The Threat of SQL Injection Is your information safe
Slides: 23
Provided by: cse9
1
The Threat of SQL Injection
Is your information safe?
By Jordon Janelle
2
Abstract
  • The purpose of our presentation and report.
  • Inform the user about SQL Injection.
  • Explain common mistakes and easy fixes to
    minimize risk.
  • Evaluate programs to actively detect when SQL
    injection attacks occur.
  • Review tools which can be used to identify
    weakness.

3
What is SQL Injection?
  • SQL Injection is when a malicious user attempts
    to run queries on a database that were not
    intended.
  • SQL Injection is only the first step.
  • Oracle example (reads the version banners from
    v$version):
    SELECT banner || '-' || (SELECT banner FROM
    v$version WHERE banner LIKE 'Oracle%') FROM
    v$version WHERE banner LIKE 'TNS%'
  • http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

4
The History of SQL Injection
  • 1998: rfp (rain forest puppy) writes an article
    called "NT Web Technology Vulnerabilities" for
    Phrack 54
  • February 1999: Allaire releases the advisory
    "Multiple SQL Statements in Dynamic Queries"
  • May 1999: rfp and Matthew Astley release an
    advisory with the title "NT ODBC Remote
    Compromise"
  • February 2000: "How I hacked Packetstorm: A look
    at hacking wwwthreads via SQL" by rfp
  • September 2000: "Application Assessments on IIS",
    Blackhat, David Litchfield
5
The History of SQL Injection
  • October 2000: "SQL Injection FAQ", Chip Andrews;
    the first public usage of the term "SQL
    Injection" in a paper
  • April 2001: "Remote Web Application Disassembly
    with ODBC Error Messages"
  • January 2002: Chris Anley releases "Advanced SQL
    Injection"
  • June 2002: "(more) Advanced SQL", Chris Anley
  • "From SQL Injection and Data Mining through
    Inference", David Litchfield
6
Examples of SQL injection
  • Mass hack infects tens of thousands of sites.
  • Using the same malicious SQL Injection, over
    160,000 sites were infected.
  • http://www.computerworld.com.au/index.php/id683627551

7
What is at risk?
  • PII systems, Personally Identifiable Information
  • Hospital Records
  • Government
  • Health Insurance
  • Financial Information
  • Credit Card Companies
  • Banks
  • Lenders
  • Any Sensitive or Private Information

8
Legal Ramifications for Lack of Precautions.
  • California
    • Online Privacy Protection Act
    • Not to be confused with the Children's Online
      Privacy Protection Act
  • Germany
    • The Federal Data Protection Act
  • United States
    • Sarbanes-Oxley Act

9
Discover
  • How do you know your site is being compromised?
  • Input validation in web forms and cookies
  • Alerts to administrators
  • Watch for SQL-specific characters such as or --
  • Using some of the various programs discussed later
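The two points above (the unintended query from slide 3 and the input checks and administrator alerts on this slide) in working code. This is an added example, not code from the presentation: it builds a constructed in-memory SQLite table, shows that splicing form input into the SQL text lets a `--` comment cut the password check off the query, shows the bound-parameter fix, and flags form fields carrying SQL-specific characters for an alert. The table, the user rows, and the function names are assumptions made here.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: two users, no real data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return con


def login_unsafe(con, name, password):
    """Common mistake: form input is pasted straight into the SQL text.

    A name such as alice'-- closes the string literal and the `--`
    turns the rest of the statement, password check included, into
    a comment, so a query the developer never intended is run.
    """
    sql = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return con.execute(sql).fetchall()


def login_safe(con, name, password):
    """Easy fix: bound parameters. The driver passes the values to the
    engine separately from the statement, so a quote or `--` inside
    them is only data and can never change the query's structure."""
    return con.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchall()


# Characters worth an administrator alert: the quote and `--` from the
# slide, plus `;` and `/*` added here as further statement/comment marks.
SUSPICIOUS = re.compile(r"'|--|;|/\*")


def suspicious_fields(form):
    """Return the names of form fields that contain SQL-specific
    characters, so the request can be logged and an alert raised."""
    return [field for field, value in form.items() if SUSPICIOUS.search(value)]
```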

10
Discovered
  • Frequently, simple form validation is inadequate.
  • Practically impossible to evaluate every possible
    input.
  • Most injections are discovered after the fact.
  • Respond!

11
Respond
  • Inaction snowballs the problem for other
    companies.
  • The lure of anonymity of the internet.
  • What crimes would you commit if you were not
    going to be caught?

12
For Example
  • Music downloading
  • 14% of users admitted to downloading illegal
    songs in 2004.
  • Translates to 23 million American users who admit
    it.
  • Regardless of controversy, RIAA lawsuits dropped
    pirated music downloads by six million users
    (Pew Internet study).

13
Know the Enemy
  • Catching a good hacker is not as easy as catching
    your average p2p user.
  • The date/time stamp of unauthorized entries into
    a database cross-referenced with IP address log
    of connections.
  • A hacker is not going to hand you their address.

14
What you see isn't what you get.
  • IP Spoofing
    • Attacker's packets bounce around several
      different networks before reaching yours.
    • You get to see the last location.
    • But is that all?

15
More Hops in Every Barrel
  • Hop Count Filtering
    • Hop counts cannot, as of yet, be altered.
    • Blocks statistically spoofed IPs.
    • Promises to block close to 90% of spoofed IPs.

16
Tracing
  • IP Traceback
    • Algebra and many matrix calculations; luckily we
      have computers.
    • With a statistical sample, it has been suggested
      (Dean et al.) that paths of length 25 can be
      traced over 98% of the time.
    • Drawback: needs thousands of packets to analyze.
    • Mostly for DoS attacks, but still useful.

17
Accountability
  • FBI threatening serious jail time for attackers
    of federal sites.
  • Attacking government sites is cyber-terrorism;
    attacking private sites is just a nuisance.
  • Most attacks are not considered worth
    investigating, which is one possible cause of
    there being so many of them.

18
Types of SQL Injections
  • Blind Injection
  • Conditional Responses
  • Conditional Errors
  • Time Delays
  • Code Injection
  • Code Execution
  • Buffer Overruns

19
Analysis Tools
  • Free Tools
    • Usually designed toward a specific back-end
      database
    • Lack of product support
    • Lack of statistic collecting
    • Usability
  • Purchased Tools
    • Policy based
    • Better support
    • Cost

20
Purchased Tools
  • N-Stalker
    • Policy-based driven engine
    • Able to create its own false-positive filter
    • Able to run reports and keep a database of
      vulnerabilities
    • GUI-based system
    • Requires a subscription service

21
Purchased Tools (Cont.)
  • Acunetix WVS
    • GUI based
    • Requires an annual subscription service
    • Detailed reporting
    • Not rule based
    • Does brute force
    • Scans for common mistakes

22
Free Tools
  • SQLIer
    • Command line driven
    • Only does True/False SQL injections
  • BobCat
    • Used only with MSSQL and .NET applications
  • SQLMap
    • Works on multiple DBMS systems
    • Blind and in-band SQL injections
    • Developed in Python (command line driven)