
SQL Injection

Presented By Satyaki De On April, 2011

Me (Satyaki De)

- 7+ years of experience
- Application Developer / Team Leader
- C, Pro*C
- Oracle 8i/9i/10g/11g
- Oracle Forms
- SAP BusinessObjects
- Prelytis
- Unix/AIX shell
- Training
- Community contributor (OTN)


Agenda
- Basics of SQL injection
- Types of SQL injection attacks, with demo
- SQL injection avoidance guidelines, with demo


SQL injection is a code injection technique that exploits security loopholes in the database layer of an application. These loopholes are present when user input is
- incorrectly filtered for string inputs (escape characters) embedded in SQL statements, or
- not strongly typed,
and is thereby unexpectedly executed as part of the statement.

It is an instance of a more general class of threats that can occur whenever one programming or scripting language is embedded inside another.

SQL injection attacks are also known as SQL insertion attacks.


History Of SQL Injection


Biggest SQL Injection Attacks

- 130 million credit card numbers compromised
- SQL injection was used to fetch data from the credit card servers
- The attacker was sentenced to 20 years in March 2010
- It cost the company, Heartland, $12.6 million

Other Major Attacks

- April 2008: thousands of Social Security numbers leaked from the Oklahoma Department of Corrections
- August 2008: SQL injection on Microsoft IIS & SQL Server hits 50,000 web pages
- December 2009: using SQL injection, Facebook game maker RockYou! exposed 32 million plaintext user names & passwords

Data Breach Investigation Report


Verizon Business RISK Team, 2009
When hackers are required to work to gain access, SQL injection appears to be the uncontested technique of choice.

In 2008, this type of attack ranked second in prevalence (utilized in 16 breaches) and first in the amount of records compromised (79 percent of the aggregate 285 million).

Ref: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf


SQL Injection Demo


The demo covers two cases:
1. User-supplied column comparison value
2. User-supplied table name


User Supplied Column Comparison Value


set serveroutput on
create or replace procedure log_in(
    pv_mail      emp.email%type default null,
    pv_last_name emp.last_name%type default null
) is
    buff   varchar2(1000);
    v_mail emp.email%type;
begin
    -- dynamic SQL built by string concatenation: the user input becomes part of the statement text
    buff := 'select email from emp where email = '''||pv_mail||''' and last_name = '''||pv_last_name||'''';
    dbms_output.put_line('Statement Execute: '||buff);
    execute immediate buff into v_mail;
    dbms_output.put_line('Successful Login.....');
exception
    when others then
        raise_application_error(-20001,'Failed Login.....');
end;
/

buff contains a SQL-injectable string built from user input.

Test Using Valid Value


set serveroutput on

exec log_in('satyaki.de@in.com','DE');
Statement Execute: select email from emp where email = 'satyaki.de@in.com' and last_name = 'DE'
Successful Login.....
PL/SQL procedure successfully completed.


Test Using Invalid Value


set serveroutput on

exec log_in('satyaki.de@in.com','abcd efg');

Statement Execute: select email from emp where email = 'satyaki.de@in.com' and last_name = 'abcd efg'
BEGIN log_in('satyaki.de@in.com', 'abcd efg'); END;

*
ERROR at line 1:
ORA-20000: Failed Login..
ORA-06512: at SCOTT.log_in, line 23
ORA-06512: at line 1

N.B.: As expected, the above Procedure failed.


Test Using Injected Value


set serveroutput on

exec log_in(''' or 1=1 and rownum = 1 --','abracadabra');

Statement Execute: select email from emp where email = '' or 1=1 and rownum = 1 --' and last_name = 'abracadabra'
Successful Login.....
PL/SQL procedure successfully completed.

Here the injected string is parsed as an additional condition: the OR branch 1=1 and rownum = 1 is satisfied by the first row regardless of the email value, and the -- turns the rest of the WHERE clause into a comment.

N.B.: SQL injection is successful. Check the statement as interpreted by the Oracle compiler.


Let's closely observe

Initial dynamic string:
    buff := 'select email from emp where email = '''||pv_mail||''' and last_name = '''||pv_last_name||'''';

Extracting the static statement from buff:
    select email from emp where email = pv_mail and last_name = pv_last_name;


Let's closely observe

Substitute with normal input:
    select email from emp where email = 'satyaki.de@in.com' and last_name = 'de';

Substitute with injected input:
    select email from emp where email = '' or 1=1 and rownum = 1 --' and last_name = 'abracadabra'

N.B.: SQL injection is successful because the user has trickily changed the WHERE clause: the OR branch matches the first row whatever the email is, and the -- comment discards the last_name check entirely.


User Supplied Table Name


set serveroutput on
create or replace procedure fetch_col_info(
    pv_col varchar2,
    pv_tab varchar2
) is
    type arr is varray(200) of varchar2(40);
    cell_val arr;
    buff     varchar2(1000);
begin
    -- column and table names are concatenated straight into the statement text
    buff := 'select '||pv_col||' from '||pv_tab;
    dbms_output.put_line('Executed SQL :: '||buff);
    execute immediate buff bulk collect into cell_val;
    for i in 1..cell_val.count loop
        dbms_output.put_line(cell_val(i));
    end loop;
end;
/

buff contains a SQL-injectable string built from user input.


Test Using Valid Value


set serveroutput on

exec fetch_col_info('email','emp');
Executed SQL :: select email from emp;
satyaki.de@in.com
arijit.bardhan@gmail.com
pranab.paul@aol.in
sagar.ghosh@yahoo.com
promit.chowdhury@rediffmail.com
banku.mondal@hotmail.com
PL/SQL procedure successfully completed.


Test Using Invalid Value


set serveroutput on

exec fetch_col_info('email','hr_detail');
Executed SQL :: select email from hr_detail;
BEGIN fetch_col_info('email','hr_detail'); END;

*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at SCOTT.fetch_col_info, line 11
ORA-06512: at line 1

N.B.: As expected, the above Procedure failed.


Test Using Injected Value


set serveroutput on

exec fetch_col_info('email','emp where 1=2 union all select username from all_users --');
Executed SQL :: select email from emp where 1=2 union all select username from all_users --
APEX_PUBLIC_USER
BI
CTXSYS
DBSNMP
HR
FIN
ORDERS
PM
SCOTT
SH
SYS
PL/SQL procedure successfully completed.

Here the injected string is parsed as part of the statement after the FROM clause: the table name is followed by a WHERE condition and a UNION ALL that appends a second query of the user's choosing.

N.B.: SQL injection is successful. Check the statement as interpreted by the Oracle compiler.


Let's closely observe

    select email from emp where 1=2 union all select username from all_users

- The first block, select email from emp where 1=2, contributes nothing to the final output because the 1=2 condition always fails.
- union all appends the result of the second block, which the user supplied trickily.
- The second block, select username from all_users, returns sensitive information.

N.B.: SQL injection is successful because the user has trickily replaced the tail of the statement with their own WHERE clause and UNION.
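Identifiers such as column and table names cannot be passed as bind variables, so the defence for this second case is to validate them before they are concatenated. The procedure below is an added example, not code from the deck: it rewrites fetch_col_info around Oracle's DBMS_ASSERT package (SIMPLE_SQL_NAME rejects anything that is not a plain identifier, ENQUOTE_NAME double-quotes the result) and, as a second gate, checks USER_TAB_COLUMNS so that only a real column of a real table in the caller's schema can be queried. The name fetch_col_info_safe is my choice; the table and column names are the deck's.

```sql
set serveroutput on
create or replace procedure fetch_col_info_safe(
    pv_col varchar2,
    pv_tab varchar2
) is
    -- nested table instead of varray(200): no hard cap on the number of rows
    type arr is table of varchar2(4000);
    cell_val arr;
    v_col    varchar2(128);
    v_tab    varchar2(128);
    v_exists pls_integer;
    buff     varchar2(1000);
begin
    -- 1. Shape check. Identifiers cannot be bound, so assert that each one is a
    --    plain SQL name. Input such as 'emp where 1=2 union all ...' raises
    --    ORA-44003 (invalid SQL name) here and never reaches EXECUTE IMMEDIATE.
    v_col := dbms_assert.simple_sql_name(pv_col);
    v_tab := dbms_assert.simple_sql_name(pv_tab);

    -- 2. Whitelist check. The column must exist on that table in this schema,
    --    which also blocks well-formed names of objects the caller should not see.
    select count(*)
      into v_exists
      from user_tab_columns
     where table_name  = upper(v_tab)
       and column_name = upper(v_col);
    if v_exists = 0 then
        raise_application_error(-20002, 'Unknown column or table: '
                                        || v_tab || '.' || v_col);
    end if;

    -- 3. Quote the validated identifiers so Oracle uses them verbatim.
    buff := 'select ' || dbms_assert.enquote_name(v_col)
         || ' from '  || dbms_assert.enquote_name(v_tab);
    dbms_output.put_line('Executed SQL :: ' || buff);
    execute immediate buff bulk collect into cell_val;
    for i in 1 .. cell_val.count loop
        dbms_output.put_line(cell_val(i));
    end loop;
end;
/

-- the valid call from the demo behaves as before; the injected one is rejected at step 1
exec fetch_col_info_safe('email', 'emp')
exec fetch_col_info_safe('email', 'emp where 1=2 union all select username from all_users --')
```

The whitelist query compares upper-cased names, so it covers the normal unquoted identifiers used in the deck; if your schema has case-sensitive (double-quoted, lower-case) names, adjust that comparison rather than dropping it. Keeping both gates matters: SIMPLE_SQL_NAME alone would happily accept the name of any other table the caller knows about.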


Types Of SQL Injection Attacks


It can be of three types:
1. First order attack
2. Second order attack
3. Lateral injection


First Order Attack


The attacker simply enters a malicious string that acts as a modified condition when interpreted by the Oracle compiler; sensitive information is thereby passed to unauthorized users. Typical forms:
- UNIONs added to an existing statement to execute the injected statement.
- A sub-query added to an existing statement.
- Short-circuit evaluation using an OR condition, which can bring back sensitive data.


Second Order Attack


The attacker injects into persistent storage, such as a table row, that is later deemed a trusted source. The attack is subsequently executed by another activity. The attacker can retrieve information based on the short-circuit code using an OR clause, as in

    select sal from emp_payroll where username = 'XXX' OR username = 'ARIJIT'

- If the user XXX does not exist, the sal of ARIJIT can still be retrieved by the attacker.
- An attacker can create a malicious database API, such as a function or procedure containing SQL injection code like 1=1 --, and exploit DB security later.


Lateral Injection


Using lateral SQL injection, an attacker can exploit a PL/SQL procedure that does not even take user input. When a variable whose data type is DATE or NUMBER is concatenated into the text of a SQL statement, then, contrary to popular belief, there is still a risk of injection. The implicit TO_CHAR() conversion can be manipulated through NLS_Date_Format or NLS_Numeric_Characters, respectively. One can include arbitrary text in the format model; it does not need to contain any of the structured elements such as Mon, hh24, and so on. Here is the normal use of that flexibility.


Let's closely observe

SCOTT> SET SERVEROUTPUT ON
SCOTT> ALTER session SET NLS_Date_Format = '"The time is"... hh24:mi'
  2  /
Session altered.

SCOTT> SELECT TO_CHAR(SYSDATE) d FROM Dual
  2  /
D
-------------------
The time is... 19:49

SCOTT> DECLARE
  2    d DATE := TO_DATE('The time is... 23:15');
  3  BEGIN
  4    -- Implicit To_Char()
  5    DBMS_OUTPUT.PUT_LINE(d);
  6  END;
  7  /
The time is... 23:15
PL/SQL procedure successfully completed.
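A defender's counterpart to the session above. This is an added example, not code from the deck; it assumes the SCOTT demo schema's EMP table with its HIREDATE column (the slides only show EMAIL and LAST_NAME), and the procedure names are mine. The first procedure shows the risky pattern the text describes, a DATE concatenated into the statement so that the implicit TO_CHAR, and therefore the session's NLS_DATE_FORMAT, decides what text lands in the SQL. The other three keep the NLS settings out of the statement entirely.

```sql
set serveroutput on

-- Risky form: the DATE parameter is concatenated into the statement text.
-- The implicit TO_CHAR(pv_since) follows the session's NLS_DATE_FORMAT, so the
-- text that lands inside the SQL is controlled by whoever can ALTER SESSION,
-- not by this procedure (this is the lateral-injection surface).
create or replace procedure count_hires_concat(pv_since date) is
    v_sql varchar2(1000);
    v_cnt number;
begin
    v_sql := 'select count(*) from emp where hiredate >= ''' || pv_since || '''';
    dbms_output.put_line('Statement Execute: ' || v_sql);
    execute immediate v_sql into v_cnt;
    dbms_output.put_line('Hires: ' || v_cnt);
end;
/

-- Safe form 1: keep the statement static. PL/SQL binds pv_since itself and
-- no character conversion of the date ever happens.
create or replace procedure count_hires_static(pv_since date) is
    v_cnt number;
begin
    select count(*) into v_cnt from emp where hiredate >= pv_since;
    dbms_output.put_line('Hires: ' || v_cnt);
end;
/

-- Safe form 2: dynamic SQL is unavoidable, so pass the DATE as a bind
-- variable. The value travels as a DATE, so NLS settings never touch the text.
create or replace procedure count_hires_bind(pv_since date) is
    v_cnt number;
begin
    execute immediate 'select count(*) from emp where hiredate >= :since'
        into v_cnt using pv_since;
    dbms_output.put_line('Hires: ' || v_cnt);
end;
/

-- Safe form 3: if a date really must appear as text, fix the format model on
-- both sides explicitly. 'YYYY-MM-DD' can only ever produce digits and dashes,
-- whatever NLS_DATE_FORMAT says.
create or replace procedure count_hires_explicit(pv_since date) is
    v_sql varchar2(1000);
    v_cnt number;
begin
    v_sql := 'select count(*) from emp where hiredate >= to_date('''
          || to_char(pv_since, 'YYYY-MM-DD') || ''', ''YYYY-MM-DD'')';
    dbms_output.put_line('Statement Execute: ' || v_sql);
    execute immediate v_sql into v_cnt;
    dbms_output.put_line('Hires: ' || v_cnt);
end;
/

exec count_hires_static(date '1981-01-01')
exec count_hires_bind(date '1981-01-01')
exec count_hires_explicit(date '1981-01-01')
```

The same reasoning applies to NUMBER parameters and NLS_NUMERIC_CHARACTERS: bind the value, or convert it with an explicit format model, rather than letting an implicit TO_CHAR decide. Prefer the static form whenever the shape of the statement is fixed; the bind form is for the cases where the statement genuinely has to be assembled at run time.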


Reducing SQL Attacks


There are four guidelines:
1. Use of proper invoker's rights
2. Strengthen DB security
3. Avoid using dynamic SQL
4. Use of bind variables


Use Of Proper Invokers Right


SQL> conn / as sysdba
Connected.

SQL> set serveroutput on
SQL> create or replace procedure alter_passwd(
         pv_usernm varchar2 default NULL,
         pv_pwd    varchar2 default NULL
     ) is
         v_sql varchar2(1000);
     begin
         -- user name and password are concatenated into a DDL statement
         v_sql := 'alter user '||pv_usernm||' identified by '||pv_pwd;
         execute immediate v_sql;
     end;
     /
Procedure created.

v_sql contains a SQL-injectable string built from user input.

SQL> grant execute on alter_passwd to public;
Grant succeeded.


SQL> conn scott
Enter password: ******
Connected.
SQL> set serveroutput on
SQL> exec sys.alter_passwd('sys','oracle');
PL/SQL procedure successfully completed.
SQL>

N.B.: The attack is successful: SCOTT has changed SYS's password. alter_passwd is owned by SYS and by default executes with SYS's privileges (definer's rights), so the ALTER USER runs as SYS no matter who calls it.


Let's execute with invoker's rights

SQL> conn / as sysdba
Connected.

SQL> set serveroutput on
SQL> create or replace procedure alter_passwd(
         pv_usernm varchar2 default NULL,
         pv_pwd    varchar2 default NULL
     ) authid current_user is
         v_sql varchar2(1000);
     begin
         -- authid current_user: the statement now runs with the caller's privileges
         v_sql := 'alter user '||pv_usernm||' identified by '||pv_pwd;
         execute immediate v_sql;
     end;
     /
Procedure created.


SQL> conn scott
Enter password: ******
Connected.
SQL> set serveroutput on
SQL> exec sys.alter_passwd('sys','oracle');
BEGIN sys.alter_passwd('sys','oracle'); END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.ALTER_PASSWD", line 10
ORA-06512: at line 1

N.B.: The attack is unsuccessful: SCOTT is now unable to alter SYS's password from its own account, because the procedure executes with SCOTT's privileges.


SQL> conn scott
Enter password: ******
Connected.

SQL> set serveroutput on
SQL> exec sys.alter_passwd('scott','oracle');
PL/SQL procedure successfully completed.

SQL> exec sys.alter_passwd('scott','oracle quota unlimited on users');
BEGIN sys.alter_passwd('sys','oracle quota unlimited on users'); END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.ALTER_PASSWD", line 10
ORA-06512: at line 1

N.B.: The injection is unsuccessful thanks to proper invoker's rights, though SCOTT can still alter its own password. Appending a quota clause to the password fails as well, because that ALTER USER needs a privilege SCOTT does not hold; invoker's rights limit the damage to whatever the caller could already do.


Strengthen DB Security


Security Guidelines
- Encrypt sensitive data so that it cannot be viewed in the clear.
- Evaluate all PUBLIC privileges and revoke them where possible.
- Do not grant EXECUTE ANY PROCEDURE widely.
- Avoid granting privileges WITH ADMIN OPTION.
- Ensure that application users are granted minimum privileges by default; make privileges configurable if necessary.
- Carefully monitor Oracle directory objects.
- Run the database listener as a non-privileged user.
- Ensure that password management is active.
- Lock & expire the default user accounts and change the default user passwords.
- Do not allow wide access to any standard Oracle packages that can operate on the OS: UTL_HTTP, UTL_SMTP, UTL_TCP, DBMS_PIPE, UTL_MAIL & UTL_FTP.
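The list above is a checklist; the queries below, added here and not part of the deck, are one way to check the items that can be read straight from the data dictionary. They need a DBA-level account and use the standard DBA_* views. The account list in the fourth query is taken from the ALL_USERS output in the earlier demo and should be replaced by the default accounts actually present in your database.

```sql
-- 1. PUBLIC grants on the packages that can reach the operating system.
select grantee, owner, table_name, privilege
  from dba_tab_privs
 where grantee = 'PUBLIC'
   and table_name in ('UTL_HTTP','UTL_SMTP','UTL_TCP','DBMS_PIPE','UTL_MAIL','UTL_FTP')
 order by table_name;

-- 2. Who can execute ANY procedure.
select grantee
  from dba_sys_privs
 where privilege = 'EXECUTE ANY PROCEDURE'
 order by grantee;

-- 3. System privileges and roles handed out WITH ADMIN OPTION.
select grantee, privilege as priv_or_role, 'SYS PRIV' as kind
  from dba_sys_privs
 where admin_option = 'YES'
union all
select grantee, granted_role, 'ROLE'
  from dba_role_privs
 where admin_option = 'YES'
 order by 1, 2;

-- 4. Default / sample accounts still open (names taken from the ALL_USERS
--    output in the demo; substitute the defaults present in your database).
select username, account_status
  from dba_users
 where account_status = 'OPEN'
   and username in ('APEX_PUBLIC_USER','BI','CTXSYS','DBSNMP','HR','PM','SCOTT','SH')
 order by username;

-- 5. Password management: open accounts whose profile sets no verify function.
--    DBA_PROFILES stores the literal word NULL; a limit of DEFAULT inherits from
--    the DEFAULT profile, so check that profile's row as well.
select u.username, u.profile, p.limit
  from dba_users u
  join dba_profiles p on p.profile = u.profile
 where p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
   and p.limit = 'NULL'
   and u.account_status = 'OPEN'
 order by u.username;

-- 6. Directory objects and every grant on them.
select d.directory_name, d.directory_path, t.grantee, t.privilege
  from dba_directories d
  left join dba_tab_privs t on t.table_name = d.directory_name
 order by d.directory_name, t.grantee;
```

Items that do not live in the data dictionary, such as the OS account the listener runs under, have to be checked on the host. Re-running these queries after patching or after application deployments catches grants that have quietly come back.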


Avoid Using Dynamic SQL


Use Of Static SQL
There are two common situations in which developers reach for dynamic SQL although static SQL serves the purpose and is more secure:
- handling a variable number of input arguments in the query condition;
- handling the LIKE comparison operator in the query condition.


Let's closely observe

Static SQL Using Variable Input Arguments

select deptno, loc from dept where LOC in ('DALLAS','CHICAGO');

DEPTNO LOC
------ -----------------
    10 DALLAS
    20 CHICAGO

select deptno, loc from dept where LOC in ('DALLAS','CHICAGO','NEW YORK');

DEPTNO LOC
------ -----------------
    10 DALLAS
    20 CHICAGO
    30 NEW YORK

N.B.: Here we have to pass different sets of arguments to the SQL. Generally, application programmers tend to build a more generic, dynamic PL/SQL solution.


Let's closely observe

Static SQL Using Variable Input Arguments - Alternatives

with tt as (
    select '&p_str' as src from dual
),
csv_splitter as (
    select k.*
    from (
        select regexp_substr(src,'[^,]+',1,level) cooked_src
        from tt
        connect by level <= (length(src) - length(replace(src,',',''))) + 1
    ) k
)
select * from dept
where trim(LOC) in ( select trim(cooked_src) from csv_splitter );


Let's closely observe

Static SQL Using Variable Input Arguments - Alternatives

/
Enter value for p_str: DALLAS, CHICAGO

DEPTNO LOC
------ -----------------
    10 DALLAS
    20 CHICAGO

/
Enter value for p_str: DALLAS, CHICAGO, NEW YORK

DEPTNO LOC
------ -----------------
    10 DALLAS
    20 CHICAGO
    30 NEW YORK

N.B.: As you can see, there is no need to write a generic or dynamic PL/SQL solution that may be subject to SQL injection later.


Let's closely observe

Static SQL Using the LIKE Operator - Alternatives

1) v_sql := 'select empno, ename from emp where ename like ''%'||pv_ename||'%''';

2) v_match_str := '%'||pv_ename||'%';
   select empno, ename from emp where ename like v_match_str;

N.B.: Step 1) This piece of code is subject to SQL injection. Step 2) Immune to SQL injection, because pv_ename only ever becomes part of a pattern value, never part of the statement text.
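One caveat on the &p_str version shown earlier: the ampersand is a SQL*Plus substitution variable, which is spliced into the statement text before parsing, so it is fine for an interactive demo but is not the form to use inside an application. The procedures below are an added example, not code from the deck; they put both static-SQL techniques (the CSV-to-IN-list split and the LIKE pattern held in a variable) into PL/SQL, where pv_locs and pv_ename are ordinary parameters that Oracle binds automatically. They assume the SCOTT demo schema's DEPT and EMP tables and Oracle 11g for REGEXP_COUNT; the procedure names are mine.

```sql
set serveroutput on

-- Variable number of IN-list arguments: the caller passes one comma-separated
-- string and the static statement splits it itself. pv_locs is a PL/SQL
-- variable, so it is bound; its contents are never parsed as SQL.
create or replace procedure dept_by_locs(pv_locs varchar2) is
begin
    for r in (
        select deptno, loc
          from dept
         where trim(loc) in (
                   select trim(regexp_substr(pv_locs, '[^,]+', 1, level))
                     from dual
                  connect by level <= regexp_count(pv_locs, ',') + 1 )
         order by deptno )
    loop
        dbms_output.put_line(r.deptno || ' ' || r.loc);
    end loop;
end;
/

-- LIKE comparison: the pattern is built in a variable and compared with LIKE.
-- A hostile pv_ename is just an odd pattern that matches nothing, never extra SQL.
create or replace procedure emp_like(pv_ename varchar2) is
    v_match_str varchar2(200);
begin
    v_match_str := '%' || pv_ename || '%';
    for r in ( select empno, ename
                 from emp
                where ename like v_match_str
                order by empno )
    loop
        dbms_output.put_line(r.empno || ' ' || r.ename);
    end loop;
end;
/

exec dept_by_locs('DALLAS, CHICAGO')
exec dept_by_locs('DALLAS, CHICAGO, NEW YORK')
exec emp_like('SMITH')
-- the quote and the OR below are compared as characters of the pattern, nothing more
exec emp_like('%'' or 1=1')
```

Two practical notes: an empty or all-comma pv_locs yields an IN-list containing only NULL and therefore no rows, which is the safe outcome; and if a literal % or _ typed by the user must not behave as a wildcard, add an ESCAPE clause to the LIKE rather than trying to strip the characters.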


Use Of Bind Variables


Bind Variable

1) v_sql := 'select empno, ename from emp where ename = '''||pv_ename||'''';

2) v_sql := 'select empno, ename from emp where ename = :1';
   execute immediate v_sql using pv_ename;

With the USING clause the user's input is received as a bind variable: the statement is parsed first with :1 as a placeholder, and the value is supplied afterwards as pure data, so it can never alter the SQL text.

N.B.: Step 1) This piece of code is subject to SQL injection. Step 2) Immune to SQL injection.
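The log_in procedure from the first demo, rewritten around step 2 above. This is an added example, not code from the deck; it keeps the same EMP columns and the same test inputs as the demo, and the name log_in_bind is mine.

```sql
set serveroutput on
create or replace procedure log_in_bind(
    pv_mail      emp.email%type default null,
    pv_last_name emp.last_name%type default null
) is
    buff   varchar2(1000);
    v_mail emp.email%type;
begin
    -- The statement text is a constant with two placeholders. It is parsed
    -- before any user data is seen, so the data cannot change its shape.
    buff := 'select email from emp where email = :mail and last_name = :lname';
    dbms_output.put_line('Statement Execute: ' || buff);

    -- USING supplies the values at execution time. The demo's injected input
    -- ' or 1=1 and rownum = 1 -- is now compared, character by character, with
    -- the EMAIL column, finds no row, and raises NO_DATA_FOUND.
    execute immediate buff into v_mail using pv_mail, pv_last_name;
    dbms_output.put_line('Successful Login.....');
exception
    when no_data_found then
        raise_application_error(-20001, 'Failed Login.....');
    -- other errors (for example TOO_MANY_ROWS on duplicate accounts) are left
    -- to propagate rather than being masked by a WHEN OTHERS handler
end;
/

-- same calls as in the demo: the first succeeds, the second now fails with ORA-20001
exec log_in_bind('satyaki.de@in.com', 'DE')
exec log_in_bind(''' or 1=1 and rownum = 1 --', 'abracadabra')
```

Because the statement text never changes between calls, Oracle also reuses the parsed cursor instead of hard-parsing a new statement per user, so the bind form is cheaper as well as safer. If the statement shape is fixed, as it is here, a plain static SELECT ... INTO with pv_mail and pv_last_name in the WHERE clause gives the same protection with no EXECUTE IMMEDIATE at all.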


Summary

- Basics of SQL injection
- Types of SQL injection
- Use of dynamic PL/SQL is prone to SQL injection
- Use of static SQL is less prone
- Use of bind variables is a good option
- Database privileges should always be kept under close watch


- Thank You -

