10. SQL Injection Example

[Figure: the OWASP injection diagram. An HTTP request passes through the network layer (firewall, hardened OS, web server, app server, firewall) into the application layer, where the custom code behind the business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce) turns it into a SQL query against the back end (databases, legacy systems, web services, directories, human resources, billing) and returns an HTTP response.]

Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends encrypted results back to the application (encryption does not help here: from the database's point of view the query is a legitimate one)
5. Application decrypts the data as normal and sends the results to the user

Result: the attacker's Account Summary page lists every row of the accounts table (Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293) instead of a single account.
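The two code paths behind the diagram, as an added example in Java (not code from the deck). The table and column names `accounts` and `acct` and the attacker's payload are taken from the slide's query; the JDBC `Connection` is assumed to be supplied by the caller, and the class and method names are illustrative.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example, not the deck's code: the vulnerable query path from the slide
// beside the parameterized version that closes the hole.
public class AccountLookup {

    // Step 3 on the slide: the form value is pasted into the query text, so the
    // attacker's quote and "OR 1=1--" are parsed by the database as SQL grammar.
    static String buildVulnerableQuery(String acct) {
        return "SELECT * FROM accounts WHERE acct='" + acct + "'";
    }

    // Vulnerable: runs whatever buildVulnerableQuery produced.
    static List<String> lookupVulnerable(Connection db, String acct) throws SQLException {
        List<String> out = new ArrayList<>();
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableQuery(acct))) {
            while (rs.next()) out.add(rs.getString("acct"));
        }
        return out;
    }

    // Hardened: the query text is fixed and the account number is sent as a bound
    // parameter. The database never parses the form value as SQL, so "' OR 1=1--"
    // is simply looked up as a (non-existent) account number and returns no rows.
    static List<String> lookupParameterized(Connection db, String acct) throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = db.prepareStatement("SELECT * FROM accounts WHERE acct=?")) {
            ps.setString(1, acct);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) out.add(rs.getString("acct"));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String attack = "' OR 1=1--";   // the deck's payload, typed into the form field
        System.out.println("form value : " + attack);
        System.out.println("query sent : " + buildVulnerableQuery(attack));
        // The WHERE clause is now always true and the trailing quote is commented
        // out, which is why step 5 returns every row of the accounts table.
    }
}
```

Running `main` needs no database; it prints the assembled query, which is exactly the slide's `SELECT * FROM accounts WHERE acct='' OR 1=1--'`. The two lookup methods need a live `Connection`; the parameterized one is the fix the RASP and IAST slides that follow are trying to detect the absence of.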
11. How RASP Works? SQL Injection

[Figure: the same injection diagram as slide 10, with the RASP agent running inside the application server. The attack payload is again "SELECT * FROM accounts WHERE acct='' OR 1=1--'".]

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data. The agent taints the value returned by getParameter
3. Application creates a SQL query based on the getParameter value
4. Agent intercepts the malicious query at the instrumented executeSQL method in JDBC
5. Agent throws a SQLException ("Invalid SQL Query") back into the application, which returns an error to the attacker instead of the account data
12. How IAST Works? SQL Injection

[Figure: the injection diagram with a DAST engine in place of the attacker, the IAST agent in the application server, and a correlation engine that receives both the DAST engine's HTTP request and the agent's data. The attack payload is again "SELECT * FROM accounts WHERE acct='' OR 1=1--'".]

1. Application presents a form to the attacker (here the DAST engine)
2. DAST engine sends an attack in the form data. The agent taints the value returned by getParameter
3. Application creates a SQL query based on the getParameter value
4. Agent records the malicious query at the instrumented executeSQL method in JDBC (it does not block it)
5. Database executes the query containing the attack and sends the results back to the application
6. Application decrypts the data as normal and sends the results to the user

Correlation engine: the DAST engine's request is matched with the query the agent recorded at the sink. Confirmed vulnerability!!
16. How Instrumentation Works?

[Figure: the web application's class a.class is handed to the JVM running inside Apache Tomcat. Before it is defined, the instrumentation agent's transformation module rewrites its byte code, and the transformed class b.class is what enters the JVM's runtime data areas (method area, thread stacks, heap, constant pool) through the set of class loaders.]
18. How Instrumentation Works?

java -javaagent:/path/to/agent.jar com.example.mains.QueryDBTransaction

Agent.class:              void premain(String agentArgs, Instrumentation inst)
MyTransformer.class:      byte[] transform(. . ., byte[] queryTransBytes)
QueryDBTransaction.class: void main(String[] args)

1. JVM calls the agent's premain (the Premain-Class named in the agent jar's manifest)
2. JVM registers MyTransformer
3. JVM gives the QueryDBTransaction bytes to MyTransformer
4. MyTransformer performs byte code manipulation
5. QueryDBTransaction is loaded and main runs
20. Byte Code Manipulation

Class Parser -> Class Adapter -> Class Generator -> b.class (loaded into JVM)

The parser walks the original class and emits a visitor event stream (visit, visitMethod*, visitEnd). The adapter receives that stream, changes or inserts events, and forwards the same sequence (visit, visitMethod*, visitEnd) to the generator, which serializes the result as b.class, now possibly containing new classes, new methods and new fields. This is the ClassReader / ClassVisitor / ClassWriter pipeline of the ASM library, whose visitor methods carry exactly these names.
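Steps 1 to 5 of slide 18 and the parser/adapter/generator pipeline of slide 20, written out as an added example in Java (not code from the deck). It assumes the ASM library (org.objectweb.asm) is bundled into agent.jar, that the jar's MANIFEST.MF names `Premain-Class: com.example.agent.Agent`, and that the target class has a method `executeSQL` whose first parameter is the SQL string. The package names, the `Hook` class and the constants in `MyTransformer` are illustrative choices. The JDBC case on slides 11 and 12 follows the same pattern with the driver's statement class as the target.

```java
package com.example.agent;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

// Added example, not the deck's code. Assumes ASM is on the agent's classpath and
// the agent jar manifest carries "Premain-Class: com.example.agent.Agent".
public class Agent {

    // Step 1: the JVM calls premain before the application's main method.
    public static void premain(String agentArgs, Instrumentation inst) {
        // Step 2: register the transformer; from now on every class the JVM loads
        // passes through MyTransformer.transform before it is defined.
        inst.addTransformer(new MyTransformer());
    }

    static final class MyTransformer implements ClassFileTransformer {
        // Internal (slash-separated) names of the class and method to hook; these are
        // the slide's example names, not a real product's.
        static final String TARGET_CLASS = "com/example/mains/QueryDBTransaction";
        static final String TARGET_METHOD = "executeSQL";

        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] queryTransBytes) {
            // Step 3: the JVM hands over the raw bytes of each class. Returning null
            // means "unchanged", which leaves every other class untouched.
            if (!TARGET_CLASS.equals(className)) return null;

            // Step 4: the parser / adapter / generator pipeline. ClassReader parses
            // queryTransBytes, the anonymous ClassVisitor adapts the event stream,
            // ClassWriter generates the new class bytes.
            ClassReader reader = new ClassReader(queryTransBytes);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            ClassVisitor adapter = new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
                    // Only executeSQL(String, ...) gets the hook; other methods are copied as-is.
                    if (!TARGET_METHOD.equals(name) || !desc.startsWith("(Ljava/lang/String;")) return mv;
                    // Local slot of the first parameter: 0 in a static method, 1 otherwise
                    // ("this" occupies slot 0).
                    final int sqlSlot = (access & Opcodes.ACC_STATIC) != 0 ? 0 : 1;
                    return new MethodVisitor(Opcodes.ASM9, mv) {
                        @Override
                        public void visitCode() {
                            super.visitCode();
                            // Inserted at method entry:  Agent.Hook.check(sql);
                            super.visitVarInsn(Opcodes.ALOAD, sqlSlot);
                            super.visitMethodInsn(Opcodes.INVOKESTATIC, "com/example/agent/Agent$Hook",
                                                  "check", "(Ljava/lang/String;)V", false);
                        }
                    };
                }
            };
            reader.accept(adapter, 0);
            // Step 5: these bytes, not the originals, are what the JVM defines and runs.
            return writer.toByteArray();
        }
    }

    // The callee of the inserted instruction. It must be public because the
    // instrumented class lives in another package; it is resolvable because the
    // JVM appends the -javaagent jar to the system class path.
    public static final class Hook {
        public static void check(String sql) {
            // A RASP agent consults its taint state here and throws to block the query;
            // an IAST agent records the query for the correlation engine. This
            // placeholder only logs, so the application's behaviour is unchanged.
            System.err.println("[agent] " + MyTransformer.TARGET_METHOD + " called with: " + sql);
        }
    }
}
```

Build with ASM on the compile classpath, package `Agent.class`, its nested classes and the ASM classes into agent.jar together with a manifest line `Premain-Class: com.example.agent.Agent`, then start the application as on the slide: `java -javaagent:/path/to/agent.jar com.example.mains.QueryDBTransaction`. Inserting straight-line code at method entry adds no branch targets, so the original stack map frames stay valid and `COMPUTE_MAXS` is enough; a transformer that adds branches would need `COMPUTE_FRAMES` instead.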
21. Dynamic Taint Analysis (Quick & Dirty)

x = Request.getQueryParam("username")
…
y = copyString(x)
…
r = executeSQL(y)

22. Dynamic Taint Analysis (Quick & Dirty)

Input is tainted: x comes straight from the request, so the agent marks it tainted at the taint source getQueryParam.

23. Dynamic Taint Analysis (Quick & Dirty)

Every value is in one of two states, tainted or untainted. x is tainted; values the application computes without any user input stay untainted.

24. Taint Propagation

Data derived from user input is tainted: y = copyString(x) is computed from the tainted x, so y is tainted too.

25. Taint Sink

executeSQL is a taint sink. The tainted y reaching it is a policy violation, and the agent detects it at that call.
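The three-line program of slides 21 to 25 run through a quick and dirty taint tracker, as an added example in Java (not code from the deck). It also shows the two sink behaviours from slides 11 and 12 (RASP blocks with an exception, IAST records a finding and lets the query run) and a recognised sanitizer that removes taint. Taint is kept per String object (identity, not equals), which is what an agent that instruments java.lang.String would track; the class, method and mode names are illustrative.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Set;

// Added example, not the deck's code: source, propagation, sanitizer and sink for
// the slides' program, with the agent's reaction selectable per mode.
public class TaintDemo {

    // What the agent does when tainted data reaches a sink: RASP blocks, IAST records.
    enum Mode { RASP_BLOCK, IAST_REPORT }

    // Identity-based set: two equal strings from different sources are tracked apart.
    static final Set<String> TAINTED = Collections.newSetFromMap(new IdentityHashMap<>());
    static final List<String> FINDINGS = new ArrayList<>();   // what an IAST correlation engine would receive

    static class SqlPolicyException extends RuntimeException {
        SqlPolicyException(String msg) { super(msg); }
    }

    // ---- taint source: anything read from the request is tainted ----
    static String getQueryParam(String name, String rawValue) {
        String v = new String(rawValue);   // fresh object so identity tracking works
        TAINTED.add(v);
        return v;
    }

    // ---- propagation: data derived from tainted data is tainted ----
    static String copyString(String s) {
        String copy = new String(s);
        if (TAINTED.contains(s)) TAINTED.add(copy);
        return copy;
    }

    static String concat(String a, String b) {
        String r = a + b;
        if (TAINTED.contains(a) || TAINTED.contains(b)) TAINTED.add(r);
        return r;
    }

    // ---- sanitizer: a routine the policy recognises returns untainted data ----
    static String escapeSqlLiteral(String s) {
        // new String(...) forces a fresh object even when replace() finds nothing and
        // hands back s itself; the result is deliberately not added to TAINTED.
        // An agent that did not know this routine would keep the value tainted and
        // flag every escaped input: the "taint sanitization" false positive.
        return new String(s.replace("'", "''"));
    }

    // ---- sink: tainted data reaching executeSQL is a policy violation ----
    static String executeSQL(String sql, Mode mode) {
        if (TAINTED.contains(sql)) {
            String finding = "tainted SQL reached executeSQL: " + sql;
            if (mode == Mode.RASP_BLOCK) throw new SqlPolicyException(finding);  // step 5 on the RASP slide
            FINDINGS.add(finding);                                             // step 4 on the IAST slide
        }
        return "rows for: " + sql;   // stand-in for the real JDBC call
    }

    public static void main(String[] args) {
        String attack = "' OR 1=1--";   // the deck's payload
        for (Mode mode : Mode.values()) {
            String x = getQueryParam("username", attack);   // tainted at the source
            String y = copyString(x);                       // taint propagates to the copy
            String sql = concat("SELECT * FROM accounts WHERE acct='", concat(y, "'"));
            try {
                String r = executeSQL(sql, mode);
                System.out.println(mode + ": query ran, " + r);
            } catch (SqlPolicyException e) {
                System.out.println(mode + ": blocked, " + e.getMessage());
            }
        }
        // Same flow through the sanitizer: the taint is gone, so no violation in either mode.
        String clean = escapeSqlLiteral(getQueryParam("username", attack));
        executeSQL(concat("SELECT * FROM accounts WHERE acct='", concat(clean, "'")), Mode.RASP_BLOCK);
        System.out.println("IAST findings: " + FINDINGS);
    }
}
```

The tracker is "quick and dirty" in exactly the way the slides mean: only the wrapped calls propagate taint, so any string operation the agent has not instrumented (a substring, a format call, a StringBuilder) silently drops it, which is the under-tainting case, while treating every derived value as tainted without regard to what the attacker can actually control is the over-tainting case.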
27. Challenges in Taint Analysis

Under tainting (a source or a propagation step the agent misses): false negatives
Over tainting (taint spreads to data the attacker does not control): false positives
Taint sanitization (the agent does not recognise an escaping or validation routine, so cleaned data stays tainted): false positives
28. Challenges

RASP
- Performance overhead of instrumentation and taint analysis. Are you ready for it?
- Taint analysis challenges: false positives and false negatives
- No protection from logical vulnerabilities

IAST
- Time to discover vs. time to fix
- Instrumentation of the production code
- Has all the limitations of DAST