Developer's disappointed expectations manifested in poor code
- Some examples, from plain vanilla SQL injection flaws to time-based blind SQL injection attacks and exploitable HQL (Hibernate) injections due to the bad usage of a good O/R mapper.
- Ralf Reinhardt
- Tuesday, June 23rd, 7:00pm - 8:00pm
SQL injection seems to be an eternal pain in web applications, web services and idiosyncratic rich clients since it was first discussed at the end of the 90s. Assuming that your data, your information and your knowledge are your core assets, your intellectual property, your trade secrets, the impact of SQLi is very often fatal.
It is a history of 17 years of disappointment: the stupid application user simply does not behave as the clever software developer thought he or she should. In the meantime, the developer's boss meanders between phrases like time to market, milestones, deadline or going live. Form follows function is quite nice for buildings, but absolutely not sufficient for hacking-proof products:
The disappointment derives from irregular user activities, which anyone can perform easily just by typing some data into an input field. Due to missing or inadequate input validation, this data becomes a command. Together with old-school, duct-tape-style query concatenation, failure is inevitable: the genuine query (as expected by the developer) is altered into a malicious one (as manipulated by the attacker) before it reaches the interpreter and therefore, finally, the database. It is very common that several developers work on one project, so the person handling the user input from the client or browser is not necessarily the same one handling persistence in the database. They both might think: Didn't YOU handle this?
The good news is: mitigation is (usually) very simple. Once a developer, or even better also the project manager, is aware of what really can (and sooner or later will) happen, he or she might start looking beyond his or her nose and hopefully stop stubbornly casting functional use cases into simple source code. A lack of security is always a quality issue. Knowledge helps in prevention. This talk tries to give some technical insights as described in the title.
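The two query styles the abstract contrasts, as an added example that is not part of the talk or the speaker's material: an in-memory SQLite table stands in for the persistence layer, and the table contents and inputs are constructed here. The same distinction applies to HQL, where concatenation is replaced by named parameters.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_concat(conn, name):
    # Duct-tape style: the user's text is spliced into the statement, so
    # whatever is typed becomes part of the command the interpreter runs.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_param(conn, name):
    # Bound parameter: the driver hands the value to the engine separately
    # from the statement text, so it is only ever compared as data.
    # Hibernate's Query.setParameter() plays the same role for HQL.
    stmt = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(stmt, (name,)))


if __name__ == "__main__":
    db = build_db()
    honest = "alice"
    irregular = "x' OR '1'='1"  # constructed "irregular user activity"
    print(lookup_concat(db, honest))     # ['alice']
    print(lookup_concat(db, irregular))  # ['alice', 'bob']: the query was altered
    print(lookup_param(db, irregular))   # []: treated as a literal, non-existent name
```

The concatenated variant returns every user for the crafted input because the WHERE clause has been rewritten; the parameterised variant returns nothing because no user is literally named that.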
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
| Session | Speaker | Time | Category |
|---|---|---|---|
| PowerShell for Pentesters | James Shewmaker | Monday, June 22nd, 7:30pm - 8:30pm | SANS@Night |
| Bypassing HTTP Strict Transport Security | Jose Selvi | Tuesday, June 23rd, 6:00pm - 7:00pm | SANS@Night |
| Developer's disappointed expectations manifested in poor code | Ralf Reinhardt | Tuesday, June 23rd, 7:00pm - 8:00pm | SANS@Night |
| Playing with SCADA's Modbus Protocol | Justin Searle | Thursday, June 25th, 6:00pm - 7:00pm | SANS@Night |
| Hacking Survival: So, you want to compute post-apocalypse? | Larry @haxorthematrix Pesce | Thursday, June 25th, 7:00pm - 8:00pm | SANS@Night |
| A History of ATM Violence - From blowing up safes over jackpotting to all-round malware | Erik Van Buggenhout | Friday, June 26th, 6:00pm - 7:00pm | SANS@Night |