Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection.

Published byCrystal Primrose Skinner Modified over 6 years ago

Similar presentations

Presentation on theme: "SQL Injection."— Presentation transcript:

1 SQL Injection

2 SQL Injection SQL Injection is ranked number one in the CWE/SANS list of the top 25 most dangerous software errors!

3 SQL Injection: Basic Idea
An application sends a form to user. An attacker submits form with SQL exploit data. The application builds string with exploit data. (does not filter the data) The application sends SQL query to a relational DBMS. The DBMS executes query, including exploit, sends data back to application. The application returns data to user.

4 Example: SQL Injection
Form for “ me my password” Assume that the application takes the user input and creates a SQL statement of the form select <fieldlist> from <table> where <field> = '<%= %>'; Consider what would happen if the user entered the following into the form anything' or 'x' = 'x Address: value entered into form by the user

5 Example: SQL Injection (continued)
SQL statement becomes select <fieldlist> from <table> where <field> = 'anything' or 'x' = 'x'; Note that the second statement is guaranteed to be true, and therefore the select statement would return the entire table. What if the response to submitting the form was something like At this point we know that the web site is subject to an SQL injection attack. Your login information has been mailed to

6 Exploits of a Mom

7 Finding SQL Injection Bugs
Submit a single quote as input. If an error results, the application is vulnerable. If no error, check for any output changes. Submit two single quotes. Databases use two single quotes to represent the literal ' If an error disappears, the application is vulnerable. Try string or numeric operators. Oracle: '||'FOO MS-SQL: '+'FOO MySQL: ' 'FOO 2-2 81+19 49-ASCII(1)

8 Make Guesses for Field Names
Enter data so that query becomes something like select ... where <field> = 'x' and is null; -- Can try various values for field names such as – _addr _address – mail Repeat on other forms to guess field names for password – pwd user_id – login_id name – last_name guess for field name comments out any remaining SQL parts

9 Make Guesses for Table Name
Use a subquery. Enter data so that the query becomes something like select ... where = 'x' and 1 = (select count(*) from users); --; Try different guesses. When the query returns “ unknown”, we know that the SQL was well-formed and that we have guessed the table name. guess for table name

10 Impact of SQL Injection
Leakage of sensitive information. Reputation decline. Modification of sensitive information. Loss of control of db server. Data loss. Denial of service.

11 Mitigating SQL Injection
Use blacklists (a.k.a., filtering). filter out potentially bad characters such as a single quote Use whitelists. restrict input to only allowable characters such as letters, sign, etc. Process SQL queries using prepared statements, parameterized queries, or stored procedures. the user input is supplied as a value for the parameter Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid; e.g., Hibernate or Enterprise Java Beans.

12 Blacklists (a.k.a., Filtering)
Filter out or sanitize known bad SQL meta-characters such as single quotes. Problems: Numeric parameters don’t use quotes. URL escaped metacharacters. Unicode encoded metacharacters. Did you miss any metacharacters? Although it’s easy to point out some dangerous characters, it’s harder to point to all of them.

13 JavaServer Pages (JSP)
Filters in Java Filters can be used in a web application to intercept, examine, and possibly transform requests or responses associated with servlets, JSP pages, HTML pages, etc. Filters can be used to query the request and act accordingly block the request and response pair from passing any further modify the request headers and data, providing a customized version of the request modify the response headers and data, providing a customized version of the response. Think of filters as a chain of steps that requests and responses must go through before reaching a servlet, JSP page, or HTML page. ©SoftMoore Consulting

14 Filters in Action Server Filter 1 HTML Page Client (browser) JSP Page
HTTP Request Filter 1 HTML Page Client (browser) HTTP Response JSP Page HTTP Request Client (browser) Filter 2 Servlet HTTP Response ©SoftMoore Consulting

15 BadInputFilter revisited
BadInputFilter provides a frontline of defense against common web application security exploits such as SQL injection attacks and cross-site scripting. Unfortunately, BadInputFilter was designed for a specific version of Tomcat (a Java web server), and it breaks silently in newer versions of Tomcat. This paper provided an update and correction to BadInputFilter that should run correctly in any Java web server. John I. Moore, Jr.

16 Whitelist Reject input that doesn’t match your list of safe characters to accept. Identify which characters should be allowed for each input field. Reject input instead of attempting to repair. Might still need to handle some potentially dangerous characters such as single quotes in a name (e.g., O’Neill).

17 Prepared Statements in Java
String query = "SELECT FROM members WHERE name = ?"; PreparedStatement ps = connection.prepareStatement(query); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); Since a prepared statement is parsed only once, there could also be performance benefits if it is reused multiple times (e.g., in a loop), but the performance benefits are minor compared to the security benefits.

18 Relevant Links SQL Injection Attacks by Example
SQL Injection (Wikipedia) BadInputFilter revisited (John Moore, JavaWorld) 2011 CWE/SANS Top 25 Most Dangerous Software Errors ©SoftMoore Consulting

Download ppt "SQL Injection."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
DT211/3 Internet Application Development JSP: Processing User input.

DT211/3 Internet Application Development JSP: Processing User input.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.

Similar presentations

Ads by Google