Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Published byBertina Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages."— Presentation transcript:

1 Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages are built (in part) based on queries to a database –Possibly using some client input...

2 Lecture 16 Page 2 CS 236 Online SQL Injection Mechanics Server plans to build a SQL query Needs some data from client to build it –E.g., client’s user name Server asks client for data Client, instead, provides a SQL fragment Server inserts it into planned query –Leading to a “somewhat different” query

3 Lecture 16 Page 3 CS 236 Online An Example “select * from mysql.user where username = ‘ “. $uid. “ ‘ and password=password(‘ “. $pwd “ ‘);” Intent is that user fills in his ID and password What if he fills in something else? ‘or 1=1; -- ‘

4 Lecture 16 Page 4 CS 236 Online What Happens Then? $uid has the string substituted, yielding “select * from mysql.user where username = ‘ ‘ or 1=1; -- ‘ ‘ and password=password(‘ “. $pwd “ ‘);” This evaluates to true –Since 1 does indeed equal 1 –And -- comments out rest of line If script uses truth of statement to determine valid login, attacker has logged in

5 Lecture 16 Page 5 CS 236 Online Basis of SQL Injection Problem Unvalidated input Server expected plain data Got back SQL commands Didn’t recognize the difference and went ahead Resulting in arbitrary SQL query being sent to its database –With its privileges

6 Lecture 16 Page 6 CS 236 Online Some Example Attacks 130 million credit card numbers stolen in 2009 with SQL injection attack Used to steal 1 million Sony passwords Yahoo lost 450,000 passwords to a SQL injection in 2012 Successful SQL injections on Bit9, British Royal Navy, PBS Ruby on Rails had built-in SQL injection vulnerability in 2012

7 Lecture 16 Page 7 CS 236 Online Solution Approaches Carefully examine all input Use database access controls Randomization of SQL keywords Avoid using SQL in web interfaces Parameterized variables

8 Lecture 16 Page 8 CS 236 Online Examining Input for SQL SQL is a well defined language Generally web input shouldn’t be SQL So look for it and filter it out Problem: proliferation of different input codings makes the problem hard Problem: some SQL control characters are widely used in real data –E.g., apostrophe in names

9 Lecture 16 Page 9 CS 236 Online Using Database Access Controls SQL is used to access a database Most databases have decent access control mechanisms Proper use of them limits damage of SQL injections Problem: may be hard to set access controls to prohibit all dangerous queries

10 Lecture 16 Page 10 CS 236 Online Randomization of SQL Keywords Change all SQL keywords into something random Then translate all your internal queries to that new “language” Those trying SQL injection need to inject your language, not standard SQL Problem: security is based on a secret Problem: could cause unexpected errors from otherwise correct behavior

11 Lecture 16 Page 11 CS 236 Online Avoid SQL in Web Interfaces Never build a SQL query based on user input to web interface Instead, use predefined queries that users can’t influence Typically wrapped by query-specific application code Problem: may complicate development

12 Lecture 16 Page 12 CS 236 Online Use Parameterized Variables SQL allows you to set up code so variables are bound parameters Parameters of this kind aren’t interpreted as SQL Pretty much solves the problem, and is probably the best solution

13 Lecture 16 Page 13 CS 236 Online Malicious Downloaded Code The web relies heavily on downloaded code –Full language and scripting language –Mostly scripts Instructions downloaded from server to client –Run by client on his machine –Using his privileges Without defense, script could do anything

14 Lecture 16 Page 14 CS 236 Online Types of Downloaded Code Java –Full programming language Scripting languages –JavaScript –VB Script –ECMAScript –XSLT

15 Lecture 16 Page 15 CS 236 Online Drive-By Downloads Often, user must request that something be downloaded But not always –Sometimes visiting a page or moving a cursor causes downloads These are called drive-by downloads –Since the user is screwed just by visiting the page

16 Lecture 16 Page 16 CS 236 Online Solution Approaches Disable scripts in your browser Use secure scripting languages Isolation mechanisms Vista mandatory access control Virus protection and blacklist approaches

17 Lecture 16 Page 17 CS 236 Online Disabling Scripts Browsers (or plug-ins) can disable scripts –Selectively, based on web site The bad script is thus not executed Problem: Cripples much good web functionality –So users re-enable scripting

18 Lecture 16 Page 18 CS 236 Online Use Secure Scripting Languages Some scripting languages are less prone to problems than others Write your script in those Problem: secure ones aren’t popular Problem: many bad things can still be done with “secure” languages Problem: can’t force others to write their scripts in these languages

19 Lecture 16 Page 19 CS 236 Online Isolation Mechanisms Architecturally arrange for all downloaded scripts to run in clean VM –Limiting the harm they can do Problem: they might be able to escape the VM Problem: what if a legitimate script needs to do something outside its VM?

20 Lecture 16 Page 20 CS 236 Online Vista Mandatory Access Control In Vista, browser ran at low privilege level So scripts it downloaded did, too Limiting damage they could do Problem: also limited desirable things good scripts could do

21 Lecture 16 Page 21 CS 236 Online Signatures and Blacklists Identify known bad scripts Develop signatures for them Put them on a blacklist and distribute it to others Before running downloaded script, automatically check blacklist Problem: same as for virus protection

Download ppt "Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages."

Similar presentations

Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
PHP Security.

PHP Security.
Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 

Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Browser Security Evaluation IE6 vs. IE7 vs. Firefox 3.0 Gowri Kanugovi.

Browser Security Evaluation IE6 vs. IE7 vs. Firefox 3.0 Gowri Kanugovi.
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
Feedback #2 (under assignments) Lecture Code:

Feedback #2 (under assignments) Lecture Code:
Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Similar presentations

Ads by Google