Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection Attacks Many web servers have backing databases

Published byElijah Hall Modified over 5 years ago

Similar presentations

Presentation on theme: "SQL Injection Attacks Many web servers have backing databases"— Presentation transcript:

1 SQL Injection Attacks Many web servers have backing databases
Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . .

2 SQL Injection Mechanics
Server plans to build a SQL query Needs some data from client to build it E.g., client’s user name Server asks client for data Client, instead, provides a SQL fragment Server inserts it into planned query Leading to a “somewhat different” query

3 An Example Intent is that user fills in his ID and password
“select * from mysql.user where username = ‘ “ . $uid . “ ‘ and password=password(‘ “. $pwd “ ‘);” Intent is that user fills in his ID and password What if he fills in something else? ‘or 1=1; -- ‘

4 What Happens Then? $uid has the string substituted, yielding
“select * from mysql.user where username = ‘ ‘ or 1=1; -- ‘ ‘ and password=password(‘ “. $pwd “ ‘);” This evaluates to true Since 1 does indeed equal 1 And -- comments out rest of line If script uses truth of statement to determine valid login, attacker has logged in

5 Basis of SQL Injection Problem
Unvalidated input Server expected plain data Got back SQL commands Didn’t recognize the difference and went ahead Resulting in arbitrary SQL query being sent to its database With its privileges

6 Some Example Attacks 130 million credit card numbers stolen in 2009 with SQL injection attack Used to steal 1 million Sony passwords Florida’s election site compromise by a SQL injection attack (2016) Successful SQL injections on Bit9, British Royal Navy, PBS Rasputin attacks on governments and universities (2017)

7 Solution Approaches Carefully examine all input
Use database access controls Randomization of SQL keywords Avoid using SQL in web interfaces Parameterized variables

8 Examining Input for SQL
SQL is a well defined language Generally web input shouldn’t be SQL So look for it and filter it out Problem: proliferation of different input codings makes the problem hard Problem: some SQL control characters are widely used in real data E.g., apostrophe in names

9 Using Database Access Controls
SQL is used to access a database Most databases have decent access control mechanisms Proper use of them limits damage of SQL injections Problem: may be hard to set access controls to prohibit all dangerous queries

10 Randomization of SQL Keywords
Change all SQL keywords into something random Then translate all your internal queries to that new “language” Those trying SQL injection need to inject your language, not standard SQL Problem: security is based on a secret Problem: could cause unexpected errors from otherwise correct behavior

11 Avoid SQL in Web Interfaces
Never build a SQL query based on user input to web interface Instead, use predefined queries that users can’t influence Typically wrapped by query-specific application code Problem: may complicate development

12 Use Parameterized Variables
SQL allows you to set up code so variables are bound parameters Parameters of this kind aren’t interpreted as SQL Pretty much solves the problem, and is probably the best solution

13 Malicious Downloaded Code
The web relies heavily on downloaded code Full language and scripting language Mostly scripts Instructions downloaded from server to client Run by client on his machine Using his privileges Without defense, script could do anything

14 Types of Downloaded Code
Java Full programming language Scripting languages JavaScript VB Script ECMAScript XSLT

15 Drive-By Downloads Often, user must request that something be downloaded But not always Sometimes visiting a page or moving a cursor causes downloads These are called drive-by downloads Since the user is screwed just by visiting the page

16 Solution Approaches Disable scripts in your browser
Use secure scripting languages Isolation mechanisms Vista mandatory access control Virus protection and blacklist approaches

17 Disabling Scripts Browsers (or plug-ins) can disable scripts
Selectively, based on web site The bad script is thus not executed Problem: Cripples much good web functionality So users re-enable scripting

18 Use Secure Scripting Languages
Some scripting languages are less prone to problems than others Write your script in those Problem: secure ones aren’t popular Problem: many bad things can still be done with “secure” languages Problem: can’t force others to write their scripts in these languages

19 Isolation Mechanisms Architecturally arrange for all downloaded scripts to run in clean VM Limiting the harm they can do Problem: they might be able to escape the VM Problem: what if a legitimate script needs to do something outside its VM?

20 Vista Mandatory Access Control
In Vista, browser ran at low privilege level So scripts it downloaded did, too Limiting damage they could do Problem: also limited desirable things good scripts could do

21 Signatures and Blacklists
Identify known bad scripts Develop signatures for them Put them on a blacklist and distribute it to others Before running downloaded script, automatically check blacklist Problem: same as for virus protection

Download ppt "SQL Injection Attacks Many web servers have backing databases"

Similar presentations

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.

Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
PHP Security.

PHP Security.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.

PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.

OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.

Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.
PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER.

PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Similar presentations

Ads by Google