How Did I Steal Your Database Mostafa

Presentation transcript:

Agenda: Noooo, it kills suspense

DISCLAIMER Hacking websites is ILLEGAL This presentation is meant for educational purposes ONLY Only use this stuff on YOUR website and YOUR account

SQL Injection: what is it? The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.

SQL Injection Example: Bypassing Logon
Original SQL query:
String sqlQuery = "SELECT * FROM user WHERE name = '" + username + "' AND pass='" + password + "'";
...
Setting username to Mostafa and password to ' OR '1'= '1 produces:
SELECT * FROM user WHERE name = 'Mostafa' AND pass='' OR '1'='1'
The attacker is logged on without authentication.

Not only your web app and DB are at risk
Depending on the DB, an attacker can access the operating system.
MS SQL Server: execute OS commands via xp_cmdshell.
Setting username to '; exec master.dbo.xp_cmdshell "dir";-- produces:
SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Note: dir lists directory contents.

Let's play Hide and Seek
Original: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell "dir"; --
Defender: disallow double quotes.
Attacker: SELECT * FROM user WHERE name=''; exec master.dbo.xp_cmdshell dir; --
Defender: filter out the string "xp_cmdshell".
Attacker: varchar(1000); = 'master.dbo.xp_' + 'cmdshell dir'; exec
Defender: filter out "xp", "cmd", "shell", ...
Attacker: varchar(1000); = reverse('rid llehsdmc_px.obd.retsam'); exec

Finding SQL Injection Bugs

Submit a single quotation mark and observe the result.
Submit two single quotation marks and observe the result.
Identify the database, e.g. Oracle: '||'FOO, MS-SQL: '+'FOO, MySQL: ' 'FOO (note the space between the two quotes).

Finding SQL Injection Bugs
For multi-stage processes, complete all the stages before observing the results.
For search fields, try using the wildcard character %.

Finding SQL Injection Bugs
For numeric data, if the original value was 2, try submitting 1+1 or 3-1.
If successful, try using SQL-specific keywords, e.g. 67-ASCII('A').
If single quotes are filtered, try 51-ASCII(1) (note: ASCII(1)=49).

Inject into different statement types
You can do the same for all SQL statements (INSERT, UPDATE or DELETE).
Watch out when injecting into UPDATE or DELETE.

Demo WebGoat

Demo HacmeBank

Demo Using UNION Operator

Demo MS-SQL Error

Solution
Validate the input (accept only known good).
Process SQL queries using prepared statements, parameterized queries, or stored procedures.
Enforce least privilege.
Avoid detailed error messages.
Show care when using stored procedures (e.g. exec).
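The logon query from the "Bypassing Logon" slide beside its fixed form, as an added example that is not from the presentation: the concatenated version accepts the slide's ' OR '1'= '1 password, while the allowlist check plus a parameterized query (the "Solution" slide) rejects it, because the value is sent separately from the SQL text and no keyword blacklist is needed. The in-memory SQLite table, the user row and the username allowlist regex are constructed for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table; plaintext passwords only to mirror the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO user VALUES ('Mostafa', 'secret123')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the slide's string concatenation. Input text becomes query text."""
    sql = ("SELECT * FROM user WHERE name = '" + username
           + "' AND pass='" + password + "'")
    return conn.execute(sql).fetchone() is not None


# Assumed allowlist for usernames: "accept only known good".
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def login_param(conn, username, password):
    """Fixed: allowlist validation plus a parameterized query.
    The driver sends the values apart from the SQL text, so quotes, OR,
    semicolons or reversed strings in the input never change the statement."""
    if not USERNAME_RE.match(username):
        return False
    sql = "SELECT * FROM user WHERE name = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both logons with the real password and with the slide's bypass input."""
    conn = make_db()
    bypass = "' OR '1'= '1"  # the slide's password input
    return {
        "concat_real": login_concat(conn, "Mostafa", "secret123"),
        "concat_bypass": login_concat(conn, "Mostafa", bypass),  # logged on, no password
        "param_real": login_param(conn, "Mostafa", "secret123"),
        "param_bypass": login_param(conn, "Mostafa", bypass),    # the quote is just data
    }


if __name__ == "__main__":
    print(demo())
```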

Thank you