Attacking Applications: SQL Injection & Buffer Overflows.

Chapter 9: Attacking Applications: SQL Injection & Buffer Overflows

SQL Injection & Buffer Overflow (AKA: Code Injection)
Common issues:
• Both are used to attack applications
• Both are generally caused by programming flaws
• Both are usually delivered via a user input field
• Both are caused by invalid parameters (not verified)
Countermeasures for both:
• Utilize secure programming methods

SQL Injection
• Occurs when an app processes user-provided data to create an SQL statement without first validating the input.
• Read or modify a database by compromising the meaning of the original query
Results:
1. Attacker gets to remotely execute system commands, or
2. Attacker takes control of the database server

Finding a SQL Injection Vulnerability
1. Search for websites with a login page or other input or query fields
2. Test using single quotes
3. Use SELECT to retrieve data, or use an automated tool: Absinthe

How it works: (diagram not preserved in the extracted text)

Purpose of SQL Injection
• Identifying vulnerabilities
• Database finger-printing
• Determine database schema
• Extract / add / modify data
• Perform DoS
• Evade detection
• Bypass authentication
• Execute remote commands
• Perform privilege escalation
• Install malware

SQL Injection Countermeasures
• Practice defensive coding
• Change default admin login information
• Disable the default admin login account
• Validate / sanitize user input
• Use strong firewall rules
  • Block ports: 1434 (SQL & mysql); 1521-1530 (Oracle)
• Don't display error messages
• Remove stored procedures; use prepared statements instead
• Session encryption

SQL Injection Countermeasures (continued)
Use escape commands:
• escapeshellcmd(): decreases the risks involved in allowing user input to be passed to the shell
• escapeshellarg(): converts a scalar value into a single-quote-delimited string
• mysql_real_escape_string(): sanitizes data before sending it to MySQL

Buffer Overflows
How it works: (diagram not preserved in the extracted text)

Buffer Overflows
Types:
• Stack based: static locations for memory address space
• Heap based: dynamic memory address spaces
Countermeasures:
• IDS should look for NOP (No Operation) instructions
• Don't use C or C++ functions that don't provide argument checking (C & C++ leave data integrity checking to the programmer), e.g. strcpy(), strcat(), streadd()
• Use functions that check buffer size, e.g. strncpy()
• DO use: Java, Perl, or Lisp
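As an added illustration (not part of the slides), the SQL injection slides in Python with sqlite3: a login check that builds its statement from user input by string concatenation, beside the prepared-statement form the countermeasures slide recommends. The table, account, and inputs below are constructed for the example; the single-quote probe is the test the "Finding a SQL Injection Vulnerability" slide describes.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def vulnerable_login(conn, name, password):
    """Statement built by concatenation: user input becomes part of the SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    try:
        return conn.execute(query).fetchone()[0] > 0
    except sqlite3.OperationalError as err:
        # A lone single quote breaks the statement. An app that echoes this
        # message confirms the flaw to the user (hence "don't display errors").
        return "error: " + str(err)


def safe_login(conn, name, password):
    """Prepared statement: placeholders keep the input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "alice", "s3cret"))              # True
    print(vulnerable_login(db, "alice", "'"))                   # error: ...
    print(vulnerable_login(db, "' OR '1'='1", "' OR '1'='1"))   # True (bypass)
    print(safe_login(db, "' OR '1'='1", "' OR '1'='1"))         # False
    print(safe_login(db, "O'Brien", "x"))                       # False, no error
```

The concatenated query turns the quoted input into `name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; the parameterized query compares the same string literally and finds no such user.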