SQL Smuggling
The Attack That Wasn’t There
Avi Douglen
Senior AppSec Consultant
Comsec Global
[email protected]
OWASP Israel 2007, December 3rd
Based on http://www.ComsecGlobal.com/Research/SQL_Smuggling.pdf
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
SQL Injection Revisited
Classic Smuggling
Introducing SQL Smuggling
Common SQL Smuggling
Unicode Smuggling
Applicability
Recommendations and Conclusions
SQL Injection Revisited
SQL Injection Basics
Well known attack against DB
Main cause: Lack of data validation
Causes input to “break out” of query
Most often based on special characters
E.g. Quote (‘) to terminate strings
Rest of string seen as SQL commands
Prevention Mechanisms
Data validation
Stored Procedures
Parameterized queries
Command / Parameter objects
Strongly typed API
Least Privilege
Data Validation
Best to limit input to specific format
E.g. 9 digits for Id
Email address
Etc.
Can use Regular Expressions
But not always possible
Sometimes need to accept free text
E.g. comments, forums, etc.
Parent Injection – Exploits of a Mom
Data Validation
Ensure parameter types
E.g. numeric fields must be numeric
Size
Range
E.g. 0 < age < 120
Escape special characters
E.g. Quotes
Block SQL keywords
E.g. UNION SELECT, INSERT etc.
Data Validation
Best Practice: Whitelist allowed patterns
Don’t Blacklist blocked patterns/characters
Never complete
Hard to maintain
May affect performance…
Blacklist not best – but can block attacks
Assuming specific attack was defined
BUT…. Does it work??
Classic Smuggling
The Beerbelly…
General Smuggling Attacks
Based on sneaking data where prohibited
Smuggling avoids detection or prevention
Even against mechanisms that look for it
Bad data looks good
Malicious data does not yet exist
At least not in context of validation
Cannot be detected with standard checks
By definition
HTTP Request Smuggling
Discovered by Amit Klein et al. in 2005
Based on discrepancies in parsing HTTP
Differences in handling malformed requests
Attacker can bypass protection mechanisms
Causes devices to “see” different requests
Usually not detected by IDS/IPS, WAF …
Introducing SQL Smuggling
http://www.ComsecGlobal.com/Research/SQL_Smuggling.pdf
Definition
SQL Injection that evades detection
Even when searched for
Exploits differences of interpretation
Attack does not exist in validation context
Accepted by DB server as valid
Characteristics
Malicious strings not present
Cannot be found by validation
WAF and IDS/IPS mostly do not help
Application checks do not work
Evades Blacklists
May be mitigated by architecture / design
Common SQL Smuggling
Platform-Specific Syntax
Non-standard extensions to ANSI SQL
Might not be recognized by validations
E.g. MySQL backslash (“\”) escaping
Simply doubling quotes doesn’t work:
“\’” translates to “\’’”
MySQL sees: “\’” (an escaped quote) followed by “’” (the end of the string)
E.g. Who blocks [MS-SQL] OPENROWSET?
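As an added example (not from the original slides), a small scanner that reads a single-quoted literal the way MySQL does by default, showing why quote-doubling leaves a backslash-quote able to end the string, while escaping the backslash as well keeps the literal closed. The query shape and the inputs are constructed for the demo.

```python
from typing import Callable, Optional

def double_quotes(value: str) -> str:
    # The ANSI-style escaping many validators apply: ' becomes ''.
    return value.replace("'", "''")

def mysql_escape(value: str) -> str:
    # Escape the backslash first, then the quote, so a backslash in the
    # input can no longer pair with the quote that follows it.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def literal_end(sql: str, start: int) -> Optional[int]:
    """Scan a single-quoted literal opening at sql[start] the way MySQL does
    by default: backslash escapes AND doubled quotes are both honoured.
    Returns the index just past the closing quote, or None if it never closes.
    Assumption: default sql_mode, i.e. NO_BACKSLASH_ESCAPES is not set."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":                  # backslash escapes the next char
            i += 2
        elif sql[i] == "'":
            if sql[i + 1:i + 2] == "'":     # '' is a literal quote character
                i += 2
            else:
                return i + 1                # the real closing quote
        else:
            i += 1
    return None

TAIL = "' AND active = 1"

def build_query(escaped: str) -> str:
    # Dynamic SQL built by string concatenation, as on the slides.
    return "SELECT * FROM users WHERE name = '" + escaped + TAIL

def breaks_out(value: str, escaper: Callable[[str], str]) -> bool:
    """True when, after escaping, the literal does not end exactly at the
    quote the developer wrote: the input has changed the query's shape."""
    sql = build_query(escaper(value))
    end = literal_end(sql, sql.index("'"))
    return end is None or sql[end - 1:] != TAIL

if __name__ == "__main__":
    for value in ["O'Brien", "\\'; trailing", "trailing\\"]:  # constructed
        print(repr(value), "doubled:", breaks_out(value, double_quotes),
              "mysql_escape:", breaks_out(value, mysql_escape))
```

A trailing backslash on its own is enough to swallow the closing quote under quote-doubling, which is why validation that only knows ANSI SQL misses it.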
Signature Evasion
Many validations search for known strings
E.g. INSERT, DELETE, UNION SELECT, etc.
Numerous ways to evade patterns
Innovative use of whitespace
Inline comments (using /*…*/)
Different encodings
Dynamic concatenation/execution of strings
E.g. CHAR() or "EXEC ('INS' + 'ERT INTO…')"
Unicode Smuggling
Homoglyphs
Many Unicode characters “look like” others
E.g. Ā (U+0100) is similar to A (U+0041)
Stronger homoglyphs look identical
Visually misleading
Can be dependent on font
Usually mentioned as user-misdirection
Referred to in context of IDNs
Character Set Support
Servers can support translation from Unicode to localized character sets
Local charsets do not contain all Unicode
E.g. Ā not in Windows-1255
E.g. א (U+05D0) not in latin1
So what happens?
Homoglyphic Transformation
If a character is “forced” to local charset:
Error
Character is dropped
Automatic translation
Translation occurs if similar character exists
Based on “best fit” heuristic
E.g. Ā is forced to A
But Ā is not A!
Exploit Scenario
Attacker sends U+02BC
Application/WAF search for quote U+0027
Does not exist!
Database “forces” input to local charset
U+02BC becomes a quote (U+0027)… on the database!
Now there’s quote, get some SQL Injection!
Analysis
Characters created by DB
Quote does NOT exist before
Can bypass filters and get a quote to DB
Same with many other characters
Can’t find a quote if it’s not there
Validation CANNOT work!
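Added example, not part of the original slides: it simulates the scenario above with a constructed best-fit table (latin1 as the target charset, as in the earlier slide) and then applies the two mitigations the deck recommends, strict encoding into the database's charset so that untranslatable characters are rejected instead of translated, and a whitelist of known characters. The BEST_FIT table and the sample inputs are assumptions for the demo, not a vendor's real mapping.

```python
import string

# Constructed best-fit table for the demo (an assumption, not a real vendor
# table): what a lossy converter substitutes for a character that has no
# representation in the target 8-bit charset.
BEST_FIT = {
    "\u02bc": "'",   # MODIFIER LETTER APOSTROPHE: the slides' smuggled quote
    "\u0100": "A",   # LATIN CAPITAL A WITH MACRON: the slides' homoglyph
}

def best_fit_encode(text: str, charset: str = "latin-1") -> bytes:
    """Simulate a DB/driver that silently 'best fits' unrepresentable chars."""
    out = bytearray()
    for ch in text:
        try:
            out += ch.encode(charset)
        except UnicodeEncodeError:
            out += BEST_FIT.get(ch, "?").encode(charset)
    return bytes(out)

def blacklist_passes(text: str) -> bool:
    """The check from the slides: reject only if an ASCII quote is present."""
    return "'" not in text

def quote_smuggled(text: str, charset: str = "latin-1") -> bool:
    """True when the blacklist accepts the Unicode input but the bytes the
    database ends up with contain a quote anyway."""
    return blacklist_passes(text) and b"'" in best_fit_encode(text, charset)

def representable(text: str, charset: str = "latin-1") -> bool:
    """Mitigation 1: validate in the charset the DB will store. Strict
    encoding refuses any character that would otherwise be translated, so
    nothing can be 'created' on the database side."""
    try:
        text.encode(charset)          # errors="strict" is the default
        return True
    except UnicodeEncodeError:
        return False

ALLOWED = set(string.ascii_letters + string.digits + " .-_@")

def whitelist_ok(text: str) -> bool:
    """Mitigation 2: whitelist known characters instead of blacklisting."""
    return all(ch in ALLOWED for ch in text)

if __name__ == "__main__":
    for sample in ["\u02bc", "\u0100lice", "Alice"]:   # constructed inputs
        print(repr(sample), quote_smuggled(sample),
              representable(sample), whitelist_ok(sample))
```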
Applicability
So, How Common IS This?
Well, not very…
BUT it does exist
Originally discovered at client
Unicode-based Smuggling
Depends on:
Dynamic SQL concatenation (can be in SP)
Validation based on Blacklists
Unicode forced into local charset
DB support of homoglyphic transformation…
So far:
MS-SQL
MySQL Connect/J (old version)
On The Other Hand…
SQL Smuggling is more common
Aspects exist in most systems
It is likely there are other issues to be discovered
Most blacklists can be penetrated
Recommendations & Conclusion
Recommendations
Context-based validation
Relate to DB attributes
White-list known characters
Avoid any dynamic SQL
Do not translate character sets
See http://www.ComsecGlobal.com/Research/SQL_Smuggling.pdf for more information
Conclusion
Input validation is not always enough
SQL Smuggling can get through
Blacklists don’t work
Besides being inefficient
Best Practices are there for a reason!
Time to look at the DB platform a little more closely…
Thank you!
http://www.ComsecGlobal.com/Research/SQL_Smuggling.pdf
Questions?
[email protected]