Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Presentation transcript:

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin

Presentation Outline
Introduction to the problem (SQL injection)
Motivation for the project (example)
Block diagram of work focus
Current status
Timeline
Concluding remarks
Questions

SQL injection
SQL injection is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database. An attacker is able to insert a series of SQL statements into a 'query' by manipulating data input.

SQL injection

Example Vulnerable web page

Example
In ASP, a critical vulnerability is the way in which the query string is created. Example:
var SQL = "select * from users where username = '" + username + "' and password = '" + password + "'";

Username: ';drop table users--
The 'users' table will be deleted, denying access to the application for all users.

Example
Query executed: select * from users where username = '';drop table users--' and password = ''
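The slide's ASP snippet rebuilt in Python as an added example (this is not code from the presentation): build_query_vulnerable() is the concatenation shown on the slide, and login_safe() is the parameterized form, which does not depend on a proxy at all. The users table, its rows and the function names are constructed for this example; sqlite3's executescript() is used only to stand in for a driver that executes stacked statements in one batch, because sqlite3's execute() refuses them outright.

```python
import sqlite3

# Constructed sample table for this example; the rows are made up.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
INSERT INTO users VALUES ('alice', 'alice-pw'), ('bob', 'bob-pw');
"""


def build_query_vulnerable(username, password):
    """The slide's concatenation: user input becomes part of the SQL text,
    so a quote or ';' in the input rewrites the statement."""
    return ("select * from users where username = '" + username
            + "' and password = '" + password + "'")


def fresh_db():
    """In-memory database loaded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def run_vulnerable(conn, username, password):
    """Execute the concatenated query as a batch and report whether the users
    table survived. executescript() stands in for a driver (such as SQL Server
    over TDS) that runs several ';'-separated statements in one batch."""
    conn.executescript(build_query_vulnerable(username, password))
    return table_exists(conn, "users")


def login_safe(conn, username, password):
    """Parameterized form: the SQL text and the values travel separately, so
    the input is compared as a literal string and can neither close the
    quoted value nor add a statement. Returns the matching row or None."""
    return conn.execute(
        "select * from users where username = ? and password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    payload = "';drop table users--"   # the username from the slide
    print(build_query_vulnerable(payload, "x"))
    print("table survived (vulnerable):", run_vulnerable(fresh_db(), payload, "x"))
    db = fresh_db()
    print("login_safe with payload:", login_safe(db, payload, "x"))
    print("table survived (safe):", table_exists(db, "users"))
    print("login_safe, real credentials:", login_safe(fresh_db(), "alice", "alice-pw"))
```

With the slide's username, run_vulnerable() returns False (the table is gone), while login_safe() returns None and leaves the table in place; the same function returns alice's row for real credentials.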

Example

Implementation Step

Current Status
Analyse the structure of SQL query commands
Build a filter that will check allowable patterns of SQL statements
Create a proxy server that will filter SQL commands
Prevent a SQL injection attack to a database using this proxy server
Prove that SQL injection can be prevented using the filter developed to work on the proxy server
Produce a list of best practices for
–Web design
–Database administration

Current Status
Working proxy server
–Extracts the SQL from a TDS packet
–Prevents SQL injection attacks: white list, black list, gray list
–Logs extracted SQL queries and halted SQL
Work in progress:
–Benchmarking
–Error reporting to database administrator
–Project write up

Results - Filter

diagrams;
: ;
Sql injection attempt with: "diagrams; in design - in this section we design the class diagrams; this is because the class"
Found with search signature: ;
found match using black list
by
: by
Sql injection attempt with: "by in diagrams define the data structure required by an application. We also look at"
Found with search signature: by
found match using white list, so this query is safe
Query Count: 950
bad query count: 150
took seconds
average time to process a query: seconds

Performance issues
Advantages
–Independent of flaws in application coding and database privileges
–Separate server with real time analysis
Disadvantages
–False positives: legitimate queries that match a signature are filtered out too
–Won't work if data is encrypted
–May turn out to be resource intensive
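As an added example (not the presentation's own proxy code), here is the filtering decision from the Current Status and Results slides together with the false-positive disadvantage listed above, in Python: a minimal extractor that pulls the SQL text out of a TDS SQL batch packet, white/black/gray-list classification, and the slide's query counts computed over constructed packets. The list contents, the application's expected query shapes, the sample queries and the function names are all assumptions made for this example; the TDS layout assumed is the pre-7.2 one, where a SQL batch payload is bare UTF-16LE text after the 8-byte header.

```python
import re
import struct

# TDS packet header (8 bytes): type, status, length, SPID, packet id, window.
# Assumption: pre-7.2 TDS, where a SQL batch payload is plain UTF-16LE text
# with no ALL_HEADERS prefix (later protocol versions add one).
TDS_SQL_BATCH = 0x01
TDS_HEADER = struct.Struct(">BBHHBB")


def build_tds_batch(sql):
    """Constructed test input: wrap SQL text in a single SQL batch packet."""
    payload = sql.encode("utf-16-le")
    header = TDS_HEADER.pack(TDS_SQL_BATCH, 0x01, TDS_HEADER.size + len(payload), 0, 1, 0)
    return header + payload


def extract_sql_from_tds(packet):
    """Return the SQL text of a complete SQL batch packet, or None for any
    other packet (logins, RPCs, truncated data), which the proxy passes on."""
    if len(packet) < TDS_HEADER.size:
        return None
    ptype, _status, length, _spid, _pkt_id, _window = TDS_HEADER.unpack(packet[:TDS_HEADER.size])
    if ptype != TDS_SQL_BATCH or length != len(packet):
        return None
    return packet[TDS_HEADER.size:].decode("utf-16-le")


# White list: the query shapes this (constructed) application is known to send.
WHITE_LIST = [
    re.compile(r"^select \* from users where username = '[^';]*' and password = '[^';]*'$", re.I),
    re.compile(r"^select title, body from docs where id = \d+ order by title$", re.I),
]
# Black list: search signatures for stacked statements, comment-outs and DDL.
BLACK_LIST = [";", "--", "/*", "drop ", "xp_"]
# Gray list: tokens that are suspicious but also common in legitimate text.
GRAY_LIST = ["union", " or ", " by ", "'"]


def classify(sql):
    """Return (verdict, signature). As in the slide's log, a white-list match
    makes a query safe even when a signature is present; otherwise a black-list
    hit halts it, and anything else is gray-listed for the administrator."""
    text = sql.strip()
    for pattern in WHITE_LIST:
        if pattern.match(text):
            return ("white", None)
    low = text.lower()
    for sig in BLACK_LIST:
        if sig in low:
            return ("black", sig)
    for sig in GRAY_LIST:
        if sig in low:
            return ("gray", sig)
    return ("gray", None)


def filter_packets(packets):
    """Apply the proxy's decision to each packet. Returns the counts the slide
    reports, log lines in the slide's wording, and the packets to forward."""
    result = {"query_count": 0, "bad_query_count": 0, "log": [], "forwarded": []}
    for pkt in packets:
        sql = extract_sql_from_tds(pkt)
        if sql is None:
            result["forwarded"].append(pkt)   # not a SQL batch: nothing to filter
            continue
        result["query_count"] += 1
        verdict, sig = classify(sql)
        if verdict == "black":
            result["bad_query_count"] += 1
            result["log"].append(f'Sql injection attempt with: "{sql}" '
                                 f"Found with search signature: {sig} found match using black list")
        else:
            result["forwarded"].append(pkt)
            result["log"].append("found match using white list, so this query is safe"
                                 if verdict == "white" else f'gray list, logged for review: "{sql}"')
    return result


def sample_packets():
    """Constructed traffic: one TDS7 login packet (type 0x10) and five batches."""
    queries = [
        "select * from users where username = 'alice' and password = 'alice-pw'",
        "select * from users where username = '';drop table users--' and password = 'x'",
        "insert into notes (body) values ('see diagrams; in design - the class diagrams')",
        "select title, body from docs where id = 42 order by title",
        "select * from sessions where token = 'abc123'",
    ]
    return [bytes([0x10, 0x01, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00])] + [build_tds_batch(q) for q in queries]


if __name__ == "__main__":
    out = filter_packets(sample_packets())
    print("\n".join(out["log"]))
    print("Query Count:", out["query_count"], "bad query count:", out["bad_query_count"])
```

The third query is the false positive from the Disadvantages list: a legitimate insert whose text happens to contain ';' is halted because it is not on the white list, exactly as the slide's "diagrams;" log entry shows; the fourth contains the "by" signature but is white-listed and passes. The login packet is forwarded untouched and is not counted as a query.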

Timeline
First semester:
–Project proposal
–Presentation 1
–Literature survey
–Project website and Honours Blog
–Design and implementation
Second semester:
–Benchmarking
–Final write up: thesis, short paper
–Project poster

Questions