SQL injection attacks and defense [2nd ed.] 1597499633, 9781597499637, 9781597499736, 1597499730

SQL Injection Attacks and Defense, First Edition: Winner of the Best Book Bejtlich Read Award. SQL injection is probably


Language: English. Pages: 547 [576]. Year: 2012.


Table of contents:
SQL Injection Attacks and Defense......Page 3
Copyright ......Page 4
Acknowledgements......Page 5
Dedication......Page 7
Contributing Authors......Page 9
Lead Author and Technical Editor......Page 13
Table of Contents......Page 15
Introduction to the 2nd Edition......Page 27
Introduction......Page 29
Understanding How Web Applications Work......Page 30
A Simple Application Architecture......Page 31
A More Complex Architecture......Page 32
Understanding SQL Injection......Page 34
High-Profile Examples......Page 37
Dynamic String Building......Page 41
Incorrectly Handled Escape Characters......Page 42
Incorrectly Handled Types......Page 43
Incorrectly Handled Query Assembly......Page 45
Incorrectly Handled Errors......Page 46
Incorrectly Handled Multiple Submissions......Page 47
Insecure Database Configuration......Page 49
Summary......Page 51
Understanding How It Happens......Page 52
Frequently Asked Questions......Page 53
Finding SQL Injection......Page 55
Identifying Data Entry......Page 56
POST Requests......Page 57
Other Injectable Data......Page 59
Manipulating Parameters......Page 60
Information Workflow......Page 63
Database Errors......Page 64
Commonly Displayed SQL Errors......Page 65
Microsoft SQL Server Errors......Page 66
MySQL Errors......Page 70
Oracle Errors......Page 73
PostgreSQL Errors......Page 75
Generic Errors......Page 77
HTTP Code Errors......Page 80
Different Response Sizes......Page 81
Blind Injection Detection......Page 82
Differentiating Numbers and Strings......Page 86
Injecting Strings Inline......Page 87
Injecting Numeric Values Inline......Page 91
Database Comment Syntax......Page 93
Using Comments......Page 95
Executing Multiple Statements......Page 98
Time Delays......Page 102
Automating SQL Injection Discovery......Page 104
HP WebInspect......Page 105
IBM Rational AppScan......Page 107
HP Scrawlr......Page 108
SQLiX......Page 110
Paros Proxy/Zed Attack Proxy......Page 111
Finding SQL Injection......Page 113
Automating SQL Injection Discovery......Page 114
Frequently Asked Questions......Page 115
Reviewing Source Code for SQL Injection......Page 117
Dangerous Coding Behaviors......Page 120
Dangerous Functions......Page 127
Following Data in PHP......Page 132
Following Data in Java......Page 137
Following Data in C#......Page 138
Reviewing Android Application Code......Page 139
Reviewing PL/SQL and T-SQL Code......Page 146
Automated Source Code Review......Page 154
Graudit......Page 156
Pixy......Page 157
OWASP LAPSE+ Project......Page 158
Microsoft Code Analysis Tool .NET (CAT.NET)......Page 159
Teachable Static Analysis Workbench......Page 160
Commercial Source Code Review Tools......Page 161
Fortify Source Code Analyzer......Page 162
Klocwork Solo......Page 163
Reviewing Source Code for SQL Injection......Page 164
Frequently Asked Questions......Page 165
Introduction......Page 167
Understanding Common Exploit Techniques......Page 168
Exploiting Oracle from Web Applications......Page 170
Identifying the Database......Page 171
Non-Blind Fingerprint......Page 172
Banner Grabbing......Page 174
Blind Fingerprint......Page 177
Extracting Data through UNION Statements......Page 178
Matching Columns......Page 179
Matching Data Types......Page 181
Using Conditional Statements......Page 186
Approach 1: Time-Based......Page 187
Approach 2: Error-Based......Page 191
Working with Strings......Page 193
Extending the Attack......Page 195
Using Errors for SQL Injection......Page 196
Error Messages in Oracle......Page 198
Enumerating the Database Schema......Page 202
SQL Server......Page 203
MySQL......Page 206
PostgreSQL......Page 211
Oracle......Page 212
First Scenario: Inserting User Determined Data......Page 216
Second Scenario: Generating INSERT Errors......Page 219
Other Scenarios......Page 221
SQL Server......Page 222
Privilege Escalation on Unpatched Servers......Page 227
Oracle......Page 228
SYS.LT......Page 229
Cursor Injection......Page 230
Weak Permissions......Page 231
SQL Server......Page 232
PostgreSQL......Page 234
Oracle......Page 235
Oracle Internet Directory......Page 237
Microsoft SQL Server......Page 239
Oracle......Page 242
File System......Page 243
SQL Server......Page 244
MySQL......Page 246
SQL Injection on Mobile Devices......Page 247
Automating SQL Injection Exploitation......Page 251
sqlmap......Page 252
Bobcat......Page 253
BSQL......Page 254
Other Tools......Page 255
Summary......Page 256
Identifying the Database......Page 257
Escalating Privileges......Page 258
Frequently Asked Questions......Page 259
Introduction......Page 261
Finding and Confirming Blind SQL Injection......Page 262
Splitting and Balancing......Page 263
Common Blind SQL Injection Scenarios......Page 265
Inference Techniques......Page 267
Increasing the Complexity of Inference Techniques......Page 271
Delaying Database Queries......Page 277
MySQL Delays......Page 278
Generic MySQL Binary Search Inference Exploits......Page 279
PostgreSQL Delays......Page 280
SQL Server Delays......Page 282
Generic SQL Server Bit-by-Bit Inference Exploits......Page 284
Time-Based Inference Considerations......Page 285
Using Response-Based Techniques......Page 286
MySQL Response Techniques......Page 287
PostgreSQL Response Techniques......Page 288
SQL Server Response Techniques......Page 289
Oracle Response Techniques......Page 291
Returning More Than 1 bit of Information......Page 292
Database Connections......Page 295
DNS Exfiltration......Page 297
HTTP Exfiltration......Page 301
Absinthe......Page 304
BSQL Hacker......Page 306
SQLBrute......Page 308
Sqlmap......Page 310
Sqlninja......Page 311
Squeeza......Page 312
Finding and Confirming Blind SQL Injection......Page 314
Automating Blind SQL Injection Exploitation......Page 315
Frequently Asked Questions......Page 316
Introduction......Page 317
Reading Files......Page 318
MySQL......Page 319
Microsoft SQL Server......Page 324
Oracle......Page 332
Writing Files......Page 334
MySQL......Page 335
Microsoft SQL Server......Page 338
Oracle......Page 343
PostgreSQL......Page 344
Executing Operating System Commands......Page 345
Microsoft SQL Server......Page 346
Privilege Escalation......Page 350
EXTPROC......Page 353
DBMS_SCHEDULER......Page 354
PL/SQL Native......Page 355
Oracle Text......Page 356
Custom Application Code......Page 357
PostgreSQL......Page 358
Consolidating Access......Page 361
Accessing the File System......Page 363
References......Page 364
Frequently Asked Questions......Page 365
Evading Input Filters......Page 367
Using SQL Comments......Page 368
Using URL Encoding......Page 369
Using Dynamic Query Execution......Page 370
Nesting Stripped Expressions......Page 373
Exploiting Truncation......Page 374
Bypassing Custom Filters......Page 375
Using Non-Standard Entry Points......Page 376
Exploiting Second-Order SQL Injection......Page 378
Finding Second-Order Vulnerabilities......Page 380
Accessing Local Databases......Page 383
Attacking Client-Side Databases......Page 384
Creating Cross-Site Scripting......Page 386
Running Operating System Commands on Oracle......Page 387
Exploiting Authenticated Vulnerabilities......Page 388
Summary......Page 389
Exploiting Client-Side SQL Injection......Page 390
Frequently Asked Questions......Page 391
Introduction......Page 393
Domain Driven Security......Page 394
Using Parameterized Statements......Page 399
Parameterized Statements in Java......Page 400
Parameterized Statements in .NET (C#)......Page 401
Parameterized Statements in PHP......Page 404
Parameterized Statements in iOS Applications......Page 405
Parameterized Statements in HTML5 Browser Storage......Page 406
Whitelisting......Page 407
Known Value Validation......Page 408
Blacklisting......Page 411
Validating Input in Java......Page 412
Validating Input in PHP......Page 414
Encoding Output......Page 415
Encoding for Oracle......Page 416
Encoding for Microsoft SQL Server......Page 418
Encoding for MySQL......Page 421
Encoding for PostgreSQL......Page 422
Avoiding NoSQL injection......Page 423
Canonicalization......Page 424
Working with Unicode......Page 425
Using Stored Procedures......Page 427
Using Abstraction Layers......Page 428
Handling Sensitive Data......Page 429
Avoiding Obvious Object Names......Page 431
Additional Secure Development Resources......Page 432
Summary......Page 433
Canonicalization......Page 434
Frequently Asked Questions......Page 435
Introduction......Page 437
Using Runtime Protection......Page 438
Configurable Rule Set......Page 439
Request Coverage......Page 442
Request Normalization......Page 443
Intrusion Detection Capabilities......Page 444
Web Server Filters......Page 445
WebKnight......Page 447
Application Filters......Page 448
Implementing the Filter Pattern in Scripted Languages......Page 449
URL/Page-Level Strategies......Page 450
URL Rewriting......Page 451
Application Intrusion Detection Systems (IDSs)......Page 452
Securing the Database......Page 453
Segregated Database Logins......Page 454
Use Strong Cryptography to Protect Stored Sensitive Data......Page 455
Maintaining an Audit Trail......Page 456
Oracle Error Triggers......Page 457
Additional Lockdown of System Objects......Page 459
Strengthen Controls Surrounding Authentication......Page 460
Ensure That the Database Server Software is Patched......Page 461
Suppress Error Messages......Page 462
Use Dummy Host Names for Reverse DNS Lookups......Page 464
Limit Discovery Via Search Engine Hacking......Page 465
Increase the Verbosity of Web Server Logs......Page 466
Summary......Page 467
Additional Deployment Considerations......Page 468
Frequently Asked Questions......Page 469
Investigating a Suspected SQL Injection Attack......Page 471
Following Forensically Sound Practices......Page 472
Web Server Log Files......Page 474
Database Execution Plans......Page 480
What to Look for Within Cached Execution Plans......Page 483
Microsoft SQL Server......Page 486
MySQL......Page 487
PostgreSQL......Page 488
Execution Plan Limitations......Page 489
Transaction Log......Page 490
Microsoft SQL Server......Page 491
Oracle......Page 493
MySQL......Page 494
Database Object Time Stamps......Page 496
Oracle......Page 497
MySQL......Page 498
PostgreSQL......Page 499
Containing the Incident......Page 500
Assessing the Data Involved......Page 501
Determining What Actions the Attacker Performed on the System......Page 502
Recovering from a SQL Injection Attack......Page 503
Determining the Payload of an Attack......Page 504
Recovering from Attacks Carrying Static Payloads......Page 505
Recovering from Attacks Carrying Dynamic Payloads......Page 507
Required Forensically Sound Practices......Page 509
Notifying the Appropriate Individuals......Page 510
Frequently Asked Questions......Page 511
Introduction......Page 513
SELECT Statement......Page 514
INSERT Statement......Page 515
CREATE TABLE Statement......Page 516
ORDER BY Clause......Page 518
Limiting the Result Set......Page 519
Identifying SQL Injection Vulnerabilities......Page 520
Identifying the Database Platform......Page 523
Identifying the Database Platform Via Time Delay Inference......Page 524
Identifying the Database Platform Via SQL Dialect Inference......Page 525
Microsoft SQL Server Cheat Sheet......Page 526
OPENROWSET Reauthentication Attack......Page 528
xp_cmdshell Alternative......Page 534
Microsoft SQL Server 2005 Hashes......Page 535
Enumerating Database Configuration Information and Schema......Page 536
System Command Execution......Page 537
Attacking the Database Directly......Page 538
Command Execution......Page 539
Reading Local Files (PL/SQL injection only)......Page 542
Writing Local Files (PL/SQL Injection Only)......Page 543
Cracking Database Passwords......Page 544
Enumerating Database Configuration Information and Schema......Page 545
Attacking the Database Server: PostgreSQL......Page 546
Cracking Database Passwords......Page 547
Quote Filters......Page 548
Troubleshooting SQL Injection Attacks......Page 549
SQL Injection on Other Platforms......Page 553
Informix Cheat Sheet......Page 554
Blind SQL Injection Functions: Informix......Page 555
Blind SQL Injection Functions: Ingres......Page 556
Enumerating Database Configuration Information and Schema......Page 557
Microsoft Access......Page 558
SQL Injection Exploit Tools......Page 559
Structured Query Language (SQL) Primer......Page 560
SQL Injection on Other Platforms......Page 561
B......Page 563
C......Page 564
D......Page 565
E......Page 566
I......Page 567
M......Page 568
O......Page 570
R......Page 571
S......Page 572
T......Page 574
Z......Page 575