
I want to thank the sponsors today; I won't comment on that too much. So today we're going to talk about SQL injection attacks and how to defend against them if you're a software developer, because for me this is important: I am a software developer. I work at a corporation, on a small team of people, writing software across various different things. For the last five years I've been doing Rails and Java services and applications, and I've got about a year of security experience. So when I say security experience, for me it's not typical security experience; we're building tools to kind of measure some security stuff here at CERN ourselves. It's not common penetration testing or the other security things some of you probably do. So what that comes down to is that my experiences so far are all relatively new, so most of what you'll see today is what I learned as a developer getting a mild introduction into injection.

So the agenda: we'll start by talking about what SQL injection is, just in case, but it's going to be real brief, so if you already know, you can check out for the next two minutes and you'll be okay. Then I'll show you some basic vulnerabilities, because that's really what it is: as developers we want to see what our code looks like that makes it vulnerable, and you'd be surprised how easy that is in some cases. I'll show you how to do injection manually, in a really crude fashion that is going to make it really hard to find anything important, and then automated tools, which is why you're here: you want to see the tools, right. Then how we fix it, and I'll show the tool run against that fix, and then we'll have questions at the end.

So let's start with what it is. Here's the big wall of text that everybody loves to see; we don't have time to read that, so let's just skip right past it. Here's
what it really is: we're going to append some SQL commands to the end of some input that this program is expecting from us. So if the code is saying select user ID and name from the users table where the name is Andy, what we're doing is just adding some extra to it, in this case OR 1=1. This effectively turns this SQL command into one where everything qualifies as true, and we get everything every time. Does that make sense?

There's an awesome xkcd that also explains this; I kind of put this in every presentation on SQL injection, because in my opinion it's really great. Effectively they named their kid Robert'); DROP TABLE Students;-- and then the school called and said hey, we have a problem with your kid; what did he do? Well, you dropped all the tables in our database. Oh, Little Bobby Tables, we call him, because every school he goes to, all the tables get dropped, because they haven't sanitized their inputs.

So let's quickly cover why SQL injection matters. Every time the OWASP Top 10 has come out, in 2010, 2013 and 2017, injection is number one on the list. It's unfortunate that it's the same every time; the list doesn't change very much, but this one's always at the top. So that's one of the biggest reasons why it matters. I found this awesome Hall of Shame website; I'll post my slides later so you can see the URLs. This one just quickly shows a bunch of different attacks that have happened; the screenshot shows the last six months or so and what they were. You can see some big names on this list. This website is cool because you get to see anybody that had SQL injection somewhere in their breach, and you can see how often this actually happens in the
world. So why does this still happen, right? Because it's been around for a long time. Typically, and you heard this this morning if you were in the keynote or one of the other talks, you have a Kickstarter campaign for something you're going to create, an IoT device; you put it out on the internet and then you just shut down and sell it off to somebody; you had some PCBs, they can build your product, and you're done. In other cases it's a big enterprise that has been around for a while, but in some cases there's just a lack of focus on security in development. It's not typically something that comes up in code reviews: I can probably count on my hands the number of times SQL injection or other security things have come up in a code review, and I've been doing this for a long time. I'm curious if anybody disagrees with me; I'd love to hear it, come talk to me afterwards, because from what I've seen it's just not a thing that happens, and I'd love to hear how to make that better for everything I work on.

So we have all these guides on security; everybody sees here's what I shouldn't be doing, in the Rails community, Java, Hibernate, or other libraries. There's a whole site, actually: the Little Bobby Tables reference we just looked at has a website (bobby-tables.com), and it's got 10 to 12 languages on that site. It goes through and references a bunch of different ways to do injection for Python, Java, really just any of the languages, and goes through how to do it right. So we have this bad practice where we read about the functionality and then we don't go read the rest of the API docs on how to use it securely, right. So as a developer it's like, oh, it's done, ship it; oh, I didn't do it how I should have, because I didn't read all this stuff. It's just our mindset: we get things done quickly and get them out the door, because that's what makes people happy, to think about functionality. And we have new people that join all the time and they just have a lack of awareness, so it's your responsibility as engineers to try to teach each other and make ourselves better. So that's why it's been happening, in my opinion, from some research I've done.

So let's quickly look at what code looks like that's vulnerable. Is anybody familiar with Ruby on Rails? Are there a lot of developers here? I actually don't know. Okay, so
that's a good number. So if you're writing Ruby on Rails, this is a very, very basic vulnerability. Here I'm just writing a SQL string, and the SQL statement, if you look at it, is SELECT * FROM users WHERE id = and then params[:id]. We're just taking the direct user input and putting it right into the SQL statement, so this is very exploitable, returning by ID, and the same thing for first name. I've created this whole little database that's just a users table for this example, and you'll get all this code later, so you can see it.

There's also an interesting website about Rails SQL injection which talks about a bunch of different things you can expose when you're building with Rails. I found this one interesting because I didn't realize it: some of the methods I use somewhat more regularly, and calculate may not be one I use, but there are others; when you run calculate you can pass an actual column as the second parameter, and that column itself is never sanitized by Rails. You have to do that on your own and call other methods to sanitize it before you do anything with it. This is a pretty common practice in Rails: there are lots of methods, select and the like, where you pass the table or column you want, and none of those things are ever sanitized. You have to do that manually, which is not what I would expect from a DSL, in this case Rails.

The same thing holds true for Java. Are there Java developers here? Yeah. So if you're writing Java and building web services in Java, the very same kind of vulnerability exists. If you look at this middle block, all we do is concatenate a big string with some vulnerable parameters in there: ID, username, first name, last name. All of those are vulnerable in this code, and if somebody passes us something potentially malicious at an injection point, they'd all be impacted.

Okay, so now that you see those things are injectable, you kind of know what we can inject. So let's look at manual injection. When I talk about manual injection I'm not going to use any cool tools; I'm just going to use my knowledge of the API. In a lot of cases, if you're familiar with Swagger: Swagger is great because I can see everything that's available on an API. It's great for developers, it's great for people that are coding against your API, and it's really great for people that are trying to take
advantage of your API if it's vulnerable, because they can see all your endpoints, all your parameters, everything, in plain text on a screen. They may find it other ways too, but this way is easy for them. And then there's Postman. Postman just allows me to make requests to a web service, really straightforward and easy. So the first endpoint we're going to hit, if you were to pull my code down locally, you just hit localhost and then the users basic injection endpoint. I've got a little recording of all my stuff. You can see I hit that and it just returns the 100 users that I've seeded in my database, so in this case I got all my data back. You can see the first guy's name; it's all fake data, it just got generated. So we hit this and get all that data back. Now, if we wanted to get a single user, if you're not familiar, you add query parameters, and we've got ID, first name, last name; when we do the get, we get those people back based on that. So in this case I get a single user back just by ID, in this case the ID is 1, and you get that guy back. Then we can do the same thing with first name and get that back, and the same with last name and get the same back. You can see we're just able to hit a REST endpoint and get all this data back; that's important.

So now I want to do the actual injection. In this case we're going to change up our query parameters: instead of just passing id=1, I'm going to give it 1 OR 1=1, so, like we did earlier, we're saying give me everything, effectively, if this statement evaluates to true. So if we do this through Postman again; I changed this last parameter; sorry, I should have typed faster, the demo is slow, maybe it's slow for good reason. You can see I've changed this parameter to 1 OR 1=1, and you can see now I've got all the data back. So we know immediately, as a developer or as somebody that's trying to attack your code, that I can inject on that parameter. I can test the other parameters too, in this case first name, because we know first name is also injectable, and you can see all I did is append OR 1=1. Then if we change to last name, in this case we made this parameter not injectable, so this just shows you: if I add OR 1=1 (sorry, next slide), so in last name we add OR 1=1, and you can see I hit this with last name and I don't get any data back in this case, because it disqualified the entire query. So that kind of shows you quickly how you can do that manually, with just some attempts at it. Nobody's ever going to get a significant amount of value out of doing this by hand, because most of the time you're not going to know
immediately what you're trying to get and what you're trying to gather; what they're going to do is use some automated tool, right. So let's talk about the hard way, sorry, the automated way. When I talk about this, I'm talking about the hacker tools part of my talk description, because that's why you guys are here: you want to see the hacker tools, right. There are a couple out there, but really, as you look through these, the one that stands out to me is called sqlmap, and the reasons are as follows, the biggest ones being that I can run it from my console locally. It's also included with Metasploit, so if you use Metasploit regularly, it's already installed and you can use it there. It supports almost every major database I would use, between MySQL, SQL Server and Postgres; the list is long. It'll enumerate all your users, so you can start extracting data out just based on the set of users that are in the database. It supports a handful of different techniques: when you look at doing SQL injection there are boolean-based blind, error-based, UNION query-based, stacked queries and time-based blind, and those are all techniques supported by this tool. It's pretty feature-rich; we're going to see what the features are in a second, and you'll see how you can just absolutely take over some of these databases without really even knowing that's happened. And this tool has so many features and is really well maintained: when I was creating this slide the other day, I think there had been a push to master in their GitHub repo three or four days ago, so they're constantly developing this thing. As new things come out this tool is constantly evolving, and it's an open source tool that people can use; it's not stuff behind closed doors that somebody created on their own and is working through on their own. It's really well written, with tutorials and instructions. As a developer I had never used this tool until two months ago, and I was able to figure out everything I would ever want to do with it almost immediately. So as developers, we're going to be under attack by things like this the second we're running and available. So let's get at it.

Okay, let's look at usage. The first thing we need is a target. In this case we know our target already, because we found it earlier: it's id and first_name; those two parameters are the ones that are going to be susceptible to getting data out via SQL injection. So we're going to use the -u option; it's actually sqlmap -u and then that entire query string. Then there are other flags you can give it; in some of these cases I'm using them and I'll talk about them, but verbosity is the one I use primarily; I used verbosity level 4 for everything I did for this presentation, but it goes 1 to 5. Then there's a risk level; I was tempted to try it out for this, but there are three levels of risk: 1 is the default, and you get a bunch of data with 1; 2 and 3 are really where it looks like you can start taking the data and doing more things. I didn't investigate those too much for this talk. And if you already know the database, you can target that database, which makes your queries and the injection a little bit faster because it doesn't have to detect what's going on. I'll let you guys go read more about sqlmap, because, like I said, they have great usage documentation.

So let's look at this demo real quick. So, we run that command, and,
sorry, I should preface this briefly: I just have two consoles side by side. On the left-hand side I've got my application service, vulnerable-rails is what I call this service, just running in the console, and what you're going to see are the logs from that being piped to the console. On the right you're going to see the sqlmap tool with all the commands I'm running, so you can see them side by side, watch the logs spin by, and really quickly see what's happening behind the scenes as well as in the sqlmap tool. So here I type sqlmap and give it my URL with those parameters; I copy-pasted it in there. Then I gave it verbosity 4, and then the other options: --flush-session, because I had done something earlier and wanted to make sure it redid things, and --batch, which just accepts all the default prompts, because I didn't care about the prompts and otherwise you have to answer them. As soon as you run this there's certainly output; in this case our output, which you can see on the right, is just a spew of data, and it's not easy to immediately understand what's going on. If you scroll up, what it's doing is hitting your service with some payloads. We can go over and look at our service, and we can see immediately in our access logs that it hit that payload, and this payload is what's causing the injection against whatever query parameter it's testing, in this case. If we scroll all the way down we can see more logs, and you see here it says the id parameter is actually injectable; it identifies it and even tells you immediately which parameter at that endpoint is injectable. If we scroll all the way to the bottom, it gives you a breakdown of where you should basically go next, and it keeps all this in its session, so when you come back and start using sqlmap the next time you don't have to redo anything; it stores it all, which is why I flushed the session earlier to reset it. So what you can see here: if you look at GET parameter id, it tells you what type it used, in that case boolean-based blind, and then tells you the payload it used; and if you look down, it also found it could do a UNION query and tells you the payload for that one. So we know now that this is injectable, and it also found out what my database is, based on the commands it ran behind the scenes. I think it ran, sorry, I don't have the exact number; it'll tell you how many different payloads it sent to your URL, and you can get that data from there to see what it did. So this is awesome, right? Now we've got success: we can inject, run this against it and do some more malicious things. It identified the injectable parameter, so let's exfiltrate the data, because that's what we as attackers
want to do, right. So first, find all the databases. This is what we want to do first: use the --dbs option to list all the databases. This is where we'll talk about prevention tips later, but all of this depends on whether the session user has read access; we'll talk about least privilege in a bit. So we just give it --dbs along with the rest of what we did earlier: the same command as before, except we add --dbs. You can see it prints out more stuff; it doesn't have to do all the same things it looked up earlier because it still has the same session, and you can see really quickly the two available databases: information_schema and security_db in this case. I know I'm going to go into security_db; that's the name I created for this specific presentation. information_schema doesn't sound very important to me, but what does is security_db.

So we want to list all the tables in this database: you give it --tables, and then you give it your database with -D. You'll see down here on the right: -D security_db --tables, and it printed all the tables I care about. As a Rails developer I know I don't care about ar_internal_metadata or schema_migrations; those aren't important. I care about users, right; we, as people that are trying to attack things, are looking for user information, what kind of data we can get out of there. So we want the columns, so we know what data we can get out: --columns. This API reads really easily, similar to how we listed the tables; in this case I just want to see what the columns are, so --columns on the users table with -T users. So we appended that to our statement, and now you can see it printed all the columns in this table. First you're going to find that the engineer that did this wrote phone number wrong; I have a typo, so you can see that one quickly. But what we also see is we've got usernames and passwords. They're stored in this one table, and more often than not this is how databases are, this is how simply databases get created, and in all these companies that have been breached we're finding passwords in plain text in tables just like this. So the first thing you want to look at is maybe having a different model for your password storage mechanism.

If we continue along here, we're going to dump the data; that's what the people doing the hacking are trying to get, this data. It's --dump; you can actually print it constantly, and there are all kinds of different ways you can get it. So again, appending to our statement, it's just --dump, so we dump this out, and here I give it the columns I want to display, name and password, just the ones I care about; in this case I should have used username. And you can see really quickly, here's all the data from that database. That's how easy it is: me as a developer making one small mistake in my development.

[Audience question: where should that be stored, and how?] So that's a good question; I don't know the right answer to that question. I just don't think it should be unencrypted information; it should be encrypted somewhere. I just don't have
the right answer for that. So if you actually want to attend, Matt Randall is giving a talk shortly about this; hey, yeah, there he is in the back. What's up, Matt? [Matt, from the audience:] You actually just want to hash and salt them, and in particular the algorithms called scrypt and bcrypt; they're hashing algorithms that are made to be computationally expensive. Just go online and look up bcrypt and how to salt and hash passwords. I find that where you physically store them doesn't matter as much; the system is fine as long as you do that. [Speaker:] So as long as you're doing that, and you're making some good choices on those types of things. So thanks, Matt, for that. What you'll run into still, though, is that they have your data, and if users were using this anywhere else, then they can go and try to figure out things based on reuse everywhere.

So this is awesome, right; this is the data people are looking for when they're trying to hack into our systems, so we want to fix these things, we want to prevent them, right. And what's really funny about this is it's actually really easy and just commonly overlooked. In Rails they have a whole API on find; in this case it's just passing around hash values, and explicitly in this case it's just using where, saying id is the id coming through params. So it's really easy; like I said, it's not very hard at all. Java, same way: in this case we're using prepared statements, and it's just a matter of giving it a set of question marks and then, below, setting the strings. Now these are all going to depend on what libraries you use, for obvious reasons: if you use Hibernate or any other library, you need to go read and see exactly how to use prepared statements. But if we rerun sqlmap now that we've changed that, what we're going to see: I changed the API to the non-injectable users endpoint, and if I rerun this thing, you can see it does all the same things we did before, except now at the very end it says it couldn't find any injectable parameters based on what it knows. So as developers, that's what we want to see. So as developers, use this tool and run it against your services; you don't have to wait for penetration testing to go test things.

So let's look at some action items I'm going to take away from today. First of all, understand the security concerns of the technology you're using and developing with. If you don't read anything else, if you don't read the security documentation for it, you or the people you're working with are going to have one more vulnerability somewhere. Always use language-specific prepared statements; I showed those in Java; it's not called prepared statements in Rails, but it's very similar. And never, never trust user input; no matter what it is, you're going to run into some problems, because users are going to be malicious somewhere down the road; they're going to give you something that might get executed as code. Code reviews: as developers this is probably the number one problem I have with development in general; most people don't spend enough time on code reviews, just looking at code and understanding what it does, and making sure we understand what kinds of things we should be looking for. For me as a developer this is one thing I focus on, and I push my team to do the same thing. And then we talked about least privilege a little bit ago: if we had just locked down our user, from a developer perspective, to not be able to see all those other things, there's potential that it wouldn't have been able to get all of that. In this case it was just a single database with a single table in it, but if we had everything stored in a single MySQL instance we
could have gotten to everything at that point. So by locking down the users that have access to individual things, we lock that down. So I'm going to take some time for questions real quick; we've got like two or three minutes. Does anybody else have a question? If not, I'm more than happy to talk afterwards.

[Audience question: are there any third-party services you'd recommend?] Whatever the world is, hire a penetration tester. They're going to do way more than this, but they're going to be the guys that have the experience. There are a couple of security companies in the back; those guys do penetration testing, and they regularly, you know, take down applications. There are other companies here today too, for what's called dynamic testing, which is definitely what I'd try to buy if you want to test that way, and also static analysis, which is more of a code tool. So if you have any questions after this, you can reach me on Twitter. And if you want to see this code, there are a few things I haven't committed, but this is my repo and you can go see it right there. It's a pretty trivial project; it's all set up with docker-compose, so you don't actually have to have Ruby or Rails or anything; hopefully, if you have Docker, you can have it up and running in a couple of minutes. This is where I said I'm going to tweak it quite a bit, but I'll get it updated and pushed. And if you have any feedback, here's the QR code for feedback; I appreciate feedback and comments. Thank you.
[Applause]
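Worked example, added by the editor and not part of the talk or the speaker's vulnerable-rails repo: the id / first_name demo from the talk, rebuilt in Python against the standard-library sqlite3 module so it runs offline with no Rails app, database server or Postman. The users table, its three rows and the function names are constructed for this example. The vulnerable functions build the query by string interpolation, as the Rails and Java snippets in the talk do; the safe ones bind the value as a parameter, which is the job the hash form of where in Rails and PreparedStatement in Java do for you.

```python
"""Added example (not the speaker's code): the id / first_name demo from the
talk, rebuilt on Python's stdlib sqlite3 so it runs offline. The users table,
its rows and the helper names are constructed here; the real demo used a
seeded Rails app with 100 fake users."""
import sqlite3

SAMPLE_USERS = [  # constructed data, not the talk's seed data
    (1, "Andy", "Smith", "asmith", "hunter2"),
    (2, "Beth", "Jones", "bjones", "letmein"),
    (3, "Carl", "Lee", "clee", "password1"),
]


def setup_db():
    """In-memory database shaped like the users table sqlmap enumerated."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


# --- vulnerable: the query text is built by interpolating the raw parameter,
# which is exactly what the Rails and Java snippets in the talk do.
def find_by_id_vulnerable(conn, user_id):
    sql = f"SELECT id, first_name FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def find_by_first_name_vulnerable(conn, first_name):
    sql = f"SELECT id, first_name FROM users WHERE first_name = '{first_name}'"
    return conn.execute(sql).fetchall()


# --- fixed: the value travels as a bound parameter. The SQL text is fixed
# before the value is seen, so "1 OR 1=1" is compared against the id column
# as one literal value and matches nothing instead of rewriting the WHERE.
def find_by_id_safe(conn, user_id):
    return conn.execute(
        "SELECT id, first_name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def find_by_first_name_safe(conn, first_name):
    return conn.execute(
        "SELECT id, first_name FROM users WHERE first_name = ?", (first_name,)
    ).fetchall()


def demo():
    """Run the talk's payloads against both versions; returns the results."""
    conn = setup_db()
    return {
        # the manual Postman test: id=1 OR 1=1 returns every user
        "vuln_id_tautology": len(find_by_id_vulnerable(conn, "1 OR 1=1")),
        # a string column needs a quote to break out, then the same tautology
        "vuln_name_tautology": len(find_by_first_name_vulnerable(conn, "x' OR '1'='1")),
        # UNION-based extraction: the technique sqlmap reported before --dump
        "vuln_union": find_by_id_vulnerable(conn, "0 UNION SELECT username, password FROM users"),
        # the same payloads against the parameterized versions
        "safe_id_tautology": len(find_by_id_safe(conn, "1 OR 1=1")),
        "safe_name_tautology": len(find_by_first_name_safe(conn, "x' OR '1'='1")),
        # a normal request still works; query-string values arrive as strings
        "safe_id_normal": find_by_id_safe(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the tautology payloads return every row from the interpolated versions and nothing from the parameterized ones; the UNION payload on id pulls the username and password columns straight out of the same table, which is the path sqlmap's --dump took in the talk. The parameterized id lookup still matches the string "1" because SQLite applies the column's numeric affinity to the bound text, while "1 OR 1=1" is not a number and so never compares equal.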
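A second added example (the editor's, not from the talk): the speaker points at the vulnerable-rails access log to show the payloads sqlmap was sending. This is a small checker that pulls the query-string parameters out of combined-format access log lines, percent-decodes them, and labels values that look like the injection techniques the talk lists (tautology, boolean-based blind probes, UNION queries, stacked or time-based queries, comment terminators). The log lines are constructed for the example; the rules are a heuristic, not sqlmap's payload list, and a legitimate apostrophe (O'Brien) is included to show it is not flagged.

```python
"""Added example (not the speaker's code): a checker for the kind of payloads
that showed up in the vulnerable-rails access log while sqlmap ran.
The log lines below are constructed in nginx/Apache combined format; the rule
list is a heuristic, not sqlmap's actual payload set."""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2018:14:02:01 -0500] "GET /users/basic_injection?id=1 HTTP/1.1" 200 512 "-" "PostmanRuntime/7.1"
127.0.0.1 - - [10/Oct/2018:14:02:07 -0500] "GET /users/basic_injection?id=1%20OR%201%3D1 HTTP/1.1" 200 40960 "-" "PostmanRuntime/7.1"
127.0.0.1 - - [10/Oct/2018:14:03:15 -0500] "GET /users/basic_injection?id=1%20AND%209184%3D9184 HTTP/1.1" 200 512 "-" "sqlmap/1.2"
127.0.0.1 - - [10/Oct/2018:14:03:16 -0500] "GET /users/basic_injection?first_name=Andy%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 0 "-" "sqlmap/1.2"
127.0.0.1 - - [10/Oct/2018:14:04:00 -0500] "GET /users/basic_injection?last_name=O%27Brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# request line, status, bytes, referer, user agent (combined log format)
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule is named after one of the techniques listed in the talk.
RULES = [
    ("tautology", re.compile(r"\bOR\b\s+\S+\s*=\s*\S+", re.I)),
    ("boolean-blind probe", re.compile(r"\bAND\b\s+\d+\s*=\s*\d+", re.I)),
    ("union-based", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("stacked/time-based", re.compile(r";\s*\w|\bSLEEP\s*\(|\bWAITFOR\b", re.I)),
    ("comment terminator", re.compile(r"--\s|/\*")),
]


def is_scanner_ua(user_agent):
    """sqlmap identifies itself in the User-Agent unless told not to."""
    return "sqlmap" in user_agent.lower()


def scan_log(text):
    """Return one finding per (line, parameter) whose decoded value hits a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qsl percent-decodes, so "1%20OR%201%3D1" becomes "1 OR 1=1"
        params = parse_qsl(urlsplit(m.group("target")).query)
        for name, value in params:
            hits = [label for label, rx in RULES if rx.search(value)]
            if hits:
                findings.append({
                    "line": lineno,
                    "param": name,
                    "value": value,
                    "rules": hits,
                    "scanner_ua": is_scanner_ua(m.group("ua")),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The manual Postman tautology, the boolean-blind probe and the UNION probe are flagged with the technique name and the decoded value, and the sqlmap requests are additionally marked by User-Agent; the plain id=1 request and the O'Brien lookup pass through, which is the false-positive check to keep in mind before turning a rule like this into a block.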