Presentation on theme: "SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a."— Presentation transcript:

1 SQL INJECTIONS Presented By: Eloy Viteri

2 What is SQL Injection? An SQL injection attack is executed when a web page allows users to enter text into a text box, and that text is used to run a query against the database. SQL injection attacks revolve around poorly written code that does not handle meta-characters such as / or \ or -.

3 SQL Query What happens when a user submits a username and password on a webpage? SQL Injection. Digital image. VAPT MIT Project Welcome. Web. 30 July 2013.

4 The Attacker The attacker begins by checking whether the SQL server will reveal error messages. When the URL http://www.***.com/login.php?user=’a&pass=’a is entered, an error page is generated and displayed.

5 SQL Attack When the error page is displayed, the attacker can see some vital information, such as:

6 SQL Attack Knowing that the SQL server is Microsoft SQL Server, the attacker knows that the comment sequence is --. Now the site has been identified as vulnerable and the SQL query underlying the website's login process has been obtained. The attacker can now change the query to something more useful:

7 SQL Attack The above query would result in logging in as admin without needing the password, because of where the comment characters -- are placed: everything after them, including the password check, is ignored.

8 SQL Attack Or, the attacker could interact with the HTTP GET request directly by typing the URL:

9 SQL Injection SQL Injection Diagram. Digital image. Securing Your Database Server. Web. 30 July 2013.

10 What to do?
Client-side input validation: minimizes the number of round trips between the submitted form and the returned error message.
Server-side input validation: used to validate sensitive data on the server before the application server processes it.
Double-checking input validation: duplicate the form validation modules on both the client and server sides.
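As an added illustration (not part of the presentation), this Python/sqlite3 script contrasts the concatenated login query the slides describe with a server-side validated, parameterised version. The users table, the credentials and the admin'-- input are constructed for the demo, and the assumption is that -- starts a line comment in SQLite as it does in Microsoft SQL Server.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory demo database; real systems store password hashes, not plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the pattern the slides describe."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    # With username "admin'--" the statement becomes
    #   SELECT id FROM users WHERE username = 'admin'--' AND password = '...'
    # and the password check is commented out.
    return conn.execute(sql).fetchone() is not None


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Server-side allow-list check: rejects quotes, comment sequences and other metacharacters."""
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(conn, username, password):
    """Validates on the server, then binds values as parameters so they are never parsed as SQL."""
    if not validate_username(username):
        return False
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin'--", "wrong"))  # True: the -- removes the password check
    print(login_safe(db, "admin'--", "wrong"))        # False: rejected by validation, and bound anyway
    print(login_safe(db, "admin", "s3cret"))          # True: legitimate login still works
```

Even without the allow-list check, the parameterised query treats admin'-- as a literal username that matches no row, which is why parameter binding is the primary control and validation the second layer.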
