SQL Injection<br />Vadim Gellerman<br />
What is SQL Injection?<br />SQL injection is a code injection technique that exploits a security vulnerability occurring i...
3 Classes of SQL Injection<br />SQL Injection can be broken up into 3 classes:<br />Inband - data is extracted using the s...
Inband is the most common, so let’s focus on that:<br />Assume that you have a website with this existing hyperlink:<br />...
Inband ctd.<br />Some other examples of SQL injection through the inbound use of a hyperlink are:<br />http://www.mydomain...
SQL Injection for Login Credential Manipulation<br />SQL injection can also be used to grant login access onto a website, ...
Defending against SQL Injection<br />URL based injection:<br />Avoid using clear text when coding in SQL.<br />If your dat...
Defending Against Injection ctd.<br />Login based injection:<br />Restrict input field length. Instead of allowing an unli...
FIN<br />
Upcoming SlideShare
Loading in …5
×

SQL Injections - A Powerpoint Presentation

13,815
-1

Published on

A presentation going over various SQL injections and how to secure your website and server from them. Written by Vadim Gellerman.

Published in: Technology
1 Comment
7 Likes
Statistics
Notes
  • plz snd slids in this mail
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
13,815
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
647
Comments
1
Likes
7
Embeds 0
No embeds

No notes for slide

SQL Injections - A Powerpoint Presentation

  1. 1. SQL Injection<br />Vadim Gellerman<br />
  2. 2. What is SQL Injection?<br />SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed. This allows alteration of, for example, a hyperlink, which would then cause a false positive query result from the database and grant you access.<br />
  3. 3. 3 Classes of SQL Injection<br />SQL Injection can be broken up into 3 classes:<br />Inband - data is extracted using the same channel that is used to inject the SQL code. <br />This is the most straightforward kind of attack, in which the retrieved data is presented <br />directly in the application web page<br />2. Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of <br />the query is generated and sent to the tester)‏<br />3. Inferential - there is no actual transfer of data, but the tester is able to reconstruct the <br />information by sending particular requests and observing the resulting behaviour of the <br />website/DB Server.<br />
  4. 4. Inband is the most common, so let’s focus on that:<br />Assume that you have a website with this existing hyperlink:<br />http://[sitedomain]/products/products.asp?productid=123<br />This is a common format, and clicking it would take you to the product with ProductID = 123.<br />From a SQL standpoint, this would could look like:<br />SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = 123<br />Since the product id is actually visible in the link, it’s not very safe, and is open to alteration and injection.<br />Append or 1=1 to the link, to make it:<br />http://[sitedomain]/products/products.asp?productid=123 or 1=1<br />Now from a SQL standpoint this becomes:<br />SELECT ProductName, Product Description FROM Products WHERE ProductNumber = 123 OR 1=1<br />Since 1 = 1 is always true, this grants you access to the database, and displays all Product Names and Descriptions.<br />
  5. 5. Inband ctd.<br />Some other examples of SQL injection through the inbound use of a hyperlink are:<br />http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products<br />http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT user-name, password FROM USERS<br />The first will drop the products table, while the second while return two tables, the productID, and the union joined table with a list of user names and passwords.<br />
  6. 6. SQL Injection for Login Credential Manipulation<br />SQL injection can also be used to grant login access onto a website, or online database GUI.<br />In order to do this, you use true statements to bypass security, or in some cases by using the administrative rights account.<br />When logging onto a site, or server, the user name and password you put in is compared to an encrypted list in order to determine what type of access, if any, you have.<br />By using a true statement, such as ‘or 1=1’ will cause the database to believe you input proper credentials.<br />
  7. 7. Defending against SQL Injection<br />URL based injection:<br />Avoid using clear text when coding in SQL.<br />If your database and webpage are constructed in a way where you can view the data, it’s open to injection.<br />http://mysite.com/listauthordetails.aspx?SSN=172-32-9999<br />As in prior example, you could add a drop, or other command, to alter the database.<br />Passwords, and other sensitive information need to be either encrypted or one way hashed. There is no full proof way to defend from injection, but by limiting sensitive information, you can insure that your information is at least somewhat protected.<br />
  8. 8. Defending Against Injection ctd.<br />Login based injection:<br />Restrict input field length. Instead of allowing an unlimited amount of characters to be entered for user name and password, restricting them will make it more difficult for someone to run a malicious query. While it may not prevent direct read access, it can prevent statements like drop.<br />User privileges:<br />Have a “Superuser/Admin” with full rights, but limit other users to only the things they need to do. This way, if someone accesses the database, they’ll have a restricted amount of privileges.<br />Use proper escapes strings, generally created through PHP.<br />$SQL = "SELECT * FROM users where username = "mysql_real_escape_string($POST['user']);<br />When someone tries to access the database using a command like OR 1’”;, their query would return ’ OR 1’, because your query was created to have a defined escape string.<br />
  9. 9. FIN<br />
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×