Presentation is loading. Please wait.

Presentation is loading. Please wait.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

Published byMorris Quinn Modified over 8 years ago

Similar presentations

Presentation on theme: "(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References."— Presentation transcript:

1 (CPSC620) Sanjay Tibile Vinay Deore

2 Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References

3 Database : A database is an organized collection of data for one or more purposes in digital form. SQL : It is a programming language designed for managing data in relational database management systems (RDBMS).

4 SQL Injection: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to dump the database content to the attacker. Many web applications take user input from a form, Often this user input is used literally in the construction of a SQL query submitted to a database.

5 Examples : Brute-force password guessing SELECT email, passwd, login_id, full_name FROM members WHERE email = 'bob@example.com' AND passwd = 'hello123'; The database isn't readonly SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members; Adding a new member SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl'); Mail me a password SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'steve@unixwiz.net' WHERE email = 'bob@example.com';

6 Types  Incorrect Type Handling  Poorly Filtered Strings  White Space Multiplicity tackers get hold of the error information

7 Using SQL injections, attackers can  Add new data to the database Could be embarrassing to find yourself selling some inappropriate items on your site Perform an INSERT in the injected SQL  Modify data currently in the database Could be very costly to have an expensive item suddenly be deeply ‘discounted’Perform an UPDATE in the injected SQL  Often can gain access to other user’s system capabilities by obtaining their password

8 Examples:  In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.  On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using SQL blind injection.  In August, 2011, Hacker Steals User Records From Nokia Developer Site using "SQL injection“.  Sony Playstation user data compromised.

9 DefensesPrivilege Restrictions  Restrict functions that are not necessary for the application  Use stored procedures for database access  use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely.

10 More Defenses  Check syntax of input for validity Many classes of input have fixed languages Email addresses, dates, part numbers, etc. Verify that the input is a valid string in the language Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may decide to not allow these If you can exclude quotes and semicolons that’s good  Have length limits on input  Many SQL injection attacks depend on entering long strings

11  Limit database permissions and segregate users  Even a "successful" SQL injection attack is going to have much more limited success.  Isolate the webserver  For instance, putting the machine in a DMZ with extremely limited pinholes.

12 Configure database error reporting Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) Configure so that this information is never exposed to a user If possible, use bound variables Some libraries allow you to bind inputs to variables inside a SQL statement PERL example (from http://www.unixwiz.net/techtips/sql-injection.html) $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email);

13 References:-  http://www.unixwiz.net/techtips/sql- injection.html http://www.unixwiz.net/techtips/sql- injection.html  http://msdn.microsoft.com/en- us/library/ms161953.aspx http://msdn.microsoft.com/en- us/library/ms161953.aspx  http://php.net/manual/en/security.databa se.sql-injection.php http://php.net/manual/en/security.databa se.sql-injection.php  http://en.wikipedia.org/wiki/SQL_injectio n http://en.wikipedia.org/wiki/SQL_injectio n

14

Download ppt "(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Understand Database Security Concepts

Understand Database Security Concepts
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
LCT2506 Internet 2 Further SQL Stored Procedures.

LCT2506 Internet 2 Further SQL Stored Procedures.
DT211 Stage 2 Databases Lab 1. Get to know SQL Server SQL server has 2 parts: –A client, running on your machine, in the lab. You access the database.

DT211 Stage 2 Databases Lab 1. Get to know SQL Server SQL server has 2 parts: –A client, running on your machine, in the lab. You access the database.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.

Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.

+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.
EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.

EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
SQL Injection Timmothy Boyd CSE 7330.

SQL Injection Timmothy Boyd CSE 7330.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Similar presentations

Ads by Google