SlideShare a Scribd company logo

Sql injection

Download as PPTX, PDF
U
Uzair ul Haq Khan

This document discusses SQL injection, including how it works, examples of attacks, impact, types of SQL injection attacks, and defenses against SQL injection. SQL injection allows malicious SQL code to be injected into an entry field of a web application to gain unauthorized access to the underlying database. It remains a common web application security vulnerability. The document recommends data sanitization, web application firewalls, limiting database privileges, and using prepared statements instead of constructing SQL queries with user input to help defend against SQL injection attacks.

Software
1 of 16
• uzair
• Introduction • Attack Intent • Real World Examples • How SQL Injection works? • Video • Impact of SQL injection • Types of attacks • Hack a website • Defence Against SQL Injection • Other Injection Types • SQL Injection tools • Conclusion
• On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two Russians with the theft of 130 million credit card numbers using an SQL injection attack. • In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
• The ability to inject SQL commands into the database engine through an existing application • SQL injection is the use of publicly available fields to gain entry to your database. • This is done by entering SQL commands into your form fields instead of the expected data. • Improperly coded forms will allow a hacker to use them as an entry point to your database
Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’
What it is? SQL Injection allows a programmer user specified query to execute in the database
• Shell injection. • Scripting language injection. • File inclusion. • XML injection. • XPath injection. • LDAP injection. • SMTP injection.
• BSQL Hacker • SQLmap • SQLninja • Safe3 SQL Injector • SQLSus • Mole • Havij
1. Comprehensive data sanitization • Web sites must filter all user input • For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address. • Its SQL injection defenses can catch most attempts to sneak SQL through web channels.
2. Use a web application firewall • A popular example is the free, open source module ModSecurity. • ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests.
3. Limit database privileges by context • Create multiple database user accounts with the minimum levels of privilege for their usage environment. • For example, the code behind a login page should query the database using an account limited only to the relevent credentials table. • This way, a breach through this channel cannot be leveraged to compromise the entire database.
4. Avoid constructing SQL queries with user input • Even data sanitization routines can be flawed. • Using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries.
• The technique is based on malformed user-supplied data • Transform the innocent SQL calls to a malicious call • Cause unauthorized access, deletion of data, or theft of information • All databases can be a target of SQL injection and all are vulnerable to this technique. • The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
• https://www.owasp.org/index.php/Query_Parameterization_Cheat_S heet#Parameterized_Query_Examples • www.slideshare.net • www.beyondsecurity.com • www.breakthesecurity.cysecurity.org • http://www.esecurityplanet.com/ • http://resources.infosecinstitute.com/best-free-and-open-source-sql- injection-tools/

Recommended

Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404sRonan Dunne, CEH, SSCP
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
Shubham Takode
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
Sajid Hasan
 
Xss 101 by-sai-shanthan
Xss 101 by-sai-shanthanXss 101 by-sai-shanthan
Xss 101 by-sai-shanthanRaghunath G
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 

Recommended

Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404sRonan Dunne, CEH, SSCP
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
Shubham Takode
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
Sajid Hasan
 
Xss 101 by-sai-shanthan
Xss 101 by-sai-shanthanXss 101 by-sai-shanthan
Xss 101 by-sai-shanthanRaghunath G
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoS
Emil Tan
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
Fun With Http Handlers - Miguel A. Castro
Fun With Http Handlers - Miguel A. CastroFun With Http Handlers - Miguel A. Castro
Fun With Http Handlers - Miguel A. CastroMohammad Tayseer
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Secure Code Warrior
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
Shivanand Arur
 
Edugeeklogontracker
EdugeeklogontrackerEdugeeklogontracker
EdugeeklogontrackerEduGeek.net
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
Sam Bowne
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extensionNat Sakimura
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
Brute force
Brute forceBrute force
Brute forcePrajwal Panchmahalkar
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
penetration Tester
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
G Prachi
 
Web security
Web securityWeb security
Web security
dogangcr
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 

More Related Content

What's hot

SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoS
Emil Tan
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
Fun With Http Handlers - Miguel A. Castro
Fun With Http Handlers - Miguel A. CastroFun With Http Handlers - Miguel A. Castro
Fun With Http Handlers - Miguel A. CastroMohammad Tayseer
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Secure Code Warrior
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
Shivanand Arur
 
Edugeeklogontracker
EdugeeklogontrackerEdugeeklogontracker
EdugeeklogontrackerEduGeek.net
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
Sam Bowne
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extensionNat Sakimura
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 

What's hot (16)

SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoS
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Fun With Http Handlers - Miguel A. Castro
Fun With Http Handlers - Miguel A. CastroFun With Http Handlers - Miguel A. Castro
Fun With Http Handlers - Miguel A. Castro
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Edugeeklogontracker
EdugeeklogontrackerEdugeeklogontracker
Edugeeklogontracker
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
 
Brute force
Brute forceBrute force
Brute force
 

Similar to Sql injection

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
penetration Tester
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
G Prachi
 
Web security
Web securityWeb security
Web security
dogangcr
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
Aju Thomas
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
Osama Mustafa
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless Hacking
Don Anto
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
PetraVukmirovic
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
Mohammed Fazuluddin
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
siti829412
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
SQL Injection in JAVA
SQL Injection in JAVASQL Injection in JAVA
SQL Injection in JAVA
Hossein Yavari
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
csf_ppt.pptx
csf_ppt.pptxcsf_ppt.pptx
csf_ppt.pptx
0567Padma
 

Similar to Sql injection (20)

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Web security
Web securityWeb security
Web security
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless Hacking
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
Codeinjection
CodeinjectionCodeinjection
Codeinjection
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
a
aa
a
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
SQL Injection in JAVA
SQL Injection in JAVASQL Injection in JAVA
SQL Injection in JAVA
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
csf_ppt.pptx
csf_ppt.pptxcsf_ppt.pptx
csf_ppt.pptx
 

Recently uploaded

Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
bim.edu.pl
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
KrzysztofKkol1
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
Peter Caitens
 
Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
varshanayak241
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 

Recently uploaded (20)

Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 

Sql injection

  • 2. • Introduction • Attack Intent • Real World Examples • How SQL Injection works? • Video • Impact of SQL injection • Types of attacks • Hack a website • Defence Against SQL Injection • Other Injection Types • SQL Injection tools • Conclusion
  • 3. • On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two Russians with the theft of 130 million credit card numbers using an SQL injection attack. • In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
  • 4. • The ability to inject SQL commands into the database engine through an existing application • SQL injection is the use of publicly available fields to gain entry to your database. • This is done by entering SQL commands into your form fields instead of the expected data. • Improperly coded forms will allow a hacker to use them as an entry point to your database
  • 5. Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
  • 6. Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’
  • 7. What it is? SQL Injection allows a programmer user specified query to execute in the database
  • 8.
  • 9. • Shell injection. • Scripting language injection. • File inclusion. • XML injection. • XPath injection. • LDAP injection. • SMTP injection.
  • 10. • BSQL Hacker • SQLmap • SQLninja • Safe3 SQL Injector • SQLSus • Mole • Havij
  • 11. 1. Comprehensive data sanitization • Web sites must filter all user input • For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address. • Its SQL injection defenses can catch most attempts to sneak SQL through web channels.
  • 12. 2. Use a web application firewall • A popular example is the free, open source module ModSecurity. • ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests.
  • 13. 3. Limit database privileges by context • Create multiple database user accounts with the minimum levels of privilege for their usage environment. • For example, the code behind a login page should query the database using an account limited only to the relevent credentials table. • This way, a breach through this channel cannot be leveraged to compromise the entire database.
  • 14. 4. Avoid constructing SQL queries with user input • Even data sanitization routines can be flawed. • Using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries.
  • 15. • The technique is based on malformed user-supplied data • Transform the innocent SQL calls to a malicious call • Cause unauthorized access, deletion of data, or theft of information • All databases can be a target of SQL injection and all are vulnerable to this technique. • The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
  • 16. • https://www.owasp.org/index.php/Query_Parameterization_Cheat_S heet#Parameterized_Query_Examples • www.slideshare.net • www.beyondsecurity.com • www.breakthesecurity.cysecurity.org • http://www.esecurityplanet.com/ • http://resources.infosecinstitute.com/best-free-and-open-source-sql- injection-tools/