SQL Injection
SQL Injection is one of the most common ways to hack into login-based web applications. This presentation defines SQL Injection, discusses why it is dangerous, and how to prevent these types of attacks.

Transcript

  • 1. SQL Injection By Adam Reagan New York State Insurance Department Systems Bureau April 2009
  • 2. Definition
    • The injection of attacker-controlled text into a query so that the database layer of an application executes it as SQL
    • Sometimes referred to as the "buffer overflow" of web applications: in prevalence and impact it is to web applications roughly what buffer overflows are to native code
    • The analogy stops there. SQL Injection does not exploit memory management; it exploits the failure to keep the SQL statement separate from the data placed into it, and the payload is the attacker's own SQL. On some database servers, depending on configuration and the privileges of the application's database account, that SQL can reach operating-system commands, but the attack itself runs at the database layer
    • Often considered one of the most dangerous classes of attack in application security
  • 3. The Basic Idea
    • SQL Injection becomes possible when an application builds a query by concatenating user-supplied input into the SQL text
    • For example, if a user were to enter a username and password on a logon page, the following lines of code might be used to verify that the user exists:
  • 4. The Basic Idea (Continued)
    • If the user name and password are entered as expected, the query should execute with no problems
    • Example:
      • userName = "bob"
      • password = "secret1"
    • The resulting query from the previous slide would look like this:
  • 5. The Attack
    • Using the same code to verify that the user name and password exist in the database, what if the following parameters were entered by the user at the logon page:
      • userName = bob' OR '1' = '1' --
      • password = "whocares" (the value is irrelevant, as the next slide shows)
    • In this case, the query to be executed would look like this:
  • 6. The Attack (Continued)
    • In many SQL databases, "--" begins a comment that runs to the end of the line (MySQL requires a space after the dashes, so there the payload is written with a trailing space)
    • Anything following "--" is ignored by the parser and not executed
    • Therefore we don't even need to know the password: the closing quote and the entire AND password = '...' clause are commented out
    • Also note that '1' = '1' is always true, so userName = 'bob' OR '1' = '1' matches every row
    • That being said, the query from the previous slide will return a result set containing ALL rows from the USERS table, regardless of what user name is entered; an application that treats a non-empty result as a successful logon lets the attacker in
    • This is sometimes referred to as the "1 equals 1" attack
    • Keep in mind that this type of attack isn't limited to logon pages, but applies ANYWHERE user input is embedded in an SQL statement
    • Also, by entering a ';' in the user name field, an attacker can append a second, arbitrary statement. Whether the database executes it depends on the DBMS and the driver (some run only one statement per call), but where stacked queries are allowed, the attacker can run anything the application's database account may run, e.g. inserts, updates, deletes, or dropping tables, and do SERIOUS damage
  • 7. The Solution
    • Use PreparedStatements (parameterized queries)
    • Modify the code to verify that the user exists to look like this:
  • 8. The Solution (Continued)
    • With a prepared statement the SQL text, containing a "?" placeholder for each parameter, is parsed by the database first; the user-supplied values are then bound to the placeholders as typed data and cannot change the structure of the statement
    • Now, if the "1 equals 1" attack is attempted, no run-time error occurs: the whole string bob' OR '1' = '1' -- is compared, quotes and comment marker included, against the userName column, no row matches, and the logon fails just as it would for any unknown user name (database errors can still occur for other reasons, so the code should handle them)
    • Thus we have prevented the attacker from obtaining all of the data from the USERS table
  • 9. Other Tips
    • Set the maxlength attribute on HTML input textfields to limit the amount of input a browser will send, but enforce the same limit on the server: an attacker can submit the request without the form, so the attribute by itself blocks nothing
    • Validate the user's input in your Java class before query execution
      • In some of our Licensing web applications, the logon page requires a license number and password, both strictly numeric values
      • Apply the Integer.parseInt() method to each field
      • A NumberFormatException will be thrown if the "1 equals 1" attack is attempted, because the payload is not a number, and the request can be rejected before any query is built
      • Validation of this kind is a second layer; the PreparedStatement remains the control that prevents injection in free-text fields
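As an added example, not from the presentation, the numeric-only logon described on this slide in Python's sqlite3 module, with the server-side length check standing in for the form's maxlength and a digit check standing in for Integer.parseInt(). The table LICENSES, its columns, the 10-digit limit and the two rows are assumptions constructed for this example.

```python
"""Added example: slide 9's numeric validation placed in front of a
parameterized lookup, against a constructed in-memory LICENSES table."""
import sqlite3

MAX_LICENSE_DIGITS = 10  # assumed server-side counterpart of the form's maxlength


def make_license_db():
    """In-memory LICENSES table; both accounts are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE LICENSES (licenseNo INTEGER, password TEXT)")
    con.executemany("INSERT INTO LICENSES VALUES (?, ?)",
                    [(12345, "secret1"), (67890, "hunter2")])
    return con


def parse_license_number(raw):
    """Server-side check that the field holds only a short run of ASCII digits.

    Mirrors the slide's Integer.parseInt(): a "1 equals 1" payload raises
    ValueError before any SQL is built. The explicit digit and length test
    comes first because int() alone also accepts '+1', ' 1 ', '1_000' and
    non-ASCII digits, none of which is a valid license number here.
    """
    if not (0 < len(raw) <= MAX_LICENSE_DIGITS and raw.isascii() and raw.isdigit()):
        raise ValueError("license number must be 1-%d ASCII digits" % MAX_LICENSE_DIGITS)
    return int(raw)


def find_licensee(con, raw_license, password):
    """Logon lookup: validate first, then bind the typed value as a parameter.

    The validation is defence in depth; the parameterized query is what keeps
    the password field, which is free text, from altering the statement.
    """
    try:
        license_no = parse_license_number(raw_license)
    except ValueError:
        return []  # a malformed field is simply a failed logon
    sql = "SELECT licenseNo FROM LICENSES WHERE licenseNo = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (license_no, password))]


if __name__ == "__main__":
    con = make_license_db()
    print(find_licensee(con, "12345", "secret1"))             # [12345]
    print(find_licensee(con, "12345' OR '1' = '1' --", "x"))  # []: rejected by parse
    print(find_licensee(con, "12345", "' OR '1' = '1' --"))   # []: bound as data
```

The first rejected case never reaches the database, which is what the slide's NumberFormatException achieves; the second reaches it but is harmless because the password is bound as a parameter. Both layers are needed: the digit check says nothing about the free-text password field.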
  • 10. Summary
    • SQL Injection attacks are considered one of the most dangerous types of attack in web application security
    • Applications rely on user-supplied input to build certain queries
    • This input must be validated before being used in a query
      • Validate against what the field should contain (type, length, allowed characters); trying to recognize malicious input, e.g. quote or comment characters, is far less reliable, since attackers can vary their encoding
    • Use PreparedStatements instead of concatenating user-supplied input into a string variable to build a query
    • Because a prepared statement binds its parameters as data rather than as part of the SQL text, attacks such as the "1 equals 1" attack are prevented