Nick Tsamis, University of Tulsa, CS 7493, April 2013

• What is SQL?
• Why SQL matters. *yawn*
• What’s the big deal? What could possibly go wrong?
  • SQL Injection
  • XSS
  • Command Execution
• *pffft* So we shouldn’t use SQL?
• That’s some smart SQL!

Structured Query Language
• Language: a specialized programming language, utilized in relational databases
• Query: raw data is queried to obtain information. “Our business is turning data into information.” – Michael A. Peterson
• Structured: adheres to a strict, defined format (diagram: Query, Table, Column)

Relational Databases vs. Hierarchical Databases
• Relational: data relations are stored
• Hierarchical: top-down flow only

• Popularity: one of the first commercial languages for relational models; today it exists as the de facto standard (ANSI and ISO). It’s EVERYWHERE.
• Versatility: it’s flexible: T-SQL, MySQL, LINQ

Vulnerabilities: SQL is powerful… if you grant it
• Manages data, some of which is sensitive
• Provides a great entry point for access
• Security is not always implicit
• Raw SQL can be very vulnerable to simple injections
Recovering lost password: if $EMAIL = “anything' OR 'x'='x”

SQL Injection: injecting unintended code into a query
Returning user name from ID (source code)
The attack: we add a second condition that will always evaluate to true (1=1). The purpose is to dump all user information.
$id = ' or 1=1 #
WHERE user_id = '' or 1=1 #'";

SQL Injection: injecting unintended code into a query
Returning SQL information
The attack(s): we add a UNION SELECT to dump additional data
$id = ' union SELECT 1, user() #  (yields the current SQL user)
$id = ' and 1=1 union select database(),version() #  (yields the current SQL version and database name)

SQL Injection: injecting unintended code into a query
Case study: returning the good stuff!!
The attack(s): we add a UNION SELECT to dump password data
$id = ' union select user, password FROM users #  (yields the current user and associated password hash)

XSS (Cross Site Scripting): execute unintended scripts inline
Throw an alert
• Passed as a URL argument
• What if we put an inline script in that URL?
• Alert box shown

XSS (Cross Site Scripting): well that wasn’t exactly l33t…
Have a cookie: <script>alert(document.cookie)</script>
Alert box shown
More serious implications:
• Run a custom script that can open a remote connection (backdoor)
• Read and dump configuration data (SQL or OS)

Better SQL
Stored Procedures
• Preformat and secure a static query
• Grant access to a SP, not the tables it accesses
• Typically increased performance
• Parameter check – data typing
• No network traffic – run inside the engine
String Filtering/Escaping
• String escape characters: ' " \ NUL

Mo’ Better SQL
Parameterized SQL
• Strongly typed data is bound on execution
• Parameters are populated and checked
• User input is not directly embedded
Database Management
• Permission limitation
• Principle of Least Privilege
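The raw-SQL lookup from the injection slides beside the two fixes described above (parameter checking by data type and parameterized SQL), fed the deck's own `anything' OR 'x'='x` input. This is an added example, not code from the presentation: it uses Python's sqlite3 module, and the `users` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the deck's `users` table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id TEXT, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("1", "alice", "hash-a"), ("2", "bob", "hash-b")])
    return con

# The injection string from the "Vulnerabilities" slide, used as untrusted input.
PAYLOAD = "anything' OR 'x'='x"

def lookup_unsafe(con, user_id):
    # Raw SQL: the input is spliced into the query text, so a quote in the
    # input ends the literal early and the rest of the input becomes SQL.
    sql = "SELECT user FROM users WHERE user_id = '" + user_id + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, user_id):
    # Parameterized SQL: the value is bound at execution time and never
    # becomes part of the query text, so the quote is just data.
    return [row[0] for row in
            con.execute("SELECT user FROM users WHERE user_id = ?", (user_id,))]

def lookup_typed(con, user_id):
    # Parameter check by data typing: an id must be a positive integer, so
    # anything else is rejected before it reaches the database engine.
    if not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_param(con, user_id)

if __name__ == "__main__":
    con = make_db()
    print("unsafe, honest id :", lookup_unsafe(con, "1"))      # ['alice']
    print("unsafe, payload   :", lookup_unsafe(con, PAYLOAD))  # ['alice', 'bob']
    print("param,  payload   :", lookup_param(con, PAYLOAD))   # []
    print("typed,  honest id :", lookup_typed(con, "2"))       # ['bob']
```

The unsafe query returns every row for the payload because the spliced `OR 'x'='x'` is always true; the bound parameter matches no row, and the type check never lets the string reach the engine.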
http://upload.wikimedia.org/wikipedia/commons/thumb/e/eb/Hierarchical_Model.svg/320px-Hierarchical_Model.svg.png
http://www.ibm.com/developerworks/library/x-matters8/relat.gif
http://upload.wikimedia.org/wikipedia/commons/a/aa/SQL_ANATOMY_wiki.svg
http://www.unixwiz.net/techtips/sql-injection.html
http://wikipedia.org
http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html