SQL Injection. Stephen Frein, Comcast.

Introduction
About Me
Director of Quality Assurance @ Comcast
Web / database development background
CISSP and some other alphabet soup
http://www.frein.com
http://www.linkedin.com/in/stephenfrein
About the Presentation
Hands-on SQL knowledge helpful
Frein: SQL Injection

Topics Covered
What is SQL Injection?
Why is it a big deal?
What makes applications vulnerable to it?
What is the general strategy of an attack?
What would a sample attack look like?
How can attacks be prevented?

Take-Aways
If only I had gone to Frein's talk …
SQL injection attacks are: Damaging, Easy, Preventable
LULZ!

In the News …
June 2011 – hackers steal account information for at least 150k Sony users
June 2012 – hackers steal account information for 6.5 million LinkedIn users
July 2012 – hackers steal account information for 450k Yahoo users
Technique used in all 3 cases?

Scary Stuff
Many systems vulnerable (even among big-name players)
SQL Injection goes directly after your most valuable asset (your data)
Uses the same connectivity as legitimate web application usage (network and operating system security won't help you)
Extremely easy to learn / attempt

What is SQL?
SQL: Structured Query Language
Used to store, edit, and retrieve database data
Applications issue SQL commands that manage data
[Diagram: the Web Application sends SQL for changes and retrieval to the Database]

SQL Mini-Lesson
SELECT UserName, Password   (column data returned)
FROM Users                  (table containing data)
WHERE LastName = 'Smith'    (criteria rows must meet)

"Users" Table
UserName  FirstName  LastName  Password
CJONES    Cynthia    Jones     XXXXXX
BSMITH    Bill       Smith     YYYYYY
SKING     Susan      King      ZZZZZZZ
RSMITH    Rob                  AAAAA

Query Results
UserName  Password
BSMITH    YYYYYY
RSMITH    AAAAA

SQL Injection
Malicious user input employed to change the STRUCTURE of SQL statements instead of the VALUES on which these operate
Statements hijacked, and made to do unintended things, using full permissions of the application
[Diagram: Tricky Inputs reach the Web Application, which sends BAD SQL for changes and retrieval to the Database]

Vulnerable Code
Code excerpt from vulnerable PHP page handling login:
[PHP code excerpt shown on slide]
Query Users table to match supplied username and password
If at least one record matches, log user in as the matched account

The Trick
SQL statements created by concatenating SQL code fragments with user-supplied values
What if user-supplied values were constructed to contain SQL code fragments that changed the meaning of the statement?
What if we could turn it into a statement that matched records without matching on the username and password, as was intended?

Attack Strategy
1. Determine if the application is injectable by putting special values (e.g., an apostrophe) in user input and seeing if an error is returned, suggesting that we have altered the structure of the code being executed
2. Imagine possibilities for what the code in the application might look like; assume one for the sake of experimentation
3. Construct inputs that would change the code so that it is doing something different
4. If you get an error, you guessed wrong about what the code looks like; assume a new variation and experiment with that
5. Once you get a working statement, vary it / elaborate it to discover the names of tables and columns through guesswork and the feedback provided by error messages
6. Use this knowledge to build additional statements until you have succeeded in making the application do your bidding

Demo Goals
Will attack http://www.frein.net/injection
Feel free to attack with me or on your own time
Goal 1: Discover if app is SQL injectable
Goal 2: Log in without valid credentials
Goal 3: Escalate permissions to admin

Demonstration
[live attack on our sample application]

Prevention
Handle inputs safely:
Stored procedures: values passed in can't become part of the executed statement
Parameterized queries: same protection; values are bound to placeholders rather than concatenated into the statement
Object-relational mapping tools (e.g., Hibernate): will use parameterized queries in the SQL they write for you
Escape or strip out special characters / commands (e.g., apostrophes): just make sure you get them all
Techniques for the above vary by database and programming language
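As an added example (this is not code from Frein's slides or from his demo site), here is the login pattern described on the "Vulnerable Code" and "The Trick" slides built three ways against an in-memory SQLite copy of the slides' "Users" table: by string concatenation, by parameterized query, and by apostrophe escaping. The function names, the probe input and the structure-changing input are my constructions; the sample rows are taken from the slides, except that RSMITH's last name, which is not captured on the slide, is assumed to be Smith. Running it shows the three things the talk claims: an apostrophe breaks the concatenated statement and produces a database error (the probe in step 1 of the attack strategy), a crafted value makes the concatenated statement match every row without a valid username or password, and neither input has any effect on the parameterized version.

```python
"""Concatenated vs. parameterized vs. escaped login queries (added example)."""
import sqlite3

# Constructed sample data, copied from the slides' "Users" table.
# RSMITH's last name is missing on the slide; "Smith" is assumed here because the
# slide's query results for LastName = 'Smith' include RSMITH.
# Passwords are stored in the clear only to mirror the slide's table.
USERS = [
    ("CJONES", "Cynthia", "Jones", "XXXXXX"),
    ("BSMITH", "Bill", "Smith", "YYYYYY"),
    ("SKING", "Susan", "King", "ZZZZZZZ"),
    ("RSMITH", "Rob", "Smith", "AAAAA"),
]

# Inputs used below (constructed): a lone apostrophe as the "is it injectable?"
# probe, and a value that changes the WHERE clause's structure.
PROBE = "'"
STRUCTURE_CHANGER = "' OR '1'='1"


def make_db():
    """Build the in-memory Users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT, FirstName TEXT, LastName TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the statement text, as on the slide.
    The input can therefore alter the STRUCTURE of the statement, not just the
    VALUES it compares. Returns the UserNames that matched; the application
    would log the user in as the first of them."""
    sql = (
        "SELECT UserName FROM Users WHERE UserName = '" + username
        + "' AND Password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterized query: the statement structure is fixed at write time and
    the inputs are bound as values, so they are never parsed as SQL."""
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def login_escaped(conn, username, password):
    """The slide's last option: escape the special character (here, doubling
    apostrophes, the SQL-standard escape inside string literals). This blocks
    the two inputs below, but only because both fields are quoted strings and
    the apostrophe is the only character that matters in that context; unquoted
    numeric fields, other dialects and other encodings each need their own
    handling, which is why the slide says "make sure you get them all"."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = "SELECT UserName FROM Users WHERE UserName = '" + u + "' AND Password = '" + p + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def probe_raises_db_error(login, conn):
    """Step 1 of the slides' attack strategy, seen from the defender's side:
    does a lone apostrophe in the username field produce a database error?
    A True here is the signal an attacker is looking for and a finding to fix."""
    try:
        login(conn, PROBE, "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concatenated", login_vulnerable),
                     ("parameterized", login_safe),
                     ("escaped", login_escaped)]:
        print(name)
        print("  valid credentials  ->", fn(db, "BSMITH", "YYYYYY"))
        print("  apostrophe probe errors ->", probe_raises_db_error(fn, db))
        print("  structure-changing password ->", fn(db, "BSMITH", STRUCTURE_CHANGER))
```

The structure-changing value is placed in the password field on purpose: with it in the username field, SQL's precedence rules (AND binds tighter than OR) would still require a matching password, which is exactly the kind of wrong guess step 4 of the attack strategy describes. Note also that the stored-procedure option on this slide gives the same guarantee as the parameterized query only when the procedure does not itself build a statement string out of its arguments.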

Remember
SQL injection attacks are: Damaging, Easy, Preventable

Questions?
[Thank you.]