Database Security Concepts & Attacks: Prepared By: Ruba Ardah
Agenda
Relational Database
Non Relational DB - NoSQL DB
Database and data stores Attacks
OWASP
SQLi
NoSQL Injection
Broken Authentication and session Management
Data Stores & Database
Databases Technology
In database technology there are two main types of databases. The main differences between them are how they are built, the type of information they store, and how they store it.
SQL (relational databases): structured, like phone books that store phone numbers and addresses.
NoSQL (non-relational databases): document-oriented and distributed, like file folders that hold everything from a person's address and phone number to their Facebook likes and online shopping preferences.
Relational Databases
Table of data consisting of rows and columns
Each column holds a particular type of data
Each row contains a specific value for each column
Ideally has one column where all values are unique, forming an identifier/key for that row
Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
Use a relational query language to access the database
Request data that fit a given set of criteria
Relational DB Architecture - Data Definition Language
A data definition language (DDL) is used to define the database's logical structure and procedural properties, which are represented by a set of database description tables.
DDL Operations
Create
Alter
Drop
Database Objects
Tables
Indexes
Stored procedures
Views and any other database objects.
Relational DB Architecture - Data Manipulation Language
A data manipulation language (DML) provides a powerful set of tools for application developers. Query languages are declarative languages designed to support end users.
Operations
Select
Insert
Remove
Update
The database management system makes use of the database description tables to manage the physical database. The interface to the database is through a file manager module and a transaction manager module.
DBMS Architecture (DDL, DML) (diagram)
Relational Databases Elements & Relations
Elements:
• Relation / table / file
• Row / record
• Field names
• Primary key: uniquely identifies a row; consists of one or more columns
The relationship between tables and field types is called a schema. In a relational database, the schema must
SQL is a programming language used by database architects to design relational databases. In an SQL database like MySQL, Sybase, Oracle, or IBM DB2, SQL executes queries, retrieves data, and edits data by updating, deleting, or creating new records.
SQL is a lightweight, declarative language that does a lot of heavy lifting for the relational database, acting like a database's version of a server-side script.
• Create tables
• Insert and delete data in tables
• Create views
• Retrieve data with query statements
E.g. find the balances of all accounts held by the customer with customer-id 192-83-7465:
select account.balance from deposit, account where deposit.customer-id = '192-83-7465' and deposit.account-number = account.account-number
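The DDL and DML operations listed above, together with the deposit/account query from the SQL example, carried out end to end. This is an added example, not code from the original slides; it assumes an in-memory SQLite database and column names with underscores (customer_id, account_number), since an engine would parse the slide's customer-id as a subtraction.

```python
import sqlite3

# Added example, not from the original slides: DDL (CREATE, ALTER, DROP) and
# DML (SELECT, INSERT, DELETE, UPDATE) on an in-memory SQLite database holding
# the deposit/account schema of the SQL slide.
# Assumption: underscore column names (customer_id, account_number).

DDL = """
CREATE TABLE account (
    account_number TEXT PRIMARY KEY,
    balance        REAL NOT NULL
);
CREATE TABLE deposit (
    customer_id    TEXT NOT NULL,
    account_number TEXT NOT NULL REFERENCES account(account_number)
);
"""

# Constructed sample rows for the two tables.
ACCOUNTS = [("A-101", 500.0), ("A-102", 1250.5), ("A-201", 80.0)]
DEPOSITS = [("192-83-7465", "A-101"), ("192-83-7465", "A-102"),
            ("555-00-0001", "A-201")]


def build_db():
    """DDL (CREATE) followed by DML (INSERT) to populate the schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executemany("INSERT INTO account VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO deposit VALUES (?, ?)", DEPOSITS)
    conn.commit()
    return conn


def balances_for_customer(conn, customer_id):
    """The slide's SELECT: balances of all accounts held by one customer.
    The customer id is bound as a parameter rather than spliced into the text."""
    rows = conn.execute(
        "SELECT account.balance FROM deposit, account "
        "WHERE deposit.customer_id = ? "
        "AND deposit.account_number = account.account_number "
        "ORDER BY account.account_number",
        (customer_id,),
    ).fetchall()
    return [balance for (balance,) in rows]


def update_balance(conn, account_number, new_balance):
    """DML UPDATE; returns the number of rows changed (0 if no such account)."""
    cur = conn.execute("UPDATE account SET balance = ? WHERE account_number = ?",
                       (new_balance, account_number))
    conn.commit()
    return cur.rowcount


def remove_deposits(conn, customer_id):
    """DML DELETE (the slide's 'Remove'); returns the number of rows removed."""
    cur = conn.execute("DELETE FROM deposit WHERE customer_id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount


def add_currency_column(conn):
    """DDL ALTER: extend the account table; returns the column names afterwards."""
    conn.execute("ALTER TABLE account ADD COLUMN currency TEXT NOT NULL DEFAULT 'USD'")
    return [row[1] for row in conn.execute("PRAGMA table_info(account)")]


def drop_deposit_table(conn):
    """DDL DROP; returns the tables that remain in the description tables."""
    conn.execute("DROP TABLE deposit")
    return [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


if __name__ == "__main__":
    db = build_db()
    print(balances_for_customer(db, "192-83-7465"))
```

The query functions bind every user-supplied value as a parameter; that habit is what the later SQL injection slides are about, so it is worth seeing in the ordinary, non-attack case first.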
Non-Relational DB (NoSQL)
If your data requirements aren't clear enough, or if you're dealing with massive amounts of unstructured data, you may not have the luxury of developing a relational database with a clearly defined schema. Enter non-relational databases, which offer much greater flexibility than their traditional counterparts.
What is Big Data?
A term for data sets that are so large that traditional methods of storage and processing are inadequate.
Massive increase in data volume within the last decade or so: social networks, search engines, etc.
Challenges in storage, capture, analysis, transfer, etc.
Advantages of NoSQL over RDBMS
MongoDB
Founded in 2007
A document-oriented, NoSQL database
Hash-based, schema-less database
In practice, this means you can store hashes with any keys and values that you choose
No Data Definition Language
A document identifier (_id) is created for each document; this field name is reserved by the system
Application tracks the schema and mapping
Supports APIs (drivers) in many computer languages: JavaScript, Python, Ruby, Perl, Java, Scala, C#, C++, Haskell, Erlang
MongoDB is a cross-platform, document-oriented database that provides high performance, high availability, and easy scalability. MongoDB works on the concept of collections and documents.
Why & Where to Use MongoDB
Document Oriented Storage: data is stored in the form of JSON style documents (JSON very common data format used for
Where to use MongoDB:
Big Data
Content Management and Delivery Docs
Mobile and Social Infrastructure
Others
MongoDB - Schema view
Schema view for the movies collection: it provides a list of the fields found within this collection (screenshot).
MongoDB - Fields (screenshot)
MongoDB - Documents Representation (screenshot)
Data stores / Database Attack
Nearly all applications rely on a data store or database to manage data that is processed within the application.
Most of the time this data drives the core application and business rules logic, holding user accounts,
permissions, application configuration settings, and more.
If an attacker can interfere with the application’s interaction with the data store, to make it retrieve, access or
modify different data, he can usually bypass any controls over data access that are imposed at the application
layer.
Injection flaws, such as SQL injection (SQLi), OS command injection, and LDAP injection (LDAPi), occur when malicious code or untrusted data is sent to an interpreter as part of a command or query. By using this technique the attacker can execute unintended commands or access unauthorized data.
Understanding SQLi
SQLi Attack (network diagram): the attacker on the Internet reaches the web application server through the router, firewall, switch and wireless access point; the web server in turn queries the database servers. Legend: data exchanged between hacker and servers; two-way traffic between hacker and Web server; credit card data is retrieved from the database.
SQL Injection (SQLi)
SQLi is a code injection technique that exploits a security vulnerability within the database layer of an application. An application security weakness allows attackers to control an application's database, letting them access or delete data.
SQL injection weaknesses occur when an application uses untrusted data, such as data entered into web form fields, as part of a database query.
When an application fails to properly control this untrusted data before adding it to a SQL query, an attacker can include their own SQL commands, which the database will execute.
Such SQLi vulnerabilities are easy to prevent, yet SQLi remains a leading web application risk, and many organizations remain vulnerable to potentially damaging data breaches resulting from SQL injection.
SQLi Attack Cartoon (image: "SQL INJECTION ATTACKS")
Understanding SQLi
The exploitability of a SQL Injection attack can be extremely easy. There are automated tools that simply allow you to paste in a URL and let the tool go and extract data from the system; it can be that simple.
Its detectability is average: it is not a dead easy risk to find, but it is not really hard either; it does take some probing of the system to discover the risk.
The impact is severe. This is about as bad as it gets, because a SQL Injection attack can lead to the complete and utter compromise of the database. It can mean that everything in the database gets exposed publicly, and it can also mean that an attacker can modify or destroy anything within the database.
Database Fingerprinting
The differences between platforms become more significant as we begin to look at more advanced exploitation techniques.
The following examples show how the string services could be constructed on the common types of database:
• Oracle: 'serv'||'ices'
• MS-SQL: 'serv'+'ices'
• MySQL: 'serv' 'ices' (note the space)
If you are injecting into numeric data, the following attack strings can be used to fingerprint the database. Each of these items evaluates to 0 on the target database and generates an error on the other databases:
• Oracle: BITAND(1,1)-BITAND(1,1)
• MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
• MySQL: CONNECTION_ID()-CONNECTION_ID()
SQL Attack Steps (diagram)
Understanding SQLi (diagram labelling the trusted part and the untrusted part of the statement)
Understanding SQLi
Login example. SQL statement used for login:
SELECT * FROM users WHERE username = 'user' AND password = 'password'
If the username and password are correct, the statement matches and the user will be logged in.
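The login statement above written two ways, so the difference between splicing input into SQL text and binding it as a parameter is visible on real input. This is an added example and not code from the original slides; the users table, its rows and the crafted username are constructed for the demo.

```python
import sqlite3

# Added example, not from the original slides: the login statement from the slide
# built by string concatenation (vulnerable) and with bound parameters (safe).
# The table and rows are constructed. Passwords are stored in clear only to keep
# the example short; a real system stores a salted hash.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_login_sql(username, password):
    """The vulnerable statement: input becomes part of the SQL text, so a quote or
    a comment marker inside it changes the structure of the statement."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    row = conn.execute(build_login_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised statement: the SQL text is fixed and the driver hands the
    values to the engine separately, so they are only ever compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed input using the end-of-line comment trick shown on the slides:
# the quote closes the username literal and "--" comments out the password check.
CRAFTED_USERNAME = "alice' --"


def compare(conn):
    """Returns (vulnerable result, safe result) for the same crafted input and a
    wrong password: the vulnerable form logs in, the safe form does not."""
    return (login_vulnerable(conn, CRAFTED_USERNAME, "wrong"),
            login_safe(conn, CRAFTED_USERNAME, "wrong"))


if __name__ == "__main__":
    db = make_db()
    print(build_login_sql(CRAFTED_USERNAME, "wrong"))
    print(compare(db))
```

In the safe form the crafted username is simply compared against the stored usernames, none of which contain a quote, so no row matches.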
SQL Injection – To Know More Details about DB Columns
UNION SELECT null, Username, CCNumber, null, null, null FROM Users
SQL Injection - In Search Textbox
A SQL statement uses a semicolon (;) to indicate the end of the SQL line and two dashes (--) to start a comment that is ignored. With this simple knowledge, attackers could enter different information into the web form like this (screenshots: search textbox input and the resulting output, two examples).
Second Order SQL injection – Indirect SQLi
Second-order SQL injection is an application vulnerability that occurs when user-submitted values are stored in the database and then used by some other functionality in the application without escaping or filtering the data.
Steps
Sign up or sign in with username "Admin" and password "asdasd".
Create another user with username "Admin'--" and password "abc".
Note that the username value "Admin'--" is actually the SQL injection payload.
Second Order SQL injection – Indirect SQLi
So far we have two usernames registered, "Admin" and "Admin'--", using different passwords.
Log in using "Admin'--" (logged in as Admin'--).
Change the "Admin'--" password:
UPDATE users
SET password='123'
WHERE username='Admin'--' and password='abc'
Now, as the username in the WHERE clause is "Admin'--", note that everything after -- is discarded as a comment, since -- starts a comment in SQL. The query ends up like:
UPDATE users
SET password='123'
WHERE username='Admin'
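The second-order scenario above, replayed end to end. This is an added example and not code from the original slides. Registration binds the username as a parameter, so the stored value "Admin'--" is harmless at that point; the password-change feature then trusts the stored username and concatenates it into the UPDATE, which is where the injection fires. A parameterised UPDATE is shown beside it. The users and passwords are constructed.

```python
import sqlite3

# Added example, not from the original slides: the two-user second-order
# scenario on SQLite. Constructed users: "Admin"/"asdasd" and "Admin'--"/"abc".


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    return conn


def register(conn, username, password):
    # Parameterised: the quote and comment characters are stored literally,
    # which is why registration itself is not where the problem shows.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))
    conn.commit()


def change_password_vulnerable(conn, session_username, old_pw, new_pw):
    """The username comes from the session (already in the database), so the
    developer assumed it was safe and spliced it into the statement."""
    sql = ("UPDATE users SET password='" + new_pw + "' "
           "WHERE username='" + session_username + "' AND password='" + old_pw + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def change_password_safe(conn, session_username, old_pw, new_pw):
    """Same feature with every value bound; stored data is treated as data."""
    cur = conn.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_pw, session_username, old_pw))
    conn.commit()
    return cur.rowcount


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()
    return row[0] if row else None


def replay(safe):
    """Runs the slide's steps and returns
    (rows updated, Admin's password, Admin'--'s password)."""
    conn = make_db()
    register(conn, "Admin", "asdasd")
    register(conn, "Admin'--", "abc")
    change = change_password_safe if safe else change_password_vulnerable
    # The second user is logged in and changes their own password to '123'.
    changed = change(conn, "Admin'--", "abc", "123")
    return changed, password_of(conn, "Admin"), password_of(conn, "Admin'--")


if __name__ == "__main__":
    print("vulnerable:", replay(safe=False))
    print("safe:      ", replay(safe=True))
```

With the vulnerable UPDATE the WHERE clause collapses to username='Admin' and the first user's password is overwritten while the second user's stays "abc"; with the bound version only the row of "Admin'--" changes. The practical lesson is that data read back from the database needs the same treatment as data read from the request.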
SQLi Attack
User Input: attackers inject SQL commands by providing suitably crafted user input.
Server Variables: attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers.
Second-Order Injection: a malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself.
Cookies: an attacker could alter cookies such that when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified.
SQLi Attacks Types
Inband SQLi: uses the same communication channel for injecting SQL code and retrieving results. The retrieved data are presented directly in the application Web page.
Tautology: this form of attack injects code in one or more conditional statements so that they always evaluate to true.
End-of-line comment: after injecting code into a particular field, legitimate code that follows is nullified through the use of end-of-line comments.
Piggybacked queries: the attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request.
SQLi Attacks Types
Inferential attack: there is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests or payloads and observing the resulting behavior of the Website/database server (blind SQLi attack).
Out-of-band SQLi: these techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server that an attacker controls, as well as Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server that an attacker controls.
How Do I Prevent Injection?
Preventing injection requires keeping data separate from commands and queries.
The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface, or to migrate to an object-relational mapper (ORM) such as Entity Framework.
Positive or "white list" input validation helps, but it is not a complete defense, as many applications require special characters, for example in text areas or in APIs for mobile applications.
Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
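The three controls above combined in one search function: a parameterized interface for the values, positive (allow-list) validation for the one part of the statement that cannot be bound (the ORDER BY column name), and a capped LIMIT. This is an added example, not code from the original slides; the products table and rows are constructed, and the SQLite LIKE/ESCAPE handling is a detail of this example rather than something the slides state.

```python
import sqlite3

# Added example, not from the original slides. Search over a constructed products
# table that applies the prevention advice: bound parameters for values, an
# allow-list for the sort column (identifiers cannot be bound), and a capped LIMIT.

ALLOWED_SORT_COLUMNS = {"name", "price"}   # positive validation for identifiers
MAX_ROWS = 20                               # hard cap on rows a single search returns


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 2.5), ("gadget", 10.0), ("gizmo", 7.25), ("widget pro", 12.0)])
    conn.commit()
    return conn


def validate_sort_column(column):
    """Allow-list check: only names we know may reach the ORDER BY clause."""
    return column in ALLOWED_SORT_COLUMNS


def clamp_limit(limit):
    """LIMIT is bound as a parameter, but the value is still capped server-side."""
    return max(1, min(int(limit), MAX_ROWS))


def like_pattern(term):
    """Parameters stop structural injection, but LIKE wildcards in the term would
    still widen the search, so % and _ are escaped with a backslash."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return "%" + escaped + "%"


def search_products(conn, term, sort_by="name", limit=10):
    if not validate_sort_column(sort_by):
        raise ValueError("unsupported sort column")
    # sort_by is safe to interpolate only because it passed the allow-list above.
    sql = ("SELECT name, price FROM products "
           "WHERE name LIKE ? ESCAPE '\\' "
           f"ORDER BY {sort_by} LIMIT ?")
    return conn.execute(sql, (like_pattern(term), clamp_limit(limit))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_products(db, "widget", "price"))
```

A term of "%" returns nothing rather than the whole table, a sort column that is not on the allow-list is rejected before any SQL is built, and a limit of 1000 is silently reduced to 20, which bounds how much a single mistaken query can disclose.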
Protecting Data
Some data breaches become big news. For example, in Nov & Dec 2013, attackers hacked into Target's network and stole credit card data and personal information on more than a million customers. This attack was huge and media outlets reported on it for weeks.
The Identity Theft Resource Center tracks data breaches and regularly reports summaries. As of August 2014, they reported 480 data breaches exposing more than 17 million customer records during 2014.
Losing control of data directly affects the reputation, and often the bottom line, of an organization.
You will frequently see data categorized based on how it is used or stored. The most common terms are data at rest, data in transit and data in use:
Data at rest is any data stored on media. This includes data on hard drives, mobile phones, USB flash drives, external drives, and backups. Data can be stored as individual files or full databases.
Data in transit (or data in motion) is any data traveling over the network. Data loss prevention (DLP) techniques are effective at analyzing and detecting sensitive data sent over the network. The best way to protect data in transit is to encrypt network traffic by using encryption protocols such as IPsec, SSH, or SFTP.
Data in use refers to any data that resides in temporary memory. Applications retrieve stored data, process it, and may either save it back to storage or send it over a network. The application is responsible for protecting data in use.
What does Database Encryption and Decryption mean?
Database encryption is the process of converting data within a database from plain text into meaningless cipher text by means of a suitable algorithm.
Database decryption is converting the meaningless cipher text back into the original information using keys generated by the encryption algorithms.
Database encryption can be provided at the file or column level.
Encryption of a database is costly and requires more storage space than the original data. The steps in encrypting a database are:
Determine the criticality of the need for encryption
Determine what data needs to be encrypted
Determine which algorithms best suit the encryption standard
Determine how the keys will be managed
Numerous algorithms are used for encryption. These algorithms generate keys related to the encrypted data. These keys set a link between the encryption and decryption procedures. The encrypted data can be decrypted only by using these keys.
Encryption and Decryption Algorithms
1. Triple DES
2. RSA
3. ElGamal
4. Blowfish
5. Twofish
OWASP
OWASP is the Open Web Application Security Project, and there are three important things to understand about OWASP.
They are non-profit. They're not making money out of anyone. They are simply here to help the web become a more secure place.
They cover all the important technologies: OWASP covers PHP as equally as ASP.NET, and as equally as they cover Java.
It is contributed to selflessly by the security community. OWASP relies on those of us that are willing to devote our time and expertise in order to build resources such as the one we're going to talk about in this course.
OWASP
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you'll find free and open:
Application security tools and standards
Complete books on application security testing, secure code development, and security code review
Standard security controls and libraries
Local chapters worldwide
Cutting edge research
Extensive conferences worldwide
Mailing lists
OWASP
Attacks and Controls
OWASP identifies a list of severe attacks with generic information about each one's likelihood and technical impact.
A2 - Broken Authentication and Session Management: a special problem arises when both authentication and session management are implemented incorrectly; the attacker is able to exploit real users' identities such as passwords, keys and session tokens. The attacker is able to impersonate the real user or victim by hijacking the session ID.