SQL injection Figure 1 By Kaveri Bhasin
Motive of SQL Injection Obtain data from database Modify system functions Insert data in the backend database
Figure 2.
Victims Mostly Web applications with user input facilities.
Simplest Procedure 1.Guess field names. 2.Construct a query and check for SQL status 3.If server gives error, field name is incorrect, else lets proceed…
Cont. With the correct field, construct SQL query and inject Example: 101 AND Len(( SELECT first_name FROM user_data WHERE userid =15613)) = 6
Paper overview Types of Vulnerabilities Measures Tools (Webgoat)
Types of vulnerabilities Database system vulnerability Type handling Injected filtered escape characters
Measures Web application design: Analyze against vulnerabilities Use strongly defined types and validation for user input Use parameterized queries
Tools Webgoat Developed by OWASP.org Free source to experiment and learnt about SQL injection
Conclusion SQL injection is a serious concern A single design error can be disastrous for the security of sensitive information
References Figure 1. Figure 2. “Towards an Aspect-Oriented Intrusion Detection Framework” Zhi Jian Zhu and Mohammad Zulkernine