Slide 1

2010 Quest Software, Inc. ALL RIGHTS RESERVED Understanding and Preventing SQL Injection Attacks Kevin Kline, Technical Strategy Manager Twitter @kekline Blog at http://KevinEKline.com

Slide 2

2 Your Speaker: Kevin Kline My first bookFounding PASSMVP Status

Slide 3

3 Agenda What is SQL Injection? An Attackers Approach SQL Injection Techniques Preventing SQL Injection Security Best Practices & Tips Useful Links and Resources

Slide 4

4 Context and Background

Slide 5

5 What is SQL Injection? SQL injection occurs when a malicious user controls the criteria of SQL statements and enters values that alter the original intention of the SQL statement

Slide 6

6 Who is Vulnerable? All SQL database platforms are susceptible Bypasses firewall protections Applications that build and send SQL strings are vulnerable Coding techniques can be exploited SQL statement itself is hacked Formatting vulnerabilities

Slide 7

7 Like This Courtesy of http://xkcd.com/327/http://xkcd.com/327/

Slide 8

8 Or This Webcode string cmdStr = @"SELECT order_id, order_date, qty FROM Production.Orders WHERE customer_name LIKE '%" + SearchText.Text + "%'"; using (SqlConnection conn = new SqlConnection(connStr)) using (SqlDataAdapter sda = new SqlDataAdapter(cmdStr, conn)) { DataTable dtOrders = new DataTable(); sda.Fill(dtOrders); return dtOrders.DefaultView; }

Slide 9

9 9 Injected Values Can Range from Bad The Good search text: 'Hanso Foundation' The Curious search text: 'Widmore Industries' or 1=1 -- The Exploratory search text: ZZZ' UNION SELECT COLUMN_NAME, DATA_TYPE, TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'Address' --

Slide 10

10 To Worse The Ugly search text: ZZZ'; DROP TABLE customer_credit_card -- The REALLY UGLY search text: ZZZ'; xp_cmdshell(FTP )

Slide 11

11 Attack Methodology ReconnaissanceScan for Vulnerabilities / AccessGain AccessEscalate PrivilegesMaintain AccessCover Tracks

Slide 12

12 Attackers understand the concept of surface area use error messages to learn about the structure of the underlying SQL statements and database exploit SQL formatting characters (single quotes, comment notation (--), semi-colons, etc)

Slide 13

13 Then Attackers manipulate the SQL statements to learn about the structure of the database and data execute SQL statements at will use built-in trap doors inside of the DBMS to go to the next level Upload their own files, even replacing your own Examine the rest of your infrastructure Download data Launch malware and bots

Slide 14

14 SQL Injection Techniques Probing databases Bypassing authorization Executing multiple SQL statements Calling built-in stored procedures Exiting to the OS for command-line access Inserting code to be used by the web app

Slide 15

15 Error Type: Microsoft OLE DB Provider for SQL Server (0x80040E14) Unclosed quotation mark before the character string having 1 = 1--. /Project1/Demo.asp, line 14 Probing Databases Web apps usually return connectivity error information unless you trap the errors! Hackers can use this information and continually modify parameters to discover: Table names, column names, data types, row values

Slide 16

16 Bypassing Authorization Good Guy, passes these values - UserID: administrator Password: GoodOne SELECT * FROM users WHERE username = administrator AND password = GoodOne; Bad Guy, passes this value - UserID: OR 1=1 Password -- SELECT * FROM users WHERE username = OR 1=1 and password =

Slide 17

17 INSERT Statement Injections Good Guy INSERT INTO Authors (auName, EmailAddress) VALUES (Julian Isla, juliani@hotmail.com) Bad Guy INSER INTO Authors (auName, EmailAddress) VALUES (SELECT TOP 1 name FROM sys.sys_logins, badguy@hacker.com);badguy@hacker.com EXEC xp_regread HKEY ; Very Bad Guy, uses scripting and text/xml fields

Slide 18

18 Blind SQL Injection Good apps trap default errors and show their own. Hackers flank this with: Normal Blind: Get response data from error codes, severity levels, and HTTP status codes Totally Blind: Gather data through IFTHEN testing, response times, logging, and system functions.

Slide 19

19 Blind Example URL query string: DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450 04300...7200%20AS%20NVARCHAR(4000));EXEC(@S);-- Decoded: DECLARE @S NVARCHAR(4000); SET @S=CAST(0x440045004300...7200 AS NVARCHAR(4000)); EXEC(@S);-- SELECT CAST('this could be some bad code' as varbinary(256)) SELECT CAST (0x7468697320636F756C6420626520736F6D652062616420636F 6465 as varchar(256))

Slide 20

20 Blind Example Final SQL code being executed (hex value decoded): DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+ ']))+'' ''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Slide 21

21 SQL Injection as an Attack Vector Attackers have chosen not to go after data Targets have been legitimate web sites Plant links and redirects to malware sites Use of a blended attack (browser vulnerability) to infect the client computer Take control of client computers

Slide 22

22 Preventing SQL Injection Never let an app connect as sysadmin Least privilege principle Building secure SQL statements and apps: Input validation: check for valid input Dont check for bad input, you will always miss a case Use stored procedure to hide application logic no default error messages; no direct access to tables Use parameterized input, not string concatenation Multi layered input checking: application, stored procedure, database schema Apply the latest security patches!

Slide 23

23 Best Practices, Service Accounts SQL Server may use the local system account. Set up a specific Windows login (not Admin!) with appropriate privileges for use by the MSSQLServer system service. Add a separate Windows login (not Admin!) for SQLServerAgent system service.

Slide 24

24 Best Practices, Security Settings Enable Non-sysadmin job step proxy account on SQL Server Agent. Set security Audit Level at least to Failure. Monitor it! Make sure data and log files are on NTFS with proper ACLs applied. Restrict system stored procs and XPs to sysadmins- only Remove guest from all but master and tempdb Disable anything unneeded and unused! (e.g. SQL Browser service, unneeded network protocols) Use Windows Authentication where feasible..

Slide 25

25 Best Practices, Security Checks Check for null and bad passwords frequently Check for non-SA permissions on all system SPs and XPs Monitor failed login attempts Three free scanner utils (HP Scrawlr, URLScan, and Microsoft Source Code Analyzer for SQL Injection (http://www.sqlmag.com/Articles/ArticleID/100720/100720. html?Ad=1)http://www.sqlmag.com/Articles/ArticleID/100720/100720. html?Ad=1 Microsoft Assessment and Planning (MAP) is a great tool as well, available at http://technet.microsoft.com/en- us/library/bb977556.aspxhttp://technet.microsoft.com/en- us/library/bb977556.aspx Tip: Get Quest Discovery Wizard for free!

Slide 26

26 Best Practices, Security Practices Strong SA password at least 6 digits long with at least 2 numbers Add mixed case and symbols for more strength Use roles for provisioning, not users More work, user must be assigned to a login and role Easy to forget when user leaves Never hardcode passwords Never write apps for use by the SA account Change passwords frequently

Slide 27

27 Best Practices, Security for Developers Do Not Trust User Input Data Validation Black list vs White list Run With Least Privilege Defense in Depth Fail Intelligently Test Security Remove unused stored procedures, views, and UDFs

Slide 28

28 Best Practices, Security for Developers (contd) Use Parameterized Queries or Stored Procedures Do not use string concatenations to build SQL queries Use Views and Stored Procedures Demand security savvy third-party applications!

Slide 29

29 Resources http://www.sqlsecurity.com my favorite for broad security and tools on SQL Serverhttp://www.sqlsecurity.com Microsoft SQL Injection white paper at http://msdn.microsoft.com/en-us/library/ms161953.aspx http://msdn.microsoft.com/en-us/library/ms161953.aspx How-to: Prevent SQL Injection on ASP.Net http://msdn.microsoft.com/en-us/library/ms998271.aspx http://msdn.microsoft.com/en-us/library/ms998271.aspx SQL Injection via CAST: http://www.rtraction.com/blog/devit/sql-injection-hack-using- cast.html http://www.rtraction.com/blog/devit/sql-injection-hack-using- cast.html SQL Injection Cheat Sheet: http://ferruh.mavituna.comhttp://ferruh.mavituna.com

Slide 30

30 Quest Software Swag for SQL Server Free posters, guides, and other goodies. HTTP://www.quest.com/backstage/promotion.aspx HTTP://www.quest.com/backstage/promotion.aspx Free DVD Training: HTTP://db-management.com/liveHTTP://db-management.com/live March 2010 July 2010

Slide 31

31 Quest Software Resources for SQL Server SQLServerPedia SQL Server knowledge base, straight from the experts. HTTP://www.SQLServerPedia.com SQL Server Community Online discussion forums, customization library, and beta programs. HTTP://SQLServer.quest.com SQL Server Backstage All things SQL Server at Quest including our Pain of the Week Webcasts. HTTP://www.quest.com/BackStage

Slide 32

2010 Quest Software, Inc. ALL RIGHTS RESERVED Questions ? Send questions to me at: kevin.kline@quest.comkevin.kline@quest.com Twitter @kekline Blogs at SQLServerPedia.com, SQLblog.com, SQLMag.com, etc. Rate Me http://SpeakerRate.com/kekline/http://SpeakerRate.com/kekline/ Content at http://KevinEKline.com/Slides/http://KevinEKline.com/Slides/