Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.

Published byChester Cooper Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a."— Presentation transcript:

1 SQL INJECTIONS Presented By: Eloy Viteri

2 What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a text box that will be used to run a query against the data base SQL injection attacks revolve around poorly written code which does not handle meta- characters such as / or \ -

3 SQL Query What happens when a user submits a username and password on a webpage? SQL Injection. Digital image. VAPT MIT Project Welcome. Web. 30 July 2013..

4 The Attacker The attacker begins by seeing if the SQL server can provide some error messages. When the URL http://www.***.com/login.php?user=’a&pass=’a is entered. An Error page is generated and is displayed as: http://www.***.com/login.php?user=’a&pass=’a

5 SQL Attack When the error page is displayed, the attacker can then see some vital information such as:

6 SQL Attack By Knowing that the SQL Server belongs to Microsoft the attacker knows that the comment characters is :-- Now the side has been identified as being vulnerable and the SQL query underlying the website process has been obtained. The attacker can now change the query to something more useful

7 SQL Attack The above query would result in logging in as admin without needing the password, due to the location of characters: --

8 SQL Attack Or, the attacker could interact with the HTTP Get request directly by typing the URL:

9 SQL Injection SQL Injection Diagram. Digital image. Securing Your Database Server. Web. 30 July 2013.

10 What to do? Client-side input validation: Minimizing the number of necessary communication hits between the submitted form and received error message. Server-side input validation: Use to validate sensitive data on a server before processing them by an application server Double checking input validation: Duplicate the form validation modules on both client and server sides.

Download ppt "SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Languages for Dynamic Web Documents

Languages for Dynamic Web Documents
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
DT211/3 Internet Application Development JSP: Processing User input.

DT211/3 Internet Application Development JSP: Processing User input.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.

Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.
WEB FORM DESIGN. Creating forms for a web page For your web project you have to design a form for inclusion on your web site (the form information should.

WEB FORM DESIGN. Creating forms for a web page For your web project you have to design a form for inclusion on your web site (the form information should.
Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.

Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.
Validation Controls. Validation Server Controls These are a special type of Web server control. They significantly reduce some of the work involved in.

Validation Controls. Validation Server Controls These are a special type of Web server control. They significantly reduce some of the work involved in.

Similar presentations

Ads by Google