Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel.

Published byHelena Tate Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel."— Presentation transcript:

1 SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel Majeed Hossam Salah Eldin Mostafa Presented To: Dr. Nermin Hamza

2 Topic Outline :  What is SQL Injection?  How does SQL Injection work?  Examples  Types Of SQL Injection  Avoidance Strategies Against SQL Injection Attacks.  References

3 What is SQL Injection ? SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. Most common vulnerability found in websites. Can be easily exploited due to poor coding. Even though its very common, very little attention is given to prevention of these types of attack.

4 How does it work ? Several website have forms where it asks for user input. Forms such as login, search, etc. Often times, user input from these forms is directly used into SQL query construction. For example: SELECT from Users WHERE user = “USER INPUT” AND password = “USER INPUT” SQL injection happens when a attacker puts a SQL statement into this forms.

5 Simple Attack : USERNAME : PASSWORD : Resulting Query: SELECT FROM USERS WHERE user = ‘blah‘ OR ‘1’ = ‘1’ And password = ‘blah‘ OR ‘1’ = ‘1’ Thus, attacker was able login without valid credentials. blah‘ OR ‘1’ = ‘1

6 Another Simple attack : USERNAME : Resulting Query : SELECT FROM USERS WHERE user = blah‘; DROP TABLE USERS; -- *Note how comment (--) consumes the final quote. *Many popular Database software do not allow multiple queries anymore. This query will cause our entire Users database to be deleted. –blah‘; DROP TABLE USERS; --

7 Types of SQL Injection Attacks : First Order Attack Second Order Attack Lateral Injection

8 First Order Attack : The attacker can simply enter a malicious string and cause the modified code to be executed immediately. Examples: - UNIONS added to an existing statement to execute a second statement - Sub-query added to an existing statement - Existing SQL short-circuited to bring back all the data (for example, adding a query condition such as OR 1=1)

9 Second Order Attack : The attacker injects into persistent storage (such as a table row) which is deemed as a trusted source. An attack is subsequently executed by another activity. Examples: -Suppose you have a Web-based application which stores usernames alongside other session information. Given a session identifier such as a cookie you want to retrieve the current username and then use it in turn to retrieve some user information.

10 You might therefore have code for an "Update User Profile" screen somewhat similar to the following: -execute immediate 'SELECT username FROM sessiontable WHERE session ='''||sessionid||'''' into username; -execute immediate 'SELECT ssn FROM users WHERE username='''||username||'''' into ssn; This will be injectable if the attacker had earlier on the "Create Account" screen created a username such as: XXX' OR username='JANE Which creates the query … SELECT ssn FROM users WHERE username='XXX’ OR username='JANE'

11 If the user XXX does not exist, the attacker has successfully retrieved Jane’s social security number. Sub-query added to an existing statement. The attacker can create malicious database objects such as a function called as part of an API, or a maliciously named table by using double quotation marks to introduce dangerous constructs. For example : an attacker can create a table using a table name such as "tab') or 1=1--", which can be exploited later in a second order SQL injection attack.

12 Lateral Injection : The attacker can manipulate the implicit function To_Char( ) by changing the values of the environment variables, NLS_Date_Format or NLS_Numeric_Characters. For Example: Using Lateral SQL Injection, an attacker can exploit a PL/SQL procedure that does not even take user input. When a variable whose data type is date or number is concatenated into the text of a SQL statement, then, contrary to popular belief, there still is a risk of injection.

13 The implicit function TO_CHAR() can be manipulated by using NLS_Date_Format or NLS_Numeric_Characters. You can include arbitrary text in the format model, and you do not need to include any of the “structured” elements such as Mon, hh24, and so on.

14 For examples : SQL> SET SERVEROUTPUT ON SQL> ALTER session SET NLS_Date_Format = '"The time is"... hh24:mi' 2 / Session altered. SQL> SELECT TO_CHAR(SYSDATE) d FROM Dual 2 / D -------------------- The time is... 19:49 SQL> DECLARE 2 d DATE := TO_DATE('The time is... 23:15'); 3 BEGIN 4 -- Implicit To_Char() 5 DBMS_OUTPUT.PUT_LINE(d); 6 END; 7 / The time is... 23:15 PL/SQL procedure successfully completed.

15 Avoidance Strategies Against SQL Injection Attacks : Reduce the attack surface. Avoid dynamic SQL with concatenated input. Use bind arguments. Filter and sanitize input.

16 Reduce the attack surface : Ensure that all excess database privileges are revoked and that only those routines that are intended for end-user access are exposed. Though this does not entirely eliminate SQL injection vulnerabilities, it mitigates the impact of the attacks.

17 Avoid dynamic SQL with concatenated input : Dynamic SQL built with concatenated input values presents the easiest entry point for SQL injections. Avoid constructing dynamic SQL this way.

18 Use bind arguments : Here are high Parameterize queries by using bind arguments. Bind arguments eliminate the possibility of SQL injections and enhance performance.

19 Filter and sanitize input : The Oracle-supplied DBMS_ASSERT package contains a number of functions that can be used to sanitize user input and help in guarding against SQL injection in applications that use dynamic SQL built with concatenated input values. In case your filtering requirements cannot be satisfied by the DBMS_ASSERT package, you may need to create your own filter.

20 References : http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx http://st- curriculum.oracle.com/tutorial/SQLInjection/html/lesson1/les01_tm_ovw. htm http://hakipedia.com/index.php/SQL_Injection

Download ppt "SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Understand Database Security Concepts

Understand Database Security Concepts
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Lecture-5 Though SQL is the natural language of the DBA, it suffers from various inherent disadvantages, when used as a conventional programming language.

Lecture-5 Though SQL is the natural language of the DBA, it suffers from various inherent disadvantages, when used as a conventional programming language.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io

Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io
By Daniel Siassi.  XHTML  For Structure  CSS  For Stylization of Structure  SQL Database  Store Customer, Calendar, and Order Data  PHP  Server-side.

By Daniel Siassi.  XHTML  For Structure  CSS  For Stylization of Structure  SQL Database  Store Customer, Calendar, and Order Data  PHP  Server-side.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
IMS 4212: Application Architecture and Intro to Stored Procedures 1 Dr. Lawrence West, Management Dept., University of Central Florida

IMS 4212: Application Architecture and Intro to Stored Procedures 1 Dr. Lawrence West, Management Dept., University of Central Florida
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.

Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Similar presentations

Ads by Google