Edgis Workshop SQL Injection & DoS
Emil Tan
&
Han
http://edgis-security.org
September, 2011
Agenda
• SQL Injection
– Demonstrations
– Countermeasures
• What is DoS?
– Demonstrations
– Countermeasures
SQL Interface
http://edgis-security.org/
INSERT INTO CreditRecords (Name, CardNum) VALUES ('" & Request.Form("Username") & "', '" & Request.Form("CreditCard") & "')
INSERT INTO CreditRecords (Name, CardNum) VALUES ('Alice', '123-456-789')
SQL Injection
INSERT INTO CreditRecords (Name, CardNum) VALUES ('Eve', '1'); EXEC xp_cmdshell 'del *.*' -- ')
SQL Injection (cont’d)
Exploit of a Mom http://xkcd.com/327/
Information Leakage
• Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x1A2B3C4D) [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' and password = ", /login.asp, line 30
• Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x1A2B3C4D) [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' and password = '123"', /login.asp, line 30
• Lesson: validate user strings, and handle errors without echoing the database's error text (query fragments, file names, line numbers) back to the client
Information Leakage (cont’d)
• UNION Poisoning
SELECT * FROM records WHERE user='[user input]' union all select name, xtype, 0, 0 from sysobjects --
SELECT * FROM records WHERE user='[user input]' union all select <column> from <schema.columns>, 0, 0, 0 --
SQL Injection (Demonstration)
• OWASP Insecure Web App Project
Countermeasures
• Validate, Validate, Validate
– Client-Side, Server-Side
• Prepared Statement
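Worked example of the two countermeasures above, added here and not part of the workshop's own material: the CreditRecords INSERT from the slides rebuilt in Python, with the standard-library sqlite3 module standing in for classic ASP and SQL Server (table layout, function names and the sample values are constructed for the demo). It shows the concatenated statement breaking on a legitimate apostrophe, the prepared statement storing the same value and treating the slide's UNION payload as a plain string, and an error handler that keeps driver messages in the server log instead of the HTTP response.

```python
import logging
import sqlite3

# Added example (not from the slides): the CreditRecords INSERT from the
# workshop rebuilt in Python with sqlite3 standing in for classic ASP and
# SQL Server. The table layout is constructed for the demo.


def make_db():
    """Create an in-memory database with a constructed CreditRecords table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CreditRecords (Name TEXT NOT NULL, CardNum TEXT NOT NULL)"
    )
    conn.commit()
    return conn


def insert_concatenated(conn, name, card):
    """Vulnerable pattern from the slide: the statement is glued together from
    the form fields, so a quote in the input is parsed as part of the SQL."""
    sql = ("INSERT INTO CreditRecords (Name, CardNum) VALUES ('"
           + name + "', '" + card + "')")
    conn.execute(sql)
    conn.commit()


def insert_prepared(conn, name, card):
    """Countermeasure: prepared statement. The SQL text is fixed and the
    values travel separately, so they are never parsed as SQL."""
    conn.execute("INSERT INTO CreditRecords (Name, CardNum) VALUES (?, ?)",
                 (name, card))
    conn.commit()


def find_by_name(conn, name):
    """Parameterized lookup: whatever is in `name` is compared as a literal."""
    cur = conn.execute("SELECT Name, CardNum FROM CreditRecords WHERE Name = ?",
                       (name,))
    return cur.fetchall()


def safe_insert(conn, name, card):
    """Error handling that does not leak database internals: the driver's
    message goes to the server log, the client gets a generic reply."""
    try:
        insert_prepared(conn, name, card)
        return "ok"
    except sqlite3.Error as exc:
        logging.getLogger("app").error("insert failed: %s", exc)
        return "request could not be processed"


def demo():
    """Run the scenarios and return their outcomes."""
    conn = make_db()
    out = {}
    # A legitimate name containing an apostrophe breaks the concatenated
    # query: the same class of error the slides show being echoed to the client.
    try:
        insert_concatenated(conn, "O'Brien", "123-456-789")
        out["concat_error"] = None
    except sqlite3.OperationalError as exc:
        out["concat_error"] = str(exc)
    # The prepared statement stores the same value unchanged.
    insert_prepared(conn, "O'Brien", "123-456-789")
    out["prepared_rows"] = find_by_name(conn, "O'Brien")
    # The slide's UNION payload, bound as a parameter, matches no row.
    payload = "Alice' union all select name, xtype, 0, 0 from sysobjects --"
    out["union_rows"] = find_by_name(conn, payload)
    # A genuine failure (NOT NULL violated) reaches the client only as a generic message.
    out["client_msg"] = safe_insert(conn, "Bob", None)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the apostrophe case is that parameterization is not only an injection fix: it is also what makes ordinary names with quotes work at all, which is why the "validate" and "prepared statement" bullets go together rather than one replacing the other.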
Denial-of-Service
• Confidentiality, Integrity, Availability
• Classic Examples
– Ping of Death
– SYN Flood Attack
– LAND Attack
– Tear Drop Attack
– Smurf Attack
• Distributed Denial-of-Service (DDoS)
Slowloris
• Written by Robert "RSnake" Hansen
• Notable Use
– Iran Presidential Election 2009
– Th3j35t3r against WikiLeaks & Terrorist Web Sites
• How it Works?
– Hold connections open by sending partial HTTP requests
– Send subsequent headers at regular intervals to keep the sockets from closing
– Full TCP connection but partial HTTP request (SYN flood over HTTP)
Slowloris (cont’d)
• Awesomeness
– Attack amplifies on multi-threaded Web servers
– No logs will be written until request is completed
– “HTTP 400: Bad Request Error” message will be logged after the attack stops
– Web service will resume once attack is terminated
LOIC (Low Orbit Ion Cannon)
• Written by Praetox Technologies
• Notable Use
– 4Chan organized “refresh” attacks
– DoS Scientology
– #OpPayback
• How it Works?
– Overwhelm server with TCP, UDP, & HTTP
– HiveMind Mode (i.e. DDoS Mode)
Demonstrations
• Slowloris
• LOIC
Countermeasures
• Increase the maximum number of clients the web server allows
• Limit the number of connections a single IP address is allowed to make
• Impose a minimum transfer speed that a connection must sustain
• Restrict the length of time a client is allowed to stay connected
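To make the last three rules concrete, here is a toy connection-reaping policy, added as an example and not drawn from the workshop or from any web server's code. It models a server's table of open connections (a constructed dataclass), applies a per-address cap, a minimum transfer rate and a maximum time for an incomplete request, and reports which connections get closed and why. The thresholds are invented for the demo, not values the slides recommend.

```python
from dataclasses import dataclass

# Added example (not from the slides): a toy connection-reaping policy that
# applies three of the countermeasures listed above. Thresholds are
# constructed for the demo, not recommendations from the workshop.


@dataclass
class Conn:
    ip: str
    age_s: float        # seconds since the TCP connection was accepted
    bytes_rcvd: int     # request bytes received so far
    request_done: bool  # True once a complete HTTP request has arrived


LIMITS = {
    "max_conns_per_ip": 10,  # connections one address may hold open
    "min_rate_bps": 32,      # bytes per second a pending request must sustain
    "rate_grace_s": 5,       # do not judge the rate before this many seconds
    "max_age_s": 30,         # longest an incomplete request may stay connected
}


def evict(conns, limits=LIMITS):
    """Return (connection, reason) pairs for connections the server should close."""
    decisions = {}  # index into conns -> reason
    per_ip = {}
    for i, c in enumerate(conns):
        per_ip.setdefault(c.ip, []).append(i)
    # Per-address cap: keep the oldest connections, drop the newest beyond the cap.
    for idxs in per_ip.values():
        idxs.sort(key=lambda i: conns[i].age_s, reverse=True)
        for i in idxs[limits["max_conns_per_ip"]:]:
            decisions[i] = "per-ip connection limit"
    # Time and rate limits apply only to connections still waiting for a full request.
    for i, c in enumerate(conns):
        if i in decisions or c.request_done:
            continue
        if c.age_s > limits["max_age_s"]:
            decisions[i] = "request not completed in time"
        elif (c.age_s >= limits["rate_grace_s"]
              and c.bytes_rcvd / c.age_s < limits["min_rate_bps"]):
            decisions[i] = "transfer rate below minimum"
    return [(conns[i], reason) for i, reason in sorted(decisions.items())]


def summarize(conns, limits=LIMITS):
    """Count closed connections by reason."""
    counts = {}
    for _, reason in evict(conns, limits):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def sample_connections():
    """Constructed connection table: one finished client, one slow-but-young
    client, one client below the rate floor, and twelve Slowloris-style
    connections from a single address that have sent only partial headers."""
    conns = [
        Conn("10.0.0.5", 2.0, 400, True),
        Conn("10.0.0.7", 3.0, 60, False),
        Conn("10.0.0.8", 10.0, 50, False),
    ]
    conns += [Conn("203.0.113.9", 40.0, 120, False) for _ in range(12)]
    return conns


if __name__ == "__main__":
    for conn, reason in evict(sample_connections()):
        print(conn.ip, reason)
```

Two design points carry over to real servers: the rate check needs a grace period, otherwise every freshly accepted connection looks "too slow" in its first second; and the per-address cap alone does not stop a Slowloris client that stays under it, which is why the time limit on incomplete requests is the rule that actually clears the twelve slow connections in the sample.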
Countermeasures (cont’d)
• HTTPReady
• Apache Modules
– mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, mod_antiloris
• Reverse Proxies
• Firewall
• Load Balancers
• Cloudflare
End Note
• Security is more than patching your machine
– Configuration is equally important
• Be proactive in looking for vulnerabilities