Zac Fenigshtien  Introduction: 3 Tier Architecture  SQL Injection ◦ Parameter Sandboxing ◦ Blacklisting, Whitelisting.


Zac Fenigshtien

 Introduction: 3 Tier Architecture
 SQL Injection
◦ Parameter Sandboxing
◦ Blacklisting, Whitelisting
◦ Minimizing the Surface Area
◦ Encryption: Hash, Symmetric, Asymmetric
 Crawlers
 2nd Degree Injection / HTML Injection

Application layers:
 GUI (UI): Graphical User Interface: Input / Output. Client Side Input Validation: Valid Dates, Mandatory Fields, Check Digit.
 BLL (BL): Business Logic Layer: Application Logic. Server Side Input Validation: Zip Code Match The Address.
 DAL: Data Access Layer: Data Source Management: DB: Open Connections, Connection Pooling, Execute Statements, Handle SQL Errors… (EDMX, Linq).

' OR 1=1;--

DEMO

 Never concatenate input parameters into your query.
 Use the appropriate datatypes for input parameters.
 Minimize the length of string input parameters.

 Try to use Whitelisting.
 Blacklisting can't be a full solution.
 Remember that Blacklisting requires constant maintenance.
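The two slides above, parameter sandboxing and whitelisting versus blacklisting, as one added example (not code from the presentation). It runs against an in-memory SQLite database with constructed sample rows; the same pattern applies to SQL Server through SqlParameter, EDMX or LINQ. It goes slightly beyond the slides by whitelisting an ORDER BY column name, the one part of a query that cannot be bound as a parameter, and by showing the false positive a blacklist produces on a legitimate name. The table, rows, the `' OR 1=1;--` payload from the slide and all function names are assumptions made for the example.

```python
"""Parameter sandboxing and whitelisting demo (added example, not from the slides)."""
import re
import sqlite3

# Constructed sample data: three user records.
SAMPLE_USERS = [(1, "alice", "10001"), (2, "bob", "10002"), (3, "carol", "10003")]

# Whitelist for a column name: identifiers cannot be passed as bound parameters.
ALLOWED_SORT_COLUMNS = {"id", "name", "zip"}
MAX_NAME_LEN = 32  # minimize the length of string input parameters

# Blacklist of "dangerous" characters, shown only to demonstrate its weakness.
BLACKLIST = re.compile(r"['\";]|--")
# Whitelist for a ZIP code: exactly five digits, nothing else is accepted.
ZIP_WHITELIST = re.compile(r"\d{5}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the input becomes part of the SQL text itself."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameter sandboxing: the value is bound by the driver, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_user_sandboxed(conn: sqlite3.Connection, name: str, sort_by: str = "id") -> list:
    """Bound value + type/length check + whitelist for the part that cannot be bound."""
    if not isinstance(name, str) or len(name) > MAX_NAME_LEN:
        raise ValueError("name must be a string of at most %d characters" % MAX_NAME_LEN)
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column is not in the whitelist")
    sql = "SELECT id, name FROM users WHERE name = ? ORDER BY " + sort_by
    return conn.execute(sql, (name,)).fetchall()


def blacklist_rejects(value: str) -> bool:
    """A blacklist blocks the known-bad characters and legitimate input alike."""
    return BLACKLIST.search(value) is not None


def zip_whitelisted(value: str) -> bool:
    """A whitelist describes the only shape that is acceptable."""
    return ZIP_WHITELIST.fullmatch(value) is not None


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1;--"  # the payload shown on slide 4
    results = {
        "concat_rows": len(find_user_concat(conn, payload)),   # every row is returned
        "param_rows": len(find_user_param(conn, payload)),     # no user has that name
        "param_alice": find_user_param(conn, "alice"),
        "sandboxed_alice": find_user_sandboxed(conn, "alice", sort_by="name"),
        "blacklist_blocks_obrien": blacklist_rejects("O'Brien"),  # legitimate name rejected
        "blacklist_sees_payload": blacklist_rejects(payload),
        "zip_ok": zip_whitelisted("10001"),
        "zip_bad": zip_whitelisted("10001; DROP TABLE users"),
    }
    try:
        find_user_sandboxed(conn, "alice", sort_by="name; DROP TABLE users")
        results["sort_rejected"] = False
    except ValueError:
        results["sort_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The concatenated query returns every row for the slide's payload; the bound version returns nothing because the whole string is compared as a name. The blacklist also rejects "O'Brien", which is the maintenance burden the slide warns about: each such case needs a rule change, while the five-digit whitelist needs none.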

 Disable unused features:
◦ CMD Shell.
◦ Trustworthy, Cross DB Ownership Chaining.
◦ SQLCLR, OLE DB.
 Use unprivileged SQL users for the application.
 Use unprivileged WINDOWS user for the SQL Service.
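An added example (not from the presentation) that audits the surface-area settings listed on the slide. In production the rows would come from `SELECT name, value_in_use FROM sys.configurations`, `SELECT name, is_trustworthy_on FROM sys.databases` and a join of `sys.server_role_members` with `sys.server_principals`; here they are constructed so the check runs offline. The option names are the real sp_configure names; the sample databases, logins and the `AppDb`/`app_user` values are assumptions.

```python
"""Surface-area audit for SQL Server settings (added example, not from the slides)."""

# sp_configure option names (sys.configurations.name) the slide says to leave off.
SHOULD_BE_OFF = {
    "xp_cmdshell": "CMD shell: a compromised login can run OS commands",
    "clr enabled": "SQLCLR: managed code runs inside the engine",
    "Ole Automation Procedures": "OLE automation: sp_OACreate reaches COM objects",
    "cross db ownership chaining": "permission checks skipped across databases",
}
# Server roles an application login should never hold.
PRIVILEGED_ROLES = {"sysadmin", "securityadmin", "serveradmin"}


def audit(config_rows, db_rows, role_rows, app_logins):
    """Return (finding_name, reason) tuples for every deviation from the baseline."""
    findings = []
    for name, value_in_use in config_rows:
        if name in SHOULD_BE_OFF and int(value_in_use) != 0:
            findings.append((name, SHOULD_BE_OFF[name]))
    for db_name, is_trustworthy_on in db_rows:
        # msdb is TRUSTWORTHY by design; any other database with it on is a finding.
        if int(is_trustworthy_on) and db_name != "msdb":
            findings.append(("TRUSTWORTHY:" + db_name,
                             "database can use its owner's server-level rights"))
    for role_name, member_name in role_rows:
        if role_name in PRIVILEGED_ROLES and member_name in app_logins:
            findings.append(("ROLE:%s:%s" % (role_name, member_name),
                             "application login is a privileged server principal"))
    return findings


def remediation(finding_name: str) -> str:
    """T-SQL that turns the offending feature off."""
    if finding_name.startswith("TRUSTWORTHY:"):
        db = finding_name.split(":", 1)[1]
        return "ALTER DATABASE [%s] SET TRUSTWORTHY OFF;" % db
    if finding_name.startswith("ROLE:"):
        _, role, member = finding_name.split(":", 2)
        return "ALTER SERVER ROLE [%s] DROP MEMBER [%s];" % (role, member)
    # 'show advanced options' is required for the advanced options (e.g. xp_cmdshell)
    # and harmless for the rest, so it is always emitted first.
    return ("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;\n"
            "EXEC sp_configure '%s', 0; RECONFIGURE;" % finding_name)


# Constructed sample rows (what the queries in the lead-in would return).
SAMPLE_CONFIG = [
    ("xp_cmdshell", 1),
    ("clr enabled", 0),
    ("Ole Automation Procedures", 1),
    ("cross db ownership chaining", 0),
    ("max server memory (MB)", 2147483647),
]
SAMPLE_DBS = [("master", 0), ("msdb", 1), ("AppDb", 1)]
SAMPLE_ROLES = [("sysadmin", "sa"), ("sysadmin", "app_user")]
SAMPLE_APP_LOGINS = {"app_user"}


def run_sample() -> list:
    return audit(SAMPLE_CONFIG, SAMPLE_DBS, SAMPLE_ROLES, SAMPLE_APP_LOGINS)


if __name__ == "__main__":
    for name, reason in run_sample():
        print("FINDING", name, "-", reason)
        print(remediation(name))
```

The check is deliberately a baseline comparison rather than a scanner: the list of options that must stay off is the policy, and anything enabled outside it is reported with the statement that reverts it.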

DEMO

 Classic, Error Based or Time Delay.
 Bypass the need for application output.
 Used by automated tools.
 Prolong attacks.
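From the defender's side, the error-based and time-delay variants the slide lists leave traces in the web server log even when the application shows nothing to the attacker. The added example below (not from the presentation) scans constructed access-log lines and flags a client that sends requests carrying the metacharacters of the slide's `' OR 1=1;--` payload together with either a burst of server errors or an abnormally slow response. The log format (`client_ip method url status duration_ms`), the thresholds and every address are assumptions for the example.

```python
"""Log-based detection of error-based and time-delay probing (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines: client_ip method url status duration_ms
SAMPLE_LOG = """\
10.0.0.5 GET /products?id=42 200 11
10.0.0.5 GET /products?id=43 200 12
10.0.0.9 GET /products?id=42%27 500 14
10.0.0.9 GET /products?id=42%27%3B-- 500 13
10.0.0.9 GET /products?id=42%27%20AND%201%3D1%3B-- 200 15
10.0.0.7 GET /products?id=42%27%3B-- 200 5012
10.0.0.7 GET /products?id=42 200 10
10.0.0.8 GET /search?q=O%27Brien 200 20
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
METACHARS = re.compile(r"['\";]|--")   # the characters used by the slide's payload
SLOW_MS = 1000                         # assumed: far above this app's normal latency
ERROR_BURST = 2                        # assumed: server errors per client before alerting


def parse_line(line: str):
    """Split one log line; the query string is URL-decoded once before inspection."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, method, url, status, ms = m.groups()
    parts = urlsplit(url)
    return {"ip": ip, "method": method, "path": parts.path,
            "query": unquote_plus(parts.query), "status": int(status), "ms": int(ms)}


def analyze(log_text: str) -> dict:
    """Return {client_ip: [finding, ...]} for clients that look like blind probing."""
    errors = defaultdict(int)
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Only requests that carry SQL metacharacters are considered at all.
        if rec is None or not METACHARS.search(rec["query"]):
            continue
        if rec["ms"] >= SLOW_MS:
            findings[rec["ip"]].append(
                "possible time-delay probe on %s (%d ms)" % (rec["path"], rec["ms"]))
        if 500 <= rec["status"] < 600:
            errors[rec["ip"]] += 1
            if errors[rec["ip"]] == ERROR_BURST:
                findings[rec["ip"]].append(
                    "possible error-based probe on %s (%d server errors with SQL metacharacters)"
                    % (rec["path"], ERROR_BURST))
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        for note in notes:
            print(ip, note)
```

The single quote in `O'Brien` is why a metacharacter alone is not a finding: the rule needs the metacharacter plus the behaviour (errors or delay) that a blind technique relies on, which keeps ordinary names out of the alert queue.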

 Hash: One-Way Encryption. 'ABC' → ASCII('A')+ASCII('B')+ASCII('C')=198
 Use it to secure passwords and to validate data.
 Always use salt.
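An added example (not from the presentation) that starts from the slide's own illustration, the ASCII sum that maps 'ABC' to 198, and then shows what a real salted password hash does differently. The toy sum collides trivially ('CBA' is also 198), which is why passwords are stored with a slow, salted construction such as PBKDF2 and compared in constant time. The iteration count, the sample passwords and the function names are assumptions.

```python
"""Toy hash from the slide next to a salted password hash (added example)."""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; raise it over time as hardware gets faster.
ITERATIONS = 600_000


def toy_hash(text: str) -> int:
    """The slide's illustration: sum of ASCII codes. 'ABC' -> 198."""
    return sum(ord(c) for c in text)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt per password means two users
    with the same password get different digests, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def fingerprint(data: bytes) -> str:
    """Validate data: any change to the bytes changes the fingerprint."""
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    salt1, d1 = hash_password("correct horse")
    salt2, d2 = hash_password("correct horse")  # same password, new salt
    return {
        "toy_abc": toy_hash("ABC"),
        "toy_collides": toy_hash("ABC") == toy_hash("CBA"),
        "salts_differ": salt1 != salt2,
        "digests_differ": d1 != d2,
        "verify_ok": verify_password("correct horse", salt1, d1),
        "verify_wrong": verify_password("correct h0rse", salt1, d1),
        "fingerprint_changes": fingerprint(b"record v1") != fingerprint(b"record v2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```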

 Symmetric: Encrypt & Decrypt data using a key. 'ABC' → 'CDE' (Encryption algorithm: Forward X Letters; Encryption Key: 2)
 Fast and relatively secure.
 Use it to secure data.
 Transferring and keeping the key is problematic.

 Asymmetric: Encrypt & Decrypt data using a pair of keys (private & public).
 Data that was encrypted with the public key can be decrypted only with the private key, and vice versa.
 Relatively slow and very secure.
 Used in secure communication (alongside the other algorithms).
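The symmetric and asymmetric slides together, as one added example (not from the presentation). The symmetric cipher is the slide's own "forward X letters" rule with key 2, so 'ABC' becomes 'CDE'. The asymmetric part is textbook RSA with tiny constructed primes, written only to show the "public encrypts, private decrypts, and vice versa" property and the hybrid pattern the slide mentions, where the slow public-key step protects only the symmetric key and the fast symmetric step protects the data. Neither cipher is usable as real cryptography; the primes, exponent and all function names are assumptions.

```python
"""Shift cipher (symmetric) and textbook RSA (asymmetric) with the hybrid pattern
(added example, not from the slides)."""


def shift_encrypt(text: str, key: int) -> str:
    """Symmetric: the same key encrypts and decrypts. 'ABC', key 2 -> 'CDE'."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


def shift_decrypt(text: str, key: int) -> str:
    return shift_encrypt(text, -key)


def rsa_keygen(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA with constructed small primes: returns (public, private).
    Real keys use primes of hundreds of digits and padding; this only shows the maths."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, m: int) -> int:
    """m ** exponent mod n. Public key: encrypt or verify; private key: decrypt or sign."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, exp, n)


def hybrid_exchange(message: str, sym_key: int) -> dict:
    """Receiver's RSA pair protects the symmetric key; the symmetric cipher protects the data."""
    public, private = rsa_keygen()
    # Sender: encrypt the data with the fast cipher, wrap its key with the receiver's public key.
    ciphertext = shift_encrypt(message, sym_key)
    wrapped_key = rsa_apply(public, sym_key)
    # Receiver: only the private key unwraps the symmetric key; then the data is decrypted.
    recovered_key = rsa_apply(private, wrapped_key)
    plaintext = shift_decrypt(ciphertext, recovered_key)
    # "Vice versa": what the private key transforms, anyone can check with the public key.
    token = 65
    signature = rsa_apply(private, token)
    verified = rsa_apply(public, signature) == token
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key,
            "recovered_key": recovered_key, "plaintext": plaintext,
            "signature_verified": verified}


if __name__ == "__main__":
    print(hybrid_exchange("ABC", 2))
```

The "transferring the key is problematic" point from the symmetric slide is exactly what the wrapped key solves: the symmetric key travels encrypted under the public key, and only the holder of the private key can recover it.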

DEMO

 Any public data can be collected.
 Try to filter queries according to the user that uses the results.
 This form of attack is very hard to detect.

 The attacker will place HTML/JavaScript code within a record. This code will be executed on the client side.
 This kind of attack does not jeopardize the DB.
 If the application requires that HTML/JavaScript code be stored in the DB, validate this code by Whitelisting.
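The whitelisting the slide asks for, as an added example (not from the presentation): a sanitizer built on the standard-library HTML parser that keeps only an allowed set of tags and attributes, escapes everything else as text, drops the content of script and style elements, and re-closes tags so the stored fragment is always well-formed. The allowed tag set, the http/https rule for links and the function names are assumptions; the sample fragments are constructed.

```python
"""Allowlist HTML sanitizer for user-supplied markup (added example)."""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}           # per-tag attribute allowlist
SAFE_URL = re.compile(r"^https?://", re.I)  # links must be absolute http(s)
DROP_CONTENT = {"script", "style"}         # their text is discarded, not escaped


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output pieces
        self.open_tags = []  # allowed tags currently open, for re-closing
        self.skipping = None  # tag whose content is being dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # tag is removed; any text inside is still kept as escaped text
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_URL.match(value):
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after this tag as well, keeping nesting valid.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skipping:
            return
        self.out.append(escape(data, quote=False))  # text is always output-encoded


def sanitize(fragment: str) -> str:
    """Return a fragment containing only allowlisted markup, safe to store and render."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # close anything the input left open
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input
    print(sanitize('<b>hi</b><script>alert(1)</script><a href="https://example.com/">x</a>'))
```

Because the parser decodes character references before the handler sees them, an input that arrives already escaped is re-escaped on output rather than turned back into markup, and a missing closing tag cannot break the page that later embeds the record.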

Thank you