SQL Injection (CPSC620)
Sanjay Tibile, Vinay Deore
Agenda
- Database and SQL
- What is SQL Injection?
- Types
- Example of attack
- Prevention
- References
Database: A database is an organized collection of data for one or more purposes in digital form.
SQL: It is a programming language designed for managing data in relational database management systems (RDBMS).
SQL Injection: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. SQL injection is often used to attack a website by entering SQL statements in a web form to make a badly designed website dump its database content to the attacker. Many web applications take user input from a form, and often this input is used literally in the construction of a SQL query submitted to a database.
Examples:
Brute-force password guessing
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'bob@example.com' AND passwd = 'hello123';
The database isn't read-only
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members;
Adding a new member
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');
Mail me a password
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'steve@unixwiz.net' WHERE email = 'bob@example.com';
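The following is an added example, not part of the slides or of the unixwiz article they draw on. It rebuilds the members query above in two ways over an in-memory SQLite database with one constructed row: once by string concatenation (the vulnerable form the slides describe) and once with a bound parameter. It then feeds both the slides' "x'; DROP TABLE members;" input and a perfectly legitimate address containing an apostrophe, so the difference between "input becomes SQL" and "input stays data" is visible in the results. The table layout and the sample member are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example only; the single row mirrors the
# bob@example.com member used in the slides' queries.
MEMBERS = [("bob@example.com", "hello123", "bob", "Bob Example")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The slides' query built by string concatenation: whatever the user
    typed becomes part of the SQL text, so a quote ends the string literal
    and the rest is parsed as SQL."""
    sql = ("SELECT email, passwd, login_id, full_name FROM members "
           "WHERE email = '" + email + "';")
    try:
        return ("rows", conn.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Python's sqlite3 driver refuses to run a second statement in one
        # execute() call, so here the injected DROP only produces an error.
        # That is a property of this driver, not a defense: the input still
        # reached the SQL parser as code, and a legitimate apostrophe breaks
        # the query just as badly.
        return ("error", str(exc))


def lookup_safe(conn, email):
    """Same query with a bound parameter: the driver sends the value
    separately from the statement text, so it can only ever be data."""
    sql = ("SELECT email, passwd, login_id, full_name FROM members "
           "WHERE email = ?")
    return ("rows", conn.execute(sql, (email,)).fetchall())


def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_demo():
    """Run both lookups over a normal address, an address with an apostrophe
    and the slides' DROP TABLE input; return every outcome in one dict."""
    conn = make_db()
    inputs = {
        "normal": "bob@example.com",
        "apostrophe": "o'brien@example.com",
        "drop": "x'; DROP TABLE members;",
    }
    results = {}
    for label, value in inputs.items():
        results[label] = {
            "vulnerable": lookup_vulnerable(conn, value),
            "safe": lookup_safe(conn, value),
        }
    results["members_table_still_exists"] = table_exists(conn, "members")
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

The parameterized version returns an empty result set for both odd inputs and leaves the table untouched; the concatenated version turns both of them into SQL syntax, which a database that allows stacked statements would execute rather than reject.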
Types
- Incorrect type handling
- Poorly filtered strings
- White space multiplicity
- Attackers get hold of the error information
Using SQL injections, attackers can
- Add new data to the database
    - Could be embarrassing to find yourself selling some inappropriate items on your site
    - Perform an INSERT in the injected SQL
- Modify data currently in the database
    - Could be very costly to have an expensive item suddenly be deeply 'discounted'
    - Perform an UPDATE in the injected SQL
- Often gain access to other users' system capabilities by obtaining their password
Examples:
- In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.
- On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using SQL blind injection.
- In August 2011, a hacker stole user records from the Nokia Developer site using SQL injection.
- Sony PlayStation user data compromised.
Defenses
Privilege restrictions
- Restrict functions that are not necessary for the application
- Use stored procedures for database access: use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely.
More defenses
Check syntax of input for validity
- Many classes of input have fixed languages: email addresses, dates, part numbers, etc.
- Verify that the input is a valid string in the language
- Sometimes languages allow problematic characters (e.g., '*' in email addresses); you may decide to not allow these
- If you can exclude quotes and semicolons, that's good
Have length limits on input
- Many SQL injection attacks depend on entering long strings
Limit database permissions and segregate users
- Even a "successful" SQL injection attack is going to have much more limited success.
Isolate the web server
- For instance, putting the machine in a DMZ with extremely limited pinholes.
Configure database error reporting
- Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)
- Configure so that this information is never exposed to a user
If possible, use bound variables
- Some libraries allow you to bind inputs to variables inside a SQL statement
- Perl example (from http://www.unixwiz.net/techtips/sql-injection.html):
    $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
    $sth->execute($email);
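As an added example (not from the slides or the unixwiz article), the Python below implements two of the defenses on these slides: the "check syntax of input for validity" and "length limits" advice from the previous slide, with allow-list checks for the three fixed-language inputs the slides name (email addresses, dates, part numbers), and the "never expose database error information to a user" advice above, with a wrapper that logs the driver's real message server-side and returns only a generic message with a reference id. The specific patterns and length limits are assumptions chosen for the example; an application should tighten them to what it actually accepts.

```python
import datetime
import logging
import re

# Allow-list patterns for inputs that have a fixed language. These are
# assumed formats for this example: quotes, semicolons and '*' are simply
# not in the allowed alphabet, so they are rejected outright.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PART_NUMBER_RE = re.compile(r"[A-Z]{2}-[0-9]{4}")

# Length limits: most injection payloads need far more room than a real value.
MAX_EMAIL_LEN = 254        # the usual upper bound for an address
MAX_PART_NUMBER_LEN = 7    # exactly "AA-9999" under the assumed format

LOG = logging.getLogger("app.db")


def is_valid_email(value):
    """True only if the whole string is in the (assumed) email language and
    within the length limit; apostrophes and semicolons never pass."""
    return len(value) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(value) is not None


def is_valid_part_number(value):
    """True only for the assumed AA-9999 part-number format."""
    return (len(value) <= MAX_PART_NUMBER_LEN
            and PART_NUMBER_RE.fullmatch(value) is not None)


def parse_date(value):
    """Return a date for a YYYY-MM-DD string, or None if the input is not one.
    Parsing into a typed value is the strongest form of 'valid string in the
    language': the query later receives a date object, not the user's text."""
    if len(value) != 10:
        return None
    try:
        return datetime.date.fromisoformat(value)
    except ValueError:
        return None


def user_facing_error(exc, request_id):
    """Log the real database error (which may name tables and columns) on the
    server and hand the user only a generic message with a reference id."""
    LOG.error("request %s: database error: %s", request_id, exc)
    return "The request could not be processed (reference %s)." % request_id


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values and the slides' payload.
    for sample in ("bob@example.com", "x'; DROP TABLE members;", "bob*@example.com"):
        print(repr(sample), "valid email:", is_valid_email(sample))
    print("AB-1234 valid part number:", is_valid_part_number("AB-1234"))
    print("2011-03-27 parses to:", parse_date("2011-03-27"))
    print("2011-13-27 parses to:", parse_date("2011-13-27"))
    print(user_facing_error(Exception('near "brien": syntax error'), "r1"))
```

Validation of this kind is a second layer in front of bound variables, not a replacement for them: it shrinks what can reach the database and catches mistakes early, while the bound parameter is what actually keeps the value out of the SQL grammar.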
References:
- http://www.unixwiz.net/techtips/sql-injection.html
- http://msdn.microsoft.com/en-us/library/ms161953.aspx
- http://php.net/manual/en/security.database.sql-injection.php
- http://en.wikipedia.org/wiki/SQL_injection