How To Protect Against SQL Injection Attacks
SQL injection occurs when an attacker uses an input such as the application's login page to pass SQL commands to the database, which the application then executes with its own (often over-privileged) database account. An application is susceptible when:
- user input is not validated,
- SQL statements are built by concatenating input instead of using parameters, and
- the application connects with an over-privileged database login.
SQL injection example: if the user types the string '; DROP DATABASE pubs -- into the SSN text box and the application concatenates that string into its query, the statement sent to the server becomes:
SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --'
Protecting against SQL injection:
- 1. Constrain input
- 2. Use parameters with stored procedures
- 3. Use parameters with dynamic SQL
Constrain input: check the length of the input and the characters it may contain, for example with a regular expression, before the value reaches the data access code. If the data access code is packaged as a library used by several client applications, validate inside the library as well rather than relying on the client applications to do it.
using System.Data;
using System.Data.SqlClient;
...
using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // The SSN travels as a typed parameter and is never concatenated into the SQL text
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM authors WHERE au_id = @au_id", connection);
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = SSN.Text;
    myCommand.Fill(userDataset);
}
Parameter Batching
A common misconception is that a batch of statements sent to the server in a single round trip cannot use parameters. It can: the only requirement is that every parameter name in the concatenated SQL text is unique across the whole batch, as in the following example.
using System.Data;
using System.Data.SqlClient;
...
using (SqlConnection connection = new SqlConnection(connectionString))
{
SqlDataAdapter dataAdapter = new SqlDataAdapter(
"SELECT CustomerID INTO #Temp1 FROM Customers " +
"WHERE CustomerID > @custIDParm; SELECT CompanyName FROM Customers " +
"WHERE Country = @countryParm and CustomerID IN " +
"(SELECT CustomerID FROM #Temp1);",
connection);
SqlParameter custIDParm = dataAdapter.SelectCommand.Parameters.Add(
"@custIDParm", SqlDbType.NChar, 5);
custIDParm.Value = customerID.Text;
// The second statement's parameter must also be declared, under its own unique name
// (country is assumed to be the text box holding the country value)
SqlParameter countryParm = dataAdapter.SelectCommand.Parameters.Add(
"@countryParm", SqlDbType.NVarChar, 15);
countryParm.Value = country.Text;
connection.Open();
DataSet dataSet = new DataSet();
dataAdapter.Fill(dataSet);
}
...
Additional considerations for SQL injection:
- Use escape routines to handle special input characters.
- Use a least-privileged database account.
- Avoid disclosing error information.
Error handling: catch exceptions in the application, write the detailed error information to a local log, and return only a generic error to the client. Do not show the user the nature of a database error, because that detail helps compromise the database's security: a malicious user can deconstruct error messages to learn the connection string, the SQL server name, table names and the database naming conventions, and then use that knowledge to craft SQL queries and malicious code.
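As an added example that is not part of the original document, here is the authors lookup written with a parameterized query and the error handling described above; the class and method names, the local trace log and the message text are my assumptions, while the query and column names come from the page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// Added example, not code from the original document. Class, method and
// message names are assumptions; the query and column names come from the page.
public static class AuthorLookup
{
    // Returns the matching rows; on a database error returns null and sets a
    // generic message that is safe to show to the client.
    public static DataSet FindBySsn(string connectionString, string ssn, out string userMessage)
    {
        userMessage = null;
        try
        {
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                SqlDataAdapter myCommand = new SqlDataAdapter(
                    "SELECT au_lname, au_fname FROM authors WHERE au_id = @au_id", connection);
                // The value is sent as typed data, so input such as '; DROP DATABASE pubs --
                // is compared literally against au_id instead of being executed.
                myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
                DataSet userDataset = new DataSet();
                myCommand.Fill(userDataset);
                return userDataset;
            }
        }
        catch (SqlException ex)
        {
            // The full exception (server name, failing statement, table names) goes to the
            // local trace log that only administrators can read, never into the response.
            Trace.TraceError("Authors lookup failed: {0}", ex);
            userMessage = "The request could not be completed. Please try again later.";
            return null;
        }
    }
}
```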
Cross-site scripting (XSS) attack countermeasures (1)
♦ Web pages can contain cross-site scripting vulnerabilities.
♦ Cross-site attacks deliver script to a user's browser through the application's own pages.
♦ Validate input with regular expressions and ASP.NET validator controls.
♦ The browser executes script code placed inside HTML tags.
♦ Review the HTML tags and attributes your pages emit.
Cross-site scripting (XSS) attack countermeasures (2)
♦ Validate input
♦ Encode output
Validate input: check the input for malicious code by constraining its type, length, format and range.
♦ ASP.NET provides server-side validator controls such as RegularExpressionValidator and RangeValidator.
♦ Regular expressions can also be checked in server-side code with System.Text.RegularExpressions.Regex. Client-side HTML input controls, and input supplied from other sources such as query strings or cookies, must be validated on the server as well.
♦ Validate integers, doubles, dates and currency amounts by converting the input to the equivalent .NET Framework data type and handling the resulting conversion errors.
Encode output: encode user input, and data read from a database or any other source, with the HttpUtility.HtmlEncode method before writing it to the page. HtmlEncode replaces characters that have special meaning in HTML, so < is replaced with &lt; and " is replaced with &quot;. The browser then renders the data as text instead of executing it as code. URLs constructed from input should be encoded with HttpUtility.UrlEncode.
Create an ASP.NET page that disables request validation. To do this, set ValidateRequest="false", as shown in the following code example.
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
void btnSubmit_Click(Object sender, EventArgs e)
{
    // If ValidateRequest is false, then 'hello' is displayed
    // If ValidateRequest is true, then ASP.NET returns an exception
    Response.Write(txtString.Text);
}
</script>
<body>
<form id="form1" runat="server">
<asp:TextBox id="txtString" runat="server" Text="<script>alert('hello');</script>" />
<asp:Button id="btnSubmit" runat="server"
    OnClick="btnSubmit_Click"
    Text="Submit" />
</form>
</body>
</html>
Locate the places where the page returns HTML or URL output to the client, such as Response.Write calls and <%= %> blocks, and encode the data written there. For example:
<html>
<form id="form1" runat="server">
<div>
Color: <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox><br />
<asp:Button ID="Button1" runat="server" Text="Show color"
OnClick="Button1_Click" /><br />
<asp:Literal ID="Literal1" runat="server"></asp:Literal>
</div>
</form>
</html>
<script runat="server">
protected void Button1_Click(object sender, EventArgs e)
{
    // HtmlEncode the user-supplied value before placing it in the markup
    Literal1.Text = @"<span style=""color:"
        + Server.HtmlEncode(TextBox1.Text)
        + @""">Color example</span>";
}
</script>
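The following is an added example, not code from the original document: it shows the "Color example" span built with the output encoder matched to the context the data lands in (style attribute, HTML body, URL). The class and method names are assumptions, as is the shape check for a CSS colour value.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not code from the original document. Class and method names are
// assumptions; the "Color example" span and the two encoders come from the page.
public static class SafeOutput
{
    // A CSS colour has a small, known shape: a 3- or 6-digit hex triplet or a colour name.
    static readonly Regex CssColour =
        new Regex(@"^(#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6}|[A-Za-z]{1,20})$");

    // Style attribute: HtmlEncode stops the value from breaking out of the attribute,
    // but it does not constrain what CSS the value contains, so validate the shape first.
    public static string ColourSpan(string colour)
    {
        if (!CssColour.IsMatch(colour))
            throw new ArgumentException("Invalid colour parameter");
        return "<span style=\"color:" + HttpUtility.HtmlEncode(colour) + "\">Color example</span>";
    }

    // HTML body: HtmlEncode turns <, >, & and " into entities, so a value such as
    // <script>alert('hello');</script> is rendered as text rather than executed.
    public static string Greeting(string name)
    {
        return "Hello, " + HttpUtility.HtmlEncode(name);
    }

    // URL built from input: UrlEncode is the right encoder for a query string value;
    // the finished href is then HTML-encoded as well because it sits inside an attribute.
    public static string ProfileLink(string name)
    {
        string url = "profile.aspx?name=" + HttpUtility.UrlEncode(name);
        return "<a href=\"" + HttpUtility.HtmlEncode(url) + "\">Profile</a>";
    }
}
```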
HTML tags: the following HTML tags allow a malicious user to inject script:
• <applet>
• <body>
• <embed>
• <frame>
• <script>
• <frameset>
• <html>
• <iframe>
• <img>
• <style>
• <layer>
• <link>
• <ilayer>
• <meta>
• <object>
An attacker can also use attributes such as src, lowsrc, style and href for cross-site scripting. The src attribute of <img> is a common source of injection; the three forms below carry the same script, the last two with embedded line breaks and whitespace that a naive character filter can miss:
<img src="javascript:alert('hello');">
<img src="java
script:alert('hello');">
<img src="java
 script:alert('hello');">
The <style> tag can also carry script:
<style TYPE="text/javascript">
alert('hello');
</style>
<script runat="server">
protected void submitBtn_Click(object sender, EventArgs e)
{
    // Handler body is not present in the source; shown here as the encode-output
    // approach described above: encode the submitted HTML before writing it back
    Response.Write(Server.HtmlEncode(htmlInputTxt.Text));
}
</script>
<html>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="htmlInputTxt" Runat="server"
TextMode="MultiLine" Width="318px"
Height="168px"></asp:TextBox>
<asp:Button ID="submitBtn" Runat="server"
Text="Submit" OnClick="submitBtn_Click" />
</div>
</form>
</body>
</html>
Additional countermeasures that help prevent cross-site scripting:
♦ Set the correct character encoding
♦ Do not rely on input sanitization
♦ Use the HttpOnly cookie option
♦ Use the <frame> security attribute
♦ Use the innerText property instead of innerHTML
The character encoding can be set in configuration, or per page with the directive:
<% @ Page ResponseEncoding="iso-8859-1" %>
Validating a name parameter with a regular expression that allows only letters, spaces and apostrophes, up to 40 characters:
using System.Text.RegularExpressions;
...
if (!Regex.IsMatch(Request.Form["name"],
@"^[\p{L}\p{Zs}\p{Lu}\p{Ll}\']{1,40}$"))
throw new ArgumentException("Invalid name parameter");
Input sanitization
Do not rely on code that filters unsafe characters out of input to make it safe. A malicious user can represent the same character in many different ways (Table 1 lists common characters and their alternative encodings), so such filtering is easily bypassed; instead validate that the input matches what you expect and reject anything else.
Using the innerText property instead of innerHTML:
<html>
<body>
<span id="Welcome1" runat="server"> </span>
<span id="Welcome2" runat="server"> </span>
</body>
</html>
<script runat="server">
private void Page_Load(Object Src, EventArgs e)
{
    // Using InnerText renders the content safe - no need to HtmlEncode
    Welcome1.InnerText = "Hello, " + User.Identity.Name;
    // Using InnerHtml requires HtmlEncode to make the content safe
    Welcome2.InnerHtml = "Hello, " + Server.HtmlEncode(User.Identity.Name);
}
</script>
mysql_real_escape_string
PHP's mysql_real_escape_string is a MySQL library function that prepends backslashes to the characters \x00, \n, \r, \, ' and " so that they are treated as data rather than as SQL syntax. It only protects values that are placed inside quotes in the SQL text, and the mysql extension it belongs to was removed in PHP 7; with mysqli or PDO the equivalent protection is a prepared statement with bound parameters.
<?php
// Assumed here: the values come from the login form's POST fields
$user = $_POST['user'];
$password = $_POST['password'];
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
?>
Hacker password login
Security
Web Developer Security
Website function
...
http://www.mmcert.org.mm/