
Database Security Concepts & Attacks

Prepared By: Ruba Ardah

1
Agenda

• Relational Database
• Non Relational DB - NoSQL DB
• Database and data stores Attacks
• OWASP
• SQLi
• NoSQL Injection
• Broken Authentication and Session Management

2
Data Stores & Database

Relational DB & Non Relational DB

3
Databases Technology

In database technology there are two main types of databases. The main differences between them are how
they are built, the type of information they store, and how they store it.

• SQL (relational databases): structured, like phone books that store phone numbers and addresses.

• NoSQL (non-relational databases): document-oriented and distributed, like file folders that hold
everything from a person's address and phone number to their Facebook likes and online shopping
preferences.

4
Databases Technology

5
Relational Databases

• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data
• Database Management System (DBMS)
  • Suite of programs for constructing and maintaining the database
  • Query language such as SQL
  • Provides a uniform interface to the database

6
Relational Databases
• Table of data consisting of rows and columns
  • Each column holds a particular type of data
  • Each row contains a specific value for each column
  • Ideally has one column where all values are unique, forming an identifier/key for that row
• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
• Use a relational query language to access the database
  • Request data that fit a given set of criteria

7
Relational DB Architecture - Data Definition Language

• A data definition language (DDL) is used to define the database's logical structure and procedural properties, which
are represented by a set of database description tables.
• DDL operations
  • Create
  • Alter
  • Drop
• Database objects
  • Tables
  • Indexes
  • Stored procedures
  • Views and any other database objects

8
Relational DB Architecture - Data Manipulation Language

• A data manipulation language (DML) provides a powerful set of tools for application developers. Query
languages are declarative languages designed to support end users.
• Operations
  • Select
  • Insert
  • Remove
  • Update

The database management system makes use of the database description tables to manage the physical
database. The interface to the database is through a file manager module and a transaction manager module.
9
DBMS Architecture (DDL , DML)

10
Relational Databases Elements & Relations

• Elements:
  • Relation / table / file
  • Row / record
  • Attribute / column / field

• Types of Relations:
  • One to One Relation
  • One to Many Relation
  • Many to Many Relation

Primary Key
• Uniquely identifies a row
• Consists of one or more column names

Foreign Key
• Links one table to attributes in another

View / Virtual Table
• Result of a query that returns selected rows and columns from one or more tables

The relationship between tables and field types is called a schema. In a relational database, the schema must
be clearly defined before any information can be added.

11


12
SQL: Structured Query Language

SQL is a programming language used by database architects to design relational databases. In an SQL database
like MySQL, Sybase, Oracle, or IBM DB2, SQL executes queries, retrieves data, and edits data by updating,
deleting, or creating new records.

SQL is a lightweight, declarative language that does a lot of heavy lifting for the relational database, acting like a
database's version of a server-side script.

SQL advantages & why SQL is so popular

• It has a simple yet powerful JOIN clause, which allows developers to retrieve related data stored across
multiple tables with a single command.
• It fits naturally into many venerable software stacks, including LAMP and Ruby-based stacks.

13
SQL: Structured Query Language

SQL statements can be used to:

• Create tables
• Insert and delete data in tables
• Create views
• Retrieve data with query statements

• Originally developed by IBM in the mid-1970s
• Standardized language to define, manipulate, and query data in a relational database
• Several similar versions of the ANSI/ISO standard
14
SQL

• SQL: widely used non-procedural language

• E.g. find the name of the customer with customer-id 192-83-7465:

select customer.customer-name from customer where customer.customer-id = '192-83-7465'

• E.g. find the balances of all accounts held by the customer with customer-id 192-83-7465:

select account.balance from deposit, account where deposit.customer-id = '192-83-7465' and deposit.account-number = account.account-number

• Application programs generally access databases through one of:
  • Language extensions that allow embedded SQL
  • Application program interfaces (e.g. ODBC/JDBC) that allow SQL queries to be sent to a database

15
Relational Databases

16
Non-Relational DB

17
Non-Relational DB (NoSQL)

• Stands for Not Only SQL
• A non-relational DB means we have no tables
• Flexible DB used for big data and real-time web applications
• Multiple types of NoSQL DB, such as MongoDB, key-value stores, etc.

• If your data requirements aren't clear enough, or if you're dealing with massive amounts of unstructured
data, you may not have the luxury of developing a relational database with a clearly defined schema.
• Enter non-relational databases, which offer much greater flexibility than their traditional counterparts.

18
What is Big Data?

• A term for data sets that are so large that traditional methods of storage and processing are inadequate
• Massive increase in data volume within the last decade or so
  • Social networks, search engines, etc.
• Challenges in storage, capture, analysis, transfer, etc.

19
Advantages of NoSQL over RDBMS

• Handles Big Data
• Data Models – no predefined schema
• Data Structure – NoSQL handles unstructured data
• Cheaper to manage
• Scaling – scale out / horizontal scaling

20
MongoDB
• Founded in 2007
• A document-oriented, NoSQL database
• Hash-based, schema-less database
  • In practice, this means you can store hashes with any keys and values that you choose
• No Data Definition Language
  • Document identifiers (_id) are created for each document; the field name is reserved by the system
  • The application tracks the schema and mapping
• Supports APIs (drivers) in many computer languages
  • JavaScript, Python, Ruby, Perl, Java, Scala, C#, C++, Haskell, Erlang

MongoDB is a cross-platform, document-oriented database that provides high performance, high
availability, and easy scalability. MongoDB is built on the concepts of collections and documents.

21
Why & Where to Use MongoDB

• Document Oriented Storage: data is stored in the form of JSON-style documents (JSON is a very common data format used for
asynchronous browser–server communication)
• Index on any attribute
• Replication and high availability
• Auto-sharding
• Rich queries
• Fast in-place updates
• Professional support by MongoDB
• No complex joins

[Diagram: Database → Collections → Docs]

Use MongoDB with

• Big Data
• Content Management and Delivery
• Mobile and Social Infrastructure
• Others

22
23
MongoDB-Schema view

Schema view for the movies collection; it provides a list of the fields found within this collection.

24
MongoDB- Fields

25
MongoDB-Documents Representation

26
Data stores / Database Attack

• Nearly all applications rely on a data store or database to manage the data that is processed within the application.

• Most of the time this data drives the core application and business rules logic, holding user accounts,
permissions, application configuration settings, and more.

• If an attacker can interfere with the application's interaction with the data store, to make it retrieve, access or
modify different data, he can usually bypass any controls over data access that are imposed at the application
layer.

• Injection flaws, such as SQL, OS command and LDAP injection, occur when malicious code or untrusted data is sent to an
interpreter as part of a command or query. Using this technique, the attacker can execute unintended
commands or access unauthorized data.

27
Understanding SQLi

[Diagram: Malicious Request → Modified Query → Query Output → Data Exfiltration]

28
SQLi Attack

[Network diagram: Internet → Router → Firewall → Switch / Wireless access point → Web servers → Web application server → Database servers → Database. Legend: data exchanged between hacker and servers; two-way traffic between hacker and Web server; credit card data is retrieved from the database.]

29
SQL Injection (SQLi)

• SQLi is a code injection technique that exploits a security vulnerability within the database layer of an application.
An application security weakness allows attackers to control an application's database, letting them access or
delete data.

• SQL injection weaknesses occur when an application uses untrusted data, such as data entered into web form
fields, as part of a database query.

• When an application fails to properly control this untrusted data before adding it to a SQL query, an attacker can
include their own SQL commands, which the database will execute.

• Such SQLi vulnerabilities are easy to prevent, yet SQLi remains a leading web application risk, and many
organizations remain vulnerable to potentially damaging data breaches resulting from SQL injection.

30
SQLi Attack Cartoon

[Cartoon: SQL injection attacks]

31
Understanding SQLi

• The exploitability of a SQL Injection attack can be extremely easy. There are automated tools that simply
let you paste in a URL and then go and extract data from the system; it can be that simple.

• Its prevalence is very high.

• Its detectability is average: it's not a dead easy risk to find, but it's not really hard either; it does take some
probing of the system to discover a risk.

• The impact is severe. This is about as bad as it gets, because a SQL Injection attack can lead to the complete
and utter compromise of the database. It can mean that everything in the database gets exposed publicly, and
it can also mean that an attacker can modify or destroy anything within the database.
32
Database Fingerprinting
• The differences between platforms become more significant as we begin to look at more advanced
exploitation techniques.
• The following examples show how the string services could be constructed on the common types of
database:
  • Oracle: 'serv'||'ices'
  • MS-SQL: 'serv'+'ices'
  • MySQL: 'serv' 'ices' (note the space)

• If you are injecting into numeric data, the following attack strings can be used to fingerprint the database.
• Each of these items evaluates to 0 on the target database and generates an error on the other databases:
  • Oracle: BITAND(1,1)-BITAND(1,1)
  • MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
  • MySQL: CONNECTION_ID()-CONNECTION_ID()

33
SQL Attack Steps

• Searching for a vulnerable point
• Fingerprinting the backend DB
• Enumerating or retrieving data of interest: table dumps, usernames/passwords, etc.
• Eventually exploiting the system once the information is at hand: OS takeover, data change, web server
takeover, etc.

34
Understanding SQLi

[Diagram: the query is split into a trusted part and an untrusted part]

35
Understanding SQLi

[Diagram: the untrusted part of the query]

36
Understanding SQLi

Login example. SQL statement used for login:

SELECT * FROM users WHERE username = 'user' AND password = 'password'

If the username and password are correct, the statement matches a row and the user will be logged in.

• Crafted input: User = admin'--

The statement becomes

SELECT * FROM users WHERE username = 'admin'--' AND password = 'asd'

("--" comments out the rest of the statement, so the user is logged in as admin and the password is never checked.)

• Crafted input: User = ' OR 1=1--

The statement becomes

SELECT * FROM users WHERE username = '' OR 1=1--

(1 is equal to 1, and because of the OR operator only one of the two conditions has to be true, so the username is not checked.)
37
SQL Injection – In The Login Page

Many attacks use a phrase such as ' or '1'='1' to create a true condition:

SELECT * FROM Books WHERE name='' or '1'='1'

Typical crafted inputs:
• User Name: ' or '1'='1'  or  ' or 'a'='a'  or  ' or 1=1--
• Password: ' or '1'='1'  or  ' or 'a'='a'  or  ' or 1=1--

Steps:
• Go to the Login page
• Enter User Name: ' or '1'='1' and firstname <> 'Ruba'
• Password: ' or '1'='1'
• Click Login
38
SQL Injection – To Know DB Brand

• After logging in to the application (a shopping website)
• Right-click on the MobilePhones link
• From the menu that appears, choose Properties to see the exact address of this link
• Copy the "Address URL" = IP:Port/domainname.asp?CatID=5865
• Paste the URL into the browser
• Try changing CatID to 99, 567867 or any other number
39
SQL Injection – To Know DB Brand

40
SQL Injection – To Know More Details about DB Columns

UNION SELECT null, Username, CCNumber, null, null, null FROM Users

41
SQL Injection - In Search Textbox

SQL uses a semicolon (;) to indicate the end of a SQL statement and two dashes (--) to start a comment that is
ignored. With this simple knowledge, an attacker could enter a string like this into the web form:

Ruba Ardah'; SELECT * FROM Customers;--

If the web application plugged this string of data directly into the SELECT statement, surrounded by the same single
quotes, it would look like this:

SELECT * FROM Books WHERE Author='Ruba Ardah';
SELECT * FROM Customers;
--'
42
SQL Injection - In Search Textbox

• The first line retrieves data from the DB just as before.
• The semicolon signals the end of the statement, and the DB will accept another command.
• The next line reads all the data in the Customers table, which can give the attacker access to names,
credit card data and more.
• The last line comments out the trailing single quote to prevent a SQL error.

43
SQL Injection - In Search Textbox

44
SQL Injection – Result

45
SQL Injection - In Search Textbox

46
SQL Injection – Result

47
Second Order SQL injection – Indirect SQLi

Second Order SQL injection is an application vulnerability. It occurs when user-submitted values are stored in the
database and later used by some other functionality in the application without escaping or filtering the data.

Steps
• Sign up or sign in with username "Admin" and password "asdasd".
• Create another user with username "Admin'--" and password "abc".
• Note that the username value "Admin'--" is actually the SQL injection payload.

48
Second Order SQL injection – Indirect SQLi
• So far we have two usernames registered, "Admin" and "Admin'--", with different passwords.
• Log in using "Admin'--" (the application shows "Logged in as Admin'--").
• Change the "Admin'--" password:

UPDATE users
SET password='123'
WHERE username='Admin'--' and password='abc'

Because the username in the WHERE clause is "Admin'--", everything after -- is discarded as a comment
(-- starts a comment in SQL). The query ends up like

UPDATE users
SET password='123'
WHERE username='Admin'

49
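The scenario above, reproduced as an added example (not from the slides) in Python with sqlite3 and a constructed users table: registration is parameterized, so the payload is stored harmlessly; the damage comes from the later password-change UPDATE that concatenates the stored username. The parameterized UPDATE beside it shows the fix.

```python
import sqlite3

# Constructed sample table (not from the slides): the legitimate Admin account already exists.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Admin', 'asdasd')")
    return conn

def register(conn, username, password):
    """Sign-up is parameterized, so the payload Admin'-- is stored verbatim as data."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_vulnerable(conn, username, old_password, new_password):
    """Trusts the stored username because it 'came from the database' and
    concatenates it into the slide's UPDATE; the -- comments out the rest."""
    query = (f"UPDATE users SET password='{new_password}' "
             f"WHERE username='{username}' AND password='{old_password}'")
    conn.execute(query)

def change_password_safe(conn, username, old_password, new_password):
    """Every query is parameterized, whether its inputs are fresh or stored."""
    conn.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                 (new_password, username, old_password))

def get_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()
    return row[0] if row else None

def run_scenario(safe):
    """Registers Admin'--, then changes that account's password from abc to 123.
    Returns (Admin's password, Admin'--'s password) afterwards."""
    conn = make_db()
    register(conn, "Admin'--", "abc")
    change = change_password_safe if safe else change_password_vulnerable
    change(conn, "Admin'--", "abc", "123")
    return get_password(conn, "Admin"), get_password(conn, "Admin'--")

if __name__ == "__main__":
    print("vulnerable:", run_scenario(safe=False))  # Admin's password became 123
    print("safe:      ", run_scenario(safe=True))   # only Admin'-- changed
```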
SQLi Attack

User Input
Attackers inject SQL commands by providing suitably crafted user input.

Server Variables
Attackers can forge the values that are placed in HTTP and network headers and
exploit this vulnerability by placing data directly into the headers.

Second-Order Injection
A malicious user could rely on data already present in the system or database to
trigger an SQL injection attack, so when the attack occurs, the input that
modifies the query does not come from the user but from within the system itself.

Cookies
An attacker could alter cookies such that, when the application server builds an
SQL query based on the cookie's content, the structure and function of the
query is modified.

50
SQLi Attacks Types

Inband SQLi: uses the same communication channel for injecting SQL code and retrieving results.
• The retrieved data are presented directly in the application's Web page.

Tautology: this form of attack injects code in one or more conditional statements so that they always evaluate to true.

End-of-line comment: after injecting code into a particular field, the legitimate code that follows is nullified through the use of end-of-line comments.

Piggybacked queries: the attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request.
51
SQLi Attacks Types

Inferential Attack: there is no actual transfer of data, but the attacker is able to reconstruct the information
by sending particular requests or payloads and observing the resulting behavior of the Website/database server
(Blind SQLi attack).

Out-of-band SQLi: these techniques rely on the database server's ability to make DNS or HTTP requests to
deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to
make DNS requests to a server that an attacker controls, as well as Oracle Database's UTL_HTTP package, which
can be used to send HTTP requests from SQL and PL/SQL to a server that an attacker controls.

52
53
How Do I Prevent Injection?

Preventing injection requires keeping data separate from commands and queries.
• The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a
parameterized interface, or to migrate to ORMs or Entity Framework.
• Positive or "white list" input validation, but this is not a complete defense, as many applications require
special characters, such as text areas or APIs for mobile applications.
• Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of
SQL injection.
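The login statement from the "Understanding SQLi" and "In The Login Page" slides, built both ways, as an added example (not from the slides): string concatenation, which the crafted inputs admin'-- and ' OR 1=1-- bypass, beside the parameterized interface recommended above, which binds the same inputs as plain data. Uses Python's sqlite3 with a constructed users table; the allow-list check is the "positive validation" layer and the LIMIT clause is the record-count control.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('ruba', 'pass')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the slide's login statement by string concatenation.

    Returns the usernames of the matched rows, or None on a SQL error.
    """
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        return [row[0] for row in conn.execute(query).fetchall()]
    except sqlite3.Error:
        return None

def login_parameterized(conn, username, password):
    """Same statement with placeholders: the driver binds the input as data,
    so a quote or -- inside it can never change the query structure.
    LIMIT 1 bounds the result set, as the prevention slide recommends."""
    query = ("SELECT * FROM users WHERE username = ? AND password = ? "
             "LIMIT 1")
    rows = conn.execute(query, (username, password)).fetchall()
    return [row[0] for row in rows]

def is_valid_username(username):
    """Allow-list ("white list") check: only ASCII letters, digits and _.
    An extra layer of defense, not a replacement for parameterization."""
    return (username.isascii() and username.replace("_", "").isalnum()
            and len(username) <= 32)

if __name__ == "__main__":
    for user in ("admin'--", "' OR 1=1--"):
        print(repr(user), "vulnerable   ->", login_vulnerable(make_db(), user, "wrong"))
        print(repr(user), "parameterized->", login_parameterized(make_db(), user, "wrong"))
        print(repr(user), "passes allow-list?", is_valid_username(user))
```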

54
Protecting Data

• Some data breaches become big news. For example, in Nov & Dec 2013 attackers hacked into Target's network
and stole credit card data and personal information on more than a million customers. This attack was huge and
media outlets reported on it for weeks.

• However, smaller data breaches occur almost daily.

• The Identity Theft Resource Center tracks data breaches and regularly reports summaries. As of August 2014,
they reported 480 data breaches exposing more than 17 million customer records during 2014.

• Losing control of data directly affects the reputation, and often the bottom line, of an organization.

• The importance of taking steps to protect valuable data can't be overstated.

55


Comparing Data Category

You will frequently see data categorized based on how it is used or stored. The most common terms are data at
rest, data in transit and data in use:

• Data at rest is any data stored on media. This includes data on hard drives, mobile phones, USB flash drives,
external drives, and backups. Data can be stored as individual files or full databases.
The best way to protect data at rest from an attacker is to encrypt it.

• Data in transit (or data in motion) is any data traveling over the network. Data loss prevention (DLP)
techniques are effective at analyzing and detecting sensitive data sent over the network.
The best way to protect data in transit is to encrypt network traffic by using encryption protocols
such as IPsec, SSH, or SFTP.

• Data in use refers to any data that resides in temporary memory. Applications retrieve stored data,
process it, and may either save it back to storage or send it over a network. The application is responsible
for protecting data in use.
56

Confidentiality is primarily protected through encryption and strong access control.

What does Database Encryption and Decryption mean?

• Database encryption is the process of converting data within a database from plain text format into meaningless
cipher text by means of a suitable algorithm.
• Database decryption is converting the meaningless cipher text back into the original information using the keys
generated by the encryption algorithms.
• Database encryption can be provided at the file or column level.

57
What does Database Encryption and Decryption mean ?

Encryption of a database is costly and requires more storage space than the original data. The steps in encrypting a
database are:
• Determine the criticality of the need for encryption
• Determine what data needs to be encrypted
• Determine which algorithms best suit the encryption standard
• Determine how the keys will be managed

Numerous algorithms are used for encryption. These algorithms generate keys related to the encrypted data. These
keys set a link between the encryption and decryption procedures. The encrypted data can be decrypted only by
using these keys.

58
Encryption and Decryption Algorithms

1. Triple DES
2. RSA
3. ElGamal
4. Blowfish
5. Twofish

59
OWASP

OWASP is the Open Web Application Security Project, and there are three important things to understand about
OWASP.
• They are non-profit. They're not making money out of anyone; they are simply here to help the web become a
more secure place.
• They cover all technologies (the most important ones): OWASP covers PHP as equally as ASP.NET, and as equally
as they cover Java.
• It is contributed to selflessly by the security community. OWASP relies on those of us who are willing to devote
our time and expertise in order to build resources such as the one we're going to talk about in this course.

60
OWASP
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations
to develop, purchase, and maintain applications that can be trusted. At OWASP you'll find free and open:
• Application security tools and standards
• Complete books on application security testing, secure code development, and security code review
• Standard security controls and libraries
• Local chapters worldwide
• Cutting edge research
• Extensive conferences worldwide
• Mailing lists

61
OWASP

Attacks

• A1: Injection
• A2: Broken Authentication
• A3: Sensitive Data Exposure
• A4: XML External Entity (XXE)
• A5: Broken Access Control
• A6: Security Misconfiguration
• A7: Cross-Site Scripting (XSS)
• A8: Insecure Deserialization (Missing Access Control)
• A9: Using Components with Known Vulnerabilities
• A10: Insufficient Logging & Monitoring

Controls

• C1: Define Security Requirements
• C2: Leverage Security Frameworks and Libraries
• C3: Secure Database Access
• C4: Encode and Escape Data
• C5: Validate All Inputs
• C6: Implement Digital Identity
• C7: Enforce Access Controls
• C8: Protect Data Everywhere
• C9: Implement Security Logging and Monitoring
• C10: Handle All Errors and Exceptions

62
OWASP Risk Identification

OWASP identifies a list of severe attacks, with generic information about each one's likelihood and technical impact.

63
A2 - Broken Authentication and Session Management

A special problem arises when both authentication and session management are implemented incorrectly: the attacker is able to
exploit real users' identities such as passwords, keys and session tokens. The attacker is able to impersonate the real user or
victim by hijacking the session ID.

64
65
