Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection Attacks An overview by Sameer Siddiqui.

Published byBlaze Preston Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL Injection Attacks An overview by Sameer Siddiqui."— Presentation transcript:

1 SQL Injection Attacks An overview by Sameer Siddiqui

2 Agenda What is a SQL Injection Attack? An Example SQL Injection Attack Defenses Database Practice Infrastructure Practice Short Live DEMO

3 What is a SQL Injection Attack? Many web applications take user input from a form Often this user input is used literally in the construction of a SQL query submitted to a database. For example: –SELECT productdata FROM table WHERE productname = ‘user input product name’; A SQL injection attack involves placing SQL statements in the user input

4 An Example SQL Injection Attack Product Search: This input is put directly into the SQL statement within the Web application: –$query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘”. $_POST[‘prod_search’]. “’”; Creates the following SQL: –SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’ –Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x

5 A More Malicious Example What if the attacker had instead entered: –blah‘; DROP TABLE prodinfo; -- Results in the following SQL: –SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’ –Note how comment (--) consumes the final quote Causes the entire database to be deleted –Depends on knowledge of table name –This is sometimes exposed to the user in debug code called during a database error –Use non-obvious table names, and never expose them to user Usually data destruction is not your worst fear, as there is low economic motivation

6 Other injection possibilities Using SQL injections, attackers can: –Add new data to the database Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site Perform an INSERT in the injected SQL –Modify data currently in the database Could be very costly to have an expensive item suddenly be deeply ‘discounted’ Perform an UPDATE in the injected SQL –Often can gain access to other user’s system capabilities by obtaining their password

7 Defenses Use provided functions for escaping strings –Many attacks can be thwarted by simply using the SQL string escaping mechanism ‘  \’ and “  \” –mysql_real_escape_string() is the preferred function for this Not a silver bullet! –Consider: SELECT fields FROM table WHERE id = 23 OR 1=1 No quotes here!

8 More Defenses Check syntax of input for validity –Many classes of input have fixed languages Email addresses, dates, part numbers, etc. Verify that the input is a valid string in the language Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may decide to not allow these If you can exclude quotes and semicolons that’s good –Not always possible: consider the name Bill O’Reilly Want to allow the use of single quotes in names Have length limits on input –Many SQL injection attacks depend on entering long strings

9 Even More Defenses Scan query string for undesirable word combinations that indicate SQL statements –INSERT, DROP, etc. –If you see these, can check against SQL syntax to see if they represent a statement or valid user input Limit database permissions and segregate users –If you’re only reading the database, connect to database as a user that only has read permissions –Never connect as a database administrator in your web application

10 More Defenses Never display SQL errors or other raw system errors back to the user. Can provide additional attack vectors for hackers. Whenever an exception occurs, display a generic message, and log the actual error and user input. Whenever a request fails validation or sanitation checks, use a generic response, terminate the user’s session, and log the error in detail.

11 Use Detailed Logs Detailed logging introduces additional storage and process overhead, but it is invaluable in debugging and in identifying security weaknesses. Unexpected conditions, rejected requests, and similar errors are usually the first sign your web application is under attack.

12 Database Practice Create Two accounts: –Database Owner Has rights over all the objects in a database or schema. Equivalent to DBA level access for a database/schema. Used to build out and maintain an application database. Never used by web applications. –Application Account/Database proxy account Has minimal rights needed for application: –All rights to each object are explicitly declared. –Owns no objects directly. –No access to metadata in db platform. –Restricted login locations if possible.

13 Database Practices-Strong Typing Columns must be strongly typed: –Numbers as Numbers. –Characters limited to the exact maximum required. –Dates stored as dates If performance is acceptable use check constraints or triggers: –Force format masks and character ranges such as 0-9 for SSN, etc. Use look up tables for reference values and enforce foreign keys.

14 Infrastructure Practice Use a central logging tool looking for SQL Injection behavior: –SQL Errors –Queries against metadata from web apps Use manual scanning tools such as grep, awk, and log parsers to look for unauthorized queries/sql requests

15 Infrastructure Practice The best security measure is one that catches problems before they are revealed. As part of QAT or UAT testing, applications must be automatically scanned for vulnerabilities. Reveals vulnerabilities above and beyond simple penetration testing. Many excellent products: –Rational APPSCAN from IBM (was Watchfire) –Acunetix –NTO Spider

16 References CS 183 : Hypermedia and the Web UC Santa Cruz OWASP SQLzoo.net

17 Be careful out there!

Download ppt "SQL Injection Attacks An overview by Sameer Siddiqui."

Similar presentations

MSc IT UFCE8K-15-M Data Management Prakash Chatterjee Room 2Q18

MSc IT UFCE8K-15-M Data Management Prakash Chatterjee Room 2Q18
Understand Database Security Concepts

Understand Database Security Concepts
Web Pricing User Manual https://www.commissaries.com/webpricing.

Web Pricing User Manual
SQL’s Data Definition Language (DDL) n DDL statements define, modify and remove objects from data dictionary tables maintained by the DBMS n Whenever you.

SQL’s Data Definition Language (DDL) n DDL statements define, modify and remove objects from data dictionary tables maintained by the DBMS n Whenever you.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.

Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Introduction to Structured Query Language (SQL)

Introduction to Structured Query Language (SQL)
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.

+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.
EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.

EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.

Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.

Similar presentations

Ads by Google