Published by Regina Sharp. Modified over 8 years ago.
SQL INJECTION
Lecturer: A.Prof.Dr. DANG TRAN KHANH
Student: Le Nguyen Truong Giang
Content
What are injection attacks?
Types of SQL injection attacks.
Mitigating SQL injection.
Q&A
What are injection attacks?
"SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements." (Wikipedia)
What are injection attacks?
Injection attacks trick an application into including unintended commands in the data sent to an interpreter. Interpreters interpret strings as commands, e.g. SQL, shell (cmd.exe, bash), LDAP, XPath.
Key idea: input data from the application is executed as code by the interpreter.
What are injection attacks?
Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
SELECT productdata FROM table WHERE productname = 'user input product name';
A SQL injection attack involves placing SQL statements in the user input.
What are injection attacks?
Example HTML URL: http://webserver/login.jsp?userid=[user input]
Types of SQL injection attacks
SQL injection types:
Tautologies
Illegal/logically incorrect queries
Union query
Piggy-backed queries
Stored procedures
Inference
Alternate encodings
Types of SQL injection attacks: Tautologies
Intent: bypassing authentication, identifying injectable parameters, extracting data.
Example: SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass=''
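The login query from the slides, built the way the "user input used literally" slide describes and then with bound parameters, as an added example that is not part of the original deck. The users table, its two rows and the account names are constructed for the example; the payload is the slide's own ' or 1=1 --.

```python
import sqlite3

# Constructed sample users for this example (not from the original deck).
USERS = [("admin", "s3cret!"), ("alice", "hunter2")]


def make_db():
    """In-memory database with the users(login, pass, accounts) table the slide queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, pass TEXT, accounts TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(u, p, "acct-of-" + u) for u, p in USERS])
    return con


def login_vulnerable(con, login, password):
    """Query built by string concatenation: the user's text becomes part of the
    SQL grammar. Returns the accounts of every matching row ([] means denied)."""
    sql = ("SELECT accounts FROM users WHERE login='" + login +
           "' AND pass='" + password + "'")
    return sorted(row[0] for row in con.execute(sql))


def login_safe(con, login, password):
    """Same query as a static statement with bound parameters. The driver sends
    the values out of band, so a quote in the input is just a quote."""
    sql = "SELECT accounts FROM users WHERE login=? AND pass=?"
    return sorted(row[0] for row in con.execute(sql, (login, password)))


# The slide's payload: closes the literal, adds an always-true clause, and
# comments out the password check.
TAUTOLOGY = "' or 1=1 --"


def demo():
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, TAUTOLOGY, ""),
        "safe": login_safe(con, TAUTOLOGY, ""),
        "legitimate": login_safe(con, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:11s} -> {rows}")
```

With the concatenated query the tautology returns every account in the table; with the bound parameter the same input matches no row, while a genuine login still works. The fix is not escaping the quote but keeping data out of the statement text altogether.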
Types of SQL injection attacks: Illegal/Logically Incorrect Queries
Intent: identifying injectable parameters, performing database fingerprinting.
Example: SELECT accounts FROM users WHERE login='' AND 1 = convert(int, (select top 1 name from sysobjects where xtype='u')) -- AND pass=''
Error shown: "Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."
The error message both identifies the DBMS (SQL Server) and leaks the name of the first user table (CreditCards).
Types of SQL injection attacks: Union Query
Intent: bypassing authentication, extracting data.
Example: SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2
Injected input: foo' UNION SELECT number FROM cc--
(The appended SELECT must return the same number of columns as the original query.)
Types of SQL injection attacks: Piggy-Backed Queries
Intent: extracting data, adding or modifying data, performing denial of service, executing remote commands.
Example user input: whatever'; drop table --
Example user input: whatever'; xp_cmdshell(…)
Types of SQL injection attacks: Stored Procedures
Intent: performing privilege escalation, denial of service, executing remote commands.
Example: SELECT accounts FROM users WHERE login='admin'; SHUTDOWN; -- AND pass=''
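Both the piggy-backed and the stored-procedure examples above rely on stacking a second statement after the semicolon, and whether that second statement runs depends on the database driver, not only on the query. The following added example (not from the original deck) shows this with Python's sqlite3 module: its execute() refuses more than one statement, while executescript() behaves like a driver that allows stacked queries. The users table and its single row are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed row (not from the original deck)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, pass TEXT, accounts TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret!', 'acct-1')")
    return con


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def build_query(login, password):
    """The slide's concatenated login query."""
    return ("SELECT accounts FROM users WHERE login='" + login +
            "' AND pass='" + password + "'")


# The piggy-backed payload from the slide, with a concrete table name.
PAYLOAD = "whatever'; DROP TABLE users; --"


def run_with_execute(con):
    """Cursor.execute() accepts exactly one statement, so the stacked DROP is
    refused by the driver before SQLite sees it. Returns (outcome, table_still_there)."""
    try:
        con.execute(build_query(PAYLOAD, ""))
        outcome = "ran"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        outcome = "rejected by driver: " + type(exc).__name__
    return outcome, table_exists(con, "users")


def run_with_executescript(con):
    """executescript() runs every statement in the string, as a driver that
    allows stacked queries would, so the same payload drops the table.
    Returns table_still_there."""
    con.executescript(build_query(PAYLOAD, ""))
    return table_exists(con, "users")


if __name__ == "__main__":
    con = make_db()
    print("execute():      ", run_with_execute(con))
    print("executescript():", run_with_executescript(con))
```

The practical check is therefore to confirm, for the driver and DBMS actually in use, whether multiple statements per call are accepted (several MySQL and SQL Server drivers accept them), and to disable that capability where it is not needed; the injection point is the same in both runs, only the driver's behaviour differs.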
Types of SQL injection attacks: Inference
Intent: identifying injectable parameters, extracting data, determining database schema.
Example (MySQL >= 5.0):
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
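The union-query slide and the inference slide above describe two ways of pulling data out of the product lookup from the first section: appending a SELECT whose rows come back in the response, or, when no data is returned, asking yes/no questions and watching whether the known row still appears. Both are implemented below as an added example that is not part of the original deck. The products and cc tables, their rows and the card numbers are constructed; SQLite's sqlite_master catalogue stands in for MySQL's information_schema, and the payload foo' UNION SELECT number FROM cc-- is the slide's own.

```python
import sqlite3


def make_db():
    """Constructed schema: a products table and the cc table the slide targets."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (productname TEXT, productdata TEXT)")
    con.execute("CREATE TABLE cc (number TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [("widget", "blue, 10 USD"), ("gadget", "red, 25 USD")])
    con.executemany("INSERT INTO cc VALUES (?)",
                    [("4111111111111111",), ("5500000000000004",)])
    return con


def lookup_vulnerable(con, name):
    """The slide's product query built by concatenation; returns productdata rows."""
    sql = "SELECT productdata FROM products WHERE productname = '" + name + "'"
    return [r[0] for r in con.execute(sql)]


def lookup_safe(con, name):
    """Same lookup with a bound parameter, for comparison."""
    sql = "SELECT productdata FROM products WHERE productname = ?"
    return [r[0] for r in con.execute(sql, (name,))]


# --- Union query: the second SELECT's rows come back in the same result set.
def find_column_count(con, max_cols=8):
    """UNION needs matching column counts; probe with NULL columns until the
    database stops raising an error. Returns the count, or None if not found."""
    for n in range(1, max_cols + 1):
        probe = "foo' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            lookup_vulnerable(con, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract(con):
    return sorted(lookup_vulnerable(con, "foo' UNION SELECT number FROM cc--"))


# --- Inference: the response carries no data, only whether the known row survived.
def oracle(con, condition):
    """True when the injected condition keeps the known 'widget' row in the result."""
    return len(lookup_vulnerable(con, "widget' AND (" + condition + ")--")) > 0


def infer_table_name(con, charset="abcdefghijklmnopqrstuvwxyz0123456789_", max_len=32):
    """Recover the name of a table other than products one character at a time.
    Returns (name, number_of_queries_used)."""
    subq = ("SELECT name FROM sqlite_master WHERE type='table' "
            "AND name<>'products' LIMIT 1")
    name, queries = "", 0
    for pos in range(1, max_len + 1):
        for ch in charset:
            queries += 1
            if oracle(con, f"substr(({subq}), {pos}, 1) = '{ch}'"):
                name += ch
                break
        else:
            break   # no character matched: substr() returned '', end of the name
    return name, queries


if __name__ == "__main__":
    con = make_db()
    print("columns in original query:", find_column_count(con))
    print("union extraction:", union_extract(con))
    print("inferred table name, queries:", infer_table_name(con))
```

The inference loop needs a few dozen requests to recover a two-letter table name, which is why blind injection shows up in logs as a burst of near-identical requests differing in one character; that pattern is the thing to alert on when the application itself never returns an error.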
Types of SQL injection attacks: Alternate Encodings
Intent: evading detection.
Example: SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass=''
Here char(0x73687574646f776e) decodes to the string 'shutdown', so a filter looking for the keyword never sees it.
Mitigating SQL injection attacks
Diagram: (1) the attacker posts a malicious form to the victim server, which sends an unintended query to the victim SQL DB; (2) the attacker receives valuable data.
Mitigating SQL injection attacks
Diagram: the user enters a username and password in the web browser (client); the web server builds SELECT passwd FROM USERS WHERE uname IS '$user' and sends it to the DB server.
Mitigating SQL injection attacks
Input validation
Static query statements
Least privilege
Code verification
Web application gateway
SQL driver proxy
Miscellaneous methods
Phases in which they apply (after OWASP, the Open Web Application Security Project): development phase, QA phase, production phase.
Mitigating SQL injection attacks
Paper solution: use an information-theory-based framework for SQL injection attack detection.
Client: implements a filter program that checks the length and data type of the submitted variables and detects injection-sensitive characters and keywords.
Server: implements an entropy computational model that measures the complexity of a given query.
Mitigating SQL injection attacks
Client algorithm:
1. Input text.
2. Check the length of the submitted input.
3. Check for the injection-sensitive characters and keywords as specified.
4. If a sensitive character is found or the size is greater than specified, return an error message.
5. Else submit the query to the server.
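The five-step client filter above, written out in Python as an added example (not the paper's or the presenter's code). The slide leaves the length limit and the list of sensitive characters and keywords unspecified, so the values below are assumptions; the keyword match uses word boundaries so that an ordinary name containing "or" or "and" is not rejected.

```python
import re

# Assumed per-field length limit (the slide's "size greater than specified").
MAX_LEN = 32
# Assumed injection-sensitive characters and keywords; the slide does not list them.
SENSITIVE_CHARS = ["'", '"', ";", "--", "/*", "*/", "#"]
SENSITIVE_KEYWORDS = ["or", "and", "union", "select", "insert", "update", "delete",
                      "drop", "exec", "shutdown", "xp_cmdshell", "char"]
# \b...\b: match whole words only, so "Doran" does not trip on "or".
KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, SENSITIVE_KEYWORDS)) + r")\b",
                        re.IGNORECASE)


def client_filter(value, max_len=MAX_LEN):
    """Steps 2-4 of the client algorithm for one field. Returns (ok, reason)."""
    if len(value) > max_len:
        return False, f"length {len(value)} exceeds {max_len}"
    for ch in SENSITIVE_CHARS:
        if ch in value:
            return False, f"sensitive character {ch!r}"
    m = KEYWORD_RE.search(value)
    if m:
        return False, f"sensitive keyword {m.group(1)!r}"
    return True, "ok"


def check_form(fields):
    """Steps 1 and 5: run every submitted field through the filter and report
    whether the form may be submitted. Returns (submit, per_field_results)."""
    results = {name: client_filter(value) for name, value in fields.items()}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    # Constructed form submissions: one benign, one carrying the tautology payload.
    for form in ({"user": "alice", "pass": "hunter2"},
                 {"user": "' or 1=1 --", "pass": ""}):
        print(check_form(form))
```

This filter runs in the client's browser, so an attacker who posts the form directly skips it entirely; as the deck says, its value is saving server CPU cycles on obviously bad input, and the server-side check remains the actual control. Being a blacklist, it also only catches what is on the list (the alternate-encodings slide is the reminder that an unlisted spelling gets through).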
Mitigating SQL injection attacks
Server: implements an entropy computational model that measures the complexity of a given query.
1. Training phase
Program source code and server script analyzer: during the training phase the program source code is analyzed first, to find all the static queries in the application.
Mitigating SQL injection attacks
1. Training phase
Static entropy calculator. Let Q = {q1, q2, q3, ..., qn} be the set of queries in the application, X = {x1, x2, x3, ..., xl} the set of all tokens present in a query, and P(x) the probability of a token x in query q.
Mitigating SQL injection attacks
1. Training phase
Static entropy calculator. The entropy of the query is the Shannon entropy of its token distribution: H(q) = -Σ_{x ∈ X} P(x) · log2 P(x).
Mitigating SQL injection attacks
1. Training phase
MAC (Message Authentication Code), MAC = C(K, M):
1. Retrieve the static entropy (E) from the entropy calculator.
2. Retrieve the key (K) from the key database.
3. Take the hash of the key and the entropy to get the static MAC: MAC(K, E) = H(K ∥ E) (SMAC: static MAC).
Mitigating SQL injection attacks
2. Detection phase (flowchart): query invocation → dynamic entropy calculator → MAC (DMAC: dynamic MAC) → comparison with SMAC → execute or block.
Mitigating SQL injection attacks
Server algorithm:
1. Analyze the program source code to find all queries.
2. For every query in the application calculate its entropy, called the static entropy.
3. Apply a MAC (message authentication code) to the static entropy to get the static MAC (SMAC).
4. Store the SMAC in the database.
5. At runtime, when a query is invoked, calculate its dynamic entropy.
Mitigating SQL injection attacks
Server algorithm:
6. Apply the MAC to the dynamic entropy to get the dynamic MAC (DMAC).
7. Compare DMAC and SMAC.
8. If they are equal, the query is genuine.
9. Else an attack is detected: the query is not executed, and the IP address is blocked and recorded.
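The training and detection procedure in steps 1-9, as an added example in Python that is not the paper's or the presenter's code. It assumes a hypothetical key, a single login template with $user/$pass placeholders standing for the static query found by the source analyzer, and a tokenizer that collapses string and numeric literals to one token class each so that benign input keeps the template's token profile (the slides do not say how literals are tokenized). HMAC-SHA256 is used in place of the slide's H(K ∥ E), a deliberate substitution of the standard keyed construction. The attack query is the deck's own worked example, login='' or 1=1 --.

```python
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed for this example: the MAC key and one static query template.
KEY = b"constructed-demo-key-not-for-production"
STATIC_QUERIES = {
    "login": "select id, level from tlogin where login='$user' and password='$pass'",
}

TOKEN_RE = re.compile(r"""
      (?P<comment>--[^\n]*|/\*.*?\*/)        # SQL comments
    | (?P<string>'(?:[^']|'')*')             # single-quoted literal ('' escapes a quote)
    | (?P<number>\b\d+(?:\.\d+)?\b)          # numeric literal
    | (?P<word>[A-Za-z_$][A-Za-z0-9_$]*)     # keyword, identifier or $placeholder
    | (?P<op><>|<=|>=|!=|[=<>(),;*+\-/])     # operators and punctuation
    | (?P<ws>\s+)
    | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokens(query):
    """Token sequence of a query. Literals become STR/NUM, comments COMMENT,
    keywords and identifiers are lower-cased. Assumption: template placeholders
    always sit inside quotes, so they tokenize as STR just like real input."""
    out = []
    for m in TOKEN_RE.finditer(query):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "comment":
            out.append("COMMENT")
        elif kind == "word":
            out.append(m.group().lower())
        else:
            out.append(m.group())
    return out


def entropy(toks):
    """Shannon entropy H(q) = -sum P(x) log2 P(x) over the token frequencies."""
    n = len(toks)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(toks).values())


def render(template, values):
    """The unsafe string substitution the guarded application is assumed to do."""
    for placeholder, value in values.items():
        template = template.replace(placeholder, value)
    return template


class QueryGuard:
    """Training: one SMAC per static query. Detection: DMAC of the runtime query."""

    def __init__(self, key, static_queries):
        self.key = key
        self.smac = {name: self.mac(entropy(tokens(q))) for name, q in static_queries.items()}
        self.blocked_ips = set()

    def mac(self, e):
        # Slide: MAC(K, E) = H(K || E). HMAC-SHA256 is used here instead; the entropy
        # is formatted to a fixed precision so the MAC input is deterministic.
        return hmac.new(self.key, f"{e:.6f}".encode(), hashlib.sha256).hexdigest()

    def check(self, name, runtime_query, client_ip):
        """Steps 5-9: True means execute, False means blocked (and the IP recorded)."""
        dmac = self.mac(entropy(tokens(runtime_query)))
        if hmac.compare_digest(dmac, self.smac[name]):
            return True
        self.blocked_ips.add(client_ip)
        return False


def demo():
    guard = QueryGuard(KEY, STATIC_QUERIES)
    tmpl = STATIC_QUERIES["login"]
    benign = render(tmpl, {"$user": "alice", "$pass": "s3cret"})
    attack = render(tmpl, {"$user": "' or 1=1 --", "$pass": ""})   # the deck's example
    return {
        "static_entropy": round(entropy(tokens(tmpl)), 4),
        "attack_entropy": round(entropy(tokens(attack)), 4),
        "benign_allowed": guard.check("login", benign, "10.0.0.5"),
        "attack_allowed": guard.check("login", attack, "10.0.0.9"),
        "blocked_ips": sorted(guard.blocked_ips),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

Two caveats a practitioner would want: the comparison is on entropy alone, which is a lossy summary of the query (any injection that happens to preserve the token histogram, or a template whose tokens are merely reordered, yields the same value), so a MAC over the normalized token sequence itself is the stronger check; and because the web tier must hold the key to compute DMAC, the MAC adds little over comparing the entropies directly unless the SMAC store and key live outside the reach of whoever can alter the application.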
Mitigating SQL injection attacks
Advantages:
The client side reduces CPU cycles on the server.
Detects all known SQLI attacks.
Unknown vulnerabilities: covers the specific types of attack inputs considered.
Does not require tainted data-flow analysis or complex static analysis.
Applicable to a wide variety of scripting languages.
Applying a MAC provides an additional layer of security.
Mitigating SQL injection attacks
Result: client side
Mitigating SQL injection attacks
Result: server side
Mitigating SQL injection attacks
Example of entropy calculation (injected query): "select id, level from tlogin where login ='' or 1=1 --' and password =''"
Mitigating SQL injection attacks
Future scope:
Extending the model to stored procedures.
Detecting other web-based attacks such as cross-site scripting.
References:
1. MAC based solution for SQL injection (Diksha Gautam Kumar, Madhumita Chatterjee)
2. Early Detection of SQL (Hossain Shahriar, Sarah North, and Wei-Chuen Chen)
3. Information-Theoretic Detection of SQL Injection Attacks (Hossain Shahriar and Mohammad Zulkernine)
4. Entropy và Thông tin [Entropy and Information] (PGS.PTS.NGUT. Đoan Phan Tan)
5. OWASP: Advanced_Topics_on_SQL_Injection_Protection
6. Internet: SQL Injection
THANKS FOR LISTENING
Q&A