
Injection

Quick overview of Injection attacks

Mike Klemarewski

November 19, 2015


Transcript

  1. Exploits the ability to send untrusted data to an interpreter
     — SQL, LDAP, XPath, or NoSQL
     — OS commands
     — XML parsers
     — SMTP headers
     — Program arguments
  2. Exploit Difficulty: Easy!
     — Attacks are usually plain-text based
     — Mike can craft them in a couple of hours for a presentation
  3. Exploit Impact: Can be devastating
     — Any stored data can potentially be leaked
     — Privilege escalation can lead to host takeover
  4. Examples
     — 2008: Heartland Payment Systems had 134 million credit cards exposed
     — 2009: Two NASA sites demonstrated to be vulnerable; the hacker was able to get credentials for 25 admin accounts
     — 2013: 71 Chinese government databases compromised in an attack on the Chinese Chamber of International Commerce
  5. SQL Injection
     — One of the top methods of stealing information and attacking systems
     — Gets around firewalls and intrusion detection systems (the malicious request looks like ordinary application traffic)
     — Can gain enough privileges to act as system admin
     — Can exploit other clients that access the database
  6. WHERE clause manipulation
     — User-provided input often ends up in the WHERE clause
     — Used for login bypass or fast testing
     — Two forms: Direct Injection (unquoted numeric parameter) or Quoted Injection (parameter inside string quotes)
  7. Direct Injection
     — Vulnerable numeric parameters
     — No string escaping needed
     Provided user input:  9999 OR 1=1
     Resulting query:      SELECT id, name, description FROM products WHERE productid=9999 OR 1=1
     Returns all products, because 1=1 is true for every row
  8. Quoted Injection
     — Vulnerability surrounded by quotes
     — Must craft the query more carefully: the payload has to close the opening quote and leave the application's trailing quote balanced
     Input:            zzzz' OR 'a'='a
     Resulting query:  SELECT id, name, description FROM products WHERE category='zzzz' OR 'a'='a'
     Returns all products
  9. Injection Using Union
     — Used in conjunction with WHERE clause manipulation
     — End the previous query, then append a new valid query with a UNION
     — Make the previous WHERE clause return false, so only the new query's data is retrieved
     — Both SELECTs must have the same number of columns (and compatible types); pad with literals such as 'a', 'b' to match the original column count
  10. Input:            zzzz' AND 'a'='b' UNION SELECT 'a', 'b', credit_card FROM payment_details WHERE '1'='1
      Resulting query:  SELECT id, name, description FROM products WHERE category='zzzz' AND 'a'='b' UNION SELECT 'a', 'b', credit_card FROM payment_details WHERE '1'='1'
      Returns one row per payment record, with the card number delivered in the description column
  11. Prevention
     — TL;DR: keep untrusted data separate from commands and queries
     — Prefer APIs that avoid the interpreter entirely, or that bind data as parameters (prepared statements / parameterized queries) so input is never part of the command text
     — If command text must be built by hand, escape special characters with the escaping routine specific to that interpreter
     — Allow-list (white-list) input validation: accept only what is expected (e.g. digits for a numeric id) and reject everything else; this is a second layer, not a replacement for parameterization
  12. FIN