java web application security - introduction to sql injection
![Page 1: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/1.jpg)
Java Web Application Security
Introduction to SQL Injection (SQLi)
Joseph Konieczka
Sales Engineer
BrixBits
![Page 2: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/2.jpg)
Agenda
• First of several sessions on SQL Injection
• Definition
• Prevalence
• Coding Guidance
• Testing Methods
• Defensive Protection
• Homework
![Page 3: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/3.jpg)
What is SQL Injection (SQLi)?
• At its most basic level, an injection flaw exists when user-supplied input is mixed into program logic, so that the text of the SQL query itself is built from that input
• Once the attacker is able to morph the SQL query, the damage is limited only by the controls implemented in the application, web server, OS, and infrastructure
![Page 4: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/4.jpg)
OWASP Definition of SQLi
• https://www.owasp.org/index.php/SQL_Injection
• A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
• A successful SQL injection exploit can
  – read sensitive data from the database,
  – modify database data (Insert/Update/Delete),
  – execute administration operations on the database (such as shutdown the DBMS),
  – recover the content of a given file present on the DBMS file system,
  – and in some cases issue commands to the operating system.
![Page 5: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/5.jpg)
How widespread is it?
• In 2015, more than 200 SQLi vulnerabilities were reported
• In 2016, 10 were already reported just by the end of February
• Year after year, SQLi is listed as one of the OWASP Top 10 risks seen in the wild
![Page 6: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/6.jpg)
CWE, CVE, and NVD
• The Common Weakness Enumeration (CWE™) is a list of software weaknesses.
  – https://cwe.mitre.org/
• Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities.
  – http://cve.mitre.org/
• National Vulnerability Database
  – https://nvd.nist.gov/home.cfm
![Page 7: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/7.jpg)
How do you avoid it?
• Query parameterization
• SQL code is first defined
• Parameters are then passed to the query (ideally after the input has been validated)
• Distinct boundary between code and data
• In JDBC this is java.sql.Connection's PreparedStatement prepareStatement(String sql): the SQL text is compiled first, and values are bound to its ? placeholders afterwards
![Page 8: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/8.jpg)
Example
• https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
```java
// Query parameterization with JDBC: the SQL text is fixed before any
// user input is involved; the input is bound as a value, never as code.
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname );
ResultSet results = pstmt.executeQuery( );
```
![Page 9: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/9.jpg)
How do you test for it?
• Static Analysis tools such as FindBugs with the FindSecurityBugs plugin
• Automated tools such as sqlmap (covered in the Advanced section)
• Manual penetration testing for complex situations
![Page 10: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/10.jpg)
WebGoat Numeric SQL Injection
![Page 11: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/11.jpg)
![Page 12: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/12.jpg)
View intercepted traffic
![Page 13: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/13.jpg)
Key parameter is station
![Page 14: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/14.jpg)
Returns temp info for that station
![Page 15: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/15.jpg)
Retry but add OR 1=1
![Page 16: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/16.jpg)
Statement evaluated to TRUE
All results returned
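The WebGoat walkthrough above and the "How do you avoid it?" slides describe the same lookup twice: once with the station parameter concatenated into the query text, and once with it bound through a PreparedStatement. The following is an added example written for this page, not code from WebGoat, OWASP or BrixBits. It assumes the H2 JDBC driver is on the classpath; the in-memory URL `jdbc:h2:mem:sqli`, the `weather_data` table and its three rows are constructed here to stand in for WebGoat's weather table. Against the concatenating version, the input `101 OR 1=1` from the slide turns the WHERE clause into a tautology and every row comes back; against the parameterized version the same input is rejected before any SQL runs, because a numeric station is validated as an integer and then bound with `setInt`.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration for this page (not WebGoat's or BrixBits' code).
 * Assumes the H2 JDBC driver (com.h2database:h2) is on the classpath.
 * The database URL and the weather_data rows below are constructed sample data.
 */
public class NumericSqliDemo {

    // Seed a throw-away in-memory table that mimics WebGoat's weather data.
    static Connection openSeededDb() throws SQLException {
        Connection c = DriverManager.getConnection("jdbc:h2:mem:sqli;DB_CLOSE_DELAY=-1");
        try (Statement s = c.createStatement()) {
            s.execute("CREATE TABLE weather_data (station INT, name VARCHAR(40), min_temp INT, max_temp INT)");
            s.execute("INSERT INTO weather_data VALUES (101, 'Columbia', 65, 70)");
            s.execute("INSERT INTO weather_data VALUES (102, 'Seattle', 50, 60)");
            s.execute("INSERT INTO weather_data VALUES (103, 'New York', 70, 80)");
        }
        return c;
    }

    // VULNERABLE: the request parameter becomes part of the SQL text, so the
    // input "101 OR 1=1" rewrites the WHERE clause and every station is returned.
    static List<String> vulnerableLookup(Connection c, String station) throws SQLException {
        String sql = "SELECT name FROM weather_data WHERE station = " + station;
        List<String> names = new ArrayList<>();
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    // HARDENED: the SQL text is fixed first and the value is bound afterwards.
    // The input is validated as an integer before binding, so it can only ever
    // be compared as data; there is no way for it to become part of the query.
    static List<String> parameterizedLookup(Connection c, String station) throws SQLException {
        int stationId;
        try {
            stationId = Integer.parseInt(station.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("station must be an integer, got: " + station);
        }
        String sql = "SELECT name FROM weather_data WHERE station = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, stationId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = openSeededDb()) {
            String benign = "101";
            String hostile = "101 OR 1=1";   // the input from the "Retry but add OR 1=1" slide

            System.out.println("concat, benign:    " + vulnerableLookup(c, benign));      // [Columbia]
            System.out.println("concat, hostile:   " + vulnerableLookup(c, hostile));     // all three rows
            System.out.println("prepared, benign:  " + parameterizedLookup(c, benign));   // [Columbia]
            try {
                parameterizedLookup(c, hostile);
            } catch (IllegalArgumentException e) {
                System.out.println("prepared, hostile: rejected before any SQL runs (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with the H2 jar on the classpath (for example `javac NumericSqliDemo.java && java -cp .:h2.jar NumericSqliDemo`). The point to take from the two methods is where the boundary between code and data sits: in `vulnerableLookup` it does not exist, in `parameterizedLookup` it is drawn by `prepareStatement` before the user's value is ever seen, and the integer check on top of that is the "ideally after the input has been validated" step from the parameterization slide.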
![Page 17: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/17.jpg)
How can you protect production?
• Implement change control procedures so that patches can be applied effectively during normal vendor update cycles
• Set up an expedited approval process for critical vulnerabilities
• Set up firewalls and other traffic analysis tools
• Leverage Runtime Application Self-Protection (RASP) such as BrixBits Security Analyzer
![Page 18: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/18.jpg)
Defense in Depth
![Page 19: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/19.jpg)
Homework
• Complete the BodgeIt labs outlined in the Testing VM Setup Guide
• Begin working with the WebGoat Injection Flaws Lessons
• Review the SQL Injection and Query Parameterization Cheat Sheets
• Sign up for next week’s webinar
![Page 20: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/20.jpg)
![Page 21: Java Web Application Security - Introduction to SQL Injection](https://reader031.vdocuments.site/reader031/viewer/2022030303/587c73951a28abd04e8b62df/html5/thumbnails/21.jpg)
http://brixbits.com/
http://brixbits.com/request-a-demo/