Web Security – Part 3: SQL Injection
Haipeng Dai, haipengdai@nju.edu.cn, 313 CS Building, Department of Computer Science and Technology, Nanjing University
2 SQL Injection and XSS are top 2 attacks
[Chart: Web Vulnerabilities by Class, Q1–Q2 2009. Classes shown: SQL Injection, Cross-Site Scripting, Code Injection, Authentication, Information Leak/Disclosure, Authorization, Cross-Site Request Forgery, Buffer Errors, Web Server, Path (Directory) Traversal, Web Browser.]
Source: http://media.smashingmagazine.com/cdn_smash/wp-content/uploads/2010/01/4239939571_b7d3cddc83_o.gif
3 Normal SQL Queries on Web
Most web applications involve database queries.
SQL: Structured Query Language. Used for query, delete, insert, and update database records.
Phonebook Record Manager form: Username: John, Password: abcd, Submit.
Data flow: Web browser -> (User Input) -> Application Server -> (SQL Query) -> Database -> (Result Set) -> Application Server -> (Web Page) -> Web browser.
SELECT * FROM phonebook WHERE username = 'John' AND password = 'abcd'
John's phonebook entries are displayed.
4 SQL Injection
Malicious query input in the Phonebook Record Manager form: Username: John' OR 1=1 --, Password: not needed, Submit.
Resulting query:
SELECT * FROM phonebook WHERE username = 'John' OR 1=1 --' AND password = 'not needed'
Everything after -- is ignored!
Data flow: Web browser -> (User Input) -> Application Server -> (SQL Query) -> Database -> (Result Set) -> Application Server -> (Web Page) -> Web browser.
All phonebook entries are displayed.
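The query on this slide, built by pasting the form fields into the SQL text, beside the parameterized form that closes the hole. This is an added example, not code from the slides; the phonebook table, its rows and the lookup function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample phonebook (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (username TEXT, password TEXT, entry TEXT)")
    conn.executemany("INSERT INTO phonebook VALUES (?, ?, ?)", [
        ("John", "abcd", "Alice 555-0100"),
        ("John", "abcd", "Bob 555-0101"),
        ("Mary", "zzzz", "Carol 555-0102"),
    ])
    return conn


def lookup_vulnerable(conn, username, password):
    # The slide's pattern: user input is concatenated straight into the SQL
    # text, so a quote in the input ends the string and "--" comments out the
    # password check.
    sql = ("SELECT entry FROM phonebook WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username, password):
    # Placeholders: the driver passes the values separately from the SQL
    # text, so quotes and "--" in the input are data, never SQL syntax.
    sql = "SELECT entry FROM phonebook WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "John", "abcd"))                       # John's 2 entries
    print(lookup_vulnerable(db, "John' OR 1=1 --", "not needed"))      # all 3 entries leak
    print(lookup_parameterized(db, "John' OR 1=1 --", "not needed"))   # []
    print(lookup_parameterized(db, "John", "abcd"))                    # John's 2 entries
```

The parameterized lookup treats the whole string `John' OR 1=1 --` as a username that matches no row, which is the "sanitize your inputs" lesson of the next slide done the right way.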
5 Exploits of a mum
[xkcd comic, transcript:]
School: Hi, this is your son's school. We're having some computer trouble.
Mum: Oh, dear – did he break something?
School: In a way – did you really name your son Robert'); DROP TABLE Students;-- ?
Mum: Oh, yes. Little Bobby Tables, we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mum: And I hope you've learned to sanitize your database inputs.
Source: http://imgs.xkcd.com/comics/exploits_of_a_mom.png