SQL injection is one of the most widely used web attack vectors, typically aimed at retrieving sensitive data from organizations. When you hear about stolen credit cards or password lists, the theft often happened through an SQL injection vulnerability. Fortunately, there are ways to protect your website from SQL injection attacks.
SQL Injection Attacks and Defense, Second Edition
One of the best practices for identifying SQL injection attacks is to deploy a web application firewall (WAF). A WAF operating in front of the web servers monitors the traffic that goes in and out of those servers and identifies patterns that constitute a threat. Essentially, it is a barrier placed between the web application and the Internet.
Prevention techniques such as input validation, parameterized queries, stored procedures, and escaping work well against varying attack vectors. However, because of the wide variation in the patterns of SQL injection attacks, they are often unable to protect databases.
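As an added illustration (not code from the book or from the original page), the following Python snippet, using the standard-library sqlite3 module and a constructed two-row users table, puts a concatenated query beside its parameterized form so the difference in behaviour can be run rather than described. The table contents, the function names and the sample inputs are assumptions made for this example; the tautology input is the textbook one and appears only to show that the bound parameter treats it as an ordinary value.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by string concatenation: the input is spliced into
    the SQL text, so quote characters in it change the query's structure."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_parameterized(conn, username):
    """Binds the input as a parameter: the SQL text is fixed, and the input can
    only ever be compared as a value, never parsed as code."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    tautology = "x' OR '1'='1"  # classic tautology input, shown only for contrast
    apostrophe = "O'Brien"      # a perfectly legitimate name

    print(find_user_vulnerable(conn, benign))         # ['alice']
    print(find_user_vulnerable(conn, tautology))      # ['alice', 'bob']: every row leaks
    print(find_user_parameterized(conn, tautology))   # []: nobody is literally named that
    print(find_user_parameterized(conn, apostrophe))  # []: handled without any escaping
    try:
        # The concatenated version cannot even handle a legitimate apostrophe.
        find_user_vulnerable(conn, apostrophe)
    except sqlite3.OperationalError as exc:
        print("concatenation broke on a legitimate name:", exc)
```

The apostrophe case is worth keeping in mind when reading the rest of the page: concatenation is not just exploitable, it is also fragile on ordinary data, which is one reason parameterized statements need less maintenance than escaping or deny lists.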
SQL Injection Attacks and Defense, Second Edition includes all the currently known information about these attacks and significant insight from its team of SQL injection experts, who tell you about:
Now it is 2012 as we are completing the second edition, and still little has changed in the basics of SQL injection; however, technology has moved on, and some new progress has been made in applying SQL injection in newer areas such as mobile applications and client-side vectors via HTML5. This also gave my co-authors and me an opportunity to address some of the feedback we got from readers of the first edition. In this second edition, as well as comprehensively updating all of the content in the book and covering new technologies and approaches, we have increased the scope of database coverage to include PostgreSQL, as well as Microsoft SQL Server, Oracle and MySQL, as the primary database platforms we cover in all chapters, with code examples in Java, .NET and PHP where relevant.
It is difficult to correctly and accurately gather data on exactly how many organizations are vulnerable to or have been compromised via an SQL injection vulnerability, as companies in many countries, unlike their US counterparts, are not obliged by law to publicly disclose when they have experienced a serious breach of security. However, security breaches and successful attacks executed by malicious attackers are now a favorite media topic for the world press. The smallest of breaches, that historically may have gone unnoticed by the wider public, are often heavily publicized today.
In addition, the Open Web Application Security Project (OWASP) lists Injection Flaws (which include SQL injection) as the most serious security vulnerability affecting Web applications in its 2010 Top 10 list. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, and organizations about the consequences of the most common Web application security vulnerabilities. In the previous list, published in 2007, SQL injection was listed in second place. For 2010, OWASP changed the ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. The OWASP Top 10 list has historically been compiled from data extracted from the Common Vulnerabilities and Exposures (CVE) list of publicly known information security vulnerabilities and exposures published by the MITRE Corporation ( ). The problem with using CVE numbers as an indication of how many sites are vulnerable to SQL injection is that the data does not provide insight into vulnerabilities within custom-built sites. CVE requests represent the volume of discovered vulnerabilities in commercial and open source applications; they do not reflect the degree to which those vulnerabilities exist in the real world. In reality, the situation is much, much worse. Nonetheless, the trends report published in 2007 makes interesting reading ( -trends/vuln-trends.pdf).
One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allow list of safe values or identify and escape a deny list of potentially malicious values. An allow list can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, deny listing is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:
Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.
Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.
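The following added example (not from the original page or its sources) shows, in Python with sqlite3, where each technique from the passages above belongs: the price bound is passed as a bound parameter, while the sort column, which a placeholder cannot bind, is checked against an allow list of the only column names the application ever interpolates. A small keyword deny list sits alongside to show the two weaknesses the text alludes to: it blocks a legitimate value containing an apostrophe, yet passes an identifier that the allow list rejects. The table, the column names, the deny-list patterns and the sample inputs are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample data (not from the page).
PRODUCTS = [("widget", 5), ("gadget", 12), ("gizmo", 7)]

# Allow list: the only identifiers the application will ever splice into SQL text.
SORTABLE_COLUMNS = {"name", "price"}

# A deny list of the kind the text warns against: a handful of keyword/character
# patterns, chosen here to illustrate how brittle the approach is.
DENY_PATTERNS = [re.compile(p, re.IGNORECASE)
                 for p in (r"\bor\b", r"'", r"--", r"\bunion\b")]


def make_db():
    """Create an in-memory SQLite database with a small products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def deny_list_passes(value):
    """True if none of the denied patterns occur in the value."""
    return not any(p.search(value) for p in DENY_PATTERNS)


def is_allowed_sort(sort_by):
    """Allow-list check for an identifier: exact membership, nothing pattern-based."""
    return sort_by in SORTABLE_COLUMNS


def search_products(conn, max_price, sort_by):
    """Value -> bound parameter; identifier -> allow list, then interpolated.
    Raises ValueError for any column name outside the allow list."""
    if not is_allowed_sort(sort_by):
        raise ValueError("sort column not allowed: %r" % sort_by)
    query = "SELECT name FROM products WHERE price <= ? ORDER BY " + sort_by
    return [row[0] for row in conn.execute(query, (max_price,))]


if __name__ == "__main__":
    conn = make_db()
    print(search_products(conn, 10, "price"))  # ['widget', 'gizmo']
    print(search_products(conn, 10, "name"))   # ['gizmo', 'widget']

    # Deny list: a false positive on legitimate data...
    print(deny_list_passes("O'Brien"))                       # False
    # ...and a miss on an identifier that is clearly not a column name.
    print(deny_list_passes("price; DROP TABLE products"))    # True
    # The allow list needs no pattern knowledge at all to reject it.
    print(is_allowed_sort("price; DROP TABLE products"))     # False
```

Note that sqlite3's execute() refuses to run more than one statement per call, so the miss above would still be caught by the driver here; other drivers and databases do not all behave that way, which is why the decision belongs in the application's allow list rather than in a pattern filter.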
Databases are commonly targeted for injection through an application (such as a website, which requests user input and then does a lookup in a database based on that input), but they can also be targeted directly. SQL injection attacks are listed on the OWASP Top 10 list of application security risks that companies wrestle with.
With the rapid development of computer network technology, people's lives and work have become more and more dependent on the Internet, and the network security issues that follow have also received much attention. At present, SQL injection attacks have become the main method of hacking, and SQL injection vulnerabilities seriously threaten the security of web application systems. This article takes the PHP language as an example, introduces the causes of SQL injection in detail, and conducts in-depth research on common SQL injection attack methods. Based on practical penetration-testing experience, it puts forward SQL injection detection techniques and explains how to avoid SQL injection vulnerabilities when writing web program code. This article provides detailed technical support for testing for SQL injection and a strong guarantee for web information systems in SQL injection defense.
Software exploit defenses have long remained one of the most important research areas in the lab. Given the large base of existing software, and the large gaps in automated or manual code analyses for discovering vulnerabilities in it, automated exploit defenses remain perhaps one bright area, as these techniques are often able to block vast classes of popular exploits at little (or relatively low) cost. Our research initially targeted the popular memory error exploits [28, 27, 23, 21, 20]. Many of these defenses rely on randomization, and are hence subject to brute-force attacks that try to guess the randomization key. To defend against these attacks, we developed novel techniques that rely on a forensic analysis of the memory space of randomized applications and/or application behavior models to synthesize accurate attack signatures [26, 25]. These signatures are developed within milliseconds after the first unsuccessful attack, and can hence defeat brute-force attacks. We subsequently extended automated exploit defense to a much larger class of vulnerabilities, including those that lead to SQL injection, command injection, cross-site scripting, path-traversal, format-string vulnerabilities, and so on [24, 19]. Automated exploit defense continues to be one of the most active areas of research within the lab.
Related Publications
[1] Extracting Instruction Semantics Via Symbolic Execution of Code Generators. Niranjan Hasabnis and R. Sekar. ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), November 2016.
[2] Lifting Assembly to Intermediate Representation: A Novel Approach Leveraging Compilers. Niranjan Hasabnis and R. Sekar. ACM Architectural Support for Programming Languages and Operating Systems (ASPLOS), April 2016.
[3] Code and Control Flow Integrity for COTS Binaries: An Effective Defense Against Real-World ROP Attacks. Mingwei Zhang and R. Sekar. Annual Computer Security Applications Conference (ACSAC), December 2015.
[4] A Principled Approach for ROP Defense. Rui Qiao, Mingwei Zhang and R. Sekar. Annual Computer Security Applications Conference (ACSAC), December 2015.
[5] Harbormaster: Policy Enforcement for Containers. Mingwei Zhang, Daniel Marino and Petros Efstathopoulos. IEEE CloudCom (CloudCom), November 2015.
[6] Automatic Generation of Assembly to IR Translators Using Compilers. Niranjan Hasabnis and R. Sekar. Workshop on Architectural and Microarchitectural Support for Binary Translation (AMAS-BT), February 2015.
[7] Eternal War in Memory. Laszlo Szekeres, Mathias Payer, Tao Wei and R. Sekar. IEEE Security and Privacy Magazine (S&P Magazine), May 2014.
[8] A Platform for Secure Static Binary Instrumentation. Mingwei Zhang, Rui Qiao, Niranjan Hasabnis and R. Sekar. Virtual Execution Environments (VEE), March 2014.
[9] Control Flow Integrity for COTS Binaries. Mingwei Zhang and R. Sekar. USENIX Security Symposium (USENIX Security), August 2013. Best paper award.
[10] SoK: Eternal War in Memory. Laszlo Szekeres, Mathias Payer, Tao Wei and Dawn Song. IEEE Symposium on Security and Privacy (IEEE S&P), May 2013.
[11] Protecting Function Pointers in Binary. Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Stephen McCamant and Laszlo Szekeres. ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2013.
[12] Practical Control Flow Integrity and Randomization for Binary Executables. Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song and Wei Zou. IEEE Symposium on Security and Privacy (IEEE S&P), May 2013.
[13] Protection, Usability and Improvements in Reflected XSS Filters. Riccardo Pelizzi and R. Sekar. ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2012.
[14] Taint-Enhanced Anomaly Detection. Lorenzo Cavallaro and R. Sekar. International Conference on Information Systems Security (ICISS), December 2011.
[15] A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications. Riccardo Pelizzi and R. Sekar. Annual Computer Security Applications Conference (ACSAC), December 2011.
[16] PAriCheck: An Efficient Pointer Arithmetic Checker for C Programs. Yves Younan, Pieter Philippaerts, Lorenzo Cavallaro, R. Sekar, Frank Piessens and Wouter Joosen. ACM Symposium on Information, Computer and Communications Security (ASIACCS), March 2010.
[17] Online Signature Generation for Windows Systems. Lixin Li, Jim Just and R. Sekar. Annual Computer Security Applications Conference (ACSAC), December 2009.
[18] Practical Techniques for Regeneration and Immunization of COTS Applications. Lixin Li, Mark R. Cornwell, E. Hultman, Jim Just and R. Sekar. Workshop on Recent Advances on Intrusion-Tolerant Systems (WRAITS), June 2009.
[19] An Efficient Black-box Technique for Defeating Web Application Attacks. R. Sekar. ISOC Network and Distributed Systems Symposium (NDSS), February 2009.
[20] Anomalous Taint Detection (Extended Abstract). Lorenzo Cavallaro and R. Sekar. Recent Advances in Intrusion Detection (RAID), September 2008. (Full version available as Technical Report SECLAB08-06.)
[21] Data Space Randomization. Sandeep Bhatkar and R. Sekar. Detection of Intrusions, Malware and Vulnerability Analysis (DIMVA), July 2008.
[22] Comprehensive Memory Error Protection via Diversity and Taint-Tracking. Lorenzo Cavallaro. PhD Dissertation, Stony Brook University, February 2008.
[23] Address-Space Randomization for Windows Systems. Lixin Li, Jim Just and R. Sekar. Annual Computer Security Applications Conference (ACSAC), December 2006.
[24] Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. Wei Xu, Sandeep Bhatkar and R. Sekar. USENIX Security Symposium (USENIX Security), August 2006. (An earlier version appeared as Technical Report SECLAB-05-06, November 2005. Also supersedes Technical Report SECLAB-05-05, A Unified Approach for Preventing Attacks Exploiting a Range of Software Vulnerabilities, August 2005, and Technical Report SECLAB-05-04, Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications, May 2005.)
[25] Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models. Zhenkai Liang and R. Sekar. Annual Computer Security Applications Conference (ACSAC), December 2005. (Supersedes Technical Report SECLAB-05-01, An Immune System Inspired Approach for Protection from Repetitive Attacks, March 2005.)
[26] Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. Zhenkai Liang and R. Sekar. ACM Conference on Computer and Communications Security (CCS), November 2005. (Supersedes Technical Report SECLAB-05-02, Automated, Sub-second Attack Signature Generation: A Basis for Building Self-Protecting Servers, May 2005.)
[27] Efficient Techniques for Comprehensive Protection from Memory Error Exploits. Sandeep Bhatkar, R. Sekar and Daniel DuVarney. USENIX Security Symposium (USENIX Security), August 2005.
[28] Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits. Sandeep Bhatkar, Daniel DuVarney and R. Sekar. USENIX Security Symposium (USENIX Security), August 2003.