CHAPTER 8 SQL INJECTION

COMMAND INJECTION ATTACKS CAN PUT YOU OUT OF BUSINESS

SQL injection and other types of command injection attacks can ruin entire businesses. For example, an SQL injection attack was revealed in June 2005 in which a credit card payment processing company called CardSystems had 263,000 credit card numbers stolen from its database. Even worse, since the credit card numbers were stored in its database in an unencrypted form, over 40 million credit card numbers were potentially exposed to the attack! The attack was arguably the worst cyber-attack of all time at the time of writing this book, and was investigated by Congress and the FTC. CardSystems lost large amounts of business and its assets were acquired by another company.

In addition, awareness of SQL injection vulnerabilities seems to be on the rise. In the first half of 2004, there were 57 SQL injection vulnerabilities reported to the BugTraq security vulnerability mailing list (www.securityfocus.com/archive/1), and that number more than tripled to 194 during the first half of 2005 (Ng 2006). In this chapter, we show how SQL injection attacks work and discuss how they can be prevented.
8.1. Attack Scenario
In this section, we outline an example attack scenario for SQL injection. SQL (Structured Query Language) is the language that most relational databases provide as the means for applications to communicate with the database.[1] Programs can use an SQL statement to specify what data they want the database to retrieve or update. Given an SQL statement, the database determines how to efficiently obtain or modify the relevant data, and returns the results to the program.

An SQL injection attack is possible if an application uses data that can be controlled by an attacker as part of an SQL query. The attacker may be able to submit specially crafted input, such that the query that is sent to the database is interpreted by the database differently from what the programmer intended.

Suppose the pizza-ordering application from the previous chapter includes a feature that allows users to review the orders they have made in a given month. The user is presented with the form in Figure 8-1, which allows her to enter the month for which she would like to see past orders.

Figure 8-1. The pizza order review form

When the form is submitted, it results in an HTTP request to the web application that includes the month as a query parameter, for example, 10 for October.
    https://www.deliver-me-pizza.com/show_orders?month=10

When receiving such a request, the application constructs an SQL query as follows:[2]

    sql_query = "SELECT pizza, toppings, quantity, order_day " +
                "FROM orders " +
                "WHERE userid=" + session.getCurrentUserId() + " " +
                "AND order_month=" + request.getParameter("month");

This query instructs the database to retrieve from the orders table the columns containing the name of the ordered pizza, its toppings, the order quantity, and the day of the month the order was placed. Furthermore, only those rows are to be returned for which the user who placed the order matches the currently logged-in user, and that correspond to an order made in the requested month. For example, the preceding HTTP request would result in the following string being assigned to the variable sql_query (assuming the current user's user-id is 4123):

    SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10

The application then executes the query and retrieves the result set. It then inserts the data returned into an HTML table to be returned to the user's browser as part of the resulting web page shown in Figure 8-2.

    <TABLE>
    <TR><TD>Pizza</TD> <TD>Toppings</TD> <TD>Quantity</TD> <TD>Order Day</TD> </TR>
    <TR><TD>Diavola</TD> <TD>Tomato, Mozzarella, Pepperoni, ...</TD> <TD>2</TD> <TD>12</TD> </TR>
    <TR><TD>Napoli</TD> <TD>Tomato, Mozzarella, Anchovies, ...</TD> <TD>1</TD> <TD>17</TD> </TR>
    </TABLE>

Figure 8-2. Pizza order history

How can this feature in the application be attacked? We note that the application does not perform any input validation on the query parameter month. In particular, we don't verify or enforce that the parameter is a string representing an integer; rather, we accept arbitrary strings and insert them directly into the SQL query.

[1] A relational database is one in which data is stored in tables with columns and rows.
[2] In this chapter, we use examples written in Java. Note that this example is somewhat simplified; a real application would also record and query for the year the order was placed, and use a normalized database schema.
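As an added example (not code from the book), the concatenating query builder described above is placed beside a hardened version that enforces the integer check the chapter says is missing and passes month to the database as a bound parameter instead of as query text. It uses Python's sqlite3 rather than the chapter's Java, and the orders table and its rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows standing in for the chapter's orders table:
# (userid, pizza, toppings, quantity, order_month, order_day)
ORDERS = [
    (4123, "Diavola", "Tomato, Mozzarella, Pepperoni", 2, 10, 12),
    (4123, "Napoli", "Tomato, Mozzarella, Anchovies", 1, 10, 17),
    (4123, "Margherita", "Tomato, Mozzarella", 1, 9, 3),
    (7777, "Funghi", "Tomato, Mozzarella, Mushrooms", 3, 10, 5),
]


def make_db():
    """Build an in-memory database with the constructed orders table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (userid INTEGER, pizza TEXT, toppings TEXT, "
                "quantity INTEGER, order_month INTEGER, order_day INTEGER)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", ORDERS)
    return con


def build_query_unsafe(userid, month):
    """Mirror the chapter's string concatenation: whatever the month
    parameter contains is pasted into the SQL text unchanged."""
    return ("SELECT pizza, toppings, quantity, order_day FROM orders "
            "WHERE userid=" + str(userid) + " AND order_month=" + month)


def show_orders_safe(con, userid, month):
    """Hardened version: reject anything that is not a month number 1..12,
    then bind the value as a parameter so it can only ever be data."""
    if not re.fullmatch(r"\d{1,2}", month) or not 1 <= int(month) <= 12:
        raise ValueError("month must be an integer between 1 and 12")
    rows = con.execute(
        "SELECT pizza, toppings, quantity, order_day FROM orders "
        "WHERE userid=? AND order_month=? ORDER BY order_day",
        (userid, int(month)))
    return rows.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(4123, "10"))      # the chapter's query text
    print(build_query_unsafe(4123, "10 xyz"))  # non-integer input goes in verbatim
    print(show_orders_safe(db, 4123, "10"))    # Diavola and Napoli rows
```

Run stand-alone, the second print shows that the unsafe builder embeds a non-integer month verbatim, while show_orders_safe raises ValueError for the same input.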