The document discusses SQL injection, including its types, methodology, attack queries, and prevention. SQL injection is a code injection technique where a hacker manipulates SQL commands to access a database and sensitive information. It can result in identity spoofing, modifying data, gaining administrative privileges, denial of service attacks, and more. The document outlines the steps of a SQL injection attack and types of queries used. Prevention methods include minimizing privileges, coding standards, and firewalls.

1. SQL INJECTION
Types, Methodology, Attack Queries and
Prevention
Presented By
Sidharth s Rajeev
Titty Mareena George
Guided By
Dr. Juby Mathew

2. SQL Injection
 Structured Query Language (SQL) is a text language that allows
manipulating the data stored in the database through the commands
such as INSERT, UPDATE and DELETE etc.
 Code injection technique in which hacker manipulates the logic of
SQL command to obtain access on the database and other sensitive
information.
 Most common vulnerability present on the network.

3. Consequences of
SQL injection
 Loss of Confidentiality
 Loss Of authentication
 Loss of authorization
 Lack of Integrity

4. SQL Injection Threats
S.no Threat Description
1 Identity Spoofing In this attack people are duped to believe that
the respective mail or website is genuine while
actually not.
2 Changing the price
of original data
In this attack hacker modifies the original data
3 Modifying the
records resent in
the database
Attacker either detects the data from the
database or completely replaces the existing
data.
4 Gaining access over
administrative
privileges
Once the hacker gets successful in gaining
access on the system then to gain complete
access on both the system and the network he
seeks for the high privileges which are used by
the administrative number.
5 Denial of Service Multiple bugs request are sent to the server
which cannot be handle by the server as a
result there is a temporary halt in the service
and thus user is unable to access the system.

5. 6 Gaining access over highly sensitive
information
Once the hacker gain
access on the network,
the attacker obtain
access on the highly
sensitive information
such as credit card
number and other
monetary information.
7 Destroys the existing data present in the
database
After gaining the
complete access over the
system the attacker
destroys the existing data
completely resulting into
huge loss.
8 Attacks machine’s performance The attacker halts all the
important transactions
which is performed by
the system.
9 Modifies the existing data present in the
record
Once attacker obtains
complete access over the
system, he modifies the
existing data resulting
into huge losses

6. SQL Injection Attacks
 Authentication Bypass
 Leaking sensitive information
 Loss of Data Integrity
 Loss of availability of Data
 Remote Code Execution

7. Types of SQL Injection

8. SQL Injection
Step by Step

9. Steps involved are:
1. Information Gathering
2. SQL injection Vulnerability Detection
 First attacker lists all the input fields, hidden fields and posts requests
 Then attacker injects codes into the input field to generate an error
 Attacker enter ('), (;), (––), AND and/or in input field, if it generates an
error page then it means that the website is vulnerable towards the SQL
injection.
3. Launch SQL injection attack
4. Extract the data
5. Interact with operating system
6. Compromise the system

10. SQL Injection Queries
 SQL Injection Query
• This query is always true.

11.  Query for Updating Table
 Query for Adding New Records

12.  Query for Identifying Table Name
 Query for Deleting the Table

14. SQL Injection Tools

15. Preventing SQL Injection Attacks
 Minimizing the Privileges
 Implementation of Consistent Coding Standards
 SQL Server Firewalling