
Zac Fenigshtien: Introduction: 3 Tier Architecture; SQL Injection (Parameter Sandboxing; Blacklisting, Whitelisting)



Presentation transcript:

Slide 1: Zac Fenigshtien, zac.fenigshtien@888holdings.com

Slide 2: Agenda
- Introduction: 3 Tier Architecture
- SQL Injection
  - Parameter Sandboxing
  - Blacklisting, Whitelisting
  - Minimizing the Surface Area
  - Encryption: Hash, Symmetric, Asymmetric
- Crawlers
- 2nd Degree Injection / HTML Injection

Slide 3: 3 Tier Architecture
- GUI (UI): application graphical user interface, input / output. Client-side input validation: valid dates, mandatory fields, check digit.
- BLL (BL): business logic layer, application logic. Server-side input validation: the zip code matches the address.
- DAL: data access layer, data source management. DB: open connections, connection pooling, execute statements, handle SQL errors... (EDMX, LINQ).

Slide 4: ' OR 1=1;-- (the classic SQL injection magic string; see http://en.wikipedia.org/wiki/Magic_string)

Slide 5: DEMO

Slide 6: Parameter Sandboxing
- Never concatenate input parameters into your query; bind them as parameters so the database treats them as data, never as SQL text.
- Use the appropriate datatypes for input parameters (an integer id is bound as an integer, not as a string).
- Minimize the length of string input parameters.

Slide 7: Blacklisting, Whitelisting
- Prefer whitelisting: accept only the values or patterns you know are valid.
- Blacklisting cannot be a full solution; attackers find tokens the list does not cover.
- Remember that a blacklist requires constant maintenance.

Slide 8: Minimizing the Surface Area
- Disable unused features:
  - CMD Shell (xp_cmdshell).
  - TRUSTWORTHY, cross-database ownership chaining.
  - SQLCLR, OLE DB.
- Use an unprivileged SQL user for the application.
- Use an unprivileged Windows user for the SQL Server service.

Slide 9: DEMO

Slide 10: Injection Variants
- Classic, error-based or time-delay.
- Error-based and time-delay (blind) techniques bypass the need for application output: the attacker reads a yes/no answer from an error message, a response delay, or any other observable difference.
- Used by automated tools, which repeat the yes/no question until the data is reconstructed.
- Time delays prolong the attack but still work when nothing is reflected to the page.
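The following is an added example, not code from the slides or their demos, that walks through slides 6, 7 and 10 against a constructed SQLite database: a concatenated login query broken by the magic string from slide 4, the same query with bound parameters plus a datatype and length check, a sort column (an identifier, which cannot be bound) guarded first by a blacklist and then by a whitelist, and a loop that infers a password length through the blacklisted endpoint without any row data ever being displayed. The table, user names and passwords are made up, and the blacklist pattern is a hypothetical one chosen to show the gap.

```python
"""Added example: SQL injection, its blind variant, and the parameter /
whitelist defences, run against a constructed in-memory SQLite database."""
import re
import sqlite3


def make_db():
    """Constructed sample data (made-up names and passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# --- slide 6: concatenation vs. bound parameters ---------------------------

def login_vulnerable(conn, name, pw):
    """String concatenation. The slide's magic string (written ' OR 1=1--
    here because the sqlite3 module prepares a single statement) makes the
    WHERE clause true for every row and comments out the password check."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


MAX_LEN = 32  # assumed cap on string inputs (slide 6: keep them short)


def login_parameterized(conn, name, pw):
    """Bound parameters travel as data; the magic string is just a name
    nobody has, so the query returns nothing."""
    if len(name) > MAX_LEN or len(pw) > MAX_LEN:
        raise ValueError("input too long")
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def user_by_id(conn, raw_id):
    """Use the column's datatype: int() rejects '1 OR 1=1' before binding."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


# --- slide 7: blacklist vs. whitelist for a sort column (cannot be bound) ---

# Hypothetical blacklist of the usual suspects; it looks thorough and is not.
BLACKLIST = re.compile(r"(?i)\b(union|select|insert|update|delete|drop|exec)\b|--|;|'")


def names_sorted_blacklist(conn, column):
    if BLACKLIST.search(column):
        raise ValueError("blacklisted token")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


ALLOWED_SORT = {"id", "name"}  # whitelist: the only identifiers the UI offers


def names_sorted_whitelist(conn, column):
    if column not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


# --- slide 10: blind inference through the blacklisted endpoint ------------

def infer_pw_length_blind(conn, max_len=64):
    """Nothing from the pw column is ever printed. The CASE expression yields
    an INTEGER for bob's row while the condition holds and TEXT otherwise;
    SQLite sorts integers before text, so the order of the two names answers
    'is bob's password longer than n?'. The payload uses none of the
    blacklisted tokens. Automated tools loop exactly like this."""
    for n in range(max_len):
        expr = f"(CASE WHEN id = 2 AND length(pw) > {n} THEN id ELSE name END)"
        if names_sorted_blacklist(conn, expr)[0] == "alice":
            return n  # first n for which the condition failed
    return None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1--", "x"))      # every user
    print(login_parameterized(db, "' OR 1=1--", "x"))   # []
    print(infer_pw_length_blind(db))                    # bob's password length
```

The ORDER BY case is the one parameter binding cannot fix, which is why the whitelist on the identifier is the only workable control there; the blind loop shows that a blacklist which blocks every obvious keyword still lets a CASE expression answer questions one bit at a time.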

Slide 11: Hash
- Hash: a one-way function (often loosely called one-way encryption). Toy illustration: 'ABC' -> ASCII('A')+ASCII('B')+ASCII('C') = 198. A real hash is also collision resistant, which this toy is not: 'CBA' gives the same 198.
- Use it to secure passwords and to validate data.
- Always use a salt.

Slide 12: Symmetric
- Symmetric: encrypt and decrypt data using the same key. Toy illustration: encryption algorithm "forward X letters", encryption key 2: 'ABC' -> 'CDE'.
- Fast and relatively secure.
- Use it to secure data.
- Transferring the key and keeping it secret is the problem.

Slide 13: Asymmetric
- Asymmetric: encrypt and decrypt data using a pair of keys (private and public).
- Data encrypted with the public key can be decrypted only with the private key; the reverse direction, private key applied by the sender and public key by the receiver, is what a digital signature uses.
- Relatively slow and very secure.
- Used in secure communication, alongside the other algorithms (typically to exchange a symmetric key that then encrypts the bulk data).
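An added example for slides 11 to 13, not taken from the presentation: it reproduces the slide's toy hash and toy shift cipher to show their properties (including the collision the toy hash has), uses PBKDF2-HMAC-SHA256 with a random salt for real password storage, and runs textbook RSA with the small teaching primes 61 and 53 to show the public/private key roles in both directions. The primes, exponent and iteration count are assumed values; a real key is 2048 bits or more and is used with OAEP/PSS padding through a library, and the toy cipher and toy hash are for illustration only.

```python
"""Added example: the slides' toy hash and toy cipher beside real salted
password hashing and a textbook RSA round trip (teaching values only)."""
import hashlib
import hmac
import os


def toy_hash(text):
    """Slide 11's illustration: sum of ASCII codes ('ABC' -> 198). One-way,
    but not collision resistant: 'CBA' also sums to 198. Never use it."""
    return sum(ord(ch) for ch in text)


def hash_password(password, salt=None):
    """Salted password hashing: PBKDF2-HMAC-SHA256, 200,000 iterations
    (assumed work factor). A fresh random salt per user means equal
    passwords produce different digests and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def shift_cipher(text, key):
    """Slide 12's toy symmetric algorithm ("forward X letters"). The same key,
    negated, decrypts: both parties must hold it and keep it secret."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


def toy_rsa_keypair(p=61, q=53, e=17):
    """Slide 13 as textbook RSA with tiny assumed primes (teaching values).
    Returns (public, private) as (exponent, modulus) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return (e, n), (d, n)


def rsa_apply(value, key):
    """Encrypt, decrypt, sign and verify are the same modular exponentiation;
    which key is used decides the meaning (value must be smaller than n)."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    print(verify_password("correct horse", salt, digest))  # True
    print(shift_cipher("ABC", 2), shift_cipher("CDE", -2))  # CDE ABC
    pub, priv = toy_rsa_keypair()
    print(rsa_apply(rsa_apply(65, pub), priv))              # 65 again
```

The RSA round trip works in both directions, which is the "vice versa" of slide 13: public then private is encryption, private then public is a signature check. The shift cipher makes the slide's key-distribution point concrete: anyone holding the number 2 can decrypt, so the key itself is the secret to protect.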

Slide 14: DEMO

Slide 15: Crawlers
- Any public data can be collected.
- Filter queries according to the user who will receive the results, so that each request returns only what that user is entitled to see.
- This form of attack is very hard to detect.

Slide 16: 2nd Degree Injection / HTML Injection
- The attacker places HTML/JavaScript code within a record; the code is executed on the client side later, when the record is rendered.
- This kind of attack does not jeopardize the DB.
- If the application requires that HTML/JavaScript code be stored in the DB, validate this code by whitelisting: allow only known-safe tags and escape everything else.
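The whitelisting the slide asks for, as an added example that is not part of the presentation: a small sanitizer built on the standard library's HTMLParser that keeps only an allowlist of tags, drops every attribute (so onclick and friends never survive) and escapes anything else so it renders as text. The allowlist itself is a hypothetical choice for a comment field; the inputs in the usage section are constructed.

```python
"""Added example: whitelist-based HTML sanitizer for stored user content."""
import html
from html.parser import HTMLParser

# Hypothetical allowlist for a comment field: formatting only, no attributes.
ALLOWED_TAGS = {"b", "i", "p", "br"}


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the markup from parsed tokens. Allowed tags are re-emitted bare,
    everything else (unknown tags, script bodies, attributes) is escaped or
    dropped, and any tag left open is closed at the end."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
            if tag != "br":
                self.stack.append(tag)
        else:
            # Unknown tag: emit its raw text escaped so the browser shows it as text.
            self.out.append(html.escape(self.get_starttag_text() or ""))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(html.escape(self.get_starttag_text() or ""))

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack:  # close down to the matching open tag
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Script/style bodies arrive here too and get escaped like any text.
        self.out.append(html.escape(data))

    def result(self):
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(untrusted):
    """Return markup containing only allowlisted, attribute-free tags."""
    parser = WhitelistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: a benign comment and two stored-XSS attempts.
    for sample in ("<b>hello</b> world",
                   "<script>alert(1)</script>",
                   '<b onclick="steal()">click</b><img src=x onerror=alert(1)>'):
        print(sanitize(sample))
```

Run this on the way in (before the record is written) and again on the way out if older records predate the rule; escaping on output is the default, and the allowlist is the exception you grant only to the tags the feature actually needs.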

Slide 17: Thank you




