Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Pichaya Morimoto (pichaya@ieee.org, fb.com/index.htmli, linkedin.com/in/pich4ya)
Thailand PHP User Group Meetup, January 28, 2015
Overview
★ What is Active Record?
★ Secure by Design?
★ Case Studies
★ Exploitation
★ Input Validation
★ Defence-in-Depth
★ Conclusion
What is Active Record?
The active record pattern is an approach to accessing data in a database: a database table or view is wrapped into a class, so an object instance is tied to a row (or rows) in the table.
PHP frameworks bundle their own ORM or query builder, several of them implementing the active record pattern: for example Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter (whose query builder is literally called Active Record) and Yii. Typical usage looks like this (CodeIgniter style):

```php
// Build the query step by step; the builder quotes identifiers and values for us
$this->db->select('title, content, date');
$this->db->from('table1');
$this->db->where('id', $id);   // $id is escaped as a value by the builder
$rows = $this->db->get()->result();
```

Source: https://en.wikipedia.org/wiki/Active_record_pattern
Case Study #1
Get rows from table 'news' and order them by the user-supplied 'sort' parameter.
PHP Framework: CodeIgniter 2.2
Hacker is here, where is the SQLi?
SQL Injection Pwnage
★ SQLMap == Failed
★ Acunetix == Failed
★ Havij == Failed
★ ' or '1'='1, union all select blah blah blah == Failed
Pwned!
Keep calm and Think Again
What if the error message is turned off, is it still vulnerable? (See also: http://slideshare.net/pichayaa/sql-injection-owaspthailand)
Numeric = [Integer, Double, Hex, ...]
A "numeric" check is broader than an integer check: in PHP 5, is_numeric() also accepts hex strings such as 0x31 (PHP 7 stopped accepting hex, but still accepts floats and exponent notation such as 1e3). The id value shown above is the hex encoding of "1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws(0x3a,username,password) from ci220news_db", and the data field it lands in is of varchar type.
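The following is an added example, not code from the talk or from CodeIgniter: it contrasts the loose is_numeric() check with a strict decimal-integer check and then binds the validated id as a typed parameter. The table schema, column names and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the talk): validating an "id" parameter.
// PHP 5's is_numeric() accepts hex strings such as "0x31" and exponent forms
// such as "1e3"; PHP 7 dropped hex but still accepts "1e3" and "1.5".
// FILTER_VALIDATE_INT only accepts decimal integers.
// Table name, column names and sample inputs are assumptions for this demo.

declare(strict_types=1);

/**
 * Return the id as an int if $raw is a plain decimal integer >= 1, else null.
 * "0x31", "1e3", "1.5" and "1 and 1>2" are all rejected.
 */
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one news row by id. Validation alone is not the defence: the value is
 * still bound as an integer parameter, so it is never concatenated into SQL.
 */
function fetch_news(PDO $db, string $raw): ?array
{
    $id = validate_id($raw);
    if ($id === null) {
        return null; // reject, log, and answer 400 in a real controller
    }
    $stmt = $db->prepare('SELECT id, title, data FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture (assumed schema: id int, title text, data varchar).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, data TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'hello', 'first post')");

// Compare the weak check the talk warns about with the strict one.
$inputs = ['1', '0x31', '1e3', '1.5', '1 and 1>2'];
foreach ($inputs as $raw) {
    printf(
        "%-12s is_numeric=%-5s validate_id=%s\n",
        var_export($raw, true),
        var_export(is_numeric($raw), true),
        var_export(validate_id($raw), true)
    );
}

var_dump(fetch_news($db, '1'));     // row with id=1
var_dump(fetch_news($db, '0x31'));  // NULL: rejected before any SQL runs
```

Run it on PHP 5 and PHP 7+ and only the is_numeric('0x31') line changes; validate_id() rejects the hex form on both, and the bound PDO::PARAM_INT parameter is what keeps the query safe even if a future check is loosened.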
OWASP Proactive Controls
A list of security techniques that should be included in every software development project:
★ Parameterize Queries
★ Implement Logging, Error Handling and Intrusion Detection
★ Leverage Security Features of Frameworks and Security Libraries
and more: https://www.owasp.org/index.php/OWASP_Proactive_Controls
ProTip: PHP cannot parameterize the 'ORDER BY' clause ;) Because the sort column isn't data, it is an identifier (a column name), and prepared statements (PDO, mysqli) only bind values. A bound column name becomes a string constant, so the query runs but sorts nothing. Validate the sort parameter against an allowlist of column names before splicing it into the query.
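An added example for case study #1 and the ProTip above; it is not code from the talk or from CodeIgniter. It shows why binding the sort column as a parameter does not sort, and the allowlist that should replace it. The schema, the SORTABLE_COLUMNS list and the sample rows are constructed for the demo.

```php
<?php
// Added example (not from the talk): the ORDER BY column for case study #1.
// Binding the sort column as a prepared-statement parameter does not inject,
// but it does not sort either: the bound value is a string constant, so every
// row gets the same key. The fix is an allowlist of column names, applied
// before the name is spliced into SQL. Schema and inputs are constructed.

declare(strict_types=1);

const SORTABLE_COLUMNS = ['id', 'title', 'date'];   // assumed sortable columns

/**
 * Map a user-supplied sort parameter to a known column name, or fail.
 * The returned string is one of our own literals, never the user's bytes.
 */
function sort_column(string $requested): string
{
    $key = array_search($requested, SORTABLE_COLUMNS, true);
    if ($key === false) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return SORTABLE_COLUMNS[$key];
}

/** Return the titles of all news rows, sorted by an allowlisted column. */
function list_news(PDO $db, string $sort, bool $desc = false): array
{
    $column = sort_column($sort);        // identifier: allowlisted
    $dir    = $desc ? 'DESC' : 'ASC';    // keyword: chosen by us, not by input
    // Double-quoted identifiers are standard SQL/SQLite; MySQL uses backticks.
    $stmt = $db->query("SELECT title FROM news ORDER BY \"$column\" $dir");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** The tempting-but-wrong version: bind the column name as a parameter. */
function list_news_bound(PDO $db, string $sort): array
{
    $stmt = $db->prepare('SELECT title FROM news ORDER BY :sort');
    $stmt->execute([':sort' => $sort]);  // :sort is a constant, not a column
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory fixture.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, date TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'beta', '2015-01-28'), (2, 'alpha', '2015-01-01')");

print_r(list_news($db, 'title'));         // alpha, beta
print_r(list_news($db, 'date', true));    // beta, alpha
print_r(list_news_bound($db, 'title'));   // beta, alpha: sorted by a constant
try {
    list_news($db, 'title; DROP TABLE news');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allowlist also decides the direction keyword (ASC/DESC) from a boolean rather than from the request string, so no part of ORDER BY is ever built from user bytes; the same approach applies to a framework's order_by() helper, which in CodeIgniter 2.2 is the spot the case study targets.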
Defence-in-Depth
A layered approach to security can be implemented at any level of a complete information security strategy:
★ Secure Coding in software requirements
★ OS Hardening, reduce attack surface
★ Perimeter Security (Network Firewall, IPS/IDS)
★ Centralized Log Server / SIEM
★ Patch / Vulnerability Management System
★ Incident Response Plans
★ Web Application Firewall
Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/