Security in SQL. Jon Holmes, CIS 407, Fall 2007.

Outline: Surface Area; Connection Strings; Authenticating; Permissions; Data Storage; Injections.

Reduce Surface Area: install only the SQL Server 2005 components the application actually needs. Each one is extra code listening for input. –Database Engine –Analysis Services engine –Reporting Services –Integration Services –Notification Services –Documentation and Samples

Reduce Surface Area: disable the SQL Server services you do not use. –SQL Server Active Directory Helper –SQL Server Agent –SQL Server FullText Search –SQL Server Browser –SQL Server VSS Writer

Blocking ports: firewall the database listener so that only the application servers can reach it. –MSSQL: 1433/TCP (default instance) and 1434/UDP (SQL Server Browser) –MySQL: 3306/TCP –Oracle listener: 1521 / 1526 (TCP)

Connection Strings contain: –Database name –Server address/name (may reveal the network layout to anyone who reads the string) –User name –Password

Connection Strings (Where?) Options: –In code (worst choice: the credentials are compiled into the binary and checked into source control) –In a text file –In the application configuration file: Web.config for ASP.NET, Application Settings for other .NET applications. The connectionStrings section of Web.config can be encrypted with protected configuration, so the password is not readable on disk.
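The following is an added example, not code from the slides. It shows the checks a practitioner would apply to a connection string read from configuration rather than code: detecting whether it embeds a SQL password or uses Windows authentication, and producing a redacted copy that is safe to write to a log. The sample strings, the server name db01.corp.local, the login shopapp and the environment variable name APP_DB_CONNECTION are all made up for the example.

```python
"""Added example (not from the slides): inspect and redact a SQL Server
connection string, and load it from the deployer's environment."""
import os

SECRET_KEYS = {"password", "pwd"}
WINDOWS_AUTH_KEYS = {"integrated security", "trusted_connection"}

# Constructed sample strings (assumed names, not from the slides).
SAMPLE_SQL_AUTH = "Server=db01.corp.local;Database=Shop;User Id=shopapp;Password=Hunter2!;"
SAMPLE_WINDOWS_AUTH = "Server=db01.corp.local;Database=Shop;Integrated Security=SSPI;"


def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict keyed by lowercased names.
    Values that themselves contain ';' must be brace-quoted in real ADO.NET
    strings; this simple splitter does not handle that case."""
    parts = {}
    for item in conn_str.split(";"):
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def uses_windows_auth(parts):
    """Integrated Security=SSPI (or Trusted_Connection=yes) means the process's
    Windows identity is used and there is no SQL password to protect."""
    for key in WINDOWS_AUTH_KEYS:
        if parts.get(key, "").lower() in {"sspi", "true", "yes"}:
            return True
    return False


def has_embedded_password(parts):
    """True when a SQL login password is present in the string."""
    return any(parts.get(key) for key in SECRET_KEYS)


def redact(conn_str):
    """Copy that is safe for a log line or error page: the password is
    replaced, the rest is kept so operators can still tell which server and
    database were involved. Drop the Server= part too if the log leaves the
    operations team."""
    out = []
    for item in conn_str.split(";"):
        if not item.strip():
            continue
        key, sep, _ = item.partition("=")
        out.append(key + sep + "***" if key.strip().lower() in SECRET_KEYS else item)
    return ";".join(out)


def load_connection_string(env_var="APP_DB_CONNECTION"):
    """Read the string from the environment the deployer controls (the
    equivalent of Web.config outside ASP.NET) instead of from source code."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(env_var + " is not set")
    return value


if __name__ == "__main__":
    for sample in (SAMPLE_SQL_AUTH, SAMPLE_WINDOWS_AUTH):
        parsed = parse_connection_string(sample)
        print(redact(sample), "| windows auth:", uses_windows_auth(parsed),
              "| embedded password:", has_embedded_password(parsed))
```

A build-time or deployment check can call has_embedded_password on every configured string and fail when one is found outside an encrypted configuration section.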

Authentication. Windows accounts: –Machine or domain specific, so not portable –Higher security: Windows handles the credentials and no password is stored in the connection string. SQL accounts: –Portable between machines –Less secure: the password must be kept in the connection string and managed by the application.

Permissions. Microsoft recommends granting rights to groups and database roles, not to individual users. What happens when a user leaves? Who is responsible for revoking rights that were granted to that one account?

Permissions. –One database = one owner –Lowest possible permissions: the application account gets only what its queries need –Segregation of duties: separate principals for –Read –Write

Storing Data. –Use the smallest data type that fits the data –Stored procedure parameter types should match the column types, so the engine rather than the application enforces size and type.

SQL Injections Source:

Basic Rules
Principle: Never trust user input. Implementation: Validate all textbox entries using validation controls, regular expressions, code, and so on.
Principle: Never use dynamic SQL. Implementation: Use parameterized SQL or stored procedures.
Principle: Never connect to a database using an admin-level account. Implementation: Use a limited-access account to connect to the database.
Principle: Don't store secrets in plain text. Implementation: Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings.
Principle: Exceptions should divulge minimal information. Implementation: Don't reveal too much information in error messages; use customErrors to display minimal information in the event of an unhandled error; set debug to false.

Injections: Inputs; Example; Critical Information; Outputs; Sanitization.

Handling Inputs. Never trust the user: every value in the request is under the client's control, not only free-text boxes. –DropDown lists –ListBoxes –Tables –Query strings –Hidden fields

Login Forms. [Screenshot: a login dialog with UserName and Password text boxes and Login / Cancel buttons.]

Dynamic SQL
    ' This code is susceptible to SQL injection attacks.
    Dim strQry As String
    strQry = "SELECT Count(*) FROM Users WHERE UserName='" & txtUser.Text & _
             "' AND Password='" & txtPassword.Text & "'"

What will happen? [Screenshot: the login form submitted with UserName = ' or 1=1 -- and Password = *********.] The concatenated query becomes SELECT Count(*) FROM Users WHERE UserName='' or 1=1 --' AND Password='...'. The -- turns the rest of the line, including the password check, into a comment, and 1=1 is always true, so Count(*) is the number of rows in Users and the login succeeds without a valid password.
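The following is an added example, not code from the slides. It rebuilds the slide's login query in Python against an in-memory SQLite database so the bypass can be run, and places the parameterized form beside it. The Users table, the two sample accounts and their plaintext passwords are constructed for the example (plaintext only because the slide's query compares passwords directly; the later slide on hashing is the right way to store them).

```python
"""Added example (not from the slides): the slide's dynamic-SQL login next to a
parameterized version, run against constructed sample data in SQLite."""
import sqlite3


def make_db():
    """Constructed sample data, assumed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "s3cret")])
    return conn


def login_vulnerable(conn, user, password):
    """Same shape as the slide's VB code: the input is pasted into the SQL
    text, so quote characters and comment markers change the statement."""
    sql = ("SELECT Count(*) FROM Users WHERE UserName='" + user +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, user, password):
    """The SQL text is constant; user and password travel as parameters, so
    ' and -- inside them are just characters compared against the column."""
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable:    ", login_vulnerable(db, payload, "anything"))     # True
    print("parameterized: ", login_parameterized(db, payload, "anything"))  # False
```

A lone quote character submitted to login_vulnerable makes the database raise a syntax error; if that error text reaches the browser it tells the attacker exactly how the query is built, which is why the Handling Outputs slide says not to show raw exceptions.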

Critical Information. Passwords: –Require strong passwords –Store only a hash, never the password itself –Use a per-user salt so equal passwords do not produce equal hashes. Other sensitive information: –Hash it when it only ever needs to be compared, with a salt –Encrypt it when the plaintext must be recovered later

Handling Outputs. Know what you are showing. –What data is shown, and to whom? –Always check that the caller is authorized to see it –Do not display the schema (table and column names) –Custom tables: return purpose-built result sets rather than raw base tables –Reuse objects with care: a query or data set written for one page may return more than another page should show –Errors –Exceptions: log the details on the server and show the user a generic message

Sanitization. Validation: ASP.NET validation controls can be used. –Pros: fast, easy –Cons: they rely on JavaScript in the browser, which an attacker simply skips, so on their own they give a false sense of security –Know what is running where (client or server) –Always validate again in server-side code
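The following is an added example, not code from the slides. It shows the server-side half that the Handling Inputs and Sanitization slides call for: every request value (hidden-field id, drop-down choice, query-string page size) is checked against an allowlist or a strict pattern before use, regardless of what the browser validated. It also makes a point the slides leave implicit: a parameter can carry a value, but not a column name or sort direction, so those must be mapped through an allowlist. The column names, form field names and the LIMIT clause (SQLite/MySQL spelling; SQL Server 2005 would use TOP or ROW_NUMBER) are assumptions.

```python
"""Added example (not from the slides): server-side validation of request
fields, with allowlisted identifiers and parameterized values."""
import re

# Assumed schema: form value on the left, real column name on the right.
# The form value is never used directly in SQL.
SORTABLE_COLUMNS = {"name": "UserName", "created": "CreatedOn"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
ID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")  # positive integer, bounded length


class BadInput(ValueError):
    """Any value failing validation; the handler answers HTTP 400."""


def validate_id(value):
    """Hidden field or query-string id: digits only, so '7 or 1=1' is rejected."""
    if not ID_PATTERN.match(value or ""):
        raise BadInput("id")
    return int(value)


def validate_choice(value, allowed):
    """Drop-down or list-box value: must be one of the keys the server rendered.
    Returns the server-side identifier, never the submitted text."""
    if value not in allowed:
        raise BadInput("choice")
    return allowed[value]


def validate_page_size(value, default=20, maximum=100):
    """Query-string paging value: integer within bounds, never trusted as-is."""
    if value is None or value == "":
        return default
    if not value.isdigit() or int(value) < 1:
        raise BadInput("page_size")
    return min(int(value), maximum)


def build_user_query(form):
    """Combine the pieces: allowlisted identifiers go into the SQL text,
    everything that is data goes into the parameter tuple."""
    column = validate_choice(form.get("sort", "name"), SORTABLE_COLUMNS)
    direction = validate_choice(form.get("dir", "asc"), SORT_DIRECTIONS)
    dept_id = validate_id(form.get("dept", ""))
    size = validate_page_size(form.get("page_size"))
    sql = ("SELECT UserName, CreatedOn FROM Users WHERE DeptId=? "
           f"ORDER BY {column} {direction} LIMIT ?")
    return sql, (dept_id, size)


if __name__ == "__main__":
    print(build_user_query({"sort": "created", "dir": "desc", "dept": "7"}))
    try:
        build_user_query({"sort": "UserName; DROP TABLE Users", "dept": "7"})
    except BadInput as err:
        print("rejected:", err)
```

Rejecting with an error rather than "cleaning" the value is deliberate: a legitimate browser never sends a sort key outside the rendered list, so anything else is a tampered request and should be logged as such.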

References: Stop SQL Injection Attacks Before They Stop You; SQL Server 2005 Security Best Practices.