SQL Injection attacks and prevention
I recently gave this presentation to our engineers here at Network18. Thought I'll share it with a larger audience also.

Transcript

  • 1. SQL Injection. Anand Jain (@helloanand), Tech at Network18
  • 2. What is it? SQL Injection allows a user-specified query, rather than the programmer-specified one, to execute in the database.
  • 3. Excuse me, WHAT? Unintended SQL queries run in the DB. Most of the time it also alters the original query.
  • 4. Let's see how it happens
  • 5. Actual use case
        $sql = "SELECT * FROM ARTICLES WHERE id = " . $_GET["id"];
        // executed query: SELECT * FROM ARTICLES WHERE ID = 1234
        $result = mysql_query($sql);
  • 6. SQL injected input
        $sql = "SELECT * FROM ARTICLES WHERE id = " . $_GET["id"];
        // executed query: SELECT * FROM ARTICLES WHERE ID = 1234; DROP TABLE ARTICLES
        $result = mysql_query($sql);
  • 7. Ok, but... How will the attacker know what I've named my table?
  • 8. Good question
  • 9. There are queries for that too...
        http://www.site.com/articles.php?id=1234 UNION SELECT group_concat(schema_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.schemata --
  • 10. There are queries for that too...
        http://www.site.com/articles.php?id=1234 UNION SELECT group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database() --
  • 12. SQL attack steps
    • Searching for a vulnerable point
    • Fingerprinting the backend DB
    • Enumerating or retrieving data of interest: table dumps, usernames/passwords etc.
    • Eventually exploiting the system once the information is handy: OS take over, data change, web server take over etc.
  • 13. It is a very serious problem
    • The attacker can delete, modify or, even worse, steal your data
    • Compromises the safety, security and trust of user data
    • Compromises a company's competitiveness or even its ability to stay in business
  • 14. How to mitigate the risk
    • Escape all user-supplied input
    • Always validate input
    • Use prepared statements
      – For PHP + MySQL, use PDO with strongly typed parameterized queries (using bindParam())
    • Code reviews
    • Don't store passwords in plain text in the DB
      – Salt them and hash them
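As an added example that is not part of the presentation, the contrast between slides 5/6 and slide 14 in runnable Python: the same article lookup once with string concatenation and once as a prepared statement with a strongly typed bound parameter. An in-memory SQLite database stands in for PHP + MySQL; the tables, rows and the injected id string are all constructed for illustration, and the principle carries over unchanged to PDO's bindParam().

```python
import re
import sqlite3

# Allow-list for the id parameter (slide 15 style): 1 to 10 digits only.
ID_RX = re.compile(r"[0-9]{1,10}")


def make_db():
    # Constructed in-memory stand-in for the ARTICLES table on slide 5,
    # plus a second table that an injected UNION could read from.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1234, "Hello world"), (1235, "Second post")])
    conn.execute("INSERT INTO users VALUES (1, 'admin')")
    return conn


def fetch_article_unsafe(conn, raw_id):
    # Slides 5/6: the request parameter is pasted into the SQL text, so
    # whatever the client sends becomes part of the statement.
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def is_valid_article_id(raw_id):
    return ID_RX.fullmatch(raw_id) is not None


def fetch_article_safe(conn, raw_id):
    # Slide 14: prepared statement with a strongly typed bound parameter.
    # The value travels separately from the SQL text and cannot change the
    # statement's structure; the allow-list check is defence in depth.
    if not is_valid_article_id(raw_id):
        raise ValueError("article id must be 1 to 10 digits")
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input in the shape of slides 9/10: a UNION appended to the id.
    injected = "1234 UNION SELECT id, username FROM users --"
    print(fetch_article_unsafe(db, "1234"))     # one article row
    print(fetch_article_unsafe(db, injected))   # article row plus the users row
    print(fetch_article_safe(db, "1234"))       # one article row
    try:
        fetch_article_safe(db, injected)
    except ValueError as exc:
        print("rejected:", exc)
```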
  • 15. Escape and validate input
    • Escape all input
      – Whether supplied via the URL or via POST data
      – Even for internal APIs
      – Anything that goes to the DB is escaped
    • Validate all input. Validating a free-form text field for allowed characters (numbers, letters, whitespace, .-_):
      – ^[a-zA-Z0-9\s._-]+$ (any number of characters)
      – ^[a-zA-Z0-9\s._-]{1,100}$ (this is better, since it limits the field to 1 to 100 characters)
    • Source: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
  • 16. Least privilege
    • To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment.
    • Do not assign DBA or admin-type access rights to your application accounts.
    • Don't run your DBMS as root or system!
  • 17. URL rules
    • No parentheses or angle brackets in the URLs
      – Remove them from the URLs while saving or generating
      – If you really need parentheses or angle brackets in the URL, encode them
    • A URL should not end with two or more dashes ("--")
      – Remove these from the URLs while saving or generating
    • A URL should not end with "/*"
      – Remove these from the URLs while saving or generating
    • No schema, table or column names should be part of your URL
    • These rules should be followed even for AJAX/JSON URLs
  • 18. Quick fixes
    • For companies that have a large setup or a lot of legacy code that will take a long time to audit and fix, put some SQL injection detection patterns in your load balancer itself
    • Enable mod_security on Apache
    • Run the RIPS scanner on your PHP code to detect vulnerabilities: http://sourceforge.net/projects/rips-scanner/
  • 19. Common (My)SQL injection URL patterns
    • Ending with "--"
    • Ending with "/*"
    • Containing UNION, (ALL), SELECT and FROM
    • Containing BENCHMARK
    • Containing "information_schema"
    • Containing "load_file"
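The detection patterns of slide 19 (and the end-of-URL rules of slide 17) as a small Python log scanner; this is an added example, not code from the presentation. It percent-decodes each request URL before matching so encoded payloads are not missed. The Apache-style log lines, client IPs, paths and payload strings are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Detection patterns from slide 19, plus the "must not end with -- or /*"
# rules from slide 17. The names double as the reasons reported per hit.
PATTERNS = {
    "ends with --": re.compile(r"--\s*$"),
    "ends with /*": re.compile(r"/\*\s*$"),
    "UNION ... SELECT ... FROM": re.compile(
        r"\bUNION\b(?:\s+ALL)?.*?\bSELECT\b.*?\bFROM\b", re.I | re.S),
    "BENCHMARK()": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "load_file()": re.compile(r"\bload_file\s*\(", re.I),
}

# Apache common/combined log prefix: client IP ... "METHOD URL HTTP/x.y"
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_request(url):
    """Return the names of the patterns matched by one request URL."""
    # Decode percent-encoding twice so single- and double-encoded payloads
    # look the way the database would eventually see them.
    text = unquote_plus(unquote_plus(url)).strip()
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_log(log_text):
    """Return (client_ip, url, reasons) for every suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        ip, url = m.groups()
        reasons = classify_request(url)
        if reasons:
            hits.append((ip, url, reasons))
    return hits

# Constructed sample log lines; IPs, paths and payloads are made up.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2013:10:00:00 +0530] "GET /articles.php?id=1234 HTTP/1.1" 200 512
10.0.0.2 - - [01/Jan/2013:10:00:01 +0530] "GET /articles.php?id=1234%20UNION%20SELECT%20group_concat(table_name),2,3%20from%20information_schema.tables%20-- HTTP/1.1" 200 2048
10.0.0.3 - - [01/Jan/2013:10:00:02 +0530] "GET /search.php?q=dashes--are-fine HTTP/1.1" 200 128
10.0.0.4 - - [01/Jan/2013:10:00:03 +0530] "GET /articles.php?id=1%20AND%20BENCHMARK(1,1)/* HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, url, ", ".join(reasons))
```

The third sample line shows why the slide says "ending with": a double dash in the middle of a search term is not flagged.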
  • 20. Further reading
    • SQL attacks by example: http://www.unixwiz.net/techtips/sql-injection.html
    • OWASP: https://www.owasp.org/index.php/SQL_Injection
  • 21. Source: http://xkcd.com/327/ Thanks
