SQL Injection and DoS

Post on 27-May-2015


DESCRIPTION

Edgis Sharing Session – SQL Injection and Denial-of-Service Attacks at School of Digital Media and Infocomm Technology, Singapore Polytechnic September, 2011

TRANSCRIPT

Edgis Workshop SQL Injection & DoS

Emil Tan

&

Han

http://edgis-security.org

September, 2011

Agenda

• SQL Injection

– Demonstrations

– Countermeasures

• What is DoS?

– Demonstrations

– Countermeasures

SQL Interface

http://edgis-security.org/

INSERT INTO CreditRecords (Name, CardNum) VALUES ('" & Request.Form("Username") & "', '" & Request.Form("CreditCard") & "')

INSERT INTO CreditRecords (Name, CardNum) VALUES ('Alice', '123-456-789')

SQL Injection


INSERT INTO CreditRecords (Name, CardNum) VALUES ('Eve', '1'); EXEC xp_cmdshell 'del *.*' -- ')

(CreditCard field submitted as: 1'); EXEC xp_cmdshell 'del *.*' -- ; the attacker's closing quote and parenthesis finish the INSERT, the second statement runs as the database user, and -- comments out the rest of the original query.)

SQL Injection (cont’d)

Exploit of a Mom http://xkcd.com/327/

Information Leakage

• Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x1A2B3C4D) [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' and password = ', /login.asp, line 30

• Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x1A2B3C4D) [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' and password = '123'', /login.asp, line 30

• The raw error echoes the user string together with the surrounding query text (and password = ...), so the attacker learns the query structure; validate user strings and return a generic error page instead of the database message

Information Leakage (cont’d)

• UNION Poisoning (the attacker's input supplies the closing quote and everything after it; the injected SELECT must return the same number of columns as the original query, four here)

SELECT * FROM records WHERE user='[user input]' union all select name, xtype, 0, 0 from sysobjects --

SELECT * FROM records WHERE user='[user input]' union all select <column>, 0, 0, 0 from <schema.columns> --


SQL Injection (Demonstration)

• OWASP Insecure Web App Project


Countermeasures


• Validate, Validate, Validate

– Client-Side, Server-Side

• Prepared Statements (parameterised queries): the value is bound by the driver and never parsed as SQL
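The following is an added example, not code from the workshop or from the OWASP InsecureWebApp. It reproduces the concatenation pattern of the ASP INSERT/SELECT slides, the UNION poisoning queries, and the two countermeasures above, against an in-memory SQLite database. The tables, rows and attacker strings are constructed for the demo; sqlite_master stands in for SQL Server's sysobjects, and the USERNAME_RE allow-list is an assumed policy, not one the slides prescribe.

```python
import re
import sqlite3

# Assumed allow-list for usernames (not from the slides): letters, digits, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db():
    """Constructed sample data: a four-column records table and the CreditRecords table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE records (user TEXT, email TEXT, balance INTEGER, flags INTEGER);
        CREATE TABLE CreditRecords (Name TEXT, CardNum TEXT);
        INSERT INTO records VALUES ('alice', 'alice@example.com', 100, 0);
        INSERT INTO records VALUES ('bob',   'bob@example.com',   250, 0);
        INSERT INTO CreditRecords VALUES ('Alice', '123-456-789');
    """)
    return conn


def lookup_vulnerable(conn, user_input):
    """Same pattern as the ASP slide: the request value is glued into the SQL text,
    so quotes, UNION and -- in the value are parsed as SQL."""
    sql = "SELECT * FROM records WHERE user='" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Prepared statement: the value travels as a bound parameter and can only
    ever be compared against the user column, never executed."""
    return conn.execute("SELECT * FROM records WHERE user=?", (user_input,)).fetchall()


def lookup_validated(conn, user_input):
    """Server-side validation on top of the prepared statement. Anything outside
    the allow-list is rejected with a generic error; no driver or SQL text leaks
    to the client the way the ODBC messages on the slide do."""
    if not USERNAME_RE.match(user_input):
        raise ValueError("invalid username")
    return lookup_safe(conn, user_input)


# Constructed attacker strings.
# Tautology: WHERE user='' OR '1'='1' returns every row.
TAUTOLOGY = "' OR '1'='1"
# UNION poisoning: four columns to match records; lists every object in the schema.
UNION_TABLES = "x' union all select name, type, 0, 0 from sqlite_master --"


if __name__ == "__main__":
    db = build_db()
    print("tautology   :", lookup_vulnerable(db, TAUTOLOGY))
    print("union tables:", lookup_vulnerable(db, UNION_TABLES))
    print("prepared    :", lookup_safe(db, UNION_TABLES))
    try:
        lookup_validated(db, UNION_TABLES)
    except ValueError as exc:
        print("validated   :", exc)
```

The stacked-query payload on the slide (`'); EXEC xp_cmdshell ...`) is not reproduced here because Python's sqlite3 `execute()` refuses more than one statement per call; whether stacked statements run at all depends on the database and driver, and the classic ASP/SQL Server combination on the slide does run them. The UNION and tautology forms need no second statement and work wherever string concatenation is used.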

Denial-of-Service

• Attacks the Availability leg of the CIA triad (Confidentiality, Integrity, Availability)

• Classic Examples

– Ping of Death

– SYN Flood Attack

– LAND Attack

– Teardrop Attack

– Smurf Attack

• Distributed Denial-of-Service (DDoS)


Slowloris

• Written by Robert "RSnake" Hansen

• Notable Use

– Iran Presidential Election 2009

– Th3j35t3r against WikiLeaks & terrorist web sites

• How it Works

– Hold connections open by sending partial HTTP requests

– Send subsequent headers at regular intervals to keep the sockets from closing

– Full TCP connection but partial HTTP request (a SYN flood at the HTTP layer)

Slowloris (cont’d)

• Awesomeness

– Most effective against web servers that dedicate a thread or process to each connection (e.g. Apache prefork); a few hundred held sockets exhaust the worker pool, while event-driven servers are far less affected

– No logs will be written until request is completed

– “HTTP 400: Bad Request Error” message will be logged after the attack stops

– Web service will resume once attack is terminated


LOIC (Low Orbit Ion Cannon)

• Written by Praetox Technologies

• Notable Use

– 4Chan organized “refresh” attacks

– DoS Scientology

– #OpPayback

• How it Works?

– Overwhelms the server with floods of TCP, UDP or HTTP requests

– HiveMind mode: instances take their target from an IRC channel, i.e. DDoS mode

Demonstrations


• Slowloris

• LOIC

Countermeasures

• Increase the maximum number of clients the web server allows

• Limit the number of connections a single IP address is allowed to make

• Impose a minimum transfer rate a connection must sustain

• Restrict the length of time a client is allowed to stay connected
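An added example, not code from the workshop or from Slowloris itself, covering both the "How it Works" slide and the countermeasures above. The attacker side builds the partial request and the periodic bogus header exactly as described (no terminating blank line). The server side is a small guard that applies three of the countermeasures: a per-IP connection cap, a deadline for completing the request headers, and a minimum data rate. The deadline rule is modelled on Apache mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500` (20 s, extended by one second per 500 bytes, capped at 40 s); the class name, parameters and the example host are assumptions for the demo, and time is passed in explicitly so the behaviour is deterministic.

```python
import itertools
from dataclasses import dataclass


def slowloris_initial_request(host: str, path: str = "/") -> bytes:
    """Request line plus a few headers, deliberately WITHOUT the final blank line
    (CRLF CRLF), so a thread-per-connection server keeps waiting for the rest."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
        "Content-Length: 42\r\n"
    ).encode()


def slowloris_keepalive_header(n: int) -> bytes:
    """One bogus header line, sent every few seconds so a naive idle timer is
    reset without the request ever completing."""
    return f"X-a: {n}\r\n".encode()


def request_headers_complete(buf: bytes) -> bool:
    return b"\r\n\r\n" in buf


@dataclass
class _Conn:
    ip: str
    opened_at: float
    buf: bytes = b""


class SlowRequestGuard:
    """Server-side policy (assumed design): per-IP cap, header deadline, minimum rate."""

    def __init__(self, max_per_ip=20, header_timeout=20.0,
                 max_header_time=40.0, min_rate_bps=500):
        self.max_per_ip = max_per_ip
        self.header_timeout = header_timeout
        self.max_header_time = max_header_time
        self.min_rate_bps = min_rate_bps
        self._conns = {}
        self._ids = itertools.count(1)

    def _count(self, ip):
        return sum(1 for c in self._conns.values() if c.ip == ip)

    def accept(self, ip, now):
        """Return a connection id, or None if this IP already holds max_per_ip sockets."""
        if self._count(ip) >= self.max_per_ip:
            return None
        cid = next(self._ids)
        self._conns[cid] = _Conn(ip=ip, opened_at=now)
        return cid

    def feed(self, cid, data):
        """Append received bytes. True once the headers are complete; the connection
        is then handed to the application and no longer tracked here."""
        conn = self._conns[cid]
        conn.buf += data
        if request_headers_complete(conn.buf):
            del self._conns[cid]
            return True
        return False

    def _deadline(self, conn):
        # Base budget, extended by one second per min_rate_bps bytes received,
        # capped at max_header_time. Measured from open, so trickled headers
        # cannot push the deadline out indefinitely.
        extra = len(conn.buf) / self.min_rate_bps
        return conn.opened_at + min(self.header_timeout + extra, self.max_header_time)

    def sweep(self, now):
        """Drop every connection whose headers are still incomplete past its deadline.
        Returns [(cid, ip)] for the dropped ones."""
        dropped = []
        for cid, conn in list(self._conns.items()):
            if now > self._deadline(conn):
                dropped.append((cid, conn.ip))
                del self._conns[cid]
        return dropped


if __name__ == "__main__":
    guard = SlowRequestGuard(max_per_ip=3)
    attacker = "203.0.113.5"                      # constructed address
    ids = [guard.accept(attacker, now=0.0) for _ in range(4)]
    print("accepted:", ids)                        # fourth is None: per-IP cap
    guard.feed(ids[0], slowloris_initial_request("victim.example"))
    for n in range(5):                             # one bogus header every 5 s
        guard.feed(ids[0], slowloris_keepalive_header(n))
    print("dropped at t=19:", guard.sweep(now=19.0))
    print("dropped at t=25:", guard.sweep(now=25.0))
```

Note what the guard does not do: it never "increases the maximum number of clients" (the first countermeasure on the slide). Raising the worker count only raises the number of sockets the attacker must hold, so it is a stopgap; the deadline and rate rules are what actually free the workers.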

Countermeasures (cont’d)

• HTTPReady

• Apache Modules

– mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, mod_antiloris

• Reverse Proxies

• Firewall

• Load Balancers

• Cloudflare

End Note

• Security is more than patching your machine

– Configuration is equally important

• Be proactive in looking for vulnerabilities
