Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Published byKendall Allerton Modified over 10 years ago

Similar presentations

Presentation on theme: "Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013."— Presentation transcript:

1 Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013

2 Bio

3 How Important is SQL Injection?

4 SQL injection continues to reign as hackers' most consistently productive technique for stealing massive dumps of sensitive information within corporate databases. In fact, according to analysis done by database security firm Imperva of breach events between 2005 and July of this year, 82 percent of lost data due to hacking was courtesy of SQL injection. http://www.darkreading.com/database- security/167901020/security/news/240006491/hacktivists-continue-to-own- systems-through-sql-injection.html

5 http://news.techworld.com/security/3331283/barclays-97- percent-of-data-breaches-still-due-to-sql-injection/

6 In 2008 SQL Injection became the leading method of malware distribution 16 percent of websites are vulnerable to SQL Injection http://jeremiahgrossman.blogspot.com/2009/02/sql-injection-eye-of- storm.html

7

8 Are You Vulnerable?

9 Example SQL Injection Vulnerability

10

11

12

13 The Commands Used to Steal the Data

14 Data Breach

15

16 Hands-On SQL Injection Project http://samsclass.info/124/proj11/SQLi-MPICT.htm

17 Series of Projects

18 Open Web Application Security Project (OWASP) –Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications –Publishes the Ten Most Critical Web Application Security Vulnerabilities

19 Top-10 Web application vulnerabilities Cross-site scripting (XSS) flaws –Attackers inject code into a web page, such as a forum or guestbook –When others user view the page, confidential information is stolen –See link Ch 10za Command injection flaws –An attacker can embed malicious code and run a program on the database server –Example: SQL Injection

20 Top-10 Web application vulnerabilities Malicious file execution –Users allowed to upload or run malicious files Unsecured Direct Object Reference –Information in the URL allows a user to reference files, directories, or records Cross-site Request Forgery (CSRF) –Stealing an authenticated session, by replaying a cookie or other token

21 Top-10 Web application vulnerabilities Information Leakage and Incorrect Error Handling –Error messages that give away too much information Broken Authentication and Session Management –Allow attackers to steal cookies or passwords

22 Top-10 Web application vulnerabilities Unsecured cryptographic Storage –Storing keys, certificates, and passwords on a Web server can be dangerous Unsecured Communication –Using HTTP instead of HTTPS Failure to Restrict URL Access –Security through obscurity –Hoping users don't find the "secret" URLs

23 Cross-Site Scripting (XSS) One client posts active content, with tags or other programming content When another client reads the messages, the scripts are executed in his or her browser One user attacks another user, using the vulnerable Web application as a weapon 23

24 alert("XSS vulnerability!") alert(document.cookie) window.location="http://www.ccsf.edu" 24

25 XSS Scripting Effects Steal another user's authentication cookie – Hijack session Harvest stored passwords from the target's browser Take over machine through browser vulnerability Redirect Webpage Many, many other evil things… 25

Download ppt "Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft.

More Secure Online Services Powered by the Microsoft SDL Bryan Sullivan Security Program Manager, SDL Microsoft.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Similar presentations

Ads by Google