
Attacking Applications: SQL Injection & Buffer Overflows.



Presentation on theme: "Attacking Applications: SQL Injection & Buffer Overflows."— Presentation transcript:

1 Attacking Applications: SQL Injection & Buffer Overflows

2 AKA: Code Injection
- Common issues
  - Both are used to attack applications
  - Both are generally caused by programming flaws
  - Both are usually delivered via a user input field
  - Both are caused by invalid (unverified) parameters
- Countermeasures for both
  - Use secure programming methods

3
- Occurs when an app processes user-provided data to create an SQL statement without first validating the input
- Reads or modifies a database by compromising the meaning of the original query
- Results
  1. Attacker gets to remotely execute system commands, or
  2. Attacker takes control of the database server

4
1. Search for websites with a login page or other input or query fields
2. Test using single quotes
3. Use SELECT to retrieve data, or use an automated tool: Absinthe
- http://www.youtube.com/watch?v=Aotphk1sOAQ
- http://www.youtube.com/watch?v=_Bh1_-wg-ok
- Why it works: http://www.youtube.com/watch?v=AhTfo6pWBIM

5
- Identifying vulnerabilities
- Database finger-printing
- Determine database schema
- Extract / add / modify data
- Perform DoS
- Evade detection
- Bypass authentication
- Execute remote commands
- Perform privilege escalation
- Install malware

6 Practice defensive coding
- Change the default admin login information
- Disable the default admin login account
- Validate / sanitize user input
- Use strong firewall rules
  - Block ports: 1434 (SQL & mysql); 1521-1530 (Oracle)
- Don’t display error messages
- Remove stored procedures; use prepared statements instead
- Session encryption

7 Use escape commands
- escapeshellcmd(): decreases the risks involved in allowing user input to be passed to the shell
- escapeshellarg(): converts a scalar value into a single-quote delimited string
- mysql_real_escape_string(): sanitizes data before sending it to MySQL
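As an added example (not part of the slides), the single-quote test of slide 4 seen from the defender's side: a lookup that concatenates user input into the SQL text beside the same lookup written as a prepared statement, using Python's sqlite3 module and a constructed two-row users table.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo; not data from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the input is pasted into the SQL text, so a quote
    # character changes the structure of the query instead of being data.
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, username):
    # Prepared statement: the driver binds the value to the '?' placeholder
    # after parsing, so the input is always data whatever it contains.
    row = conn.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def single_quote_test(lookup, conn, username="'"):
    """Run one lookup with a quote-bearing input and report what happened.

    Returns 'error' when the query itself failed (the symptom the single-
    quote test looks for) and the lookup result otherwise.  A production
    handler should log the exception and show a generic message, since
    the raw database error is what an attacker uses to confirm the flaw.
    """
    try:
        return lookup(conn, username)
    except sqlite3.Error:
        return "error"
```

A legitimate user named O'Brien triggers the same failure as the probe in the concatenated version, while the prepared statement returns the right row for both.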

8
- http://www.youtube.com/watch?v=7LDdd90aq5Y
- How it works: http://www.youtube.com/watch?v=kZZgNnhxA_4
- http://www.youtube.com/watch?v=diKNfnY76z8
- http://www.youtube.com/watch?v=AlgwqMH3Uss

9
- Types
  - Stack based: static locations in the memory address space
  - Heap based: dynamic memory address spaces
- Countermeasures
  - IDS should look for NOP (No Operation) instructions
  - Don’t use C or C++ functions that don’t provide argument checking (C and C++ leave data integrity checking to the programmer), e.g. strcpy(), strcat(), streadd()
  - Use functions that check the buffer size, e.g. strncpy()
  - Do use Java, Perl or Lisp

