SQL INJECTION TECHNIQUE
NAME – PRASAD GADE
ROLL NO – 14
TOPICS
• Introduction
• Attack Intent
• Real World Examples
• How SQL Injection works?
• Impact of SQL injection
• Types of attacks
• Defence Against SQL Injection
• Other Injection Types
• SQL Injection tools
• Conclusion
INTRODUCTION
• SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry field for
execution.
• This is a method to attack web applications that have a data repository.
• The attacker would send a specially crafted SQL statement that is designed
to cause some malicious action.
ATTACK INTENT
• Determining database schema
• Extracting data
• Adding or modifying data
• Bypassing authentication
REAL WORLD EXAMPLES
• On August 17, 2009, the United States Justice Department charged an American
citizen Albert Gonzalez and two Russians with the theft of 130 million credit card
numbers using an SQL injection attack.
• In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of
Microsoft’s IIS web server and SQL database server. Over 500,000 sites were
exploited.
HOW SQL INJECTION WORKS?
• The ability to inject SQL commands into the database engine through an existing
application.
• SQL injection is the use of publicly available fields to gain entry to your database.
• This is done by entering SQL commands into your form fields instead of the expected data.
• Improperly coded forms will allow a hacker to use them as an entry point to your database.
HOW SQL INJECTION WORKS?
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, and sends data back to
application.
6. Application returns data to user.
IMPACTS OF SQL INJECTION
1. Leakage of sensitive information.
2. Reputation decline.
3. Modification of sensitive information.
4. Loss of control of DB server.
5. Data loss.
6. Denial of service.
TYPES OF ATTACKS
1. First order attacks
The attacker can simply enter a malicious string and cause the modified code to be
executed immediately.
2. Second order attacks
The attacker injects into persistent storage (such as a table row) which is deemed a trusted source. The attack is subsequently
executed by another activity that reads the stored value back.
3. Lateral Injection
The attacker can manipulate the implicit function To_Char() by changing the values of the
environment settings it depends on.
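The six-step flow above and the first-order versus second-order distinction, worked through as an added example that is not part of the original slides: a login query built by concatenation (step 3) accepts a quote in the password field, the parameterised form of the same query does not, and a value stored safely today is executed later when another feature concatenates it. The `users` table, its rows and the `sqlite3` in-memory database are constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example (not from the slides).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, display TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret', 'Alice')")
    db.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'Bob')")
    return db

def login_vulnerable(db, name, password):
    # Step 3 of the flow: the statement is assembled by concatenating the
    # submitted fields, so a quote in the data rewrites the WHERE predicate.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()

def login_safe(db, name, password):
    # Parameterised query: structure is fixed, values are bound as data only.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()

def set_display_name(db, name, display):
    # Second-order setup: written safely now, trusted by another feature later.
    db.execute("UPDATE users SET display = ? WHERE name = ?", (display, name))

def users_with_same_display_vulnerable(db, name):
    # The "other activity": reads the stored display name back and
    # concatenates it, so an injection planted earlier executes here.
    stored = db.execute("SELECT display FROM users WHERE name = ?", (name,)).fetchone()[0]
    sql = ("SELECT name FROM users WHERE display = '" + stored +
           "' ORDER BY name")
    return [row[0] for row in db.execute(sql)]

def users_with_same_display_safe(db, name):
    # Same feature with the stored value bound as a parameter.
    stored = db.execute("SELECT display FROM users WHERE name = ?", (name,)).fetchone()[0]
    sql = "SELECT name FROM users WHERE display = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (stored,))]

def demo():
    db = make_db()
    payload = "' OR '1'='1"  # submitted in the password field
    first_order = login_vulnerable(db, "alice", payload)      # ('alice',)
    rejected = login_safe(db, "alice", payload)               # None
    set_display_name(db, "alice", "x" + payload)              # stored quietly
    leaked = users_with_same_display_vulnerable(db, "alice")  # ['alice', 'bob']
    exact = users_with_same_display_safe(db, "alice")         # ['alice']
    return first_order, rejected, leaked, exact
```

Note that the payload sits in the password field because `AND` binds tighter than `OR`; the leaked list in the second-order case is every user, which is the "leakage of sensitive information" impact from the slides.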
DEFENCE AGAINST SQL INJECTION
• Websites require constant access to the database.
• Firewalls provide little or no defense against SQL injection attacks.
• Your website is public and firewalls must be set to allow every site visitor access to
your database, usually over port 80/443.
• Antivirus programs are equally ineffective at blocking SQL injection attacks.
DEFENCE AGAINST SQL INJECTION
1. Comprehensive data sanitization
Web sites must filter all user input.
2. Use a web application firewall
A popular example is the free, open source module ModSecurity. ModSecurity provides a
sophisticated and ever-evolving set of rules to filter potentially dangerous web requests.
3. Limit database privileges by context
Create multiple database user accounts with the minimum levels of privilege for their usage
environment.
OTHER INJECTION TYPES
• Shell injection.
• Scripting language injection.
• File inclusion.
• XML injection.
• XPath injection.
• LDAP injection.
• SMTP injection.
SQL INJECTION TOOLS
• BSQL Hacker
• SQLmap
• SQLninja
• Safe3 SQL Injector
• SQLSus
• Mole
• Havij
CONCLUSION
• SQL injection is a technique for exploiting applications that use relational databases as their back end.
• Applications compose SQL statements and send them to the database.
• SQL injection uses the fact that many of these applications concatenate the fixed part of the SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
• The technique is based on malformed user-supplied data.
• It transforms innocent SQL calls into malicious calls.
• It causes unauthorized access, deletion of data, or theft of information.
THANK YOU