Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.

1 Attacking Data Stores
- Brad Stancel
- CSCE 813 Presentation
- 11/12/2012

2 Sources Consulted
- Stuttard, D. and Pinto, M., The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition, Wiley Publishing, 2011

3 Importance of Data Stores
- Almost every web app uses data stores
- Used to hold information vital to the application
- Often hold information crucial to the application logic (access control, etc.)

4 Important Notes about Data Stores
- The application interacts with the data store at a specified security level
- Common data stores are databases that use SQL (Structured Query Language) to query and manipulate the data
- Other non-SQL databases are becoming more popular (e.g. NoSQL)
- Some data stores specifically revolve around access control (e.g. LDAP)

5 Interpreted vs. Compiled Languages
- Injection attacks can happen in either type of language
- Interpreted languages make injection attacks easier (the attacker can type in code that the interpreter executes)
- Injection attacks against compiled languages generally use machine code

6 SQL Injection
- A type of code injection common in interpreted languages that use SQL data stores
- Many similarities across databases, but each vendor's database may differ a bit
- Our focus today: MS-SQL, Oracle and MySQL data stores

7 Fingerprinting the Database
- Extract the version string
  o MySQL: /*!32302 and 1=0*/
- Look at how strings are concatenated
  o Oracle: 'serv'||'ices'
  o MS-SQL: 'serv'+'ices'
  o MySQL: 'serv' 'ices'
- Look at how numeric data is handled
  o Oracle: BITAND(1,1)-BITAND(1,1)
  o MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
  o MySQL: CONNECTION_ID()-CONNECTION_ID()

8 Testing for Injection Bugs
General algorithm:
1. Supply unexpected data and syntax
2. Identify any anomalies
3. Observe and examine any error messages
4. Systematically modify input to confirm or disprove that the vulnerability exists
5. Construct a proof-of-concept that causes a safe command to execute in a verifiable way, proving the flaw exists
6. Exploit the vulnerability by leveraging functionality and knowledge of the target language and/or its components

9 Testing for SQL Injection Bugs
Three main methods:
- Injecting into string data
- Injecting into numeric data
- Injecting into query structure

10 Injecting Into String Data
- String data is encapsulated in single quotation marks
- Need to break out of these quotation marks
  o ex. Wiley' OR 'a'='a
- Preliminary steps to test:
  o Submit a single quotation mark and see if an error occurs
  o Submit two quotation marks (the escape sequence) and look for an error or odd behavior
  o Try the SQL concatenation techniques discussed earlier; if the application responds the same way as for the plain string, it is possibly vulnerable

11 Injecting Into Numeric Data
- The query may handle numbers as strings, so try the string data methods first
- Remember to encode certain characters
- Steps to test:
  o Supply a mathematical expression equivalent to the number (if the application responds the same way, it is possibly vulnerable)
  o Use more complicated expressions that use SQL keywords
  o Expressions using the ASCII function are useful, e.g. 67-ASCII('A') or 51-ASCII(1) (both evaluate to 2)

12 Injecting Into Query Structure
- Determine the type of statement
  o SELECT statements
  o INSERT statements
  o UPDATE statements
  o DELETE statements
  o UNION operator (more of a technique)

13 SELECT Statements
- Frequently used when returning data based on the user's actions
- The attack entry point is usually the statement's WHERE clause
- Correct example:
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley'
- Malicious example:
  o Input into web form: Wiley' OR 1=1--
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley' OR 1=1--

14 INSERT Statements
- Used to create a new row of data in a table
- Example: a web app that allows users to self-register
- Correct example:
  o INSERT INTO users (username, password, privs) VALUES ('daf','secret',1)
- Malicious example:
  o Input into web form: foo','bar',0)--
  o INSERT INTO users (username, password, privs) VALUES ('foo','bar',0)--
  o The injected values MUST match the number and data types of the columns!

15 UPDATE Statements
- Used to modify one or more rows of existing data in a table
- Correct example:
  o UPDATE users SET password='newsecret' WHERE user='brad' and password='secret'
- Malicious example:
  o Input into web form: admin'--
  o UPDATE users SET password='newsecret' WHERE user='admin'--
- This example bypasses the password check and changes the admin password!

16 DELETE Statements
- Used to delete one or more rows of data in a table
- Can corrupt the entire table or database
- Correct example:
  o DELETE from users WHERE uid='brad'
- Malicious example:
  o Input into web form: ' OR ' '='
  o DELETE from users WHERE uid=' ' OR ' '=' '
- This example deletes all user IDs in the users table!

17 UNION Operator
- Used to combine the results of two or more SELECT statements into a single result set
- Supported by all major DBMS products
- Fastest way to retrieve arbitrary information when query results are returned to the user
- The point of attack is usually the WHERE clause of a SELECT statement
- The additional SELECT statement must return the same number of columns with compatible data types

18 UNION Operator cont.
- Example SELECT statement before:
  o SELECT author,title,year FROM books WHERE publisher ='Wiley' (where 'Wiley' was the submitted value)
- Input put into the web form:
  o Wiley' UNION SELECT username,password,uid FROM users--
- Returns a dataset containing both the author,title,year rows and the username,password,uid rows in one table
- This example only works because the injected SELECT returns three columns, matching the original query

19 Advanced Techniques
- Out-of-band communication
- Bypassing filters using comments and circumventing validation
- Second-order SQL injection
- Retrieving data as numbers
- Inference

20 Escalating Attacks
- Most applications employ a single account for database access
- They rely on application-layer controls to enforce segregation of access
- Already have the data, why escalate?
  o Gain access to other applications' data hosted on the same server
  o Compromise the OS of the database server
  o Gain network access to reach other systems
  o Establish a network connection back to the attacker's own system for faster data retrieval
  o Add attacker-supplied functions to extend the DB's capabilities

21 Some Tools Used in SQL Exploitation
- Absinthe - automated blind SQL injection tool
- SQLMap - automatic SQL injection tool

22 Preventing SQL Injection
- Validate input!
- Escape certain characters and words
- Stored procedures can help
  o This does not completely solve the problem (a stored procedure that builds dynamic SQL from its arguments is still injectable)
- Parameterized queries
  o AKA prepared statements
  o The application specifies the query's structure
  o The application separately specifies the contents of each placeholder
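Added example (not from the slides): the SELECT and UPDATE attacks from slides 13 and 15 run against a constructed in-memory SQLite database, with the string-built query beside the parameterized form that slide 22 recommends. Table and column names follow the slides; the rows are made up.

```python
import sqlite3

# Constructed sample rows modelled on the slides' examples (not real data).
BOOKS = [("Stuttard", "WAHH", 2011, "Wiley"), ("Doe", "Other Book", 2005, "Acme")]
USERS = [("admin", "s3cret", 1), ("brad", "secret", 0)]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (author, title, year, publisher)")
    con.execute("CREATE TABLE users (username, password, privs)")
    con.executemany("INSERT INTO books VALUES (?,?,?,?)", BOOKS)
    con.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    return con


def search_books_vulnerable(con, publisher):
    """String-built query: the user's input becomes part of the SQL structure."""
    sql = f"SELECT author,title,year FROM books WHERE publisher = '{publisher}'"
    return con.execute(sql).fetchall()


def search_books_safe(con, publisher):
    """Parameterized query: structure fixed by the app, the value bound as data."""
    sql = "SELECT author,title,year FROM books WHERE publisher = ?"
    return con.execute(sql, (publisher,)).fetchall()


def admin_password(con):
    return con.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]


def change_password_vulnerable(con, user, old_pw, new_pw):
    """String-built UPDATE: a '--' in the username comments out the password check."""
    sql = (f"UPDATE users SET password='{new_pw}' "
           f"WHERE username='{user}' and password='{old_pw}'")
    con.execute(sql)
    return admin_password(con)


def change_password_safe(con, user, old_pw, new_pw):
    """Parameterized UPDATE: the injected text is just a username that matches no row."""
    con.execute("UPDATE users SET password=? WHERE username=? and password=?",
                (new_pw, user, old_pw))
    return admin_password(con)


if __name__ == "__main__":
    con = make_db()
    print(search_books_vulnerable(con, "Wiley' OR 1=1--"))  # every book leaks
    print(search_books_safe(con, "Wiley' OR 1=1--"))        # [] (no such publisher)
    print(change_password_safe(con, "admin'--", "wrong", "newsecret"))  # still s3cret
```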

23 Summary, Comments and Questions
- Attacking data stores can be done in a variety of ways
- Protecting data stores is of utmost importance
- Understanding how these attacks take place enables one to better protect against them
- Questions and comments
