Stopping SQL Injection and Crossing Over Cross-site Scripting

Track: Operating Systems Security - Are we there yet?

Manoranjan (Mano) Paul

CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT

Catalyst(s) – SQL Injection and (XSS)!

• SQL Injection

• Cross-site Scripting

2 Security Catalysts

Common Attacks and Defenses

From 2003 …

Source: BurtonGroup Research - Securing the Web Infrastructure: Safeguarding Business Assets and Services, v1.0, 21 November 2003. Author: Phil Schacter

To 2006 – Top 10 Web Application Vulnerabilities

Source: MITRE Data - OWASP Top 10 2007

SQL Injection and Cross-site Scripting (XSS)

–Two of the most prevalent application attacks in this day and age

–Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer limited to no protection against such attacks

– Allows one to open the safe inside the house from the outside

– CIA Impact

• Disclosure of sensitive information (Confidentiality)

– Authentication / System / User

• Modification of data (Integrity)

• Denial of Service - URL redirection / website defacement (Availability)

–Can be controlled/mitigated with a little effort and standardized security practices

What is it?

– SQL Injection is only one of the many types of injection attacks

– SQL Injection is a form of attack on a database-driven Web site

– Attacker executes unauthorized SQL commands by taking advantage of insecure code on a system, bypassing even deeply nested firewall environments.

SQL Injection – Anatomy

How does it Work?

– Programmer expects the user to supply an Email Address and Password

string _sCmdText = "SELECT * FROM USERS WHERE user_login = '" + txtEmailAddress.Text + "' AND user_pwd = '" + txtPassword.Text + "'";

– Attacker supplies: ' Or 1=1 --

string _sCmdText = "SELECT * FROM USERS WHERE user_login = '" + "' Or 1=1 --" + "' AND user_pwd = '" + txtPassword.Text + "'";

Resulting in the following valid SQL syntax to execute (everything after the -- is a comment and is ignored by the database)

SELECT * FROM USERS WHERE user_login = '' Or 1 = 1 --

What can you do with SQL Injection?

• Bypass Authentication

• Discover Databases (Schemas, Users, Columns, Values)

• Data Disclosure

• From the Database to the Network

DEMONSTRATION

Cross-site Scripting (XSS) - Anatomy

What is it?

– It is essentially a code injection attack against the various interpreters in the browser, using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages

– It is an attack on the privacy of the clients of a particular web site

– Involves 3 parties: the attacker, a client and the vulnerable website

– Goal – steal or manipulate customer data

How does it Work?

– Attacker executes code on the client (customer) that appears to come from a reputable source (e.g., burtongroup.com)

– Attacker attempts to steal account information from customer

– Attacker may attempt to use client data to compromise web site

What can you do with XSS?

• Steal Authentication Information and Account hijacking

• Changing of user settings

• Cookie theft/poisoning

• Denial of Service - Website Defacement

• Phishing (Pharming and Phear) – embedded links

• Identity Theft! (Impersonation)

DEMONSTRATION

Ah, but nobody codes like that anymore!

• Legacy Applications in Production

• Research Findings

• Globalization and Perimeter-less Security

Defenses – So what should we do?

SQL Injection / Cross-site Scripting

Policy, Standards and Best Practices (Coding Standards …)

Security Development Life Cycle

Awareness, Training and Education

Input Validation

Error Handling

Least Privilege

Encode

Parameterized Queries

Escape Sequences

Quoting Quotes

Avoid Dynamic SQL

Remove Unused Functions

Disable Active Scripting

Use Non-HTML Properties

Defending against SQL Injection

• Validate (filter) all input (consider RegEx)

• Standardize Input Validation Mechanism (length, type, pattern, rules)

• Display generic error messages and redirect to a generic error page

• Always encode input

• Escape sequences

• Quoting Quotes – Replace single quotes (') with double quotes (")

• Remove unused Functions/Stored Procedures

• Avoid dynamic SQL and use parameterized queries for user input

• Stored Procedures != Secure

• Run with least privilege
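As an added example (not from the talk's slides or demo), the Python below runs the slide's ' Or 1=1 -- input through the concatenated query from the anatomy slide and through its parameterized replacement, against a constructed in-memory SQLite USERS table; the sample rows and the two-column layout are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data mirroring the USERS table named on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (user_login TEXT, user_pwd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("alice@example.com", "s3cret"),
                      ("bob@example.com", "hunter2")])
    return conn

def build_concat_sql(email, pwd):
    """The slide's pattern: user input glued straight into the SQL text."""
    return ("SELECT * FROM USERS WHERE user_login = '" + email +
            "' AND user_pwd = '" + pwd + "'")

def login_concat(conn, email, pwd):
    """Vulnerable: the quote closes the literal and -- comments out the rest,
    so the password check never reaches the database."""
    return conn.execute(build_concat_sql(email, pwd)).fetchall()

def login_param(conn, email, pwd):
    """Hardened: placeholders keep the input as data; the same string is now
    just an (unmatched) login value and returns no rows."""
    sql = "SELECT * FROM USERS WHERE user_login = ? AND user_pwd = ?"
    return conn.execute(sql, (email, pwd)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' Or 1=1 --"
    print(build_concat_sql(payload, "anything"))
    print("concatenated rows:", len(login_concat(db, payload, "anything")))
    print("parameterized rows:", len(login_param(db, payload, "anything")))
```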

Defending against Cross-site Scripting (XSS)

• Validate (filter) all input (consider RegEx)

• Standardize Input Validation Mechanism (length, type, pattern, rules)

• Enable request validation

• Always encode output

• Set appropriate character encoding (ISO-8859-1)

• Beware of UTF-8 Unicode and Long UTF-8 Unicode

  • Unicode must also be sanitized

  • &#60;&#83;&#67;&#82;&#73;&#80;&#84;&#62; = <SCRIPT>

• Beware of Hex encoding

  • &#x73;&#x63;&#x72;&#x69;&#x70;&#x74; = script

• Use the innerText property instead of the innerHTML property for HTML controls

• Configure browser to disallow active scripting
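As an added example (not part of the talk), the Python below shows why the decimal and hex character references on this slide slip past a naive tag filter, how decoding references before the check closes that gap, how output encoding turns the text into data, and how strict UTF-8 decoding rejects an overlong sequence; all sample strings are constructed.

```python
import html

# Constructed inputs: a plain tag, the slide's decimal form, and a hex form.
SAMPLES = {
    "plain":   "<SCRIPT>alert(1)</SCRIPT>",
    "decimal": "&#60;&#83;&#67;&#82;&#73;&#80;&#84;&#62;alert(1)",
    "hex":     "&#60;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#62;alert(1)",
}

def naive_detects_script(s):
    """Weak check: looks for the literal tag; entity-encoded forms pass."""
    return "<script" in s.lower()

def canonicalize(s, rounds=3):
    """Decode character references until the text stops changing, so the
    check sees the same characters the browser's HTML parser will."""
    for _ in range(rounds):
        decoded = html.unescape(s)
        if decoded == s:
            break
        s = decoded
    return s

def detects_script(s):
    """Same check as above, but on the canonical form."""
    return "<script" in canonicalize(s).lower()

def encode_for_html(s):
    """Output encoding: <, >, &, quotes become references and render as text."""
    return html.escape(s, quote=True)

def decode_utf8_strict(raw):
    """Reject malformed or overlong UTF-8 (e.g. C0 BC for '<') instead of
    guessing at a character; returns None when the bytes are invalid."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(name, naive_detects_script(s), detects_script(s), encode_for_html(s))
    print(decode_utf8_strict(b"\xc0\xbc"))
```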

Conclusion

– SQL Injection and Cross-site Scripting - Two of the most prevalent application attacks in this day and age – 2 security Catalysts

– Need to know how they work and their impact before you can defend against them

– Can be controlled/mitigated with a little effort and standardized security practices

Operating Systems Security – Are we there Yet?

Is your SAFE locked and secure?

References

• BurtonGroup Research - Securing the Web Infrastructure: Safeguarding Business Assets and Services, v1.0, 21 November 2003. Author: Phil Schacter

• Victor Chapela: "Advanced SQL Injection" http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

• Chris Anley: "Advanced SQL Injection In SQL Server Applications" http://www.nextgenss.com/papers/advanced_sql_injection.pdf

• Chris Anley: "More Advanced SQL Injection" http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

• OWASP – Cross site scripting http://www.owasp.org/index.php/Cross_Site_Scripting

• OWASP – Testing for XSS http://www.owasp.org/index.php/Testing_for_Cross_site_scripting

Q&A


UPDATE

Following the Catalyst EU conference, Mano Paul left Dell Inc. and founded SecuRisk Solutions - a security training, product development and consulting company. http://www.securisksolutions.com

Manoranjan (Mano) Paul

CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT