Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Published byLinette Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science."— Presentation transcript:

1 Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science

2  Many of the Web applications employ database driven content on the Internet. yahoo, Amazon  The interactive nature of web applications that employ database services consist vulnerabilities to SQL injection attacks  Web applications receive user inputs via form fields and then transfer those inputs as database requests

3  Transaction may consist of user name, password and information that have large amounts of monetary value.  A national security and privacy matter, such as social security numbers in the U.S.  SQL injection attacks are widespread and Web applications are vulnerable to SQL Injection Attacks (SQLIAs).  over 300 Internet Web sites has shown that most of them could be vulnerable to SQLIAs- Study by Gartner Group  SQLIA Examples: Travelocity, FTD.com, and Guess Inc.

4  SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application  Data provided by the user is NOT validated and included in an SQL query in such a way that part of the user’s input is treated as SQL code.

5  Tautologies  Illegal/Logically Incorrect Queries  Union Query  Piggy-Backed Queries  Stored Procedures  Inference  Alternate Encodings

6  Attack Intent: Bypassing authentication, identifying injectable parameters, extracting data.  The general goal of a tautology-based attack is to inject code in one or more conditional statements so that they always evaluate to true.  An attacker exploits an injectable field that is used in a query’s WHERE conditional SELECT accounts FROM users WHERE login=’’ or 1=1 -- AND pass=’’ AND pin=

7  Attack Intent: Identifying injectable parameters, performing database finger-printing, extracting data.  Description: This attack lets an attacker gather important information about the type and structure of the back-end database of a Web application. SELECT accounts FROM users WHERE login=’’ AND pass=’’ AND pin= convert (int,(select top 1 name from sysobjects where xtype=’u’))

8  Attack Intent: Bypassing Authentication, extracting data.  Description: In union-query attacks, an attacker exploits a vulnerable parameter to change the data set returned for a given query.  SELECT accounts FROM users WHERE login=’’ UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass=’’ AND pin=

9  Attack Intent: Extracting data, adding or modifying data, performing denial of service, executing remote commands.  Description: In this attack type, an attacker tries to inject additional queries into the original query. Vulnerability to this type of attack is often dependent on having a database configuration that allows multiple statements to be contained in a single string. SELECT accounts FROM users WHERE login=’doe’ AND pass=’’; drop table users -- ’ AND pin=123

10  Attack Intent: Performing privilege escalation, performing denial of service, executing remote commands.  Description: SQLIAs of this type try to execute stored procedures  An attacker determines which backend database is in use CREATE PROCEDURE DBO.isAuthenticated @userName varchar2, @pass varchar2, @pin int AS EXEC("SELECT accounts FROM users WHERE login=’" +@userName+ "’ and pass=’" +@password+ "’ and pin=" +@pin); GO

11  Attack Intent: Identifying injectable parameters, extracting data, determining database schema.  Description: The query is modified to recast it in the form of an action that is executed based on the answer to a true/false question about data values in the database.  Attackers are generally trying to attack a site that has been secured enough so that, when an injection has succeeded, there is no usable feedback via database error messages. SELECT accounts FROM users WHERE login=’legalUser’ and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ’ AND pass=’’ AND pin=0

12  Attack Intent: Evading detection.  Description: In this attack, the injected text is modified so as to avoid detection by defensive coding practices and also many automated prevention techniques. SELECT accounts FROM users WHERE login=’legalUser’; exec(char(0x73687574646f776e)) -- AND pass=’’ AND pin=tion with other attacks.

13 * Apply Instruction-set randomization to SQL * Creating instances of the language that are unpredictable to the attacker * Queries injected by the attacker will be caught by the database parser. * An intermediary proxy that translates the random SQL to its standard language. * Mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.

14

15 Mechanism provides a tool reads an SQL statement(s) and rewrites all keywords with the random key appended. select gender, avg(age) from cs101.students where dept = %d group by gender The utility will identify the six keywords in the example query and append the key to each one (e.g., when the key is “123”): select123 gender, avg123 (age) from123 cs101.students where123 dept = %d group123 by123 gender

16  Built proxy server that sits between the client (web server) and SQL server, de-randomizes requests received from the client, and conveys the query to the server.  If an SQL injection attack has occurred, the proxy’s parser will fail to recognize the randomized  implementation focused on CGI scripts as the query generators, a similar approach applies when using JDBC query and will reject it.

17  THANK YOU

Download ppt "Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
ITEC403 Graduation Project Applications’ Security – Cem Yağlı.

ITEC403 Graduation Project Applications’ Security – Cem Yağlı.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Similar presentations

Ads by Google