Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Published byRandall Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin."— Presentation transcript:

1 Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin

2 Presentation Outline What SQL injection is Example Project Objectives Design and Implementation Expected Results Current Status Possible Extensions Questions

3 SQL injection SQL Injection is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database. An attacker is able to insert a series of SQL statements into a 'query' by manipulating data input.

4 SQL injection

5 Example Vulnerable web page

6 In ASP, a critical vulnerability is the way in which the query string is created. example: var SQL = "select * from users where username = ' "+ username +" ' and password = ' "+ password +" '"; Example

7 Username: ‘;drop table users-- the 'users' table will be deleted, denying access to the application for all users

8 Example Query executed: select * from users where username = “ drop table users

9 Example

10 Project Goals Analyse the structure of SQL query commands Build a parser that will check allowable patterns of SQL statements Create a proxy server that will filter SQL commands. Prevent a SQL injection attack to a database using this proxy server. Prove that SQL injection can be prevented using the filter developed to work on the proxy server.

11 Development Environment Microsoft Windows XP Microsoft Visual Studio.net - C Sharp Microsoft Visual Source Safe Microsoft SQL Server 2000

12 Implementation Step

13 Expected Results Prevention of a SQL injection attack by filtering the queries using the proxy server List of best practices for –Web design –Database administration

14 Current Status Working proxy server –Extracts the SQL from a TDS packet –Logs that SQL query to a separate log file Work in progress: –Log to the database –Prevent a SQL injection attack White listing Black listing

15 Possible Extensions Handle other databases examples: Oracle, MySQL and Postgres Other operating systems example: Linux

16 Questions

Download ppt "Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.

Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
MIS2502: Data Analytics MySQL and SQL Workbench David Schuff

MIS2502: Data Analytics MySQL and SQL Workbench David Schuff
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
A Guide to SQL, Eighth Edition Chapter Three Creating Tables.

A Guide to SQL, Eighth Edition Chapter Three Creating Tables.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
True or False? Programming languages can be used to update databases and communicate with other systems. True.

True or False? Programming languages can be used to update databases and communicate with other systems. True.
How to Hack a Database.  What is SQL?  Database Basics  SQL Insert Basics  SQL Select Basics  SQL Where Basics  SQL AND & OR Basics  SQL Update.

How to Hack a Database.  What is SQL?  Database Basics  SQL Insert Basics  SQL Select Basics  SQL Where Basics  SQL AND & OR Basics  SQL Update.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google