SQLi Injection attacks & mitigation

evandentremont

May 27, 2015

Transcript

  1. SQL Injection
    Practical attacks and mitigation

  2. Obligatory XKCD
    SELECT * FROM `Students` WHERE name = ('Robert'); DROP TABLE Students;--');

  3. It’s about breaking out of the data context, and into the query context
    - Troy Hunt troyhunt.com
    What is SQL Injection (SQLi)?

  4. What is SQL Injection (SQLi)?
    ● SQL injection is a code injection technique.
    ● It is used to attack data-driven applications.
    ● Malicious data is used to modify the resulting SQL
    statements.
    http://example.com/?post=1
    SELECT * FROM `posts` WHERE post_id = 1;

  5. What is SQL Injection (SQLi)?
    ● SQL injection is a code injection technique.
    ● It is used to attack data-driven applications.
    ● Malicious data is used to modify the resulting SQL
    statements.
    http://example.com/?post=1;DROP TABLE posts; --
    SELECT * FROM `posts` WHERE post_id = 1;DROP TABLE posts; -- ;

  6. SQLi isn't a new problem; it was first discussed publicly in 1997.

  7. My first experiences with SQLi
    Data-driven websites used to break
    all the time.
    INSERT INTO `users` (fname, lname) VALUES ('evan', 'd'Entremont');
    ERROR: SYNTAX ERROR NEAR , 'd'Entremont'
    Make a habit of testing your forms with
    "Miles O'Brien"

  8. Real World Attacks

  9. Real World Attacks
    Data breaches have become a statistical
    certainty and SQLi attacks are low hanging
    fruit.
    It’s a well understood attack vector that is
    relatively easy to mitigate.
    Let's walk through some SQLi attacks.

  10. Symbolic sacrifice to the demo gods
    No goats were slain during the preparation of this talk

  11. Guess.com (2002)
    ● In February 2002, Jeremiah Jacks discovered that Guess.com was
    vulnerable to an SQL injection attack, permitting anyone able to construct
    a properly-crafted URL to pull down 200,000+ names, credit card
    numbers and expiration dates in the site's customer database.
    https://web.archive.org/web/20000229100810/http://www.guess.com/
    Notable for being one of the first major credit card breaches online.

  12. Microsoft.co.uk (2007)
    ● On June 29, 2007, a computer criminal defaced the Microsoft UK website
    using SQL injection. UK website The Register quoted a
    Microsoft spokesperson acknowledging the problem.
    ● "A hacker managed a rare feat Wednesday, successfully attacking a Web
    page within Microsoft's U.K. domain and replacing the page with several
    graphics related to Saudi Arabia."
    ● http://www.cgisecurity.com/2007/06/hacker-defaces.html
    ● https://web.archive.org/web/20070713141102/http://www.microsoft.com
    /en/gb/default.aspx
    Notable for being such a gigantic company; point was to deface via a table.
    Demo defacing a site.

  13. Istanbul City Government (2013)
    ● On June 27, 2013, hacker group "RedHack"

    ● Redhack (Kızıl Hackerlar, Kızıl Hackerlar Birliği) is a Turkish
    Marxist–Leninist computer hacker group which was founded in 1997.
    Get their Twitter background

    ● breached Istanbul Administration Site. They claimed that they've been
    able to erase people's debts to water, gas, Internet, electricity, and
    telephone companies. Additionally, they published admin user name and
    password for other citizens to log in and clear their debts early morning.
    They announced the news from Twitter.
    ● https://web.archive.org/web/20130611014453/http://www.ioi.gov.tr/
    ● http://en.wikipedia.org/wiki/RedHack
    ● https://twitter.com/RedHack_EN/statuses/350461821456613376
    ● Implement this site:
    https://pbs.twimg.com/media/BN0Qj_3CMAEgC9c.jpg:large

  14. Mitigation
    How can we prevent SQLi vulnerabilities?

  15. SELECT * FROM `registrations` WHERE plate = ' 'OR 1=1;--'
    Never Trust User Input

  16. Any data a user controls is an attack vector.
    Obvious
    ● Name
    ● Username
    ● Phone Number
    ● Password
    Never Trust User Input

  17. Any data a user controls is an attack vector.
    Less Obvious
    ● Referrer
    ● User Agent
    ● Charset
    ● Host
    Never Trust User Input

  18. Patch and update software

  19. Many SQLi holes come from third party
    software.
    Most attacks on WordPress aren't against the
    WordPress core; they're against third party
    plugins.
    Patch and update software

  20. Use Appropriate Privileges

  21. Not all code needs access to all data.
    Separation of permissions can limit the
    damage an attacker can do.
    Use Appropriate Privileges

  22. If your public facing WordPress site shares a
    DB with your internal data…
    Then your data is screwed*
    *Yes, that’s the technical term.
    Use Appropriate Privileges
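An added Python/sqlite3 example, not from the deck: the vulnerable post lookup from slides 4 and 5 is fed the slide's DROP TABLE payload twice, once over a normal connection and once over a connection that can only read. SQLite has no per-user grants, so a read-only URI connection (mode=ro) stands in for a database account without DROP rights; the database and its single post are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def create_site_db(path):
    # Constructed stand-in for the site's database: one public posts table.
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE posts (post_id INTEGER, body TEXT)")
    con.execute("INSERT INTO posts VALUES (1, 'first post')")
    con.commit()
    con.close()


def show_post(con, post_param):
    # The vulnerable lookup from the "What is SQLi?" slides: ?post=... lands in
    # the statement as-is. executescript() runs the stacked statements the way
    # a driver that allows several statements per query would.
    con.executescript("SELECT * FROM posts WHERE post_id = " + post_param)


def posts_table_exists(path):
    con = sqlite3.connect(path)
    sql = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='posts'"
    count = con.execute(sql).fetchone()[0]
    con.close()
    return count == 1


def posts_survive_injection(read_only):
    # Runs the slide's payload over a read-write or a read-only connection
    # (mode=ro stands in for a DB account without DROP rights, an assumption)
    # and reports whether the posts table is still there afterwards.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        create_site_db(path)
        uri = Path(path).as_uri() + ("?mode=ro" if read_only else "?mode=rw")
        con = sqlite3.connect(uri, uri=True)
        try:
            # The trailing "--" from the slide is left off; it changes nothing.
            show_post(con, "1;DROP TABLE posts;")
        except sqlite3.OperationalError:
            pass  # read-only: "attempt to write a readonly database"
        finally:
            con.close()
        return posts_table_exists(path)
    finally:
        os.remove(path)
```

With the read-write connection the table is gone afterwards; with the read-only one the injected DROP is refused and the posts survive, which is the whole point of separating permissions.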

  23. Don’t Divulge Unnecessary Info

  24. Don’t Divulge Unnecessary Info

  25. Reduce Your Attack Surface

  26. Reduce Your Attack Surface

  27. If all else fails...

  28. The Thermonuclear Approach: Hexing
    Hexing effectively separates the data layer
    from the query layer. Marginally less efficient,
    but guaranteed to be safe from SQLi.
    <?php
    $query = "SELECT * FROM posts
    WHERE postid=UNHEX('" . bin2hex(";DROP TABLE posts;-- ") . "')";
    ?>
    SELECT * FROM posts
    WHERE postid=UNHEX('3b44524f50205441424c4520706f7374733b2d2d20');
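An added example, not from the deck, in Python with sqlite3: the string-concatenated lookup from slides 4, 5 and 15 and the Miles O'Brien check from slide 7, beside the hexing approach on this slide. SQLite has no UNHEX(), so the hexed value is passed as an X'…' blob literal cast to TEXT (the equivalent construct); the table and names are constructed.

```python
import sqlite3

# Constructed sample table for the demo; the plates and owners are made up.
REGISTRATIONS = [("ABC123", "Miles O'Brien"), ("XYZ789", "Evan d'Entremont")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE registrations (plate TEXT, owner TEXT)")
    con.executemany("INSERT INTO registrations VALUES (?, ?)", REGISTRATIONS)
    return con


def lookup_concat(con, owner):
    # Vulnerable: the user's string is pasted into the query text, so a quote
    # in it ends the data context and the rest is parsed as query (slides 4-5).
    sql = "SELECT plate FROM registrations WHERE owner = '" + owner + "'"
    return [row[0] for row in con.execute(sql)]


def hex_literal(value):
    # Hexing: every input byte becomes two hex digits, so the literal can only
    # ever contain [0-9a-f] and cannot close the quote. SQLite has no UNHEX();
    # X'..' cast to TEXT is taken as the equivalent of UNHEX('..') (assumption).
    return "CAST(X'" + value.encode("utf-8").hex() + "' AS TEXT)"


def lookup_hexed(con, owner):
    # Same query shape as lookup_concat, but the value travels as hex.
    sql = "SELECT plate FROM registrations WHERE owner = " + hex_literal(owner)
    return [row[0] for row in con.execute(sql)]


def passes_miles_obrien_test(con, lookup):
    # The habit from slide 7: run a name with an apostrophe through the form
    # and check that the query still works and still finds the right row.
    try:
        return lookup(con, "Miles O'Brien") == ["ABC123"]
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    con = make_db()
    print(hex_literal(";DROP TABLE posts;-- "))         # hex from the slide
    print(passes_miles_obrien_test(con, lookup_concat))  # False: syntax error
    print(passes_miles_obrien_test(con, lookup_hexed))   # True
    print(lookup_concat(con, "' OR 1=1 --"))             # every plate (slide 15)
    print(lookup_hexed(con, "' OR 1=1 --"))              # [] : treated as data
```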

  29. If you take one thing away from this...
    Never trust user input.

  30. Questions
    No; SQLi can’t melt steel beams.
    It can however significantly weaken them.
    Email / XMPP: [email protected]
