
Page 1: Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection

Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection

Yuji Kosuga, Kenji Kono, Miyuki Hanaoka

Keio University

Miho Hishiyama, Yu Takahama

IX Knowledge Inc.

2007 Annual Computer Security Applications Conference (ACSAC)

Page 2: OUTLINE

1. Introduction

2. Related Work

3. Design of Sania

4. Implementation

5. Experiments

6. Conclusion

Page 3: 1. Introduction

Databases are threatened by SQL injection attacks.

Sanitizing

Discovering SQL injection vulnerabilities is based on penetration testing.

SELECT * FROM users WHERE name = 'xxx' AND password = '' or '1'='1'

SELECT * FROM users WHERE name = 'xxx' AND password = '" or "1"="1'

Page 4: 1. Introduction (cont.)

Sania

Automatically identifies potentially vulnerable spots in the SQL queries.

Generates attack requests.

Compares the parse trees of the SQL queries generated for an innocent HTTP request and for an attack request.

Page 5: 2. Related Work

Framework Support

A validator prohibits an input from including meta-characters.

Transforms the dangerous characters into safe ones.

Page 6: 2. Related Work (cont.)

Prepared Statement

Separates the values in a query from the structure of the SQL.

All the legacy web applications must be re-written.

// Bound parameters are sent as values, never parsed as SQL
PreparedStatement stmt = conn.prepareStatement("INSERT INTO message VALUES(?, ?)");
stmt.setString(1, "razor");
stmt.setString(2, "[email protected]");
stmt.executeUpdate();
stmt.clearParameters();

Page 7: 2. Related Work (cont.)

Combined Static and Dynamic Analysis

Uses static analysis to build models of the SQL queries.

Intercepts all SQL queries before they are sent to the database.

Checks each query against the statically built models.

Page 8: 2. Related Work (cont.)

Machine Learning Approach

An intrusion detection system (IDS) based on a machine learning technique.

The overall IDS quality depends on the quality of the training set.

It cannot thoroughly check all the vulnerable spots the way traditional penetration testing does.

Page 9: 2. Related Work (cont.)

Instruction-Set Randomization

Creates SQL queries using randomized keywords instead of the normal SQL keywords.

Page 10: 3. Design of Sania

Specifying Vulnerable Spots

The vulnerable spots are the places that have the potential to become SQL injection security holes.

HTTP request includes: id=555&cat=book

Generated SQL query: SELECT * FROM users WHERE user_id=555

Page 11: 3. Design of Sania (cont.)

Crafting Attack Requests

Linear attack: Sania inserts an attack code into a single vulnerable spot.

Combination attack: Sania inserts attack codes into two or more vulnerable spots at the same time.

Page 12: 3. Design of Sania (cont.)

Linear attack

Each attack code is represented as a four-element tuple:

(userInput, metaCharacter, parentheses, insertedSQL)

Example attack codes:

(λ | ε, ' | ", true, or '1'='1 | or "1"="1 | or 1=1-- | or 1=1;-- | or 1=1/*)

(λ, ε, false, from yyy-- | from yyy;-- | from yyy/*)

Original query: SELECT id, xxx from users

Attack query: SELECT id, xxx from yyy-- from users

Page 13: 3. Design of Sania (cont.)

Combination Attack

A combination attack exploits two or more vulnerable spots at the same time to inject an SQL query.

SELECT * FROM users WHERE name='ø1' and password='ø2' (øi: vulnerable spot)

SELECT * FROM users WHERE name='\' and password=' or 1=1--'

Page 14: 3. Design of Sania (cont.)

Validation

SELECT * FROM users WHERE name='' or '1'='1'

[Figure: properly sanitized parse tree]

[Figure: improperly sanitized parse tree]
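The spot identification (page 10), the combination attack (page 13) and the structural validation (page 14) above, as one added Python example that is not Sania's own code: a token-level stand-in for the parse-tree comparison, driven by a hypothetical login query whose sanitizer escapes quotes but not backslashes (all names and sample values are constructed for this example).

```python
import re
from urllib.parse import parse_qsl

# Constructed token grammar: quoted literals may contain backslash escapes;
# comments and ';' count as structure, never as data.
TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<NUM>\d+)
  | (?P<COMMENT>--[^\n]*|/\*.*?\*/|;)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP>[=*(),<>!]+)
  | (?P<WS>\s+)
  | (?P<OTHER>.)""", re.VERBOSE | re.DOTALL)

def tokens(sql):
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)
            if m.lastgroup != "WS"]

def structure(sql):
    """Parse-tree stand-in: literals collapse to a placeholder, the rest is structure."""
    return [k if k in ("STR", "NUM", "COMMENT") else v.lower() for k, v in tokens(sql)]

def vulnerable_spots(query_string, sql):
    """Page 10: a request parameter is a vulnerable spot when its value shows
    up as a literal in the generated query (id=555 does, cat=book does not)."""
    literals = {v.strip("'\"") for k, v in tokens(sql) if k in ("STR", "NUM")}
    return [name for name, value in parse_qsl(query_string) if value in literals]

def escape_quotes(value):
    # Hypothetical sanitizer: escapes quotes but not backslashes, so a lone
    # backslash in one spot swallows the closing quote (the page 13 combination).
    return value.replace("'", "\\'")

def build_query(name, password, sanitize=True):
    """Hypothetical login query built by string concatenation."""
    if sanitize:
        name, password = escape_quotes(name), escape_quotes(password)
    return f"SELECT * FROM users WHERE name='{name}' and password='{password}'"

def injection_detected(innocent_sql, attack_sql):
    """Page 14: the attack reached the SQL layer if the structure differs from
    the innocent request's; a properly sanitized attack leaves it unchanged."""
    return structure(innocent_sql) != structure(attack_sql)

if __name__ == "__main__":
    innocent = build_query("xxx", "secret")
    print(vulnerable_spots("id=555&cat=book", "SELECT * FROM users WHERE user_id=555"))
    print(injection_detected(innocent, build_query("xxx", "' or '1'='1")))  # False
    print(injection_detected(innocent, build_query("\\", " or 1=1--")))     # True
```

The linear attack is neutralised by the quote escaping, but the two-spot backslash attack changes the structure and is reported, which is exactly the difference between the two parse trees on page 14.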

Page 15: 3. Design of Sania (cont.)

Validation

Because queries are built dynamically, Sania allows the user to control how the parse trees are matched.

Page 16: 4. Implementation

Sania is written in Java (13,000 lines of code).

The list of attack codes is written in XML (1,800 lines of code).

The SQL parser is implemented with JavaCC and JSqlParser.

Page 17: 5. Experiments

Page 18: 5. Experiments (cont.)

This result reveals that Sania can:

Execute precise linear attacks.

Execute powerful combination attacks.

Page 19: 5. Experiments (cont.)

False Positives

Tool   Num.  Description
Sania  13
        8    Length of attack code was too long
        3    Backslash mistakenly broke query
        1    Failed to delete inserted SQL query
        1    Authentication failed
Paros  67
       16    Attack codes are mistakenly injected to state parameters
       15    Contents of response page was changed after editing
       13    These spots were already sanitized
       10    Length of attack code was too long
        9    Type of code does not match
        4    Duplicate warnings are received

False-positive categories: Length and Type Error; Misallocated Backslash; Database Record Conflict; Field Data Conflict; Attacking Potentially Safe Spots; Mishandling of Dynamic Contents; Duplicate Warnings.

Page 20: 6. Conclusion

Sania is designed to check for SQL injection vulnerabilities in the development and debugging phases.

Sania has proved effective: it found 39 SQL injection vulnerabilities and incurred only 13 false positives.