This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Backend Security Project PHP Preventing SQL Injection"

From OWASP
Jump to: navigation, search
(Examples)
 
(12 intermediate revisions by one other user not shown)
Line 70: Line 70:
 
?></nowiki>
 
?></nowiki>
  
 +
== Online Catalog ==
  
=== Source Code Exposure ===
+
Let take another example: an Online Book Store:
  
As you can see ''login.php'' include ''db.inc'' to use ''iMysqlConnect'' whose aims is to
+
[[Image:Owasp_bsp_php_3.jpg]]
return a resource link to backend MySQL engine. Since ''.inc'' files are not rendered
 
by WEB Server through the ''PHP Module'' an evil user may retrieve it's content as shown
 
in the following images:
 
  
[[Image:Owasp_bsp_php_2.jpg]]
 
  
  
=== Authentication Bypass ===
 
  
 +
'''catalog.php:'''
  
On our examples user credentials are passed to ''login.php'' wich in turns call the following
+
  <nowiki>
PHP function:
+
function aGetBookEntry($id) {
+
   $aBookEntry = NULL;
+
   $link = iMysqlConnect();
<nowiki>
 
function sAuthenticateUser($username, $password){
 
   $authenticatedUserName="";
 
   if ($link = iMysqlConnect()) {
 
  
    $query = "SELECT username FROM users";
+
  $query = "SELECT * FROM books WHERE id = $id";
    $query .=                " WHERE username = '".$username."'";
+
   $result = mysql_query($query);
    $query .=                " AND   password = md5('".$password."')";
 
    $result = mysql_query($query);
 
  
    if ($result) {
+
  if ($result) {
      if ($row = mysql_fetch_row($result)) {
+
    if ($row = mysql_fetch_array($result)) {
       $authenticatedUserName = $row[0];
+
       $aBookEntry = $row;
      }
 
 
     }
 
     }
 
   }
 
   }
  
   return $authenticatedUserName;
+
   return $aBookEntry;
  
 
}
 
}
</nowiki>
 
 
When user ''larry'' authenticate the following SQL Query it's executed:
 
* SELECT username FROM users WHERE username='larry' AND password=md5('larry')
 
 
Breaking such an authentication schema is quite simple, since we need to :
 
 
* truncate backend authentication query
 
* injection a boolean expression to override WHERE clausole
 
 
 
* On MySQL ''#'' is used as a comment character then whatever follows is discarderd from the engine.
 
* Since our WHERE clausole is something like ''expr AND expr'' we can override it by adding an identity expresssion (E.g.: OR 1=1)
 
 
 
It follows that authentication can be bypassed by supplying the following credentials:
 
* username: ''' OR 1=1#''
 
* password: ''password''
 
 
* username: ''username''
 
* password: ''') OR 1=1 #''
 
 
 
=== User Enumeration ===
 
 
We learned on previous section that an evil user can bypass authentication schema by supplying
 
the following credentials:
 
 
* username: '''OR 1=1#''
 
* password: ''password''
 
 
Let'say again what does ''sAuthenticateUser'' performs:
 
  
<nowiki>
 
function sAuthenticateUser($username, $password){
 
  $authenticatedUserName="";
 
  if ($link = iMysqlConnect()) {
 
  
    $query  = "SELECT username FROM users";
+
$id = $_GET['id'];
    $query .=                " WHERE username = '".$username."'";
+
$aBookEntry = aGetBookEntry($id);
    $query .=                " AND  password = md5('".$password."')";
 
    $result = mysql_query($query);
 
  
    if ($result) {
+
showBook($aBookEntry);
      if ($row = mysql_fetch_row($result)) {
 
      $authenticatedUserName =  $row[0];
 
      }
 
    }
 
  }
 
 
 
  return $authenticatedUserName;
 
 
 
}
 
 
</nowiki>
 
</nowiki>
  
 +
Basicaly it retrieves ''id'' parameter on GET query string and perform the following SQL query:
 +
* ''SELECT * FROM book WHERE id = $_GET['id']''
  
As you can see $query will contains the following SQL statement:
+
As in ''Login Form'' no input validation is performed and SQL Query can be manipulated to returns
* SELECT username FROM users WHERE username = '' OR 1=1#' AND  password = md5('password')
+
arbitrary data and DBMS stored relations/records/functions as well.
  
wich in turns will be executed in:
+
= Application Security strategies =
  
<nowiki>
+
== Hiding DBMS connection strings ==
  $result = mysql_query($query); 
 
</nowiki>
 
  
By adding a ''LIMIT'' operator after the ''OR'' clausole we can index every valid user with the following
+
== Single Quotes Escape ==
queries:
 
  
* SELECT username FROM users WHERE username = '' OR 1=1 LIMIT 0,1
+
== Prepared Statement ==
* SELECT username FROM users WHERE username = '' OR 1=1 LIMIT 1,1
 
* SELECT username FROM users WHERE username = '' OR 1=1 LIMIT 2,1
 
* ''.... and so on''
 
  
We can accomplish the above task by supplying the following ''username/password'' pairs:
+
== Data Validation ==
* username: ''' OR 1=1 LIMIT 0,1#''
 
* password: ''password''
 
  
 +
== Security in Depth ==
  
* username: ''' OR 1=1 LIMIT 1,1#''
+
= Examples Revisited =
* password: ''password''
 
 
 
 
 
* username: ''' OR 1=1 LIMIT 2,1#''
 
* password: ''password''
 
 
 
  
 +
== Login Form ==
  
 
== Online Catalog ==
 
== Online Catalog ==
  
== Message Board ==
+
= Defeating Automated Tools =
 
 
= Application Security strategies =
 
 
 
== Hiding DBMS connection strings ==
 
 
 
== Prepared Statement ==
 
  
== Data Validation ==
+
= References =
  
== Security in Depth ==
+
= Tools =
 
 
= Defeating Automated Tools =
 

Latest revision as of 08:41, 19 May 2008

Examples

To better understand how to secure code a PHP application some examples of vulnerable code is provided in this paragraph.

Login Form

On this example we're going to see a tipical Login Form. On our example WEB SITE user need to supply a username/password pair in order to be authenticated.


Here follows the authentcation form:

Owasp bsp php 1.jpg

Such a login page well call login.php with supplied user credentials. 

 
<?php
include('./db.inc');

function sAuthenticateUser($username, $password){
  $authenticatedUserName="";
  if ($link = iMysqlConnect()) {

    $query  = "SELECT username FROM users";
    $query .=                " WHERE username = '".$username."'";
    $query .=                " AND   password = md5('".$password."')";
    $result = mysql_query($query);

    if ($result) {
      if ($row = mysql_fetch_row($result)) {
	$authenticatedUserName =  $row[0];
      }
    }
  }

  return $authenticatedUserName;

}

if ($sUserName = sAuthenticateUser($_POST["username"], 
				   $_POST["password"])) {
  echo "Wellcome ".$sUserName;
 } else {
  die('Unauthorized Access');
 }

?>

db.inc: 

 

<?php

define('DB_HOST',     "localhost");
define('DB_USERNAME', "user");
define('DB_PASSWORD', "password");
define('DB_DATABASE', "owasp");


function iMysqlConnect(){
  $link = mysql_connect(DB_HOST,
  	  DB_USERNAME,
			DB_PASSWORD);

  if ($link && mysql_select_db(DB_DATABASE))
    return $link;
  return FALSE;
}

?>

Online Catalog

Let take another example: an Online Book Store:

Owasp bsp php 3.jpg



catalog.php: 

 
function aGetBookEntry($id) {
  $aBookEntry = NULL;
  $link = iMysqlConnect();

  $query = "SELECT * FROM books WHERE id = $id";
  $result = mysql_query($query);

  if ($result) {
    if ($row = mysql_fetch_array($result)) {
      $aBookEntry = $row;
    }
  }

  return $aBookEntry;

}


$id = $_GET['id'];
$aBookEntry = aGetBookEntry($id);

showBook($aBookEntry);

Basicaly it retrieves id parameter on GET query string and perform the following SQL query:

  • SELECT * FROM book WHERE id = $_GET['id']

As in Login Form no input validation is performed and SQL Query can be manipulated to returns arbitrary data and DBMS stored relations/records/functions as well.

Application Security strategies

Hiding DBMS connection strings

Single Quotes Escape

Prepared Statement

Data Validation

Security in Depth

Examples Revisited

Login Form

Online Catalog

Defeating Automated Tools

References

Tools

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Backend_Security_Project_PHP_Preventing_SQL_Injection&oldid=29516"