Surprise! The OWASP Belgian Chapter sent a late notification to announce an extra chapter meeting with a special guest: Joe McCray from Learn Security Online. Today’s topic was “Advanced SQL injections“. Joe is a well-known security specialist with strong penetration testing skills. He was in Belgium to provide training and it was a good opportunity to invite him. Thanks to OWASP-BE!
Only a few people were present tonight, I suppose due to the late notification. Too bad, because Joe’s presentation was really cool. First, he puts on a show! He is not afraid to say what he thinks in his own words. I should have counted the number of times he said “Fix your shit!” 😉
The presentation started with small examples of basic SQL injections: just by adding an extra single quote to a URL, it’s possible to detect whether the site is vulnerable or not. An important remark about the database enumeration process: if you detect that the database server contains a lot of databases, it may be a shared environment. Remember that, even if your site is bullet-proof (ok, ok, none are), your security may be affected by a badly protected neighbor site. Keep this in mind!
To summarize briefly, SQL injection attacks are based on a three-step process:
- Identify the target (enumeration, version disclosure, etc)
- Define how to attack
- Protect yourself so as not to be caught!
There are three classes of SQL injections:
- In-band (the same channel is used to send the attack and get the results)
- Out-of-band (data is retrieved using a different channel)
- Inferential (no data is returned to the attacker, only the website’s behavior is affected, for example through timeouts)
Joe also explained how it is possible to grab interesting data like user names, database names, version or path using the UNION syntax. The queries became more and more complex but, with some practice, they become second nature. After the offensive part, he reviewed the defensive part and the classic mistakes to avoid:
- Client side filtering?
- Restrictive blacklists?
- Signature based IDS?
Forget them! It’s easy to bypass those countermeasures, often just by changing the encoding or because of stupid rules. The next step was a brief introduction to techniques for detecting IDS and WAF (“Web Application Firewall“). Those systems suffer from a major lack of decoding capabilities. In the worst case, they don’t support extra encodings (like hex, UTF, etc.) or they only support a few of them. Why? Because decoding the URLs against all the methods requires a lot of CPU cycles. A WAF can only be considered a temporary fix until the detected issue has been fixed by the developers. About the developers, Joe suggests reporting all security holes as regular “bugs”. Developers are not aware of security, but they are “bug hunters”.
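As an added illustration (my example, not code from Joe’s talk or slides), here is the single-quote probe from the start of the talk run against three handlers: a concatenated query, the same query behind a blacklist that inspects the raw URL parameter before decoding, and a parameterized query. The `users` table, the names and the blacklist are constructed for the demo.

```python
import sqlite3
from urllib.parse import unquote

def make_db():
    # Constructed in-memory table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_concat(conn, name):
    # The classic mistake: the parameter is pasted into the SQL text, so a
    # single quote changes the syntax of the statement instead of the data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # The fix: the driver binds the value, a quote is just another character.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed restrictive blacklist of the kind the talk warned against.
BLACKLIST = ("'", "--", ";")

def blacklist_passes(raw_param):
    # Mirrors the decoding gap discussed above: the filter looks at the raw,
    # still URL-encoded value, while the application decodes it afterwards.
    return not any(token in raw_param for token in BLACKLIST)

def probe(conn, raw_param):
    """Return (blacklist verdict, concatenated-query result, parameterized result).

    The concatenated query reports a syntax error as a string, which is exactly
    the signal the single-quote probe looks for; the parameterized query simply
    finds no matching row.
    """
    decoded = unquote(raw_param)
    allowed = blacklist_passes(raw_param)
    try:
        concat_result = lookup_concat(conn, decoded)
    except sqlite3.OperationalError as exc:
        concat_result = f"error: {exc}"
    return allowed, concat_result, lookup_param(conn, decoded)

if __name__ == "__main__":
    db = make_db()
    for param in ("alice", "alice'", "alice%27"):
        print(param, "->", probe(db, param))
```

The encoded variant passes the blacklist but still produces the SQL syntax error, which is why the talk treats such filters as a stopgap and parameterized queries as the actual fix.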
After the presentation, a relaxed, informal discussion continued over several security topics. It was interesting to compare the security landscapes in Europe and in the United States.