Stanford CS 155 - Secure Web Site Design
Secure Web Site Design
CS 155, Spring 2009
John Mitchell

Schematic web site architecture
[Diagram: Firewall, Application Firewall (WAF), Load Balancer, web servers WS1/WS2/WS3, Firewall, App Servers, DB, IDS; Authorization products: Netegrity (CA), Oblix (Oracle)]

Web application code
- Runs on web server or app server
- Takes input from web users (via web server)
- Interacts with the database and 3rd parties
- Prepares results for users (via web server)
Examples: shopping carts, home banking, bill pay, tax prep, ...
- New code written for every web site
- Written in: C, PHP, Perl, Python, JSP, ASP, ...
- Often written with little consideration for security

Common vulnerabilities (SANS Top 10)
- SQL Injection: browser sends malicious input to server; bad input checking leads to malicious SQL query
- XSS (Cross-site scripting): bad web site sends innocent victim a script that steals information from an honest web site
- CSRF (Cross-site request forgery): bad web site sends request to good web site, using credentials of an innocent victim who "visits" site
- Other problems: HTTP response splitting, site redirects, ...

SQL Injection
(with slides from Neil Daswani)

Dynamic Web Application
[Diagram: Browser sends "GET / HTTP/1.0" to the web server (index.php), which queries the database server and answers "HTTP/1.1 200 OK"]

PHP: Hypertext Preprocessor
- Server scripting language with C-like syntax
- Can intermingle static HTML and code:
    <input value=<?php echo $myvalue; ?>>
- Can embed variables in double-quote strings:
    $user = "world"; echo "Hello $user!";
  or
    $user = "world"; echo "Hello" . $user . "!";
- Form data in global arrays $_GET, $_POST, ...

SQL
- Widely used database query language
- Fetch a set of records:
    SELECT * FROM Person WHERE Username='grader'
- Add data to the table:
    INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)
- Modify data:
    UPDATE Person SET Zoobars=42 WHERE PersonID=5
- Query syntax (mostly) independent of vendor

Example
Sample PHP:
    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
Problem: what if 'recipient' is a malicious string that changes the meaning of the query?

Basic picture: SQL Injection
[Diagram: (1) attacker sends input to victim server; (2) server issues an unintended query to the victim SQL DB; (3) attacker receives valuable data]

CardSystems Attack
- CardSystems: credit card payment processing company
- SQL injection attack in June 2005 put company out of business
The Attack
- 263,000 credit card #s stolen from database
- Credit card #s stored unencrypted
- 43 million credit card #s exposed

April 2008 SQL Vulnerabilities
Main steps in this attack:
(1) Use Google to find sites using a particular ASP style vulnerable to SQL injection
(2) Use SQL injection on these sites to modify the page to include a link to a Chinese site, nihaorr1.com (don't visit this site yourself!)
(3) The site (nihaorr1.com) serves JavaScript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger
- Steps (1) and (2) are automated in a tool that can be configured to inject whatever you like into vulnerable sites
- There is some evidence that hackers may get paid for each visit to nihaorr1.com

Part of the SQL attack string
    DECLARE @T varchar(255),@C varchar(255)
    DECLARE Table_Cursor CURSOR FOR
      select a.name,b.name from sysobjects a,syscolumns b
      where a.id=b.id and a.xtype='u'
        and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0) BEGIN
      exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'' ''')
      FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor;
As it travels in the request, URL-encoded (the argument of CAST is left out on the slide):
    DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(%20AS%20NVARCHAR(4000));EXEC(@S);--

SQL Injection Examples: Type 1 Attack Example
[Diagram: Web Browser (Client) enters username & password; Web Server sends the query below to the DB, which returns the password]
    SELECT passwd FROM USERS WHERE uname IS '$username'
Attacker will modify the input.

Attacker Modifies Input
[Diagram: same flow, but the malicious input turns the query into:]
    SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; -- '
Eliminates all user accounts.

What is SQL Injection?
- Input validation vulnerability: untrusted user input in a SQL query sent to the back-end database without sanitizing the data
- Specific case of more general command injection: inserting untrusted input into a query or command
Why is this bad?
- Data can be misinterpreted as a command
- Can alter the intended effect of the command or query

SQL Injection Examples
View pizza order history:
    <br><form method="post" action="...">
    Month
    <select><option name="month" value="1">Jan</option>
    ...
    <option name="month" value="12">Dec</option></select>
    Year
    <p><input type=submit name=submit value=View></form>
Attacker can post a form that is not generated by this page.

SQL Injection Examples: Type 2 Attack
Normal SQL query:
    SELECT pizza, toppings, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=10
For the order_month parameter, attacker could input:
    0 OR 1=1
Malicious query:
    ... WHERE userid=4123 AND order_month=0 OR 1=1
WHERE condition is always true! Gives attacker access to other users' private data.
All user data compromised.

SQL Injection Examples
A more damaging breach of user privacy: for the order_month parameter, attacker could input
    0 AND 1=0
    UNION SELECT cardholder, number, exp_month, exp_year
    FROM creditcards
Attacker is able to combine the results of two queries: the empty table from the first query with the sensitive credit card info of all users from the second query.
Credit card info compromised.

More Attacks
- Create new users:
    '; INSERT INTO USERS ('uname','passwd','salt') VALUES ('hacker','38a74f', 3234);
- Password reset:
    '; UPDATE USERS SET [email protected] [email protected]
  (the addresses are elided in this preview)

Second-Order SQL Injection
- Attack where data stored in the database is later used to conduct SQL injection
- Example: this vulnerability could exist if string escaping is applied inconsistently
- Solution: treat ALL parameters as dangerous
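The Type 2 pizza-order query above, as an added example that is not from the lecture: it runs the slides' string-built query against an in-memory SQLite table of constructed rows, beside a parameter-bound version and a version that also validates the month (the table rows and the three function names are my own). With the input 0 OR 1=1 the concatenated query returns every user's orders, the bound query returns nothing, and the validating version rejects the input before it reaches the database.

```python
import sqlite3

# Constructed sample rows (not from the lecture) for the slides' orders table:
# (userid, pizza, toppings, quantity, order_day, order_month)
ORDERS = [
    (4123, "margherita", "basil", 1, 3, 10),
    (4123, "pepperoni", "extra cheese", 2, 21, 10),
    (4123, "hawaiian", "pineapple", 1, 2, 9),
    (7777, "veggie", "olives", 3, 14, 10),
    (8888, "calzone", "ham", 1, 30, 11),
]
SELECT = "SELECT pizza, toppings, quantity, order_day FROM orders "

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (userid INTEGER, pizza TEXT, toppings TEXT,"
               " quantity INTEGER, order_day INTEGER, order_month INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?)", ORDERS)
    return db

def history_vulnerable(db, userid, month):
    # Form value pasted into the SQL text, like the slide's $recipient example:
    # "0 OR 1=1" turns the WHERE clause into one that is always true.
    sql = SELECT + f"WHERE userid={userid} AND order_month={month}"
    return db.execute(sql).fetchall()

def history_bound(db, userid, month):
    # Parameter binding: the driver sends the input as a value, so the whole
    # string "0 OR 1=1" is compared against order_month and matches nothing.
    return db.execute(SELECT + "WHERE userid=? AND order_month=?",
                      (userid, month)).fetchall()

def history_safe(db, userid, month):
    # Treat every parameter as dangerous: validate type and range up front,
    # then bind. Rejecting early also gives a clean error to log and alert on.
    month_num = int(month)               # ValueError for "0 OR 1=1"
    if not 1 <= month_num <= 12:
        raise ValueError("month must be 1..12")
    return history_bound(db, userid, month_num)

def demo(month):
    db = make_db()
    try:
        safe = len(history_safe(db, 4123, month))
    except ValueError:
        safe = "rejected"
    return {"vulnerable": len(history_vulnerable(db, 4123, month)),
            "bound": len(history_bound(db, 4123, month)),
            "safe": safe}
```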