190 likes | 405 Views
Code Injection. Cable Johnson. Overview Common Injection Types Developer Prevention. Code Injection. “username” stored as string constant. I nsert source code into existing application Single command Entire script Used by worms to propagate . Overview. SQL injection Web injection/XSS
E N D
Code Injection Cable Johnson
Overview • Common Injection Types • Developer Prevention Code Injection
Insert source code into existing application • Single command • Entire script • Used by worms to propagate Overview
SQL injection • Web injection/XSS • Shell injection Common Injection Types
Infiltrate database • Dump data, alter data • Done at database level • Easily Automated • Attempted constantly • Average: 71 attempts/hr • Peak: 800-1300 attempts/hr SQL Injection
SQL: database level • XSS: web level • PHP/ASP injection: server infiltration • HTML/Script injection: browser infiltration • Most common injection type today Web
Targets machine rather than db or webpage • Done at shell (command line) level • Windows and UNIX • Typically used to escalate privileges Shell Injection
Design • Input sanatization Prevention
Blacklisting • Minimize use of user input • Limit database use • Disable unnecessary database functionality • Update regularly • Attack yourself Design
Character exclusion • Signature exclusion • Prepared statements Sanitization
( ‘ ), ( \ ), ( ` ) • Require alphanumeric only • Limit string length to guard against complex queries • Easy to implement • Easily recognizable Character Exclusion
UNION SELECT • OR 1=1 • EXEC SP_ (or EXEC XP_) • False positives come with large signature sets • Easily avoidable Signature Exclusion
OR 1 = 1 • OR ‘str’ = ‘str’ • OR ‘str’ = ‘st’+’r’ • OR ‘str’ = N’str’ • OR ‘s’ IN (‘str’) • O/**/R ‘s’ < ‘z’ • Unreasonable to keep signatures for countless possible inputs Signature Weakness
Efficient method of sanatization • Also a query optimization • Build the sql statement with minimal syntax • Run partial query (“prepare”) • Fill in user input after preparation Prepared Statements
sql= “SELECT * FROM users WHERE username=$1 AND password=$2” statement = db.prepare(sql) username = input() password = input() statement.execute(username, password) Pseudo Code
Seth • Amanda • George Bad Sanatization
function checkForBadSql($sqlcode) • { • global $CONTEXT, $ERROR_TEXT; • $badSqlCode[] = 'create'; • $badSqlCode[] = 'database'; • $badSqlCode[] = 'table'; • $badSqlCode[] = 'insert'; • $badSqlCode[] = 'update'; • $badSqlCode[] = 'rename'; • $badSqlCode[] = 'replace'; • $badSqlCode[] = 'select'; • $badSqlCode[] = 'handler'; • $badSqlCode[] = 'delete'; • $badSqlCode[] = 'truncate'; • $badSqlCode[] = 'drop'; • $badSqlCode[] = 'where'; • $badSqlCode[] = 'or'; • $badSqlCode[] = 'and'; • $badSqlCode[] = 'values'; • $badSqlCode[] = 'set'; • //test if sql code is bad • if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) • { • //bad sql found -- hack attept! Abort • $ERROR_TEXT = "Invalid text was entered. Please correct."; • return 0; • } • return 1; • }
Injection requires knowledge and craftiness on attacker’s part, but very deadly • SQL: database • XSS: web • Shell: machine • Several prevention tactics, but prepared statements win Review