08 Week8 10 Web Security B

Uploaded by

Oscar Wong

Lecture 8-10 – Web Security: SQL Injection Attack

Dr. Cong Wang
CS Department
City University of Hong Kong
Slides partially adapted from lecture notes by M. Goodrich & R. Tamassia,
W. Stallings & L. Brown, Dan Boneh, and Dawn Song.
CS4293 Topics Cybersecurity 1
Web Security:
Vulnerabilities and Attacks



Three top web site vulnerabilities
• SQL Injection
– Browser sends malicious input to server
– Bad input checking leads to malicious SQL query
(Uses SQL to change the meaning of a database command)

• CSRF – Cross-site request forgery
– Bad web site sends request to good web site, using credentials of an innocent victim who “visits” the site
(Leverages the user’s session at the victim server)

• XSS – Cross-site scripting
– Bad web site sends innocent victim a script that steals information from an honest web site
(Injects malicious script into a trusted context)


Command Injection
a general vulnerability



Background

<!DOCTYPE html>
<meta charset=utf-8>
<title>PHP Test</title>
<?php echo 'Hello World'; ?>

Other PHP delimiters (the <script language="php"> form was removed in PHP 7.0, and the short <? tag only works when short_open_tag is enabled):

<? echo 'Hello World'; ?>
<script language="php"> echo 'Hello World'; </script>


Content of notes.txt



Command Injection

• Recall that special characters are URL-encoded as hex:
– %0A = newline
– %20 or + = space, %2B = + (special exception)
– for more, see the ASCII table


Injection
• Injection is a general problem
– Typically caused when data and code share the same channel
– For example, the code is “cat” and the filename is the data
• But “;” allows an attacker to start a new command


Input Validation
• Two forms:
– Blacklisting: block known attack values
– Whitelisting: only allow known-good values
• Blacklists are easily bypassed
– Set of ‘attack’ inputs is potentially infinite
– The set can change after you deploy your code
– Only rely on blacklists as a part of a defense in
depth strategy



Blacklist Bypass



Input Validation: Whitelisting

preg_match(regex, string):

Performs a regular expression match.

Designing a whitelist that is general enough to accept all legitimate input while still rejecting bad input can be challenging.


Input Escaping



Use less powerful API
• The system() command is too powerful
– Executes its string argument in a new shell
• If you only need to read a file and output it, use a simpler API

• Again, this needs careful design consideration.
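The three defenses from the Injection, Input Validation, Input Escaping and Use less powerful API slides, as an added example in Python rather than the lecture's PHP (not code from the slides); the whitelist pattern, the notes directory and the function names are assumptions, and the unsafe form they replace is simply "cat " + filename handed to a shell.

```python
import os
import re
import shlex
import tempfile

# Assumed whitelist policy: a notes filename is letters, digits, '_', '.', '-'.
# re.fullmatch is used because '$' would still match before a trailing newline.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9_.-]+")

def blacklist_ok(filename: str) -> bool:
    """Blacklist: block the ';' separator seen in the slides. Bypassable, since
    a newline (%0A), '|', '&&' or backticks also end a shell command."""
    return ";" not in filename

def whitelist_ok(filename: str) -> bool:
    """Whitelist: accept only names built from known-good characters."""
    return SAFE_FILENAME.fullmatch(filename) is not None

def shell_command_escaped(filename: str) -> str:
    """Input escaping: shlex.quote() makes /bin/sh treat the whole value as
    one literal argument, whatever characters it contains."""
    return "cat " + shlex.quote(filename)

def read_notes(base_dir: str, filename: str) -> str:
    """Less powerful API: no shell at all. Validate the name, then open the
    file directly and refuse anything that resolves outside base_dir."""
    if not whitelist_ok(filename):
        raise ValueError("filename rejected by whitelist")
    path = os.path.realpath(os.path.join(base_dir, filename))
    if os.path.dirname(path) != os.path.realpath(base_dir):
        raise ValueError("path escapes the notes directory")  # catches '..'
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def demo_read(filename: str) -> str:
    """Constructed sample: a notes.txt in a temporary directory, read through
    read_notes(). Returns the text, or 'REJECTED' if the name is refused."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello from notes\n")
        try:
            return read_notes(d, filename)
        except ValueError:
            return "REJECTED"
```

Note that ".." passes the character whitelist, which is why read_notes() also checks the resolved path; validation alone is not the whole defense.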


Recap
• Command Injection is one case of injection attack.

• Defenses against injection: input validation, input escaping, and use of a less powerful API

• We will discuss other examples of injection and apply similar defenses.
SQL Injection

• SQL: a query language for databases
– E.g., SELECT statements, WHERE clauses

• More info on
– http://www.w3schools.com/sql/
– http://en.wikipedia.org/wiki/SQL


SQL Injection Running Example
• Consider a webpage that logs in a user by checking whether a user exists with the given name and password

• If a result exists, it logs in the user and redirects the user to the user control panel

• Is it safe?


SQL Injection

• Which of the following queries logs you in as admin? Hint: the SQL language supports comments via the ‘--’ characters


SQL Injection

URI: http://www.example.net/login.php?user=admin'--&pwd=f

The “--” causes the rest of the line to be ignored.

• Easy login to many sites this way.
SQL Injection
• Under the same premise, which URI can delete the users table in the database?


SQL Injection
• One of the most exploited vulnerabilities on the web.
• Cause of massive data theft
– 24% of all data stolen in 2010
– 89% of all data stolen in 2009
• Like command injection, caused when attacker-controlled data is interpreted as an SQL command.


Injection Defense
• Defenses:
– Input validation
• Check untrusted input against a whitelist of safe values.
– Input escaping
• Escape untrusted input so it will not be treated as a command.
– Use a less powerful API
• Use an API that only does what you want
• Prefer this over all other options.


Input Validation

preg_match(regex, string):

Performs a regular expression match.

Designing a whitelist that is general enough to accept all legitimate input while still rejecting bad input can be challenging.
Input Validation for SQL
• Given the input validation against username in our web application, which of the following URIs would still allow you to log in as admin?

1=1 is true everywhere. This returns all the rows in the table, and thus the number of results is greater than zero.
Input Escaping



Use Less Powerful API
• Create a template of the SQL query, into which data values are substituted.
• The database ensures that an untrusted value isn’t interpreted as a command.
• Always preferred over other techniques
• Never build SQL commands yourself!
– Use parameterized/prepared SQL


Examples: Parameterized/prepared SQL
• Builds SQL queries by properly escaping args: ' → \'
• Example: Parameterized SQL (ASP.NET 1.1)
– Ensures SQL arguments are properly escaped. (Different DBs have different rules for escaping.)

SqlCommand cmd = new SqlCommand(
    "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
    dbConnection);
cmd.Parameters.Add("@User", Request["user"]);
cmd.Parameters.Add("@Pwd", Request["pwd"]);
cmd.ExecuteReader();

• In PHP: bound parameters -- similar function
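The running login.php example, the username-only validation slides and the parameterized-query slide, as an added example using Python's sqlite3 module rather than the slides' ASP.NET/PHP (not code from the lecture); the users table, the username whitelist and the function names are constructed for the demo.

```python
import re
import sqlite3

# Whitelist applied to the username only, as in the slides' validation slide.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")

def make_db() -> sqlite3.Connection:
    """Constructed sample users table, in memory. Plaintext passwords are
    used only to keep the demo short; a real table stores password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2")])
    return db

def login_unsafe(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """login.php style: the inputs are pasted into the SQL text, so a quote
    closes the string literal and '--' comments out the rest of the query."""
    sql = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
           % (user, pwd))
    return db.execute(sql).fetchone() is not None

def login_validated(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Input validation on the username only. The password is still pasted
    into the query, so pwd = ' OR 1=1 -- makes the WHERE clause true for
    every row and the result count is greater than zero."""
    if USERNAME_RE.fullmatch(user) is None:
        return False
    return login_unsafe(db, user, pwd)

def login_parameterized(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Less powerful API: the query is a fixed template and the database
    binds the values, so they are compared as data and never parsed as SQL."""
    row = db.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (user, pwd)).fetchone()
    return row is not None
```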
