Presentation on SQL Injection
Transcript of Presentation on SQL Injection
-
8/11/2019 Presentation on SQL Injection
1/19
SQL INJECTION
-
Contents
SQL
SQL Injection
Classification of Attacks
Attack Techniques
Prevention Techniques
Conclusion
-
SQL (Structured Query Language)
Standard language for relational database management systems, as per ANSI.
Used to perform tasks such as updating data in a database or retrieving data from a database.
Standard SQL commands include Select, Insert, Delete, Create, and Drop.
-
SQL Injection
A technique used to take advantage of non-validated input to pass SQL commands through a web application for execution by a backend database.
Programmers often chain together SQL commands with user-provided parameters.
-
Classification of Attacks
Identifying Database Finger-Print
Identifying Injectable Parameters
Discovering Database Schema
Bypassing Authentication
Extracting/Modifying Database Data
Downloading/Uploading File
-
1. Tautology: Exploit the WHERE clause
Create a query that always evaluates to true for entries in the database, to bypass authentication pages and extract data. If the attacker submits user' or 1=1 -- for the username input field, the resulting query is:
SELECT info FROM userTable WHERE username='user' or 1=1 -- AND password=
-
Injecting through input string:
user = ' or 1=1
password = anything
Final query would look like this:
SELECT * FROM acct WHERE username = '' or 1=1 ' AND password = 'anything'
-
2. Piggy-backed Query
Injecting through input string:
usr = xyz
pwd = 0;drop table users
Final query would look like this:
SELECT * FROM acct WHERE username = 'xyz' AND password = 0;drop table users
-
3. Union Query: To retrieve specific information
Injecting through input string:
usr = ' UNION SELECT cardNo from CreditCards where acctNo = 7032 --
pwd = anything
Final query would look like this:
SELECT * FROM acct WHERE username = '' UNION SELECT cardNo from CreditCards where acctNo = 7032 -- AND password = 'anything'
-
Prevention Techniques
-
1. Use Parameterized Queries
Separates data from the query.
Allows creation of static queries with bind variables.
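As an added example (not code from the original presentation), the login query from the tautology slide written both ways in Python with sqlite3: string-chained, where the ' or 1=1 -- input bypasses the password check, and with ? bind variables, where the same input is treated as data. The in-memory acct table, its single row, and the whitelist pattern are constructed for this example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: one account, not from the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acct (username TEXT, password TEXT)")
    db.execute("INSERT INTO acct VALUES ('alice', 's3cret')")
    return db


def login_concatenated(db, username, password):
    """Vulnerable: SQL text chained together with user-provided parameters."""
    query = ("SELECT * FROM acct WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchall()


def login_parameterized(db, username, password):
    """Safe: the query is static; '?' bind variables carry the data."""
    query = "SELECT * FROM acct WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchall()


# Whitelist check (constructed pattern): only letters, digits and '_' are authorized.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    return USERNAME_PATTERN.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' or 1=1 --"
    # Chained query becomes: ... WHERE username = '' or 1=1 --' AND password = 'anything'
    print("concatenated:", login_concatenated(db, tautology, "anything"))   # row returned
    print("parameterized:", login_parameterized(db, tautology, "anything"))  # []
    print("whitelist accepts input:", is_valid_username(tautology))          # False
```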
-
2. Customized Error Messages
Knowing the database schema makes the attacker's job easier.
Avoid displaying detailed error messages and stack traces to external users.
-
3. White List Based Validation
Involves defining exactly what IS authorized.
Allow input within a well-defined set of safe values, by defining a very strong validation pattern.
Implement stringent "known bad" filters.
Eg: Reject "select", "insert", "update", "sh…", "delete", "drop", "--", …
-
5. Other preventions
Validate and filter the input data using strong regular expression patterns.
System stored procedure reduction.
Encrypting sensitive data.
-
Conclusion
Present-day development is more focused on web applications, so there is an urgent need for educating developers and students on SQL Injection, thereby enabling programmers and system administrators to understand attacks more thoroughly; more attacks will then be detected and more countermeasures will be introduced into the systems.
-
Thank You