ND
Uploaded byNikunj Dhameliya
PPT, PDF2,989 views

Sql injection

The document discusses SQL injection attacks. It explains that SQL injection works by tricking web applications into treating malicious user input as SQL code rather than data. This allows attackers to view sensitive data from the database or make changes by having the application execute unintended SQL commands. The key to preventing SQL injection is using prepared statements with bound parameters rather than concatenating user input into SQL queries. Other types of injection attacks on different interpreters are also discussed.

Embed presentation

Downloaded 53 times
Topic :- SQL Injection Prepared by: Nikunj Dhameliya(115375) Student @ gvp ORACLE
Topics 1. What are injection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Prevent SQL Injection 5. Other Injection Attacks
Injection  Injection attacks trick an application into including unintended commands in the data send to an interpreter.  Interpreters  Interpret strings as commands.  Ex: SQL, shell (cmd.exe, bash)  Key Idea  Input data from the application is executed as code by the interpreter.
SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Web Server Attacker DB Server Firewall User Pass ‘ or 1=1-- Form
SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or1=1 -- SQL statement becomes: select count(* ) from use rs where use rnam e = ‘use r’ and passwo rd = ‘’ or1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2 Database Modification Attack: password = foo’; delete fromtable use rs where use rnam e like ‘% DB executes two SQL statements: select count(* ) fromuse rs where use rnam e = ‘use r’ and passwo rd = ‘fo o ’ delete fromtable use rs where use rnam e like ‘%’
Finding SQL Injection Bugs Submit a single quote as input. • If an error results, app is vulnerable. • If no error, check for any output changes. Submit two single quotes. • Databases use ’’ to represent literal ’ • If error disappears, app is vulnerable. Try string or numeric operators.  Oracle: ’||’FOO  MS-SQL: ‘+’FOO  MySQL: ’-’FOO  2-2  81+19  49-ASCII(1)
Injecting into SELECT Most common SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names
Injecting into INSERT Creates a new data row in a table. INSERT INTO table (col1, col2, ...) VALUES (val1, val2, ...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)--
Injecting into UPDATE Modifies one or more rows of data. UPDATE table SET col1=val1, col2=val2, ... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause ’ OR 1=1 will change all rows
UNION Combines SELECTs into one result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1st query.
More Examples (1)  Application authentication bypass using SQL injection.  Suppose a web form takes userID and password as input.  The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column.  Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.
More Example (2)  The following code could be an example of such bad practice: sqlString = “select USERID from USER where USERID = `” & userId & “` and PWD = `” & pwd & “`” result = GetQueryResult(sqlString) If(result = “”) then userHasBeenAuthenticated = False Else userHasBeenAuthenticated = True End If
More Example (3)  User ID: ` OR ``=`  Password: `OR ``=`  In this case the sqlString used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE  Which would certainly set the userHasBenAuthenticated variable to true.
More Example (4) User ID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.
More Example (5) User ID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.
Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.
The Cause: String Building Building a SQL command string with user input in any language is dangerous. • String concatenation with variables. • String format functions like sprintf(). • String templating with variable replacement.
Mitigating SQL Injection Ineffective Mitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries
Blacklists Filter out or Sanitize known bad SQL meta- characters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. Though it's easy to point out some dangerous characters, it's harder to point to all of them.
Stored Procedures Stored Procedures build strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128)) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. It's only proper binding with prepare/execute or direct SQL statements with bound variables that provide protection.
Whitelist Reject input that doesn’t match your list of safe characters to accept.  Identify what is good, not what is bad.  Reject input instead of attempting to repair.  Still have to deal with single quotes when required, such as in names.
Prepared Queries  bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters. Example in Perl: $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
Prepared Queries  bound parameters in Java Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
Other Injection Types  Shell injection.  Scripting language injection.  File inclusion.  XML injection.  XPath injection.  LDAP injection.  SMTP injection.
SQL injection Conclusion  SQL injection is technique for exploiting applications that use relational databases as their back end.  All databases can be a target of SQL injection and all are vulnerable to this technique.  SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.  The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
Thank You !

More Related Content

PPTX
SQL INJECTION
byMentorcs
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
Sql injection
byHemendra Kumar
 
PPTX
Sql injection
byZidh
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
Ppt on sql injection
byashish20012
 
SQL INJECTION
byMentorcs
 
Sql injection attack
byRajKumar Rampelli
 
Sql injection - security testing
byNapendra Singh
 
Sql Injection attacks and prevention
byhelloanand
 
Sql injection
byHemendra Kumar
 
Sql injection
byZidh
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Ppt on sql injection
byashish20012
 

What's hot

PPT
Sql injection
byNitish Kumar
 
PPTX
SQL Injection attack
byRayudu Babu
 
PDF
Lecture #24 : Cross Site Request Forgery (CSRF)
byDr. Ramchandra Mangrulkar
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPT
SQL Injection
byAdhoura Academy
 
PPT
Secure code practices
byHina Rawal
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPT
Sql injection
byPallavi Biswas
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPT
Cross Site Request Forgery
byTony Bibbs
 
PPTX
Sql injection
byNuruzzaman Milon
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
PPT
Advanced Sql Injection ENG
byDmitry Evteev
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
Sql injection
byNitish Kumar
 
SQL Injection attack
byRayudu Babu
 
Lecture #24 : Cross Site Request Forgery (CSRF)
byDr. Ramchandra Mangrulkar
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
SQL Injection
byAdhoura Academy
 
Secure code practices
byHina Rawal
 
Sql injections - with example
byPrateek Chauhan
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Sql injection
byPallavi Biswas
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
SQL Injection
byAsish Kumar Rath
 
Cross Site Request Forgery
byTony Bibbs
 
Sql injection
byNuruzzaman Milon
 
SQL injection prevention techniques
bySongchaiDuangpan
 
seminar report on Sql injection
byJawhar Ali
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
Advanced Sql Injection ENG
byDmitry Evteev
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Secure coding practices
byMohammed Danish Amber
 

Viewers also liked

PPTX
Social Media and Small Business
byStrategyWorks
 
PPT
Man-in-the-Middle in ARP/DNS Poisoning Phishing site
byWillyFooFoo
 
DOCX
impact of social networking sites on business
bynitish_singh
 
DOCX
Types of sql injection attacks
byRespa Peter
 
DOCX
Security Threats In Business Using Social Networking Sites.
byTasheen Sheikh
 
PPTX
The impact of social media
byememdesign
 
DOC
The effect-of-social-networking-sites
byRam Patil
 
Social Media and Small Business
byStrategyWorks
 
Man-in-the-Middle in ARP/DNS Poisoning Phishing site
byWillyFooFoo
 
impact of social networking sites on business
bynitish_singh
 
Types of sql injection attacks
byRespa Peter
 
Security Threats In Business Using Social Networking Sites.
byTasheen Sheikh
 
The impact of social media
byememdesign
 
The effect-of-social-networking-sites
byRam Patil
 

Similar to Sql injection

PPTX
Sql injection
byMehul Boghra
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PPTX
03. sql and other injection module v17
byEoin Keary
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
Advanced SQL Injection
byamiable_indian
 
PDF
SQL Injection
byMagno Logan
 
PPTX
SQL INJECTION
byZiaullah Khan
 
PDF
Sql injection
bySafwan Hashmi
 
PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PPTX
Sql injection
bySuraj Tiwari
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPSX
Web application security
bywww.netgains.org
 
PPTX
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PPT
Sql security
bySafwan Hashmi
 
PDF
Blind sql injection
byKagi Adrian Zinelli
 
PDF
Blind sql injection
byKagi Adrian Zinelli
 
PPTX
cybersecurity and sql injection for students
byVeenaShree20
 
PPT
8 sql injection
bydrewz lin
 
Sql injection
byMehul Boghra
 
Chapter 14 sql injection
bynewbie2019
 
03. sql and other injection module v17
byEoin Keary
 
Sql Injection Adv Owasp
byAung Khant
 
Advanced SQL Injection
byamiable_indian
 
SQL Injection
byMagno Logan
 
SQL INJECTION
byZiaullah Khan
 
Sql injection
bySafwan Hashmi
 
SQLi for Security Champions
byPetraVukmirovic
 
Sql injection
bySuraj Tiwari
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
Web application security
bywww.netgains.org
 
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
Sql security
bySafwan Hashmi
 
Blind sql injection
byKagi Adrian Zinelli
 
Blind sql injection
byKagi Adrian Zinelli
 
cybersecurity and sql injection for students
byVeenaShree20
 
8 sql injection
bydrewz lin
 

Recently uploaded

PDF
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
PPTX
Boost Productivity the Smart Way with AI Automation Solutions
byEllocent Labs
 
PPTX
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
PDF
DSD-INT 2025 Century-Scale Impacts of Sediment-Based Coastal Restoration unde...
byDeltares
 
PDF
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
PDF
DSD-INT 2025 Reviving a Lost Meander - Deen
byDeltares
 
PDF
DSD-INT 2025 The Sinterklaas Storm in the Southwest of the Netherlands - Wope...
byDeltares
 
PPTX
wAIred_LearnwithoutAI_KotlinDevDay_27112025.pptx
bySimonedeGijt
 
PDF
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
PDF
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
PPTX
CRM Development Company | Custom CRM Development Services
byyugababu033
 
PPTX
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
PPTX
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PDF
DSD-INT 2025 Timor-Leste Flood exposure and Climate Change assessment - Ogunwumi
byDeltares
 
PDF
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
PDF
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
PDF
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
Data Integration with Salesforce Bootcamp
byDele Amefo
 
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
Boost Productivity the Smart Way with AI Automation Solutions
byEllocent Labs
 
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
DSD-INT 2025 Century-Scale Impacts of Sediment-Based Coastal Restoration unde...
byDeltares
 
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
DSD-INT 2025 Reviving a Lost Meander - Deen
byDeltares
 
DSD-INT 2025 The Sinterklaas Storm in the Southwest of the Netherlands - Wope...
byDeltares
 
wAIred_LearnwithoutAI_KotlinDevDay_27112025.pptx
bySimonedeGijt
 
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
CRM Development Company | Custom CRM Development Services
byyugababu033
 
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
DSD-INT 2025 Timor-Leste Flood exposure and Climate Change assessment - Ogunwumi
byDeltares
 
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
Data Integration with Salesforce Bootcamp
byDele Amefo
 
In this document
Powered by AI

Introduction to SQL Injection and its various components including injection attacks, how they work, and topics covered such as exploiting and preventing SQL injection.

Injection attacks trick applications into executing unintended commands. Key concept is that input data is executed as code by interpreters like SQL.

Explains the process of SQL injection through examples. Attack scenarios include unauthorized access and database modification using specific SQL exploits.

Different techniques to find SQL injection bugs in applications such as input vulnerability tests, and how injection works in SELECT, INSERT, and UPDATE operations.

Advanced techniques include using UNION to read from tables, various examples showcasing user ID/password exploits leading to unauthorized access or data manipulation.

Describes the consequences of SQL injection including sensitive data leaks, reputation damage, and potential data loss.

Identifies the main cause of SQL injection vulnerabilities as building SQL command strings using user input, emphasizing the dangers of string concatenation.

Discusses ineffective and partially effective mitigations against SQL injection, focusing on prepared queries as the most secure method.

Introduces other types of injection attacks such as shell injection, script injection, and XML injection.

Summarizes SQL injection as a critical exploitation technique targeting relational databases and the vulnerabilities in application layers.

Concludes the presentation with a thank you note to the audience.

Sql injection

  • 1.
    Topic :- SQLInjection Prepared by: Nikunj Dhameliya(115375) Student @ gvp ORACLE
  • 2.
    Topics 1. What areinjection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Prevent SQL Injection 5. Other Injection Attacks
  • 3.
    Injection  Injection attackstrick an application into including unintended commands in the data send to an interpreter.  Interpreters  Interpret strings as commands.  Ex: SQL, shell (cmd.exe, bash)  Key Idea  Input data from the application is executed as code by the interpreter.
  • 4.
    SQL Injection 1. Appsends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Web Server Attacker DB Server Firewall User Pass ‘ or 1=1-- Form
  • 5.
    SQL Injection Attack#1 Unauthorized Access Attempt: password = ’ or1=1 -- SQL statement becomes: select count(* ) from use rs where use rnam e = ‘use r’ and passwo rd = ‘’ or1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
  • 6.
    SQL Injection Attack#2 Database Modification Attack: password = foo’; delete fromtable use rs where use rnam e like ‘% DB executes two SQL statements: select count(* ) fromuse rs where use rnam e = ‘use r’ and passwo rd = ‘fo o ’ delete fromtable use rs where use rnam e like ‘%’
  • 7.
    Finding SQL InjectionBugs Submit a single quote as input. • If an error results, app is vulnerable. • If no error, check for any output changes. Submit two single quotes. • Databases use ’’ to represent literal ’ • If error disappears, app is vulnerable. Try string or numeric operators.  Oracle: ’||’FOO  MS-SQL: ‘+’FOO  MySQL: ’-’FOO  2-2  81+19  49-ASCII(1)
  • 8.
    Injecting into SELECT Mostcommon SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names
  • 9.
    Injecting into INSERT Createsa new data row in a table. INSERT INTO table (col1, col2, ...) VALUES (val1, val2, ...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo’)-- foo’, 1)-- foo’, 1, 1)--
  • 10.
    Injecting into UPDATE Modifiesone or more rows of data. UPDATE table SET col1=val1, col2=val2, ... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause ’ OR 1=1 will change all rows
  • 11.
    UNION Combines SELECTs intoone result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo’ UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1st query.
  • 12.
    More Examples (1) Application authentication bypass using SQL injection.  Suppose a web form takes userID and password as input.  The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column.  Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.
  • 13.
    More Example (2) The following code could be an example of such bad practice: sqlString = “select USERID from USER where USERID = `” & userId & “` and PWD = `” & pwd & “`” result = GetQueryResult(sqlString) If(result = “”) then userHasBeenAuthenticated = False Else userHasBeenAuthenticated = True End If
  • 14.
    More Example (3) User ID: ` OR ``=`  Password: `OR ``=`  In this case the sqlString used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE  Which would certainly set the userHasBenAuthenticated variable to true.
  • 15.
    More Example (4) UserID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.
  • 16.
    More Example (5) UserID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.
  • 17.
    Impact of SQLInjection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.
  • 18.
    The Cause: StringBuilding Building a SQL command string with user input in any language is dangerous. • String concatenation with variables. • String format functions like sprintf(). • String templating with variable replacement.
  • 19.
    Mitigating SQL Injection IneffectiveMitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries
  • 20.
    Blacklists Filter out orSanitize known bad SQL meta- characters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. Though it's easy to point out some dangerous characters, it's harder to point to all of them.
  • 21.
    Stored Procedures Stored Proceduresbuild strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128)) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection. It's only proper binding with prepare/execute or direct SQL statements with bound variables that provide protection.
  • 22.
    Whitelist Reject input thatdoesn’t match your list of safe characters to accept.  Identify what is good, not what is bad.  Reject input instead of attempting to repair.  Still have to deal with single quotes when required, such as in names.
  • 23.
    Prepared Queries  boundparameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters. Example in Perl: $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
  • 24.
    Prepared Queries  boundparameters in Java Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
  • 25.
    Other Injection Types Shell injection.  Scripting language injection.  File inclusion.  XML injection.  XPath injection.  LDAP injection.  SMTP injection.
  • 26.
    SQL injection Conclusion SQL injection is technique for exploiting applications that use relational databases as their back end.  All databases can be a target of SQL injection and all are vulnerable to this technique.  SQL injection use the fact that many of these applications concatenate the fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.  The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
  • 27.

Editor's Notes

  • #7 Principle of Least Privilege likely violated as web server user needs privileges to do all operators permitted on users, including deleting them.