July 18, 2005 - SQL Injection v. Input Validation - New Theories
by Jeff Moss
While simple SQL injection techniques lead to some of the most costly attacks today, researchers are hard at work rethinking the primary defense against injection: input validation. Input validation is something that every web application must feature, but quite frankly, it’s pretty annoying to implement. Robert Hansen and Merideth Patterson join us today to explain how their academic research might hold the solution to more convenient way to prevent injection attacks. Additionally, Michael Pomraning “crosses the gulf” from academic to practical by teaching us that we must unlearn input validation to fully understand it.
Validating Input with Convenience and Security
by Robert Hansen and posted July 18, 2005
In January 2005 I was having dinner with a computational linguist friend at a Red Lobster. While talking about provably-secure software, I ranted that with software as bad as it is today almost anything would be an improvement. "I mean," I said between bites of crab, "the right thing to do with input validation is so obvious, and nobody's doing it. You could stop most SQL injection just by moving to pushdown automatawhy aren't people doing this?"
Meredith thought about it for a moment and said she hadn't thought of that, and hadn't heard of it before. She suggested there might be a paper in there somewhere, and I brushed it off. "No, no," I said, "for that I'd need to pick some hapless computational linguist's brain, and..."
I went on for another few sentences before I realized I was talking to a computational linguist.
We finished Draft 11 of Guns and Butter: Towards Formal Axioms of Input Validation on February 15. After circulating this within the department, our feedback was strongly positive. Our only problem was that if it got published in an academic journal, nobody in industry would ever read it. This led us to creating a presentation aimed at an industry audience, without theoretical computer science backgrounds. If you know SQL and you aren't scared by regular expressions, listen up.
Unlearning: The First Step Towards Stopping SQL Injection
by Michael Pomraning posted July 18, 2005
Two injection flaws, XSS and SQL Injection, are the low-hanging fruit of the web application orchard. A day or two reviewing vulnerability feeds grimly suggests that developers are still just realizing what this class of attack means, and that the attackers are, as usual, two steps ahead.
By and large, we view these weaknesses as "input validation errors." That kind of language has a distinguished academic history dating back as far as the early Nineties -- perhaps even earlier, though our records of those ancient times are fragmentary. I'd happily blather about the merits of those vulnerability taxonomies for hours, but that won't cross the gulf between the academic and the practical.
So, let's unlearn what we have learned, at least briefly. We'll be able to avoid reinventing the input validation wheel, particularly that unending stream of broken or incomplete s/// perl-style substitution regexes. (I still see industry experts going so far as to label this a "best practice".) If thinking about "input validation" hasn't helped the typical developer, perhaps overtly ignoring it will.
I'll give a quick illustration of XSS and SQL Injection attacks portrayed as input validation flaws, and their proposed remediation, drawing from thoroughly unsurprising public mailing lists. I'll then hypnotize the audience, exploiting this suggestible state to implant general techniques and language-specific examples of injection flaw prevention.
We’ve seen a new breed of hackers thrive using a soldering iron with their shell code. Companies need to rethink how they build and secure their products because hackers like me like to take new things apart and see how they work. Joe Grand’s dissection of hardware and the industry surrounding it consequences to blind trust. Darrin Barrall and David Dewey prove it by showing us how a USB-stick mod can root your box... read more
Poking at Protocols: SSH and SPA
Protocol layer research allows us hackers to both secure and exploit everyday operational communications. On this BlackPage, Adam Boileau walks us through a day of formulating his latest SSH hijacking techniques while Mad Hat provides a first look at Single Packet Authentication, and how it might land system administrators a few extra dates... read more
The Black Page is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us here to learn more about submission rules