Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL injection Figure 1 By Kaveri Bhasin. Motive of SQL Injection Obtain data from database Modify system functions Insert data in the backend database.

Published byGabriel Carson Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL injection Figure 1 By Kaveri Bhasin. Motive of SQL Injection Obtain data from database Modify system functions Insert data in the backend database."— Presentation transcript:

1 SQL injection Figure 1 By Kaveri Bhasin

2 Motive of SQL Injection Obtain data from database Modify system functions Insert data in the backend database

3 Figure 2.

4 Victims Mostly Web applications with user input facilities.

5

6 Simplest Procedure 1.Guess field names. 2.Construct a query and check for SQL status 3.If server gives error, field name is incorrect, else lets proceed…

7 Cont. With the correct field, construct SQL query and inject Example: 101 AND Len(( SELECT first_name FROM user_data WHERE userid =15613)) = 6

8 Paper overview Types of Vulnerabilities Measures Tools (Webgoat)

9 Types of vulnerabilities Database system vulnerability Type handling Injected filtered escape characters

10 Measures Web application design: Analyze against vulnerabilities Use strongly defined types and validation for user input Use parameterized queries

11 Tools Webgoat Developed by OWASP.org Free source to experiment and learnt about SQL injection

12 Conclusion SQL injection is a serious concern A single design error can be disastrous for the security of sensitive information

13 References Figure 1. http://ocliteracy.com/techtips/sql-injection.htmlhttp://ocliteracy.com/techtips/sql-injection.html Figure 2. “Towards an Aspect-Oriented Intrusion Detection Framework” Zhi Jian Zhu and Mohammad Zulkernine http://www.owasp.org/ http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdfhttp://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

Download ppt "SQL injection Figure 1 By Kaveri Bhasin. Motive of SQL Injection Obtain data from database Modify system functions Insert data in the backend database."

Similar presentations

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
Understand Database Security Concepts

Understand Database Security Concepts
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.

07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.

SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.

PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Similar presentations

Ads by Google