D:\Technical\Ppt\Sql Injection
Transcript

  • 1. SQL Injection
    • What is SQL Injection?
    • SQL Injection Attack
    • SQL Injection Prevention
    • Cross-Site Scripting
  • 2. What is SQL Injection?
    • SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database.
    • SQL injection can occur when an application uses input to construct dynamic SQL statements. Successful SQL injection attacks enable malicious users to execute commands in an application's database.
    • Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. A SQL injection attack involves placing SQL statements in the user input.
    • Almost all existing databases are subject to SQL injection attacks to varying degrees.
  • 3. SQL Injection Attack
    • Take an ASP page that links you to another page with the following URL: http://sqlinject/index.asp?customer=Talentica
    • In the URL, 'customer' is the variable name and 'Talentica' is the value assigned to it. To handle that, the ASP page might contain the following code:
    • v_cat = request("customer")
    • sqlstr = "SELECT * FROM Customer_Master WHERE Customer='" & v_cat & "'"
    • set rs = conn.execute(sqlstr)
    • Thus the SQL statement becomes: SELECT * FROM Customer_Master WHERE Customer = 'Talentica'
    • Now assume that we change the URL to something like this: http://sqlinject/index.asp?customer=Talentica' or 1=1--
    • Our variable v_cat now equals "Talentica' or 1=1--". Substituting this into the SQL query gives: SELECT * FROM Customer_Master WHERE Customer = 'Talentica' or 1=1--'
  • 4. SQL Injection Attack (Contd.)
    • Take the following page for another example: http://sqlinject/index.asp?id=10
    • We will try to UNION the integer '10' with another string from the database: http://sqlinject/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25USER%25'--
    • The same technique then retrieves a column name from that table: SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='USERS' AND COLUMN_NAME LIKE '%USER%'
  • 5. SQL Injection Attack (Contd.)
    • The login page had a traditional username-and-password form, but also an email-me-my-password link; the latter proved to be the downfall of the whole system.
      • SqlDataAdapter myCommand = new SqlDataAdapter("SELECT username, password FROM users WHERE username = '" + SSN.Text + "'", myConnection);
      • The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings with strings entered by the user:
      • var user = Request.Form("iusername");
      • var password = Request.Form("ipassword");
      • var sql = "SELECT username, password FROM users WHERE username = '" + user + "' AND password = '" + password + "'";
      • The developer's intention was that when the code runs, it inserts the user's input and generates the following SQL statement:
      • SELECT username, password FROM users WHERE username = @existinguser
  • 6.
    • select * from Users where username = 'test'
    • A change in the response to the next query is a dead giveaway that user input is not being sanitised properly and that the application is ripe for exploitation:
      • select * from Users where username = 'test' OR 'x'='x'
    • SELECT * FROM Users WHERE emailid = 'x' OR username LIKE '%test%';
    • SELECT * FROM Users WHERE emailid = 'x'; DROP TABLE test; --';
    • SELECT * FROM Users; INSERT INTO Users VALUES (3, 'test', 'test', 'abcd@yahoo.com'); --';
    • SELECT * FROM Users WHERE emailid = 'x'; UPDATE Users SET emailid = 'abcd@yahoo.com';
  • 7. SQL Injection Prevention
    • Check and filter user input.
      • Length limit on input (most attacks depend on long query strings).
      • Do not allow suspicious keywords (DROP, INSERT, SELECT, SHUTDOWN).
      • Call stored procedures instead of sending SQL statements directly to the database; a parameter is treated as a literal value, not as executable code.
    • Eliminate string concatenation when building SqlCommand text.
    • Use SqlCommand with Parameters.
    • Eliminate EXECUTE (@sql).
    • If dynamic SQL is required, use sp_executesql with parameters.
    • Review your application's use of parameterized stored procedures.
    • Principle of Least Privilege
      • A user or process should have the lowest level of privilege required to perform its assigned task.
      • If you know a specific user will only read from the database, do not grant it root privileges.
      • Segregate users. Define roles.
    • The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code.
    • Coding techniques are available for protecting against SQL injection.
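The concatenated lookup from slides 3 and 5 placed next to the parameterised form that slide 7 calls for, as an added example that is not part of the deck. It substitutes Python's standard sqlite3 module for ASP and SqlCommand (the binding mechanism is the same idea: fixed statement text, values supplied separately), the Customer_Master rows are constructed here, and the 64-character limit is an assumed value for the length check on slide 7.

```python
import sqlite3

MAX_INPUT_LEN = 64  # length limit from the prevention slide; the value is an assumption


def make_db():
    """Constructed in-memory stand-in for the deck's Customer_Master table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer_Master (Customer TEXT, Balance INTEGER)")
    conn.executemany(
        "INSERT INTO Customer_Master VALUES (?, ?)",
        [("Talentica", 100), ("Acme", 250), ("Globex", 75)],
    )
    conn.commit()
    return conn


def lookup_concat(conn, customer):
    """Vulnerable: the same string concatenation as the ASP sample on slide 3.

    Whatever arrives in `customer` becomes part of the SQL text, so a quote in
    the input ends the literal and the remainder is parsed as SQL.
    """
    sqlstr = "SELECT Customer FROM Customer_Master WHERE Customer='" + customer + "'"
    return sorted(row[0] for row in conn.execute(sqlstr))


def lookup_param(conn, customer):
    """Hardened: the SqlCommand-with-Parameters approach from slide 7.

    The statement text is fixed; the driver binds the value separately, so a
    quote or a trailing `--` is just characters compared against the column.
    """
    sqlstr = "SELECT Customer FROM Customer_Master WHERE Customer=?"
    return sorted(row[0] for row in conn.execute(sqlstr, (customer,)))


def input_is_acceptable(value, limit=MAX_INPUT_LEN):
    """Defence in depth: the length check slide 7 recommends.

    This is a filter, not the control; parameterisation is what stops injection.
    """
    return isinstance(value, str) and 0 < len(value) <= limit


def safe_lookup(conn, raw_input):
    """Reject over-long input, then run only the parameterised query."""
    if not input_is_acceptable(raw_input):
        return None
    return lookup_param(conn, raw_input)


if __name__ == "__main__":
    db = make_db()
    payload = "Talentica' or 1=1--"  # the input from slide 3
    print("concat, normal :", lookup_concat(db, "Talentica"))
    print("concat, payload:", lookup_concat(db, payload))  # every row comes back
    print("param,  payload:", lookup_param(db, payload))   # no row matches
```

Running the block shows the two behaviours side by side: the concatenated query returns every customer for the slide 3 input because `' or 1=1--` rewrites the WHERE clause, while the parameterised query returns nothing because the whole string is compared as a value. The length check only narrows what reaches the query; keyword filtering and length limits on their own do not make the concatenated form safe.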
  • 8. Cross-Site Scripting
    • Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting".
    • Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user.
    • After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them.
    • e.g. an attack on your database could update up to 5000 rows in every table and replace the strings in your database with random XSS payloads.
    • Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.
    • To prevent cross-site scripting:
      • Check that ASP.NET request validation is enabled.
      • Review ASP.NET code that generates HTML output.
      • Determine whether HTML output includes input parameters.
      • Review potentially dangerous HTML tags and attributes.
      • Evaluate countermeasures.
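The guestbook case from the slide, as an added example that is not part of the deck: a post is rendered once with the input parameters copied straight into the HTML output and once with them encoded at the point of output. Python's html.escape stands in for ASP.NET's HttpUtility.HtmlEncode; the post text is constructed here, and the review check at the end is the "does the HTML output include an unencoded input parameter" question from the slide.

```python
import html

# Constructed guestbook post; not data from the deck.
SAMPLE_AUTHOR = "guest"
SAMPLE_BODY = "hello <script>alert(1)</script> & goodbye"


def render_post_unsafe(author, body):
    """Vulnerable: input parameters flow into the HTML output unchanged, so any
    markup a user submitted is rendered as part of the page."""
    return '<div class="post"><b>' + author + '</b>: ' + body + '</div>'


def render_post_safe(author, body):
    """Hardened: every input parameter is HTML-encoded where it is written out.
    html.escape turns < > & " ' into entities, the same job HttpUtility.HtmlEncode
    does in ASP.NET, so the browser shows the text instead of executing it."""
    return (
        '<div class="post"><b>' + html.escape(author, quote=True) + '</b>: '
        + html.escape(body, quote=True) + '</div>'
    )


def output_contains_live_tag(rendered):
    """Review check from the slide: does the generated HTML still carry an
    unencoded tag that originated in user input?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_post_unsafe(SAMPLE_AUTHOR, SAMPLE_BODY))
    print(render_post_safe(SAMPLE_AUTHOR, SAMPLE_BODY))
```

The encoding has to match the output context: html.escape is correct for HTML text and quoted attribute values, but a value written into a JavaScript block or a URL needs that context's encoding instead. Request validation on the way in is a filter; encoding on the way out is the control the slide's review steps are checking for.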