Sql Injection V.2
High-level review of SQL injection techniques and of methods for avoiding security failures.

  1. OWASP Community Lviv. SQL injections for Dummies. Bohdan Serednytskyi, Security Engineer, R&D Team, SoftServe. August 2012.
  2. Easy to exploit! Severe impact! Common in web apps!
  3. SQL injection: the ability to inject SQL commands into the database engine through an existing application.
  4. SQL injection impact:
  5. Data leakage
  6. Data modification
  7. Denial of access
  8. Data loss
  9. Complete host takeover
  10. SQL injection: a vulnerable request can carry INSERT, UPDATE and DELETE statements. Almost all SQL databases and programming languages are potentially vulnerable. It is a flaw in web application development; it is not a DB or web server problem.
  11. SQL injection anatomy: SQL injection, blind SQL injection, double-blind SQL injection.
  12. Scenario (attacker -> web server -> database): http://example.com/app/accountView?id= % or '0'='0' union select null, version() #
      The query the database receives: SELECT first_name, last_name FROM users WHERE user_id = % or '0'='0' union select null, version() #;
  13. Example (string concatenation, the vulnerable pattern):
      private void queryDB(String u_name) {
          String sql = "select * from users where name = '" + u_name + "'";
          doQuery(sql);
      }
      1) select * from users where name = 'Jerry'
      2) select * from users where name = 'Jerry' or '1'='1'
  14. Example, blind SQL injection:
      1) http://newspaper.com/items.php?id=2 and 1=2  ->  SELECT title, description, body FROM items WHERE ID = 2 and 1=2
      2) http://newspaper.com/items.php?id=2 and 1=1
  15. Detection
  16. Discovery of vulnerabilities: fields in web forms; script parameters in URL query strings; values stored in cookies or hidden fields.
  17. Fuzzing: character sequences " ) # || + > ; SQL reserved words with whitespace delimiters; delay query: waitfor delay 0:0:10--
  18. Protection
  19. Use of prepared statements (parameterized queries):
      String custname = request.getParameter("customerName");
      String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
      PreparedStatement pstmt = connection.prepareStatement(query);
      pstmt.setString(1, custname);
      ResultSet results = pstmt.executeQuery();
  20. Use of stored procedures:
      String custname = request.getParameter("customerName");
      try {
          CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
          cs.setString(1, custname);
          ResultSet results = cs.executeQuery();
          // … result set handling
      } catch (SQLException se) {
          // … logging and error handling
      }
  21. Escaping all user-supplied input: OWASP Enterprise Security API.
  22. Web application firewall: a security solution at the web application level which does not depend on the application itself.
  23. Additional defenses: IDS, IPS; least privilege; whitelist input validation.
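The string concatenation from slide 13 and the unquoted numeric parameter from slide 14, run against an in-memory SQLite database beside the parameterized form from slide 19. This is an added example, not code from the deck; the table contents and function names are constructed.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the deck's "users" (slide 13) and "items" (slide 14) tables.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Jerry", "user"), ("Tom", "user"), ("admin", "admin")])
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "Local news"), (2, "Weather")])
    return conn

def users_concat(conn, u_name):
    # Same construction as the deck's queryDB(): the input is spliced into the SQL text.
    return conn.execute("select * from users where name = '" + u_name + "'").fetchall()

def items_concat(conn, item_id):
    # Slide 14: a numeric parameter concatenated without quotes, so "2 and 1=2" is parsed as SQL.
    return conn.execute("SELECT title FROM items WHERE id = " + item_id).fetchall()

def users_param(conn, u_name):
    # Parameterized query (slide 19): the driver binds u_name as a value, never as SQL.
    return conn.execute("select * from users where name = ?", (u_name,)).fetchall()

def items_param(conn, item_id):
    # The same binding for the numeric case; the whole string is compared against id as one value.
    return conn.execute("SELECT title FROM items WHERE id = ?", (item_id,)).fetchall()

def demo():
    conn = make_db()
    tautology = "Jerry' or '1'='1"                      # payload from slide 13
    blind_false, blind_true = "2 and 1=2", "2 and 1=1"  # payloads from slide 14
    return {
        "concat_users_benign": len(users_concat(conn, "Jerry")),
        "concat_users_tautology": len(users_concat(conn, tautology)),
        "concat_items_false": len(items_concat(conn, blind_false)),
        "concat_items_true": len(items_concat(conn, blind_true)),
        "param_users_tautology": len(users_param(conn, tautology)),
        "param_items_true": len(items_param(conn, blind_true)),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated queries return every user for the tautology and flip between 0 and 1 rows for the blind pair, which is exactly the signal slide 14 describes; the bound versions return nothing for either payload.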
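Detection logic for the injection traits the deck names on slides 11, 12, 14 and 17 (boolean tests, UNION SELECT, comment terminators, delay queries), run over constructed web server access-log lines. This is an added example, not from the deck; the log lines, the INDICATORS table and its regexes are my own assumptions about what such a check should look for.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (not from the deck); the URLs mirror the requests on slides 12, 14 and 17.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2012:10:01:01 +0300] "GET /app/accountView?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [12/Aug/2012:10:01:05 +0300] "GET /app/accountView?id=%25%20or%20%270%27%3D%270%27%20union%20select%20null%2C%20version()%20%23 HTTP/1.1" 200 1024
10.0.0.7 - - [12/Aug/2012:10:01:09 +0300] "GET /items.php?id=2%20and%201%3D2 HTTP/1.1" 200 311
10.0.0.9 - - [12/Aug/2012:10:01:12 +0300] "GET /items.php?id=2%3Bwaitfor%20delay%200%3A0%3A10-- HTTP/1.1" 200 311
10.0.0.5 - - [12/Aug/2012:10:01:20 +0300] "GET /items.php?id=7 HTTP/1.1" 200 498
"""

# Indicator names and regexes are assumptions built from the deck's anatomy (slide 11) and fuzzing (slide 17) slides.
INDICATORS = {
    "boolean_test": re.compile(r"\b(or|and)\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I),  # or '1'='1', and 1=2
    "union":        re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "comment":      re.compile(r"(--|#|/\*)"),                                  # query terminators
    "time_delay":   re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(", re.I),       # time-based blind probes
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def scan_line(line):
    """Return the set of indicator names matched by any decoded query parameter of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return set()
    hits = set()
    for _, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode so double-encoded payloads are seen as well
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(name)
    return hits

def scan_log(text):
    """Map each 1-based line number that has at least one hit to its sorted indicator names."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            report[number] = sorted(hits)
    return report

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(names)}")
```

Matching on decoded parameter values rather than the raw request line is what lets the check see the slide 12 payload, which arrives fully percent-encoded.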