1 / 18

Injection Rejection, or

Injection Rejection, or. How I Learned To Stop Worrying And Love Bobby Tables. What’s an “injection” attack?. An injection interprets user-supplied data—as malicious code. Attack surfaces. Direct user input. Filesystem. Environment variables. Database values.

sylvie
Download Presentation

Injection Rejection, or

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Injection Rejection, or How I Learned To Stop Worrying And Love Bobby Tables

  2. What’s an “injection” attack? An injection interprets user-supplied data—as malicious code.

  3. Attack surfaces • Direct user input. • Filesystem. • Environment variables. • Database values. • Anything interpreted at runtime. • Anything “just-in-time” compiled. Injection Rejection

  4. CGI example in Perl use CGI; use DBI; my @flagged = getFlaggedEntries(); my $bogus = join(',',@flagged); my $sql = "delete from student where id in ($bogus)\n"; my $sh = $db->prepare ($sql) || die "Couldn't prepare SQL statement: $!"; $sh->execute() || die "Couldn't execute SQL statement: $!"; Injection Rejection

  5. What it’s supposed to do Sane input: 303,101,404 delete from student where id in (303,101,404) Injection Rejection

  6. What it actually does Not-so-sane input: 303); truncate table users; -- delete from student where id in (303); truncate table users; --) Injection Rejection

  7. Rubber, meet road # return array of CGI parameters named flag#### where # the #### indicates one or more characters. Strips the # “flag” prefix. sub getFlaggedEntries() { my @f = (); # return value foreach (keys %{$cgi->Vars()}) { next unless m/^flag(.+)$/; push @f, $1; } @f; # return value } Perl untainting Injection Rejection

  8. A simple exploit $ curl ’http://example.com/cgi-bin/example.pl? flag303)%3B%20truncate%20table%20users%3B%20--=1’ Attacker’s payload Injection Rejection

  9. Real-Life Applications Injection Rejection

  10. “I hope you’ve learned to sanitize your database inputs.” • Don’t enumerate badness. • Precompiled code. Always. • Perl tainting: you still have to think. • LINQ has possibilities. • Parameterize your SQL. Injection Rejection

  11. Parameterized SQL WRONG my $sh = db->prepare("insert into foo set name=$name, company=$company"); $sh->execute(); my $sh = db->prepare('insert into foo set name=?, company=?'); $sh->execute($name, $company); Injection Rejection

  12. Injection’s not just for SQL I 01/06/2009 02:47 PM 20,104 CVSInstall.pdf 08/17/2008 07:41 PM 67 cweb.html 11/06/2006 02:56 AM 413,696 CWIMS.mdb 05/01/2008 01:35 PM 5,632 cwsl.dll 09/22/2007 07:07 PM 4,537 day.txt 04/14/2009 08:06 AM 5 dbappend(),fieldput('user','catfood') dbappend(),fieldput('user','catfood') Injection Rejection

  13. Injection’s not just for SQL II $command = "nslookup -type=ptr $inputdomain"; system($command); I saw this in production code… actually straight C. But still. Injection Rejection

  14. Making your project not suck! • Don’t hoard code. • Don’t optimize yet. • Review code constantly. • Let unit tests drive development. • Still don’t optimize yet. Injection Rejection

  15. A few good URLs • 6 dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/ • SQL Injection basics: http://www.sitepoint.com/article/sql-injection-attacks-safe • Parameterized SQL basics: http://www.codinghorror.com/blog/archives/000275.html Injection Rejection

  16. This is me.I make projects not suck. http://imakeyourprojectnotsuck.com Injection Rejection

  17. Get these slides http://criticalresults.com/notacon6 Injection Rejection

  18. Next! Here! Super Jason Scott Presentation 64 Injection Rejection

More Related