Avoiding Hacker Attacks


2

Objectives

You will be able to avoid certain hacker attacks and crashes due to bad inputs from users.

Getting Started

http://www.cse.usf.edu/~turnerr/Software_Systems_Development/Downloads/2011_04_14_More_Hacker_Attacks/

File: Alt_Databound_Combo_Box_for_Hacker_Attacks.zip

3

4

SQL Injection Attacks: An Even More Insidious Threat

Potentially lets the hacker execute any SQL command: take over your database, destroy your data, or, worse, steal it without your knowing.

5

How to Invite SQL Injection Attacks

Accept text input from the user and make it a part of a SQL command.

Suppose we provide a TextBox for the user to enter a search term.

The program retrieves information about all products with that search term in their ProductName.

6

Add New Product_Info Form

7

TextBox for Search Term

8

How to Search with SQL

The SQL "LIKE" operator permits us to search for a text string containing a specified search target.

Two wildcard characters:
  Percent sign (%) matches any number of characters in a string, including none.
  Underscore (_) matches exactly one character.

9

How to Search with SQL

SELECT * FROM Products WHERE ProductName LIKE '%Tofu%'

The string '%Tofu%' matches any ProductName that contains "Tofu".

11

Product_Info.cs

using System;
using System.Collections.Generic;
using System.Windows.Forms;

namespace Alt_Databound_Combo_Box
{
    public partial class Product_Info : Form
    {
        String Username;
        String Password;
        List<Product> product_list;

        public Product_Info(String Username_, String Password_)
        {
            InitializeComponent();
            Username = Username_;
            Password = Password_;
        }

12

Product_Info.cs

private void btnGetProductInfo_Click(object sender, EventArgs e)
{
    String Search_Term = tbSearchTerm.Text;

    product_list = Products.Get_Products(Username, Password, Search_Term);

    if (product_list.Count > 0)
    {
        foreach (Product p in product_list)
        {
            MessageBox.Show(p.Product_name);
        }
    }
    else
    {
        MessageBox.Show("No product found");
    }
    tbSearchTerm.Text = "";
}

13

Reuse Some Code

http://www.cse.usf.edu/~turnerr/Software_Systems_Development/Downloads/2010_10_26_Product_Browser/

Copy Product.cs and Products.cs into the project folder.

Add them to the project.

14

Implement the Search

Modify Get_Products to produce a new version that gets products with ProductName containing a specified search term.

15

Products.cs

public static List<Product> Get_Products(String Username, String Password, String Search_Term)
{
    SqlDataReader rdr;
    SqlConnection cn;
    List<Product> Product_List = new List<Product>();
    cn = Setup_Connection(Username, Password);
    rdr = Get_SqlDataReader(cn, Search_Term);

    while (rdr.Read())
    {
        Product p = new Product(rdr);
        Product_List.Add(p);
    }
    rdr.Close();
    cn.Close();
    return Product_List;
}

16

Products.cs

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();
    // The user's search term is spliced directly into the SQL text (this is the version that invites injection).
    cmd.CommandText = "SELECT * FROM Products " +
                      " WHERE ProductName LIKE '%" + Search_Term + "%'";
    cmd.Connection = conn;
    return cmd.ExecuteReader();
}

17

Update Login Form

private void btnLogIn_Click(object sender, EventArgs e)
{
    // Reject login input that contains a semicolon.
    if ((tbUserName.Text.IndexOf(';') >= 0) || (tbPassword.Text.IndexOf(';') >= 0))
    {
        MessageBox.Show("Invalid input");
        return;
    }

    Product_Info pi = new Product_Info(tbUserName.Text, tbPassword.Text);
    this.Hide();
    pi.ShowDialog();
    this.Close();
}

18

Program Used as Intended

19

An Innocent Error

20

Crash!

21

Program Subverted

22

Another Subversion

...

Getting All Products

23

Defense

To foil this attack, and prevent crashes from bad inputs, replace each single quote with a pair of single quotes.

The server replaces each pair of single quotes with one single quote and treats that single quote as part of the string rather than as a delimiter. This is the only way to include a single quote character in a text string in a SQL query.

24

Escape Single Quotes

In Products.cs:

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();

    // Double each single quote so the server treats it as data, not as a string delimiter.
    Search_Term = Search_Term.Replace("'", "''");

    cmd.CommandText = "SELECT * FROM Products " +
                      " WHERE ProductName LIKE '%" + Search_Term + "%'";
    cmd.Connection = conn;
    return cmd.ExecuteReader();
}

25

Attempted Subversion

26

Search Term with Apostrophe

27

Other Defensive Measures

Use the MaxLength property of TextBox to limit how many characters a user can enter.

For numeric input, parse the input and convert the resulting numeric value back into a string to splice into the command.

On exceptions, provide only a generic error message. The actual error message from the exception might provide useful information to a hacker.

Use parameterized commands or stored procedures.

End of Section

28

Parameterized Command

A command string that uses placeholders in the SQL text. The placeholders are replaced by dynamically supplied values at run time, using the Parameters collection of the command object. Specific to ADO.NET.

The command object checks the parameter value for attempted SQL injection attacks.

29

Parameterized Command Example

Rather than

SELECT * FROM Customers WHERE CustomerID = 'ALFKI'

where ALFKI was read from a TextBox, write

SELECT * FROM Customers WHERE CustomerID = @CustID

@CustID will be replaced by a string containing a real customer ID at run time.

Note: No quotes around @CustID.

30

Using a Parameterized Command

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();

    // No longer needed: the parameter value is never part of the SQL text.
    //Search_Term = Search_Term.Replace("'", "''");

    cmd.CommandText = "SELECT * FROM Products" +
                      " WHERE ProductName LIKE @Parm1";

    cmd.Parameters.AddWithValue("@Parm1", "%" + Search_Term + "%");

    cmd.Connection = conn;
    return cmd.ExecuteReader();
}

31

Attempted Subversion

32

Term with Apostrophe

33

Blank Entry

Everything matches!

34

Blank Entry

If we don't want the user to be able to ask for all products, we have to check for a zero-length string in the TextBox.

private void btnGetProductInfo_Click(object sender, EventArgs e)
{
    String Search_Term = tbSearchTerm.Text;

    if (Search_Term.Length == 0)
    {
        MessageBox.Show("No search term entered");
        return;
    }
    ...
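The three versions of the search above (spliced-in term, doubled quotes, parameter placeholder) and the blank-entry behaviour, as an added example that is not part of the original slides. It uses Python's sqlite3 in place of ADO.NET and SQL Server (an assumption: the quote-doubling and LIKE semantics are the same, but the placeholder is written ? instead of @Parm1), with a constructed five-row Products table.

```python
import sqlite3

# Constructed sample rows standing in for the Northwind Products table.
PRODUCTS = [(1, "Tofu"), (2, "Longlife Tofu"), (3, "Chef Anton's Gumbo Mix"),
            (4, "Pavlova"), (5, "100% Cocoa Bar")]

def open_db():
    # In-memory SQLite database (assumption: SQLite stands in for SQL Server).
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE Products (ProductID INTEGER, ProductName TEXT)")
    cn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return cn

def search_concat(cn, term):
    # Original pattern: the search term is spliced straight into the SQL text.
    # An apostrophe in the term ends the string literal early, the server
    # rejects the malformed statement, and the program crashes. Returns None then.
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE '%" + term + "%'"
    try:
        return [row[0] for row in cn.execute(sql)]
    except sqlite3.OperationalError:
        return None

def search_escaped(cn, term):
    # "Escape Single Quotes" defense: double each quote so it is data, not a delimiter.
    sql = ("SELECT ProductName FROM Products WHERE ProductName LIKE '%"
           + term.replace("'", "''") + "%'")
    return [row[0] for row in cn.execute(sql)]

def search_param(cn, term, literal_wildcards=False):
    # "Parameterized Command" defense: placeholder in the SQL text, value passed separately.
    if literal_wildcards:
        # Even as a parameter, % and _ inside the value are still LIKE wildcards
        # (a blank or "%" entry matches everything). Escape them so a % or _
        # typed by the user matches only that literal character.
        # On SQL Server, "[" is a further LIKE wildcard and needs escaping too.
        term = (term.replace("\\", "\\\\").replace("%", "\\%")
                    .replace("_", "\\_"))
        sql = "SELECT ProductName FROM Products WHERE ProductName LIKE ? ESCAPE '\\'"
    else:
        sql = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    return [row[0] for row in cn.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = open_db()
    for t in ["Tofu", "Anton's", "%", ""]:
        print(repr(t), search_concat(db, t), search_escaped(db, t),
              search_param(db, t), search_param(db, t, literal_wildcards=True))
```

The blank-entry check belongs in the form, as the slide shows; the wildcard escaping only matters once you also want a user-typed % or _ to stop meaning "match anything".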

35

Blank Entry

End of Section

36

Stored Procedures

We can store SQL commands in the database and execute them from there.

A safer alternative to constructing SQL commands and executing them.

Visual Studio and ADO.NET provide support for this.

37

Stored Procedures

The Northwind Traders database has a lot of stored procedures.

Click on the + beside Stored Procedures in Server Explorer to expand the section.

38

Northwind Stored Procedures

39

Northwind Stored Procedures

40

Northwind Stored Procedures

We can execute these stored procedures from the Server Explorer. Right click on a stored procedure and select Execute.

41

Executing a Stored Procedure

42

Executing a Stored Procedure

43

Results

44

Viewing a Stored Procedure

To view the stored procedure right click on the procedure and select Open.

45

Viewing a Stored Procedure

46

Viewing a Stored Procedure

47

Adding a Stored Procedure

To add a new stored procedure from the Server Explorer, right click on Stored Procedures and select Add New Stored Procedure.

Note that the new stored procedure will be a part of the database. It stays there until you delete it.

48

Adding a Stored Procedure

49

Adding a Stored Procedure

50

Adding a Stored Procedure

51

Saving the New Stored Procedure

Click the Save icon to save the new stored procedure.

52

Executing the Stored Procedure

Visual Studio changes "CREATE" to "ALTER".

We can now execute the procedure from the Server Explorer.

53

Executing the Stored Procedure

54

Supplying the Parameter Value

55

Results from the Execution

Results

56

Executing a Stored Procedure from C#

We can execute a stored procedure from within our program.

In Products.cs add:

using System.Data;

57

Executing a Stored Procedure Programmatically

private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term)
{
    SqlCommand cmd = new SqlCommand();

    // Call the stored procedure by name instead of sending SQL text.
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.CommandText = "Product_Search";

    cmd.Parameters.AddWithValue("@Param1", "%" + Search_Term + "%");

    cmd.Connection = conn;
    return cmd.ExecuteReader();
}

58

Program in Action

End of Presentation
