Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How to Hack Your App Using SQL
Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily
www.youtube.com/c/TheMagicofSQL
blogs.oracle.com/sql
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
It's 2018! ...do we really need to talk about this?
https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
http://www.bbc.co.uk/news/technology-34963686
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/
SQL Vulnerabilities: WordPress
Jan 2017: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Jul 2017: https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/
Oct 2017: https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
codecurmudgeon.com/wp/sql-injection-hall-of-shame/
https://haveibeenpwned.com/
DEMO
Principle of Least Privilege
Data Red*****n
Can still
Use Bind Variables!
String sql =
  "select * from users " +
  "where username = '" + name + "' " +
  "and password = '" + pass + "'";
select full_name from users
where username = 'chris'
and password = 'chris';
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
Always true!
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
Everything you can select
String sql =
  "select * from users " +
  "where username = ? " +
  "and password = ?";
? = value placeholder
Inputs never part of SQL =>
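The two Java strings above are the whole difference between the vulnerable and the safe login query. As an added example (not code from the talk), here is the same comparison in Python with the standard-library sqlite3 module, so it runs offline without an Oracle database. The users table, its rows and the input values are constructed for the example; the injected username is the one the slides use.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the talk): a users table with plaintext
    passwords, exactly as the slides' demo query assumes. A real application
    stores password hashes and compares them in code, not in the WHERE clause."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text, full_name text)")
    conn.executemany(
        "insert into users values (?, ?, ?)",
        [("chris", "chris", "Chris Saxon"),
         ("ann", "s3cret", "Ann Example"),
         ("pat", "it's", "Pat O'Brien")],
    )
    return conn


def login_concat(conn, name, pw):
    """The vulnerable pattern from the slides: inputs spliced into the SQL text.

    Whatever the user types becomes part of the statement, so quotes and
    comment markers in the input change the query the database runs.
    """
    sql = ("select full_name from users where username = '" + name
           + "' and password = '" + pw + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, pw):
    """The fixed pattern: the SQL text is constant, values arrive as bind variables."""
    sql = "select full_name from users where username = ? and password = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def compare(name, pw):
    """Run both versions on the same input and return (concat_result, bound_result)."""
    conn = make_db()
    try:
        concat_result = login_concat(conn, name, pw)
    except sqlite3.OperationalError as exc:
        # The spliced statement no longer parses, e.g. an apostrophe in the input.
        concat_result = f"SQL error: {exc}"
    return concat_result, login_bound(conn, name, pw)


if __name__ == "__main__":
    # The slides' payload: closes the username literal, adds "or 1 = 1" and
    # comments out the password check. Constructed input.
    payload = "' or 1 = 1 --"
    print("payload, concat:   ", compare(payload, "anything")[0])  # every user's full name
    print("payload, bound:    ", compare(payload, "anything")[1])  # [] - no such user
    print("apostrophe, concat:", compare("pat", "it's")[0])        # SQL error
    print("apostrophe, bound: ", compare("pat", "it's")[1])        # ["Pat O'Brien"]
```

The apostrophe case is the reason binding is a correctness fix as well as a security fix: a legitimate password such as `it's` breaks the concatenated statement outright, while the bound version simply compares the value.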
PL/SQL is automatically bound
declare
  l_name   varchar2(30) := 'chris';
  l_pass   varchar2(30) := 'chris';
  user_rec sqlinjection.users%rowtype;
begin
  -- static SQL in PL/SQL: l_name and l_pass are passed to the statement as
  -- bind variables, never spliced into its text
  select *
  into   user_rec
  from   sqlinjection.users u
  where  u.username = l_name
  and    u.password = l_pass;
end;
These are bind variables
Least Privilege: execute on PL/SQL f(x)
I write dynamic SQL
String sql = "select * from users where 1 = 1 ";
if (param_1 != null) {
  sql = sql + " and c1 = ? ";
}
if (param_2 != null) {
  sql = sql + " and c2 = ? ";
}
// the predicates are optional, but the values still arrive through ? placeholders
can still bind
…but I accept identifiers
Sanitize input! DBMS_ASSERT
Change User Passwords
execute immediate 'alter user ' ||
  dbms_assert.schema_name ( user ) ||
  ' identified by "' ||
  replace(
    dbms_assert.enquote_literal ( pass ), ''''
  ) || '"';
-- schema_name raises if the value is not an existing schema;
-- enquote_literal raises if pass contains an unpaired single quote,
-- and replace strips the surrounding quotes enquote_literal added
Can't have single quotes (') in password!
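The dynamic-SQL slide and the identifier slides make two points that belong together: optional predicates can still use placeholders, and an identifier (a column or table name) cannot be bound, so it has to be validated instead. This added example, not code from the talk, shows both in Python with the sqlite3 module: the WHERE clause is assembled from fixed fragments with a parallel list of bind values, and a user-chosen sort column is accepted only if it is on an allow-list and looks like a simple SQL name. The table, its rows, the allow-list and the name pattern are all assumptions of the example; the pattern approximates what DBMS_ASSERT.SIMPLE_SQL_NAME checks for unquoted names rather than reproducing it.

```python
import re
import sqlite3

# Columns a caller may sort by. Identifiers cannot be bound, so the only safe
# way to accept one from a user is to check it against a fixed list like this.
ALLOWED_SORT_COLUMNS = ("username", "full_name")

# Approximation of the unquoted-name rule DBMS_ASSERT.SIMPLE_SQL_NAME enforces:
# a letter followed by letters, digits, _, $ or #. Assumed; used here only as a
# second line of defence behind the allow-list.
SIMPLE_SQL_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")


def make_db():
    """Constructed sample data for this example, not from the talk."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, full_name text, dept text)")
    conn.executemany(
        "insert into users values (?, ?, ?)",
        [("chris", "Chris Saxon", "devrel"),
         ("ann", "Ann Example", "finance"),
         ("pat", "Pat O'Brien", "devrel")],
    )
    return conn


def sort_column_allowed(name):
    """True only for an allow-listed, syntactically simple column name."""
    return name in ALLOWED_SORT_COLUMNS and SIMPLE_SQL_NAME.match(name) is not None


def build_query(username=None, dept=None, sort_by=None):
    """Assemble the statement from fixed fragments; every value becomes a ? placeholder.

    Returns (sql, binds). The SQL text never contains user data, only the
    optional predicates the caller asked for, so the value list can be passed
    straight to execute().
    """
    sql = "select username, full_name from users where 1 = 1"
    binds = []
    if username is not None:
        sql += " and username = ?"
        binds.append(username)
    if dept is not None:
        sql += " and dept = ?"
        binds.append(dept)
    if sort_by is not None:
        if not sort_column_allowed(sort_by):
            raise ValueError(f"sort column not permitted: {sort_by!r}")
        sql += " order by " + sort_by   # safe: sort_by is one of our own literals
    return sql, binds


def search(conn, **filters):
    sql, binds = build_query(**filters)
    return conn.execute(sql, binds).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(search(conn, dept="devrel", sort_by="full_name"))
    # The slides' payload in a value stays a value: no row has that username.
    print(search(conn, username="' or 1 = 1 --"))   # []
    # A real column that is not allow-listed, and a malformed name, are both refused.
    print(sort_column_allowed("dept"))               # False
    print(sort_column_allowed("full_name; --"))      # False
```

Keeping the allow-list as program constants is what makes the `order by` concatenation safe: the string that reaches the SQL text is always one of the module's own literals, never the caller's.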
I develop an internal app
employees can has your dataz?
How secure is your network?
[Diagram: Web Browser, Web Server, Database, with SSL and TDE marked]
Encryption here is overkill, right?
Transparent Data Encryption? SSL?
[Diagram: Web Browser, Web Server, Database, with SSL, TDE and Native Encryption marked]
See doc for more details
I don't have time to review all code
Test in CI/CD Process: Build, Test (run sqlmap), Deploy
Virtual Private Database
Restrict access at source

Employee Name    Manager Name   Salary  SSN
Kevin Mourgos    Steven King      5800  650-123-5234
Shanta Vollman   Steven King      6500  650-123-4234
Payam Kaufling   Steven King      7900  650-123-3234
Adam Fripp       Steven King      8200  650-123-2234
Matthew Weiss    Steven King      8000  650-123-1234
Girard Geoni     Matthew Weiss    2800  650-507-9879
Martha Sullivan  Matthew Weiss    2500  650-507-9878
Jean Fleaur      Matthew Weiss    3100  650-507-9877
Winston Taylor   Matthew Weiss    3200  650-507-9876
Steven Markle    Matthew Weiss    2200  650-124-1434
Virtual Private Database
Restrict access at source (same query with a VPD policy applied; masked values shown blank)

Employee Name    Manager Name   Salary  SSN
Kevin Mourgos    Steven King
Shanta Vollman   Steven King
Payam Kaufling   Steven King
Adam Fripp       Steven King
Matthew Weiss    Steven King      8000  650-123-1234
Girard Geoni     Matthew Weiss    2800
Martha Sullivan  Matthew Weiss    2500
Jean Fleaur      Matthew Weiss    3100
Winston Taylor   Matthew Weiss    3200
Steven Markle    Matthew Weiss    2200
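The two tables above show what "restrict access at source" means: the same query returns the full table to one caller and a column-masked view to another, and the masking is done by the database, not by each application. This added example, not code from the talk, emulates that effect in Python with the sqlite3 module on the slide's own employee rows. In Oracle the predicates would be returned by a policy function registered through DBMS_RLS and applied to every statement against the table; here the application's query layer applies them, which is an assumption of the example and is only as strong as that layer. The two policy predicates are constructed to reproduce the second table.

```python
import sqlite3

# The employees table from the slides (values as shown there).
EMPLOYEES = [
    ("Kevin Mourgos",   "Steven King",   5800, "650-123-5234"),
    ("Shanta Vollman",  "Steven King",   6500, "650-123-4234"),
    ("Payam Kaufling",  "Steven King",   7900, "650-123-3234"),
    ("Adam Fripp",      "Steven King",   8200, "650-123-2234"),
    ("Matthew Weiss",   "Steven King",   8000, "650-123-1234"),
    ("Girard Geoni",    "Matthew Weiss", 2800, "650-507-9879"),
    ("Martha Sullivan", "Matthew Weiss", 2500, "650-507-9878"),
    ("Jean Fleaur",     "Matthew Weiss", 3100, "650-507-9877"),
    ("Winston Taylor",  "Matthew Weiss", 3200, "650-507-9876"),
    ("Steven Markle",   "Matthew Weiss", 2200, "650-124-1434"),
]

# Policy predicates, one per sensitive column (constructed for this example).
# They reference only the table's columns and the :u bind for the current user,
# so the SQL text assembled below is built entirely from program constants.
POLICY = {
    "salary": "employee_name = :u or manager_name = :u",  # you and your direct reports
    "ssn":    "employee_name = :u",                        # only your own
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employees "
                 "(employee_name text, manager_name text, salary integer, ssn text)")
    conn.executemany("insert into employees values (?, ?, ?, ?)", EMPLOYEES)
    return conn


def employees_for(conn, current_user):
    """Every row, with each sensitive column masked to NULL where its policy predicate fails.

    The current user is passed as a bind variable; the CASE expressions are the
    policy, so every caller runs the same statement and gets a different view.
    """
    masked = ", ".join(
        f"case when {pred} then {col} end as {col}" for col, pred in POLICY.items()
    )
    sql = f"select employee_name, manager_name, {masked} from employees"
    return conn.execute(sql, {"u": current_user}).fetchall()


def visible(conn, current_user, employee):
    """(salary, ssn) as current_user sees them for one employee; None means masked."""
    for name, _manager, salary, ssn in employees_for(conn, current_user):
        if name == employee:
            return salary, ssn
    return None


if __name__ == "__main__":
    conn = make_db()
    for row in employees_for(conn, "Matthew Weiss"):   # reproduces the slide's second table
        print(row)
```

Running it as Matthew Weiss gives his own salary and SSN, the salaries of his five direct reports with their SSNs masked, and nothing for the rest of the table, which is exactly the second table above.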
How at risk am I?
DBSAT (Database Security Assessment Tool): My Oracle Support Doc ID 2138254.1
Security Layers
- PL/SQL
- Least Privilege
- Data R*******n
- Bind Variables
- Sanitize inputs
It's 2018! no excuses...
... your data!
sqlmap.org
#MakeDataGreatAgain
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

How to Hack Your App Using SQL Injection

  • 1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How to Hack Your App Using SQL. Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily. www.youtube.com/c/TheMagicofSQL blogs.oracle.com/sql
  • 2. It's 2018! ...do we really need to talk about this?
  • 3. https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
  • 4. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
  • 5. http://www.bbc.co.uk/news/technology-34963686
  • 6. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/
  • 7. SQL Vulnerabilities, WordPress: Jan 2017 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ ; Jul 2017 https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ ; Oct 2017 https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
  • 8. codecurmudgeon.com/wp/sql-injection-hall-of-shame/
  • 9. https://haveibeenpwned.com/
  • 10. DEMO
  • 11. [image slide]
  • 12. [image slide]
  • 13. [image slide]
  • 14. Principle of Least Privilege
  • 15. Least Privilege [image slide]
  • 16. Least Privilege [image slide]
  • 17. Least Privilege [image slide]
  • 18. Data Red*****n
  • 19. Data Red*****n. Can still
  • 20. Use Bind Variables!
  • 21. String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'";
  • 22. select full_name from users where username = 'chris' and password = 'chris';
  • 23. select full_name from users where username = '' or 1 = 1 --' and password = 'chris';
  • 24. select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; Always true!
  • 25. select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1';
  • 26. select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; Everything you can select
  • 27. String sql = "select * from users where username = ? and password = ?";
  • 28. String sql = "select * from users where username = ? and password = ?"; Value placeholder
  • 29. String sql = "select * from users where username = ? and password = ?"; Value placeholder. Inputs never part of SQL.
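Slides 21 to 29 contrast the concatenated login query with the bound one and show the two payloads that break the concatenated form. The script below is an added example, not code from the deck or from Oracle: it replays both payloads against each query form so you can see for yourself that the bound version returns nothing. It uses an in-memory SQLite database with constructed sample rows as a stand-in for the deck's USERS table, so sqlite_master plays the part of ALL_TABLES and the UNION payload's `1='1'` becomes `'1'='1'` (SQLite, unlike Oracle, does not implicitly convert a number to match a string). The function names and the sample users are assumptions of the example.

```python
import sqlite3

# Constructed sample data standing in for the deck's USERS table.
USERS = [
    ("chris", "chris", "Chris Saxon"),
    ("alice", "s3cret", "Alice Example"),
]


def make_db():
    """In-memory SQLite database with a users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text, full_name text)")
    conn.executemany("insert into users values (?, ?, ?)", USERS)
    return conn


def login_concat(conn, name, pw):
    """The slide-21 pattern: user input pasted straight into the SQL text.
    Whatever the user types becomes part of the statement the database parses."""
    sql = ("select full_name from users where username = '" + name
           + "' and password = '" + pw + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, pw):
    """The slide-27 pattern: '?' placeholders, values handed over separately.
    The input is only ever compared as data; it can never change the statement."""
    sql = "select full_name from users where username = ? and password = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Payloads from slides 23 and 25. The UNION one is adapted for SQLite:
# sqlite_master replaces ALL_TABLES and '1'='1' replaces 1='1'.
TAUTOLOGY = "' or 1 = 1 --"
UNION = "' union all select name from sqlite_master where '1'='1"


def demo():
    """Run the legitimate login and both payloads through each query form.
    Returns a dict of result lists so the outcome can be checked, not just printed."""
    conn = make_db()
    return {
        "legit_concat": login_concat(conn, "chris", "chris"),
        "legit_bound": login_bound(conn, "chris", "chris"),
        "tautology_concat": login_concat(conn, TAUTOLOGY, "chris"),  # every user
        "tautology_bound": login_bound(conn, TAUTOLOGY, "chris"),    # nobody
        "union_concat": login_concat(conn, "chris", UNION),          # catalogue rows
        "union_bound": login_bound(conn, "chris", UNION),            # nobody
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

The concatenated form hands back every user for the tautology and the catalogue contents for the UNION, exactly the "Always true!" and "Everything you can select" points on slides 24 and 26; the bound form treats the same strings as a username or password nobody has and returns an empty list both times.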
  • 30. PL/SQL is automatically bound
  • 31. begin select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass; end; These are bind variables
  • 32. Least Privilege [diagram: the application is granted execute on a PL/SQL API f(x)]
  • 33. I write dynamic SQL
  • 34. String sql = "select * from users where 1 = 1 "; if (param1 != null) { sql += " and c1 = ? "; } if (param2 != null) { sql += " and c2 = ? "; } ...can still bind
  • 35. …but I accept identifiers
  • 36. Sanitize input!
  • 37. Sanitize input! DBMS_ASSERT
  • 38. Change User Passwords: execute immediate 'alter user ' || dbms_assert.schema_name ( user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( pass ), '''' ) || '"'; Can't have single quotes (') in password!
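Slides 34 to 38 make two points about dynamic SQL: optional predicates can be appended to the statement text while the values stay bound, and identifiers (column or schema names) cannot be bound at all, so they must be validated, which is what DBMS_ASSERT does in Oracle. The script below is an added example, not code from the deck or from Oracle, showing both in one query builder. It is the same SQLite stand-in for the USERS table as above (constructed sample data); `ALLOWED_COLUMNS`, `assert_column_name`, `build_query` and `search` are names made up for the example, and the allow-list check is a simpler substitute for DBMS_ASSERT, not a port of it.

```python
import re
import sqlite3

# Columns a caller may name. An allow-list is the strictest form of the
# "sanitize identifiers" advice on slides 35-37 (names assumed for the example).
ALLOWED_COLUMNS = {"username", "full_name"}


def assert_column_name(ident):
    """Accept only a plain, known identifier. Quotes, spaces, semicolons and
    comment markers all fail the pattern, so nothing can ride into the SQL text."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", ident):
        raise ValueError(f"invalid identifier: {ident!r}")
    if ident.lower() not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column: {ident!r}")
    return ident.lower()


def build_query(filters, order_by=None):
    """The slide-34 pattern: the WHERE clause grows with the filters supplied,
    but every value stays a bound '?' and every identifier is checked first.
    Returns (sql, params) so the text and the bindings can be inspected."""
    sql = "select username, full_name from users where 1 = 1"
    params = []
    for col, value in filters.items():
        sql += " and " + assert_column_name(col) + " = ?"  # identifier checked
        params.append(value)                               # value bound, never concatenated
    if order_by is not None:
        sql += " order by " + assert_column_name(order_by)
    return sql, params


def search(conn, filters, order_by=None):
    """Run the built query; returns the matching usernames."""
    sql, params = build_query(filters, order_by)
    return [row[0] for row in conn.execute(sql, params)]


def make_db():
    """In-memory SQLite users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text, full_name text)")
    conn.executemany("insert into users values (?, ?, ?)",
                     [("chris", "chris", "Chris Saxon"),
                      ("alice", "s3cret", "Alice Example")])
    return conn


if __name__ == "__main__":
    conn = make_db()
    print(search(conn, {"username": "chris"}, order_by="full_name"))
    print(search(conn, {"username": "' or 1 = 1 --"}))  # bound: matches nobody
    try:
        build_query({}, order_by="full_name desc")      # not a bare identifier
    except ValueError as e:
        print("rejected:", e)
```

Note that a sort direction or a schema name would each need its own allow-list in the same style; the point is that anything which has to become part of the statement text is checked against a closed set of values you control, while anything that can be a bind variable is one.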
  • 39. I develop an internal app
  • 40. employees can has your dataz?
  • 41. How secure is your network?
  • 42. [diagram] Web Browser --SSL--> Web Server --?--> Database (TDE). Encryption here is overkill, right? Transparent Data Encryption? SSL?
  • 43. [image slide]
  • 44. [diagram] Web Browser --SSL--> Web Server --Native Encryption--> Database (TDE). See doc for more details
  • 45. I don't have time to review all code
  • 46. Test in CI/CD Process [diagram: Build -> Test -> Deploy; Run sqlmap in the Test stage]
  • 47. Virtual Private Database: Restrict access at source
        Employee Name    Manager Name    Salary  SSN
        Kevin Mourgos    Steven King     5800    650-123-5234
        Shanta Vollman   Steven King     6500    650-123-4234
        Payam Kaufling   Steven King     7900    650-123-3234
        Adam Fripp       Steven King     8200    650-123-2234
        Matthew Weiss    Steven King     8000    650-123-1234
        Girard Geoni     Matthew Weiss   2800    650-507-9879
        Martha Sullivan  Matthew Weiss   2500    650-507-9878
        Jean Fleaur      Matthew Weiss   3100    650-507-9877
        Winston Taylor   Matthew Weiss   3200    650-507-9876
        Steven Markle    Matthew Weiss   2200    650-124-1434
  • 48. Virtual Private Database: Restrict access at source (the same table as seen through the policy; cells the policy withholds are blank)
        Employee Name    Manager Name    Salary  SSN
        Kevin Mourgos    Steven King
        Shanta Vollman   Steven King
        Payam Kaufling   Steven King
        Adam Fripp       Steven King
        Matthew Weiss    Steven King     8000    650-123-1234
        Girard Geoni     Matthew Weiss   2800
        Martha Sullivan  Matthew Weiss   2500
        Jean Fleaur      Matthew Weiss   3100
        Winston Taylor   Matthew Weiss   3200
        Steven Markle    Matthew Weiss   2200
  • 49. How at risk am I?
  • 50. DBSAT
  • 51. DBSAT: My Oracle Support 2138254.1
  • 52. Security Layers: PL/SQL, Least Privilege, Data R*******n, Bind Variables, Sanitize inputs
  • 53. It's 2018! no excuses... ... your data!
  • 54. sqlmap.org #MakeDataGreatAgain