Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.


Attacking Data Stores

Brad Stancel, CSCE 813 Presentation, 11/12/2012


Sources Consulted

• Stuttard, D. and Pinto, M., The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition, 2011, Wiley Publishing


Importance of Data Stores

• Almost every web app uses data stores

• Used to hold information vital to the application

• Often hold information crucial to the application logic (access control, etc.)


Important Notes about Data Stores

• Application interacts with the data store at a specified security level

• Common data stores are databases that use SQL (Structured Query Language) to query and manipulate the database

• Other non-SQL databases are becoming more popular (e.g. NoSQL)

• Some data stores specifically revolve around access control (e.g. LDAP)


Interpreted vs. Compiled Languages

• Injection attacks can happen in either type of language

• Interpreted languages make injection attacks easier (the attacker can submit code as ordinary input)

• Injection attacks against compiled languages generally use machine code


SQL Injection

• A type of code injection common in interpreted languages that use SQL data stores

• Many similarities across databases, but each vendor's database may differ slightly

• Our focus today is on MS-SQL, Oracle and MySQL data stores


Fingerprinting the Database

• Extract the version string
  o MySQL: /*!32302 and 1=0*/

• Look at concatenation of strings
  o Oracle: 'serv'||'ices'
  o MS-SQL: 'serv'+'ices'
  o MySQL: 'serv' 'ices'

• Look at how numeric data is handled
  o Oracle: BITAND(1,1)-BITAND(1,1)
  o MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
  o MySQL: CONNECTION_ID()-CONNECTION_ID()


Testing for Injection Bugs

General Algorithm:

• Supply unexpected data and syntax

• Identify any anomalies

• Observe and examine any error messages

• Systematically modify the input to confirm or disprove that a vulnerability exists

• Construct a proof-of-concept that causes a safe command to execute in a verifiable way, proving the flaw exists

• Exploit the vulnerability by leveraging functionality and knowledge of the target language and/or its components


Testing for SQL Injection Bugs

Three Main Methods:

• Injecting into String Data

• Injecting into Numeric Data

• Injecting into Query Structure


Injecting Into String Data

• String data is encapsulated in single quotation marks

• Need to break out of these quotation marks
  o ex. Wiley' OR 'a'='a

• Preliminary steps to test:
  o Submit a single quotation mark and see whether an error occurs
  o Submit two quotation marks (the escape sequence) and look for an error or odd behavior
  o Try the SQL concatenation techniques discussed earlier; if no anomalous behavior is detected, the input is possibly vulnerable


Injecting Into Numeric Data

• The query may use numbers as strings, so try the string data methods first

• Remember to encode certain characters

• Steps to test:
  o Supply a mathematical expression equivalent to the number (if the application responds the same way, it is possibly vulnerable)
  o Use more complicated expressions that use SQL keywords
  o ASCII functions are useful for testing: 67-ASCII('A') and 51-ASCII(1) both evaluate to 2
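The fingerprinting and testing slides above describe the probes a tester sends (lone quotes, doubled quotes, vendor-specific concatenation, arithmetic that should evaluate to the original number, comment sequences). Seen from the defender's side, those same probes are what a web-server log shows when someone is testing for injection. The Python below is an added example, not from the slides or the book: it decodes the query strings of a few constructed log lines (the `METHOD URL STATUS` format, the rule names and the sample requests are all assumptions) and reports which probe family each parameter value matches, while leaving a legitimate apostrophe such as O'Reilly unflagged.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample log (not from the slides): "METHOD URL STATUS" per line.
# Values are URL-encoded the way a browser or tool would send them.
SAMPLE_LOG = """\
GET /search?publisher=Wiley 200
GET /search?publisher=Wiley%27 500
GET /search?publisher=Wiley%27%27 200
GET /search?publisher=Wil%27%7C%7C%27ey 200
GET /search?publisher=Wil%27%2B%27ey 200
GET /item?id=2 200
GET /item?id=3-1 200
GET /item?id=67-ASCII%28%27A%27%29 200
GET /search?publisher=Wiley%27%20OR%201%3D1-- 200
GET /search?publisher=Wiley%27%20UNION%20SELECT%20username%2Cpassword%2Cuid%20FROM%20users-- 200
GET /search?publisher=O%27Reilly 200
"""

# One rule per probe family from the slides; names are this example's own.
PROBE_RULES = {
    "quote_probe": re.compile(r"^[^']*'$"),                  # lone trailing quote
    "double_quote_escape": re.compile(r"''"),                 # doubled-quote escape test
    "string_concat": re.compile(r"'\s*(\|\||\+)\s*'|'\s+'"),  # Oracle ||, MS-SQL +, MySQL ' '
    "numeric_expression": re.compile(r"^\s*\d+\s*[-+*/]\s*(\d+|\w+\(.*\))\s*$"),
    "sql_comment": re.compile(r"--|/\*.*\*/"),
    "boolean_or": re.compile(r"'\s*OR\s+.+=", re.IGNORECASE),
    "union_select": re.compile(r"UNION\s+SELECT", re.IGNORECASE),
    "version_comment": re.compile(r"/\*!\d+"),               # MySQL /*!32302 ... */
}

LOG_LINE = re.compile(r"^(\S+) (\S+) (\d{3})$")


def classify_value(value: str) -> list:
    """Return the names of every probe rule a decoded parameter value matches."""
    return [name for name, rx in PROBE_RULES.items() if rx.search(value)]


def scan_log(text: str) -> list:
    """Return (path, param, decoded value, matched rules) for each suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or "?" not in m.group(2):
            continue
        path, query = m.group(2).split("?", 1)
        for name, value in parse_qsl(query, keep_blank_values=True):
            rules = classify_value(value)
            if rules:
                findings.append((path, name, value, rules))
    return findings


def rule_counts(findings: list) -> Counter:
    """Tally how often each probe family appears, for a quick triage summary."""
    return Counter(rule for _, _, _, rules in findings for rule in rules)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for path, name, value, rules in hits:
        print(f"{path} {name}={value!r}: {', '.join(rules)}")
    print(dict(rule_counts(hits)))
```

Real traffic needs more care than this (other encodings, POST bodies, header and cookie parameters), and a lone quote in a value is often innocent, so the useful signal is the sequence: a quote, then doubled quotes, then concatenation or arithmetic from the same client, which is exactly the testing procedure the slides lay out.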


Injecting Into Query Structure

• Determine the type of statement
  o SELECT statements
  o INSERT statements
  o UPDATE statements
  o DELETE statements
  o UNION operator (more of a technique)


SELECT Statements

• Frequently used when returning data based on the user's actions

• The attack entry point is usually the statement's WHERE clause

• Correct example:
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley'

• Malicious example:
  o Input into web form: Wiley' OR 1=1--
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley' OR 1=1--


INSERT Statements

• Used to create a new row of data in a table

• Example: a web app that allows users to self-register

• Correct example:
  o INSERT INTO users (username, password, privs) VALUES ('daf','secret',1)

• Malicious example:
  o Input into web form: foo','bar',0)--
  o INSERT INTO users (username, password, privs) VALUES ('foo','bar',0)--
  o The injected values MUST match the correct number and data types of the columns!


UPDATE Statements

• Used to modify one or more rows of existing data in a table

• Correct example:
  o UPDATE users SET password='newsecret' WHERE user='brad' and password='secret'

• Malicious example:
  o Input into web form: admin'--
  o UPDATE users SET password='newsecret' WHERE user='admin'--

• This example bypasses the password check and changes the admin password!


DELETE Statements

• Used to delete one or more rows of data in a table

• Can corrupt the entire table or database

• Correct example:
  o DELETE from users WHERE uid='brad'

• Malicious example:
  o Input into web form: ' OR ' '='
  o DELETE from users WHERE uid=' ' OR ' '=' '

• This example deletes every row in the users table!


UNION Operator

• Used to combine results of two or more SELECT statements into a single result set

• Supported by all major DBMS products

• Fastest way to retrieve arbitrary information when query results are returned

• Point of attack is usually the WHERE clause of a SELECT statement

• Additional SELECT statement must contain correct number of data types


UNION Operator cont.

• Example SELECT statement before:
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley' (where Wiley was submitted)

• Input into web form:
  o Wiley' UNION SELECT username,password,uid FROM users--

• Returns a result set containing both the author,title,year rows and the username,password,uid rows in one table

• This example only works if the SELECT from the users table returns three columns, matching the original query
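The SELECT, UPDATE and UNION slides above each show a query built by pasting user input into the SQL text and the input that changes its meaning. The Python below is an added example (not from the slides or the book) that runs those same inputs against an in-memory SQLite database, once through the vulnerable string-building pattern and once through the parameterized form the prevention slide recommends. The schema, the rows, the column name `username` and the plaintext passwords are constructed assumptions chosen only to keep the example short; the UNION column-count check goes one step beyond the slides by showing what happens when the injected SELECT has the wrong number of columns.

```python
import sqlite3


# Constructed in-memory schema and rows (not from the slides). Plaintext passwords
# are used only to keep the demonstration short; never store passwords this way.
def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE books (author TEXT, title TEXT, year INTEGER, publisher TEXT);
        INSERT INTO books VALUES ('Stuttard', 'WAHH', 2011, 'Wiley'),
                                 ('Someone', 'Other', 2005, 'Acme');
        CREATE TABLE users (username TEXT, password TEXT, uid INTEGER);
        INSERT INTO users VALUES ('admin', 'secret', 0), ('brad', 'secret', 1);
    """)
    return con


# --- Vulnerable pattern from the slides: input spliced into the SQL text ---
def books_by_publisher_vulnerable(con, publisher):
    sql = f"SELECT author,title,year FROM books WHERE publisher = '{publisher}'"
    return con.execute(sql).fetchall()


def change_password_vulnerable(con, user, old, new):
    sql = (f"UPDATE users SET password='{new}' "
           f"WHERE username='{user}' AND password='{old}'")
    return con.execute(sql).rowcount  # number of rows actually modified


# --- Hardened form: placeholders, so input is bound as data and never parsed as SQL ---
def books_by_publisher_safe(con, publisher):
    return con.execute(
        "SELECT author,title,year FROM books WHERE publisher = ?", (publisher,)
    ).fetchall()


def change_password_safe(con, user, old, new):
    return con.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new, user, old),
    ).rowcount


def admin_password(con):
    return con.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]


def demo() -> dict:
    """Run each slide input against both forms and record what happened."""
    out = {}
    con = fresh_db()

    # SELECT slide: Wiley' OR 1=1-- makes the WHERE clause always true
    payload = "Wiley' OR 1=1--"
    out["select_vuln_rows"] = len(books_by_publisher_vulnerable(con, payload))  # every book
    out["select_safe_rows"] = len(books_by_publisher_safe(con, payload))        # no such publisher

    # UNION slide: three columns on each side, so users rows ride along with the books
    payload = "Wiley' UNION SELECT username,password,uid FROM users--"
    out["union_vuln_rows"] = len(books_by_publisher_vulnerable(con, payload))
    out["union_safe_rows"] = len(books_by_publisher_safe(con, payload))

    # Column-count rule: a two-column SELECT cannot be UNIONed onto a three-column one
    try:
        books_by_publisher_vulnerable(con, "Wiley' UNION SELECT username,password FROM users--")
        out["union_mismatch_errors"] = False
    except sqlite3.OperationalError:
        out["union_mismatch_errors"] = True

    # UPDATE slide: admin'-- comments out the password check
    out["update_vuln_rows"] = change_password_vulnerable(con, "admin'--", "wrong", "newsecret")
    out["admin_pw_after_vuln"] = admin_password(con)
    con = fresh_db()
    out["update_safe_rows"] = change_password_safe(con, "admin'--", "wrong", "newsecret")
    out["admin_pw_after_safe"] = admin_password(con)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The parameterized functions never see a different query: the structure is fixed before the input arrives, so `Wiley' OR 1=1--` is simply a publisher name that matches nothing and `admin'--` is a username that matches nothing. The column-count error also shows why a database that reports its errors verbosely helps an attacker align a UNION, which is a separate reason to return generic errors to the client.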


Advanced Techniques

• Out-of-Band Communication

• Bypassing Filters

• Using Comments & Circumventing Validation

• Second Order SQL Injection

• Retrieving Data as Numbers

• Inference


Escalating Attacks

• Most applications employ one account for database access

• Rely on application-layer controls to enforce segregation of access

• Already have the data, why escalate?
  o Gain access to other hosted application data
  o Compromise the OS of the database server
  o Gain network access to reach other systems
  o Establish a network connection to the attacker's own system for faster data retrieval
  o Include own functions to enhance DB capabilities


Some Tools Used in SQL Exploitation

• Absinthe - Automated Blind SQL Injection Tool

• SQLMap - Automatic SQL Injection Tool


Preventing SQL Injection

• Validate input!

• Escape certain characters and words

• Use stored procedures to help
  o This does not completely solve the problem

• Parameterized queries
  o AKA prepared statements
  o Application specifies the query's structure
  o Application specifies the contents of each placeholder
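The prevention slide lists input validation, escaping and parameterized queries side by side without saying how they relate. The Python below is an added example (not from the slides or the book) that puts the first two under test against a constructed SQLite table: escaping a quote works when the input sits inside a quoted string, but it does nothing for the numeric context the "Injecting Into Numeric Data" slide describes, because there is no quote to escape. An allow-list validator plus a bound parameter closes that case. The table, the `validate_id` rule and the numeric input `1 OR 1=1` are assumptions of this example; the numeric input generalizes the slides' string-context `OR 1=1` to a numeric WHERE clause.

```python
import re
import sqlite3


# Constructed table (not from the slides); the O'Reilly row shows that a
# legitimate apostrophe must survive whatever defence is applied.
def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, publisher TEXT);
        INSERT INTO books VALUES (1, 'WAHH', 'Wiley'), (2, 'Other', 'Acme'),
                                 (3, 'Third', 'Wiley'), (4, 'Fourth', 'O''Reilly');
    """)
    return con


def escape_quotes(value: str) -> str:
    """Escaping for string context: double every single quote (the SQL escape sequence)."""
    return value.replace("'", "''")


def validate_id(value: str) -> int:
    """Allow-list validation: an id is a short decimal integer and nothing else."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError(f"rejected id: {value!r}")
    return int(value)


def by_publisher_escaped(con, publisher):
    # Escaping is sufficient here only because the input sits inside the quotes
    sql = f"SELECT title FROM books WHERE publisher = '{escape_quotes(publisher)}'"
    return con.execute(sql).fetchall()


def by_id_escaped(con, raw_id):
    # Numeric context has no quotes to escape, so escaping alone changes nothing
    sql = f"SELECT title FROM books WHERE id = {escape_quotes(raw_id)}"
    return con.execute(sql).fetchall()


def by_id_validated(con, raw_id):
    # Validate to an integer first, then bind it as a parameter
    return con.execute(
        "SELECT title FROM books WHERE id = ?", (validate_id(raw_id),)
    ).fetchall()


def demo() -> dict:
    con = fresh_db()
    out = {}
    out["string_payload_escaped"] = len(by_publisher_escaped(con, "Wiley' OR 1=1--"))  # 0
    out["string_legit_quote"] = len(by_publisher_escaped(con, "O'Reilly"))            # 1
    out["numeric_payload_escaped"] = len(by_id_escaped(con, "1 OR 1=1"))              # 4
    out["numeric_legit_validated"] = len(by_id_validated(con, "1"))                   # 1
    try:
        by_id_validated(con, "1 OR 1=1")
        out["numeric_payload_rejected"] = False
    except ValueError:
        out["numeric_payload_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

The lesson matches the slide's ordering: validate first so that only the expected shape of data reaches the query, bind it with a placeholder so the database never parses it, and treat escaping as a last resort for the few places where a value genuinely has to be spliced into SQL text.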


Summary, Comments and Questions

• Attacking Data Stores can be done in a variety of ways

• Protecting Data Stores is of utmost importance

• Understanding how these attacks take place enables one to better protect against them

• Questions and Comments.........