Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affairs SQL Riji Jacob MS Student in Computer Science.


* Many Web applications serve database-driven content on the Internet (e.g. Yahoo, Amazon).
* The interactive nature of Web applications that rely on database services exposes them to SQL injection attacks.
* Web applications receive user input via form fields and then pass that input on as database requests.

* Transactions may involve user names, passwords and information of large monetary value.
* It is also a national security and privacy matter, e.g. social security numbers in the U.S.
* SQL injection attacks are widespread, and Web applications are vulnerable to SQL Injection Attacks (SQLIAs).
* A Gartner Group study of over 300 Internet Web sites showed that most of them could be vulnerable to SQLIAs.
* SQLIA examples: Travelocity, FTD.com, and Guess Inc.

* SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application.
* Data provided by the user is NOT validated and is included in an SQL query in such a way that part of the user's input is treated as SQL code.

* Tautologies
* Illegal/Logically Incorrect Queries
* Union Query
* Piggy-Backed Queries
* Stored Procedures
* Inference
* Alternate Encodings

* Attack Intent: Bypassing authentication, identifying injectable parameters, extracting data.
* The general goal of a tautology-based attack is to inject code into one or more conditional statements so that they always evaluate to true.
* An attacker exploits an injectable field that is used in a query's WHERE conditional:

  SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=

  Everything after the -- is a comment, so the password and pin checks are discarded and the tautology 1=1 makes the WHERE clause true for every row.
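The tautology above run against a small in-memory SQLite database, as an added example that is not part of the slides: the query assembled by string concatenation (the slide's form) returns every account, while the same query with bound parameters returns nothing for the payload and still works for a real login. The users table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the slides' users table (hypothetical rows).
SAMPLE_USERS = [
    ("doe", "s3cret", 1234, "ACCT-001"),
    ("alice", "hunter2", 4321, "ACCT-002"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, login, pw, pin):
    # The slide's query built the vulnerable way: user input is spliced into the
    # SQL text, so whatever the user types is parsed as SQL.
    sql = ("SELECT accounts FROM users WHERE login='%s' AND pass='%s' AND pin=%s"
           % (login, pw, pin))
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, login, pw, pin):
    # Same query with bound parameters: the driver passes the values separately
    # from the statement text, so they are only ever compared as data.
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return sorted(row[0] for row in conn.execute(sql, (login, pw, pin)))


def check_login(login, pw, pin, safe):
    """Return the accounts the query yields; safe=False uses the concatenated query."""
    conn = make_db()
    fn = login_parameterized if safe else login_concatenated
    try:
        return fn(conn, login, pw, pin)
    finally:
        conn.close()


if __name__ == "__main__":
    tautology = "' or 1=1 --"   # the payload quoted on the slide
    print("legit, concatenated:     ", check_login("doe", "s3cret", 1234, safe=False))
    print("tautology, concatenated: ", check_login(tautology, "", "", safe=False))
    print("legit, parameterized:    ", check_login("doe", "s3cret", 1234, safe=True))
    print("tautology, parameterized:", check_login(tautology, "", "", safe=True))
```

With the concatenated query the payload yields both accounts because the comment swallows the password and pin conditions; with bound parameters the literal string `' or 1=1 --` is compared against the login column and matches nothing.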

* Attack Intent: Identifying injectable parameters, performing database finger-printing, extracting data.
* Description: This attack lets an attacker gather important information about the type and structure of the back-end database of a Web application.

  SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert(int,(select top 1 name from sysobjects where xtype='u'))

  Converting a table name to an integer fails, and a verbose database error message then reveals that name.

* Attack Intent: Bypassing authentication, extracting data.
* Description: In union-query attacks, an attacker exploits a vulnerable parameter to change the data set returned for a given query.

  SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo= AND pass='' AND pin=

* Attack Intent: Extracting data, adding or modifying data, performing denial of service, executing remote commands.
* Description: In this attack type, an attacker tries to inject additional queries into the original query. Vulnerability to this type of attack often depends on a database configuration that allows multiple statements to be contained in a single string.

  SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123

* Attack Intent: Performing privilege escalation, performing denial of service, executing remote commands.
* Description: SQLIAs of this type try to execute stored procedures.
* An attacker first determines which back-end database is in use.

  CREATE PROCEDURE int AS EXEC("SELECT accounts FROM users WHERE login='" "' and pass='" "' and pin=" GO

* Attack Intent: Identifying injectable parameters, extracting data, determining database schema.
* Description: The query is modified to recast it in the form of an action that is executed based on the answer to a true/false question about data values in the database.
* Attackers are generally targeting a site that has been secured enough that, when an injection has succeeded, there is no usable feedback via database error messages.

  SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ' AND pass='' AND pin=0

* Attack Intent: Evading detection.
* Description: In this attack, the injected text is modified so as to avoid detection by defensive coding practices and also by many automated prevention techniques.

  SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x f776e)) -- AND pass='' AND pin=

  tion with other attacks.

* Apply instruction-set randomization to SQL.
* Create instances of the language that are unpredictable to the attacker.
* Queries injected by the attacker will be caught by the database parser.
* An intermediary proxy translates the random SQL back to its standard language.
* The mechanism imposes negligible performance overhead on query processing and can be easily retrofitted to existing systems.

The mechanism provides a tool that reads SQL statement(s) and rewrites all keywords with the random key appended. For example:

  select gender, avg(age) from cs101.students where dept = %d group by gender

The utility identifies the six keywords in the example query and appends the key to each one (e.g., when the key is "123"):

  select123 gender, avg123 (age) from123 cs101.students where123 dept = %d group123 by123 gender

* A proxy server is built that sits between the client (web server) and the SQL server, de-randomizes requests received from the client, and conveys the query to the server.
* If an SQL injection attack has occurred, the proxy's parser will fail to recognize the randomized query and will reject it.
* The implementation focused on CGI scripts as the query generators; a similar approach applies when using JDBC.
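The randomization utility and the de-randomizing proxy from the two slides above, as an added example that is not the SQLrand authors' code: `randomize` appends the key to each keyword of a query template at build time, and `derandomize` strips the key again on the way to the database, rejecting any keyword that arrives without it. The keyword subset, the lexer, the `InjectionDetected` exception and the function names are assumptions of this example; the query template and the key "123" are the slides' own. The lexer keeps quoted string literals whole so that keyword-like user data such as 'select' is never mistaken for injected SQL, which is the edge case a naive keyword filter would get wrong.

```python
import re

# SQLrand randomizes the whole SQL grammar; this added example uses a small
# hand-picked keyword subset (an assumption of the example) that covers the
# slides' sample query and the statements used in the attack examples.
SQL_KEYWORDS = {
    "select", "from", "where", "group", "by", "avg", "and", "or", "union",
    "insert", "update", "delete", "drop", "table", "exec", "waitfor",
}

# Lexer: '--' comments, single-quoted string literals (with '' escapes), words,
# runs of whitespace, or any other single character. String literals are kept
# whole so keyword-like user data inside quotes ('or', 'select') is never
# mistaken for SQL.
_TOKEN = re.compile(r"--[^\n]*|'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\s+|.", re.S)


class InjectionDetected(Exception):
    """Raised by the proxy when a query contains a keyword without the key."""


def randomize(sql_template: str, key: str) -> str:
    """Developer-side utility: append the key to every keyword in a query template.
    This runs once over the application's own SQL before deployment."""
    out = []
    for m in _TOKEN.finditer(sql_template):
        tok = m.group(0)
        if tok.lower() in SQL_KEYWORDS:
            tok += key
        out.append(tok)
    return "".join(out)


def derandomize(randomized_sql: str, key: str) -> str:
    """Proxy-side step: strip the key from randomized keywords so the database
    receives standard SQL. A keyword that lacks the key cannot come from the
    application's templates, so it is treated as injected and the query is rejected."""
    out = []
    k = key.lower()
    for m in _TOKEN.finditer(randomized_sql):
        tok = m.group(0)
        low = tok.lower()
        if low.endswith(k) and low[: -len(k)] in SQL_KEYWORDS:
            tok = tok[: -len(k)]                      # recognised randomized keyword
        elif low in SQL_KEYWORDS:
            raise InjectionDetected(f"un-randomized keyword {tok!r} in query")
        out.append(tok)
    return "".join(out)


# The slides' example query and key ("123"); a real deployment uses a long random secret.
KEY = "123"
TEMPLATE = "select gender, avg(age) from cs101.students where dept = %d group by gender"
RANDOMIZED_TEMPLATE = randomize(TEMPLATE, KEY)


def build_query(dept_input: str) -> str:
    """Application side: splice user input into the randomized template, exactly
    as the vulnerable CGI scripts did with the plain template."""
    return RANDOMIZED_TEMPLATE.replace("%d", dept_input)


def proxy_forward(randomized_query: str) -> str:
    """What the proxy hands to the SQL server, or raises InjectionDetected."""
    return derandomize(randomized_query, KEY)


def proxy_rejects(randomized_query: str) -> bool:
    try:
        proxy_forward(randomized_query)
        return False
    except InjectionDetected:
        return True


if __name__ == "__main__":
    print(RANDOMIZED_TEMPLATE)
    print(proxy_forward(build_query("5")))          # a normal request passes through
    print(proxy_rejects(build_query("5 or 1=1")))   # the injected 'or' carries no key -> True
```

The security of the scheme rests on the key staying secret from anyone who can supply input: the proxy only rejects keywords that lack it, so a leaked key would let injected SQL pass exactly as application SQL does.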

THANK YOU