Nick Tsamis, University of Tulsa, CS 7493, April 2013
What is SQL?
Why SQL matters. *yawn*
What's the big deal? What could possibly go wrong?
• SQL Injection
• XSS
• Command Execution
*pffft* So we shouldn't use SQL?
That's some smart SQL!
Structured Query Language

Language
• Specialized programming language
• Utilized in relational databases

Query
• Raw data is queried to obtain information
• "Our business is turning data into information." – Michael A. Peterson

Structured
• Adheres to a strict, defined format
(diagram: query, table, column)
Relational Databases vs Hierarchical Databases
• Relational: data relations are stored
• Hierarchical: top-down flow only
Popularity
• One of the first commercial languages for relational models
• Today, exists as the de facto standard (ANSI and ISO)
• It's EVERYWHERE
Versatility
It's flexible: T-SQL, MySQL, LINQ
Vulnerabilities
SQL is powerful... if you grant it.
• Manages data, some of which is sensitive
• Provides a great entry point for access
• Security is not always implicit
• Raw SQL can be very vulnerable to simple injections
Recovering a lost password goes wrong if $EMAIL = "anything' OR 'x'='x"
SQL Injection: injecting unintended code into a query
Returning user name from ID
(source code screenshot)
The attack: we add a second condition that will always evaluate to true (1=1). The purpose is to dump all user information.
$id = ' or 1=1 #
Resulting clause: WHERE user_id = '' or 1=1 # '";
SQL Injection: injecting unintended code into a query
Returning SQL information
The attack(s): we add a UNION SELECT to dump additional data.
$id = ' union SELECT 1, user() #
  Yields the current SQL user
$id = ' and 1=1 union select database(),version() #
  Yields the current SQL version and database name
SQL Injection: injecting unintended code into a query
Case study: returning the good stuff!!
The attack(s): we add a UNION SELECT to dump password data.
$id = ' union select user, password FROM users #
  Yields the current user and associated password (hash)
XSS (Cross Site Scripting): execute unintended scripts inline
Throw an alert, passed as a URL argument
What if we put an inline script in that URL?
Alert box shown: (screenshot)
XSS (Cross Site Scripting): well that wasn't exactly l33t...
Have a cookie: <script>alert(document.cookie)</script>
Alert box shown: (screenshot)
More serious implications:
• Run a custom script that can open a remote connection (backdoor)
• Read and dump configuration data (SQL or OS)
Better SQL

Stored Procedures
• Preformat and secure a static query
• Grant access to a SP, not the tables it accesses
• Typically increased performance
• Parameter check – data typing
• No network traffic – run inside the engine

String Filtering/Escaping
• String escape characters: ' " \ NUL
Mo' Better SQL

Parameterized SQL
• Strongly typed data is bound on execution
• Parameters are populated and checked
• User input is not directly embedded

Database Management
• Permission limitation
• Principle of Least Privilege
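The difference between raw string concatenation and bound parameters, as an added example that is not part of the original slides: a Python/SQLite sketch (assumed tooling; the slides' $id examples are PHP against MySQL) runs the slides' own "anything' OR 'x'='x" payload through both query styles, plus a 1=1 variant using SQLite's "--" comment token in place of MySQL's "#".

```python
import sqlite3

# Constructed sample rows for the demo; not taken from any real system.
SAMPLE_USERS = [
    (1, "alice@example.com", "hash-placeholder-1"),
    (2, "bob@example.com", "hash-placeholder-2"),
    (3, "carol@example.com", "hash-placeholder-3"),
]


def build_db():
    """In-memory SQLite database with a users(user_id, email, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_raw(conn, email):
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input changes the query's structure (the slides' lost-password case)."""
    sql = "SELECT user_id, email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Safe: the input is bound as a typed parameter at execution time, so it
    is only ever compared as a string value and never parsed as SQL."""
    sql = "SELECT user_id, email, password FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Row counts returned for a legitimate email and for two injection payloads."""
    conn = build_db()
    legit = "bob@example.com"
    always_true = "anything' OR 'x'='x"   # payload from the slides
    comment_out = "' OR 1=1 --"           # slides use '#', which is MySQL-only
    return {
        "raw_legit": len(lookup_raw(conn, legit)),
        "raw_always_true": len(lookup_raw(conn, always_true)),
        "raw_comment_out": len(lookup_raw(conn, comment_out)),
        "param_legit": len(lookup_parameterized(conn, legit)),
        "param_always_true": len(lookup_parameterized(conn, always_true)),
        "param_comment_out": len(lookup_parameterized(conn, comment_out)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The raw lookup hands back every row for either payload, while the parameterized lookup returns nothing for them and still finds the legitimate address.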