DEFCON 17 – SQL Injection Attacks

SQL Injection Attacks

I don’t know about you but part of my education has always been to study code and learn the latest attack techniques.  I enjoy reading code and have been doing this for longer than I can remember.  Much of this code can be found with a google search or on some of the underground hacker websites.  Next time you find a tool, use some of this inside knowledge from the code you are looking at to find even better and darker sides of the net. I have found this to be a quick way to come up to speed on a new attack vector when necessary.

Another method is to watch the videos from various hacker conferences.  Today I was watching a DEFCON 17 talk about SQL injection attacks and it gave me new insights of why log analysis is even more important today and some new discovery tools to have a look at the next time I am looking for new source code.  The speaker of this talk was Joseph McCray who was an entertaining and passionate speaker about his profession.  He has spent a lot of time researching and honing his trade and shared some of his tricks.  His entire talk can be found on youtube here.

Joe classified his techniques to three types of SQL injection methods based on our ability to learn from the server what the attack is doing.  The types are:

  1. Inband – Any errors you can see immediately with your browser or you screen
  2. Out of band – response back via secondary channel such as email or different method than web server
  3. Inferential – these are blind sql attacks and you receive no error messages from the attack but can infer by using techniques by delaying a response page from coming up with a delay timer for example.

He listed a few tools and the importance in knowing if they utilize error or blind testing before using them.  Blind testing can take a lot of time so knowing this in advance can save yourself days.

  • mieliekoek.pl – SQL insertion crawler which tests all forms on a web site
  • wpoison – discovery tool
  • sqlmap – Automatic SQL injection and database takeover tool
  • wapiti – Web application vulnerability scanner / security auditor
  • w3af – Web Application Attack and Audit Framework
  • paros – Web  Application Security Assessment
  • sqid – Sql injector digger
  • webgoat – open web application security framework
  • coreimpact – commercial
  • PHPIDS – PHP-Intrusion Detection System

He provided a few reference links at the end of the talk that I have taken the liberty to make a screen shot.

My take away continues to be:

  • prepared statements when possible
  • careful input scrubbing while important can be ineffective against a determined individual
  • parameterized queries can be attacked at the tag
  • injection are now done even in stored procedures
  • data validation continues to be the key but is difficult

Some security frameworks such as mod_security, webknight and dotnet defender (paper) are becoming fairly easy for hackers to identify as web application firewalls and get around.

The mantra continues to be… its not the script kiddies that you catch that should matter but the attacks from others you miss. He had a great slide of a soccer goalie who saved a ball.  “Yes I stopped one”.  Unfortunately, the net contained 100’s of balls and that is what current IDS are up against.