web attacks - sql injections

Question 1

what is sql

Answer 1

standard language for interacting with databases, very common with web applications

Question 2

what is it used for in web applications

Answer 2

authentications : DB users and passwords
common password: data storage

Question 3

how is it used in desktops and server apps

Answer 3

Email clients/servers
Photo applications, media servers
Custom database clients
Application data caches

Question 4

what is network injections

Answer 4

usually considered the bigger risk
can be accessed by unknown users
network is a gateway crossing physical boundaries
risk in priviledged servers

Question 5

what is local injections

Answer 5

local users can only deny access to themselves
desktop apps run as plain users , putting own data at risks
however:
drive by exloits attack locally growing concerns due to insider threats

Question 6

Typical Setting for Attacks

Answer 6

1) presentation tier
2)logic tier
3) storage

Question 7

what happens in the presentation tier

Answer 7

get victim

renders the html that is given from the logic tier

Question 8

what happens in the logic tier

Answer 8

load compile and execute index.asp
sends html from the storage after the data is return from the storage

Question 9

what happens in the storage tier

Answer 9

exeutes sql and returns data

Question 10

what does this code accomplish?

$username = $HTTP_POST_VARS [ ’username ’ ];
$password = $HTTP_POST_VARS [ ’ passwd ’ ];
$query = “ SELECT * FROM logintable WHERE user = ’”
. $username . “ ’ AND pass = ’” . $password . “ ’ “;
…
$result = mysql_query ( $query ) ;
if (! $results )
die_bad_login () ;

Answer 10

this guarantees login!

Question 11

write sql code that guarntees login
▶ User name: bob’ OR user<>’bob’
▶ Password: foo OR pass<>’foo’

Answer 11

SELECT * FROM logintable WHERE user = ’ bob ’ or user < > ’ bob ’ AND pass = ’ foo ’ OR pass < > ’ foo ’

Question 12

what is an in - band fix

Answer 12

filtering

Question 13

what does in-band fix :filtering do?

Answer 13

use filtering to escape black listed characters
php and mysql have functions to help do this

Question 14

what is an out-band fix

Answer 14

Prepared statements

Question 15

what does out-band fix:Prepared statements do?

Answer 15

uses a prepared query with parameters
parameters are safe substitued in sql statements

Question 16

what is an alterative fix from filtering and prepared statements

Answer 16

ORM and LINQ

Question 17

what is ORM used for?

Answer 17

Use Object-Relational Mapping (ORM) for structured DB access

Question 18

what does orm stand for

Answer 18

Object-Relational Mapping

Question 19

what is LINQ used for

Answer 19

Use LINQ in .NET to interact with databases safely

Question 20

what is a more general out of band solution besides from prepared statements

Answer 20

A more general ”out-of-band” solution is to use embedded programming language support for
databases

Question 21

what should we examine when trying to classify sql injections

Answer 21

▶ Route – where injection happens
▶ Motive — what it aims to achieve
▶ SQL code — the form of SQL injected

Question 22

name the different types of injection routes

Answer 22

▶ User input e.g., web forms via HTTP GET or POST
▶ Cookies used by web apps to build queries
▶ Server variables logged by web apps (e.g., HTTP headers)
▶ Second-order injections where the injection is separated from attack

Question 23

give me examples of a primary motive

Answer 23

▶ Extracting data
▶ Adding or modifying data
▶ Mounting a denial-of-service attack
▶ Bypassing authentication
▶ Executing arbitrary commands

Question 24

give me examples of an auxiliary motive

Answer 24

finding injectable parameters
finding database schema
database server fingerprinting
escalating priviledge at a database level

Question 25

forma of sql modes injected

Answer 25

tautologies illegal or incorrect queries union query piggybacked queries inference pairs stored procedures or other dbms features the injection may use alternate encodings to try to defeat sanitization routines that don’t interpret them (e.g., char(120) instead of x)

Question 26

what is a tautology

Answer 26

inject code into condition statements so they always evaluate to true

Question 27

give example of tautology query

Answer 27

SELECT accounts FROM users WHERE login = ’ ’ or 1=1 -- AND pin =

Question 28

why is blacklisting tautologies difficult

Answer 28

▶ Many ways of writing them: 1>0, ’x’ LIKE ’x’, etc. ▶ Quasi tautologies: very often true RAND()>0.01

Question 29

what does an illegal/ incorrect query do

Answer 29

causes a run-time error , hopping to learn information from error response

Question 30

give example of incorrect / illegal query

Answer 30

SELECT accounts FROM users WHERE login = ’ ’ AND pin = convert ( int ,( select top 1 name from sysobjects where xtype = ’u ’)

Question 31

explain how illegal/incorrect query works

Answer 31

▶ Assumes MS SQL Server ▶ sysobjects is a server table of metadata ▶ Attempts to find first user table ▶ Converts name into an integer → Runtime error

Question 32

what is a sysobject

Answer 32

server table of metadata

Question 33

what does his error tell the attacker: Microsoft OLE DB Provider for SQL Server (Ox80040E07) Error converting nvarchar value ’CreditCards’ to a column of data type int

Answer 33

▶ MS SQL Server is running ▶ The first user-defined table is called CreditCards

Question 34

what is a union query

Answer 34

injecting a second query using UNION

Question 35

give example of union query

Answer 35

SELECT accounts FROM users WHERE login = ’ ’ UNION SELECT cardNo from CreditCards where acctNo =10032 -- AND pin =

Question 36

what is the effect of this union query? SELECT accounts FROM users WHERE login = ’ ’ UNION SELECT cardNo from CreditCards where acctNo =10032 -- AND pin =

Answer 36

▶ Suppose there are no tuples with login=’’ ▶ May reveal cardNo for account 10032

Question 37

give example of piggyback query

Answer 37

SELECT accounts FROM users WHERE login = ‘ doe ‘; drop table users -- ‘ AND pin

Question 38

explain what this piggyback query does? SELECT accounts FROM users WHERE login = ‘ doe ‘; drop table users -- ‘ AND pin

Answer 38

▶ Database parses second command after ; ▶ Executes second query, deleting users table ▶ Some servers don’t require the ; character!

Question 39

what is an inference pair

Answer 39

even if error reponse is not visible we can gather information by observing the subtle differences between outputs.

Question 40

what are the two techniques for inference pairs

Answer 40

blind injection timing attack With unlimited access, these techniques allow automated differential analysis

Question 41

what is a blind injection

Answer 41

it exploites visible differences in responses

Question 42

what is a timing attack

Answer 42

it exploits differences in response time based on boolean conditions (e.g using WAITFOR)

Question 43

how to use blind injection to discover if login parameter in injectable

Answer 43

Step 1: Always true login = ’ legalUser ’ and 1=1 -- ’ Step 2: Always false login = ’ legalUser ’ and 1=0 -- ’

Question 44

what is a stored procedure

Answer 44

custom sub routines that provide support for additional operations

Question 45

what is a risk of stored procedure

Answer 45

if improperly sanitised , it can allows sql injectios insie the stored procedure

Question 46

why are out of band fixes preferred

Answer 46

they reduce risk of sql injections

Question 47

how to repair an sqli vunerability

Answer 47

Filtering to sanitize inputs ▶ Prepared queries (aka parameterized queries) Both methods are server-side, so it is better to use database driver libraries to abstract away from the underlying DBMS

Question 48

what is dangerous about the xp cmdshell provided by mmicrodoft sql

Answer 48

allows execution of os commands Mitigation: ▶ Since SQL Server 2005, this is disabled by default. ▶ But DB administrators can re-enable it. ▶ Worse, an attacker with SQLi access might be able to enable it Lesson: Access control and passwords are critical inside the database!

Question 49

How Do I Prevent SQLi Vulnerabilities BEFORE DEPLOYMENT

Answer 49

using programming languages, objrct relation mapping manual code review or automatic static analysis

Question 50

How Do I Prevent SQLi Vulnerabilities DURING TESTING OR DEPLOYMENT

Answer 50

pen testing tool instrumented code

Question 51

How Do I Prevent SQLi Vulnerabilities AFTER TESTING OR DEPLOYMENT

Answer 51

wait untill after code, manually investigate use dynamic remediation plus alarms (app firewall or speciaised techniques)

Question 52

what is the idea behind Static Prevention: Automated Analysis

Answer 52

use static code analysis to warn programmers or prohibit or fix vunerable code

Question 53

what are the techniques used for Static Prevention: Automated Analysis

Answer 53

Detect suspicious code patterns, e.g., dynamic query construction Use static taint analysis to detect data-flows from input parameters to queries

Question 54

What is th use of AMNESIA in static analysis

Answer 54

use static analysis pre processing to create a sdynamic detection tool

Question 55

how to use amnesia in static analysis?

Answer 55

1. Find SQL query-generation points in code 2. Build SQL-query model as NDFA which models SQL grammar, transition labels are tokens 3. Instrument application to call runtime monitor 4. If monitor detects violation of state machine, triggers error, preventing SQL query

Question 56

what is an sql injection

Answer 56

attack that detects exploits securoty vulnerbaility in application software

Question 57

Dynamic Prevention: SQLrand

Answer 57

Use instruction set randomization to change language dynamically to use opcodes/keywords that attackers can’t easily guess

Question 58

describe State Machine for SQL Production

Answer 58

Variable β: Matches any string in SQL grammar ▶ Spots violation in injectable parameters ▶ Aborts query if model not in accepting state