SQL injection attacks and defense
Winner of the Best Book Bejtlich Read in 2009 award! "SQL injection is probably the number one problem for any server-side application, and this book is unequaled in its coverage." Richard Bejtlich, http://taosecurity.blogspot.com/

SQL injection represents one of the most dangerous and well-...
| Field | Value |
|---|---|
| Main Author | |
| Format | eBook; Book |
| Language | English |
| Published | Burlington: Syngress, 2009 (Elsevier Science & Technology Books; Syngress Pub) |
| Edition | 1 |
| Subjects | |
| ISBN | 9781597494243; 1597494240; 9780080958576; 0080958575 |
| DOI | 10.1016/B978-1-59749-424-3.X0001-1 |
Table of Contents:
- Front Cover -- SQL Injection Attacks and Defense -- Copyright Page -- Lead Author and Technical Editor -- Contributing Authors -- Contents
- Chapter 1: What Is SQL Injection? -- Introduction -- Understanding How Web Applications Work -- A Simple Application Architecture -- A More Complex Architecture -- Understanding SQL Injection -- High-Profile Examples -- Understanding How It Happens -- Dynamic String Building -- Incorrectly Handled Escape Characters -- Incorrectly Handled Types -- Incorrectly Handled Query Assembly -- Incorrectly Handled Errors -- Incorrectly Handled Multiple Submissions -- Insecure Database Configuration -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 2: Testing for SQL Injection -- Introduction -- Finding SQL Injection -- Testing by Inference -- Identifying Data Entry -- GET Requests -- POST Requests -- Other Injectable Data -- Manipulating Parameters -- Information Workflow -- Database Errors -- Commonly Displayed SQL Errors -- Microsoft SQL Server Errors -- MySQL Errors -- Oracle Errors -- Application Response -- Generic Errors -- HTTP Code Errors -- Different Response Sizes -- Blind Injection Detection -- Confirming SQL Injection -- Differentiating Numbers and Strings -- Inline SQL Injection -- Injecting Strings Inline -- Injecting Numeric Values Inline -- Terminating SQL Injection -- Database Comment Syntax -- Using Comments -- Executing Multiple Statements -- Time Delays -- Automating SQL Injection Discovery -- Tools for Automatically Finding SQL Injection -- HP WebInspect -- IBM Rational AppScan -- HP Scrawlr -- SQLiX -- Paros Proxy -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 3: Reviewing Code for SQL Injection -- Introduction -- Reviewing Source Code for SQL Injection -- Dangerous Coding Behaviors -- Dangerous Functions -- Following the Data -- Following Data in PHP -- Following Data in Java -- Following Data in C# -- Reviewing PL/SQL and T-SQL Code -- Automated Source Code Review -- Yet Another Source Code Analyzer (YASCA) -- Pixy -- AppCodeScan -- Lapse -- Security Compass Web Application Analysis Tool (SWAAT) -- Microsoft Source Code Analyzer for SQL Injection -- Microsoft Code Analysis Tool .NET (CAT.NET) -- Commercial Source Code Review Tools -- Ounce -- Fortify Source Code Analyzer -- CodeSecure -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 4: Exploiting SQL Injection -- Introduction -- Understanding Common Exploit Techniques -- Using Stacked Queries -- Identifying the Database -- Non-Blind Fingerprint -- Banner Grabbing -- Blind Fingerprint -- Extracting Data through UNION Statements -- Matching Columns -- Matching Data Types -- Using Conditional Statements -- Approach 1: Time-based -- Approach 2: Error-based -- Approach 3: Content-based -- Working with Strings -- Extending the Attack -- Using Errors for SQL Injection -- Error Messages in Oracle -- Enumerating the Database Schema -- SQL Server -- MySQL -- Oracle -- Escalating Privileges -- SQL Server -- Privilege Escalation on Unpatched Servers -- Oracle -- Stealing the Password Hashes -- SQL Server -- MySQL -- Oracle -- Oracle Components -- APEX -- Oracle Internet Directory -- Out-of-Band Communication -- E-mail -- Microsoft SQL Server -- Oracle -- HTTP/DNS -- File System -- SQL Server -- MySQL -- Oracle -- Automating SQL Injection Exploitation -- Sqlmap -- Sqlmap Example -- Bobcat -- BSQL -- Other Tools -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 5: Blind SQL Injection Exploitation -- Introduction -- Finding and Confirming Blind SQL Injection -- Forcing Generic Errors -- Injecting Queries with Side Effects -- Splitting and Balancing -- Common Blind SQL Injection Scenarios -- Blind SQL Injection Techniques -- Inference Techniques -- Increasing the Complexity of Inference Techniques -- Alternative Channel Techniques -- Using Time-Based Techniques -- Delaying Database Queries -- MySQL Delays -- Generic MySQL Binary Search Inference Exploits -- Generic MySQL Bit-by-Bit Inference Exploits -- SQL Server Delays -- Generic SQL Server Binary Search Inference Exploits -- Generic SQL Server Bit-by-Bit Inference Exploits -- Oracle Delays -- Time-Based Inference Considerations -- Using Response-Based Techniques -- MySQL Response Techniques -- SQL Server Response Techniques -- Oracle Response Techniques -- Returning More Than One Bit of Information -- Using Alternative Channels -- Database Connections -- DNS Exfiltration -- E-mail Exfiltration -- HTTP Exfiltration -- Automating Blind SQL Injection Exploitation -- Absinthe -- BSQL Hacker -- SQLBrute -- Sqlninja -- Squeeza -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 6: Exploiting the Operating System -- Introduction -- Accessing the File System -- Reading Files -- MySQL -- Microsoft SQL Server -- Oracle -- Writing Files -- MySQL -- Microsoft SQL Server -- Oracle -- Executing Operating System Commands -- Direct Execution -- Oracle -- DBMS_SCHEDULER -- PL/SQL Native -- Other Possibilities -- Alter System Set Events -- PL/SQL Native 9i -- Buffer Overflows -- Custom Application Code -- MySQL -- Microsoft SQL Server -- Consolidating Access -- Summary -- Solutions Fast Track -- Frequently Asked Questions -- Endnotes
- Chapter 7: Advanced Topics -- Introduction -- Evading Input Filters -- Using Case Variation -- Using SQL Comments -- Using URL Encoding -- Using Dynamic Query Execution -- Using Null Bytes -- Nesting Stripped Expressions -- Exploiting Truncation -- Bypassing Custom Filters -- Using Non-Standard Entry Points -- Exploiting Second-Order SQL Injection -- Finding Second-Order Vulnerabilities -- Using Hybrid Attacks -- Leveraging Captured Data -- Creating Cross-Site Scripting -- Running Operating System Commands on Oracle -- Exploiting Authenticated Vulnerabilities -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 8: Code-Level Defenses -- Introduction -- Using Parameterized Statements -- Parameterized Statements in Java -- Parameterized Statements in .NET (C#) -- Parameterized Statements in PHP -- Parameterized Statements in PL/SQL -- Validating Input -- Whitelisting -- Blacklisting -- Validating Input in Java -- Validating Input in .NET -- Validating Input in PHP -- Encoding Output -- Encoding to the Database -- Encoding for Oracle -- Oracle dbms_assert -- Encoding for Microsoft SQL Server -- Encoding for MySQL -- Canonicalization -- Canonicalization Approaches -- Working with Unicode -- Designing to Avoid the Dangers of SQL Injection -- Using Stored Procedures -- Using Abstraction Layers -- Handling Sensitive Data -- Avoiding Obvious Object Names -- Setting Up Database Honeypots -- Additional Secure Development Resources -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 9: Platform-Level Defenses -- Introduction -- Using Runtime Protection -- Web Application Firewalls -- Using ModSecurity -- Configurable Rule Set -- Request Coverage -- Request Normalization -- Response Analysis -- Intrusion Detection Capabilities -- Intercepting Filters -- Web Server Filters -- Application Filters -- Implementing the Filter Pattern in Scripted Languages -- Filtering Web Service Messages -- Non-Editable versus Editable Input Protection -- URL/Page-Level Strategies -- Page Overriding -- URL Rewriting -- Resource Proxying/Wrapping -- Aspect-Oriented Programming (AOP) -- Application Intrusion Detection Systems (IDSs) -- Database Firewall -- Securing the Database -- Locking Down the Application Data -- Use the Least-Privileged Database Login -- Revoke PUBLIC Permissions -- Use Stored Procedures -- Use Strong Cryptography to Protect Stored Sensitive Data -- Maintaining an Audit Trail -- Oracle Error Triggers -- Locking Down the Database Server -- Additional Lockdown of System Objects -- Restrict Ad Hoc Querying -- Strengthen Controls Surrounding Authentication -- Run in the Context of the Least-Privileged Operating System Account -- Ensure That the Database Server Software Is Patched -- Additional Deployment Considerations -- Minimize Unnecessary Information Leakage -- Suppress Error Messages -- Use an Empty Default Web Site -- Use Dummy Host Names for Reverse DNS Lookups -- Use Wildcard SSL Certificates -- Limit Discovery via Search Engine Hacking -- Disable Web Services Description Language (WSDL) Information -- Increase the Verbosity of Web Server Logs -- Deploy the Web and Database Servers on Separate Hosts -- Configure Network Access Control -- Summary -- Solutions Fast Track -- Frequently Asked Questions
- Chapter 10: References -- Introduction -- Structured Query Language (SQL) Primer -- SQL Queries -- SELECT Statement -- UNION Operator -- INSERT Statement -- UPDATE Statement -- DELETE Statement -- DROP Statement -- CREATE TABLE Statement -- ALTER TABLE Statement -- GROUP BY Statement -- ORDER BY Clause -- Limiting the Result Set -- SQL Injection Quick Reference -- Identifying the Database Platform -- Identifying the Database Platform via Time Delay Inference -- Identifying the Database Platform via SQL Dialect Inference -- Combining Multiple Rows into a Single Row -- Microsoft SQL Server Cheat Sheet -- Enumerating Database Configuration Information and Schema -- Blind SQL Injection Functions: Microsoft SQL Server