Nick Tsamis University of Tulsa CS 7493 April 2013
Page 1:

Nick Tsamis
University of Tulsa
CS 7493
April 2013

Page 2:

What is SQL?
Why SQL matters. *yawn* What’s the big deal?
What could possibly go wrong?
• SQL Injection
• XSS
• Command Execution
*pffft* So we shouldn’t use SQL?
That’s some smart SQL!

Page 3:

Structured Query Language

Language: a specialized programming language utilized in relational databases

Query: raw data is queried to obtain information. “Our business is turning data into information.” – Michael A. Peterson

Structured: adheres to a strict, defined format

(Diagram labels: Query, Table, Column)

Page 4:

Relational Databases vs Hierarchical Databases

• Relational: data relations are stored

• Hierarchical: top-down flow only

Page 5:

Popularity
• One of the first commercial languages for relational models
• Today, exists as the de facto standard (ANSI and ISO)
• It’s EVERYWHERE

Versatility
• It’s flexible: T-SQL, MySQL, LINQ

Page 6:

Vulnerabilities
SQL is powerful… if you grant it
• Manages data, some of which is sensitive
• Provides a great entry point for access
• Security is not always implicit
• Raw SQL can be very vulnerable to simple injections

Recovering a lost password: if $EMAIL = "anything' OR 'x'='x", the quote closes the string literal and the OR condition is true for every row, so the lookup no longer selects a single account.

Page 7:

SQL Injection
Injecting unintended code into a query

Returning user name from ID (source code shown on slide)

The attack: we add a second condition that will always evaluate true (1=1). The purpose is to dump all user information.

$id = ' or 1=1 #

Resulting clause: WHERE user_id = '' or 1=1 # '";

Everything after # is a MySQL comment, so the query’s original closing quote is ignored.

Page 8:

SQL Injection
Injecting unintended code into a query

Returning SQL information

The attack(s): we add a UNION SELECT to dump additional data

$id = ' union SELECT 1, user() #
Yields the current SQL user

$id = ' and 1=1 union select database(), version() #
Yields the current SQL version and database name

Page 9:

SQL Injection
Injecting unintended code into a query

Case Study: Returning the good stuff!!

The attack(s): we add a UNION SELECT to dump password data

$id = ' union select user, password FROM users #

Yields each user and the associated password (hash)

Page 10:

XSS (Cross Site Scripting)
Execute unintended scripts inline

Throw an alert: the value is passed as a URL argument. What if we put an inline script in that URL?

Alert box shown (screenshot on slide)

Page 11:

XSS (Cross Site Scripting)
Well that wasn’t exactly l33t…

Have a cookie: <script>alert(document.cookie)</script>

Alert box shown (screenshot on slide)

More serious implications:
• Run a custom script that can open a remote connection (backdoor)
• Read and dump configuration data (SQL or OS)

Page 12:

Page 13:

Better SQL

Stored Procedures
• Preformat and secure a static query
• Grant access to a stored procedure, not the tables it accesses
• Typically increased performance
• Parameter check – data typing
• No network traffic – runs inside the engine

String Filtering/Escaping
• String escape characters: ' " \ NUL

Page 14:

Mo’ Better SQL

Parameterized SQL
• Strongly typed data is bound on execution
• Parameters are populated and checked
• User input is not directly embedded

Database Management
• Permission limitation
• Principle of Least Privilege
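The lost-password lookup from slide 6 and the parameterized fix from this slide, side by side, as an added example that is not part of the original deck. It uses Python’s sqlite3 against a constructed in-memory users table (the table, column names and rows are assumptions); the payload is the one quoted on slide 6.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the deck's "users" table (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, user TEXT, email TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", "hash-a1"),
        (2, "bob", "bob@example.com", "hash-b2"),
    ])
    return con


def lookup_vulnerable(con, email):
    # Raw SQL built by concatenation: a quote in the input closes the string
    # literal and whatever follows is parsed as part of the query.
    sql = "SELECT user, password FROM users WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, email):
    # Parameterized SQL: the driver binds the value on execution, so the input
    # is compared as data and is never parsed as SQL.
    sql = "SELECT user, password FROM users WHERE email = ?"
    return con.execute(sql, (email,)).fetchall()


def demo():
    con = make_db()
    payload = "anything' OR 'x'='x"  # the slide 6 input
    return {
        "honest_vulnerable": lookup_vulnerable(con, "bob@example.com"),
        "payload_vulnerable": lookup_vulnerable(con, payload),   # every row
        "honest_param": lookup_parameterized(con, "bob@example.com"),
        "payload_param": lookup_parameterized(con, payload),     # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns both accounts and their hashes for the payload, while the parameterized lookup returns nothing because no account has that literal e-mail address.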

Page 15:

Page 16:

Sources:

http://upload.wikimedia.org/wikipedia/commons/thumb/e/eb/Hierarchical_Model.svg/320px-Hierarchical_Model.svg.png

http://www.ibm.com/developerworks/library/x-matters8/relat.gif

http://upload.wikimedia.org/wikipedia/commons/a/aa/SQL_ANATOMY_wiki.svg

http://www.unixwiz.net/techtips/sql-injection.html

http://wikipedia.org

http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html
