SQL Injection and DoS
Edgis Workshop: SQL Injection & DoS
Emil Tan & Han
http://edgis-security.org
September 2011
Agenda
• SQL Injection
– Demonstrations
– Countermeasures
• What is DoS?
– Demonstrations
– Countermeasures
SQL Interface
The statement is assembled by string concatenation in the web tier (classic ASP here), so whatever the user typed into the form lands verbatim inside the SQL text:

```asp
sql = "INSERT INTO CreditRecords (Name, CardNum) VALUES ('" & Request.Form("Username") & "', '" & Request.Form("CreditCard") & "')"
```

For well-behaved input the database receives:

```sql
INSERT INTO CreditRecords (Name, CardNum) VALUES ('Alice', '123-456-789')
```
SQL Injection
Submitting `Eve` as the username and `1'); EXEC xp_cmdshell 'del *.*' --` as the credit-card number turns the same statement into:

```sql
INSERT INTO CreditRecords (Name, CardNum) VALUES ('Eve', '1'); EXEC xp_cmdshell 'del *.*' -- ')
```

The injected `'` closes the string, `)` closes the VALUES list, `;` starts a second statement (xp_cmdshell runs an OS command under the SQL Server service account; it is disabled by default since SQL Server 2005 but a sysadmin login can re-enable it with sp_configure), and `--` comments out the `')` the application appends. The stacked statement runs because SQL Server executes the whole string as one batch.
SQL Injection (cont’d)
Exploit of a Mom http://xkcd.com/327/
Information Leakage
• Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x1A2B3C4D) [Microsoft][ODBC SQL Server Driver][SQL Server] Unclosed quotation mark before the character string ' and password = '', /login.asp, line 30
• Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x1A2B3C4D) [Microsoft][ODBC SQL Server Driver][SQL Server] Unclosed quotation mark before the character string ' and password = '123'', /login.asp, line 30
• A single quote in the username field is enough to produce these. The raw database error echoes the tail of the query, revealing the DBMS (SQL Server via ODBC), a column name (password), the script and line (/login.asp, line 30) and the fact that input is not escaped. Validate user strings, return a generic error page to the client, and keep the database message in a server-side log only.
Information Leakage (cont’d)
• UNION Poisoning
  – Append a UNION to the application's own SELECT so rows from a table of the attacker's choosing come back in the normal result page. The injected SELECT must return the same number of columns as the original query (four here, hence the `0, 0` padding) with compatible types. The first query lists objects from the SQL Server catalogue; the second reads a column from a table discovered that way:

```sql
SELECT * FROM records WHERE user='[user input] ' union all select name, xtype, 0, 0 from sysobjects --'
SELECT * FROM records WHERE user='[user input] ' union all select <column>, 0, 0, 0 from <schema.columns> --'
```
SQL Injection (Demonstration)
• OWASP Insecure Web App Project
Countermeasures
• Validate, Validate, Validate
  – Client-Side, Server-Side: client-side checks only improve the user experience, an attacker bypasses them by sending the request directly, so every check must be repeated on the server
• Prepared Statements: the SQL text goes to the database with placeholders and the values travel separately, so user input is never parsed as part of the statement. This is the primary defence; validation is defence in depth, not a substitute
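The following is an added example, not code from the slides: it takes the string-concatenated INSERT and SELECT pattern from the SQL Injection and UNION Poisoning slides, runs the error-probe, UNION and stacked-statement payloads against it, and then runs the same inputs through the prepared-statement fix recommended above. An in-memory SQLite database stands in for SQL Server: its `sqlite_master` catalogue plays the role of `sysobjects`, and since SQLite has no xp_cmdshell the stacked statement deletes rows instead of running a shell command. The table names, column names, sample rows and payload strings are all constructed for the demonstration.

```python
"""Added example (not from the Edgis slides): concatenated SQL next to its
prepared-statement fix, executed against an in-memory SQLite database so the
effect of each payload can be observed.  SQLite stands in for SQL Server:
`sqlite_master` plays the role of `sysobjects` in the UNION trick, and because
SQLite has no xp_cmdshell the stacked statement deletes rows instead of running
a shell command.  All table names, rows and payloads are constructed."""
import sqlite3


def setup():
    """Build the demo database: a four-column `records` table and CreditRecords."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (user TEXT, secret TEXT, a INTEGER, b INTEGER);
        INSERT INTO records VALUES ('alice', 'alice-secret', 1, 1);
        CREATE TABLE CreditRecords (Name TEXT, CardNum TEXT);
        INSERT INTO CreditRecords VALUES ('Alice', '123-456-789');
    """)
    return db


def lookup_vulnerable(db, user_input):
    """The slides' pattern: user input is pasted straight into the SQL text."""
    sql = "SELECT * FROM records WHERE user='" + user_input + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_input):
    """Prepared statement: the value travels separately from the SQL text and
    can never change the statement's structure."""
    return db.execute("SELECT * FROM records WHERE user=?", (user_input,)).fetchall()


def insert_vulnerable(db, name, card):
    """The CreditRecords INSERT from the slides, built by concatenation.
    executescript() runs the text as a batch, like the ADO/SQL Server setup on
    the slides; sqlite3's execute() would refuse the second statement."""
    sql = ("INSERT INTO CreditRecords (Name, CardNum) VALUES ('"
           + name + "', '" + card + "')")
    db.executescript(sql)


def insert_safe(db, name, card):
    """Same INSERT with placeholders; the payload is stored as an ordinary string."""
    db.execute("INSERT INTO CreditRecords (Name, CardNum) VALUES (?, ?)", (name, card))
    db.commit()


def probe_error(db, user_input):
    """What a verbose error page leaks: the raw database error text, or None."""
    try:
        lookup_vulnerable(db, user_input)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def demo():
    """Run every payload in order and collect the observable results."""
    db = setup()
    out = {}
    # 1. A lone quote breaks the syntax; the error text is the information leak.
    out["error_leak"] = probe_error(db, "'")
    out["safe_quote"] = lookup_safe(db, "'")
    # 2. UNION poisoning: enumerate tables through the catalogue, then read one.
    #    The injected SELECT must match the four columns of `records`.
    enum = "x' union all select name, type, 0, 0 from sqlite_master --"
    out["tables"] = lookup_vulnerable(db, enum)
    dump = "x' union all select Name, CardNum, 0, 0 from CreditRecords --"
    out["cards"] = lookup_vulnerable(db, dump)
    out["safe_dump"] = lookup_safe(db, dump)
    # 3. Stacked statement in the INSERT (the slot the slides fill with xp_cmdshell).
    payload = "1'); DELETE FROM CreditRecords; --"
    insert_vulnerable(db, "Eve", payload)
    out["rows_after_stacked"] = db.execute("SELECT COUNT(*) FROM CreditRecords").fetchone()[0]
    insert_safe(db, "Eve", payload)
    out["rows_after_safe"] = db.execute("SELECT Name, CardNum FROM CreditRecords").fetchall()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup returns the catalogue and then the card numbers through the UNION, and the concatenated INSERT empties the table; the parameterised versions return no rows for the same inputs and store the payload as a literal string. Note that whether a stacked statement runs at all depends on the driver: sqlite3's execute() rejects it, while SQL Server batches via ADO accept it, which is why the slides' xp_cmdshell payload works there.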
Denial-of-Service
• Confidentiality, Integrity, Availability: DoS is an attack on the third leg of the triad
• Classic Examples
  – Ping of Death
  – SYN Flood Attack
  – LAND Attack
  – Teardrop Attack
  – Smurf Attack
• Distributed Denial-of-Service (DDoS)
Slowloris
• Written by Robert "RSnake" Hansen
• Notable Use
  – Iran Presidential Election 2009
  – Th3j35t3r against WikiLeaks & Terrorist Web Sites
• How it Works?
  – Hold connections open by sending partial HTTP requests
  – Send subsequent headers at regular intervals to keep the sockets from closing
  – Full TCP connection but partial HTTP request (SYN flood over HTTP)
Slowloris (cont'd)
• Awesomeness
  – Most effective against servers that dedicate a thread or process to each connection (Apache prefork/worker); event-driven servers such as nginx are far less affected
  – Nothing is written to the access log until a request completes, so the attack is invisible there while it runs
  – "HTTP 400: Bad Request" entries are logged only after the attack stops and the half-finished requests time out
  – Web service resumes once the attack is terminated: no crash, no data loss, little evidence
LOIC (Low Orbit Ion Cannon)
• Written by Praetox Technologies
• Notable Use
  – 4chan organised "refresh" attacks
  – DoS against Scientology (Project Chanology)
  – #OpPayback (Operation Payback)
• How it Works?
  – Overwhelms the target with TCP, UDP & HTTP traffic: a plain flood with no amplification, so each participant's own bandwidth is what counts
  – HiveMind Mode (i.e. DDoS mode): the client takes its target from an IRC channel, so many volunteers fire at once
Demonstrations
• Slowloris
• LOIC
Countermeasures
• Increase the maximum number of clients the web server allows (raises the cost of the attack but does not stop it: the attacker simply opens more sockets)
• Limit the number of connections a single IP address is allowed to make
• Impose a minimum transfer speed a connection must sustain
• Restrict the length of time a client is allowed to stay connected, in particular the time allowed to finish sending the request headers
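The following is an added example, not code from the slides or from the Slowloris tool: it models three of the countermeasures above (a per-IP connection cap, a deadline for receiving the full request header, and a minimum transfer rate) and exercises them against a constructed Slowloris-style trickle of header lines, alongside a fast client and a slow but honest one, to show that the honest clients survive while the attacker's sockets are reaped. The deadline and rate logic follows the semantics Apache's mod_reqtimeout documents for `RequestReadTimeout header=20-40,MinRate=500`: 20 seconds to finish the headers, extended by one second for every 500 bytes received, never beyond 40 seconds. Every address, threshold, byte string and timing here is an assumption for illustration.

```python
"""Added example (not from the Edgis slides): a model of three Slowloris
countermeasures -- per-IP connection cap, header-read deadline, minimum
transfer rate -- exercised against constructed traffic.  The deadline/rate
rule mirrors Apache mod_reqtimeout's `header=20-40,MinRate=500`.  Addresses,
thresholds and byte strings are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Conn:
    ip: str
    opened: float
    deadline: float            # absolute time by which the headers must be complete
    buf: bytearray = field(default_factory=bytearray)
    headers_done: bool = False


class SlowlorisGuard:
    def __init__(self, max_conn_per_ip=10, header_timeout=20.0,
                 header_timeout_max=40.0, min_rate=500):
        self.max_conn_per_ip = max_conn_per_ip
        self.header_timeout = header_timeout
        self.header_timeout_max = header_timeout_max
        self.min_rate = min_rate          # bytes that buy one more second
        self.conns = {}                   # cid -> Conn
        self.per_ip = defaultdict(int)
        self.next_cid = 0
        self.dropped = []                 # (cid, ip, reason)

    def connect(self, ip, now):
        """Accept a new TCP connection unless this source already holds the cap."""
        if self.per_ip[ip] >= self.max_conn_per_ip:
            self.dropped.append((None, ip, "per-ip-limit"))
            return None
        cid, self.next_cid = self.next_cid, self.next_cid + 1
        self.conns[cid] = Conn(ip, now, now + self.header_timeout)
        self.per_ip[ip] += 1
        return cid

    def receive(self, cid, data, now):
        """Feed request bytes; each byte extends the deadline by 1/min_rate seconds,
        up to the hard ceiling, so a trickle of tiny headers buys almost nothing."""
        c = self.conns.get(cid)
        if c is None or c.headers_done:
            return
        if now > c.deadline:
            self._drop(cid, "header-timeout")
            return
        c.buf += data
        c.deadline = min(c.deadline + len(data) / self.min_rate,
                         c.opened + self.header_timeout_max)
        if b"\r\n\r\n" in c.buf:          # blank line terminates the header block
            c.headers_done = True

    def tick(self, now):
        """Periodic reaper: close every connection still short of its headers."""
        for cid, c in list(self.conns.items()):
            if not c.headers_done and now > c.deadline:
                self._drop(cid, "header-timeout")

    def _drop(self, cid, reason):
        c = self.conns.pop(cid)
        self.per_ip[c.ip] -= 1
        self.dropped.append((cid, c.ip, reason))

    def open_count(self, ip):
        return sum(1 for c in self.conns.values() if c.ip == ip)

    def drops_by_reason(self, reason):
        return sum(1 for _, _, r in self.dropped if r == reason)


def simulate():
    """Constructed traffic: one fast client, one slow honest client, one attacker."""
    g = SlowlorisGuard(max_conn_per_ip=10)
    fast = g.connect("203.0.113.5", 0.0)
    g.receive(fast, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n", 0.1)

    slow = g.connect("192.0.2.7", 0.0)          # bad link: 2500-byte chunks every 5 s
    attackers = [g.connect("198.51.100.9", 0.0) for _ in range(12)]
    accepted = [cid for cid in attackers if cid is not None]

    chunk = b"Cookie: " + b"a" * 2490 + b"\r\n"  # 2500 bytes, keeps the deadline moving
    for t in range(5, 65, 5):
        now = float(t)
        g.tick(now)
        if t <= 25:                             # slow client finishes its headers at t=25
            g.receive(slow, chunk + (b"\r\n" if t == 25 else b""), now)
        if t % 10 == 0:                         # Slowloris: one bogus header line per 10 s
            for cid in accepted:
                g.receive(cid, b"X-a: b\r\n", now)
    return g, fast, slow, accepted


if __name__ == "__main__":
    guard, fast, slow, accepted = simulate()
    print("attacker connections accepted:", len(accepted))
    print("rejected by per-IP cap:", guard.drops_by_reason("per-ip-limit"))
    print("killed by header deadline:", guard.drops_by_reason("header-timeout"))
    print("attacker still connected:", guard.open_count("198.51.100.9"))
    print("honest clients connected:",
          guard.open_count("203.0.113.5") + guard.open_count("192.0.2.7"))
```

With these settings the cap refuses two of the attacker's twelve sockets outright, the ten that are accepted are reaped at the 25-second tick because an 8-byte header line every 10 seconds extends the deadline by only 16 milliseconds, and both honest clients keep their connections. The same three knobs map onto real configuration: the per-IP cap onto mod_limitipconn or mod_qos, the header deadline and rate onto mod_reqtimeout.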
Countermeasures (cont'd)
• HTTPReady: an accept filter that keeps a connection in the kernel until a complete request has arrived; it only buffers GET and HEAD, so Slowloris sidesteps it by sending POST requests
• Apache Modules
  – mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, mod_antiloris (and mod_reqtimeout, shipped with Apache 2.2.15 and later, which enforces header and body read timeouts with a minimum data rate)
• Reverse Proxies (an event-driven proxy absorbs the slow connections before they reach the thread-per-connection server)
• Firewall
• Load Balancers
• CloudFlare
End Note
• Security is more than patching your machine
  – Configuration is equally important: every attack shown today works against fully patched software that is wired up or tuned carelessly
• Be proactive in looking for vulnerabilities