SlideShare une entreprise Scribd logo

Vulnerable Active Record: A tale of SQL Injection in PHP Framework

P
Pichaya Morimoto

Event: Thailand PHP User Group 1/2015 Date: January 29, 2015 3 minutes session

Technologie
1  sur  13
Télécharger pour lire hors ligne
Vulnerable Active Record A tale of SQL Injection in PHP Framework pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto Thailand PHP User Group Meetup January 28, 2015
★ What is Active Record ? ★ Secure by Design ? ★ Case Studies ★ Exploitation ★ Input Validation ★ Defence-in-Depth ★ Conclusion Overview
Active record pattern is an approach to accessing data in a database. A database table or view is wrapped into a class. Thus, an object instance is tied to row(s) in the table. PHP frameworks also bundle their own ORM implementing the active record pattern. For example, Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii. $query = $this->db->select('title, content, date'); $query->from('table1'); $query->where('id', $id); $query->get(); Source: https://en.wikipedia.org/wiki/Active_record_pattern What is Active Record ?
Secure by Design ? That’s Magic !
Case Study #1 Get rows from table ‘news’ and order by user input ‘sort’ PHP Framework: CodeIgniter 2.2
Hacker is here, where is SQLi ? SQLMap == Failed Acunetix == Failed Havij == Failed ‘ or ‘1’=’1 , union all select blah blah blah == Failed
SQL Injection Pwnage Pwned ! What if error message is turned off, is it still vulnerable? Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
Stand back I know secure coding! No more SQL Injection with Type Validation !
Case Study #2 Secure Coding !!
Keep calm and Think Again Numeric = [Integer, Double, Hex, ...] id value above is hex encoded of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws (0x3a,username,password) from ci220news_db” + data field is varchar type ***
A list of security techniques that should be included in every software development project. ★ Parameterize Queries ★ Implement Logging, Error Handling and Intrusion Detection ★ Leverage Security Features of Frameworks and Security Libraries and more.. https://www.owasp.org /index.php/OWASP_Proactive_Controls OWASP Proactive Controls ProTip: PHP is not allowed to parameterize ‘Order By’ clause ;) Because it isn’t data, it is a column name!
A layered approach to security can be implemented at any level of a complete information security strategy. ★ Secure Coding in software requirement ★ OS Hardening, reduce attack surface ★ Perimeter Security (Network Firewall, IPS/IDS) ★ Centralized Log Server / SIEM ★ Patch / Vulnerability Management System ★ Incident Response Plans ★ Web Application Firewall Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ Defence-in-Depth
Security Today !== Security Tomorrow Conclusion http://framework.zend.com/security/advisory/ZF2014-04 http://bakery.cakephp. org/articles/markstory/2013/04/28/security_release_- _cakephp_1_2_12_1_3_16_2_2_8_and_2_3_4

Recommandé

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
SQL Injections and Behind...
SQL Injections and Behind...SQL Injections and Behind...
SQL Injections and Behind...
arjunguptam
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
Web Security attacks and defense
Web Security attacks and defenseWeb Security attacks and defense
Web Security attacks and defense
Jose Mato
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
Akash Mahajan
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
Public Broadcasting Service
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
Mike Crabb
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 

Recommandé

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
SQL Injections and Behind...
SQL Injections and Behind...SQL Injections and Behind...
SQL Injections and Behind...
arjunguptam
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
Web Security attacks and defense
Web Security attacks and defenseWeb Security attacks and defense
Web Security attacks and defense
Jose Mato
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
Akash Mahajan
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
Public Broadcasting Service
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
Mike Crabb
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
ijtsrd
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
Md Syed Ahamad
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
Dmitry Evteev
 
Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!
ralphmigcute
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
Michael Coates
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 
C days2015
C days2015C days2015
C days2015
Nuno Loureiro
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
Paul Ionescu
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
amiable_indian
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
Magno Logan
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
Jawhar Ali
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
Cade Zvavanjanja
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
Nuno Loureiro
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Pichaya Morimoto
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
avishkarm
 

Contenu connexe

Tendances

SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
ijtsrd
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
Dmitry Evteev
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
Michael Coates
 

Tendances (20)

Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-SiteSQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
Secure code
Secure codeSecure code
Secure code
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
C days2015
C days2015C days2015
C days2015
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 

En vedette

XAJA - Reverse AJAX framework
XAJA - Reverse AJAX frameworkXAJA - Reverse AJAX framework
XAJA - Reverse AJAX framework
Sri Prasanna
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
Nitish Kumar
 
Sql injection attack_analysis_py_vo
Sql injection attack_analysis_py_voSql injection attack_analysis_py_vo
Sql injection attack_analysis_py_vo
Jirka Vejrazka
 

En vedette (20)

Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Sql injection
Sql injectionSql injection
Sql injection
 
Extjs presentation
Extjs presentationExtjs presentation
Extjs presentation
 
CodeIgniter i18n Security Flaw
CodeIgniter i18n Security FlawCodeIgniter i18n Security Flaw
CodeIgniter i18n Security Flaw
 
XAJA - Reverse AJAX framework
XAJA - Reverse AJAX frameworkXAJA - Reverse AJAX framework
XAJA - Reverse AJAX framework
 
Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101
 
From Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesFrom Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutes
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
PHP Frameworks, or how I learnt to stop worrying and love the code
PHP Frameworks, or how I learnt to stop worrying and love the codePHP Frameworks, or how I learnt to stop worrying and love the code
PHP Frameworks, or how I learnt to stop worrying and love the code
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Exploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesExploiting Blind Vulnerabilities
Exploiting Blind Vulnerabilities
 
Lithium: The Framework for People Who Hate Frameworks
Lithium: The Framework for People Who Hate FrameworksLithium: The Framework for People Who Hate Frameworks
Lithium: The Framework for People Who Hate Frameworks
 
How to scale PHP applications
How to scale PHP applicationsHow to scale PHP applications
How to scale PHP applications
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Sql injection attack_analysis_py_vo
Sql injection attack_analysis_py_voSql injection attack_analysis_py_vo
Sql injection attack_analysis_py_vo
 
Metasearch Outlook 2017
Metasearch Outlook 2017Metasearch Outlook 2017
Metasearch Outlook 2017
 

Similaire à Vulnerable Active Record: A tale of SQL Injection in PHP Framework

DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
Coverity
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
DevOps.com
 
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Source Conference
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
Chris Gates
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 

Similaire à Vulnerable Active Record: A tale of SQL Injection in PHP Framework (20)

Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
 
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Why haven't we stamped out SQL injection and XSS yet
Why haven't we stamped out SQL injection and XSS yetWhy haven't we stamped out SQL injection and XSS yet
Why haven't we stamped out SQL injection and XSS yet
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
 

Plus de Pichaya Morimoto

Plus de Pichaya Morimoto (8)

ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
 
Securing and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationSecuring and Hacking LINE OA Integration
Securing and Hacking LINE OA Integration
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Mysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsMysterious Crypto in Android Biometrics
Mysterious Crypto in Android Biometrics
 
Web Hacking with Object Deserialization
Web Hacking with Object DeserializationWeb Hacking with Object Deserialization
Web Hacking with Object Deserialization
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration Testing
 
Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ
 
Pentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research Laboratory
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Vulnerable Active Record: A tale of SQL Injection in PHP Framework

  • 1. Vulnerable Active Record A tale of SQL Injection in PHP Framework pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto Thailand PHP User Group Meetup January 28, 2015
  • 2. ★ What is Active Record ? ★ Secure by Design ? ★ Case Studies ★ Exploitation ★ Input Validation ★ Defence-in-Depth ★ Conclusion Overview
  • 3. Active record pattern is an approach to accessing data in a database. A database table or view is wrapped into a class. Thus, an object instance is tied to row(s) in the table. PHP frameworks also bundle their own ORM implementing the active record pattern. For example, Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii. $query = $this->db->select('title, content, date'); $query->from('table1'); $query->where('id', $id); $query->get(); Source: https://en.wikipedia.org/wiki/Active_record_pattern What is Active Record ?
  • 4. Secure by Design ? That’s Magic !
  • 5. Case Study #1 Get rows from table ‘news’ and order by user input ‘sort’ PHP Framework: CodeIgniter 2.2
  • 6. Hacker is here, where is SQLi ? SQLMap == Failed Acunetix == Failed Havij == Failed ‘ or ‘1’=’1 , union all select blah blah blah == Failed
  • 7. SQL Injection Pwnage Pwned ! What if error message is turned off, is it still vulnerable? Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
  • 8. Stand back I know secure coding! No more SQL Injection with Type Validation !
  • 10. Keep calm and Think Again Numeric = [Integer, Double, Hex, ...] id value above is hex encoded of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws (0x3a,username,password) from ci220news_db” + data field is varchar type ***
  • 11. A list of security techniques that should be included in every software development project. ★ Parameterize Queries ★ Implement Logging, Error Handling and Intrusion Detection ★ Leverage Security Features of Frameworks and Security Libraries and more.. https://www.owasp.org /index.php/OWASP_Proactive_Controls OWASP Proactive Controls ProTip: PHP is not allowed to parameterize ‘Order By’ clause ;) Because it isn’t data, it is a column name!
  • 12. A layered approach to security can be implemented at any level of a complete information security strategy. ★ Secure Coding in software requirement ★ OS Hardening, reduce attack surface ★ Perimeter Security (Network Firewall, IPS/IDS) ★ Centralized Log Server / SIEM ★ Patch / Vulnerability Management System ★ Incident Response Plans ★ Web Application Firewall Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ Defence-in-Depth