Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

Published byEmmeline Summers Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users."— Presentation transcript:

1 1 Avoiding Hacker Attacks

2 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

3 Getting Started http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2011_04_14_More_Hacker_Attacks/ http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2011_04_14_More_Hacker_Attacks/ File Alt_Databound_Combo_Box_for_Hacker_Attacks.zip 3

4 4 SQL Injection Attacks An Even More Insidious Threat Potentially lets the hacker execute any SQL command. Can take over your database. Destroy your data. Worse, steal it without your knowing.

5 5 How to Invite SQL Injection Attacks Accept text input from the user and make it a part of a SQL command. Suppose we provide a TextBox for the user to enter a search term. Program retrieves information about all products with that search term in their ProductName.

6 6 Add New Product_Info Form

7 7 TextBox for Search Term

8 8 How to Search with SQL The SQL "LIKE" operator permits us to search for a text string containing a specified search target. Two wildcard characters Percent sign (%) Underscore (_) % matches any number of characters in a string, including none. _ matches exactly one character

9 9 How to Search with SQL SELECT * FROM Products WHERE ProductName LIKE '%Tofu%' The string '%Tofu%' matches any ProductName including Tofu.

10 Copy Product_Info.cs http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2011_04_11_Hacker_Attacks/Product_Info.cs http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2011_04_11_Hacker_Attacks/Product_Info.cs Replace stub created by Visual Studio. 10

11 11 Product_Info.cs using System; using System.Collections.Generic; using System.Windows.Forms; namespace Alt_Databound_Combo_Box { public partial class Product_Info : Form { String Username; String Password; List product_list; public Product_Info(String Username_, String Password_) { InitializeComponent(); Username = Username_; Password = Password_; }

12 12 Product_Info.cs private void btnGetProductInfo_Click(object sender, EventArgs e) { String Search_Term = tbSearchTerm.Text; product_list = Products.Get_Products(Username, Password, Search_Term); if (product_list.Count > 0) { foreach (Product p in product_list) { MessageBox.Show(p.Product_name); } else { MessageBox.Show("No product found"); } tbSearchTerm.Text = ""; }

13 13 Reuse Some Code http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2010_10_26_Product_Browser/ http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2010_10_26_Product_Browser/ Copy Product.cs and Products.cs into project folder. Add to project.

14 14 Implement the Search Modify Get_Products to produce a new version that gets products with ProductName containing a specified search term.

15 15 Products.cs public static List Get_Products(String Username, String Password, String Search_Term) { SqlDataReader rdr; SqlConnection cn; List Product_List = new List (); cn = Setup_Connection(Username, Password); rdr = Get_SqlDataReader(cn, Search_Term); while (rdr.Read()) { Product p = new Product(rdr); Product_List.Add(p); } rdr.Close(); cn.Close(); return Product_List; }

16 16 Products.cs private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term) { SqlCommand cmd = new SqlCommand(); cmd.CommandText = "SELECT * FROM Products " + " WHERE ProductName LIKE '%" + Search_Term + "%'"; cmd.Connection = conn; return cmd.ExecuteReader(); }

17 17 Update Login Form private void btnLogIn_Click(object sender, EventArgs e) { if ((tbUserName.Text.IndexOf(';') >= 0) || (tbPassword.Text.IndexOf(';') >= 0)) { MessageBox.Show("Invalid input"); return; } Product_Info pi = new Product_Info(tbUserName.Text, tbPassword.Text); this.Hide(); pi.ShowDialog(); this.Close(); }

18 18 Program Used as Intended

19 19 An Innocent Error

20 20 Crash!

21 21 Program Subverted

22 22 Another Subversion... Getting All Products

23 23 Defense To foil this attack, and prevent crashes from bad inputs, replace each single quote with a pair of single quotes. The server replaces pairs of single quotes with one single quote. Treats that single quote as part of the string rather than as a delimiter. Only way to include a single quote character in a text string in a SQL query.

24 24 Escape Single Quotes In Products.cs: private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term) { SqlCommand cmd = new SqlCommand(); Search_Term = Search_Term.Replace("'", "''"); cmd.CommandText = "SELECT * FROM Products " + " WHERE ProductName LIKE '%" + Search_Term + "%'"; cmd.Connection = conn; return cmd.ExecuteReader(); }

25 25 Attempted Subversion

26 26 Search Term with Apostrophe

27 27 Other Defensive Measures Use the MaxLength property of TextBox to limit how many characters a user can enter. For numeric input, parse the input and convert the resulting numeric value back into a string to splice into the command. On exceptions, provide only a generic error message. The actual error message from the exception might provide useful information to a hacker. Use parameterized commands or stored procedures. End of Section

28 28 Parameterized Command A command string that uses placeholders in the SQL text. Placeholders replaced by dynamically supplied values at run time. Uses the Parameters collection of the command object. Specific to ADO.NET. The command object checks the parameter value for attempted SQL injection attacks.

29 29 Parameterized Command Example Rather than SELECT * FROM Customers WHERE CustomerID = 'ALFKI' where ALFKI was read from a TextBox write SELECT * FROM Customers WHERE CustomerID = @CustID @CustID will be replaced by a string containing a real customer ID at run time. Note: No quotes around @CustID

30 30 Using a Parameterized Command private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term) { SqlCommand cmd = new SqlCommand(); //Search_Term = Search_Term.Replace("'", "''"); cmd.CommandText = "SELECT * FROM Products" + " WHERE ProductName LIKE @Parm1"; cmd.Parameters.AddWithValue("@Parm1", "%" + Search_Term + "%"); cmd.Connection = conn; return cmd.ExecuteReader(); }

31 31 Attempted Subversion

32 32 Term with Apostrophe

33 33 Blank Entry Everything matches!

34 34 Blank Entry If we don't want the user to be able to ask for all products, we have to check for a zero length string in the TextBox. private void btnGetProductInfo_Click(object sender, EventArgs e) { String Search_Term = tbSearchTerm.Text; if (Search_Term.Length == 0) { MessageBox.Show("No search term entered"); return; }...

35 35 Blank Entry End of Section

36 36 Stored Procedures We can store SQL commands in the database and executed them from there. A safer alternative to constructing SQL commands and executing them. Visual Studio and ADO.NET provide support for this.

37 37 Stored Procedures The Northwind Traders database has a lot of stored procedures. Click on the + beside Stored Procedures in Server Explorer to expand the section.

38 38 Northwind Stored Procedures

39 39 Northwind Stored Procedures

40 40 Northwind Stored Procedures We can execute these stored procedures from the Server Explorer. Right click on a stored procedure and select Execute.

41 41 Executing a Stored Procedure

42 42 Executing a Stored Procedure

43 43 Results

44 44 Viewing a Stored Procedure To view the stored procedure right click on the procedure and select Open.

45 45 Viewing a Stored Procedure

46 46 Viewing a Stored Procedure

47 47 Adding a Stored Procedure To add a new stored procedure from the Server Explorer, right click on Stored Procedures and select Add New Stored Procedure. Note that the new stored procedure will be a part of the database. Stays there until you delete it.

48 48 Adding a Stored Procedure

49 49 Adding a Stored Procedure

50 50 Adding a Stored Procedure

51 51 Saving the New Stored Procedure Click icon to save the new stored procedure

52 52 Executing the Stored Procedure Visual Studio changes "CREATE" to "ALTER". We can now execute the procedure from the Server Explorer

53 53 Executing the Stored Procedure

54 54 Supplying the Parameter Value

55 55 Results from the Execution Results

56 56 Executing a Stored Procedure from C# We can execute a stored procedure from within our program. In Products.cs add using System.Data;

57 57 Executing a Stored Procedure Programatically private static SqlDataReader Get_SqlDataReader(SqlConnection conn, String Search_Term) { SqlCommand cmd = new SqlCommand(); cmd.CommandType = CommandType.StoredProcedure; cmd.CommandText = "Product_Search"; cmd.Parameters.AddWithValue("@Param1", "%" + Search_Term + "%"); cmd.Connection = conn; return cmd.ExecuteReader(); }

58 58 Program in Action End of Presentation

Download ppt "1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users."

Similar presentations

Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.

Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.
Understand Database Security Concepts

Understand Database Security Concepts
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Chapter 18 - Data sources and datasets 1 Outline How to create a data source How to use a data source How to use Query Builder to build a simple query.

Chapter 18 - Data sources and datasets 1 Outline How to create a data source How to use a data source How to use Query Builder to build a simple query.
1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
A Guide to Oracle9i1 Introduction To Forms Builder Chapter 5.

A Guide to Oracle9i1 Introduction To Forms Builder Chapter 5.
LCT2506 Internet 2 Further SQL Stored Procedures.

LCT2506 Internet 2 Further SQL Stored Procedures.
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
Stored Procedures Dr. Ralph D. Westfall May, 2009.

Stored Procedures Dr. Ralph D. Westfall May, 2009.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
JavaScript & jQuery the missing manual Chapter 11

JavaScript & jQuery the missing manual Chapter 11
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
SQL Azure Database Windows Azure SQL Database is a feature-rich, fully managed relational database service that offers a highly productive experience,

SQL Azure Database Windows Azure SQL Database is a feature-rich, fully managed relational database service that offers a highly productive experience,
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Copyright © 2001 by Wiley. All rights reserved. Chapter 10: Advanced Database Operations Revising Vintage Videos Setting RecordSource at run time DBGrid.

Copyright © 2001 by Wiley. All rights reserved. Chapter 10: Advanced Database Operations Revising Vintage Videos Setting RecordSource at run time DBGrid.
11 Updating a Database Table Textbook Chapter 14.

11 Updating a Database Table Textbook Chapter 14.
PART 1 CREATING THE PRODUCT CATALOG. ROADMAP FOR THIS CHAPTER To implement the departments list, you’ll start with the database and make your way to the.

PART 1 CREATING THE PRODUCT CATALOG. ROADMAP FOR THIS CHAPTER To implement the departments list, you’ll start with the database and make your way to the.

Similar presentations

Ads by Google