SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level

Presented at DEF CON 32 (2024), Aug. 10, 2024, 2 p.m. (45 minutes).

SQL injections seem to be a solved problem; databases even have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection. Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution. To put our findings into context, we will explore the real-world applicability of this new concept by comparing how robust various languages and frameworks are against these attacks. We will also discuss how smuggling attacks are not specific to database wire protocols but affect all kinds of binary protocols, from databases over message queues to caching. We will end the session with inspirations for future research to explore the topic further. - [link](https://www.postgresql.org/docs/current/protocol.html) - [link](https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_PROTOCOL.html) - [link](https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/) - [link](https://redis.io/docs/latest/develop/reference/protocol-spec/) - [link](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) - [link](https://portswigger.net/research/http2) - [link](https://portswigger.net/research/browser-powered-desync-attacks)

Presenters:

  • Paul Gerste - Vulnerability Researcher, R&D team at Sonar
    Paul Gerste is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing CTFs with team FluxFingers and organizing Hack.lu CTF.

Similar Presentations: