Web Attacks, cont'd
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 22, 2011

Announcements
• See "Still confused about question 4 submission format" thread in Piazza (@116)
• Guest lecture a week from Thursday (March 3rd), Prof. David Wagner
  – My office hours the week of March 7th will be by appointment
• I may move my office hours next Monday to 1-2PM - if so, will announce on Piazza
  – Let me know if this would be a hardship

Defending Against Command Injection
• In principle, can prevent injection attacks by properly sanitizing input sent to web servers
  – Remove or escape meta-characters
  – Easy to get wrong by overlooking a meta-character or escaping subtlety
• Better: avoid using a feature-rich API
  – KISS + defensive programming
  – E.g., use execve() to invoke a desired program, rather than system()

Command Injection in the Real World
[Two example slides; only the titles survived extraction.]

Structure of Modern Web Services
[Diagram, built up over four slides: Browser, Web server, Database server]
Browser → Web server: URL / Form, e.g. command.php?arg1=x&arg2=y
Web server → Database server: SQL query built from x and y
Database server → Web server: custom data corresponding to x & y
Web server → Browser: web page built using custom data

SQL
• Widely used database query language
• Fetch a set of records
    SELECT * FROM Person WHERE Username='oski'
• Add data to the table
    INSERT INTO Person (Username, Balance) VALUES ('oski', 10) -- oski has ten buckaroos
  (the "-- ..." part is an SQL comment)
• Modify data
    UPDATE Person SET Balance=42 WHERE Username='oski'
• Query syntax (mostly) independent of vendor

SQL Injection Scenario
• Suppose web server front end stores URL parameter "recipient" in variable $recipient and then builds up a string with the following SQL query:
    $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' ";
• Query accesses recipient's account if their balance is < 100.
• So for "?recipient=Bob" the SQL query is:
    "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='Bob' "
• How can recipient cause trouble here?
  – How can we see anyone's account?

SQL Injection Scenario, cont'd
    WHERE Balance < 100 AND Username='$recipient' "
• $recipient = foo' OR 1=1 --
    WHERE Balance < 100 AND Username='foo' OR 1=1 --' "
• Precedence & "--" (comment) makes this:
    WHERE (Balance < 100 AND Username='foo') OR 1=1
• Always true!

SQL Injection Scenario, cont'd
    WHERE Balance < 100 AND Username='$recipient' ";
• How about recipient = foo'; DROP TABLE Person; -- ?
• Now there are two separate SQL commands, thanks to ';' command-separator.
• Can change database however you wish

Defenses (work-in-progress)
Language support for constructing queries
Specify query structure independent of user input:

    ResultSet getProfile(Connection conn, int uid) throws SQLException {
        String query = "SELECT profile FROM Users WHERE uid = ?;";
        PreparedStatement p = conn.prepareStatement(query);
        p.setInt(1, uid);
        return p.executeQuery();
    }

Annotations, built up over successive slides:
• "Prepared Statement": conn.prepareStatement(query)
• Untrusted user input: uid
• Input is confined to a single SQL atom: the '?' placeholder
• p.setInt(1, uid) binds the value of uid to the '?' atom
• No matter what input user provides, Prepared Statement ensures it will be treated as a single SQL datum

Defenses
    <P>Hello ${username}! Welcome back.
• Template language ensures variable fully escaped

5 Minute Break
Questions Before We Proceed?

Basic Structure of Web Traffic
[HTTP request illustration; annotations:]
• Includes "resource" from URL
• Headers describing browser
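The execve()-over-system() advice from the command injection slides, as an added Python example (not code from the lecture): an untrusted value passed as one argv element reaches the child program verbatim and no shell parses it, whereas the system()-style string is split by the shell into several commands. The child program, the hypothetical `process_report` helper and the input value are constructed for illustration.

```python
"""Added example: execve-style argument vectors versus system()-style strings."""
import shlex
import subprocess
import sys

# Constructed untrusted input containing a shell meta-character (';').
UNTRUSTED_ARG = "report.txt; echo injected"


def run_with_argv(arg: str) -> str:
    """execve()-style invocation: program and each argument are separate argv
    elements and no shell is involved.  Returns what the child program
    actually received as argv[1]."""
    # A tiny Python child that echoes back its first argument stands in for
    # any helper program, so this runs offline wherever Python is installed.
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return result.stdout


def build_shell_string(arg: str) -> str:
    """system()-style: concatenate the input into one command line.
    Returned for inspection only; it is never handed to a shell here."""
    return "process_report " + arg  # 'process_report' is a hypothetical helper


def shell_would_see(command_line: str) -> list:
    """Tokenise a command line the way /bin/sh does (';', '|', '&', etc. are
    operators), showing how one intended command becomes several."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def escaped_shell_string(arg: str) -> str:
    """The 'escape meta-characters' alternative from the slides: shlex.quote
    wraps the input so the shell treats it as a single word.  Correct for
    POSIX sh, but the argv approach above needs no escaping to get right."""
    return "process_report " + shlex.quote(arg)
```

With the argv vector the child sees exactly `report.txt; echo injected`; tokenising the concatenated string shows the `;` becoming a command separator, which the quoted form prevents.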
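The slides' $sql query built both ways, as an added Python example (not the lecture's code): an in-memory SQLite database with constructed rows stands in for the Person table, the vulnerable version interpolates $recipient exactly as on the slide, and the prepared-statement version binds the recipient to a '?' the way the Java getProfile() does with uid.

```python
"""Added example: the lecture's recipient lookup, string-built vs. prepared."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample Person table (PersonID, Username, Balance)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, "
                 "Username TEXT, Balance INTEGER)")
    conn.executemany("INSERT INTO Person (PersonID, Username, Balance) "
                     "VALUES (?, ?, ?)",
                     [(1, "oski", 10), (2, "Bob", 50), (3, "Alice", 500)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, recipient: str) -> list:
    """String interpolation, as in the slide's $sql: the input can change the
    query's structure, e.g. "foo' OR 1=1 --" matches every row.
    (Python's sqlite3 execute() rejects a second statement after ';', so the
    DROP TABLE variant depends on the driver; the OR 1=1 one does not.)"""
    sql = ("SELECT PersonID FROM Person WHERE Balance < 100 "
           f"AND Username='{recipient}' ")
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, recipient: str) -> list:
    """Prepared statement: the query structure is fixed and '?' is bound to
    the value, so the entire input is compared as one SQL string atom."""
    sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username = ?"
    return [row[0] for row in conn.execute(sql, (recipient,))]
```

For `?recipient=Bob` both versions return Bob's PersonID; for `foo' OR 1=1 --` the interpolated query returns every account while the prepared one looks for a user literally named `foo' OR 1=1 --` and returns nothing.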