
SQLrand : Preventing SQL Injection Attacks


Presentation Transcript


  1. SQLrand: Preventing SQL Injection Attacks Riji Jacob, MS Student in Computer Science; Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affairs

  2. Introduction • Many Web applications on the Internet employ database-driven content (e.g., Yahoo, Amazon). • The interactive nature of web applications that use database services makes them vulnerable to SQL injection attacks. • Web applications receive user input via form fields and then pass that input on as database requests.

  3. Importance of Database Security • A transaction may consist of a user name, password and information that has large monetary value. • A national security and privacy matter, e.g. social security numbers in the U.S. • SQL injection attacks are widespread and Web applications are vulnerable to SQL Injection Attacks (SQLIAs). • A study by Gartner Group of over 300 Internet Web sites showed that most of them could be vulnerable to SQLIAs. • SQLIA examples: Travelocity, FTD.com, and Guess Inc.

  4. SQL Injection Attack (SQLIA) • SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. • Data provided by the user is NOT validated and is included in an SQL query in such a way that part of the user's input is treated as SQL code.

  5. SQLIA TYPES • Tautologies • Illegal/Logically Incorrect Queries • Union Query • Piggy-Backed Queries • Stored Procedures • Inference • Alternate Encodings

  6. Tautologies • Attack Intent: Bypassing authentication, identifying injectable parameters, extracting data. • The general goal of a tautology-based attack is to inject code in one or more conditional statements so that they always evaluate to true. • An attacker exploits an injectable field that is used in a query's WHERE conditional: SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=

  7. Illegal/Logically Incorrect Queries • Attack Intent: Identifying injectable parameters, performing database finger-printing, extracting data. • Description: This attack lets an attacker gather important information about the type and structure of the back-end database of a Web application. SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert (int,(select top 1 name from sysobjects where xtype='u'))

  8. Union Query • Attack Intent: Bypassing authentication, extracting data. • Description: In union-query attacks, an attacker exploits a vulnerable parameter to change the data set returned for a given query. SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass='' AND pin=

  9. Piggy-Backed Queries • Attack Intent: Extracting data, adding or modifying data, performing denial of service, executing remote commands. • Description: In this attack type, an attacker tries to inject additional queries into the original query. Vulnerability to this type of attack often depends on a database configuration that allows multiple statements to be contained in a single string. SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123

  10. Stored Procedures • Attack Intent: Performing privilege escalation, performing denial of service, executing remote commands. • Description: SQLIAs of this type try to execute stored procedures. • An attacker first determines which backend database is in use. The procedure below builds its query by concatenating its parameters, so it is injectable: CREATE PROCEDURE DBO.isAuthenticated @userName varchar2, @pass varchar2, @pin int AS EXEC("SELECT accounts FROM users WHERE login='" +@userName+ "' and pass='" +@pass+ "' and pin=" +@pin); GO

  11. Inference • Attack Intent: Identifying injectable parameters, extracting data, determining database schema. • Description: The query is modified to recast it in the form of an action that is executed based on the answer to a true/false question about data values in the database. • Attackers are generally trying to attack a site that has been secured enough so that, when an injection has succeeded, there is no usable feedback via database error messages. SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ' AND pass='' AND pin=0

  12. Alternate Encodings • Attack Intent: Evading detection. • Description: In this attack, the injected text is modified so as to avoid detection by defensive coding practices and also many automated prevention techniques. SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass='' AND pin= • This attack type is used in conjunction with other attacks.

  13. SQLrand: Preventing SQL Injection Attacks • Apply instruction-set randomization to SQL. • Creates instances of the language that are unpredictable to the attacker. • Queries injected by the attacker will be caught by the database parser. • An intermediary proxy translates the random SQL to its standard language. • The mechanism imposes negligible performance overhead on query processing and can be easily retrofitted to existing systems.

  14. SQLrand and System Architecture

  15. Example The mechanism provides a tool that reads SQL statement(s) and rewrites all keywords with the random key appended. select gender, avg(age) from cs101.students where dept = %d group by gender The utility will identify the six keywords in the example query and append the key to each one (e.g., when the key is "123"): select123 gender, avg123 (age) from123 cs101.students where123 dept = %d group123 by123 gender

  16. Implementation • Built a proxy server that sits between the client (web server) and the SQL server, de-randomizes requests received from the client, and conveys the query to the server. • If an SQL injection attack has occurred, the proxy's parser will fail to recognize the randomized query and will reject it. • The implementation focused on CGI scripts as the query generators; a similar approach applies when using JDBC.
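The randomizer of slide 15 and the de-randomizing proxy of slide 16, as an added Python example (not the SQLrand implementation, which used a modified SQL parser in C). The keyword list and the string-literal/identifier tokenizer are simplifications assumed here, and `login_query` stands in for a CGI script that builds the slide-6 query by string substitution.

```python
import re

# Toy keyword vocabulary (an assumption; SQLrand's proxy used a full SQL
# grammar). It covers the keywords in the page's example queries.
KEYWORDS = {"select", "from", "where", "group", "by", "avg", "and", "or",
            "union", "drop", "table", "exec", "waitfor", "top"}
# Tokens: single-quoted string literal (with '' escape) or identifier/keyword.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*")

def randomize(template, key):
    """Slide-15 utility: append the key to every keyword in a developer-written
    template (select -> select123). String literals are left untouched."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith("'") or tok.lower() not in KEYWORDS:
            return tok
        return tok + key
    return TOKEN_RE.sub(repl, template)

class RejectedQuery(Exception): pass  # the proxy refuses to forward the query

def derandomize(query, key):
    """Slide-16 proxy step: strip the key from randomized keywords and reject
    any bare keyword outside a string literal, which only untrusted input
    can have produced since the template had all keywords rewritten."""
    klen = len(key)
    def repl(m):
        tok = m.group(0)
        if tok.startswith("'"):
            return tok
        low = tok.lower()
        if low.endswith(key.lower()) and low[:-klen] in KEYWORDS:
            return tok[:-klen]
        if low in KEYWORDS:
            raise RejectedQuery(f"unrandomized keyword {tok!r}")
        return tok
    return TOKEN_RE.sub(repl, query)

def login_query(login, pw, key="123"):
    """Build the slide-6 login query the way a CGI script would (plain string
    substitution, no escaping) and pass the result through the proxy."""
    template = "SELECT accounts FROM users WHERE login='%s' AND pass='%s'"
    return derandomize(randomize(template, key) % (login, pw), key)

if __name__ == "__main__":
    print(login_query("doe", "secret"))
    try:
        login_query("' or 1=1 --", "")  # tautology from slide 6
    except RejectedQuery as e:
        print("proxy rejected:", e)
```

A legitimate value such as a user named `select` passes, because it stays inside a string literal; the tautology is refused because its `or` reaches the proxy without the key.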

  17. THANK YOU
