CS
Uploaded byChris Saxon
PDF, PPTX320 views

How to Hack Your App Using SQL Injection

The document discusses SQL vulnerabilities and security practices, emphasizing the importance of sanitizing inputs and using bind variables to prevent SQL injections. It highlights various real-world hacking incidents and suggests employing a layered security approach. Overall, the document serves as a tutorial for developers on securing their applications against SQL-related attacks.

Embed presentation

Download as PDF, PPTX
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How to Hack Your App Using SQL Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily www.youtube.com/c/TheMagicofSQL blogs.oracle.com/sql blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! ...do we really need to talk about this? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | http://www.bbc.co.uk/news/technology-34963686 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record- 400-000-fine-for-failing-to-prevent-october-2015-attack/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | SQL Vulnerabilities Wordpress Jan 2017 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ Jul 2017 https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ Oct 2017 https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | codecurmudgeon.com/wp/sql-injection-hall-of-shame/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon https://haveibeenpwned.com/
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DEMO blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Principle of Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n Can still blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Use Bind Variables! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; Always true! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; Everything you can select blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder Inputs never part of SQL => blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
PL/SQL is automatically bound blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | begin select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass; end; These are bind variables blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | execute Pixabay Least Privilege plsql f (x) blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I write dynamic SQL blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where 1 = 1 "; if param_1 is not null then sql = sql + " and c1 = ? "; end if; if param_2 is not null then sql = sql + " and c2 = ? "; end if; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon can still bind
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | …but I accept identifiers blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay DBMS_assert blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Change User Passwords execute immediate 'alter user ' || dbms_assert.schema_name ( user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( pass ), '''' ) || '"'; Can't have single quotes (') in password! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I develop an internal app blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography employees can has your dataz? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay How secure is your network? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42 Web Browser Web Server Database SSL TDE Encryption here is overkill, right? Transparent Data Encryption? SSL?
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 43
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44 Web Browser Web Server Database SSL TDE Native Encryption See doc for more details
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I don't have time to review all code
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Test Deploy Build Run sqlmap Test in CI/CD Process
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King 5800 650-123-5234 Shanta Vollman Steven King 6500 650-123-4234 Payam Kaufling Steven King 7900 650-123-3234 Adam Fripp Steven King 8200 650-123-2234 Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 650-507-9879 Martha Sullivan Matthew Weiss 2500 650-507-9878 Jean Fleaur Matthew Weiss 3100 650-507-9877 Winston Taylor Matthew Weiss 3200 650-507-9876 Steven Markle Matthew Weiss 2200 650-124-1434
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King Shanta Vollman Steven King Payam Kaufling Steven King Adam Fripp Steven King Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 Martha Sullivan Matthew Weiss 2500 Jean Fleaur Matthew Weiss 3100 Winston Taylor Matthew Weiss 3200 Steven Markle Matthew Weiss 2200
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How at risk am I? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT My Oracle Support 2138254.1 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay PL/SQL Least Privilege Data R*******n Bind Variables Sanitize inputs blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Security Layers
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! no excuses... ... your data! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography sqlmap.org #MakeDataGreatAgain blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

More Related Content

PDF
12 Things Developers Will Love About Oracle Database 12c Release 2
byChris Saxon
 
PDF
Why Isn't My Query Using an Index? An Introduction to SQL Performance
byChris Saxon
 
PDF
Using Edition-Based Redefinition for Zero Downtime PL/SQL Changes
byChris Saxon
 
PDF
How to Find Patterns in Your Data with SQL
byChris Saxon
 
PDF
Polymorphic Table Functions in SQL
byChris Saxon
 
PDF
Hyderabad Mar 2019 - Database 18c / 19c
byConnor McDonald
 
PPTX
Melbourne Groundbreakers Tour - Hints and Tips
byConnor McDonald
 
PPTX
OpenWorld 2018 - SQL Tuning in 20 mins
byConnor McDonald
 
12 Things Developers Will Love About Oracle Database 12c Release 2
byChris Saxon
 
Why Isn't My Query Using an Index? An Introduction to SQL Performance
byChris Saxon
 
Using Edition-Based Redefinition for Zero Downtime PL/SQL Changes
byChris Saxon
 
How to Find Patterns in Your Data with SQL
byChris Saxon
 
Polymorphic Table Functions in SQL
byChris Saxon
 
Hyderabad Mar 2019 - Database 18c / 19c
byConnor McDonald
 
Melbourne Groundbreakers Tour - Hints and Tips
byConnor McDonald
 
OpenWorld 2018 - SQL Tuning in 20 mins
byConnor McDonald
 

What's hot

PPTX
JSON-B for CZJUG
byDmitry Kornilov
 
PPTX
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
byMarco Gralike
 
PPTX
Configuration for Java EE: Config JSR and Tamaya
byDmitry Kornilov
 
PPTX
Configuration for Java EE and the Cloud
byDmitry Kornilov
 
PDF
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
bySandesh Rao
 
PDF
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
bySandesh Rao
 
PPTX
What's new in the Java API for JSON Binding
byDmitry Kornilov
 
PDF
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
byFrederic Descamps
 
PDF
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
bySandesh Rao
 
PDF
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
bySandesh Rao
 
PDF
AUSOUG - Applied Machine Learning for Database Autonomous Health
bySandesh Rao
 
PDF
Data meets AI - ATP Roadshow India
bySandesh Rao
 
PDF
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
bySandesh Rao
 
PPTX
Java EE for the Cloud
byDmitry Kornilov
 
PDF
Developers vs DBAs - How to win the war
bygvenzl
 
JSON-B for CZJUG
byDmitry Kornilov
 
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
byMarco Gralike
 
Configuration for Java EE: Config JSR and Tamaya
byDmitry Kornilov
 
Configuration for Java EE and the Cloud
byDmitry Kornilov
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
bySandesh Rao
 
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
bySandesh Rao
 
What's new in the Java API for JSON Binding
byDmitry Kornilov
 
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
byFrederic Descamps
 
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
bySandesh Rao
 
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
bySandesh Rao
 
AUSOUG - Applied Machine Learning for Database Autonomous Health
bySandesh Rao
 
Data meets AI - ATP Roadshow India
bySandesh Rao
 
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
bySandesh Rao
 
Java EE for the Cloud
byDmitry Kornilov
 
Developers vs DBAs - How to win the war
bygvenzl
 

Similar to How to Hack Your App Using SQL Injection

PPT
Sql injection
byNikunj Dhameliya
 
PPTX
03. sql and other injection module v17
byEoin Keary
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PPTX
References - sql injection
byMohammed
 
PPTX
References
byMohammed
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
Advanced SQL Injection
byamiable_indian
 
PDF
business articles
byclient001competitors
 
PDF
POWER OF VISUALIZATION
bysihleGumede3
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PPT
Sql injection
byNitish Kumar
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PDF
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PPT
Advanced Sql Injection ENG
byDmitry Evteev
 
PPTX
Hacking Oracle From Web Apps 1 9
bysumsid1234
 
PPT
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
PDF
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
PPTX
Understanding sql Injection
byPotato
 
PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PPTX
Oracle database threats - LAOUC Webinar
byOsama Mustafa
 
Sql injection
byNikunj Dhameliya
 
03. sql and other injection module v17
byEoin Keary
 
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
References - sql injection
byMohammed
 
References
byMohammed
 
Sql Injection Adv Owasp
byAung Khant
 
Advanced SQL Injection
byamiable_indian
 
business articles
byclient001competitors
 
POWER OF VISUALIZATION
bysihleGumede3
 
Chapter 14 sql injection
bynewbie2019
 
Sql injection
byNitish Kumar
 
Sql injection attack
byRajKumar Rampelli
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
Advanced Sql Injection ENG
byDmitry Evteev
 
Hacking Oracle From Web Apps 1 9
bysumsid1234
 
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
Understanding sql Injection
byPotato
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
Oracle database threats - LAOUC Webinar
byOsama Mustafa
 

Recently uploaded

PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 

How to Hack Your App Using SQL Injection

  • 1.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | How to Hack Your App Using SQL Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily www.youtube.com/c/TheMagicofSQL blogs.oracle.com/sql blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 2.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | It's2018! ...do we really need to talk about this? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 3.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 4.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 5.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | http://www.bbc.co.uk/news/technology-34963686 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 6.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record- 400-000-fine-for-failing-to-prevent-october-2015-attack/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 7.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | SQL Vulnerabilities Wordpress Jan 2017 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ Jul 2017 https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ Oct 2017 https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 8.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | codecurmudgeon.com/wp/sql-injection-hall-of-shame/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 9.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon https://haveibeenpwned.com/
  • 10.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | DEMO blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 11.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 12.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 13.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 14.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Principle of Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 15.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
  • 16.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
  • 17.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 18.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Data Red*****n blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 19.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Data Red*****n Can still blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 20.
    Use Bind Variables! blogs.oracle.com/sqlwww.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 21.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 22.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 23.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 24.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; Always true! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 25.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 26.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; Everything you can select blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 27.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 28.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 29.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder Inputs never part of SQL => blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 30.
    PL/SQL is automatically bound blogs.oracle.com/sqlwww.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 31.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | begin select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass; end; These are bind variables blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 32.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | execute Pixabay Least Privilege plsql f (x) blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 33.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | I write dynamic SQL blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 34.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where 1 = 1 "; if param_1 is not null then sql = sql + " and c1 = ? "; end if; if param_2 is not null then sql = sql + " and c2 = ? "; end if; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon can still bind
  • 35.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | …but I accept identifiers blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 36.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 37.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay DBMS_assert blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 38.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Change User Passwords execute immediate 'alter user ' || dbms_assert.schema_name ( user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( pass ), '''' ) || '"'; Can't have single quotes (') in password! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 39.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | I develop an internal app blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 40.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Gratisography employees can has your dataz? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 41.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay How secure is your network? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 42.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | 42 Web Browser Web Server Database SSL TDE Encryption here is overkill, right? Transparent Data Encryption? SSL?
  • 43.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | 43
  • 44.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | 44 Web Browser Web Server Database SSL TDE Native Encryption See doc for more details
  • 45.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | I don't have time to review all code
  • 46.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Test Deploy Build Run sqlmap Test in CI/CD Process
  • 47.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King 5800 650-123-5234 Shanta Vollman Steven King 6500 650-123-4234 Payam Kaufling Steven King 7900 650-123-3234 Adam Fripp Steven King 8200 650-123-2234 Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 650-507-9879 Martha Sullivan Matthew Weiss 2500 650-507-9878 Jean Fleaur Matthew Weiss 3100 650-507-9877 Winston Taylor Matthew Weiss 3200 650-507-9876 Steven Markle Matthew Weiss 2200 650-124-1434
  • 48.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King Shanta Vollman Steven King Payam Kaufling Steven King Adam Fripp Steven King Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 Martha Sullivan Matthew Weiss 2500 Jean Fleaur Matthew Weiss 3100 Winston Taylor Matthew Weiss 3200 Steven Markle Matthew Weiss 2200
  • 49.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | How at risk am I? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 50.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | DBSAT blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 51.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | DBSAT My Oracle Support 2138254.1 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 52.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Pixabay PL/SQL Least Privilege Data R*******n Bind Variables Sanitize inputs blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Security Layers
  • 53.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | It's2018! no excuses... ... your data! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 54.
    Copyright © 2017,Oracle and/or its affiliates. All rights reserved. | Gratisography sqlmap.org #MakeDataGreatAgain blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon