11 SQL Injection in Real-life (2/2)

On March 29, 2006, Susam Pal discovered an SQL injection flaw in www.incredibleindia.org, an official Indian government tourism site.
On January 1, 2007, Dr.Jr7 SQL injected Nokia's website in a rather tame and civil way, but then Digg users proceeded to change it to Goatse and bukkake.
On March 2, 2007, Sebastian Bauer discovered an SQL injection flaw in the knorr.de login page.
On June 29, 2007, a hacker defaced a Microsoft U.K. web page using SQL injection.
On August 12, 2007, the United Nations web site was defaced using SQL injection.
12 SQL Injection Prevention

Design Principles:
─ Avoiding application structures that leave apps vulnerable
Coding Practices:
─ Preventing bad SQL fragments from being executed
─ Blocking bad input / input sanitation
Database Practices:
─ Making the database less vulnerable to any type of attack
Infrastructure Support:
─ Preventing attacks on any application
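The coding practice "preventing bad SQL fragments from being executed" comes down to keeping user text out of the SQL statement's structure. The following is an added example, not code from the slides: a constructed in-memory SQLite table is queried once by string concatenation and once with a bound parameter. An ordinary username containing an apostrophe (o'brien) is enough to show the difference: the concatenated statement is parsed as SQL and breaks, while the parameterized one simply looks the value up. The table, its rows and the function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample database (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "ob@example.com")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the user's text is pasted into the SQL string, so any
    quote character in the input becomes part of the statement's syntax."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, username):
    """Safe pattern: the statement is fixed and the value travels separately as a
    bound parameter; the database engine never parses user text as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def concatenation_breaks_on_quote(conn):
    """True if a plain apostrophe in the input changes the concatenated query's
    structure (SQLite reports a syntax error) instead of being treated as data."""
    try:
        lookup_concatenated(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("parameterized, alice   :", lookup_parameterized(db, "alice"))
    print("parameterized, o'brien :", lookup_parameterized(db, "o'brien"))
    print("concatenated, alice    :", lookup_concatenated(db, "alice"))
    print("concatenation breaks on a quote:", concatenation_breaks_on_quote(db))
```

The point of the apostrophe test is that the concatenated query is already wrong on legitimate input; an error on a benign name is the same mechanism an attacker exploits, so a syntax error like this in the application log is a cheap early signal that a query is being built by concatenation.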
13 Design Principle - No Anonymous User Input Data

Force users to create an account, which is verified with an email.
Use Captcha or similar graphics-to-text entry to prevent automated/bot data entry into systems.
Log all data entry by web request: who, what, where, when and from which IP.
14 Design Principle - Authentication

Eliminate all database-based username and password stores.
─ A login page is the entry point into an application and must allow anonymous data entry.
─ SQL injection is frequently used to bypass security.
Many inexpensive and free alternatives exist for authentication stores.
─ OpenLDAP is easy, free, and access is through LDAP calls and not SQL.
Caution: Do not mix internal and external users in the same LDAP store if possible.
15 Design Principle - Avoid free text where possible and never accept HTML tags

Constraining inputs to drop downs and formatted text boxes simplifies the validations necessary to trap SQL injection attempts.
HTML tags are a very common malware vector.
─ Better to break up input into multiple text fields.
─ Use formatting options through drop downs, check boxes and other fixed input fields.
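Constraining each field to a drop down, a set of check boxes or a tightly formatted text box makes server-side validation an allow-list check rather than a hunt for bad characters. The following is an added example, not code from the slides: a hypothetical form with a country drop down, newsletter check boxes, and postal-code and phone text boxes is validated field by field; values outside the allow-list or pattern, and anything containing an HTML tag, are refused outright rather than "cleaned". The field names, allowed values and patterns are assumptions made for the example.

```python
import re

# Constructed allow-lists for the fixed-choice fields (hypothetical form).
COUNTRIES = {"IN", "DE", "GB", "US"}
NEWSLETTER_FLAGS = {"daily", "weekly"}

# One tight pattern per formatted text box instead of one free-text blob.
POSTAL_CODE = re.compile(r"^[A-Z0-9 -]{3,10}$")
PHONE = re.compile(r"^\+?[0-9]{6,15}$")

# Anything that looks like an HTML tag is rejected in every text field.
HTML_TAG = re.compile(r"<[^>]*>")


class InvalidInput(ValueError):
    """Raised for any field that is not on the allow-list or pattern."""


def require_choice(value, allowed, field):
    """Drop down: the submitted value must be one of the rendered options."""
    if value not in allowed:
        raise InvalidInput(f"{field}: value not in allowed set")
    return value


def require_choices(values, allowed, field):
    """Check boxes: every selected value must be one of the rendered options."""
    bad = [v for v in values if v not in allowed]
    if bad:
        raise InvalidInput(f"{field}: {len(bad)} value(s) not in allowed set")
    return sorted(set(values))


def require_formatted(value, pattern, field):
    """Formatted text box: no HTML tags, and the whole value must match."""
    if HTML_TAG.search(value):
        raise InvalidInput(f"{field}: HTML tags are not accepted")
    if not pattern.fullmatch(value):
        raise InvalidInput(f"{field}: does not match the expected format")
    return value


def validate_form(form):
    """Validate one submitted form (dict of field -> raw value) and return the
    accepted values. A single bad field rejects the whole submission."""
    return {
        "country": require_choice(form.get("country", ""), COUNTRIES, "country"),
        "newsletter": require_choices(
            form.get("newsletter", []), NEWSLETTER_FLAGS, "newsletter"
        ),
        "postal_code": require_formatted(
            form.get("postal_code", ""), POSTAL_CODE, "postal_code"
        ),
        "phone": require_formatted(form.get("phone", ""), PHONE, "phone"),
    }


def is_valid(form):
    """Convenience wrapper: True if the form passes, False otherwise."""
    try:
        validate_form(form)
        return True
    except InvalidInput:
        return False


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one carrying an HTML tag.
    good = {"country": "IN", "newsletter": ["weekly"],
            "postal_code": "110001", "phone": "+911234567890"}
    tagged = dict(good, postal_code="<b>110001</b>")
    print("well-formed submission accepted:", is_valid(good))
    print("submission with HTML tag accepted:", is_valid(tagged))
```

Because every field has its own allow-list or pattern, the validator never needs to know which characters are dangerous to a particular database; it only needs to know what the form is supposed to produce, which is why the slide's advice to split free text into several fixed fields pays off on the server side as well.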