Kevin Alcock, profile picture
Uploaded byKevin Alcock
PPTX, PDF248 views

Protecting your data from SQL Injection attacks

The presentation by Kevin Alcock discusses SQL injection attacks, outlining their risks and the importance of protection against them. It covers defensive techniques like prepared statements, stored procedures, and least privilege access, as well as the use of web application firewalls. The speaker emphasizes the need for comprehensive testing and awareness to prevent such vulnerabilities.

Software
Related topics:
Information Security

Embed presentation

Download to read offline
Protecting your data from SQL Injection attacks July 20, 2016 Kevin Alcock
WARNING! This presentation contains live hacking by a trained professional* Please do not try this at home * Kevin is a Offensive Security Certified Profession (OSCP), only try this on computer on which you are authorised to do so.
Who is this old guy? • 30 years of software development and delivery • 10 years in North America • Mainly in Banking, Utilities, Telcos, Local Government and Health • @kevinnz
this old guy… • Co-organiser ISIG-CHC meetup • Offensive Security Certified Professional (OSCP) • Katipo Information Security Ltd. • Been using MS-SQL since Version 1.1 (AKA Sybase 4.2)
OWASP TOP 10 A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
SQL Injection (SQLi) • First reported in 1998 (http://phrack.org/issues/54/1.html) • insertion or "injection" of a SQL query via the input data from the client to the application • ‘ or 1 =1 ;#
Why is it bad? • can read sensitive data from the database • modify database data (Insert/Update/Delete) • execute administration operations on the database (such as shutdown the DBMS) • recover the content of a given file present on the DBMS file system • in some cases issue commands to the operating system
Demo
Defense
Prepared Statements (with Parameterized Queries) cmd.CommandText = "SELECT T1.postid, T1.catid, T1.posttitle, T1.postbrief, T1.postbody, T1.postenabled, T2.catid, T2 cmd.Connection = conn; var idParam = new SqlParameter { ParameterName = "@POSTID", sqlDbType = SqlDbType.Integer, Size = 8, Direction = ParameterDirection.Input, Value = postId }; cmd.Parameters.Add(idParam); C#
Stored Procedures Try Dim command As SqlCommand = new SqlCommand("sp_getAccountBalance", connection) command.CommandType = CommandType.StoredProcedure command.Parameters.Add(new SqlParameter("@CustomerName", CustomerName.Text)) Dim reader As SqlDataReader = command.ExecuteReader() ‘ … Catch se As SqlException ‘ error handling End Try VB
White List Input Validation public String someMethod(boolean sortOrder) { String SQLquery = "some SQL ... order by Salary " + (sortOrder ? "ASC" : "DESC"); ...
Escaping All User Supplied Input declare @data sysname set @data = ‘data’ — Will print [data] print quotename( @data ) set @data = ‘this data needs to be escaped: ] ‘ — Will print [this data needs to be escaped: ]] ] print quotename( @data ) TSQL
Least Privilege • Use a separate user account ( not SA) • GRANT as least amount of access • Don’t run as SYSTEM!!!!!!! • Don’t assume trust across boundaries
Web Application Firewall (WAF) • Commercial (F5, Check Point, Imperva) • Cloud (Red Shield, CloudFlare) • Open Source (mod-security, AppArmor)
Test for it • Yes you can • Automated integration of OWASP ZAP into your CI • Add to junk input of scripts • … humans • Pentest from internal or external team • “Free” Pentest
Code Review • Add SQLi to your list to look for • Get a code review • Peer • Intra company teams • External
Summary • SQLi is bad • Don’t use one defensive technique • Catch it before the bad guys do • http://security.stackexchange.com/questions/12841 2/sql-injection-is-17-years-old-why-is-it-still-around
Check out • http://bobby-tables.com • https://bitbucket.org/t0x0/fooblog • Open Web Security Project (http://owasp.org) • Local ISIG and OWASP meet ups • https://2016.chcon.nz
Thanks • @TheHybridDBA for inviting me • @t0x0_nz for his broken app • and you for listening to me rant :)

More Related Content

PDF
NestJS
byWilson Su
 
PDF
2nd-Order-SQLi-Josh
byJoshua S. Clark, CISSP
 
PDF
Nestjs MasterClass Slides
byNir Kaufman
 
PPT
Asegúr@IT IV - Remote File Downloading
byChema Alonso
 
PDF
End to end todo list app with NestJs - Angular - Redux & Redux Saga
byBabacar NIANG
 
PPTX
Codemotion 2013: Feliz 15 aniversario, SQL Injection
byChema Alonso
 
ZIP
Introduction to SQLite in Adobe AIR 1.5
byPeter Elst
 
DOCX
C#
byArmando Gonzalez
 
NestJS
byWilson Su
 
2nd-Order-SQLi-Josh
byJoshua S. Clark, CISSP
 
Nestjs MasterClass Slides
byNir Kaufman
 
Asegúr@IT IV - Remote File Downloading
byChema Alonso
 
End to end todo list app with NestJs - Angular - Redux & Redux Saga
byBabacar NIANG
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
byChema Alonso
 
Introduction to SQLite in Adobe AIR 1.5
byPeter Elst
 
C#
byArmando Gonzalez
 

What's hot

PPTX
Learn AJAX at ASIT
byASIT
 
PDF
MegaScriptSample - Released x-x-15
byBob Powers
 
PDF
What's new in Django 1.7
byDaniel Roseman
 
PPTX
Understanding reactive programming with microsoft reactive extensions
byOleksandr Zhevzhyk
 
PDF
iOS Keychain by 흰, 민디
byMINJICHO20
 
PDF
What's New in Django 1.6
bySiva Arunachalam
 
PDF
第一次用Parse就深入淺出
byYmow Wu
 
PPTX
Asp.net identity 2.0
byGelis Wu
 
PPTX
Кирилл Безпалый, .NET Developer, Ciklum
byAlina Vilk
 
PPTX
SQL and XPATH Injection with Fusion Lite Insight
byiAppSecure Solutions
 
PDF
Scala.js - yet another what..?
byArtur Skowroński
 
PDF
Fighting security trolls_with_high-quality_mindsets
byddeogun
 
PPTX
Leveraging parse.com for Speedy Development
byAndrew Kozlik
 
TXT
Birhanu distributive assignment
byuniversity
 
PDF
Take Data Validation Seriously - Paul Milham, WildWorks
byNodejsFoundation
 
PPTX
20131004 - Sq lite sample by Jax
byLearningTech
 
PDF
Supercharging WordPress Development - Wordcamp Brighton 2019
byAdam Tomat
 
PDF
BDD in iOS with Cedar
byJason McCreary
 
PPTX
Getting started with Elasticsearch and .NET
byTomas Jansson
 
PDF
Performance Tuning of .NET Application
byMainul Islam, CSM®
 
Learn AJAX at ASIT
byASIT
 
MegaScriptSample - Released x-x-15
byBob Powers
 
What's new in Django 1.7
byDaniel Roseman
 
Understanding reactive programming with microsoft reactive extensions
byOleksandr Zhevzhyk
 
iOS Keychain by 흰, 민디
byMINJICHO20
 
What's New in Django 1.6
bySiva Arunachalam
 
第一次用Parse就深入淺出
byYmow Wu
 
Asp.net identity 2.0
byGelis Wu
 
Кирилл Безпалый, .NET Developer, Ciklum
byAlina Vilk
 
SQL and XPATH Injection with Fusion Lite Insight
byiAppSecure Solutions
 
Scala.js - yet another what..?
byArtur Skowroński
 
Fighting security trolls_with_high-quality_mindsets
byddeogun
 
Leveraging parse.com for Speedy Development
byAndrew Kozlik
 
Birhanu distributive assignment
byuniversity
 
Take Data Validation Seriously - Paul Milham, WildWorks
byNodejsFoundation
 
20131004 - Sq lite sample by Jax
byLearningTech
 
Supercharging WordPress Development - Wordcamp Brighton 2019
byAdam Tomat
 
BDD in iOS with Cedar
byJason McCreary
 
Getting started with Elasticsearch and .NET
byTomas Jansson
 
Performance Tuning of .NET Application
byMainul Islam, CSM®
 

Viewers also liked

PDF
Андрей Лисниченко "SQL Injection"
byAnna Shymchenko
 
PPT
Sql injection attacks
byNitish Kumar
 
PPTX
Sql injection attack_analysis_py_vo
byJirka Vejrazka
 
PPT
Sql Injection Attacks And Defense Presentatio (1)
byguest32e5cfe
 
PPT
Sql injection
byNitish Kumar
 
PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
PDF
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
byPichaya Morimoto
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PPTX
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
byShivam Sahu
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
PPTX
Sql injection
byHemendra Kumar
 
PPTX
SQL Injection Defense in Python
byPublic Broadcasting Service
 
PPTX
SQL Injection
byMarios Siganos
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PPT
SQL Injection
byAdhoura Academy
 
PPTX
Sql injection
byZidh
 
PDF
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
Андрей Лисниченко "SQL Injection"
byAnna Shymchenko
 
Sql injection attacks
byNitish Kumar
 
Sql injection attack_analysis_py_vo
byJirka Vejrazka
 
Sql Injection Attacks And Defense Presentatio (1)
byguest32e5cfe
 
Sql injection
byNitish Kumar
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
byPichaya Morimoto
 
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
byShivam Sahu
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
Sql injection
byHemendra Kumar
 
SQL Injection Defense in Python
byPublic Broadcasting Service
 
SQL Injection
byMarios Siganos
 
Types of sql injection attacks
byRespa Peter
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
SQL Injection
byAdhoura Academy
 
Sql injection
byZidh
 
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 

Similar to Protecting your data from SQL Injection attacks

PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PDF
SQL injection Colombo Cybersecurity Meetup
byJanith Malinga
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PPTX
Sql injection
byMehul Boghra
 
PPTX
Intro to SQL Injection
byhon1nbo
 
PDF
Owasp Backend Security Project 1.0beta
bySecurity Date
 
PPTX
SQL Injection Attacks: Is Your Data Secure? .NET Edition
byBert Wagner
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PPTX
Sql injection
byManjushree Mashal
 
PPTX
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
PPTX
SQL Injection: Unraveling the Threats
byInsecureLab
 
PPTX
Sql injection
byPraneeth Perera
 
PDF
Sql injection
bySafwan Hashmi
 
PPTX
Sql Injection V.2
byTjylen Veselyj
 
PPTX
SQL INJECTION
byZiaullah Khan
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
SQL INJECTION
byAnoop T
 
SQLi for Security Champions
byPetraVukmirovic
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
SQL injection Colombo Cybersecurity Meetup
byJanith Malinga
 
How to identify and prevent SQL injection
byEguardian Global Services
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
Sql injection
byMehul Boghra
 
Intro to SQL Injection
byhon1nbo
 
Owasp Backend Security Project 1.0beta
bySecurity Date
 
SQL Injection Attacks: Is Your Data Secure? .NET Edition
byBert Wagner
 
Understanding and preventing sql injection attacks
byKevin Kline
 
Sql injection
byManjushree Mashal
 
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
SQL Injection: Unraveling the Threats
byInsecureLab
 
Sql injection
byPraneeth Perera
 
Sql injection
bySafwan Hashmi
 
Sql Injection V.2
byTjylen Veselyj
 
SQL INJECTION
byZiaullah Khan
 
Sql injection
byNikunj Dhameliya
 
SQL INJECTION
byAnoop T
 

Recently uploaded

PPTX
European Food Delivery Benchmarking – Wolt, Bolt Food, Foodora, TakeAway
byinfoactowizsolutions
 
PDF
REST in Peace (Laravel Senegal Meetup 2025)
byWendell Adriel
 
PPTX
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
PPTX
The Triple Bottom Line of Software: Uses, Misuses, and Strategic Risks
byrawaisah124
 
PDF
AI Concepts - MCP Neurons - part of a series
byPhilip Schwarz
 
PDF
SXP Market 2025-2035: $6.1B Future of Student Experience Platforms
bySatyanarayan Shambhu
 
PDF
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
PDF
DSD-INT 2025 Groundwatermodel Flanders coastal zone - Application of parallel...
byDeltares
 
PDF
The Hidden Cost of “Quick” Web App Development
byiProgrammer Solutions Private Limited
 
PPTX
How to Extract Google Maps Business Leads Efficiently
bywakasoftteam
 
PPTX
Choosing Your Web3 Architecture: L1 vs L2 vs Appchain
bystorygamemarketing
 
PDF
Mitr Sarthi: A Smart ERP for Modern Manufacturers
byGamavis Software Solutions
 
PDF
DSD-INT 2025 MODFLOW 6 Developments - Langevin
byDeltares
 
PDF
DSD-INT 2025 Overview of iMOD and new developments - van Engelen
byDeltares
 
PPTX
A practical and beginner-friendly guide to understanding data structures in J...
bynaingseihahs
 
PDF
DSD-INT 2025 An Introduction to MODFLOW 6 Solver Settings (Without the Agoniz...
byDeltares
 
PDF
HTML 5 CSS 3 DEVELOPMENT TECHNOLOGY.pdf
bydavidjohansen1597
 
PDF
DSD-INT 2025 MODFLOW 6 and iMOD User Day - Introduction - Kroon
byDeltares
 
PDF
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
PDF
Cloud Engineering Services | Infysion Technologies
bysolutioninginfysion
 
European Food Delivery Benchmarking – Wolt, Bolt Food, Foodora, TakeAway
byinfoactowizsolutions
 
REST in Peace (Laravel Senegal Meetup 2025)
byWendell Adriel
 
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
The Triple Bottom Line of Software: Uses, Misuses, and Strategic Risks
byrawaisah124
 
AI Concepts - MCP Neurons - part of a series
byPhilip Schwarz
 
SXP Market 2025-2035: $6.1B Future of Student Experience Platforms
bySatyanarayan Shambhu
 
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
DSD-INT 2025 Groundwatermodel Flanders coastal zone - Application of parallel...
byDeltares
 
The Hidden Cost of “Quick” Web App Development
byiProgrammer Solutions Private Limited
 
How to Extract Google Maps Business Leads Efficiently
bywakasoftteam
 
Choosing Your Web3 Architecture: L1 vs L2 vs Appchain
bystorygamemarketing
 
Mitr Sarthi: A Smart ERP for Modern Manufacturers
byGamavis Software Solutions
 
DSD-INT 2025 MODFLOW 6 Developments - Langevin
byDeltares
 
DSD-INT 2025 Overview of iMOD and new developments - van Engelen
byDeltares
 
A practical and beginner-friendly guide to understanding data structures in J...
bynaingseihahs
 
DSD-INT 2025 An Introduction to MODFLOW 6 Solver Settings (Without the Agoniz...
byDeltares
 
HTML 5 CSS 3 DEVELOPMENT TECHNOLOGY.pdf
bydavidjohansen1597
 
DSD-INT 2025 MODFLOW 6 and iMOD User Day - Introduction - Kroon
byDeltares
 
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
Cloud Engineering Services | Infysion Technologies
bysolutioninginfysion
 

Protecting your data from SQL Injection attacks

  • 1.
    Protecting your datafrom SQL Injection attacks July 20, 2016 Kevin Alcock
  • 2.
    WARNING! This presentation containslive hacking by a trained professional* Please do not try this at home * Kevin is a Offensive Security Certified Profession (OSCP), only try this on computer on which you are authorised to do so.
  • 3.
    Who is thisold guy? • 30 years of software development and delivery • 10 years in North America • Mainly in Banking, Utilities, Telcos, Local Government and Health • @kevinnz
  • 4.
    this old guy… •Co-organiser ISIG-CHC meetup • Offensive Security Certified Professional (OSCP) • Katipo Information Security Ltd. • Been using MS-SQL since Version 1.1 (AKA Sybase 4.2)
  • 5.
    OWASP TOP 10 A1- Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
  • 6.
    SQL Injection (SQLi) •First reported in 1998 (http://phrack.org/issues/54/1.html) • insertion or "injection" of a SQL query via the input data from the client to the application • ‘ or 1 =1 ;#
  • 7.
    Why is itbad? • can read sensitive data from the database • modify database data (Insert/Update/Delete) • execute administration operations on the database (such as shutdown the DBMS) • recover the content of a given file present on the DBMS file system • in some cases issue commands to the operating system
  • 8.
  • 9.
  • 10.
    Prepared Statements (with ParameterizedQueries) cmd.CommandText = "SELECT T1.postid, T1.catid, T1.posttitle, T1.postbrief, T1.postbody, T1.postenabled, T2.catid, T2 cmd.Connection = conn; var idParam = new SqlParameter { ParameterName = "@POSTID", sqlDbType = SqlDbType.Integer, Size = 8, Direction = ParameterDirection.Input, Value = postId }; cmd.Parameters.Add(idParam); C#
  • 11.
    Stored Procedures Try Dim commandAs SqlCommand = new SqlCommand("sp_getAccountBalance", connection) command.CommandType = CommandType.StoredProcedure command.Parameters.Add(new SqlParameter("@CustomerName", CustomerName.Text)) Dim reader As SqlDataReader = command.ExecuteReader() ‘ … Catch se As SqlException ‘ error handling End Try VB
  • 12.
    White List Input Validation publicString someMethod(boolean sortOrder) { String SQLquery = "some SQL ... order by Salary " + (sortOrder ? "ASC" : "DESC"); ...
  • 13.
    Escaping All UserSupplied Input declare @data sysname set @data = ‘data’ — Will print [data] print quotename( @data ) set @data = ‘this data needs to be escaped: ] ‘ — Will print [this data needs to be escaped: ]] ] print quotename( @data ) TSQL
  • 14.
    Least Privilege • Usea separate user account ( not SA) • GRANT as least amount of access • Don’t run as SYSTEM!!!!!!! • Don’t assume trust across boundaries
  • 15.
    Web Application Firewall (WAF) •Commercial (F5, Check Point, Imperva) • Cloud (Red Shield, CloudFlare) • Open Source (mod-security, AppArmor)
  • 16.
    Test for it •Yes you can • Automated integration of OWASP ZAP into your CI • Add to junk input of scripts • … humans • Pentest from internal or external team • “Free” Pentest
  • 17.
    Code Review • AddSQLi to your list to look for • Get a code review • Peer • Intra company teams • External
  • 18.
    Summary • SQLi isbad • Don’t use one defensive technique • Catch it before the bad guys do • http://security.stackexchange.com/questions/12841 2/sql-injection-is-17-years-old-why-is-it-still-around
  • 19.
    Check out • http://bobby-tables.com •https://bitbucket.org/t0x0/fooblog • Open Web Security Project (http://owasp.org) • Local ISIG and OWASP meet ups • https://2016.chcon.nz
  • 20.
    Thanks • @TheHybridDBA forinviting me • @t0x0_nz for his broken app • and you for listening to me rant :)