SlideShare a Scribd company logo

Vulnerable Active Record: A tale of SQL Injection in PHP Framework

P
Pichaya Morimoto

This document summarizes an presentation about SQL injection vulnerabilities in PHP frameworks that use the active record pattern. It discusses what active record is, how SQL injection can still occur even with input validation, and recommends following best practices like parameterized queries and implementing defense in depth to help prevent SQL injection attacks. Case studies show how SQL injection vulnerabilities were found in specific frameworks even when developers thought secure coding practices were followed.

Technology
1 of 13
Downloaded 193 times
1
2
3
4
5
6
7
8
9
10
11
12
13
Vulnerable Active Record A tale of SQL Injection in PHP Framework pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto Thailand PHP User Group Meetup January 28, 2015
★ What is Active Record ? ★ Secure by Design ? ★ Case Studies ★ Exploitation ★ Input Validation ★ Defence-in-Depth ★ Conclusion Overview
Active record pattern is an approach to accessing data in a database. A database table or view is wrapped into a class. Thus, an object instance is tied to row(s) in the table. PHP frameworks also bundle their own ORM implementing the active record pattern. For example, Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii. $query = $this->db->select('title, content, date'); $query->from('table1'); $query->where('id', $id); $query->get(); Source: https://en.wikipedia.org/wiki/Active_record_pattern What is Active Record ?
Secure by Design ? That’s Magic !
Case Study #1 Get rows from table ‘news’ and order by user input ‘sort’ PHP Framework: CodeIgniter 2.2
Hacker is here, where is SQLi ? SQLMap == Failed Acunetix == Failed Havij == Failed ‘ or ‘1’=’1 , union all select blah blah blah == Failed
SQL Injection Pwnage Pwned ! What if error message is turned off, is it still vulnerable? Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
Stand back I know secure coding! No more SQL Injection with Type Validation !
Case Study #2 Secure Coding !!
Keep calm and Think Again Numeric = [Integer, Double, Hex, ...] id value above is hex encoded of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws (0x3a,username,password) from ci220news_db” + data field is varchar type ***
A list of security techniques that should be included in every software development project. ★ Parameterize Queries ★ Implement Logging, Error Handling and Intrusion Detection ★ Leverage Security Features of Frameworks and Security Libraries and more.. https://www.owasp.org /index.php/OWASP_Proactive_Controls OWASP Proactive Controls ProTip: PHP is not allowed to parameterize ‘Order By’ clause ;) Because it isn’t data, it is a column name!
A layered approach to security can be implemented at any level of a complete information security strategy. ★ Secure Coding in software requirement ★ OS Hardening, reduce attack surface ★ Perimeter Security (Network Firewall, IPS/IDS) ★ Centralized Log Server / SIEM ★ Patch / Vulnerability Management System ★ Incident Response Plans ★ Web Application Firewall Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ Defence-in-Depth
Security Today !== Security Tomorrow Conclusion http://framework.zend.com/security/advisory/ZF2014-04 http://bakery.cakephp. org/articles/markstory/2013/04/28/security_release_- _cakephp_1_2_12_1_3_16_2_2_8_and_2_3_4

More Related Content

PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
PPTX
SQL Injections and Behind...
arjunguptam
 
PPT
How To Detect Xss
Ferruh Mavituna
 
PDF
Web Security attacks and defense
Jose Mato
 
PPTX
Secure Programming In Php
Akash Mahajan
 
PPTX
SQL Injection Defense in Python
Public Broadcasting Service
 
PDF
Sql Injection and XSS
Mike Crabb
 
PDF
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
SQL Injections and Behind...
arjunguptam
 
How To Detect Xss
Ferruh Mavituna
 
Web Security attacks and defense
Jose Mato
 
Secure Programming In Php
Akash Mahajan
 
SQL Injection Defense in Python
Public Broadcasting Service
 
Sql Injection and XSS
Mike Crabb
 
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 

What's hot (20)

PDF
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
PDF
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
ijtsrd
 
PDF
Web Application Security II - SQL Injection
Md Syed Ahamad
 
PDF
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
PDF
Secure code
ddeogun
 
PPT
Advanced Sql Injection ENG
Dmitry Evteev
 
PPT
Sql Injection Tutorial!
ralphmigcute
 
KEY
SQL Injection - Mozilla Security Learning Center
Michael Coates
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PDF
C days2015
Nuno Loureiro
 
PPTX
Owasp Top 10 - A1 Injection
Paul Ionescu
 
PPT
Advanced Topics On Sql Injection Protection
amiable_indian
 
PPT
SQL Injection
Adhoura Academy
 
PPT
Sql injection attack
RajKumar Rampelli
 
PDF
SQL Injection Tutorial
Magno Logan
 
PPTX
seminar report on Sql injection
Jawhar Ali
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
PPT
Web application attacks using Sql injection and countermasures
Cade Zvavanjanja
 
PDF
Advanced SQL Injection: Attacks
Nuno Loureiro
 
PPTX
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
ijtsrd
 
Web Application Security II - SQL Injection
Md Syed Ahamad
 
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
Secure code
ddeogun
 
Advanced Sql Injection ENG
Dmitry Evteev
 
Sql Injection Tutorial!
ralphmigcute
 
SQL Injection - Mozilla Security Learning Center
Michael Coates
 
Sql Injection attacks and prevention
helloanand
 
C days2015
Nuno Loureiro
 
Owasp Top 10 - A1 Injection
Paul Ionescu
 
Advanced Topics On Sql Injection Protection
amiable_indian
 
SQL Injection
Adhoura Academy
 
Sql injection attack
RajKumar Rampelli
 
SQL Injection Tutorial
Magno Logan
 
seminar report on Sql injection
Jawhar Ali
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Web application attacks using Sql injection and countermasures
Cade Zvavanjanja
 
Advanced SQL Injection: Attacks
Nuno Loureiro
 
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Ad

Viewers also liked (20)

PDF
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Pichaya Morimoto
 
PPT
D:\Technical\Ppt\Sql Injection
avishkarm
 
DOCX
Types of sql injection attacks
Respa Peter
 
PPTX
Sql injection
Zidh
 
PDF
Extjs presentation
Sabari Nathan
 
PPTX
CodeIgniter i18n Security Flaw
Abbas Naderi
 
PPT
XAJA - Reverse AJAX framework
Sri Prasanna
 
PDF
Exploiting WebApp Race Condition Vulnerability 101
Pichaya Morimoto
 
PDF
From Web Vulnerability to Exploit in 15 minutes
Pichaya Morimoto
 
PDF
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
PPTX
PHP Frameworks, or how I learnt to stop worrying and love the code
Michal Juhas
 
PDF
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
PPTX
A5: Security Misconfiguration
Tariq Islam
 
PDF
Exploiting Blind Vulnerabilities
Pichaya Morimoto
 
PDF
Lithium: The Framework for People Who Hate Frameworks
Nate Abele
 
PDF
How to scale PHP applications
Enrico Zimuel
 
PDF
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
Pichaya Morimoto
 
PPT
Sql injection attacks
Nitish Kumar
 
PPTX
Sql injection attack_analysis_py_vo
Jirka Vejrazka
 
PDF
Metasearch Outlook 2017
Michal Juhas
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Pichaya Morimoto
 
D:\Technical\Ppt\Sql Injection
avishkarm
 
Types of sql injection attacks
Respa Peter
 
Sql injection
Zidh
 
Extjs presentation
Sabari Nathan
 
CodeIgniter i18n Security Flaw
Abbas Naderi
 
XAJA - Reverse AJAX framework
Sri Prasanna
 
Exploiting WebApp Race Condition Vulnerability 101
Pichaya Morimoto
 
From Web Vulnerability to Exploit in 15 minutes
Pichaya Morimoto
 
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
PHP Frameworks, or how I learnt to stop worrying and love the code
Michal Juhas
 
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
A5: Security Misconfiguration
Tariq Islam
 
Exploiting Blind Vulnerabilities
Pichaya Morimoto
 
Lithium: The Framework for People Who Hate Frameworks
Nate Abele
 
How to scale PHP applications
Enrico Zimuel
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
Pichaya Morimoto
 
Sql injection attacks
Nitish Kumar
 
Sql injection attack_analysis_py_vo
Jirka Vejrazka
 
Metasearch Outlook 2017
Michal Juhas
 
Ad

Similar to Vulnerable Active Record: A tale of SQL Injection in PHP Framework (20)

PDF
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
PPTX
SQLi for Security Champions
PetraVukmirovic
 
PPT
PHP Security Basics
John Coggeshall
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PPTX
OWASP Top 10 Proactive Controls
Katy Anton
 
PPT
Php & Web Security - PHPXperts 2009
mirahman
 
ODP
Database security for PHP
Rohan Faye
 
PPTX
OWASP top 10-2013
tmd800
 
PDF
Security in PHP Applications: An absolute must!
Mark Niebergall
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PPT
Advanced sql injection
badhanbd
 
PPSX
Web application security
www.netgains.org
 
PDF
How to Destroy a Database
John Ashmead
 
ODP
My app is secure... I think
Wim Godden
 
PDF
sql-inj_attack.pdf
ssuser07cf8b
 
PDF
Injection techniques conversys
Krishnendu Paul
 
PDF
null Bangalore meet - Php Security
n|u - The Open Security Community
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
PPTX
Database and Database Security..
Rehan Manzoor
 
PDF
Code securely
Maksym Hopei
 
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
SQLi for Security Champions
PetraVukmirovic
 
PHP Security Basics
John Coggeshall
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
OWASP Top 10 Proactive Controls
Katy Anton
 
Php & Web Security - PHPXperts 2009
mirahman
 
Database security for PHP
Rohan Faye
 
OWASP top 10-2013
tmd800
 
Security in PHP Applications: An absolute must!
Mark Niebergall
 
The path of secure software by Katy Anton
DevSecCon
 
Advanced sql injection
badhanbd
 
Web application security
www.netgains.org
 
How to Destroy a Database
John Ashmead
 
My app is secure... I think
Wim Godden
 
sql-inj_attack.pdf
ssuser07cf8b
 
Injection techniques conversys
Krishnendu Paul
 
null Bangalore meet - Php Security
n|u - The Open Security Community
 
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
Database and Database Security..
Rehan Manzoor
 
Code securely
Maksym Hopei
 

More from Pichaya Morimoto (8)

PDF
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
Pichaya Morimoto
 
PDF
Securing and Hacking LINE OA Integration
Pichaya Morimoto
 
PDF
Docker Plugin For DevSecOps
Pichaya Morimoto
 
PDF
Mysterious Crypto in Android Biometrics
Pichaya Morimoto
 
PDF
Web Hacking with Object Deserialization
Pichaya Morimoto
 
PDF
Burp Extender API for Penetration Testing
Pichaya Morimoto
 
PDF
Bug Bounty แบบแมว ๆ
Pichaya Morimoto
 
PDF
Pentest 101 @ Mahanakorn Network Research Laboratory
Pichaya Morimoto
 
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
Pichaya Morimoto
 
Securing and Hacking LINE OA Integration
Pichaya Morimoto
 
Docker Plugin For DevSecOps
Pichaya Morimoto
 
Mysterious Crypto in Android Biometrics
Pichaya Morimoto
 
Web Hacking with Object Deserialization
Pichaya Morimoto
 
Burp Extender API for Penetration Testing
Pichaya Morimoto
 
Bug Bounty แบบแมว ๆ
Pichaya Morimoto
 
Pentest 101 @ Mahanakorn Network Research Laboratory
Pichaya Morimoto
 

Recently uploaded (20)

PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Chapter 5: Probability Theory and Statistics
RandyFin
 

Vulnerable Active Record: A tale of SQL Injection in PHP Framework

  • 1. Vulnerable Active Record A tale of SQL Injection in PHP Framework pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto Thailand PHP User Group Meetup January 28, 2015
  • 2. ★ What is Active Record ? ★ Secure by Design ? ★ Case Studies ★ Exploitation ★ Input Validation ★ Defence-in-Depth ★ Conclusion Overview
  • 3. Active record pattern is an approach to accessing data in a database. A database table or view is wrapped into a class. Thus, an object instance is tied to row(s) in the table. PHP frameworks also bundle their own ORM implementing the active record pattern. For example, Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii. $query = $this->db->select('title, content, date'); $query->from('table1'); $query->where('id', $id); $query->get(); Source: https://en.wikipedia.org/wiki/Active_record_pattern What is Active Record ?
  • 4. Secure by Design ? That’s Magic !
  • 5. Case Study #1 Get rows from table ‘news’ and order by user input ‘sort’ PHP Framework: CodeIgniter 2.2
  • 6. Hacker is here, where is SQLi ? SQLMap == Failed Acunetix == Failed Havij == Failed ‘ or ‘1’=’1 , union all select blah blah blah == Failed
  • 7. SQL Injection Pwnage Pwned ! What if error message is turned off, is it still vulnerable? Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
  • 8. Stand back I know secure coding! No more SQL Injection with Type Validation !
  • 10. Keep calm and Think Again Numeric = [Integer, Double, Hex, ...] id value above is hex encoded of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws (0x3a,username,password) from ci220news_db” + data field is varchar type ***
  • 11. A list of security techniques that should be included in every software development project. ★ Parameterize Queries ★ Implement Logging, Error Handling and Intrusion Detection ★ Leverage Security Features of Frameworks and Security Libraries and more.. https://www.owasp.org /index.php/OWASP_Proactive_Controls OWASP Proactive Controls ProTip: PHP is not allowed to parameterize ‘Order By’ clause ;) Because it isn’t data, it is a column name!
  • 12. A layered approach to security can be implemented at any level of a complete information security strategy. ★ Secure Coding in software requirement ★ OS Hardening, reduce attack surface ★ Perimeter Security (Network Firewall, IPS/IDS) ★ Centralized Log Server / SIEM ★ Patch / Vulnerability Management System ★ Incident Response Plans ★ Web Application Firewall Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ Defence-in-Depth