Stopping SQL Injection and Crossing Over Cross-site Scripting
Track: Operating Systems Security - Are we there yet?
Manoranjan (Mano) Paul
CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT
Common Attacks and Defenses
From 2003 …
Source: Burton Group Research, Securing the Web Infrastructure: Safeguarding Business Assets and Services, v1.0, 21 November 2003. Author: Phil Schacter
SQL Injection and Cross-site Scripting (XSS)
– Two of the most prevalent application attacks in this day and age
– Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer limited to no protection against such attacks
– Allows one to open the safe inside the house from the outside
– CIA Impact
  • Disclosure of sensitive information (Confidentiality)
    – Authentication / System / User
  • Modification of data (Integrity)
  • Denial of Service - URL redirection / website defacement (Availability)
– Can be controlled/mitigated with a little effort and standardized security practices
SQL Injection – Anatomy
What is it?
– SQL Injection is only one of the many types of injection attacks
– SQL Injection is a form of attack on a database-driven Web site
– Attacker executes unauthorized SQL commands by taking advantage of insecure code on a system, bypassing even deeply nested firewall environments.
How does it Work?
– Programmer expects the user to supply an Email Address and Password, and builds the query by string concatenation:
string _sCmdText = "SELECT * FROM USERS WHERE user_login = '" + txtEmailAddress.Text + "' AND user_pwd = '" + txtPassword.Text + "'";
– Attacker supplies as the email address: ' Or 1=1 --
string _sCmdText = "SELECT * FROM USERS WHERE user_login = '" + "' Or 1=1 --" + "' AND user_pwd = '" + txtPassword.Text + "'";
Resulting in the following valid SQL syntax to execute (everything after -- is a comment, so the password check is discarded):
SELECT * FROM USERS WHERE user_login = '' Or 1 = 1 --
What can you do with SQL Injection?
• Bypass Authentication
• Discover Databases (Schemas, Users, Columns, Values)
• Data Disclosure
• From the Database to the Network
DEMONSTRATION
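As an added example (not from the slides), the same concatenated login query and its parameterized replacement in Python, run against a constructed in-memory SQLite table: the ' Or 1=1 -- input returns a row from the concatenated version and nothing from the parameterized one. Table contents and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slide's USERS table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (user_login TEXT, user_pwd TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice@example.com', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, email, password):
    """The slide's vulnerable pattern: user input pasted into the SQL text.
    A quote in the input ends the string literal and -- comments out the rest,
    so the password comparison never runs."""
    sql = ("SELECT * FROM USERS WHERE user_login = '" + email
           + "' AND user_pwd = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, email, password):
    """Parameterized query: the SQL text is fixed and the driver binds the
    values separately, so a quote in the input is data, never syntax."""
    sql = "SELECT * FROM USERS WHERE user_login = ? AND user_pwd = ?"
    return conn.execute(sql, (email, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, "' Or 1=1 --", "anything"))
    print("parameterized:", login_param(db, "' Or 1=1 --", "anything"))
```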
Cross-site Scripting (XSS) - Anatomy
What is it?
– Essentially a code injection attack into the various interpreters in the browser using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages
– An attack on the privacy of clients of a particular web site
– Involves 3 parties – attacker, a client and the vulnerable website
– Goal – steal or manipulate customer data
How does it Work?
– Attacker executes code on client (customer) that appears to come from reputable source (e.g., burtongroup.com)
– Attacker attempts to steal account information from customer
– Attacker may attempt to use client data to compromise web site
What can you do with XSS?
• Steal Authentication Information and Account hijacking
• Changing of user settings
• Cookie theft/poisoning
• Denial of Service - Website Defacement
• Phishing (Pharming and Phear) – embedded links
• Identity Theft! (Impersonation)
DEMONSTRATION
Ah, but nobody codes like that anymore!
• Legacy Applications in Production
• Research Findings
• Globalization and Perimeter-less Security
Defenses – So what should we do?
Common to SQL Injection and Cross-site Scripting:
  Policy, Standards and Best Practices (Coding Standards …)
  Security Development Life Cycle
  Awareness, Training and Education
  Input Validation, Error Handling, Least Privilege
SQL Injection:
  Escape Sequences
  Quoting Quotes
  Avoid Dynamic SQL
  Parameterized Queries
  Remove Unused Functions
Cross-site Scripting:
  Encode
  Disable Active Scripting
  Use Non-HTML Properties
Defending against SQL Injection
• Validate (filter) all input (consider RegEx)
• Standardize Input Validation Mechanism (length, type, pattern, rules)
• Display generic error messages and redirect to generic error page
• Always encode input
• Escape sequences
• Quoting Quotes – Replace single quotes (') with double quotes (")
• Remove unused Functions/Stored Procedures
• Avoid dynamic SQL and use parameterized queries for user input
• Stored Procedures != Secure
• Run with least privilege
Defending against Cross-site Scripting (XSS)
• Validate (filter) all input (consider RegEx)
• Standardize Input Validation Mechanism (length, type, pattern, rules)
• Enable request validation
• Always encode output
• Set appropriate character encoding (ISO-8859-1)
• Beware of UTF-8 Unicode and Long UTF-8 Unicode
  • Unicode must also be sanitized
  • <SCRIPT> = <SCRIPT>
• Beware of Hex encoding
  • script = script
• Use innerText property instead of innerHtml property for HTML controls
• Configure browser to disallow active scripting
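As an added Python example (not from the slides) for the encoding points above: a blacklist input filter that looks for the literal tag is bypassed by its hex (URL) encoded form, canonicalizing the input before filtering restores the check, and encoding the output neutralizes the tag whatever the filter did. The function names and sample strings are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample inputs: the plain payload and the same payload hex-encoded.
PLAIN = "<script>alert(1)</script>"
HEX_ENCODED = "%3Cscript%3Ealert(1)%3C/script%3E"


def blacklist_filter(value):
    """Naive input filter: rejects only the literal tag, so encoded forms pass."""
    return "<script" not in value.lower()


def canonicalize(value):
    """Decode URL/hex encoding until the value stops changing, so the filter
    and the encoder see the same characters the browser will end up with."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def render_unsafe(name):
    """Reflects the (decoded) value raw into the page: the vulnerable pattern."""
    return "<p>Hello, " + canonicalize(name) + "</p>"


def render_safe(name):
    """Always encode output: <, >, &, and quotes become entities, so the browser
    displays the text instead of interpreting it as markup."""
    return "<p>Hello, " + html.escape(canonicalize(name), quote=True) + "</p>"


if __name__ == "__main__":
    print("filter passes hex form:", blacklist_filter(HEX_ENCODED))
    print("filter after canonicalize:", blacklist_filter(canonicalize(HEX_ENCODED)))
    print(render_unsafe(HEX_ENCODED))
    print(render_safe(HEX_ENCODED))
```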
Conclusion
– SQL Injection and Cross-site Scripting - Two of the most prevalent application attacks in this day and age – 2 security Catalysts
– Need to know how they work and the impact before you can defend against them
– Can be controlled/mitigated with a little effort and standardized security practices
Operating Systems Security – Are we there Yet? Is your SAFE locked and secure?
References
• Burton Group Research: "Securing the Web Infrastructure: Safeguarding Business Assets and Services", v1.0, 21 November 2003. Author: Phil Schacter
• Victor Chapela: "Advanced SQL Injection" http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
• Chris Anley: "Advanced SQL Injection In SQL Server Applications" http://www.nextgenss.com/papers/advanced_sql_injection.pdf
• Chris Anley: "More Advanced SQL Injection" http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
• OWASP – Cross site scripting http://www.owasp.org/index.php/Cross_Site_Scripting
• OWASP – Testing for XSS http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
Q&A
UPDATE
Following the Catalyst EU conference, Mano Paul left Dell Inc. and founded SecuRisk Solutions - a security training, product development and consulting company. http://www.securisksolutions.com
Manoranjan (Mano) Paul
CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT