Uploaded byhelloanand
PPTX, PDF26,379 views

Sql Injection attacks and prevention

SQL injection is a critical security vulnerability that allows attackers to execute unintended SQL queries in a database, potentially leading to data theft or loss. To mitigate the risk, it is essential to escape and validate all user input, use prepared statements, and apply the principle of least privilege to database accounts. Additionally, guidelines for safe URL practices and awareness of common SQL injection patterns can help prevent these attacks.

Embed presentation

Downloaded 1,290 times
SQL Injection Anand Jain @helloanand Tech at Network18 1
What is it? SQL Injection allows a programmer user specified query to execute in the database 2
Excuse me, WHAT? Unintended SQL queries run in the DB Most of the times it also alters the original query 3
see how it happens we 4
Actual use case $sql = “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234 $result = mysql_query($sql); 5
SQL injected input $sql = “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234; DROP TABLE ARTICLES $result = mysql_query($sql); 6
Ok, but… How will the attacker know what I’ve named my table? 7
Good question 8
There are queries for that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(schema_name),2,3,4, 5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24 from information_schema.schemata -- 9
There are queries for that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(table_name),2,3,4,5 ,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database()-- 10
11
SQL Attack steps • Searching for a vulnerable point • Fingerprinting the backend DB • Enumerating or retrieving data of interest – table dumps, usernames/passwords etc. • Eventual exploiting the system once the information is handy – OS take over, data change, web server take over etc. 12
It is a very serious problem • The attacker can delete, modify or even worse, steal your data • Compromises the safety, security & trust of user data • Compromises a company’s competitiveness or even the ability to stay in business 13
How to mitigate the risk • Escape all user supplied input • Always validate input • Use prepared statements – For PHP+MySQL – use PDO with strongly typed parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB – Salt them and hash them 14
Escape & Validate input • Escape all input – Whether supplied via the URL or via POST data – Even for internal APIs – Anything that goes to the DB is escaped • Validate all input - Validating a Free Form Text Field for allowed chars (numbers, letters, whitespace, .-_) – ^[a-zA-Z0-9s._-]+$ (Any number of characters) – ^[a-zA-Z0-9s._-]{1-100}$ (This is better, since it limits this field to 1 to 100 characters) • source https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet 15
Least privilege • To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. • Do not assign DBA or admin type access rights to your application accounts. • Don't run your DBMS as root or system! 16
URL rules • No parentheses or angular brackets in the URLs – While saving or generating remove from the URLs – If you really need to have parentheses or angular brackets in the URL, then encode them • URL should not end with two or more dashes “--“ – While saving or generating remove these from the URLs • URL should not end with “/*” – While saving or generating remove these from the URLs • No schema, table or column names should be part of your URL • These rules should be followed even for AJAX/JSON URLs 17
Quick fixes • For companies that have a large setup or a lot of legacy code that will take a long time to audit and fix, put some SQL injection detection patterns in your Load Balancer itself • Enable mod_security on Apache • Run the RIPS scanner on your PHP code for detecting vulnerabilities - http://sourceforge.net/projects/rips-scanner/ 18
Common (My)SQL injection URL patterns • ending with “--” • ending with “/*” • containing UNION, (ALL), SELECT and FROM • BENCHMARK • Containing “information_schema” • Containing “load_file” 19
Further reading • SQL attacks by example - http://www.unixwiz.net/techtips/sql- injection.html • OWASP - https://www.owasp.org/index.php/SQL_Inject ion 20
source: http://xkcd.com/327/ Thanks 21

More Related Content

PDF
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
Ppt on sql injection
byashish20012
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPT
SQL Injection
byAdhoura Academy
 
PPT
Sql injection
byPallavi Biswas
 
PPTX
SQL Injection
byAsish Kumar Rath
 
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Ppt on sql injection
byashish20012
 
Sql injections - with example
byPrateek Chauhan
 
SQL Injection
byAdhoura Academy
 
Sql injection
byPallavi Biswas
 
SQL Injection
byAsish Kumar Rath
 

What's hot

PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPTX
SQL INJECTION
byMentorcs
 
PPTX
Sql injection
byZidh
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
SQL injection
byRaj Parmar
 
PPT
Sql injection
byNitish Kumar
 
PPTX
SQL Injection attack
byRayudu Babu
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPTX
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
PPTX
Sql injection
byHemendra Kumar
 
PPTX
Pentesting ReST API
byNutan Kumar Panda
 
PPTX
OWASP Top Ten 2017
byMichael Furman
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
A Brief Introduction in SQL Injection
bySina Manavi
 
SQL injection prevention techniques
bySongchaiDuangpan
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
Sql injection attack
byRajKumar Rampelli
 
Sql injection - security testing
byNapendra Singh
 
SQL INJECTION
byMentorcs
 
Sql injection
byZidh
 
seminar report on Sql injection
byJawhar Ali
 
Sql injection
byNikunj Dhameliya
 
SQL injection
byRaj Parmar
 
Sql injection
byNitish Kumar
 
SQL Injection attack
byRayudu Babu
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
Sql injection
byHemendra Kumar
 
Pentesting ReST API
byNutan Kumar Panda
 
OWASP Top Ten 2017
byMichael Furman
 
How to identify and prevent SQL injection
byEguardian Global Services
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
API Security Fundamentals
byJosé Haro Peralta
 

Similar to Sql Injection attacks and prevention

PDF
20111204 web security_livshits_lecture01
byComputer Science Club
 
PPSX
Web application security
bywww.netgains.org
 
PDF
Not so blind SQL Injection
byFrancisco Ribeiro
 
PPT
Sql injection attacks
bychaitanya Lotankar
 
PPT
Sql injection attacks
byNitish Kumar
 
PDF
My app is secure... I think
byWim Godden
 
PPT
Sql injection attacks
byKumar
 
PPTX
Sql injection
byMehul Boghra
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPTX
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
SQL INJECTION
byAnoop T
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
PDF
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PDF
SQL Injection: complete walkthrough (not only) for PHP developers
byKrzysztof Kotowicz
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
20111204 web security_livshits_lecture01
byComputer Science Club
 
Web application security
bywww.netgains.org
 
Not so blind SQL Injection
byFrancisco Ribeiro
 
Sql injection attacks
bychaitanya Lotankar
 
Sql injection attacks
byNitish Kumar
 
My app is secure... I think
byWim Godden
 
Sql injection attacks
byKumar
 
Sql injection
byMehul Boghra
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
SQL INJECTION
byAnoop T
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
SQL Injection: complete walkthrough (not only) for PHP developers
byKrzysztof Kotowicz
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 

Recently uploaded

PDF
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PDF
LUXHUB: a detailed look at 2025...and fast forward to 2026
byalexandrekeilmann1
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PPTX
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
LUXHUB: a detailed look at 2025...and fast forward to 2026
byalexandrekeilmann1
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 

Sql Injection attacks and prevention

  • 1.
    SQL Injection Anand Jain @helloanand Tech at Network18 1
  • 2.
    What is it? SQLInjection allows a programmer user specified query to execute in the database 2
  • 3.
    Excuse me, WHAT? Unintended SQL queries run in the DB Most of the times it also alters the original query 3
  • 4.
    see how ithappens we 4
  • 5.
    Actual use case $sql= “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234 $result = mysql_query($sql); 5
  • 6.
    SQL injected input $sql= “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234; DROP TABLE ARTICLES $result = mysql_query($sql); 6
  • 7.
    Ok, but… How willthe attacker know what I’ve named my table? 7
  • 8.
  • 9.
    There are queriesfor that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(schema_name),2,3,4, 5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24 from information_schema.schemata -- 9
  • 10.
    There are queriesfor that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(table_name),2,3,4,5 ,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database()-- 10
  • 11.
  • 12.
    SQL Attack steps •Searching for a vulnerable point • Fingerprinting the backend DB • Enumerating or retrieving data of interest – table dumps, usernames/passwords etc. • Eventual exploiting the system once the information is handy – OS take over, data change, web server take over etc. 12
  • 13.
    It is avery serious problem • The attacker can delete, modify or even worse, steal your data • Compromises the safety, security & trust of user data • Compromises a company’s competitiveness or even the ability to stay in business 13
  • 14.
    How to mitigatethe risk • Escape all user supplied input • Always validate input • Use prepared statements – For PHP+MySQL – use PDO with strongly typed parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB – Salt them and hash them 14
  • 15.
    Escape & Validateinput • Escape all input – Whether supplied via the URL or via POST data – Even for internal APIs – Anything that goes to the DB is escaped • Validate all input - Validating a Free Form Text Field for allowed chars (numbers, letters, whitespace, .-_) – ^[a-zA-Z0-9s._-]+$ (Any number of characters) – ^[a-zA-Z0-9s._-]{1-100}$ (This is better, since it limits this field to 1 to 100 characters) • source https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet 15
  • 16.
    Least privilege • Tominimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. • Do not assign DBA or admin type access rights to your application accounts. • Don't run your DBMS as root or system! 16
  • 17.
    URL rules • Noparentheses or angular brackets in the URLs – While saving or generating remove from the URLs – If you really need to have parentheses or angular brackets in the URL, then encode them • URL should not end with two or more dashes “--“ – While saving or generating remove these from the URLs • URL should not end with “/*” – While saving or generating remove these from the URLs • No schema, table or column names should be part of your URL • These rules should be followed even for AJAX/JSON URLs 17
  • 18.
    Quick fixes • Forcompanies that have a large setup or a lot of legacy code that will take a long time to audit and fix, put some SQL injection detection patterns in your Load Balancer itself • Enable mod_security on Apache • Run the RIPS scanner on your PHP code for detecting vulnerabilities - http://sourceforge.net/projects/rips-scanner/ 18
  • 19.
    Common (My)SQL injectionURL patterns • ending with “--” • ending with “/*” • containing UNION, (ALL), SELECT and FROM • BENCHMARK • Containing “information_schema” • Containing “load_file” 19
  • 20.
    Further reading • SQLattacks by example - http://www.unixwiz.net/techtips/sql- injection.html • OWASP - https://www.owasp.org/index.php/SQL_Inject ion 20
  • 21.