SQL Injection Attacks and Defense, Syngress

Justin Clarke lead author and technical editor

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

SQL Injection Attacks and Defense

Many people say they know what SQL injection is, but all they have heard about or
experienced are trivial examples. SQL injection is one of the most devastating vulnerabilities
to impact a business, as it can lead to exposure of all of the sensitive information stored in
an application’s database, including handy information such as usernames, passwords,
names, addresses, phone numbers, and credit card details.
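The blurb above says most people only know trivial SQL injection examples. As an added illustration that is not part of the book or of this listing, the Python/sqlite3 script below reproduces the book's central point in miniature: a query assembled by dynamic string building (the topic of Chapter 1's "Dynamic String Building") lets one crafted parameter return every row, and a UNION payload pulls the password column out as well, while the same lookup written as a parameterized statement (Chapter 8's "Using Parameterized Statements") treats the payloads as literal text and returns nothing. The table, rows, user names, passwords and card numbers are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; not from the book.
SAMPLE_USERS = [
    ("alice", "s3cret", "4111-1111-1111-1111"),
    ("bob", "hunter2", "5500-0000-0000-0004"),
    ("carol", "letmein", "3400-0000-0000-009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, card) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Dynamic string building: caller input is spliced into the SQL text.

    The database parses whatever the user supplied as SQL, so a quote in the
    input closes the string literal and the remainder runs as code.
    """
    sql = "SELECT username, card FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized statement: the SQL text is fixed, input is a bound value.

    The same payloads are compared literally against the username column and
    match no row.
    """
    sql = "SELECT username, card FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: a tautology that makes the WHERE clause always true,
# and a UNION that adds the password column to the result set. The trailing
# "--" comments out the closing quote the application appends.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password FROM users --"


def demo() -> dict:
    """Run both lookups with a benign name and with each payload."""
    conn = build_db()
    return {
        "vuln_benign": lookup_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, UNION_DUMP),
        "safe_benign": lookup_safe(conn, "alice"),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {len(rows)} row(s): {rows}")
```

Run it directly to see the row counts side by side: the vulnerable lookup returns one row for "alice", three for the tautology and three username/password pairs for the UNION payload, whereas the parameterized lookup returns one row for "alice" and none for either payload. sqlite3 is used only because it ships with Python; the string-building defect and the parameterized fix look the same on the platforms the book covers.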

Contents

Chapter 1 What Is SQL Injection?
  Introduction
  Understanding How Web Applications Work
  A Simple Application Architecture
  A More Complex Architecture
  Understanding SQL Injection
  High-Profile Examples
  Understanding How It Happens
  Dynamic String Building
  Incorrectly Handled Escape Characters
  Incorrectly Handled Types
  Incorrectly Handled Query Assembly
  Incorrectly Handled Errors
  Incorrectly Handled Multiple Submissions
  Insecure Database Configuration
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 2 Testing for SQL Injection
  Introduction
  Finding SQL Injection
  Testing by Inference
  Identifying Data Entry
  GET Requests
  POST Requests
  Other Injectable Data
  Manipulating Parameters
  Information Workflow
  Database Errors
  Commonly Displayed SQL Errors
  Microsoft SQL Server Errors
  MySQL Errors
  Oracle Errors
  Application Response
  Generic Errors
  HTTP Code Errors
  Different Response Sizes
  Blind Injection Detection
  Confirming SQL Injection
  Differentiating Numbers and Strings
  Inline SQL Injection
  Injecting Strings Inline
  Injecting Numeric Values Inline
  Terminating SQL Injection
  Database Comment Syntax
  Using Comments
  Executing Multiple Statements
  Time Delays
  Automating SQL Injection Discovery
  Tools for Automatically Finding SQL Injection
  HP WebInspect
  IBM Rational AppScan
  HP Scrawlr
  SQLiX
  Paros Proxy
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 3 Reviewing Code for SQL Injection
  Introduction
  Reviewing Source Code for SQL Injection
  Dangerous Coding Behaviors
  Dangerous Functions
  Following the Data
  Following Data in PHP
  Following Data in Java
  Following Data in C#
  Reviewing PL/SQL and T-SQL Code
  Automated Source Code Review
  Yet Another Source Code Analyzer (YASCA)
  Pixy
  AppCodeScan
  LAPSE
  Security Compass Web Application Analysis Tool (SWAAT)
  Microsoft Source Code Analyzer for SQL Injection
  Microsoft Code Analysis Tool .NET (CAT.NET)
  Commercial Source Code Review Tools
  Ounce
  Source Code Analysis
  CodeSecure
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 4 Exploiting SQL Injection
  Introduction
  Understanding Common Exploit Techniques
  Using Stacked Queries
  Identifying the Database
  Non-Blind Fingerprint
  Banner Grabbing
  Blind Fingerprint
  Extracting Data through UNION Statements
  Matching Columns
  Matching Data Types
  Using Conditional Statements
  Approach 1: Time-based
  Approach 2: Error-based
  Approach 3: Content-based
  Working with Strings
  Extending the Attack
  Using Errors for SQL Injection
  Error Messages in Oracle
  Enumerating the Database Schema
  SQL Server
  MySQL
  Oracle
  Escalating Privileges
  SQL Server
  Privilege Escalation on Unpatched Servers
  Oracle
  Stealing the Password Hashes
  SQL Server
  MySQL
  Oracle
  Oracle Components
  APEX
  Oracle Internet Directory
  Out-of-Band Communication
  E-mail
  Microsoft SQL Server
  Oracle
  HTTP/DNS
  File System
  SQL Server
  MySQL
  Oracle
  Automating SQL Injection Exploitation
  Sqlmap
  Sqlmap Example
  Bobcat
  BSQL
  Other Tools
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 5 Blind SQL Injection Exploitation
  Introduction
  Finding and Confirming Blind SQL Injection
  Forcing Generic Errors
  Injecting Queries with Side Effects
  Splitting and Balancing
  Common Blind SQL Injection Scenarios
  Blind SQL Injection Techniques
  Inference Techniques
  Increasing the Complexity of Inference Techniques
  Alternative Channel Techniques
  Using Time-Based Techniques
  Delaying Database Queries
  MySQL Delays
  Generic MySQL Binary Search Inference Exploits
  Generic MySQL Bit-by-Bit Inference Exploits
  SQL Server Delays
  Generic SQL Server Binary Search Inference Exploits
  Generic SQL Server Bit-by-Bit Inference Exploits
  Oracle Delays
  Time-Based Inference Considerations
  Using Response-Based Techniques
  MySQL Response Techniques
  SQL Server Response Techniques
  Oracle Response Techniques
  Returning More Than One Bit of Information
  Using Alternative Channels
  Database Connections
  DNS Exfiltration
  E-mail Exfiltration
  HTTP Exfiltration
  Automating Blind SQL Injection Exploitation
  Absinthe
  BSQL Hacker
  SQLBrute
  Sqlninja
  Squeeza
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 6 Exploiting the Operating System
  Introduction
  Accessing the File System
  Reading Files
  MySQL
  Microsoft SQL Server
  Oracle
  Writing Files
  MySQL
  Microsoft SQL Server
  Oracle
  Executing Operating System Commands
  Direct Execution
  Oracle
  DBMS_SCHEDULER
  PL/SQL Native
  Other Possibilities
  Alter System Set Events
  PL/SQL Native 9i
  Buffer Overflows
  Custom Application Code
  MySQL
  Microsoft SQL Server
  Consolidating Access
  Summary
  Solutions Fast Track
  Frequently Asked Questions
  Endnotes
Chapter 7 Advanced Topics
  Introduction
  Evading Input Filters
  Using Case Variation
  Using SQL Comments
  Using URL Encoding
  Using Dynamic Query Execution
  Using Null Bytes
  Nesting Stripped Expressions
  Exploiting Truncation
  Bypassing Custom Filters
  Using Non-Standard Entry Points
  Exploiting Second-Order SQL Injection
  Finding Second-Order Vulnerabilities
  Using Hybrid Attacks
  Leveraging Captured Data
  Creating Cross-Site Scripting
  Running Operating System Commands on Oracle
  Exploiting Authenticated Vulnerabilities
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 8 Code-Level Defenses
  Introduction
  Using Parameterized Statements
  Parameterized Statements in Java
  Parameterized Statements in .NET (C#)
  Parameterized Statements in PHP
  Parameterized Statements in PL/SQL
  Validating Input
  Whitelisting
  Blacklisting
  Validating Input in Java
  Validating Input in .NET
  Validating Input in PHP
  Encoding Output
  Encoding to the Database
  Encoding for Oracle
  Oracle dbms_assert
  Encoding for Microsoft SQL Server
  Encoding for MySQL
  Canonicalization
  Canonicalization Approaches
  Working with Unicode
  Designing to Avoid the Dangers of SQL Injection
  Using Stored Procedures
  Using Abstraction Layers
  Handling Sensitive Data
  Avoiding Obvious Object Names
  Setting Up Database Honeypots
  Additional Secure Development Resources
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 9 Platform-Level Defenses
  Introduction
  Using Runtime Protection
  Web Application Firewalls
  Using ModSecurity
  Configurable Rule Set
  Request Coverage
  Request Normalization
  Response Analysis
  Intrusion Detection Capabilities
  Intercepting Filters
  Web Server Filters
  Application Filters
  Implementing the Filter Pattern in Scripted Languages
  Filtering Web Service Messages
  Non-Editable versus Editable Input Protection
  URL/Page-Level Strategies
  Page Overriding
  URL Rewriting
  Resource Proxying/Wrapping
  Aspect-Oriented Programming (AOP)
  Application Intrusion Detection Systems (IDSs)
  Database Firewall
  Securing the Database
  Locking Down the Application Data
  Use the Least-Privileged Database Login
  Revoke PUBLIC Permissions
  Use Stored Procedures
  Use Strong Cryptography to Protect Stored Sensitive Data
  Maintaining an Audit Trail
  Oracle Error Triggers
  Locking Down the Database Server
  Additional Lockdown of System Objects
  Restrict Ad Hoc Querying
  Strengthen Controls Surrounding Authentication
  Run in the Context of the Least-Privileged Operating System Account
  Ensure That the Database Server Software Is Patched
  Additional Deployment Considerations
  Minimize Unnecessary Information Leakage
  Suppress Error Messages
  Use an Empty Default Web Site
  Use Dummy Host Names for Reverse DNS Lookups
  Use Wildcard SSL Certificates
  Limit Discovery via Search Engine Hacking
  Disable Web Services Description Language (WSDL) Information
  Increase the Verbosity of Web Server Logs
  Deploy the Web and Database Servers on Separate Hosts
  Configure Network Access Control
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 10 References
  Introduction
  Structured Query Language (SQL) Primer
  SQL Queries
  SELECT Statement
  UNION Operator
  INSERT Statement
  UPDATE Statement
  DELETE Statement
  DROP Statement
  CREATE TABLE Statement
  ALTER TABLE Statement
  GROUP BY Statement
  ORDER BY Clause
  Limiting the Result Set
  SQL Injection Quick Reference
  Identifying the Database Platform
  Identifying the Database Platform via Time Delay Inference
  Identifying the Database Platform via SQL Dialect Inference
  Combining Multiple Rows into a Single Row
  Microsoft SQL Server Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: Microsoft SQL Server
  Microsoft SQL Server Privilege Escalation
  OPENROWSET Reauthentication Attack
  Attacking the Database Server: Microsoft SQL Server
  System Command Execution via xp_cmdshell
  xp_cmdshell Alternative
  Cracking Database Passwords
  Microsoft SQL Server 2005 Hashes
  File Read/Write
  MySQL Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: MySQL
  Attacking the Database Server: MySQL
  System Command Execution
  Cracking Database Passwords
  Attacking the Database Directly
  File Read/Write
  Oracle Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: Oracle
  Attacking the Database Server: Oracle
  Command Execution
  Reading Local Files
  Reading Local Files (PL/SQL Injection Only)
  Writing Local Files (PL/SQL Injection Only)
  Cracking Database Passwords
  Bypassing Input Validation Filters
  Quote Filters
  HTTP Encoding
  Troubleshooting SQL Injection Attacks
  SQL Injection on Other Platforms
  PostgreSQL Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: PostgreSQL
  Attacking the Database Server: PostgreSQL
  System Command Execution
  Local File Access
  Cracking Database Passwords
  DB2 Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: DB2
  Informix Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: Informix
  Ingres Cheat Sheet
  Enumerating Database Configuration Information and Schema
  Blind SQL Injection Functions: Ingres
  Microsoft Access
  Resources
  SQL Injection White Papers
  SQL Injection Cheat Sheets
  SQL Injection Exploit Tools
  Password Cracking Tools
  Solutions Fast Track
Index

Product details
  File Size: 3,722 KB
  Pages: 494
  File Type: PDF
  ISBN-13: 978-1-59749-424-3
  Copyright: 2009 by Elsevier, Inc.