SQL Injection and Clickjacking Attack in Web security
Information Security
Web Security
Presented by: Moutasm Tamimi
Information Security
2017
-SQL injection
-Clickjacking attacks
Outline of SQL injection
- Related definitions
- What is SQL injection?
- The history of SQL injection
- SQL injection architecture
- How does SQL injection work?
- Best practices for preventing SQL injection attacks
Outline of Clickjacking Attack
- Frame busting and Clickjacking attacks
- An attacker builds a CJ attack in three steps
- Visualization of a clickjacking attack
- Framebuster
- Breaking the Integrity of display
SQL injection
Important concepts
- SQL (Structured Query Language) is a computer language for storing, manipulating and retrieving data stored in a relational database.
Reference: [1] SQL Tutorial - Simply Easy Learning, tutorialspoint.com
What is SQL injection?
- SQL injection vulnerabilities have been described as one of the most serious threats for Web applications [2, 3]. Web applications that are vulnerable to SQL injection may allow an attacker to gain complete access to their underlying databases.
References:
[2] D. Aucsmith. Creating and Maintaining Software that Resists Malicious Attack. http://www.gtisc.gatech.edu/bio aucsmith.html, September 2004. Distinguished Lecture Series.
[3] The OWASP Foundation. Top Ten Most Critical Web Application Vulnerabilities, 2005. http://www.owasp.org/documentation/topten.html
SQL injection architecture
Reference: [4] Aziah Asmawi, "System Architecture for SQL Injection and Insider Misuse Detection System for DBMS", Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, aziah@fsktm.upm.edu.my, © 2008 IEEE
How does SQL injection work?
1. The application presents a form to the attacker.
2. The attacker sends an attack in the form data.
3. The application forwards the attack to the database in a SQL query.
4. The database runs the query containing the attack and sends encrypted results back to the application.
5. The application decrypts the data as normal and sends the results to the user.
SQL injection practices in web forms
Lookup form fields: Account, SKU
Account Summary (sample data shown on the slide):
Acct: 5424-6066-2134-4334
Acct: 4128-7574-3921-0192
Acct: 5424-9383-2039-4029
Acct: 4128-0004-1234-0293
Query built by the form when the Account field holds the value ' OR 1=1--:
  SELECT * FROM accounts WHERE acct='' OR 1=1--'
Logical code injection analysis
Example
- Server code:
  txtUserId = getRequestString("UserId");
  // user input is concatenated straight into the command text
  txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
- Let UserId = 105; DROP TABLE Suppliers
- Result:
  SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
- The SQL above will return all rows in the Users table, and then delete the table called Suppliers.
The primary way to protect a database: SQL Server and application developers
For both SQL Server and application developers, the primary goal is isolating the SQL command language from user input as much as possible.
Best practices for preventing SQL injection attacks
- Use stored procedures
- Use dynamic SQL only when you can't avoid it
- Use the principle of least access when granting database access
- Use testing and monitoring to guard against SQL injection
Reference: [5] http://searchsqlserver.techtarget.com/tip/Best-practices-for-preventing-a-SQL-injection-attack
Use stored procedures
- When possible, permit applications to interact with the database only through stored procedures.
- Even if the application code is susceptible to SQL injection attacks, those attacks will fail because the application lacks the permissions necessary to access or manipulate the underlying tables directly.
- Plus, stored procedures type-check input parameters, which can help mitigate an attack if an attacker tries to inject a value that violates the parameter's type.
Use dynamic SQL only when you can't avoid it
- Dynamic SQL can greatly increase your risk of SQL injection attacks when the command language is concatenated with user input.
- One way you can help mitigate the risks associated with dynamic SQL is by properly escaping all user input.
- Escaping user-supplied values renders harmless the special characters that can be passed in with that input, such as brackets or single quotes. These characters, when combined with other language elements, can pose a threat to the database when concatenated with the static part of the SQL statement.
- To escape these characters, use the QUOTENAME function as appropriate to handle identifiers and string values.
Example: delimiting a string using double quotes.
  SELECT QUOTENAME('Syntax-Example','"')   -- returns "Syntax-Example"
Complement
- Use the sp_executesql system stored procedure to execute your dynamic SQL, rather than a simple EXECUTE statement.
- By using the sp_executesql stored procedure, you have a way to parameterize the dynamic SQL so the data remains separate from the command language.
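As an added example (not from the slides), the injected account lookup shown on the web-form slide and the parameterized fix that the sp_executesql slide recommends, demonstrated with Python's sqlite3 module against a constructed in-memory accounts table:

```python
import sqlite3

# Constructed sample data, mirroring the "Account Summary" slide.
ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]


def make_db():
    """In-memory SQLite database standing in for the application's DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def build_vulnerable_sql(acct):
    """Step 3 of the slide: form data is concatenated straight into the command text."""
    return "SELECT acct FROM accounts WHERE acct='" + acct + "'"


def lookup_vulnerable(conn, acct):
    # The database cannot distinguish the attacker's quote and '--' comment
    # from the developer's SQL, so the WHERE clause collapses to OR 1=1.
    return [row[0] for row in conn.execute(build_vulnerable_sql(acct))]


def lookup_parameterized(conn, acct):
    """The fix: fixed statement text, the value travels as a bound parameter.

    This is the same separation of data from command language that the slides
    describe for sp_executesql; the driver never parses the value as SQL, so the
    injected string is simply compared against the acct column and matches nothing.
    """
    return [row[0] for row in conn.execute(
        "SELECT acct FROM accounts WHERE acct=?", (acct,))]


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR 1=1--"  # the value shown on the account-form slide
    print(build_vulnerable_sql(injected))
    print("vulnerable   :", len(lookup_vulnerable(conn, injected)), "rows")
    print("parameterized:", len(lookup_parameterized(conn, injected)), "rows")
```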
Use the principle of least access when granting database access
- Every database account should be assigned the least privileges necessary to access the database.
- That is why restricting access to stored procedures can be so effective.
- Ideally, you grant execute access to the procedures and permit no access to anything else.
Use testing and monitoring to guard against SQL injection
- No matter how careful you've been in protecting against SQL injection attacks, you should still run your database code through the necessary checks to make sure it's safe.
- Finally, once the database has gone live, log files and other tracking devices should be used to monitor the database for any indication of SQL injection.
Clickjacking Attack
Frame busting and Clickjacking attacks
- Clickjacking attack: a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on.
- Frame busting: considered the most common defence against the Web framing attacks used for clickjacking; it prevents a site from functioning when loaded inside a frame.
References:
[6] Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, June 7, 2010.
On Detection and Prevention of Clickjacking Attack for OSNs, 2013 11th International Conference on Frontiers of Information Technology, © 2013 IEEE.
[7] https://www.microsoft.com/en-us/research/publication/clickjacking-attacks-and-defenses/
Clickjacking
Jeremiah Grossman and Robert Hansen, 2008
An attacker builds a CJ attack in three steps:
- The attacker creates a Web page (called a displayed page, or DP) including parts that look like the usual clickable objects, such as text hyperlinks or buttons.
- The attacker then creates a malicious page (called a hidden page, or HP) including clickable objects whose position on the page fits perfectly with the previous ones.
- The attacker then displays the DPs on top of the HPs so that visitors to the page might decide to click on the DP's fake hyperlink, thus clicking on a real HP hyperlink, which could be the starting point of an attack on the system.
Reference: [8] Attack Trends. Editors: Marcus Sachs (marcus.sachs@verizon.com), David Ahmad (drma@mac.com)
Visualization of a clickjacking attack
- The victim site is framed in a transparent iframe that is put on top of what appears to be a normal page.
- When users interact with the normal page, they are unwittingly interacting with the victim site.
Reference: [9] Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, June 7,
Framebuster
- A framebuster is a piece of JavaScript code that prevents a web page from being rendered within a frame. There are many variations of framebusters in use on different web sites. As recommended by the OWASP community, the most reliable framebuster is:
  <head>
    <!-- hide the whole document by default; it is only revealed when not framed -->
    <style> body { display: none; } </style>
  </head>
  <body>
    <script>
      if (self == top) {
        // top-level document: reveal the page
        var theBody = document.getElementsByTagName('body')[0];
        theBody.style.display = "block";
      } else {
        // framed: break out of the frame by navigating the top window to this page
        top.location = self.location;
      }
    </script>
  </body>
Breaking the Integrity of display
- Forging the elements: the target element is displayed using CSS properties such as opacity and z-index, layer over layer, so that it overlaps and hides the real elements.
- Using the CSS pointer-events: none property, another element is placed over the target element without intercepting the clicks meant for it.
[Diagram: a click event reaching the Target element layered over the Real element; labels on the slide: z-index: -1, opacity: 0.1, pointer-events: none]
Speaker Information
- Moutasm Tamimi
- Independent Consultant, IT Researcher, CEO at ITG7
- Instructor of: Project Management, DBMS Specialist, .NET Applications, Digital Marketing.
- Email: tamimi@itg7.com