to SQL Injection
This presentation describes what SQL Injection is, how widespread it is, ways to test, and basic guidance to protect applications in production. Information on common weaknesses and vulnerabilities is also provided so that developers can view issues from the information security team’s perspective. A basic numeric SQL injection attack is then shown using WebGoat.

1. Java Web Application Security
   Introduction to SQL Injection (SQLi)
   Joseph Konieczka, Sales Engineer, BrixBits

2. Agenda
   • First of several sessions on SQL Injection
   • Definition
   • Prevalence
   • Coding Guidance
   • Testing Methods
   • Defensive Protection
   • Homework

3. What is SQL Injection (SQLi)?
   • At its most basic level, an injection flaw exists when user supplied input is combined with programming logic
   • Once the attacker has the ability to morph the SQL query, the damage is only limited by the controls implemented in the application, web server, OS, and infrastructure

4. OWASP Definition of SQLi
   • https://www.owasp.org/index.php/SQL_Injection
   • A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
   • A successful SQL injection exploit can
     – read sensitive data from the database,
     – modify database data (Insert/Update/Delete),
     – execute administration operations on the database (such as shutdown the DBMS),
     – recover the content of a given file present on the DBMS file system,
     – and in some cases issue commands to the operating system.

5. How widespread is it?
   • In 2015, more than 200 SQLi vulnerabilities were reported
   • In 2016, 10 were already reported just by the end of February
   • Year after year, SQLi is listed as one of the OWASP Top 10 risks seen in the wild

6. CWE, CVE, and NVD
   • The Common Weakness Enumeration (CWE™) is a list of software weaknesses.
     – https://cwe.mitre.org/
   • Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities.
     – http://cve.mitre.org/
   • National Vulnerability Database
     – https://nvd.nist.gov/home.cfm

7. How do you avoid it?
   • Query parameterization
   • SQL code is first defined
   • Parameters are then passed to the query (ideally after the input has been validated)
   • Distinct boundary between code and data
   • PreparedStatement prepareStatement(String sql)

8. Example
   • https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
   • Parameterized lookup from the cheat sheet:
       String custname = request.getParameter("customerName");
       String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
       PreparedStatement pstmt = connection.prepareStatement(query);
       pstmt.setString(1, custname);
       ResultSet results = pstmt.executeQuery();

9. How do you test for it?
   • Static Analysis tools such as FindBugs with the FindSecurityBugs plugin
   • Automated tools such as sqlmap (covered in Advanced section)
   • Manual penetration testing for complex situations
10. WebGoat Numeric SQL Injection

11. View intercepted traffic

12. Key parameter is station

13. Returns temp info for that station

14. Retry but add OR 1=1

15. Statement evaluated to TRUE
    All results returned
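The following is an added example, not code from the BrixBits deck or from WebGoat: it shows the numeric station lookup from slides 10 to 15 written first with string concatenation (the flaw the lesson demonstrates) and then with the query parameterization described on slides 7 and 8, so the effect of "station = 101 OR 1=1" can be observed on both against a throwaway in-memory database. It assumes the H2 JDBC driver is on the classpath (the jdbc:h2:mem: URL); the class name StationLookup, the table weather and its columns station and temp, and the sample rows are all constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not part of the deck or of WebGoat). Assumes the H2 driver
 * is available; the weather table and its rows are constructed for the demo.
 */
public class StationLookup {

    // Vulnerable form: the station value is spliced into the SQL text, so the
    // input "101 OR 1=1" rewrites the WHERE clause and the query returns every
    // row (the "Statement evaluated to TRUE" result on slide 15).
    static List<String> lookupConcat(Connection conn, String station) throws SQLException {
        String sql = "SELECT station, temp FROM weather WHERE station = " + station;
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Parameterized form: the SQL is fixed first, then the value is bound as a
    // parameter, so it is only ever compared as data, never parsed as code.
    // The deck recommends validating the input before binding; a station id
    // must be an integer, so anything else is rejected before a query is sent.
    static List<String> lookupParameterized(Connection conn, String station) throws SQLException {
        int stationId = Integer.parseInt(station.trim()); // NumberFormatException on "101 OR 1=1"
        String sql = "SELECT station, temp FROM weather WHERE station = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, stationId);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Flatten the result set into "station:temp" strings for display.
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> rows = new ArrayList<>();
        while (rs.next()) {
            rows.add(rs.getInt("station") + ":" + rs.getInt("temp"));
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:sqli")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE weather(station INT PRIMARY KEY, temp INT)");
                st.execute("INSERT INTO weather VALUES (101, 65), (102, 70), (103, 72)");
            }
            String normal = "101";
            String hostile = "101 OR 1=1"; // constructed input mirroring the WebGoat lesson

            System.out.println("concat, normal input:  " + lookupConcat(conn, normal));
            System.out.println("concat, hostile input: " + lookupConcat(conn, hostile));
            System.out.println("param, normal input:   " + lookupParameterized(conn, normal));
            try {
                lookupParameterized(conn, hostile);
            } catch (NumberFormatException e) {
                System.out.println("param, hostile input:  rejected before any query ran");
            }
        }
    }
}
```

The two methods issue the same SQL for well-formed input; they differ only in whether the client-supplied value can alter the statement's structure. A static analyzer such as FindBugs with FindSecurityBugs flags the concatenated query because the SQL string is built from a non-constant value, which is the same boundary between code and data that slide 7 describes.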
16. How can you protect production?
    • Implement change control procedures to effectively patch during normal vendor update cycles
    • Setup an expedited approval process for critical vulnerabilities
    • Setup firewalls and other traffic analysis tools
    • Leverage Runtime Application Self Protection (RASP) such as BrixBits Security Analyzer

17. Defense in Depth

18. Homework
    • Complete the BodgeIt labs outlined in Testing VM Setup Guide
    • Begin working with the WebGoat Injection Flaws Lessons
    • Review the SQL Injection and Query Parameterization Cheat Sheets
    • Signup for next week's webinar

19. http://brixbits.com/
    http://brixbits.com/request-a-demo/