
Page 1: Securing Against SQL Injection Attacks with MariaDB MaxScale

© 2015, MariaDB Corp.

Securing Against SQL Injection Attacks with MariaDB MaxScale

Serge Frezefond, Cloud Solution Architect, MariaDB

@sfrezefond

Page 2

MariaDB: A Deep Bench of Talent

● Nexus of Open Source Database Innovation
● Broad Community Adoption: Linux distros, leading web companies
● Innovative products enhance MariaDB
● Enterprise Subscriptions: documentation, optimized binaries, patches, bug fixes, included upgrades, 24/7 support, certain legal protections, customer portal

● Core MySQL founding team, including Monty Widenius and David Axmark - over 400 years cumulative MySQL Experience.

● Proven Open Source and Cloud management team

Page 3

Leader, Gartner Magic Quadrant for Operational Databases, 2014

● Unusual to debut as a leader!
● Strengths:
○ Functionality
○ Value
○ Community
○ Partners

MariaDB received one of the three highest scores for value for money, as it did for suitability of pricing method. It also received one of the highest scores for "no problems encountered."

-- Gartner

Page 4

Content

● Impact of Data Breaches
● SQL Injection Attacks
● Securing Against SQL Injection
● MariaDB MaxScale
● Improving SQL Injection Security with MaxScale

Page 5

Cost of Data Breaches

Source: Ponemon Institute: 2014 Cost of Data Breach Study: Global Analysis

[Chart: average cost post data breach; average cost of lost business]

Page 6

Type of Data Breaches in Last 10 Years

Source: Verizon: 2015 Data Breach Investigation Report

Leaders:
● Web App Attacks
● POS Intrusions
● Cyber Espionage

Page 7

Open Web Application Security Project (OWASP) Top 10 Security Flaws

1. SQL Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Source: OWASP Top 10 List

Page 8

Recent SQL Injection Attacks

● World Trade: Organization Personal data on 53,000 people

● Magento e-commerce software: 98,000 online merchants at risk

● Mapp.nl: 157,000 email addresses and passwords

● SAP: flaw in medical app allows access to medical records database.

● University of Sydney: Personal details of 5,000 students

● Archos: Personal data for 100,000 people

● Aussie Travel Cover: Personal data for approx. 800,000 people leaked

● Indiana Dept of Education: Drupal SQL injection used to deface site

● Drupal: Drupal v7 based websites vulnerable to attack

● Wordpress security plugin: Potentially 400,000 installations

● Over 400,000 websites: botnet using SQL injection to pull data from sites both large and small

● Wall Street Journal: SQL injection exposed database

● Tesla: Researcher accessed customer records and administrative areas of site

● Johns Hopkins University: Data published on 878 students from biomedical engineering servers

● Tesla: White hat discovered access to all online customer records and admin access

Source: Reported SQL Injection Attacks

Page 9

SQL Injection

Page 10

What is SQL Injection?

A kind of web application attack where user-supplied input coming from:

● URL: www.app.com?id=1
● Forms: [email protected]
● Other elements: e.g. cookie, HTTP headers

is manipulated so that a vulnerable application executes SQL commands injected by the attacker.

Page 11

What Damage Can SQL Injection Cause?

● Unauthorized access to the application
● Access to the whole database / all databases on the server
● Denial of service
● Database modification
● Read / write files on the server's filesystem
● Code execution
● Modern attack techniques are advanced and automated
○ Not only in the WHERE part
○ Found on a daily basis, even in new applications

Page 12

Example: Incorrect Type Handling

● Asking for the customer's ID:
○ http://app.com/show.php?cid=1234
○ SELECT * FROM Customers WHERE customer_id = 1234
○ 1 customer record returned
● The web application is not validating the input parameter type
● Attacker passes a string for the customer id and retrieves all records:
○ http://app.com/show.php?cid=1234 OR 1=1
○ SELECT * FROM Customers WHERE customer_id = 1234 OR 1=1
○ All customer records returned - Data Breach!

Page 13

Example: SQL Injection Prevention Attempt

● SELECT * FROM Customers WHERE customer_id = ? LIMIT 1
● http://app.com/show.php?cid=1234
○ SELECT * FROM Customers WHERE customer_id = 1234 LIMIT 1
○ 1 record returned
● http://app.com/show.php?cid=1234 OR 1=1 --
○ SELECT * FROM Customers WHERE customer_id = 1234 OR 1=1 -- LIMIT 1
○ All customer records returned - Data Breach!

Page 14

More Exploitable Application Flaws

Incorrectly filtered escape characters
● http://app.com/show.php?uname=admin'--&pwd=adpwd
● Intended statement: SELECT * FROM members WHERE username = 'admin' AND password = 'adpwd'
● Executed statement: SELECT * FROM members WHERE username = 'admin'-- ' AND password = 'adpwd' (everything after -- is a comment)

Blind SQL injection
● Results for http://app.com/show.php?id=5 AND 1=1 and results for http://app.com/show.php?id=5 are the same

Second Order SQL Injection
● First, normal SQL: create a record for a user named admin'--
○ INSERT INTO siteusers (username, pwd) VALUES ('admin\'--', 'mypassword')
● Second SQL: update pwd for user admin'--
○ UPDATE siteusers SET pwd = 'cracked' WHERE username = 'admin' -- '

Page 15

Securing Against SQL Injection

Page 16

Coding Practice: Prepared Statements

● Prepared statements
○ Use placeholders for input data
■ PREPARE stmt1 FROM 'SELECT * FROM userinfo WHERE id = ?';
■ SET @a = user-input
■ EXECUTE stmt1 USING @a
○ Do not use placeholders for table names and column names
■ PREPARE stmt1 FROM 'SELECT * FROM ?';
■ PREPARE stmt1 FROM 'SELECT * FROM mytable WHERE ?=100';
■ A table name or column name taken from input can be used to inject "name; DROP * FROM USERS"
○ If column names are needed as a dynamic parameter, whitelist valid column names
■ http://app.com/show.php?&sortorder=name
■ PREPARE stmt1 FROM 'SELECT * FROM mytable ORDER BY ?'
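As an added illustration of the incorrect-type-handling example (pages 12 and 13) and of this page's advice (example code written for this page, not from the deck or from MariaDB): the "prevention attempt" query built by string concatenation sits beside a parameterized version that also checks the input type, plus a whitelisted ORDER BY column. The Customers rows and the sqlite3 in-memory database are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory copy of the slides' Customers table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customers (customer_id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Customers VALUES (?, ?)",
                   [(1234, "alice"), (1235, "bob"), (1236, "carol")])
    return db

DB = make_db()

def lookup_concat(cid):
    """Page 13's prevention attempt: the input is pasted into the SQL text and LIMIT 1 added.
    '1234 OR 1=1 --' turns the LIMIT into a comment and every row comes back."""
    sql = f"SELECT * FROM Customers WHERE customer_id = {cid} LIMIT 1"
    return DB.execute(sql).fetchall()

def lookup_param(cid):
    """Prepared-statement style: the type is checked first, then the value is bound to ?."""
    cid = int(cid)  # raises ValueError for '1234 OR 1=1 --' instead of running it
    return DB.execute(
        "SELECT * FROM Customers WHERE customer_id = ? LIMIT 1", (cid,)).fetchall()

# Column names cannot be bound with ?, so the ?sortorder= value is mapped through a whitelist.
ALLOWED_SORT = {"name": "name", "id": "customer_id"}

def list_customers(sortorder):
    column = ALLOWED_SORT.get(sortorder)
    if column is None:
        raise ValueError(f"sort column not whitelisted: {sortorder!r}")
    return DB.execute(f"SELECT * FROM Customers ORDER BY {column}").fetchall()
```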

Page 17

Coding Practice: Stored Procedures

● Stored procedures
○ Use typed parameters for input data
○ Do not use table names and column names as input or output parameters
■ If needed, then validate the input data against valid values (whitelisting)

Page 18

Coding Practice: Escaping

● Use the mysql_real_escape_string() function to process string input parameters
○ Injected URL: http://app.com/show.php?uname=admin'--&pwd=adminpassword
○ SQL statement:
■ SELECT * FROM members WHERE username = 'admin\'--' AND password = 'adminpassword'
● Limitations
○ \ "swallowed" by a multibyte character
○ Escaping is not enough for numeric input parameters
■ id=1 OR 1=1
○ Does not prevent wildcard injection of '%' with the LIKE operator
○ The database interface of a framework such as Drupal or Wordpress may introduce bugs with vulnerabilities
○ Legacy application code can still have vulnerabilities
○ For hosted database providers, client-developed applications are not under the provider's control

Page 19

Whitelisting

● Whitelist input parameters and queries
○ SELECT * from userinfo where userid = ?
○ If user id is a valid number between 1 and 100, look for values [1,100]
○ If userid is an alphanumeric string, look for values [a-zA-Z0-9]*$
○ Queries that match certain regular expressions
● Limitations
○ For free-form text fields, not easy to map to a subset
■ i.e. an input parameter for the description of an item
○ As the application and database evolve, the whitelist needs to be kept up to date

Page 20

Blacklisting

● Blacklist keywords and queries
○ DROP, DELETE, INSERT, GRANT
○ All SELECT queries with a wildcard in the FROM clause
○ All queries with "1=1" in the WHERE clause
○ Queries that match certain regular expressions
● Limitations
○ DBAs wanting to do valid operations may be blocked from doing them
○ For certain search fields, blacklisted keywords such as DROP ("drop cloth") or GRANT ("The boy named Grant") are actually valid input parameter values

Page 21

How MariaDB MaxScale Can Help

Page 22

MariaDB Enterprise

[Diagram: MariaDB Enterprise = Enterprise Software + Platform Partner Products + Bundled Software & Services + Additional Software & Services. Labels recovered from the figure: MariaDB Enterprise, MariaDB Enterprise Cluster, MariaDB MaxScale (1), MONyog, SQLyog, Customer Portal, Exclusive Content, Management, Backup, High Availability, Patch and Security Notification, Remote DBA, Consulting, Training, Custom Engineering (NRE), 24 x 7 Worldwide Support. (1) Optional: SeveralNines ClusterControl]

Page 23

MariaDB MaxScale: Database Aware Proxy

[Diagram: Client sends simple requests through MaxScale]

● Open source configurable database proxy platform for
○ Scalability
○ Reliability
○ Security
○ Reduced complexity and risk
● Flexible, easy to write plugins for
○ Protocol support
○ Database monitoring
○ Request filters
○ Routing
○ Authentication

Page 24

Filter Plugin

• A filter may block, modify or log a request as it passes through MaxScale
• Filters may be built up into chains
• Filters may duplicate requests

Page 25

MaxScale Database Firewall Filter

● Block queries that match a set of rules
● Block queries matching rules for specified users
● Multiple ordered rules

Page 26

Types of Firewall Filter Rules

● Block all queries that use the wildcard character *

● Block queries that refer to a certain column in result set

● Block queries that match a regular expression

● Block queries with no WHERE clause

● Block queries at certain times of day

● Block certain types of queries (e.g. SELECT, INSERT, DELETE, DROP, GRANT)

● Limit the rate of the queries

Page 27

Examples: Prevent Wholesale Data Access

● http://app.com/show.php?id=5; SELECT * FROM CUSTOMERS;
○ SELECT * FROM CUSTOMER WHERE id = 5; SELECT * FROM CUSTOMERS;
● Rule to prevent select on the customer table
○ rule safe_select deny no_where_clause on_queries select
○ rule safe_customer_select deny regex '.*from.*customers.*'
○ user %app-user@% match all rules safe_customer_select safe_select

Application users cannot select from the customer table if the query has no WHERE clause

Page 28

Examples: Prevent Data Damage

● http://app.com/show.php?id=5; DELETE FROM users
○ SELECT * FROM userinfo WHERE id = 5; DELETE FROM USERS;
● Rule to prevent delete
○ rule safe_delete deny no_where_clause on_queries delete
○ user %@% match all rules safe_delete
● Rule to block "DROP TABLE"
○ rule drop_tbl_rule deny regex '.*drop[ ]+table[ ].*'
○ user %app-users@% match all rules drop_tbl_rule

No one can delete without a WHERE clause

Application users cannot drop any tables

Page 29

Examples: Prevent Data Export

● http://app.com/show.php?username=john; SELECT * FROM mytable INTO dumpfile '\\\\host.com\\share\\output.txt'
○ SELECT * FROM userinfo WHERE username = john; SELECT * FROM mytable INTO dumpfile '\\\\host.com\\share\\output.txt'
● Rule to prevent data export to a file
○ rule no_data_export deny regex '.*into.*' on_queries select
○ user %app-users@% match all rules no_data_export

Application users cannot bulk export into an OUTFILE or DUMPFILE

DBA or non-application users (ETL) can still export data

Page 30

Example: Prevent Unauthorized Access

● http://app.com/show.php?id=5; CREATE USER username IDENTIFIED BY 'password'; --
● Rule to prevent CREATE USER
○ rule no_create_user deny regex '^[ ]*CREATE[ ]+USER.*|[;][ ]*CREATE[ ]+USER.*'
○ user %app-users@% match all rules no_create_user

Application users cannot CREATE USER

DBA can still CREATE USER

Page 31

Examples: Handle Incorrect Type

● http://app.com/show.php?id=5 OR 1=1
○ SELECT * FROM userinfo WHERE id = 5 OR 1=1
● Rule to reject 'OR numeric = numeric'
○ rule no_or_where_rule deny regex '.*WHERE.*[ |(]+OR[ ]+[0-9]*[ ]*=[ ]*[0-9]*.*' on_queries select
○ user %@% match all rules no_or_where_rule

OR cannot be injected into the WHERE clause
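An added emulation of the rule sets on pages 27 to 31, written for this page and not taken from MaxScale's dbfwfilter source. It keeps the deck's rule names, regexes and user patterns (normalised to %app-users@%). Two simplifications are assumptions: stacked statements are split on ';' and checked one by one, and regexes are matched case-insensitively; the real filter classifies the query with MaxScale's query classifier.

```python
import re

# Rules reconstructed from pages 27 to 31: (kind, regex, statement types the rule applies to).
# Regexes are matched case-insensitively here, an assumption of this emulator.
RULES = {
    "safe_select":          ("no_where_clause", None, {"select"}),
    "safe_customer_select": ("regex", r".*from.*customers.*", None),
    "safe_delete":          ("no_where_clause", None, {"delete"}),
    "drop_tbl_rule":        ("regex", r".*drop[ ]+table[ ].*", None),
    "no_data_export":       ("regex", r".*into.*", {"select"}),
    "no_create_user":       ("regex", r"^[ ]*CREATE[ ]+USER.*|[;][ ]*CREATE[ ]+USER.*", None),
    "no_or_where_rule":     ("regex", r".*WHERE.*[ |(]+OR[ ]+[0-9]*[ ]*=[ ]*[0-9]*.*", {"select"}),
}
# "user PATTERN match all|any rules ..." lines from the slides; % is the wildcard.
USERS = [
    ("%app-users@%", "all", ["safe_customer_select", "safe_select"]),
    ("%@%",          "all", ["safe_delete"]),
    ("%app-users@%", "all", ["drop_tbl_rule"]),
    ("%app-users@%", "all", ["no_data_export"]),
    ("%app-users@%", "all", ["no_create_user"]),
    ("%@%",          "all", ["no_or_where_rule"]),
]

def rule_matches(name, stmt):
    """True if the named rule fires on one SQL statement."""
    kind, pattern, on_queries = RULES[name]
    verb = stmt.split(None, 1)[0].lower() if stmt.strip() else ""
    if on_queries and verb not in on_queries:  # on_queries limits the statement type
        return False
    if kind == "no_where_clause":
        return re.search(r"\bwhere\b", stmt, re.I) is None
    return re.search(pattern, stmt, re.I) is not None

def user_matches(pattern, user):
    """Expand the % wildcard of a user pattern and match the whole user@host."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("%"))), user) is not None

def decide(user, query):
    """Return (blocked, reason). Stacked statements are checked one at a time, an
    assumption: the real filter classifies the query with MaxScale's query classifier."""
    for stmt in filter(str.strip, query.split(";")):
        for pattern, mode, names in USERS:
            if not user_matches(pattern, user):
                continue
            hits = [n for n in names if rule_matches(n, stmt)]
            if hits and (mode == "any" or len(hits) == len(names)):
                return True, f"{stmt.strip()!r} blocked by {hits} for user {pattern}"
    return False, "allowed"
```

With "match all", the two-rule set on page 27 only fires when both rules hit, which is why a customer SELECT with a WHERE clause still passes for application users.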

Page 32

Examples: Rate Limiting Queries

● Limit the rate of the queries
○ Hold off queries when more than 10 arrive within 2 seconds, for the next 60 seconds
○ rule limit_rate_of_queries deny limit_queries 10 2 60

[Diagram: Client and MaxScale]
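An added emulation of the limit_queries 10 2 60 rule above (example code written for this page, not MaxScale's implementation): more than 10 queries inside a 2-second window triggers a 60-second hold-off for that session. The clock is passed in so arrival times can be constructed; how the real filter counts the blocked queries themselves is not stated on the slide and is an assumption here.

```python
from collections import deque

class QueryRateLimiter:
    """Emulates 'limit_queries MAX PERIOD HOLDOFF' for one client session."""

    def __init__(self, max_queries=10, period=2.0, holdoff=60.0):
        self.max_queries, self.period, self.holdoff = max_queries, period, holdoff
        self.recent = deque()        # arrival times still inside the PERIOD window
        self.blocked_until = None    # set while a hold-off is in effect

    def allow(self, now):
        """True if a query arriving at time `now` (seconds) may pass to the backend."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return False         # still held off: the query is denied
            self.blocked_until = None
            self.recent.clear()
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.period:
            self.recent.popleft()    # drop arrivals that fell out of the window
        if len(self.recent) > self.max_queries:
            self.blocked_until = now + self.holdoff
            return False
        return True

def simulate(arrivals, **limits):
    """Run constructed arrival times through one limiter and return the allow/deny decisions."""
    limiter = QueryRateLimiter(**limits)
    return [limiter.allow(t) for t in arrivals]
```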

Page 33

Future

● Support for whitelisting - “allow”

● Additional query type filtering - DROP, CREATE

● Tablename filtering

● Function calls and system variables filtering

Page 34

Resources

● Learn more about MariaDB MaxScale: https://mariadb.com/products/mariadb-maxscale

● Download MariaDB MaxScale: https://mariadb.com/resources/downloads

● Blog on Database Firewall Filter: https://mariadb.com/blog/maxscale-firewall-filter

● Access MariaDB Expertise: https://mariadb.com/services/mariadb-mysql-consulting

● Contact MariaDB MaxScale Team: https://mariadb.com/about/contact

● Connect with MaxScale community: [email protected]

Page 35

Thank You!

Serge Frezefond, Cloud Solution Architect, MariaDB

@sfrezefond