Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction The concept of “SQL Injection”

Similar presentations


Presentation on theme: "Introduction The concept of “SQL Injection”"— Presentation transcript:

1 Introduction The concept of “SQL Injection”
Commands susceptible to injection attacks Some simple code Some security holes Preventing injection attacks

2 SQL Injects – Start wailing...
Assuming you’ve got good security then the ability to make queries to an online database is difficult. A hacker would need to know the name and server location of the database file and some information about the fields used in a Members table in order to run a hack. This could take a long time to guess... Surprisingly, hacking passwords can be done using SQL injection routines on website forms.

3 SQL Injection This kind of attack is not a technological security hole in the Operating System or server software. It depends on the way that a website is developed. Some developers are unaware of this kind of attack and unknowingly develop web applications which open doors for hackers to inject SQL Queries / Commands into the system. To be able to perform SQL Injection hacking, all an attacker needs is a web browser and some guess work to find important table and field names.

4 SQL Injection Once an attacker realizes that a system is vulnerable to SQL Injection, they are able to inject SQL Query / Commands through an input form field. This is equivalent to handing the attacker the Query Browser, allowing him to send any SQL command like SELECT, INSERT, DELETE and DROP TABLE to the database!

5 Here’s a standard login form:
<form method="post" action="login.php"> <input type="text" name="username"> <input type="password" name="password"> </form> And here’s a standard PHP SELECT SQL statement that is built from the user’s input to the form: "SELECT userid FROM Members WHERE username = '$username' AND password = '$password' ";

6 This would build the following SQL SELECT statement:
Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x This would build the following SQL SELECT statement: "SELECT userid FROM Members WHERE username = 'Joe' AND password = 'anything' OR 'x'='x' "; Because the application is just constructing a string, the use of the single quotes has turned the WHERE into a two- component clause. The 'x'='x' part guarantees to be true regardless of what the first part contains. This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

7 Finding useful information
Most members-only websites contain a link to retrieve a forgotten password If not carefully designed, then these forms are ripe for hacking! Mostly, these forms just consist of a single input box into which you type your address Put this into a “retrieve login details” form and change 'field' to any fieldname (e.g. ): x' OR field LIKE '%harry%

8 Finding useful information
If the field does not exist, you will get an SQL error Otherwise you’ve found a field name! If the user does not exist, you will probably be told that your username is invalid Otherwise, you will get some kind of "We have ed your user details to your address" type message (usually giving the address in the process) Therefore, by trial and error, you can find a valid user address within the table! Now, what can we do with this information?..

9 Using gained information
In SQL Server, Oracle and MySQL we can run multiple SQL statements by using SQL injections: Assuming we have discovered that the field in the database is ‘ ’ and we have found a valid address then we can change their address in the table to ours: x'\; UPDATE Members SET = WHERE =

10 Using gained information
Now we can get hold of their password by simple entering our address into the retrieve password form Scary huh? How about deleting tables? x' UNION DROP TABLE Users;-- This makes use of the SQL comment - - to close off the statement making it valid Surprisingly, MS Access cannot run multiple SQL commands in one go and so paradoxically is safer!

11 Preventing SQL Injections
The best way to defend against SQL injection attacks is: to use “prepared statements” if possible to filter extensively any input that a user can give You should remove everything but the known good data and filter meta characters from the user input Remember to put maxlength attributes on your input boxes but don’t rely on them This helps to ensure that only what should be entered in the field will be submitted to the server

12 Background Reading SQL injection: tion_Prevention_Cheat_Sheet Prepared statements: syntax-prepared-statements.html


Download ppt "Introduction The concept of “SQL Injection”"

Similar presentations


Ads by Google