SQL Injection & Soul Injection attacks (PowerPoint PPT presentation)

Mano ‘dash4rk’ Paul, CISSP, CSSLP, AMBCI, MCAD, MCSD, CompTIA Network+, ECSA

Transcript of SQL Injection & Soul Injection attacks

Page 1: SQL Injection & Soul Injection attacks

Mano ‘dash4rk’ Paul, CISSP, CSSLP, AMBCI, MCAD, MCSD, CompTIA Network+, ECSA

Page 2: SQL Injection & Soul Injection attacks

ABC’s about me

• Author – The 7 Qualities of Highly Secure Software; The Official (ISC)2 Guide to the CSSLP
• Advisor – Software Assurance Advisor
• Biologist – Shark Researcher, Bimini Islands, Bahamas
• Christian
• CEO – SecuRisk Solutions / Express Certifications

www.hackformers.org

Page 3: SQL Injection & Soul Injection attacks

Agenda

• Teach Security (SQL Injection)
• Teach Christ (Soul Injection)
• Teach Security In Christ (Discussion)

Page 4: SQL Injection  &  Soul Injection  attacks

SQL Injection

Teach Security

Page 5: SQL Injection & Soul Injection attacks

Going down memory lane

Page 6: SQL Injection & Soul Injection attacks

Problem on the rise

• OWASP Top 10 rankings – 6th (2004), 2nd (2007), 1st (2010)

Page 7: SQL Injection & Soul Injection attacks

No(thing/one) is safe

Page 8: SQL Injection & Soul Injection attacks

Is this still a problem?

Page 9: SQL Injection & Soul Injection attacks

So what is SQL Injection?

• An attack in which the attacker supplies input that is concatenated with the application’s internal SQL commands and then executed as part of them.

SQL Command + User Input(s) → SQL Command(s)

Page 10: SQL Injection & Soul Injection attacks

The Hacker

• Attempts to exploit vulnerabilities and execute their own commands within your application
• Seeks control upon compromise

Page 11: SQL Injection & Soul Injection attacks

Tell me, and I’ll forget. Show me, and I may remember. Involve me, and I’ll understand.

DEMO

Page 12: SQL Injection & Soul Injection attacks

Root Cause Analysis

• External: Input not handled properly
• Internal: Dynamic query construction

// C# (ASP.NET) login query built by string concatenation: the vulnerable "before" code
string _sQry = "SELECT * FROM USERS WHERE uname = '" + txtUserName.Text + "' AND pwd = '" + txtPassword.Text + "'";

Attacker supplies ' OR 1=1 -- as the user name, and the query becomes:

string _sQry = "SELECT * FROM USERS WHERE uname = '' OR 1=1 -- ' AND pwd = '" + txtPassword.Text + "'";

Everything after -- is a SQL comment, so the password check is never evaluated and the WHERE clause is true for every row.

Page 13: SQL Injection & Soul Injection attacks

Impact

• Theft / Disclosure (Confidentiality)
  – ' UNION SELECT min(uname), '', '' FROM USERS WHERE uname > 'a' --
• Alteration (Integrity)
  – '; UPDATE USERS SET pwd = 'h@x0r' WHERE uname = 'administrator' --
• Destruction / DoS (Availability)
  – '; DROP TABLE USERS --

Page 14: SQL Injection & Soul Injection attacks

Mitigation Controls

• Handle Input
  – Replace quotes
  – Validate (format, length, range, type)
  – Filter (blacklist / whitelist)
• Error/Exception Handling
  – Laconic messages
  – Catch all exceptions
  – Don’t show the error
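The two controls on this slide, handling input and handling errors laconically, as an added Python example that is not from the deck (the deck’s own code is C#/ASP.NET). validate_username implements the validate/filter step as a whitelist (format, length and type in one check), and lookup_user catches database exceptions, logs the detail server-side and returns only a short message to the caller. The names validate_username, lookup_user and open_db, and the two sample USERS rows, are this example’s own assumptions.

```python
# Added example (not from the slide deck): "Handle Input" and
# "Error/Exception Handling" from the Mitigation Controls slide, in Python.
# validate_username, lookup_user and open_db are this example's own names;
# the deck's code is C#/ASP.NET (txtUserName.Text, _sQry).
import logging
import re
import sqlite3

log = logging.getLogger("login")

# Whitelist: letters, digits, dot, underscore, hyphen; 3 to 32 characters.
# One pattern covers the slide's format and length checks.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def validate_username(value):
    """Return True only if value is a str that matches the whitelist pattern."""
    if not isinstance(value, str):                     # type check
        return False
    return USERNAME_RE.fullmatch(value) is not None    # format + length check


def open_db():
    """Constructed in-memory USERS table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, pwd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("alice", "correct-horse"), ("administrator", "s3cret")])
    return conn


def lookup_user(uname, conn=None):
    """Laconic result for the caller; the real detail goes to the internal log.

    Returns one of "invalid input", "found", "not found", "login unavailable".
    """
    if not validate_username(uname):
        log.warning("rejected username %r", uname)    # detail stays server-side
        return "invalid input"
    try:
        conn = conn or open_db()
        row = conn.execute("SELECT uname FROM USERS WHERE uname = ?",
                           (uname,)).fetchone()
        return "found" if row else "not found"
    except sqlite3.Error as exc:
        # Catch the database error, log it, and never echo it to the user.
        log.exception("database error during lookup: %s", exc)
        return "login unavailable"


if __name__ == "__main__":
    print(lookup_user("alice"))           # found
    print(lookup_user("bob"))             # not found
    print(lookup_user("' OR 1=1 --"))     # invalid input
```

The whitelist rejects the quote and space characters outright rather than escaping them, which is the stronger of the two "filter" options the slide lists. Treat this as defense in depth: the deck’s own later slide names parameterization as the primary control, and validation here is what keeps malformed input and detailed error text away from the caller.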

Page 15: SQL Injection & Soul Injection attacks

Mitigation Controls (Continued)

• Implement Least Privilege
  – Reader/writer accounts instead of database owner (dbo)
  – Remove unneeded functions/procedures
  – Harden the database server
• Re-architect the Application
  – Change the way the application processes input

Page 16: SQL Injection & Soul Injection attacks

Re-architect the Application

• Disallow dynamic query construction
• Use parameterized procedures/statements
• Use Language Integrated Query (LINQ) (if supported)

Parameterization keeps input as data: values are bound to placeholders and never concatenated into the SQL command text, so input cannot change the command that runs.

This is the BEST defense against SQL Injection
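The concatenated login query from the Root Cause Analysis slide, rebuilt beside the parameterized form this slide recommends, so the difference can be run rather than read. This is an added Python/SQLite example, not the deck’s C# code; the function names login_concatenated and login_parameterized, the in-memory USERS table and its two sample rows are constructed for the example.

```python
# Added example (not from the slide deck): the deck's dynamic query from the
# "Root Cause Analysis" slide, rebuilt on an in-memory SQLite table, beside
# the parameterized statement this slide recommends. make_db,
# login_concatenated, login_parameterized and the USERS rows are assumptions.
import sqlite3


def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, pwd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("alice", "correct-horse"), ("administrator", "s3cret")])
    return conn


def login_concatenated(conn, uname, pwd):
    """Vulnerable: user input becomes part of the SQL command text.

    Mirrors the deck's C# line
      "SELECT * FROM USERS WHERE uname = '" + txtUserName.Text
        + "' AND pwd = '" + txtPassword.Text + "'"
    Returns the matched username, or None.
    """
    query = ("SELECT uname FROM USERS WHERE uname = '" + uname
             + "' AND pwd = '" + pwd + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, pwd):
    """Hardened: the command text is fixed; input travels as bound values."""
    row = conn.execute(
        "SELECT uname FROM USERS WHERE uname = ? AND pwd = ?",
        (uname, pwd),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials work with both forms.
    print(login_concatenated(db, "alice", "correct-horse"))   # alice
    print(login_parameterized(db, "alice", "correct-horse"))  # alice
    # The deck's ' OR 1=1 -- input: the concatenated command now reads
    # "... WHERE uname = '' OR 1=1 --' AND pwd = 'x'" and matches a row
    # with no valid password; the parameterized command looks for a user
    # literally named ' OR 1=1 -- and finds nothing.
    print(login_concatenated(db, "' OR 1=1 --", "x"))         # a username: bypass
    print(login_parameterized(db, "' OR 1=1 --", "x"))        # None
```

The command text of the parameterized form never changes, which is why the input cannot alter it. Bound parameters only carry values, though: table and column names cannot be parameterized, so those must come from application constants, never from user input.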

Page 17: SQL Injection  &  Soul Injection  attacks

Soul Injection

Teach Christ

Page 18: SQL Injection & Soul Injection attacks

What is Soul Injection?

• An attack in which the devil supplies temptations that get concatenated with our internal commands and executed.

Page 19: SQL Injection & Soul Injection attacks

The attacker

• The Devil, a.k.a. Satan, attempts to exploit human weaknesses and execute his own commands within your life
• Seeks control upon compromise

Satan, the attacker, is like a roaring lion, seeking whom he may devour (1 Peter 5:8)

Page 20: SQL Injection & Soul Injection attacks

Since the beginning of time

• In the Garden of Eden, through time till
• Today, and still rising …

Satan, the attacker, has blinded the minds of many, lest they see the glorious light of the Gospel in Jesus Christ (2 Corinthians 4:4)

Page 21: SQL Injection & Soul Injection attacks

No one is safe

• Irrespective of race, color, sex, age, nationality, or even religion.

All have sinned and have fallen short of the glory of God (Romans 3:23)

The wages of sin is death (Romans 6:23)

Page 22: SQL Injection & Soul Injection attacks

Root Cause Analysis

• External: Not handling temptations properly
  – Sin is crouching at your door; don’t let it master you (Genesis 4:7)
• Internal: Conceived in sin (the way we are architected)
  – Each person is tempted when he is lured and enticed by his own desire (Psalm 51:5, James 1:14-15; ESV)

Page 23: SQL Injection & Soul Injection attacks

Impact

• Theft / Disclosure (Confidentiality)
  – The thief (devil) cometh not, but for to steal, and to kill, and to destroy: I (Jesus) have come so that you might have life, and that you might have it more abundantly (John 10:10)
• Alteration (Integrity)
  – The devil is the father of lies (John 8:44) who alters the truth
• Destruction / DoS (Availability)
  – Then desire when it (desire) has conceived (concatenated with temptation) gives birth to sin (action), and sin when it is fully grown brings forth death (destruction) (James 1:15)
  – No man can serve two masters (Matthew 6:24); DoS to God

Page 24: SQL Injection & Soul Injection attacks

Mitigating Controls

• Handle Temptation – Replace / Validate / Filter
• Be laconic – Let your ‘Yes’ be ‘Yes’ and your ‘No’ be ‘No’; all else beyond this is from the evil one (Matthew 5:37)
• Implement least privilege – Be humble, putting on the mind of Christ (Philippians 2:5-8)

Page 25: SQL Injection & Soul Injection attacks

The Control

• Re-architect your life
  – Change the way you handle temptation; repent and disallow responses to temptation input
  – Store inside of you the Holy Spirit of Jesus Christ, who is given to all who believe in his Name.

The Holy Spirit will help you render ineffective all temptations and he will help you handle them.

THE BEST (and only) DEFENSE against SOUL INJECTION is JESUS CHRIST

Page 26: SQL Injection  &  Soul Injection  attacks

Points to Ponder

Teach Security In Christ

Page 27: SQL Injection & Soul Injection attacks

Discussion Points

• How are you defending your soul against injection attacks by Satan (the attacker)?

All who call on the name of the Lord Jesus Christ shall be saved (Joel 2:32)

Page 28: SQL Injection & Soul Injection attacks

Closing Thoughts

try {
    if (uLikedThisPresentationAndMtg) {
        subscribeViaEmail();
        followAndTweet();   // @hackformers
        getLinkedIn();
        emailUs();          // [email protected]
    } else {
        giveFeedback();     // [email protected]
    }
} catch (Temptations t) {
    applyControl(God JesusChrist);
} finally {
    ThankUandGodBless();
}

Page 29: SQL Injection  &  Soul Injection  attacks

References

Page 30: SQL Injection  &  Soul Injection  attacks

Backup