SlideShare a Scribd company logo
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How to Hack Your App
Using SQL
Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily
www.youtube.com/c/TheMagicofSQL
blogs.oracle.com/sql
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
It's2018!
...do we really need to talk about this?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
http://www.bbc.co.uk/news/technology-34963686
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-
400-000-fine-for-failing-to-prevent-october-2015-attack/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
SQL Vulnerabilities
Wordpress Jan 2017
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Jul 2017
https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/
Oct 2017
https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
codecurmudgeon.com/wp/sql-injection-hall-of-shame/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
https://haveibeenpwned.com/
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DEMO
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Principle of
Least
Privilege
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Least Privilege
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Least Privilege
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
Least Privilege
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data
Red*****n
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data
Red*****n
Can still
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Use Bind Variables!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = '" + name + "'
and password = '" + pass + "'";
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = 'chris';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
Always
true!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
Everything you
can select
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
Value
placeholder
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
Value
placeholder
Inputs never part of SQL =>
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
PL/SQL is
automatically bound
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
begin
select *
into user_rec
from sqlinjection.users u
where u.username = l_name
and u.password = l_pass;
end;
These are
bind variables
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
execute
Pixabay
Least Privilege
plsql f (x)
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I write dynamic
SQL
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users where 1 = 1 ";
if param_1 is not null then
sql = sql + " and c1 = ? ";
end if;
if param_2 is not null then
sql = sql + " and c2 = ? ";
end if;
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
can still bind
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
…but I accept
identifiers
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sanitize input!
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sanitize input!
Pixabay
DBMS_assert
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Change User Passwords
execute immediate 'alter user ' ||
dbms_assert.schema_name ( user ) ||
' identified by "' ||
replace(
dbms_assert.enquote_literal ( pass ), ''''
) || '"';
Can't have single
quotes (') in password!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I develop an
internal app
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Gratisography
employees
can has
your dataz?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
How secure is
your network?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42
Web Browser Web Server Database
SSL
TDE
Encryption
here is
overkill,
right?
Transparent
Data
Encryption?
SSL?
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 43
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44
Web Browser Web Server Database
SSL
TDE
Native
Encryption
See doc for more details
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I don't have time
to review all
code
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Test
Deploy
Build
Run sqlmap
Test in CI/CD Process
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Virtual Private Database
Restrict access at source
Employee Name Manager Name Salary SSN
Kevin Mourgos Steven King 5800 650-123-5234
Shanta Vollman Steven King 6500 650-123-4234
Payam Kaufling Steven King 7900 650-123-3234
Adam Fripp Steven King 8200 650-123-2234
Matthew Weiss Steven King 8000 650-123-1234
Girard Geoni Matthew Weiss 2800 650-507-9879
Martha Sullivan Matthew Weiss 2500 650-507-9878
Jean Fleaur Matthew Weiss 3100 650-507-9877
Winston Taylor Matthew Weiss 3200 650-507-9876
Steven Markle Matthew Weiss 2200 650-124-1434
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Virtual Private Database
Restrict access at source
Employee Name Manager Name Salary SSN
Kevin Mourgos Steven King
Shanta Vollman Steven King
Payam Kaufling Steven King
Adam Fripp Steven King
Matthew Weiss Steven King 8000 650-123-1234
Girard Geoni Matthew Weiss 2800
Martha Sullivan Matthew Weiss 2500
Jean Fleaur Matthew Weiss 3100
Winston Taylor Matthew Weiss 3200
Steven Markle Matthew Weiss 2200
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How at risk am I?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DBSAT
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DBSAT
My Oracle Support 2138254.1
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
PL/SQL
Least Privilege
Data R*******n
Bind Variables
Sanitize inputs
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Security Layers
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
It's2018!
no excuses...
... your data!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Gratisography
sqlmap.org
#MakeDataGreatAgain
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

More Related Content

What's hot

JSON-B for CZJUG
JSON-B for CZJUGJSON-B for CZJUG
JSON-B for CZJUG
Dmitry Kornilov
 
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database APIUKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
Marco Gralike
 
Configuration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and TamayaConfiguration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and Tamaya
Dmitry Kornilov
 
Configuration for Java EE and the Cloud
Configuration for Java EE and the CloudConfiguration for Java EE and the Cloud
Configuration for Java EE and the Cloud
Dmitry Kornilov
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RACNZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
Sandesh Rao
 
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
Sandesh Rao
 
What's new in the Java API for JSON Binding
What's new in the Java API for JSON BindingWhat's new in the Java API for JSON Binding
What's new in the Java API for JSON Binding
Dmitry Kornilov
 
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
Frederic Descamps
 
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
Sandesh Rao
 
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
Sandesh Rao
 
AUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous HealthAUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous Health
Sandesh Rao
 
Data meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow IndiaData meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow India
Sandesh Rao
 
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Sandesh Rao
 
Java EE for the Cloud
Java EE for the CloudJava EE for the Cloud
Java EE for the Cloud
Dmitry Kornilov
 
Developers vs DBAs - How to win the war
Developers vs DBAs - How to win the warDevelopers vs DBAs - How to win the war
Developers vs DBAs - How to win the war
gvenzl
 

What's hot (15)

JSON-B for CZJUG
JSON-B for CZJUGJSON-B for CZJUG
JSON-B for CZJUG
 
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database APIUKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
 
Configuration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and TamayaConfiguration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and Tamaya
 
Configuration for Java EE and the Cloud
Configuration for Java EE and the CloudConfiguration for Java EE and the Cloud
Configuration for Java EE and the Cloud
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RACNZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
 
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
 
What's new in the Java API for JSON Binding
What's new in the Java API for JSON BindingWhat's new in the Java API for JSON Binding
What's new in the Java API for JSON Binding
 
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
 
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
 
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
 
AUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous HealthAUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous Health
 
Data meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow IndiaData meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow India
 
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
 
Java EE for the Cloud
Java EE for the CloudJava EE for the Cloud
Java EE for the Cloud
 
Developers vs DBAs - How to win the war
Developers vs DBAs - How to win the warDevelopers vs DBAs - How to win the war
Developers vs DBAs - How to win the war
 

Similar to How to Hack Your App Using SQL Injection

18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c
Chris Saxon
 
Step by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment modelStep by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment model
Anil Nair
 
20190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev220190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev2
Ivan Ma
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB Cluster
Frederic Descamps
 
AskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database TriggersAskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database Triggers
Steven Feuerstein
 
Python and the MySQL Document Store
Python and the MySQL Document StorePython and the MySQL Document Store
Python and the MySQL Document Store
Jesper Wisborg Krogh
 
MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!
Frederic Descamps
 
Flashback features in Oracle - UKOUG 2017
Flashback features in Oracle - UKOUG 2017Flashback features in Oracle - UKOUG 2017
Flashback features in Oracle - UKOUG 2017
Connor McDonald
 
Robust easy affordable disaster recovery for MySQL Data
Robust easy affordable disaster recovery for MySQL DataRobust easy affordable disaster recovery for MySQL Data
Robust easy affordable disaster recovery for MySQL Data
OracleMySQL
 
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
Amazon Web Services
 
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
Yukitaka Ohmura
 
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
Frederic Descamps
 
MySQL InnoDB Cluster in a Nutshell - Hands-on Lab
MySQL InnoDB Cluster in a Nutshell - Hands-on LabMySQL InnoDB Cluster in a Nutshell - Hands-on Lab
MySQL InnoDB Cluster in a Nutshell - Hands-on Lab
Frederic Descamps
 
Migrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCIMigrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCI
Alex Zaballa
 
PGQL: A Language for Graphs
PGQL: A Language for GraphsPGQL: A Language for Graphs
PGQL: A Language for Graphs
Jean Ihm
 
ARC201_Scaling Up to Your First 10 Million Users
ARC201_Scaling Up to Your First 10 Million UsersARC201_Scaling Up to Your First 10 Million Users
ARC201_Scaling Up to Your First 10 Million Users
Amazon Web Services
 
Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_
aioughydchapter
 
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
Edureka!
 
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Amazon Web Services
 
RMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New FeaturesRMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New Features
Dave Stokes
 

Similar to How to Hack Your App Using SQL Injection (20)

18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c
 
Step by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment modelStep by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment model
 
20190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev220190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev2
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB Cluster
 
AskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database TriggersAskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database Triggers
 
Python and the MySQL Document Store
Python and the MySQL Document StorePython and the MySQL Document Store
Python and the MySQL Document Store
 
MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!
 
Flashback features in Oracle - UKOUG 2017
Flashback features in Oracle - UKOUG 2017Flashback features in Oracle - UKOUG 2017
Flashback features in Oracle - UKOUG 2017
 
Robust easy affordable disaster recovery for MySQL Data
Robust easy affordable disaster recovery for MySQL DataRobust easy affordable disaster recovery for MySQL Data
Robust easy affordable disaster recovery for MySQL Data
 
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
 
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
 
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
 
MySQL InnoDB Cluster in a Nutshell - Hands-on Lab
MySQL InnoDB Cluster in a Nutshell - Hands-on LabMySQL InnoDB Cluster in a Nutshell - Hands-on Lab
MySQL InnoDB Cluster in a Nutshell - Hands-on Lab
 
Migrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCIMigrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCI
 
PGQL: A Language for Graphs
PGQL: A Language for GraphsPGQL: A Language for Graphs
PGQL: A Language for Graphs
 
ARC201_Scaling Up to Your First 10 Million Users
ARC201_Scaling Up to Your First 10 Million UsersARC201_Scaling Up to Your First 10 Million Users
ARC201_Scaling Up to Your First 10 Million Users
 
Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_
 
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
 
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
 
RMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New FeaturesRMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New Features
 

Recently uploaded

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 

Recently uploaded (20)

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 

How to Hack Your App Using SQL Injection

  • 1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How to Hack Your App Using SQL Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily www.youtube.com/c/TheMagicofSQL blogs.oracle.com/sql blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 2. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! ...do we really need to talk about this? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 3. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 4. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 5. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | http://www.bbc.co.uk/news/technology-34963686 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 6. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record- 400-000-fine-for-failing-to-prevent-october-2015-attack/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 7. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | SQL Vulnerabilities Wordpress Jan 2017 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ Jul 2017 https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ Oct 2017 https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 8. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | codecurmudgeon.com/wp/sql-injection-hall-of-shame/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 9. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon https://haveibeenpwned.com/
  • 10. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DEMO blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 11. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 12. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 13. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 14. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Principle of Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 15. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
  • 16. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
  • 17. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 18. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 19. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n Can still blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 20. Use Bind Variables! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 21. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 22. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 23. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 24. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; Always true! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 25. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 26. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; Everything you can select blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 27. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 28. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 29. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder Inputs never part of SQL => blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 30. PL/SQL is automatically bound blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 31. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | begin select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass; end; These are bind variables blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 32. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | execute Pixabay Least Privilege plsql f (x) blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 33. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I write dynamic SQL blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 34. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where 1 = 1 "; if param_1 is not null then sql = sql + " and c1 = ? "; end if; if param_2 is not null then sql = sql + " and c2 = ? "; end if; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon can still bind
  • 35. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | …but I accept identifiers blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 36. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 37. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay DBMS_assert blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 38. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Change User Passwords execute immediate 'alter user ' || dbms_assert.schema_name ( user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( pass ), '''' ) || '"'; Can't have single quotes (') in password! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 39. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I develop an internal app blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 40. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography employees can has your dataz? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 41. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay How secure is your network? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 42. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42 Web Browser Web Server Database SSL TDE Encryption here is overkill, right? Transparent Data Encryption? SSL?
  • 43. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 43
  • 44. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44 Web Browser Web Server Database SSL TDE Native Encryption See doc for more details
  • 45. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I don't have time to review all code
  • 46. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Test Deploy Build Run sqlmap Test in CI/CD Process
  • 47. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King 5800 650-123-5234 Shanta Vollman Steven King 6500 650-123-4234 Payam Kaufling Steven King 7900 650-123-3234 Adam Fripp Steven King 8200 650-123-2234 Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 650-507-9879 Martha Sullivan Matthew Weiss 2500 650-507-9878 Jean Fleaur Matthew Weiss 3100 650-507-9877 Winston Taylor Matthew Weiss 3200 650-507-9876 Steven Markle Matthew Weiss 2200 650-124-1434
  • 48. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King Shanta Vollman Steven King Payam Kaufling Steven King Adam Fripp Steven King Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 Martha Sullivan Matthew Weiss 2500 Jean Fleaur Matthew Weiss 3100 Winston Taylor Matthew Weiss 3200 Steven Markle Matthew Weiss 2200
  • 49. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How at risk am I? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 50. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 51. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT My Oracle Support 2138254.1 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 52. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay PL/SQL Least Privilege Data R*******n Bind Variables Sanitize inputs blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Security Layers
  • 53. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! no excuses... ... your data! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 54. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography sqlmap.org #MakeDataGreatAgain blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon