SQL Server Static vs Dynamic Data Masking

Data masking is a data security technique in which a dataset is copied but with sensitive data obfuscated. This benign replica is then used instead of the authentic data for testing or training purposes.

Static Data Masking

Every organization stores confidential and sensitive information in production databases. Because this live data is routinely copied to lower environments for development and testing, it is important to protect that sensitive data whenever a production database is copied to a non-production environment.

In order to reproduce production issues in environments like Dev, Staging, Test and UAT, data professionals often create test data by simply copying production data to these lower environments. The development team then typically has unrestricted access to all of the sensitive information, with no encryption or masking applied to the production database restored there. This easily accessible data puts the organization's confidential data at risk.

SSMS 18.0 (preview 5 and higher) introduces a new security feature called Static Data Masking, used here with SQL Server 2019. Previously it was available for Azure SQL DB only.

The workflow is to apply Static Data Masking to a production database, take a backup of the database with the mask applied, and then restore that masked copy to the non-production environments. In other words, the feature helps you create a masked copy of a SQL database. Once data is statically masked it is permanently replaced in the cloned database and cannot be recovered from it. This is useful for sharing sensitive data, database development, database troubleshooting, analytics and business reporting.

Read the full article which explains all the steps in details for Static Data Masking: https://www.mssqltips.com/sqlservertip/5939/sql-server-static-data-masking-example/

Dynamic Data Masking

Application developers often need access to production data for troubleshooting, and it is vital to keep them away from sensitive values without getting in the way of that troubleshooting. Dynamic Data Masking lets us mask sensitive fields for such users while keeping the original data intact, and different users with different roles can see the same field masked differently.

Dynamic Data Masking is a security feature introduced in SQL Server 2016 that limits the exposure of sensitive data to unauthorized users at the database layer: the data on disk is unchanged, and the mask is applied to query results for users who do not hold the UNMASK permission. It is an obfuscation layer rather than a hard security boundary. WHERE clauses and joins still evaluate against the real values, so a user who can only see masked output can still probe for the underlying data with targeted predicates; it should complement, not replace, least-privilege permissions and encryption.

Another example is a call center employee who looks up a customer's record to handle a request: the customer's general details are visible, but critical financial data such as the bank account number or the full credit card number is masked for that employee.
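The call center scenario above, as an added T-SQL example that is not part of the original post. The table, its columns, the sample row and the database user support_user are assumptions for illustration; it runs on SQL Server 2016 or later (or Azure SQL Database) as a member of db_owner. It also shows the inference caveat: the masked user cannot see the card number, but a predicate against the column still reveals it.

```sql
-- Added example (not from the original post). Table, columns, data and the
-- user name support_user are assumptions for illustration.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    FullName   NVARCHAR(100) MASKED WITH (FUNCTION = 'partial(1,"XXXX",0)') NOT NULL,
    Email      NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CardNumber VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Balance    DECIMAL(12,2) MASKED WITH (FUNCTION = 'random(1,100)') NOT NULL,
    Notes      NVARCHAR(MAX) MASKED WITH (FUNCTION = 'default()') NULL
);

INSERT INTO dbo.Customers (FullName, Email, CardNumber, Balance, Notes)
VALUES (N'Jane Doe', N'jane.doe@example.com', '4111-1111-1111-1111', 2500.00, N'VIP account');

-- The "call center employee": a user with SELECT on the table but no UNMASK.
CREATE USER support_user WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO support_user;

-- Masked view. Expected shape: JXXXX, jXXX@XXXX.com, XXXX-XXXX-XXXX-1111,
-- a random balance between 1 and 100, and xxxx for Notes.
EXECUTE AS USER = 'support_user';
SELECT FullName, Email, CardNumber, Balance, Notes FROM dbo.Customers;
REVERT;

-- Grant UNMASK and the same user sees the original values (db_owner always does).
GRANT UNMASK TO support_user;
EXECUTE AS USER = 'support_user';
SELECT FullName, Email, CardNumber, Balance, Notes FROM dbo.Customers;
REVERT;
REVOKE UNMASK FROM support_user;

-- Caveat: the mask applies to output only. Predicates run against the real data,
-- so the masked user can still infer values. This returns 1 for the row above,
-- confirming the card number starts with 4111 even though it is masked on output.
EXECUTE AS USER = 'support_user';
SELECT COUNT(*) AS matches FROM dbo.Customers WHERE CardNumber LIKE '4111%';
REVERT;

-- Inventory of every masked column in the current database, useful as a
-- periodic check that the masks are still in place.
SELECT OBJECT_SCHEMA_NAME(object_id) AS schema_name,
       OBJECT_NAME(object_id)        AS table_name,
       name                          AS column_name,
       masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

The last query is the check worth scripting: a mask can be silently dropped with ALTER COLUMN ... DROP MASKED, and nothing else in the application will notice. The inference query shows why DDM should sit on top of, not instead of, real access control on columns like CardNumber.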

Read the full article which explains all the steps in details for Dynamic Data Masking: https://www.sqlshack.com/dynamic-data-masking-in-sql-server/

Static Data Masking vs. Dynamic Data Masking

Static Data Masking                              Dynamic Data Masking
Happens on a copy of the database                Happens on the original database
Original data not retrievable                    Original data intact
Mask occurs at the storage level                 Mask occurs on-the-fly at query time
All users have access to the same masked data    Mask varies based on user permission

That is All. I hope this will help !!!

Encrypt and Decrypt ConnectionString in Web.Config

Encrypting and decrypting config files can be done programmatically using .NET Framework methods or with the ASP.NET IIS Registration tool (aspnet_regiis.exe). The encryption commands can target either the physical path of the config file or the name of an IIS application. In my examples I encrypt and decrypt the connectionStrings section with the .NET Framework 4. My project uses Entity Framework, so the connectionString value has a slightly different format from a traditional SQL Server connection string; don't let that confuse you 🙂

Before Encrypting Web.Config

The config file below is plainly readable: anyone who can read your Web.config, whether from the server, a backup or a source control checkout, can read the database connection details.


<connectionStrings>
  <add name="DatabaseEntities" connectionString="metadata=res://*/Models.Model.csdl|res://*/Models.Model.ssdl|res://*/Models.Model.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=(LocalDB)\v11.0;attachdbfilename=|DataDirectory|\EmpDB.mdf;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  <add name="EmpDBEntities" connectionString="metadata=res://*/Models.EmpDBModel.csdl|res://*/Models.EmpDBModel.ssdl|res://*/Models.EmpDBModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=(LocalDB)\v11.0;attachdbfilename=|DataDirectory|\EmpDB.mdf;integrated security=True;multipleactiveresultsets=True;application name=EntityFramework&quot;" providerName="System.Data.EntityClient" />
</connectionStrings>

You will find aspnet_regiis.exe in the C:\Windows\Microsoft.NET\Framework\version\ folder (Framework64 for the 64-bit build). The .NET Framework ships two built-in protected configuration providers for encrypting and decrypting sections of your config files: RsaProtectedConfigurationProvider, registered in machine.config under that same name, and DpapiProtectedConfigurationProvider, registered as DataProtectionConfigurationProvider. The -prov switch takes the registered name.

The general syntax to encrypt a config section is as follows:

aspnet_regiis.exe -pef section physical_directory -prov provider
or
aspnet_regiis.exe -pe section -app virtual_directory -prov provider

It is important to note when using aspnet_regiis.exe to encrypt or decrypt config files and you specify a physical path (rather than a web app name) the command is hardcoded for a file named “web.config”.

If you are trying to run the command against an app.config you will first need to rename that file to web.config before running the command. Rename it back afterwards before using it.

For this reason I find it easier to create a .bat file hardcoded with the necessary command syntax to encrypt my configs and then a 2nd .bat file to decrypt my configs.

For the example below I am using the built-in DPAPI provider (registered name DataProtectionConfigurationProvider) to encrypt a web.config in "D:\CodePractice\WebAPICRUDwithBootstrap\WebAPICRUDwithBootstrap". The encrypted web.config is shown further below.

Open a Visual Studio Command Prompt with Administrator privileges and run the following command.


C:\WINDOWS\system32>ASPNET_REGIIS -pef "connectionStrings" "D:\CodePractice\WebAPICRUDwithBootstrap\WebAPICRUDwithBootstrap" -prov "DataProtectionConfigurationProvider"
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation.  All rights reserved.
Encrypting configuration section...
Succeeded!

Note: The parameter “connectionStrings” is case sensitive.

After Encrypting Web.Config

After encrypting your ConnectionStrings section, your ConnectionStrings will not be in a readable format.


<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

Accessing Decrypted Configuration Settings

ASP.NET decrypts the protected section automatically when it reads Web.config, so no additional steps are needed to use the encrypted settings: an existing application whose Web.config has been encrypted runs exactly as before, without any change to the code. Be clear about what this does and does not protect. The connection string is hidden from anyone who can read the file but cannot use the key, for example a copy in source control or in a backup taken to another machine. It is not hidden from the application itself, from anyone who can run code under the application pool identity, or, with the DPAPI provider in its default machine-scope mode, from any process on the same machine, since all of them can decrypt it.

Decrypting the Connection String

When decrypting a config section you do not need to specify the protected configuration provider; the tool reads it from the configProtectionProvider attribute that encryption added to the section. Just as when encrypting, we can target either a file path or an IIS web application name. Here is the syntax to decrypt a configuration file section:

aspnet_regiis.exe -pdf section physical_directory
or
aspnet_regiis.exe -pd section -app virtual_directory

In my example below I decrypt the connectionStrings section of my web.config in "D:\CodePractice\WebAPICRUDwithBootstrap\WebAPICRUDwithBootstrap". As a reminder, when using the -pdf option we do not include "web.config" in the path; the tool assumes that file name.

C:\WINDOWS\system32>aspnet_regiis.exe -pdf "connectionStrings" "D:\CodePractice\WebAPICRUDwithBootstrap\WebAPICRUDwithBootstrap"
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation.  All rights reserved.
Decrypting configuration section...
Succeeded!

After running the above command, the connectionStrings section of the web.config is decrypted as shown below.


<connectionStrings>
  <add name="DatabaseEntities" connectionString="metadata=res://*/Models.Model.csdl|res://*/Models.Model.ssdl|res://*/Models.Model.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=(LocalDB)\v11.0;attachdbfilename=|DataDirectory|\EmpDB.mdf;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  <add name="EmpDBEntities" connectionString="metadata=res://*/Models.EmpDBModel.csdl|res://*/Models.EmpDBModel.ssdl|res://*/Models.EmpDBModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=(LocalDB)\v11.0;attachdbfilename=|DataDirectory|\EmpDB.mdf;integrated security=True;multipleactiveresultsets=True;application name=EntityFramework&quot;" providerName="System.Data.EntityClient" />
</connectionStrings>

Failed to decrypt using provider error

It is important to note that the encryption key lives on the server where the encryption was done. With the DPAPI provider used in this example the key is tied to the machine and cannot be exported, so a config file encrypted on one server must be decrypted before it is moved and then re-encrypted on the new server. With the RSA provider the key container can be exported with aspnet_regiis -px (add -pri to include the private key), imported on the target server with -pi, and the application pool identity then granted access to the container with -pa. If you move an encrypted config file to a server that does not have the key, you will get an error like "Failed to decrypt using provider...".

So the simplest approach is to do the encryption and decryption on the server where the Web.config lives, rather than creating RSA key containers and moving them around. The choice is yours 🙂

For more information: https://msdn.microsoft.com/en-us/library/2w117ede.aspx

I Hope this will help !!!

SQL Injection through SQLMap Burp Plugin

SQL Injection (SQLi) is a web-based attack used to steal sensitive information from organizations through their web applications, and it is one of the most common application-layer attacks in use today. It takes advantage of improper coding in the web application: user-supplied input is concatenated into SQL statements, so an attacker can inject SQL syntax of their own that passes through the application and interacts with or queries the database directly.

For example, let us consider a web application that implements a form-based login mechanism to store the user credentials and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username='admin' and password='admin123';

If the attacker knows that the application administrator's username is admin, they can log in as admin by entering the username admin'-- and any password at all. The query in the back end becomes:

select * from users where username='admin'--' and password='xxx';

The comment sequence (--) causes the rest of the line to be ignored, so the query that actually executes is equivalent to:

select * from users where username='admin';

Hence the password check is bypassed and the attacker is logged into the app as admin. SQL Injection can be tested in two ways – Manual Pen-Testing & Automation.
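The login bypass above, as an added T-SQL example that is not part of the original post, built two ways inside SQL Server: a stored procedure that concatenates the input into dynamic SQL (the vulnerable pattern behind the query in the text) and one that passes the same input as a parameter through sp_executesql. The table, its rows and the procedure names are assumptions for illustration; the password column is plaintext only to mirror the page's query.

```sql
-- Added example (not from the original post). Table, rows and procedure names
-- are assumptions for illustration.
CREATE TABLE dbo.Users (
    username NVARCHAR(50) PRIMARY KEY,
    password NVARCHAR(100) NOT NULL  -- plaintext only to mirror the page; store a salted hash in practice
);
INSERT INTO dbo.Users (username, password) VALUES (N'admin', N'admin123'), (N'alice', N's3cret');
GO

-- Vulnerable: the caller's input is spliced into the SQL text, exactly as the
-- page's login form does, so the input can change the statement's structure.
CREATE PROCEDURE dbo.Login_Vulnerable @username NVARCHAR(50), @password NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT username FROM dbo.Users WHERE username=''' + @username +
        N''' AND password=''' + @password + N'''';
    PRINT @sql;   -- shows the statement that actually runs
    EXEC (@sql);
END
GO

-- Hardened: the same query with parameters. The input is bound as a value and
-- can never become SQL syntax, whatever quotes or comment markers it contains.
CREATE PROCEDURE dbo.Login_Safe @username NVARCHAR(50), @password NVARCHAR(100)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT username FROM dbo.Users WHERE username=@u AND password=@p',
        N'@u NVARCHAR(50), @p NVARCHAR(100)',
        @u = @username, @p = @password;
END
GO

-- The page's payload: username admin'-- with a wrong password.
-- Vulnerable: PRINT shows
--   SELECT username FROM dbo.Users WHERE username='admin'--' AND password='xxx'
-- and the admin row is returned because the password check is commented out.
EXEC dbo.Login_Vulnerable N'admin''--', N'xxx';

-- Safe: no row, because no user is literally named admin'--
EXEC dbo.Login_Safe N'admin''--', N'xxx';

-- Safe, legitimate credentials: the admin row.
EXEC dbo.Login_Safe N'admin', N'admin123';
```

The same split applies to application code: any place that builds the statement with string concatenation is the injection point, and the fix is to bind the value as a parameter rather than to filter characters like ' or --.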

Read the full article: http://www.securitylearn.net/tag/sqlmap-tutorial/

Hope this will help !!!!!

reCAPTCHA

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows. Check out our paper in Science about it (or read more below).

A CAPTCHA is a program that can tell whether its user is a human or a computer. You’ve probably seen them — colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from “bots,” or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs.

About 200 million CAPTCHAs are solved by humans around the world every day. In each case, roughly ten seconds of human time are being spent. Individually, that’s not a lot of time, but in aggregate these little puzzles consume more than 150,000 hours of work each day. What if we could make positive use of this human effort? reCAPTCHA does exactly that by channeling the effort spent solving CAPTCHAs online into “reading” books.

To archive human knowledge and to make information more accessible to the world, multiple projects are currently digitizing physical books that were written before the computer age. The book pages are being photographically scanned, and then transformed into text using “Optical Character Recognition” (OCR). The transformation into text is useful because scanning a book produces images, which are difficult to store on small devices, expensive to download, and cannot be searched. The problem is that OCR is not perfect.

For more information click here.

Hope this will help !!!