Vulnerable Active Record
A tale of SQL Injection in PHP Framework
pichaya@ieee.org
fb.com/index.htmli
linkedin.com/in/pich4ya
Pichaya Morimoto
Thailand PHP User Group Meetup
January 28, 2015
★ What is Active Record ?
★ Secure by Design ?
★ Case Studies
★ Exploitation
★ Input Validation
★ Defence-in-Depth
★ Conclusion
Overview
The active record pattern is an approach to accessing data in a database: a database table or view is wrapped in a class, so an object instance is tied to a row (or rows) of that table.
PHP frameworks also bundle their own ORM implementing the active record pattern, for example Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii.
$query = $this->db->select('title, content, date');
$query->from('table1');
$query->where('id', $id);
$query->get();
Source: https://en.wikipedia.org/wiki/Active_record_pattern
What is Active Record ?
Secure by Design ?
That’s Magic !
Case Study #1
Get rows from table ‘news’ and order by user input ‘sort’
PHP Framework:
CodeIgniter 2.2
Hacker is here, where is SQLi ?
SQLMap == Failed
Acunetix == Failed
Havij == Failed
‘ or ‘1’=’1 , union all select blah blah blah == Failed
SQL Injection Pwnage
Pwned !
What if error message is turned off, is it still vulnerable?
Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand
Stand back I know secure coding!
No more SQL Injection with Type Validation !
Case Study #2
Secure Coding !!
Keep calm and Think Again
Numeric = [Integer, Double, Hex, ...]
The id value above is the hex encoding of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws(0x3a,username,password) from ci220news_db” + the data field is of varchar type ***
A list of security techniques that should be included in every software development project.
★ Parameterize Queries
★ Implement Logging, Error Handling and Intrusion Detection
★ Leverage Security Features of Frameworks and Security Libraries
and more..
https://www.owasp.org/index.php/OWASP_Proactive_Controls
OWASP Proactive Controls
ProTip: a PHP prepared statement cannot parameterize the ‘Order By’ clause ;)
Because the sort key isn’t data, it is a column name!
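Both case studies come down to the same two checks, shown here as an added PHP example that is not code from the slides, from CodeIgniter or from OWASP: the numeric `id` is validated as a real integer and then bound as a parameter, and the user-chosen `sort` column is mapped through a fixed allowlist because an identifier cannot be bound. The `news` table with columns `id`, `title`, `content`, `date`, the `validateId`/`validateSort`/`listNews`/`getNews` helpers and the in-memory SQLite database are all assumptions made so the file runs stand-alone.

```php
<?php
// Added example, not code from the slides: the two inputs from the case
// studies (a numeric `id` and a user-chosen `sort` column) validated before
// they reach the query. Assumed/hypothetical: a `news` table with columns
// id, title, content, date, and an in-memory SQLite database so the file
// runs stand-alone (the real application would hand $pdo a MySQL connection).
declare(strict_types=1);

// Case study #2: a framework "numeric" rule is not an integer check.
// is_numeric() also accepts floats, exponent notation and, on PHP 5,
// hex strings, which is how the hex-encoded payload on the slide got
// through. A primary key is a positive integer, so demand exactly that.
function validateId(string $raw): int
{
    // FILTER_VALIDATE_INT rejects "0x31", "1e3", "1 and 1>2"; min_range rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("id must be a positive integer, got '$raw'");
    }
    return $id;
}

// Case study #1 / ProTip: an ORDER BY column is an identifier, not data, so
// it cannot be bound as a prepared-statement parameter. The safe pattern is an
// allowlist: the request value is only a key, the SQL identifier is ours.
const SORTABLE_COLUMNS = ['title' => 'title', 'date' => 'date', 'id' => 'id'];

function validateSort(string $column, string $direction = 'asc'): array
{
    if (!array_key_exists($column, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException("'$column' is not a sortable column");
    }
    // Direction is likewise mapped onto two fixed keywords, never interpolated raw.
    $dir = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return [SORTABLE_COLUMNS[$column], $dir];
}

function listNews(PDO $pdo, string $rawSort, string $rawDir = 'asc'): array
{
    [$column, $dir] = validateSort($rawSort, $rawDir);
    // Only allowlisted identifiers are interpolated; no user bytes reach the SQL text.
    $stmt = $pdo->query("SELECT id, title, content, date FROM news ORDER BY {$column} {$dir}");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function getNews(PDO $pdo, string $rawId): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, content, date FROM news WHERE id = :id');
    $stmt->bindValue(':id', validateId($rawId), PDO::PARAM_INT); // a value: bind it
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demo on a constructed in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT, date TEXT)');
$pdo->exec("INSERT INTO news VALUES (1, 'first', 'hello', '2015-01-01'), (2, 'second', 'world', '2015-01-02')");

print_r(listNews($pdo, 'date', 'desc')); // two rows, newest first
print_r(getNews($pdo, '2'));             // the second row

// Inputs that a plain "numeric" rule would have accepted are all rejected here.
foreach (['0x31', '1e3', '1 and 1>2', '-5', '2.0'] as $bad) {
    try {
        validateId($bad);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
// A column that exists but is not meant to be sortable (for example a
// credential column) is rejected just like a malformed one.
try {
    validateSort('password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With a query builder such as CodeIgniter's, the allowlisted column and direction are what you hand to `$this->db->order_by()`, and the validated integer is what you hand to `where()`; the raw request values never reach either call. Note that PHP 7.0 changed `is_numeric()` so that hex strings are no longer treated as numeric, but the lesson stands: a loose numeric rule is not an integer check, and the column name is never data.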
A layered approach to security can be implemented at any level of a complete information security strategy.
★ Secure Coding in software requirement
★ OS Hardening, reduce attack surface
★ Perimeter Security (Network Firewall, IPS/IDS)
★ Centralized Log Server / SIEM
★ Patch / Vulnerability Management System
★ Incident Response Plans
★ Web Application Firewall
Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/
Defence-in-Depth
Security Today !== Security Tomorrow
Conclusion
http://framework.zend.com/security/advisory/ZF2014-04
http://bakery.cakephp.org/articles/markstory/2013/04/28/security_release_-_cakephp_1_2_12_1_3_16_2_2_8_and_2_3_4