
Vidya Pratisthans College of Engineering, Baramati

A Seminar on SQL INJECTION

Presented by MANJIRI JACHAK TEIT


Under the guidance of Mr. YOGESH KHALATE

TOPICS
1. WHAT IS SQL?
2. WHAT IS SQL INJECTION?
3. HOW COMMON IS IT? & ITS VULNERABLE APPLICATIONS
4. SQL INJECTION SCANNER
5. SQL INJECTION CHARACTERS
6. EVASION TECHNIQUES
7. DEFENDING AGAINST SQL INJECTION
8. CODE VERIFICATION
9. CONCLUSION
10. REFERENCES

What is SQL?
- SQL stands for Structured Query Language
- Allows us to access a database
- ANSI and ISO standard computer language
- The most current standard is SQL99
- SQL can:
  - insert new records in a database
  - execute queries against a database
  - delete records from a database
  - retrieve data from a database
  - update records in a database

SQL is a Standard - but...
- There are many different versions of the SQL language
- They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others)
- Most SQL database programs also have their own proprietary extensions in addition to the SQL standard!

SQL injection

What is SQL Injection?
- The ability to inject SQL commands into the database engine through an existing application


How common is it?
- It is probably the most common website vulnerability today!
- It is a flaw in "web application" development; it is not a DB or web server problem
- Most programmers are still not aware of this problem
- A lot of the tutorials & demo templates are vulnerable
- Even worse, a lot of solutions posted on the Internet are not good enough
- In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection


Vulnerable Applications
Almost all SQL databases and programming languages are potentially vulnerable:
- MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
- Perl and CGI scripts that access databases
- ASP, JSP, PHP
- XML, XSL and XSQL
- Javascript
- VB, MFC, and other ODBC-based tools and APIs
- DB-specific web-based applications and APIs
- Reports and DB applications
- 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
- many more


SQL INJECTION SCANNER


SQL injection scanner
- SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations.
- It takes place due to improper coding.
- It allows SQL statements to pass through and query the database directly.

Why is it possible to pass SQL queries directly to a database that is hidden behind a firewall and any other security mechanism?
- SQL is, in fact, the only way that a web application (and its users) can interact with the database.
- The web application is hard coded with specific SQL queries.
- If any input field of the web application is not properly sanitised, a hacker may inject additional SQL commands that broaden the range of SQL commands that the web application will execute, thus going beyond the original intended design and function.
- A hacker will thus have a clear channel of communication.

System Architectural Design
The System Architectural Design is as shown in the figure. It contains three important modules:
1. Spidering
2. Initial Analysis
3. Input Fuzzing

Mechanics of SQL Injection Scanner
- The scanner processes the URL of a starting page for the web application and tries to find all pages that are part of that application. This process is called spidering.
- The completed spidering process leads to a list of pages that are going to be analyzed. The scanner tries to identify the input vectors of the pages, such as forms, request parameters and cookies.
- Finally, every input vector of every page is bombarded with a variety of attack patterns, often referred to as input fuzzing, and the resulting pages are scanned for indications of vulnerability.

How does SQL Injection work?
Common vulnerable login query:
SELECT * FROM users WHERE login = 'victor' AND password = '123'
(If it returns something, then login!)
ASP/MS SQL Server login syntax:
var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";


Injecting through Strings
formusr = ' or 1=1
formpwd = anything
Final query would look like this (the column is login, as in the query on the previous slide):
SELECT * FROM users WHERE login = '' or 1=1 AND password = 'anything'


SQL Injection Characters
' or "                    string indicators
-- or #                   single-line comment
/**/                      multiple-line comment
+                         addition, concatenate (or space in URL)
||                        (double pipe) concatenate
%                         wildcard attribute indicator
?Param1=foo&Param2=bar    URL parameters
PRINT                     useful as non-transactional command
@variable                 local variable
@@variable                global variable
waitfor delay '0:0:10'    time delay

EVASION TECHNIQUES



Evasion Techniques
- Input validation circumvention and signature evasion techniques are very similar
- Snort-based detection of SQL Injection is partially possible but relies on "signatures"
- Signatures can be evaded easily


Signature Evasions
Evading the ' OR 1=1 signature:
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' IN ('whatever')
' OR 2 BETWEEN 1 AND 3


Input validation
Some people use the PHP addslashes() function to escape characters:
- single quote (')
- double quote (")
- backslash (\)
- NUL (the NULL byte)
This can be easily evaded by using replacements for any of the previous characters in a numeric field.

DEFENDING AGAINST SQL INJECTION



SQL Injection Defense
1. It is quite simple: input validation
2. The real challenge is making best practices consistent through all your code
   - Enforce "strong design" in new applications
   - You should audit your existing websites and source code
3. Even if you have an air-tight design, harden your servers


1. Input Validation
- Define data types for each field
- Implement stringent "allow only good" filters
  - If the input is supposed to be numeric, use a numeric variable in your script to store it
- Reject bad input rather than attempting to escape or modify it
- Implement stringent "known bad" filters
  - For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
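Added example, not from the seminar slides: a typed allow-list validator following the Input Validation slide (data type per field, numeric input stored as a number, bad input rejected rather than escaped, the slide's "known bad" list on top), with a Python mimic of PHP addslashes() to show the numeric-field gap from the earlier Input validation slide. Field names, rules and form contents are constructed for the example.

```python
import re

# Constructed field rules (not from the slides): a typed allow-list per field.
FIELD_RULES = {
    "user_id": {"type": "int", "min": 1, "max": 10**9},
    "login":   {"type": "pattern", "regex": re.compile(r"[A-Za-z0-9_.]{1,32}")},
    "sort":    {"type": "enum", "allowed": {"name", "date"}},
}
# The slide's "known bad" list, applied on top of the allow-list for text
# fields. Substring matching also rejects harmless words ("updated"), the
# usual cost of a block-list, which is why the allow-list does the real work.
KNOWN_BAD = ("select", "insert", "update", "shutdown", "delete", "drop", "--", "'")


def validate_field(name, raw):
    """Return the typed value for one field, or raise ValueError.
    Bad input is rejected outright, never escaped or modified."""
    rule = FIELD_RULES[name]
    if rule["type"] == "int":
        try:
            value = int(raw)       # numeric input lives in a numeric variable
        except ValueError:
            raise ValueError(f"{name}: not an integer") from None
        if not rule["min"] <= value <= rule["max"]:
            raise ValueError(f"{name}: out of range")
        return value
    if rule["type"] == "enum":
        if raw not in rule["allowed"]:
            raise ValueError(f"{name}: not an allowed value")
        return raw
    if any(bad in raw.lower() for bad in KNOWN_BAD):
        raise ValueError(f"{name}: contains a blocked token")
    if not rule["regex"].fullmatch(raw):
        raise ValueError(f"{name}: does not match the allowed pattern")
    return raw


def validate_form(form):
    """Validate every field; return (typed values, rejection reasons)."""
    values, errors = {}, []
    for name, raw in form.items():
        try:
            values[name] = validate_field(name, raw)
        except ValueError as exc:
            errors.append(str(exc))
    return values, errors


def addslashes(s):
    """Mimic of PHP addslashes(): escapes only ' " \\ and NUL. On a numeric
    field it changes nothing, which is the evasion the slide describes."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


# Constructed inputs: one clean form, one carrying the slide's payloads.
GOOD_FORM = {"user_id": "42", "login": "victor", "sort": "date"}
BAD_FORM = {"user_id": "42 or 1=1", "login": "' or 1=1", "sort": "name;"}
```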


2. Strong Design
- Define an easy "secure" path to querying data
  - Use stored procedures for interacting with the database
  - Call stored procedures through a parameterized API
- Validate all input through generic routines
- Use the principle of "least privilege"
  - Define several roles, one for each kind of query


3. Harden the Server
1. Run the DB as a low-privilege user account
2. Remove unused stored procedures and functionality, or restrict access to administrators
3. Change permissions and remove "public" access to system objects
4. Audit password strength for all user accounts
5. Remove pre-authenticated linked servers
6. Remove unused network protocols
7. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server)

CODE VERIFICATION



Code verification at two stages
How do you ensure your development staff do not make any mistakes?
1. Audit: review the source code of the program (a programmer's point of view)
2. Assess: conduct a penetration test on the program (a hacker's point of view)


1. Source Code Auditing
The simplest way to do a source code audit is probably by using the editor's search function. For example, to check if a Java program is vulnerable to SQL injection attack, we could search for execute(), prepareStatement() and prepareCall(), and then back-trace the formation of their corresponding input query string to see if it contains unchecked/unescaped user input.
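Added example, not from the seminar slides: a small audit helper that automates the search-and-back-trace step above over a constructed Java snippet. It looks for the call sites the slide names (plus executeQuery and executeUpdate from the same JDBC Statement interface), follows a String variable one assignment back, and flags any query built with + concatenation; the Java source, variable names and verdict labels are all assumptions of this example.

```python
import re

# Constructed Java snippet (not from the slides): one concatenated query
# reaching executeQuery, and three call sites that take a literal.
JAVA_SOURCE = """\
String q = "SELECT * FROM users WHERE login = '" + formusr + "'";
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(q);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE login = ?");
ps.setString(1, formusr);
CallableStatement cs = conn.prepareCall("{call get_user(?)}");
st.execute("SELECT 1");
"""

# The entry points the slide says to search for, plus executeQuery and
# executeUpdate, which the same JDBC Statement interface exposes.
SINK_CALL = re.compile(
    r"\b(execute(?:Query|Update)?|prepareStatement|prepareCall)\s*\((.*)\)\s*;")
ASSIGN = re.compile(r"\bString\s+(\w+)\s*=\s*(.+?);\s*$")


def audit_sql_sinks(source):
    """Return (line_no, method, verdict) for each sink call found.
    'unsafe': the argument, or the String variable it names, is built with
    '+' concatenation; 'literal': a plain string constant;
    'review': anything else, to be back-traced by hand."""
    definitions, findings = {}, []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            definitions[m.group(1)] = m.group(2).strip()
        for call in SINK_CALL.finditer(line):
            method, arg = call.group(1), call.group(2).strip()
            expr = definitions.get(arg, arg)   # one-step back-trace of a variable
            if "+" in expr:
                verdict = "unsafe"
            elif re.fullmatch(r'"[^"]*"', expr):
                verdict = "literal"
            else:
                verdict = "review"
            findings.append((no, method, verdict))
    return findings


if __name__ == "__main__":
    for line_no, method, verdict in audit_sql_sinks(JAVA_SOURCE):
        print(f"line {line_no}: {method}() -> {verdict}")
```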


2. Assessing the web application
- Hack (assess) your own web application
- Can be done manually or automatically
- Manually assess the web application by inputting ' or 1=1 -- or 1 union .., and check whether the web application's behaviour is affected by these unexpected inputs.

Conclusion
- SQL Injection is a fascinating and dangerous vulnerability
- All programming languages and all SQL databases are potentially vulnerable
- Protecting against it requires:
  - strong design
  - correct input validation
  - hardening

THANK YOU!!


REFERENCES
1. http://www.securityfocus.com/infocus/1768
2. http://www.extropia.com/tutorials/sql/toc.html
3. http://www.google.com/sqlinjection
4. http://www.owasp.org
5. http://www.sqlsecurity.com

Questions ?

