
D:\Technical\Ppt\Sql Injection


Sql Injection

Published in: Technology

  1. SQL Injection
     - What is SQL Injection?
     - SQL Injection Attack
     - SQL Injection Prevention
     - Cross-Site Scripting
  2. What is SQL Injection?
     - SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.
     - SQL injection can occur when an application uses input to construct dynamic SQL statements. Successful SQL injection attacks enable malicious users to execute commands in an application's database.
     - Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. A SQL injection attack involves placing SQL statements in the user input.
     - Almost all existing databases are subject to SQL injection attacks to varying degrees.
  3. SQL Injection Attack
     - Take an ASP page reached through the following URL: http://sqlinject/index.asp?customer=Talentica
     - In the URL, 'customer' is the variable name and 'Talentica' is the value assigned to it. To handle that, the ASP page might contain the following code:

           v_cat = request("customer")
           sqlstr = "SELECT * FROM Customer_Master WHERE Customer='" & v_cat & "'"
           set rs = conn.execute(sqlstr)

     - Thus the SQL statement becomes: SELECT * FROM Customer_Master WHERE Customer = 'Talentica'
     - Now assume that we change the URL into something like this: http://sqlinject/index.asp?customer=Talentica' or 1=1--
       Our variable v_cat now equals "Talentica' or 1=1--", and substituting it into the SQL query gives: SELECT * FROM Customer_Master WHERE Customer = 'Talentica' or 1=1--'
  4. SQL Injection Attack (Contd)
     - Take the following page for another example: http://sqlinject/index.asp?id=10
     - We will try to UNION the integer '10' with another string from the database: http://sqlinject/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25USER%25'--
     - SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='USERS' AND COLUMN_NAME LIKE '%USER%'
  5. SQL Injection Attack (Contd)
     - The login page had a traditional username-and-password form, but also an email-me-my-password link; the latter proved to be the downfall of the whole system.

           SqlDataAdapter myCommand = new SqlDataAdapter(
               "SELECT username, password FROM users WHERE username = '" + SSN.Text + "'", myConnection);

     - The following script shows a simple SQL injection. The script builds a SQL query by concatenating hard-coded strings with a string entered by the user:

           var user = Request.Form("iusername");
           var password = Request.Form("ipassword");
           var sql = "SELECT username, password FROM users WHERE username = '" + user + "' AND password = '" + password + "'";

     - The developer's intention was that when the code runs, it inserts the user's input and generates the following SQL statement:

           SELECT username, password FROM users WHERE username=@existinguser
  6. - select * from Users
       where username ='test'
     - A difference in the response is a dead giveaway that user input is not being sanitized properly and that the application is ripe for exploitation.
     - select * from Users
       where username ='test' OR 'x'='x'
     - SELECT *
       FROM Users
       WHERE emailid = 'x' OR username LIKE '%test%';
     - SELECT *
       FROM Users
       WHERE emailid = 'x'; DROP TABLE test; --';
     - SELECT *
       FROM Users;
       INSERT INTO Users
       VALUES (3,'test','test','');--';
     - SELECT *
       FROM Users
       WHERE emailid = 'x'; UPDATE Users SET emailid = '';
  7. SQL Injection Prevention
     - Check and filter user input.
       - Put a length limit on input (most attacks depend on long query strings).
       - Do not allow suspicious keywords (DROP, INSERT, SELECT, SHUTDOWN).
       - Call stored procedures instead of sending SQL statements directly to the database; a parameter is treated as a literal value and not as executable code.
     - Eliminate string concatenation to create SqlCommandText.
     - Use SqlCommand with Parameters.
     - Eliminate EXECUTE (@sql).
     - If dynamic SQL is required, use sp_executesql with parameters.
     - Review your application's use of parameterized stored procedures.
     - Principle of Least Privilege
       - A user or process should have the lowest level of privilege required to perform its assigned task.
       - If you know a specific user will only read from the database, do not grant that user root privileges.
       - Segregate users. Define roles.
     - The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code.
     - Coding techniques are available for protecting against SQL injection.
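An added example, not from the slides, that puts the concatenated lookup of slide 3 next to the parameterized form slide 7 recommends; it uses Python's sqlite3 on a constructed Customer_Master table in place of the ASP/SQL Server setup, and shows that the slide 3 input returns every row through concatenation and no row through a bound parameter.

```python
import sqlite3

# Constructed sample rows standing in for the Customer_Master table on the slides.
SAMPLE_ROWS = [("Talentica",), ("Acme",), ("Globex",)]


def _connect():
    # Fresh in-memory database for each lookup so the two variants stay independent.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Customer_Master (Customer TEXT)")
    con.executemany("INSERT INTO Customer_Master VALUES (?)", SAMPLE_ROWS)
    return con


def lookup_concatenated(customer):
    """Builds the query by string concatenation, exactly as the ASP snippet does,
    so whatever arrives in the 'customer' parameter becomes part of the SQL text."""
    con = _connect()
    sqlstr = "SELECT * FROM Customer_Master WHERE Customer='" + customer + "'"
    return [row[0] for row in con.execute(sqlstr)]


def lookup_parameterized(customer):
    """Same lookup with a bound parameter: the value travels separately from the
    statement and is compared as a literal, never parsed as SQL."""
    con = _connect()
    return [row[0] for row in con.execute(
        "SELECT * FROM Customer_Master WHERE Customer = ?", (customer,))]


if __name__ == "__main__":
    for value in ("Talentica", "Talentica' or 1=1--"):
        print(repr(value), "concatenated:", lookup_concatenated(value))
        print(repr(value), "parameterized:", lookup_parameterized(value))
```

No keyword filter is involved in the parameterized version: the value is compared as data, so words like SELECT or DROP inside it are never interpreted.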
  8. Cross-Site Scripting
     - Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting".
     - Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user.
     - After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them.
     - E.g. an attack could reach your database, update up to 5000 rows in every table and replace the strings in your database with random XSS payloads.
     - Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.
     - To prevent cross-site scripting:
       - Check that ASP.NET request validation is enabled.
       - Review ASP.NET code that generates HTML output.
       - Determine whether HTML output includes input parameters.
       - Review potentially dangerous HTML tags and attributes.
       - Evaluate countermeasures.
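An added example, not from the slides, of the review step "determine whether HTML output includes input parameters": a constructed guestbook post is rendered with and without HTML encoding in Python, and a small check reports which input values reached the page unencoded (html.escape stands in for the ASP.NET encoding the slide refers to).

```python
from html import escape

# Constructed guestbook post, standing in for data a guestbook or forum program
# stores and later echoes into its output page. Both values carry markup on purpose.
SAMPLE_POST = {
    "author": 'bob" onmouseover="alert(1)',
    "body": "Nice site! <script>alert('xss')</script>",
}


def render_unescaped(post):
    """Output page built by plain concatenation, as the vulnerable programs on the
    slide do: stored HTML and script are emitted as-is and the browser runs them."""
    return ('<div class="post" data-author="' + post["author"] + '">'
            + post["body"] + "</div>")


def render_escaped(post):
    """Same page with each user-controlled value encoded. quote=True also encodes
    quotation marks, which is what stops the breakout inside the attribute."""
    return ('<div class="post" data-author="' + escape(post["author"], quote=True)
            + '">' + escape(post["body"], quote=True) + "</div>")


def unencoded_parameters(post, html):
    """Review check from the slide: which input values appear verbatim in the output?
    Only meaningful for values containing markup characters, as the sample does;
    a name in the result means that value reached the page without encoding."""
    return sorted(name for name, value in post.items() if value in html)


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        page = render(SAMPLE_POST)
        print(label, "->", page)
        print("  unencoded parameters:", unencoded_parameters(SAMPLE_POST, page))
```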