Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Yuji Kosuga, Kenji Kono, Miyuki Hanaoka Keio University Miho Hishiyama,

Slide 1: Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection
Yuji Kosuga, Kenji Kono, Miyuki Hanaoka (Keio University); Miho Hishiyama, Yu Takahama (IX Knowledge Inc.)
2007 Annual Computer Security Applications Conference (ACSAC)

Slide 2: Outline
1. Introduction
2. Related Work
3. Design of Sania
4. Implementation
5. Experiments
6. Conclusion

Slide 3: 1. Introduction
- Databases are threatened by SQL injection attacks.
- Sanitizing
- Discovering SQL injection vulnerabilities is based on penetration testing.
  SELECT * FROM users WHERE name = 'xxx' AND password = '' or '1'='1'
  SELECT * FROM users WHERE name = 'xxx' AND password = '" or "1"="1'

Slide 4: 1. Introduction (cont.)
- Sania
  - Automatically identifies potentially vulnerable spots in the SQL queries.
  - Generates attack requests.
  - Compares the parse trees of the SQL queries generated by an innocent HTTP request and by an attack request.

Slide 5: 2. Related Work
- Framework Support
  - A validator prohibits an input from including meta-characters.
  - Transforms the dangerous characters into safe ones.

Slide 6: 2. Related Work (cont.)
- Prepared Statement
  - Separates the values in a query from the structure of the SQL.
  - All the legacy web applications must be rewritten.

  PreparedStatement stmt = conn.prepareStatement(
      "INSERT INTO message VALUES(?, ?)");
  stmt.setString(1, "razor");
  stmt.setString(2, "razor@mail.com");
  stmt.executeUpdate();
  stmt.clearParameters();
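Slide 6 contrasts a prepared statement with the string-built query of slide 3. The following Python script is an illustration added to this transcript; it is not code from the paper or from Sania. It runs both styles against a constructed in-memory SQLite table (the table, rows and function names are this example's own) so the difference is observable: the concatenated query lets the slide 3 input `' or '1'='1` match every row, while the parameterized query binds the same bytes as a plain value and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database for this example (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, name, password):
    """The slide 3 pattern: inputs are spliced into the SQL text, so a quote
    in the password changes the statement's structure before it is parsed."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """The slide 6 pattern: the statement's structure is fixed when it is
    prepared and the inputs are bound as values, so a quote is just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"          # the password input shown on slide 3
    print("concatenated:", login_concat(conn, "xxx", payload))   # every row
    print("prepared:    ", login_prepared(conn, "xxx", payload)) # no rows
```

The concatenated form produces exactly the first query on slide 3, `... AND password = '' or '1'='1'`, where the OR clause is true for every row; the prepared form compares the password column against the literal eleven-character string and finds no match.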

Slide 7: 2. Related Work (cont.)
- Combined Static and Dynamic Analysis
  - Uses a static analysis to build the models of the SQL queries.
  - Intercepts all the SQL queries before they are sent to the database.
  - Checks each query against the statically built models.

Slide 8: 2. Related Work (cont.)
- Machine Learning Approach
  - An intrusion detection system (IDS) based on a machine learning technique.
  - The overall IDS quality depends on the quality of the training set.
  - It cannot thoroughly check all the vulnerable spots like the traditional penetration testing.

Slide 9: 2. Related Work (cont.)
- Instruction-Set Randomization
  - Creates SQL queries using randomized keywords instead of the normal SQL keywords.

Slide 10: 3. Design of Sania
- Specifying Vulnerable Spots
  - The vulnerable spots have the potential to be security holes of SQL injection.
  - HTTP request includes: id=555&cat=book
  - Generated SQL query: SELECT * FROM users WHERE user id=555

Slide 11: 3. Design of Sania (cont.)
- Crafting Attack Requests
  - Linear attack: Sania inserts an attack code into a single vulnerable spot.
  - Combination attack: Sania inserts attack codes into two or more vulnerable spots at the same time.

Slide 12: 3. Design of Sania (cont.)
- Linear attack
  - Each attack code is represented as a four-element tuple: (userInput, metaCharacter, parentheses, insertedSQL).
  - Example tuple: (λ | ε, ' | ", true, or '1'='1 | or "1"="1 | or 1=1-- | or 1=1;-- | or 1=1/*)
  - Example: SELECT id, xxx from users, with the attack code (λ, ε, false, from yyy-- | from yyy;-- | from yyy/*), becomes SELECT id, xxx from yyy--from users

Slide 13: 3. Design of Sania (cont.)
- Combination Attack
  - A combination attack exploits two or more vulnerable spots at the same time to inject an SQL query.
  - SELECT * FROM users WHERE name='ø1' and password='ø2' (øi: vulnerable spot)
  - SELECT * FROM users WHERE name='\' and password=' or 1=1--'

Slide 14: 3. Design of Sania (cont.)
- Validation
  - SELECT * FROM users WHERE name='' or '1'='1'
  - [Figure: properly sanitized parse tree vs. improperly sanitized parse tree]

Slide 15: 3. Design of Sania (cont.)
- Validation
  - Because of dynamic queries, Sania allows the user to control the matching of parse trees.

Slide 16: 4. Implementation
- Sania is written in Java and has 13,000 lines of code.
- The list of attack codes is written in XML and has 1,800 lines.
- The SQL parser is implemented with JavaCC and JSqlParser.

Slide 17: 5. Experiments

Slide 18: 5. Experiments (cont.)
- This result reveals that Sania can:
  - Execute precise linear attacks.
  - Execute powerful combination attacks.

Slide 19: 5. Experiments (cont.)
- False Positives

  Tool   Num.  Description
  Sania    13   8  Length of attack code was too long
                3  Backslash mistakenly broke query
                1  Failed to delete inserted SQL query
                1  Authentication failed
  Paros    67  16  Attack codes are mistakenly injected to state parameters
               15  Contents of response page was changed after editing
               13  These spots were already sanitized
               10  Length of attack code was too long
                9  Type of code does not match
                4  Duplicate warnings are received

  False-positive categories: Length and Type Error; Misallocated Backslash; Database Record Conflict; Field Data Conflict; Attacking Potentially Safe Spots; Mishandling of Dynamic Contents; Duplicate Warnings.

Slide 20: 6. Conclusion
- Sania is designed to check for SQL injection vulnerabilities in the development and debugging phases.
- Sania has proved effective: it found 39 SQL injection vulnerabilities and incurred only 13 false positives.
