Agenda - Computer Science - Department of Computer...

Date post: 27-May-2018

1/19

Agenda

- SQL injection attack review
- SQL injection defense

2/19

Watch this short video from the Ellen Show, and then answer the question below.

https://www.youtube.com/watch?v=Srh_TV_J144

Can that password minder mitigate SQL injection attacks? Why?

3/19

In early June 2016, Facebook founder Mark Zuckerberg had his Twitter, Instagram and Pinterest accounts hacked, and his password was revealed as ’Dadada’.

4/19

Let’s say Mark Zuckerberg has changed his password since that incident, and assume he is now using a very strong password. Would that make him less vulnerable to SQL injection attacks? Why?

5/19

Prevent SQL Injection Attacks

6/19

Employ comprehensive data sanitization

- Websites must filter all user input, i.e., validate it against an allowlist of what the field may legitimately contain and reject anything else.
- Email addresses should be filtered to allow only the characters allowed in an e-mail address.
- Phone numbers should be filtered to allow only the characters allowed in a phone number.

7/19

Use a web application firewall

- A popular example is the free, open source module ModSecurity, which is available for the Apache, Microsoft IIS, and nginx web servers.

- ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests.

- Its SQL injection defenses can catch most attempts to sneak SQL through web channels. A WAF is a supplementary layer, though: rule bypasses are found regularly, so it does not replace the code-level defenses on the following slides.

8/19

Limit database privileges by context

- Create multiple database user accounts, each with the minimum level of privilege for its usage environment.

- e.g., the code behind a login page should query the database using an account limited to the relevant credentials table. By analogy: Jidong, when logging into my.boisestate.edu, can only see his own salary information, not other people’s.

- This way, a breach through this channel cannot be leveraged to compromise the entire database.

9/19

Avoid constructing SQL queries with user input

- Even data sanitization routines can be flawed.
- Ideally, use SQL variable binding with prepared statements or stored procedures; this is much safer than constructing full queries from strings.
- Caveat: a stored procedure that itself builds dynamic SQL from its arguments is just as injectable as application code that does so.

10/19

Prepared Statement

- A feature used to execute the same or similar database statements repeatedly with high efficiency.

- Typically used with SQL statements such as queries or updates, the prepared statement takes the form of a template into which certain constant values are substituted during each execution.

- Widely supported by major DBMSs, including MySQL, Oracle, DB2, Microsoft SQL Server, and PostgreSQL.

- A number of programming languages support prepared statements in their standard libraries and will emulate them on the client side even if the underlying DBMS does not support them, including Java’s JDBC, Perl’s DBI, PHP’s PDO and Python’s DB-API.

11/19

Prepared Statement Typical Flow

- Prepare: The statement template is created by the application and sent to the database management system (DBMS). Certain values are left unspecified; these are called parameters, placeholders or bind variables.

- The DBMS parses, compiles, and performs query optimization on the statement template, and stores the result without executing it.

- Execute: At a later time, the application supplies (or binds) values for the parameters, and the DBMS executes the statement (possibly returning a result). The application may execute the statement as many times as it wants with different values.

12/19

Unsafe Example - Without Prepared Statements

    // The request parameter is concatenated straight into the SQL text,
    // so the database parses whatever the user sent as part of the query.
    String query = "SELECT account_balance FROM user_data WHERE user_name = "
                 + request.getParameter("customerName");

    try {
        Statement statement = connection.createStatement( . . . );
        ResultSet results = statement.executeQuery( query );
    } catch (SQLException e) {
        // handle or log the error
    }

13/19

Safe Java Prepared Statement Example

    String custname = request.getParameter("customerName");
    // The SQL text contains only a placeholder; no user data is part of it.
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";

    PreparedStatement pstmt = connection.prepareStatement( query );
    // The value is bound to the placeholder and sent separately from the query text.
    pstmt.setString( 1, custname );
    ResultSet results = pstmt.executeQuery( );

The database driver does not concatenate the user input into the SQL text. It sends the statement template to the server first, where it is parsed and compiled, and only then sends the bound value as a single parameter. Because the structure of the query is fixed before the value arrives, whatever the value contains (quotes, keywords, comment markers) is treated as the literal user name and can never become SQL syntax.
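The unsafe and safe versions above side by side, runnable offline, together with the point from slide 9 that the defense does not depend on sanitizing the value. This is an added example, not code from the original slides: it uses Python’s DB-API (named on slide 10) with the standard-library sqlite3 module instead of Java/JDBC, and the user_data table and its three rows are constructed for the example. As on the slide, the unsafe function expects the caller to supply the surrounding quotes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the slide's user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_name TEXT PRIMARY KEY, account_balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 4000)],
    )
    conn.commit()
    return conn


def balance_unsafe(conn: sqlite3.Connection, customer_name: str) -> list:
    """Same construction as the slide's unsafe Java: the request value is
    glued into the SQL text, so the database parses it as SQL. As on the
    slide, the caller is expected to supply the quotes (e.g. "'alice'")."""
    query = "SELECT account_balance FROM user_data WHERE user_name = " + customer_name
    return [row[0] for row in conn.execute(query)]


def balance_safe(conn: sqlite3.Connection, customer_name: str) -> list:
    """Same construction as the slide's PreparedStatement: the template with
    a ? placeholder is parsed first and the value is bound afterwards, so
    the value is always one string literal and cannot alter the query."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]


if __name__ == "__main__":
    conn = make_db()
    # Legitimate lookups
    print(balance_unsafe(conn, "'alice'"))    # [100]
    print(balance_safe(conn, "alice"))        # [100]
    # Hostile value: in the unsafe version the tail "OR 1=1" becomes part
    # of the WHERE clause and every balance in the table comes back
    hostile = "'alice' OR 1=1"
    print(balance_unsafe(conn, hostile))
    # The same bytes bound as a parameter are just a user name that does
    # not exist, so nothing comes back
    print(balance_safe(conn, hostile))        # []
```

Note that balance_safe never inspects or escapes the value; the quotes and the `OR` inside it are harmless because the server already finished parsing the query before it saw them.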

14/19

Eliminate unnecessary database capabilities

- especially those that escalate database privileges;
- and those that spawn command shells (e.g., xp_cmdshell on Microsoft SQL Server).

15/19

Regularly apply software patches

- SQL injection vulnerabilities are regularly identified in commercial software, so it is important to stay up to date on patching.

16/19

Suppress error messages

- These messages are an important reconnaissance tool for attackers, so keep them local if possible.

- If external messages are necessary, keep them generic.

- Error based SQL injection demo:
  https://www.youtube.com/watch?v=L4V0xZyUgFY
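The "keep it local, keep it generic" rule as a small wrapper around a query. This is an added example, not code from the original slides; the table is constructed, the in-memory log sink stands in for a server-side log file, and the wrapped query deliberately still concatenates its input so that malformed input reaches the parser and an error can be provoked (the proper fix for that part is a bound parameter, as on the previous slides).

```python
import logging
import sqlite3

log = logging.getLogger("app.db")
log.setLevel(logging.ERROR)
# Capture log records in memory so the example can show what stays on the
# server. In a deployment this would be a file or a log shipper.
SERVER_LOG: list = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        SERVER_LOG.append(self.format(record))


log.addHandler(_ListHandler())

GENERIC_ERROR = "The request could not be processed."


def make_db() -> sqlite3.Connection:
    """Constructed single-row table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.execute("INSERT INTO user_data VALUES ('alice', 100)")
    conn.commit()
    return conn


def _run(conn: sqlite3.Connection, customer_name: str) -> list:
    # Deliberately still concatenates so that malformed input reaches the
    # parser; the real fix for that is a bound parameter.
    query = "SELECT account_balance FROM user_data WHERE user_name = '" + customer_name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_verbose(conn: sqlite3.Connection, customer_name: str):
    """Hands the raw database error back to the client. The message tells
    the attacker exactly how their input was tokenized, which is the
    feedback loop error-based injection relies on."""
    try:
        return _run(conn, customer_name)
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)


def lookup_generic(conn: sqlite3.Connection, customer_name: str):
    """Logs the full error and the offending input server-side and returns
    only a fixed, generic message to the client."""
    try:
        return _run(conn, customer_name)
    except sqlite3.Error as exc:
        log.error("query failed for input %r: %s", customer_name, exc)
        return GENERIC_ERROR


if __name__ == "__main__":
    conn = make_db()
    print(lookup_generic(conn, "alice"))   # [100]
    # A lone quote leaves the string literal unterminated and the parser fails
    print(lookup_verbose(conn, "'"))       # leaks the parser's complaint
    print(lookup_generic(conn, "'"))       # generic message only
    print(SERVER_LOG)                      # the detail, kept on the server
```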

17/19

Continuously monitor SQL statements from database-connected applications

- This will help identify rogue SQL statements and vulnerabilities.

- Monitoring tools that utilize machine learning and/or behavioral analysis can be especially useful.
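A minimal version of the behavioral approach the slide mentions: reduce each statement the application issues to its shape, learn the set of shapes seen during a clean period, and flag anything that later arrives with a shape outside that set. This is an added example, not code from the original slides or any monitoring product; the two statement logs are constructed, and the fingerprinting rules (literals to `?`, whitespace and case folded) are an assumption that real tools refine considerably.

```python
import re
from collections import Counter


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: string and numeric literals become
    '?', whitespace is collapsed and keywords are case-folded. Statements
    that differ only in their data values share a fingerprint; anything
    that adds clauses, comments or extra quoting gets a new one."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)        # quoted strings
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)    # bare numbers
    return re.sub(r"\s+", " ", shape).strip().lower()


def learn_baseline(statements) -> set:
    """Fingerprints of statements observed during a known-clean period."""
    return {fingerprint(s) for s in statements}


def find_rogue(statements, baseline: set) -> list:
    """Return the statements whose shape was never seen in the baseline."""
    return [s for s in statements if fingerprint(s) not in baseline]


# Constructed sample traffic. CLEAN_PERIOD stands in for what the
# application issued while being exercised normally; LIVE_LOG for a later
# capture that includes three injected statements.
CLEAN_PERIOD = [
    "SELECT account_balance FROM user_data WHERE user_name = 'alice'",
    "SELECT account_balance FROM user_data WHERE user_name = 'bob'",
    "UPDATE user_data SET account_balance = 100 WHERE user_name = 'alice'",
]
LIVE_LOG = [
    "SELECT account_balance FROM user_data WHERE user_name = 'carol'",
    "SELECT account_balance FROM user_data WHERE user_name = 'x' OR '1'='1'",
    "UPDATE user_data SET account_balance = 4000 WHERE user_name = 'carol'",
    "SELECT account_balance FROM user_data WHERE user_name = 'x' UNION SELECT account_balance FROM user_data",
    "SELECT account_balance FROM user_data WHERE user_name = '' -- '",
]

if __name__ == "__main__":
    baseline = learn_baseline(CLEAN_PERIOD)
    for stmt in find_rogue(LIVE_LOG, baseline):
        print("ROGUE:", stmt)
    # Shape counts are useful on their own: a shape seen once in a day of
    # traffic deserves a look even when it was in the baseline.
    print(Counter(fingerprint(s) for s in LIVE_LOG))
```

An application built on prepared statements issues a small, stable set of shapes, which is what makes this kind of baseline tight; an application that concatenates strings produces a new shape for every odd input and drowns the signal.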

18/19

Hands-on Project

Log in to onyx without using any external tools (i.e., do not download any hacking tools from the Internet) and see if you can find any security issues on onyx.

19/19

References

A large portion of the material is adapted from:

- How to Prevent SQL Injection Attacks - http://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html

- SQL Injection Prevention Cheat Sheet - https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

