SlideShare a Scribd company logo

SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in applications

Download as PPT, PDF
B
bankservicehyd

SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in applications

1 of 46
Download to read offline
ITEC403 Graduation Project Applications’ Security – Cem Yağlı
2 Application Vulnerabilities SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in applications. When programs are written, some parameters used in the creation of the application code can leave weaknesses in the program.
3 Application Vulnerabilities  SQL injection and buffer overflows are methods used to attack application and are generally caused by programming flaws.  SQL injection is a hacking method used to attack SQL databases  Buffer overflows can exist in many different types of applications.  SQL injection and buffer overflows are similar exploits in that they’re both usually delivered via a user input field.  The input field is – where a user may enter a username and password on a website, – add data to a URL, – or perform a search for a keyword in another application.
4 Application Vulnerabilities  Both SQL Server injection and buffer overflow vulnerabilities are caused by the same issue: – invalid parameters that are not verified by the application.  If programmers don’t take the time to validate the variables a user can enter into a variable field, the results can be serious and unpredictable.  Sophisticated hackers can exploit this vulnerability, causing an execution fault and shutdown of the system or application, or a command shell to be executed for the hacker.
5 Application Vulnerabilities  SQL injection and buffer overflow countermeasures are designed to utilize secure programming methods.  By changing the variables used by the application code, weaknesses in applications can be greatly minimized.
6 SQL Injection  Generally, the purpose of SQL injection is to convince the application to run SQL code that was not intended.  SQL injection occurs when an application processes user-provided data to create a SQL statement without first validating the input.
7 SQL Injection  The user input is then submitted to a web application database server for execution.  When successfully exploited, SQL injection can give an attacker access to database content or allow the hacker to remotely execute system commands.  In the worst-case scenario, the hacker can take control of the server that is hosting the database.
8 SQL Injection  This exploit can give a hacker access to a remote shell into the server file system.  The impact of a SQL injection attacks depends on – where the vulnerability is in the code, – how easy it is to exploit the vulnerability, – what level of access the application has to the database.  Theoretically, SQL injection can occur in any type of application, but it is most commonly associated with web applications.  The web applications are easy targets because by their very nature they are open to being accessed from the Internet.
9 SQL Injection  During a web application SQL injection attack, – The malicious code is inserted into a web form field – Or the website’s code to make a system execute a command shell – Or other arbitrary commands.  Just as a legitimate user enters queries and additions to the SQL database via a web form,  The hacker can insert commands to the SQL Server through the same web form field.
10 SQL Injection  For example: – An arbitrary command from a hacker might open a command prompt – or display a table from the database.  A database table may contain personal information such as credit card numbers, social security numbers, or passwords.  SQL Servers are very common database servers and used by many organizations to store confidential data.  This makes a SQL Server a high-value target and therefore a system that is very attractive to hackers.
11 Finding a SQL Injection Vulnerability  Before launching a SQL injection attack, the hacker determines whether the configuration of the database and related tables and variables is vulnerable.  The steps to determine the SQL Server’s vulnerability are as follows: 1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an “I forgot my password” form). Look for web pages that display the POST or GET HTML commands by checking the site’s source code.
12 Finding a SQL Injection Vulnerability 2.Test the SQL Server using single quotes (‘’). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with an error message that says use 'a'='a' (or something similar), then it’s most likely susceptible to a SQL injection attack. 3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.
13 Finding a SQL Injection Vulnerability  Here are some examples of variable field text you can use on a web form to test for SQL vulnerabilities: – Blah’ or 1=1-- – Login:blah’ or 1=1-- – Password::blah’ or 1=1-- – http://search/index.asp?id=blah’ or 1=1--
14 Finding a SQL Injection Vulnerability  These commands and similar variations may allow a user to bypass a login depending on the structure of the database.  When entered in a form field, the commands may return many rows in a table or even an entire database table because the SQL Server is interpreting the terms literally.  The double dashes near the end of the command tell SQL to ignore the rest of the command as a comment.
15 Finding a SQL Injection Vulnerability  Here are some examples of how to use SQL commands to take control:  To get a directory listing, type the following in a form field: – Blah‘;exec master..xp_cmdshell “dir c:*.* /s >c:directory.txt”--  To create a file, type the following in a form field: – Blah‘;exec master..xp_cmdshell “echo hacker-was-here > c: hacker.txt”--  To ping an IP address, type the following in a form field: – Blah‘;exec master..xp_cmdshell “ping 192.168.1.1”--
16 The Purpose of SQL Injection  SQL injection attacks are used by hackers to achieve certain results. Some SQL exploits will produce valuable user data stored in the database, and some are just precursors to other attacks.  The following are the most common purposes of a SQL injection attack:
17 The Purpose of SQL Injection  Identifying SQL Injection Vulnerability – The purpose is to probe a web application to discover which parameters and user input fields are vulnerable to SQL injection.  Performing Database Finger-Printing – The purpose is to discover the type and version of database that a web application is using and “fingerprint” the database. – Knowing the type and version of the database used by a web application allows an attacker to craft database specific attacks.
18 The Purpose of SQL Injection  Determining Database Schema – To correctly extract data from a database, the attacker often needs to know database schema information, such as table names, column names, and column data types. – This information can be used in a follow-on attack.  Extracting Data – These types of attacks employ techniques that will extract data values from the database. – Depending on the type of web application, this information could be sensitive and highly desirable to the attacker.
19 The Purpose of SQL Injection  Adding or Modifying Data – The purpose is to add or change information in a database.  Performing Denial of Service – These attacks are performed to shut down access to a web application, thus denying service to other users. – Attacks involving locking or dropping database tables also fall under this category.  Evading Detection – This category refers to certain attack techniques that are employed to avoid auditing and detection.
20 The Purpose of SQL Injection  Bypassing Authentication – The purpose is to allow the attacker to bypass database and application authentication mechanisms. – Bypassing such mechanisms could allow the attacker to assume the rights and privileges associated with another application user.  Executing Remote Commands – These types of attacks attempt to execute arbitrary commands on the database. These commands can be stored procedures or functions available to database users.  Performing Privilege Escalation – These attacks take advantage of implementation errors or logical flaws in the database in order to escalate the privileges of the attacker.
21 SQL Injection Using Dynamic Strings  Many functions of a SQL database receive static user input where the only variable is the user input fields.  Such statements do not change from execution to execution.  They are commonly called static SQL statements.
22 SQL Injection Using Dynamic Strings  Some programs must build and process a variety of SQL statements at runtime.  In many cases the full text of the statement is unknown until application execution.  Such statements can, and probably will, change from execution to execution.  So, they are called dynamic SQL statements.
23 SQL Injection Using Dynamic Strings  Dynamic SQL is an enhanced form of SQL that, unlike standard SQL, facilitates the automatic generation and execution of program statements.  Dynamic SQL is a term used to mean SQL code that is generated by the web application before it is executed.  Dynamic SQL is a flexible and powerful tool for creating SQL strings.
24 SQL Injection Using Dynamic Strings  It can be helpful when you find it necessary to write code that can adjust to varying databases, conditions, or servers.  Dynamic SQL also makes it easier to automate tasks that are repeated many times in a web application.  A hacker can attack a web-based authentication form using SQL injection through the use of dynamic strings.
25 SQL Injection Using Dynamic Strings  For example, the underlying code for a web authentication form on a web server may look like the following: SQLCommand = “SELECT Username FROM Users WHERE Username = ‘“ SQLCommand = SQLComand & strUsername SQLCommand = SQLComand & “‘ AND Password = ‘“ SQLCommand = SQLComand & strPassword SQLCommand = SQLComand & “‘“ strAuthCheck = GetQueryResult(SQLQuery)
26 SQL Injection Using Dynamic Strings  A hacker can exploit the SQL injection vulnerability by entering a login and password in the web form that uses the following variables: Username: kimberly Password: graves’ OR ‘’=’
27 SQL Injection Using Dynamic Strings  The SQL application would build a command string from this input as follows: SELECT Username FROM Users WHERE Username = ‘kimberly’ AND Password = ‘graves’ OR ‘’=’’
28 SQL Injection Using Dynamic Strings  This query will return all rows from the user’s database, regardless of whether kimberly is a real username in the database or graves is a legitimate password.  This is due to the OR statement appended to the WHERE clause.  The comparison ‘’=’’ will always return a true result, making the overall WHERE clause evaluate to true for all rows in the table.  This will enable the hacker to log in with any username and password.
29 SQL Injection Vulnerability Scanning  We can use the HP’s Scrawlr to test for SQL Injection Vulnerabilities 1. Download Scrawlr from www.HP.com. 2. Install Scrawlr on your Windows lab PC. 3. Open the Scrawlr program. 4. Type a target web address in the URL Of Site To Scan field: 5. Click the Start button to start the audit of the website for SQL injection vulnerabilities. 6. Once the SQL injection vulnerability scan is complete, Scrawlr will display additional hosts linked from the scanned site. It is a best practice to scan the linked sites as well as the main site to ensure no SQL injection vulnerabilities exist.
30 SQL Injection Countermeasures  The cause of SQL injection vulnerabilities is relatively simple and well understood: – Insufficient validation of user input.  To address this problem, defensive coding practices, such as encoding user input and validation, can be used when programming applications.  It is a laborious and time-consuming process to check all applications for SQL injection vulnerabilities.
31 SQL Injection Countermeasures  When implementing SQL injection countermeasures, review source code for the following programming weaknesses: – Single quotes – Lack of input validation  The first countermeasures for preventing a SQL injection attack are – Minimizing the privileges of a user’s connection to the database and – Enforcing strong passwords for SA and Administrator accounts.
32 SQL Injection Countermeasures  You should also disable verbose or explanatory error messages so no more information than necessary is sent to the hacker;  Such information could help them determine whether the SQL Server is vulnerable.
33 SQL Injection Countermeasures  Another countermeasure for preventing SQL injection is checking user data input and validating the data prior to sending the input to the application for processing.  Some countermeasures to SQL injection are – Rejecting known bad input – Sanitizing and validating the input field
34 Buffer Overflows  As an ethical hacker; – You must be able to identify different types of buffer overflows. – You should also know how to detect a buffer overflow vulnerability and understand the steps a hacker may use to perform a stack- based overflow attack.
35 Types of Buffer Overflows  Buffer overflows are exploits that hackers use against an operating system or application;  like SQL injection attacks, they’re usually targeted at user input fields.  A buffer overflow exploit causes – a system to fail by overloading memory – or executing a command shell – or arbitrary code on the target system.
36 Types of Buffer Overflows  A buffer overflow vulnerability is caused by – a lack of bounds checking – or a lack of input-validation sanitization in a variable field (such as on a web form).  If the application doesn’t check or validate the size or format of a variable before sending it to be stored in memory, an overflow vulnerability exits.  The two types of buffer overflows are – stack based – heap based.
37 Types of Buffer Overflows  The stack and the heap are storage locations for user-supplied variables within a running program.  Variables are stored in the stack or heap until the program needs them. – Stacks are static locations of memory address space. – Heaps are dynamic memory address spaces that occur while a program is running.  A heap-based buffer overflow occurs in the lower part of the memory and overwrites other dynamic variables.
38 Types of Buffer Overflows
39 Types of Buffer Overflows  A call stack, or stack, is used to keep track of where in the programming code the execution pointer should return after each portion of the code is executed.  A stack-based buffer overflow attack occurs when the memory assigned to each execution routine is overflowed.  As a consequence of both types of buffer overflows, – A program can open a shell or – command prompt or stop the execution of a program.
40 Types of Buffer Overflows
41 Types of Buffer Overflows  To detect program buffer overflow vulnerabilities that result from poorly written source code, – a hacker sends large amounts of data to the application via a form field – and sees what the program does as a result.
42 Types of Buffer Overflows  The following are the steps a hacker uses to execute a stack-based buffer overflow: 1. Enter a variable into the buffer to exhaust the amount of memory in the stack. 2. Enter more data than the buffer has allocated in memory for that variable, which causes the memory to overflow or run into the memory space for the next process. Then, add another variable, and overwrite the return pointer that tells the program where to return to after executing the variable.
43 Types of Buffer Overflows 3. A program executes this malicious code variable and then uses the return pointer to get back to the next line of executable code. If the hacker successfully overwrites the pointer, the program executes the hacker’s code instead of the program code.  Most hackers don’t need to be this familiar with the details of buffer overflows.  Prewritten exploits can be found on the Internet and are exchanged between hacker groups (example: Metasploit).
44 Buffer Overflow Countermeasures  Hackers can graduate from standard buffer overflows to redirecting the return pointer to the code of their choosing.  A hacker must know the exact memory address and the size of the stack in order to make the return pointer execute their code.  A hacker can use a No Operation (NOP) instruction, which is just padding to move the instruction pointer and does not execute any code.  The NOP instruction is added to a string before the malicious code to be executed.
45 Buffer Overflow Countermeasures  If an intrusion detection system (IDS) is present on the network, it can thwart (not allowed) a hacker who sends a series of NOP instructions to forward to the instruction pointer.  To bypass the IDS, the hacker can randomly replace some of the NOP instructions with equivalent pieces of code, such as x++,x-;? NOPNOP.  This example of a mutated buffer overflow attack can bypass detection by an IDS.
46 Buffer Overflow Countermeasures  Programmers should not use the built-in strcpy(), strcat(), and streadd() C/C++ functions because they are susceptible to buffer overflows.  Alternatively, Java can be used as the programming language since Java is not susceptible to buffer overflows.

Recommended

Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
Noaman Aziz
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & Mitigation
IRJET Journal
 
Web application security
Web application securityWeb application security
Web application security
www.netgains.org
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
IOSR Journals
 
E017131924
E017131924E017131924
E017131924
IOSR Journals
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
Sql
SqlSql
Sql
IJASCSE
 
SQL Injection Stegnography in Pen Testing
SQL Injection Stegnography in Pen TestingSQL Injection Stegnography in Pen Testing
SQL Injection Stegnography in Pen Testing
191013607gouthamsric
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
Rayudu Babu
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
penetration Tester
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
Smitha Padmanabhan
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET Journal
 
Understanding SQL Injection_ A Guide to Website Security.docx
Understanding SQL Injection_ A Guide to Website Security.docxUnderstanding SQL Injection_ A Guide to Website Security.docx
Understanding SQL Injection_ A Guide to Website Security.docx
Oscp Training
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
Nicole Bili?
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 
Sql injection
Sql injectionSql injection
Sql injection
Suraj Tiwari
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET Journal
 
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptxEthical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Boston Institute of Analytics
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Abhinav Nair
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
PetraVukmirovic
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
IJRESJOURNAL
 
sql injection login bypass sqli-191017162412.pdf
sql injection login bypass sqli-191017162412.pdfsql injection login bypass sqli-191017162412.pdf
sql injection login bypass sqli-191017162412.pdf
bankservicehyd
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdfRICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
MohamedAbdelkader115
 
Value Stream Mapping Worskshops for Intelligent Continuous Security
Value Stream Mapping Worskshops for Intelligent Continuous SecurityValue Stream Mapping Worskshops for Intelligent Continuous Security
Value Stream Mapping Worskshops for Intelligent Continuous Security
Marc Hornbeek
 

More Related Content

Similar to SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in applications (20)

Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
Rayudu Babu
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
penetration Tester
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
Smitha Padmanabhan
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET Journal
 
Understanding SQL Injection_ A Guide to Website Security.docx
Understanding SQL Injection_ A Guide to Website Security.docxUnderstanding SQL Injection_ A Guide to Website Security.docx
Understanding SQL Injection_ A Guide to Website Security.docx
Oscp Training
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
Nicole Bili?
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 
Sql injection
Sql injectionSql injection
Sql injection
Suraj Tiwari
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET Journal
 
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptxEthical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Boston Institute of Analytics
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Abhinav Nair
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
PetraVukmirovic
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
IJRESJOURNAL
 
sql injection login bypass sqli-191017162412.pdf
sql injection login bypass sqli-191017162412.pdfsql injection login bypass sqli-191017162412.pdf
sql injection login bypass sqli-191017162412.pdf
bankservicehyd
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
Rayudu Babu
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
penetration Tester
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
Smitha Padmanabhan
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET Journal
 
Understanding SQL Injection_ A Guide to Website Security.docx
Understanding SQL Injection_ A Guide to Website Security.docxUnderstanding SQL Injection_ A Guide to Website Security.docx
Understanding SQL Injection_ A Guide to Website Security.docx
Oscp Training
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
Nicole Bili?
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 
Sql injection
Sql injectionSql injection
Sql injection
Suraj Tiwari
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET Journal
 
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptxEthical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
Boston Institute of Analytics
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Abhinav Nair
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
PetraVukmirovic
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
IJRESJOURNAL
 
sql injection login bypass sqli-191017162412.pdf
sql injection login bypass sqli-191017162412.pdfsql injection login bypass sqli-191017162412.pdf
sql injection login bypass sqli-191017162412.pdf
bankservicehyd
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 

Recently uploaded (20)

RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdfRICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
MohamedAbdelkader115
 
Value Stream Mapping Worskshops for Intelligent Continuous Security
Value Stream Mapping Worskshops for Intelligent Continuous SecurityValue Stream Mapping Worskshops for Intelligent Continuous Security
Value Stream Mapping Worskshops for Intelligent Continuous Security
Marc Hornbeek
 
IntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdfIntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdf
Luiz Carneiro
 
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Journal of Soft Computing in Civil Engineering
 
Machine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptxMachine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptx
rajeswari89780
 
LECTURE-16 EARTHEN DAM - II.pptx it's uses
LECTURE-16 EARTHEN DAM - II.pptx it's usesLECTURE-16 EARTHEN DAM - II.pptx it's uses
LECTURE-16 EARTHEN DAM - II.pptx it's uses
CLokeshBehera123
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
Level 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical SafetyLevel 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical Safety
JoseAlbertoCariasDel
 
Introduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICSIntroduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICS
narayanaswamygdas
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
DSP and MV the Color image processing.ppt
DSP and MV the Color image processing.pptDSP and MV the Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
Mathematical foundation machine learning.pdf
Mathematical foundation machine learning.pdfMathematical foundation machine learning.pdf
Mathematical foundation machine learning.pdf
TalhaShahid49
 
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxbMain cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
SunilSingh610661
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
charlesdick1345
 
Oil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdfOil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdf
M7md3li2
 
theory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptxtheory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptx
sanchezvanessa7896
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
Metal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistryMetal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistry
mee23nu
 
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdfRICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
MohamedAbdelkader115
 
Value Stream Mapping Worskshops for Intelligent Continuous Security
Value Stream Mapping Worskshops for Intelligent Continuous SecurityValue Stream Mapping Worskshops for Intelligent Continuous Security
Value Stream Mapping Worskshops for Intelligent Continuous Security
Marc Hornbeek
 
IntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdfIntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdf
Luiz Carneiro
 
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Development of MLR, ANN and ANFIS Models for Estimation of PCUs at Different ...
Journal of Soft Computing in Civil Engineering
 
Machine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptxMachine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptx
rajeswari89780
 
LECTURE-16 EARTHEN DAM - II.pptx it's uses
LECTURE-16 EARTHEN DAM - II.pptx it's usesLECTURE-16 EARTHEN DAM - II.pptx it's uses
LECTURE-16 EARTHEN DAM - II.pptx it's uses
CLokeshBehera123
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
Level 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical SafetyLevel 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical Safety
JoseAlbertoCariasDel
 
Introduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICSIntroduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICS
narayanaswamygdas
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
DSP and MV the Color image processing.ppt
DSP and MV the Color image processing.pptDSP and MV the Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
Mathematical foundation machine learning.pdf
Mathematical foundation machine learning.pdfMathematical foundation machine learning.pdf
Mathematical foundation machine learning.pdf
TalhaShahid49
 
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxbMain cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
SunilSingh610661
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
charlesdick1345
 
Oil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdfOil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdf
M7md3li2
 
theory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptxtheory-slides-for react for beginners.pptx
theory-slides-for react for beginners.pptx
sanchezvanessa7896
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
Metal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistryMetal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistry
mee23nu
 

SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in applications

  • 2. 2 Application Vulnerabilities SQL injection and buffer overflows are hacking techniques used to exploit weaknesses in applications. When programs are written, some parameters used in the creation of the application code can leave weaknesses in the program.
  • 3. 3 Application Vulnerabilities  SQL injection and buffer overflows are methods used to attack application and are generally caused by programming flaws.  SQL injection is a hacking method used to attack SQL databases  Buffer overflows can exist in many different types of applications.  SQL injection and buffer overflows are similar exploits in that they’re both usually delivered via a user input field.  The input field is – where a user may enter a username and password on a website, – add data to a URL, – or perform a search for a keyword in another application.
  • 4. 4 Application Vulnerabilities  Both SQL Server injection and buffer overflow vulnerabilities are caused by the same issue: – invalid parameters that are not verified by the application.  If programmers don’t take the time to validate the variables a user can enter into a variable field, the results can be serious and unpredictable.  Sophisticated hackers can exploit this vulnerability, causing an execution fault and shutdown of the system or application, or a command shell to be executed for the hacker.
  • 5. 5 Application Vulnerabilities  SQL injection and buffer overflow countermeasures are designed to utilize secure programming methods.  By changing the variables used by the application code, weaknesses in applications can be greatly minimized.
  • 6. 6 SQL Injection  Generally, the purpose of SQL injection is to convince the application to run SQL code that was not intended.  SQL injection occurs when an application processes user-provided data to create a SQL statement without first validating the input.
  • 7. 7 SQL Injection  The user input is then submitted to a web application database server for execution.  When successfully exploited, SQL injection can give an attacker access to database content or allow the hacker to remotely execute system commands.  In the worst-case scenario, the hacker can take control of the server that is hosting the database.
  • 8. 8 SQL Injection  This exploit can give a hacker access to a remote shell into the server file system.  The impact of a SQL injection attacks depends on – where the vulnerability is in the code, – how easy it is to exploit the vulnerability, – what level of access the application has to the database.  Theoretically, SQL injection can occur in any type of application, but it is most commonly associated with web applications.  The web applications are easy targets because by their very nature they are open to being accessed from the Internet.
  • 9. 9 SQL Injection  During a web application SQL injection attack, – The malicious code is inserted into a web form field – Or the website’s code to make a system execute a command shell – Or other arbitrary commands.  Just as a legitimate user enters queries and additions to the SQL database via a web form,  The hacker can insert commands to the SQL Server through the same web form field.
  • 10. 10 SQL Injection  For example: – An arbitrary command from a hacker might open a command prompt – or display a table from the database.  A database table may contain personal information such as credit card numbers, social security numbers, or passwords.  SQL Servers are very common database servers and used by many organizations to store confidential data.  This makes a SQL Server a high-value target and therefore a system that is very attractive to hackers.
  • 11. 11 Finding a SQL Injection Vulnerability  Before launching a SQL injection attack, the hacker determines whether the configuration of the database and related tables and variables is vulnerable.  The steps to determine the SQL Server’s vulnerability are as follows: 1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an “I forgot my password” form). Look for web pages that display the POST or GET HTML commands by checking the site’s source code.
  • 12. 12 Finding a SQL Injection Vulnerability 2.Test the SQL Server using single quotes (‘’). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with an error message that says use 'a'='a' (or something similar), then it’s most likely susceptible to a SQL injection attack. 3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.
  • 13. 13 Finding a SQL Injection Vulnerability  Here are some examples of variable field text you can use on a web form to test for SQL vulnerabilities: – Blah’ or 1=1-- – Login:blah’ or 1=1-- – Password::blah’ or 1=1-- – http://search/index.asp?id=blah’ or 1=1--
  • 14. 14 Finding a SQL Injection Vulnerability  These commands and similar variations may allow a user to bypass a login depending on the structure of the database.  When entered in a form field, the commands may return many rows in a table or even an entire database table because the SQL Server is interpreting the terms literally.  The double dashes near the end of the command tell SQL to ignore the rest of the command as a comment.
  • 15. 15 Finding a SQL Injection Vulnerability  Here are some examples of how to use SQL commands to take control:  To get a directory listing, type the following in a form field: – Blah‘;exec master..xp_cmdshell “dir c:*.* /s >c:directory.txt”--  To create a file, type the following in a form field: – Blah‘;exec master..xp_cmdshell “echo hacker-was-here > c: hacker.txt”--  To ping an IP address, type the following in a form field: – Blah‘;exec master..xp_cmdshell “ping 192.168.1.1”--
  • 16. 16 The Purpose of SQL Injection  SQL injection attacks are used by hackers to achieve certain results. Some SQL exploits will produce valuable user data stored in the database, and some are just precursors to other attacks.  The following are the most common purposes of a SQL injection attack:
  • 17. 17 The Purpose of SQL Injection  Identifying SQL Injection Vulnerability – The purpose is to probe a web application to discover which parameters and user input fields are vulnerable to SQL injection.  Performing Database Finger-Printing – The purpose is to discover the type and version of database that a web application is using and “fingerprint” the database. – Knowing the type and version of the database used by a web application allows an attacker to craft database specific attacks.
  • 18. 18 The Purpose of SQL Injection  Determining Database Schema – To correctly extract data from a database, the attacker often needs to know database schema information, such as table names, column names, and column data types. – This information can be used in a follow-on attack.  Extracting Data – These types of attacks employ techniques that will extract data values from the database. – Depending on the type of web application, this information could be sensitive and highly desirable to the attacker.
  • 19. 19 The Purpose of SQL Injection  Adding or Modifying Data – The purpose is to add or change information in a database.  Performing Denial of Service – These attacks are performed to shut down access to a web application, thus denying service to other users. – Attacks involving locking or dropping database tables also fall under this category.  Evading Detection – This category refers to certain attack techniques that are employed to avoid auditing and detection.
  • 20. 20 The Purpose of SQL Injection  Bypassing Authentication – The purpose is to allow the attacker to bypass database and application authentication mechanisms. – Bypassing such mechanisms could allow the attacker to assume the rights and privileges associated with another application user.  Executing Remote Commands – These types of attacks attempt to execute arbitrary commands on the database. These commands can be stored procedures or functions available to database users.  Performing Privilege Escalation – These attacks take advantage of implementation errors or logical flaws in the database in order to escalate the privileges of the attacker.
  • 21. 21 SQL Injection Using Dynamic Strings  Many functions of a SQL database receive static user input where the only variable is the user input fields.  Such statements do not change from execution to execution.  They are commonly called static SQL statements.
  • 22. 22 SQL Injection Using Dynamic Strings  Some programs must build and process a variety of SQL statements at runtime.  In many cases the full text of the statement is unknown until application execution.  Such statements can, and probably will, change from execution to execution.  So, they are called dynamic SQL statements.
  • 23. 23 SQL Injection Using Dynamic Strings  Dynamic SQL is an enhanced form of SQL that, unlike standard SQL, facilitates the automatic generation and execution of program statements.  Dynamic SQL is a term used to mean SQL code that is generated by the web application before it is executed.  Dynamic SQL is a flexible and powerful tool for creating SQL strings.
  • 24. 24 SQL Injection Using Dynamic Strings  It can be helpful when you find it necessary to write code that can adjust to varying databases, conditions, or servers.  Dynamic SQL also makes it easier to automate tasks that are repeated many times in a web application.  A hacker can attack a web-based authentication form using SQL injection through the use of dynamic strings.
  • 25. 25 SQL Injection Using Dynamic Strings  For example, the underlying code for a web authentication form on a web server may look like the following: SQLCommand = “SELECT Username FROM Users WHERE Username = ‘“ SQLCommand = SQLComand & strUsername SQLCommand = SQLComand & “‘ AND Password = ‘“ SQLCommand = SQLComand & strPassword SQLCommand = SQLComand & “‘“ strAuthCheck = GetQueryResult(SQLQuery)
  • 26. 26 SQL Injection Using Dynamic Strings  A hacker can exploit the SQL injection vulnerability by entering a login and password in the web form that uses the following variables: Username: kimberly Password: graves’ OR ‘’=’
  • 27. 27 SQL Injection Using Dynamic Strings  The SQL application would build a command string from this input as follows: SELECT Username FROM Users WHERE Username = ‘kimberly’ AND Password = ‘graves’ OR ‘’=’’
  • 28. 28 SQL Injection Using Dynamic Strings  This query will return all rows from the user’s database, regardless of whether kimberly is a real username in the database or graves is a legitimate password.  This is due to the OR statement appended to the WHERE clause.  The comparison ‘’=’’ will always return a true result, making the overall WHERE clause evaluate to true for all rows in the table.  This will enable the hacker to log in with any username and password.
  • 29. 29 SQL Injection Vulnerability Scanning  We can use the HP’s Scrawlr to test for SQL Injection Vulnerabilities 1. Download Scrawlr from www.HP.com. 2. Install Scrawlr on your Windows lab PC. 3. Open the Scrawlr program. 4. Type a target web address in the URL Of Site To Scan field: 5. Click the Start button to start the audit of the website for SQL injection vulnerabilities. 6. Once the SQL injection vulnerability scan is complete, Scrawlr will display additional hosts linked from the scanned site. It is a best practice to scan the linked sites as well as the main site to ensure no SQL injection vulnerabilities exist.
  • 30. 30 SQL Injection Countermeasures  The cause of SQL injection vulnerabilities is relatively simple and well understood: – Insufficient validation of user input.  To address this problem, defensive coding practices, such as encoding user input and validation, can be used when programming applications.  It is a laborious and time-consuming process to check all applications for SQL injection vulnerabilities.
  • 31. 31 SQL Injection Countermeasures  When implementing SQL injection countermeasures, review source code for the following programming weaknesses: – Single quotes – Lack of input validation  The first countermeasures for preventing a SQL injection attack are – Minimizing the privileges of a user’s connection to the database and – Enforcing strong passwords for SA and Administrator accounts.
  • 32. 32 SQL Injection Countermeasures  You should also disable verbose or explanatory error messages so no more information than necessary is sent to the hacker;  Such information could help them determine whether the SQL Server is vulnerable.
  • 33. 33 SQL Injection Countermeasures  Another countermeasure for preventing SQL injection is checking user data input and validating the data prior to sending the input to the application for processing.  Some countermeasures to SQL injection are – Rejecting known bad input – Sanitizing and validating the input field
  • 34. 34 Buffer Overflows  As an ethical hacker; – You must be able to identify different types of buffer overflows. – You should also know how to detect a buffer overflow vulnerability and understand the steps a hacker may use to perform a stack- based overflow attack.
  • 35. 35 Types of Buffer Overflows  Buffer overflows are exploits that hackers use against an operating system or application;  like SQL injection attacks, they’re usually targeted at user input fields.  A buffer overflow exploit causes – a system to fail by overloading memory – or executing a command shell – or arbitrary code on the target system.
  • 36. 36 Types of Buffer Overflows  A buffer overflow vulnerability is caused by – a lack of bounds checking – or a lack of input-validation sanitization in a variable field (such as on a web form).  If the application doesn’t check or validate the size or format of a variable before sending it to be stored in memory, an overflow vulnerability exits.  The two types of buffer overflows are – stack based – heap based.
  • 37. 37 Types of Buffer Overflows  The stack and the heap are storage locations for user-supplied variables within a running program.  Variables are stored in the stack or heap until the program needs them. – Stacks are static locations of memory address space. – Heaps are dynamic memory address spaces that occur while a program is running.  A heap-based buffer overflow occurs in the lower part of the memory and overwrites other dynamic variables.
  • 38. 38 Types of Buffer Overflows
  • 39. 39 Types of Buffer Overflows  A call stack, or stack, is used to keep track of where in the programming code the execution pointer should return after each portion of the code is executed.  A stack-based buffer overflow attack occurs when the memory assigned to each execution routine is overflowed.  As a consequence of both types of buffer overflows, – A program can open a shell or – command prompt or stop the execution of a program.
  • 40. 40 Types of Buffer Overflows
  • 41. 41 Types of Buffer Overflows  To detect program buffer overflow vulnerabilities that result from poorly written source code, – a hacker sends large amounts of data to the application via a form field – and sees what the program does as a result.
  • 42. 42 Types of Buffer Overflows  The following are the steps a hacker uses to execute a stack-based buffer overflow: 1. Enter a variable into the buffer to exhaust the amount of memory in the stack. 2. Enter more data than the buffer has allocated in memory for that variable, which causes the memory to overflow or run into the memory space for the next process. Then, add another variable, and overwrite the return pointer that tells the program where to return to after executing the variable.
  • 43. 43 Types of Buffer Overflows 3. A program executes this malicious code variable and then uses the return pointer to get back to the next line of executable code. If the hacker successfully overwrites the pointer, the program executes the hacker’s code instead of the program code.  Most hackers don’t need to be this familiar with the details of buffer overflows.  Prewritten exploits can be found on the Internet and are exchanged between hacker groups (example: Metasploit).
  • 44. 44 Buffer Overflow Countermeasures  Hackers can graduate from standard buffer overflows to redirecting the return pointer to the code of their choosing.  A hacker must know the exact memory address and the size of the stack in order to make the return pointer execute their code.  A hacker can use a No Operation (NOP) instruction, which is just padding to move the instruction pointer and does not execute any code.  The NOP instruction is added to a string before the malicious code to be executed.
  • 45. 45 Buffer Overflow Countermeasures  If an intrusion detection system (IDS) is present on the network, it can thwart (not allowed) a hacker who sends a series of NOP instructions to forward to the instruction pointer.  To bypass the IDS, the hacker can randomly replace some of the NOP instructions with equivalent pieces of code, such as x++,x-;? NOPNOP.  This example of a mutated buffer overflow attack can bypass detection by an IDS.
  • 46. 46 Buffer Overflow Countermeasures  Programmers should not use the built-in strcpy(), strcat(), and streadd() C/C++ functions because they are susceptible to buffer overflows.  Alternatively, Java can be used as the programming language since Java is not susceptible to buffer overflows.