defensive day1 s2

Ahmed Fawzy, Security & IT Consultant, Raya Contact Center: SQL Injection Defensive Techniques

Posted on 23-Oct-2015

DESCRIPTION

Defensive security

TRANSCRIPT

Ahmed Fawzy

Security & IT Consultant

Raya Contact Center

SQL Injection Defensive Techniques

How to defend against SQL injection

1. Use Microsoft Source Code Analyzer
2. Use stored procedures
3. Enforcement at the database level
4. Filter user input
5. Use SQL Defender
6. Create one user for read and one user for write

Microsoft Source Code Analyzer

Options:

/GlobalAsaPath=path      Path to global.asa
/IncludePaths=path;..;path   Paths to include files
/Output=file             Generate warnings as XML in 'file' for the viewer
/Append                  Append to the output file instead of overwriting it
/NoLogo                  Do not display the tool logo
/Quiet                   Do not display any parsing errors


msscasi_asp.exe /input="c:\source\logon.asp"

msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"

msscasi_asp.exe /GlobalAsaPath="C:\source" /input="c:\source\display.asp"

msscasi_asp.exe /input="c:\display.asp" /IncludePaths="C:\vd1;C:\vd2"

msscasi_asp.exe /input="c:\source\file1.asp" /output="c:\output\warnings.xml" /append

msscasi_asp.exe /input="c:\source\file2.asp" /output="c:\output\warnings.xml" /append

msscasi_asp.exe /input="c:\source\file3.asp" /output="c:\output\warnings.xml" /append

Use Stored Procedures

using System;
using System.Data;
using System.Data.SqlClient;
// connectionString and the txt* controls are supplied by the surrounding page.
// Each field is passed as a typed parameter, so user input travels as data and
// is never concatenated into the SQL text.
using (var conn = new SqlConnection(connectionString))
using (var cmd = conn.CreateCommand())
{
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.CommandText = "insertMSG";
    cmd.Parameters.Add("@Namee", SqlDbType.VarChar, 50).Value = txtName.Text;
    cmd.Parameters.Add("@Email", SqlDbType.VarChar, 30).Value = txtEmail.Text;
    cmd.Parameters.Add("@Tel", SqlDbType.VarChar, 15).Value = txtTEL.Text;
    cmd.Parameters.Add("@Mobile", SqlDbType.VarChar, 15).Value = txtMobile.Text;
    cmd.Parameters.Add("@MSG", SqlDbType.VarChar, 500).Value = txtMSG.Text;
    cmd.Parameters.Add("@Datee", SqlDbType.DateTime).Value = DateTime.Now;
    conn.Open();
    cmd.ExecuteNonQuery();
}

Create one user for read and one user for write

Use SQL Defender

// Rejects input containing any word from a fixed SQL keyword list.
bool SqlDefender(string data)
{
    string[] blocked = { "select", "drop", "insert", "update", "delete",
                         "table", "database", "cmd", "where", "=" };
    foreach (string word in blocked)
    {
        if (data.IndexOf(word, StringComparison.OrdinalIgnoreCase) >= 0)
            return false;
    }
    return true;
}

A keyword blocklist like this is a supplementary filter only: it rejects legitimate input that happens to contain a listed word, and it cannot cover every way the same SQL can be written. It complements the parameterized stored procedures above rather than replacing them.

SQL Injection Attacks

SQL injection is a type of security exploit in which the attacker adds SQL code to a Web form input box to gain access to the database resources.

For example, in a search page, the developer may execute a query (VBScript/ASP) using the code:

Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")

Detect SQL Injection Attacks

Look for SQL Injection attack incidents in these locations:

IDS log files

Database server log files

Web server log files

The attack signature may look like:

12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or 1=1 --

12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or )1=1 (--

12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or exec master..xp_cmdshell 'net user test testpass --
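As an added example (not from the deck), a small Python scanner that applies the signatures shown above to web server log lines in this layout; the sample log is constructed, and the field order (time, client IP, method tokens, request) is assumed from the three entries quoted.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures modelled on the three log entries in the deck: a stray quote
# followed by OR and a comparison, a comment marker that truncates the
# statement, and EXEC reaching for xp_cmdshell.
SIGNATURES = {
    "quote_or_compare": re.compile(r"'\s*or\b.*=", re.IGNORECASE),
    "comment_terminator": re.compile(r"--|/\*"),
    "exec_xp_cmdshell": re.compile(r"\bexec\b.*xp_cmdshell", re.IGNORECASE),
}

def parse_log_line(line):
    """Split '<time> <ip> <method tokens> <request>' (layout assumed from the deck).
    The request starts at the first token beginning with '/', since these query strings
    are unencoded and contain spaces."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if i >= 2 and tok.startswith("/"):
            return {"time": fields[0], "ip": fields[1], "request": " ".join(fields[i:])}
    return None

def scan_line(line):
    """Return a finding for the first query parameter that hits any signature."""
    entry = parse_log_line(line)
    if entry is None:
        return None
    # parse_qsl percent-decodes, so %27 and '+' are inspected as quote and space.
    for name, value in parse_qsl(urlsplit(entry["request"]).query, keep_blank_values=True):
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            return {"time": entry["time"], "ip": entry["ip"], "param": name,
                    "value": value, "signatures": hits}
    return None

def scan_log(lines):
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log, not real traffic: the deck's three entries, a benign
# login, and a percent-encoded variant of the first entry.
SAMPLE_LOG = [
    "12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or 1=1 --",
    "12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or )1=1 (--",
    "12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah' or exec master..xp_cmdshell 'net user test testpass --",
    "12:34:36 192.2.3.5 HEAD GET /login.asp?username=o'brien&password=x",
    "12:34:37 192.2.3.6 HEAD GET /login.asp?username=blah%27+or+1%3D1+--",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["param"], finding["signatures"])
```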

Lab: Deep Log Analyzer

Deep Log Analyzer is an advanced web analytics solution for small and medium-sized websites.

Lab: Log Parser

LogParser is an excellent free tool for analyzing log files.

Lab: Acunetix