Dirty Data: SQL Injection and You
Kelly FitzGerald
Sr. Vulnerability Analyst
Sr. Vulnerability Analyst
• Joined Symantec 2003
• Advisor to the Crypto Review Board
• Captain of the Emergency Response Team, Culver City
• Work with researchers on responsible/coordinated disclosure
• Implementation of Neural Economics
How Do We Do It?
• Vulnerability Management
  – Coordinate external vulnerabilities
    • Blackhats
    • Whitehats
    • Customers
  – Pay no money for vulns
• Goals
  – Keep things quiet
  – Assess the damage
  – Release a fix
  – Disclose, carefully
The Usual Suspects
1. The Academic
2. The Legit Research Lab
3. The other Research Lab
4. The IT guy that finds something
5. The fame seeker
6. The fortune seeker
7. That guy without a clue
Groups in LA that work with IT/Software Security
http://www.OWASP.org
• Non-profit; groups meet around the world to exchange security information
• The LA Chapter meets every 3rd Wednesday at Symantec in Culver City
• This month is a joint meeting with ISSA and will be held March 16th at Les Freres Taix Restaurant
• Topic will be STUXNET
• Normally meetings are free, but because of the restaurant admission is $20-$40
• More technical
ISSA: Information Systems Security Association
• http://wwww.issa-la.org
• More directed to the management perspective (i.e. CSO)
• Monthly lunchtime meetings
OWASP Top 10
• The Ten Most Critical Web Application Security Vulnerabilities
• 2010 Release
• A great start, but not a standard
What, Me Worry?
• 1. Injection
• 2. Cross Site Scripting (XSS)
• 3. Broken Authentication and Session Management
• 4. Insecure Direct Object References
• 5. Cross Site Request Forgery (CSRF)
• 6. Security Misconfiguration
• 7. Failure to Restrict URL Access
• 8. Unvalidated Redirects and Forwards
• 9. Insecure Cryptographic Storage
• 10. Insufficient Transport Layer Protection
Top 10 Methodology
• Take the MITRE Vulnerability Trends for 2006, and distill the Top 10 web application security issues
What is an Exploit?
Exploit: Taking Advantage of a Vulnerability
The House that Software Built
Confidentiality: Strangers knowing the objects in the house.
Integrity: Someone comes inside and swaps the expensive jewelry for fakes.
Availability: Someone breaks a key in the lock so nobody can use the door.
CIA: Confidentiality
• Webserver contains private employee HR files
• Files only intended for managers
Confidentiality Breach
• Unauthorized persons can view the protected information
CIA: Integrity
• Webserver contains private employee HR files
• Files only intended for managers
Integrity Breach
• Unauthorized users can modify the sensitive data
CIA: Availability
• Webserver contains private employee HR data
• Data is only intended for managers
Availability Breach
• The server cannot be logged into
Hacme Casino: I bet you can’t Hack Me!
Best Guess of the SQL Query That is Being Run
SELECT * FROM users
WHERE(
username='<username>'
AND
password='<password>'
)
SQL Injection.. What???
A SQL injection attack is an attack in which user input that has not been checked for validity is incorporated into a database query, so that the input is interpreted as SQL rather than as data. The objective is to fool the database system into running the attacker's SQL, which can reveal sensitive information, alter data, or otherwise compromise the server.
Let's Pretend I'm the Naughty Guy
• Don't want to change the queries on the server.
  • Too traceable
  • Too much hacking
  • Cuts into watching CSI
• What if I could just make a few adjustments to help my access problems?
A New Coat of Paint
SELECT * FROM users WHERE(username='<username>' AND password='<password>')
Redecorated into:
SELECT * FROM users WHERE(username='')OR 1=1 --AND password='')
Why Would this Give us Unauthorized Access?
SELECT * FROM users WHERE(username='')OR 1=1 --AND password='')
• We're asking for a null username ''
• ...OR for every row, since 1=1 is always true
• -- starts an inline comment, so the rest of the statement (including the password check) is disregarded
Nice, but how do you actually do it…
On My Way to Gambling Fame
SELECT * FROM users WHERE(username='<username>' AND password='<password>')
SELECT * FROM users WHERE(username='')OR 1=1 --AND password='')
Ahh Yes, In The Casino.. Thank You 1=1
Using Comments to Get Around Safety Checks
/*Comment Here*/ (SM)
– DROP/*comment*/sampletable
– DR/**/OP/*bypass blacklisting*/sampletable
– SELECT/*avoid-spaces*/password/**/FROM/**/Members
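The two attacks above, the 1=1 redecoration of the login query and the use of /**/ comments to slip past a safety check, as an added example that is not part of the slides: the best-guess query is built by string concatenation and run against an in-memory SQLite database. The users table, the user names and the passwords are constructed for the demo, not taken from Hacme Casino, and the space-rejecting filter is an assumed stand-in for the kind of blacklist the comments slide is about.

```python
# Added example (not from the slides): the best-guess login query run
# against an in-memory SQLite database. Table, user names and passwords
# are constructed for the demo, not taken from Hacme Casino.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the casino's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("andy", "hunter2"), ("bobby", "correct horse")],
    )
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """Build the query the way the slide implies: by gluing strings together.

    Whatever the user types lands inside the SQL text, so quote characters,
    operators and comment markers in the input become part of the grammar.
    """
    return ("SELECT * FROM users WHERE(username='" + username
            + "' AND password='" + password + "')")


def vulnerable_login(conn: sqlite3.Connection, username: str,
                     password: str) -> list:
    """Return every row the concatenated query matches (one row = logged in)."""
    return conn.execute(vulnerable_query(username, password)).fetchall()


def rejects_spaces(user_input: str) -> bool:
    """Assumed naive 'safety check': refuse input containing a space,
    hoping that blocks 'OR 1=1'. True means the input is rejected."""
    return " " in user_input


if __name__ == "__main__":
    db = make_db()
    # Normal behaviour: one row for the right password, none for a wrong one.
    print(vulnerable_login(db, "andy", "hunter2"))
    print(vulnerable_login(db, "andy", "wrong"))
    # The slide's payload: close the quote and the parenthesis, OR in a
    # tautology, then comment out the password check with --.
    payload = "')OR 1=1 --"
    print(vulnerable_query(payload, "x"))
    print(vulnerable_login(db, payload, "x"))        # every user
    # Same attack with /**/ standing in for the space: it passes the naive
    # filter, and SQL treats the comment as whitespace, so it still works.
    sneaky = "')OR/**/1=1--"
    print(rejects_spaces(payload), rejects_spaces(sneaky))
    print(vulnerable_login(db, sneaky, "x"))         # every user again
```

The filter bypass shown is the whitespace substitution from the comments slide (the SELECT/**/password/**/FROM form); it is the one that every SQL dialect honours, because a comment is simply treated as whitespace by the tokenizer.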
How many ways can you say
• http://www.yahoo.com
• http://209.191.93.52 (the "vanilla" IP address version everyone knows and loves)
• http://0xD1BF5D34 (hex representation of a Yahoo server)
• http://0x123456789D1BF5D34/ (hex representation of a Yahoo server with a bunch of extra numbers, "123456789", in front; those numbers are disregarded by some browsers)
• http://3518979380/ (decimal representation of an IP)
• http://0321.0277.0135.064 (octal representation of an IP)
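The address spellings listed above, as an added example that is not from the slides: the code derives the hex, decimal and dotted-octal forms of the slide's Yahoo address and reduces any of them back to dotted decimal, which is what a hostname allow- or deny-list has to do before it compares anything. The treatment of over-long hex literals (keep the low 32 bits) is an assumption that mimics the browser behaviour the slide describes, not a parsing standard.

```python
# Added example (not from the slides): alternate spellings of an IPv4
# address and their normalisation back to dotted decimal.
import re


def ip_to_int(dotted: str) -> int:
    """'209.191.93.52' -> 0xD1BF5D34; rejects anything that is not four
    in-range decimal octets."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_spellings(dotted: str) -> dict:
    """The hex, decimal and dotted-octal forms listed on the slide."""
    n = ip_to_int(dotted)
    return {
        "dotted": dotted,
        "hex": "0x%08X" % n,
        "decimal": str(n),
        "octal": ".".join("0%o" % int(o) for o in dotted.split(".")),
    }


def canonical_ip(host: str) -> str:
    """Reduce an IP literal in any of the slide's spellings to dotted decimal.

    An optional http:// or https:// prefix and a trailing slash are stripped
    so the slide's URLs can be passed in as-is.
    """
    host = re.sub(r"^https?://", "", host.strip()).rstrip("/")
    if re.fullmatch(r"0[xX][0-9A-Fa-f]+", host):
        # Keeping only the low 32 bits reproduces the behaviour the slide
        # describes for over-long hex forms, where the leading digits are
        # ignored (assumption about those browsers, not a standard).
        return int_to_ip(int(host, 16) & 0xFFFFFFFF)
    if re.fullmatch(r"[0-9]+", host):
        n = int(host)
        if n > 0xFFFFFFFF:
            raise ValueError(f"decimal IP out of range: {host!r}")
        return int_to_ip(n)
    parts = host.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"[0-9]+", p) for p in parts):
        # A leading zero marks an octal octet, as in 0321.0277.0135.064.
        octets = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)
                  for p in parts]
        return int_to_ip(ip_to_int(".".join(str(o) for o in octets)))
    raise ValueError(f"not an IPv4 literal: {host!r}")


if __name__ == "__main__":
    print(ip_spellings("209.191.93.52"))
    for url in ("http://209.191.93.52", "http://0xD1BF5D34",
                "http://0x123456789D1BF5D34/", "http://3518979380/",
                "http://0321.0277.0135.064"):
        print(url, "->", canonical_ip(url))
```

The point for a filter author is the last function: compare canonical forms, never the string the user typed, or every spelling above walks past a check written for http://209.191.93.52.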
Cross-Site Scripting (XSS)
• Occurs any time...
  – Raw data from an attacker is sent to an innocent user
• Raw data...
  – Stored in a database
  – Reflected from web input (form field, hidden field, URL, etc.)
  – Sent directly into a rich JavaScript client
• Virtually every web application has this problem
  – Try this in your browser: javascript:alert(document.cookie)
• Allows attackers to embed malicious code:
  – JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
• Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...
Cross-Site Scripting Illustrated
(Diagram: an application with a stored XSS vulnerability, built from custom code behind business functions such as Communication, Knowledge Mgmt, E-Commerce, Administration, Transactions, Accounts and Finance.)
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page and sees the attacker's profile.
3. The script runs inside the victim's browser with full access to the DOM and cookies, and silently sends the attacker the victim's session cookie.
Oh Great. This Totally Means More Work for Me
• That default MySQL admin account/password? Make sure it's gone.
• Operation of least privilege. Build your application with the assumption that the user is an admin. Then change it to a low-privilege user. Then cry. Then adjust.
• Encrypted queries, parameterized queries. If it's not predictable, you can't inject so easily.
• Admin accounts: no remote access.
• Cleanse your input. Don't allow SQL in the textbox. The OWASP ESAPI project is free and can help.
• No user input, no SQL injection.
Parameterized Queries, Encryption and Stored Procedures
Parameterized
• string commandText = "SELECT * FROM Customers " + "WHERE Country=@CountryName";
  SqlCommand cmd = new SqlCommand(commandText, conn);
  cmd.Parameters.Add("@CountryName", countryName);
Encryption
• Kjaglfjg;kjgflkjt jgmzlgkjzlfkglakgla;dfkglkgfjalfka;dkga
Stored Procedure
• CREATE PROCEDURE dbo.CreateUserTable @userName sysname AS
  EXEC('CREATE TABLE ' + @userName + ' (column1 varchar(100), column2 varchar(100))');
  GO
• Caveat: a stored procedure only helps when it does not rebuild SQL from its arguments. This one splices @userName into an EXEC string, so a caller who controls @userName can inject into it just as with the concatenated login query.
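The parameterized fix and the stored-procedure caveat, as an added example that is not the slides' C# or T-SQL: the same login query is hardened with placeholders in Python's sqlite3, and the CreateUserTable case is reworked with an allow-list check, because a table name cannot be passed as a parameter and has to be validated before it is spliced into the statement. The users table and credentials are constructed for the demo, and the identifier rule is an assumption.

```python
# Added example (not the slides' code): the login hardened with a
# parameterized query, plus the allow-list check dynamic DDL needs.
# Table, users and passwords are constructed for the demo.
import re
import sqlite3

# Assumed naming rule for per-user tables: a plain SQL identifier, max 64 chars.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the casino's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("andy", "hunter2"), ("bobby", "correct horse")])
    return conn


def safe_login(conn: sqlite3.Connection, username: str,
               password: str) -> list:
    """The '?' placeholders are bound by the driver after the statement is
    parsed, so ')OR 1=1 -- is compared literally against the column and
    never becomes SQL syntax."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def is_valid_identifier(name: str) -> bool:
    """Allow-list check: the whole string must match the identifier rule."""
    return IDENTIFIER.fullmatch(name) is not None


def create_user_table(conn: sqlite3.Connection, user_name: str) -> str:
    """Equivalent of the slide's CreateUserTable procedure.

    A placeholder cannot stand in for an identifier, so the name has to be
    spliced into the statement text. Splicing it unchecked, as the slide's
    EXEC('CREATE TABLE ' + @userName + ...) does, leaves the procedure as
    injectable as any concatenated query; the allow-list check plus the
    double quoting are what make this version safe.
    """
    if not is_valid_identifier(user_name):
        raise ValueError(f"rejected table name: {user_name!r}")
    conn.execute(f'CREATE TABLE "{user_name}" '
                 "(column1 VARCHAR(100), column2 VARCHAR(100))")
    return user_name


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT count(*) FROM sqlite_master "
                       "WHERE type='table' AND name=?", (name,)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print(safe_login(db, "andy", "hunter2"))          # one row
    print(safe_login(db, "')OR 1=1 --", "x"))          # no rows: data, not SQL
    print(create_user_table(db, "andy_tbl"), table_exists(db, "andy_tbl"))
    try:
        create_user_table(db, 'x" (a TEXT); DROP TABLE users; --')
    except ValueError as err:
        print(err)
```

The split matters: values go through placeholders, identifiers go through an allow-list. A stored procedure that does neither, as on the slide, is a concatenated query with extra steps.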
The Cookie that hacked the Pentagon
http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title=1%3E%22%3E%3CScRiPt%20%0A%0D%3Ealert%28document.cookie%29%3B%3C/ScRiPt%3E
2009 Hackers Review
I Have this great Widget, it even has a picture Frame!
5 Pictures, Each A Chance for Exploitation
I Always Thought My Blog Needed More Fame…
One Smart Cookie
Romanian hacker, Ne0h
The XSS URL
• http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title=1%22%3E%3Ciframe%20src=http://ne0h.baywords.com%3E%3C/iframe%3E
The Resulting HTML (shown for the alert(document.cookie) payload from the earlier slide)
<div id="content_1column"> <div id="content_main">
<h2>Tours</h2>
<h3>Photo Gallery</h3>
<div id="galleryPhotoLg">
<img src="images/largePhotos/1>">
<ScRiPt >alert(document.cookie);</ScRiPt>" width="650" height="480" alt="Image Gallery" /> </div>
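How the two URLs above turn into the resulting HTML, as an added example that is not the site's code: the title parameter is percent-decoded the way the server would, dropped into an img tag that is an assumed template modelled on the resulting HTML shown on the slide, and then rendered again with the value HTML-escaped for an attribute context.

```python
# Added example (not the site's code): reconstruct the reflected XSS from
# the slides' URLs against an assumed img template, then show the same
# values after HTML-escaping.
import html
from urllib.parse import parse_qs, urlsplit

# The two URLs from the slides, reassembled onto one line each.
ALERT_URL = ("http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title="
             "1%3E%22%3E%3CScRiPt%20%0A%0D%3Ealert%28document.cookie%29%3B"
             "%3C/ScRiPt%3E")
IFRAME_URL = ("http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title="
              "1%22%3E%3Ciframe%20src=http://ne0h.baywords.com%3E%3C/iframe%3E")


def title_param(url: str) -> str:
    """Percent-decode the title parameter the way the server would."""
    return parse_qs(urlsplit(url).query)["title"][0]


def render_unescaped(title: str) -> str:
    """Assumed vulnerable template: the decoded value is dropped straight
    into the src attribute, so a '">' in it ends the attribute and the tag,
    and whatever follows is parsed as new markup."""
    return (f'<img src="images/largePhotos/{title}" width="650" '
            'height="480" alt="Image Gallery" />')


def render_escaped(title: str) -> str:
    """Same template with the value HTML-escaped for an attribute context:
    < > " & become entities, so the browser sees one long file name."""
    safe = html.escape(title, quote=True)
    return (f'<img src="images/largePhotos/{safe}" width="650" '
            'height="480" alt="Image Gallery" />')


def injects_markup(markup: str) -> bool:
    """True if a <script or <iframe start tag is present in the markup."""
    lowered = markup.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    for url in (ALERT_URL, IFRAME_URL):
        title = title_param(url)
        print(repr(title))
        print(render_unescaped(title), injects_markup(render_unescaped(title)))
        print(render_escaped(title), injects_markup(render_escaped(title)))
```

The decoded alert payload is 1>"><ScRiPt \n\r>alert(document.cookie);</ScRiPt>, which is exactly the broken img tag followed by a script element that the slide shows; the escaped rendering contains no tag at all.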
Okay, I'm Curious. What Now?
• Hacme Bank and Hacme Casino. Originally built by Foundstone/McAfee, now maintained by OWASP.
• OWASP SQL Injection Prevention "Cheat Sheet": http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• WebGoat: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWASP Live CD (the VMware image is easiest): http://www.owasp.org/index.php/OWASP_Live_CD
What Else? I don't have time for this.
• Fortify: static code analysis
• Cenzic Hailstorm: good at detecting XSS and SQL injection
• Penetration testing: hire an agency (generally for 1-2 weeks) to do every dirty trick they know to break the security of your application.
Thank you!
Kelly FitzGerald
[email protected]
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY
Copyright © 2010 Symantec Corporation. All rights reserved.