
SQLi Injection attacks & mitigation

May 27, 2015


  1. SQL Injection: Practical attacks and mitigation

  2. Obligatory XKCD

     SELECT * FROM `Students` WHERE name = ('Robert'); DROP TABLE Students;-- ';
  3. What is SQL Injection (SQLi)?

     "It's about breaking out of the data context, and into the query context." - Troy Hunt, troyhunt.com
  4. What is SQL Injection (SQLi)?

     • SQL injection is a code injection technique.
     • It is used to attack data-driven applications.
     • Malicious data is used to modify the resulting SQL statements.

     http://example.com/?post=1
     SELECT * FROM `posts` WHERE post_id = 1;
  5. What is SQL Injection (SQLi)?

     The same bullets, with the request's data now carrying SQL of its own:

     http://example.com/?post=1;DROP TABLE posts; --
     SELECT * FROM `posts` WHERE post_id = 1;DROP TABLE posts; -- ;

     (Whether the stacked DROP actually runs depends on the database driver: many refuse more than one statement per call. A tautology such as `post=1 OR 1=1` needs no such support and still breaks out of the data context.)
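Slides 4 and 5 in runnable form, as an added example that is not part of the original deck: Python's built-in sqlite3 stands in for the PHP/MySQL stack the slides assume, the `posts` table and its rows are constructed here, and the function names are my own. It shows the concatenated query handing an unpublished row to `1 OR 1=1`, the same query with a bound parameter treating that string as data, and why the stacked `DROP TABLE` on slide 5 depends on the driver rather than on SQL.

```python
import sqlite3

# Slide 5's payload, minus the trailing comment (not needed for the demonstration).
STACKED_PAYLOAD = "1;DROP TABLE posts;"


def make_db():
    """In-memory stand-in for the site's database; rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (post_id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO posts VALUES (1, 'Hello world', 1);
        INSERT INTO posts VALUES (2, 'Draft: unreleased numbers', 0);
        INSERT INTO posts VALUES (3, 'Second post', 1);
    """)
    return conn


def vulnerable_lookup(conn, post):
    """?post=<post> concatenated into the statement: the value can become query syntax.

    With post = "1 OR 1=1" the WHERE clause reads
        published = 1 AND post_id = 1 OR 1=1
    and AND binds tighter than OR, so every row (drafts included) comes back.
    """
    sql = "SELECT post_id, title FROM posts WHERE published = 1 AND post_id = " + post
    return conn.execute(sql).fetchall()


def safe_lookup(conn, post):
    """Same query with a bound parameter: the value stays data whatever it contains.

    "1 OR 1=1" is compared, as a string, against an integer column and matches nothing.
    """
    sql = "SELECT post_id, title FROM posts WHERE published = 1 AND post_id = ?"
    return conn.execute(sql, (post,)).fetchall()


def stacked_attempt(conn, post, multi_statement_driver=False):
    """Try slide 5's stacked payload through the vulnerable query and report the outcome.

    sqlite3's execute() rejects a second statement; executescript() runs every statement
    and here plays the part of a driver with multi-statement support switched on.
    """
    sql = "SELECT post_id, title FROM posts WHERE published = 1 AND post_id = " + post
    try:
        if multi_statement_driver:
            conn.executescript(sql)
        else:
            conn.execute(sql)
    except (sqlite3.Warning, sqlite3.Error):
        pass  # "You can only execute one statement at a time." on the single-statement path
    remaining = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'posts'"
    ).fetchone()[0]
    return "posts table intact" if remaining else "posts table dropped"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))          # the intended row
    print(vulnerable_lookup(db, "1 OR 1=1"))   # all three rows, draft included
    print(safe_lookup(db, "1 OR 1=1"))         # []
    print(stacked_attempt(make_db(), STACKED_PAYLOAD))
    print(stacked_attempt(make_db(), STACKED_PAYLOAD, multi_statement_driver=True))
```

The bound-parameter form is the standard fix: the database receives the statement and the value separately, so there is no string for the value to break out of.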
  6. SQLi isn't a new problem; it was first discussed publicly in 1998 (rain forest puppy's article in Phrack 54).
  7. My first experiences with SQLi

     Data driven websites used to break all the time.

     INSERT INTO `users` (fname, lname) VALUES ('evan', 'd'Entremont');
     ERROR: SYNTAX ERROR NEAR 'Entremont')'

     Make a habit of testing your forms with "Miles O'Brien".
  9. Real World Attacks

  10. Real World Attacks

      Data breaches have become a statistical certainty, and SQLi attacks are low-hanging fruit: a well-understood attack vector that is relatively easy to mitigate. Let's walk through some SQLi attacks.
  11. Symbolic sacrifice to the demo gods

      No goats were slain during the preparation of this talk.
  12. Guess.com (2002)

      • In February 2002, Jeremiah Jacks discovered that Guess.com was vulnerable to an SQL injection attack, permitting anyone able to construct a properly-crafted URL to pull down 200,000+ names, credit card numbers and expiration dates in the site's customer database.
      • https://web.archive.org/web/20000229100810/http://www.guess.com/

      Notable for being one of the first major credit card breaches online.
  13. Microsoft.co.uk (2007)

      • On June 29, 2007, a computer criminal defaced the Microsoft UK website using SQL injection. UK website The Register quoted a Microsoft spokesperson acknowledging the problem.
      • "A hacker managed a rare feat Wednesday, successfully attacking a Web page within Microsoft's U.K. domain and replacing the page with several graphics related to Saudi Arabia."
      • http://www.cgisecurity.com/2007/06/hacker-defaces.html
      • https://web.archive.org/web/20070713141102/http://www.microsoft.com/en/gb/default.aspx

      Notable for being such a gigantic company; the defacement was done by writing to a table the page rendered from. Demo: defacing a site.
  14. Istanbul City Government (2013)

      • On June 27, 2013, the hacker group "RedHack" breached the Istanbul Administration site. RedHack (Kızıl Hackerlar, Kızıl Hackerlar Birliği) is a Turkish Marxist–Leninist computer hacker group founded in 1997.
      • They claimed to have erased people's debts to water, gas, Internet, electricity and telephone companies. They also published an admin username and password so that other citizens could log in and clear their own debts in the early morning, and announced it on Twitter.
      • https://web.archive.org/web/20130611014453/http://www.ioi.gov.tr/
      • http://en.wikipedia.org/wiki/RedHack
      • https://twitter.com/RedHack_EN/statuses/350461821456613376

      Demo: a site modelled on their screenshot, https://pbs.twimg.com/media/BN0Qj_3CMAEgC9c.jpg:large
  15. Mitigation: How can we prevent SQLi vulnerabilities?

  16. Never Trust User Input

      SELECT * FROM `registrations` WHERE plate = '' OR 1=1;--'
  17. Never Trust User Input

      Any data a user controls is an attack vector. Obvious:
      • Name
      • Username
      • Phone Number
      • Password

  18. Never Trust User Input

      Any data a user controls is an attack vector. Less obvious:
      • Referer
      • User-Agent
      • Charset
      • Host
  19. Patch and update software

  20. Patch and update software

      Many SQLi holes come from third-party software. Most attacks on WordPress aren't against the WordPress core; they're against third-party plugins.
  21. Use Appropriate Privileges

  22. Use Appropriate Privileges

      Not all code needs access to all data. Separation of permissions can limit the damage an attacker can do.
  23. Use Appropriate Privileges

      If your public-facing WordPress site shares a DB (and a DB user) with your internal data... then your data is screwed*

      *Yes, that's the technical term.
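Slides 22 and 23 as an added example, not code from the deck: SQLite has no GRANT, so the public site's connection is given an allow-list authorizer that permits SELECT on the `posts` table and nothing else; the table names (`posts`, `payroll`), the sample rows and the function names are constructed for this example. The equivalent on MySQL or PostgreSQL is a dedicated database user for the site with SELECT granted only on the tables it renders. The point it demonstrates: with privileges cut down, an injection that still gets through can neither read the internal table nor drop the public one.

```python
import os
import sqlite3
import tempfile

# Tables the public site is allowed to read. Everything else in the file is internal.
PUBLIC_TABLES = {"posts"}


def public_site_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Allow-list authorizer for the connection the public site uses.

    SQLite calls this while compiling every statement. For SQLITE_READ, arg1 is the
    table and arg2 the column being read. Anything not listed here (INSERT, UPDATE,
    DELETE, DROP, CREATE, PRAGMA, ...) is denied and the statement fails to compile.
    """
    if action == sqlite3.SQLITE_READ:
        return sqlite3.SQLITE_OK if arg1 in PUBLIC_TABLES else sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def attempt(conn, sql, script=False):
    """Run a statement and report ("ok", rows) or ("denied", message)."""
    try:
        if script:
            conn.executescript(sql)  # multi-statement path, as a permissive driver would run it
            return ("ok", None)
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as "not authorized"
        return ("denied", str(exc))


def demo():
    """Build a shared database, then hit it through the least-privilege connection."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "site.db")

        # Full-privilege connection: schema and constructed sample data.
        admin = sqlite3.connect(path)
        admin.executescript("""
            CREATE TABLE posts (post_id INTEGER PRIMARY KEY, title TEXT);
            CREATE TABLE payroll (name TEXT, salary INTEGER);
            INSERT INTO posts VALUES (1, 'Hello world');
            INSERT INTO payroll VALUES ('Carol', 120000);
        """)

        # The connection handed to the public site: same file, far fewer rights.
        public = sqlite3.connect(path)
        public.set_authorizer(public_site_authorizer)

        results = {
            # Legitimate page query still works.
            "normal": attempt(public, "SELECT title FROM posts WHERE post_id = 1"),
            # Injected UNION reaching for the internal table is refused at compile time.
            "union": attempt(
                public,
                "SELECT title FROM posts WHERE post_id = 1 "
                "UNION SELECT name || ':' || salary FROM payroll",
            ),
            # Injected stacked DROP is refused even when the driver would run it.
            "stacked": attempt(
                public, "SELECT title FROM posts WHERE post_id = 1; DROP TABLE posts;", script=True
            ),
        }
        results["posts_still_exists"] = admin.execute(
            "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'posts'"
        ).fetchone()[0] == 1

        public.close()
        admin.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Least privilege does not replace fixing the query; it bounds what a missed one can do, which is exactly the property slide 23 is after.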
  24. Don’t Divulge Unnecessary Info

  26. Reduce Your Attack Surface

  28. If all else fails...

  30. The Thermonuclear Approach: Hexing

      Hexing effectively separates the data layer from the query layer. Marginally less efficient, but the statement never contains a user-supplied character, only hex digits, so there is nothing for the data to break out of. It only holds if every dynamic value goes through the same path; one value concatenated elsewhere in the statement reopens the hole.

      <?php
      $query = "SELECT * FROM posts WHERE postid=UNHEX('" . bin2hex(";DROP TABLE posts;-- ") . "')";
      ?>

      SELECT * FROM posts WHERE postid=UNHEX('3b44524f50205441424c4520706f7374733b2d2d20');
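Slide 16's license-plate query and slide 30's hexing together, as an added example rather than the deck's own PHP: SQLite's `X'...'` blob literal stands in for MySQL's UNHEX(), the `registrations` table and its rows are constructed, and the payload `' OR 'a'='a` is a quote-breakout variant that needs no trailing comment. It shows the quoted-in plate returning every owner, and the hexed form returning nothing for the same input, because the statement then contains only hex digits for the value.

```python
import binascii
import re
import sqlite3

# The only characters the hexed value may contribute to the statement.
HEX_ONLY = re.compile(r"\A[0-9a-f]*\Z")


def make_registry():
    """Constructed stand-in for the registrations table on slide 16."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE registrations (plate TEXT, owner TEXT);
        INSERT INTO registrations VALUES ('ABC 123', 'Alice');
        INSERT INTO registrations VALUES ('XYZ 789', 'Bob');
    """)
    return conn


def naive_lookup(conn, plate):
    """Slide 16: the plate is quoted into the statement, so a quote in the plate escapes it."""
    sql = "SELECT owner FROM registrations WHERE plate = '%s'" % plate
    return [row[0] for row in conn.execute(sql).fetchall()]


def hexed_lookup(conn, plate):
    """Slide 30's approach on SQLite: hex-encode the bytes and hand the DB a blob literal.

    CAST(X'..' AS TEXT) turns the blob back into the original UTF-8 string, the same
    role UNHEX() plays in the MySQL statement on the slide.
    """
    hexed = binascii.hexlify(plate.encode("utf-8")).decode("ascii")
    assert HEX_ONLY.match(hexed), "hexlify only ever yields [0-9a-f]"
    sql = "SELECT owner FROM registrations WHERE plate = CAST(X'%s' AS TEXT)" % hexed
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_registry()
    breakout = "' OR 'a'='a"
    print(naive_lookup(db, "ABC 123"))   # ['Alice']
    print(naive_lookup(db, breakout))    # ['Alice', 'Bob']: plate = '' OR 'a'='a'
    print(hexed_lookup(db, "ABC 123"))   # ['Alice']
    print(hexed_lookup(db, breakout))    # []: compared literally, matches no plate
```

Hexing works with any driver, including ones with no parameter binding, which is the situation the slide's "if all else fails" framing has in mind.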
  31. If you take one thing away from this... Never trust user input.
  32. Questions

      No; SQLi can't melt steel beams. It can however significantly weaken them.

      Email / XMPP: evan@evandentremont.com