UK
Uploaded byUzair ul Haq Khan
PPTX, PDF81 views

Sql injection

This document discusses SQL injection, including how it works, examples of attacks, impact, types of SQL injection attacks, and defenses against SQL injection. SQL injection allows malicious SQL code to be injected into an entry field of a web application to gain unauthorized access to the underlying database. It remains a common web application security vulnerability. The document recommends data sanitization, web application firewalls, limiting database privileges, and using prepared statements instead of constructing SQL queries with user input to help defend against SQL injection attacks.

Embed presentation

Download to read offline
• uzair
• Introduction • Attack Intent • Real World Examples • How SQL Injection works? • Video • Impact of SQL injection • Types of attacks • Hack a website • Defence Against SQL Injection • Other Injection Types • SQL Injection tools • Conclusion
• On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two Russians with the theft of 130 million credit card numbers using an SQL injection attack. • In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
• The ability to inject SQL commands into the database engine through an existing application • SQL injection is the use of publicly available fields to gain entry to your database. • This is done by entering SQL commands into your form fields instead of the expected data. • Improperly coded forms will allow a hacker to use them as an entry point to your database
Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’
What it is? SQL Injection allows a programmer user specified query to execute in the database
• Shell injection. • Scripting language injection. • File inclusion. • XML injection. • XPath injection. • LDAP injection. • SMTP injection.
• BSQL Hacker • SQLmap • SQLninja • Safe3 SQL Injector • SQLSus • Mole • Havij
1. Comprehensive data sanitization • Web sites must filter all user input • For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address. • Its SQL injection defenses can catch most attempts to sneak SQL through web channels.
2. Use a web application firewall • A popular example is the free, open source module ModSecurity. • ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests.
3. Limit database privileges by context • Create multiple database user accounts with the minimum levels of privilege for their usage environment. • For example, the code behind a login page should query the database using an account limited only to the relevent credentials table. • This way, a breach through this channel cannot be leveraged to compromise the entire database.
4. Avoid constructing SQL queries with user input • Even data sanitization routines can be flawed. • Using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries.
• The technique is based on malformed user-supplied data • Transform the innocent SQL calls to a malicious call • Cause unauthorized access, deletion of data, or theft of information • All databases can be a target of SQL injection and all are vulnerable to this technique. • The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
• https://www.owasp.org/index.php/Query_Parameterization_Cheat_S heet#Parameterized_Query_Examples • www.slideshare.net • www.beyondsecurity.com • www.breakthesecurity.cysecurity.org • http://www.esecurityplanet.com/ • http://resources.infosecinstitute.com/best-free-and-open-source-sql- injection-tools/

More Related Content

PPTX
Web application attacks
byhruth
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PPTX
Error codes & custom 404s
byRonan Dunne, CEH, SSCP
 
PPTX
Website Hacking and Preventive Measures
byShubham Takode
 
PPTX
Web Security Attacks
bySajid Hasan
 
PDF
Xss 101 by-sai-shanthan
byRaghunath G
 
PPTX
Presentation on Web Attacks
byVivek Sinha Anurag
 
PPTX
ASP.NET View State - Security Issues
byRonan Dunne, CEH, SSCP
 
Web application attacks
byhruth
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Error codes & custom 404s
byRonan Dunne, CEH, SSCP
 
Website Hacking and Preventive Measures
byShubham Takode
 
Web Security Attacks
bySajid Hasan
 
Xss 101 by-sai-shanthan
byRaghunath G
 
Presentation on Web Attacks
byVivek Sinha Anurag
 
ASP.NET View State - Security Issues
byRonan Dunne, CEH, SSCP
 

What's hot

PPTX
SQL injection implementation and prevention
byRejaul Islam Royel
 
PDF
SQL Injection and DoS
byEmil Tan
 
PPT
Hacking A Web Site And Secure Web Server Techniques Used
bySiddharth Bhattacharya
 
PPTX
ASP.NET Web Security
bySharePointRadi
 
PDF
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
PPTX
Cross Domain Hijacking - File Upload Vulnerability
byRonan Dunne, CEH, SSCP
 
PPTX
Security asp.net application
byZAIYAUL HAQUE
 
PPT
Fun With Http Handlers - Miguel A. Castro
byMohammad Tayseer
 
PPTX
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
PPTX
Secure Code Warrior - Issues with origins
bySecure Code Warrior
 
PPTX
Authentication and Authorization in Asp.Net
byShivanand Arur
 
PPTX
Edugeeklogontracker
byEduGeek.net
 
PDF
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
PPTX
Transient client secret extension
byNat Sakimura
 
PPTX
Secure Code Warrior - Remote file inclusion
bySecure Code Warrior
 
PPT
Brute force
byPrajwal Panchmahalkar
 
SQL injection implementation and prevention
byRejaul Islam Royel
 
SQL Injection and DoS
byEmil Tan
 
Hacking A Web Site And Secure Web Server Techniques Used
bySiddharth Bhattacharya
 
ASP.NET Web Security
bySharePointRadi
 
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
Cross Domain Hijacking - File Upload Vulnerability
byRonan Dunne, CEH, SSCP
 
Security asp.net application
byZAIYAUL HAQUE
 
Fun With Http Handlers - Miguel A. Castro
byMohammad Tayseer
 
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
Secure Code Warrior - Issues with origins
bySecure Code Warrior
 
Authentication and Authorization in Asp.Net
byShivanand Arur
 
Edugeeklogontracker
byEduGeek.net
 
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
Transient client secret extension
byNat Sakimura
 
Secure Code Warrior - Remote file inclusion
bySecure Code Warrior
 
Brute force
byPrajwal Panchmahalkar
 

Similar to Sql injection

PPTX
SQL INJECTION
byAnoop T
 
PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
PDF
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
PPTX
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
PPTX
Sql injection
byThe Avi Sharma
 
PPTX
Sql Injection
bypenetration Tester
 
PPT
Sql injection
byPallavi Biswas
 
PDF
IRJET- Detection of SQL Injection using Machine Learning : A Survey
byIRJET Journal
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PPTX
Sql injection
byManjushree Mashal
 
PPTX
Sql Injection
byAju Thomas
 
PPT
Sql security
bySafwan Hashmi
 
PDF
Introduction to SQL Injections
byHaim Michael
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
PPT
Sql injection attacks
bychaitanya Lotankar
 
PPTX
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
SQL INJECTION
byAnoop T
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
Sql injection
byThe Avi Sharma
 
Sql Injection
bypenetration Tester
 
Sql injection
byPallavi Biswas
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
byIRJET Journal
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
Understanding and preventing sql injection attacks
byKevin Kline
 
Sql injection
byManjushree Mashal
 
Sql Injection
byAju Thomas
 
Sql security
bySafwan Hashmi
 
Introduction to SQL Injections
byHaim Michael
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
Sql injection attacks
bychaitanya Lotankar
 
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 

Recently uploaded

PPTX
Java Spring Boot Development Services in USA
bydavidjohansen1597
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
LogiNext Media Kit & Company Overview 2025
bydhrutipatelk5617
 
PDF
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
PDF
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
PDF
How to find your event photos instantly with a selfie using SnapSeek
bySnapSeek.app
 
PDF
Own Your Domain Before It Owns You - Domain Driven Design for Pragmaticians
byPosedio GmbH
 
PDF
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
PPTX
iufdh gugh w4i rvhdio tj43ko jdi90ft kj32whidglt
byjeromeschool1976
 
PDF
ChampionMATES – Compete With Friends. Predict Sports. Become the Champion.
byRafal Ksiazek
 
PDF
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
PDF
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
GDG ON CAMPUS NETAJI SUBHASH ENGINEERING COLLEGE BUILDING INTELLIGENT WEB APP...
bydscnsecorg
 
PDF
Accelerating Data Validation with QuerySurge AI
byRTTS
 
PDF
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
PDF
🤖🧰 SPRING AI AGENTIC PATTERNS (PART 1): AGENT SKILLS
byVincent Vauban
 
PDF
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
PDF
LogiNext Media Kit & Company Overview 2025
bysmritipatil055
 
PPTX
Marketo API Deep Dive From Basics to AI-Ready Foundations - January 2026.pptx
bybbedford2
 
Java Spring Boot Development Services in USA
bydavidjohansen1597
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
LogiNext Media Kit & Company Overview 2025
bydhrutipatelk5617
 
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
How to find your event photos instantly with a selfie using SnapSeek
bySnapSeek.app
 
Own Your Domain Before It Owns You - Domain Driven Design for Pragmaticians
byPosedio GmbH
 
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
iufdh gugh w4i rvhdio tj43ko jdi90ft kj32whidglt
byjeromeschool1976
 
ChampionMATES – Compete With Friends. Predict Sports. Become the Champion.
byRafal Ksiazek
 
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
GDG ON CAMPUS NETAJI SUBHASH ENGINEERING COLLEGE BUILDING INTELLIGENT WEB APP...
bydscnsecorg
 
Accelerating Data Validation with QuerySurge AI
byRTTS
 
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
🤖🧰 SPRING AI AGENTIC PATTERNS (PART 1): AGENT SKILLS
byVincent Vauban
 
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
LogiNext Media Kit & Company Overview 2025
bysmritipatil055
 
Marketo API Deep Dive From Basics to AI-Ready Foundations - January 2026.pptx
bybbedford2
 

Sql injection

  • 1.
  • 2.
    • Introduction • AttackIntent • Real World Examples • How SQL Injection works? • Video • Impact of SQL injection • Types of attacks • Hack a website • Defence Against SQL Injection • Other Injection Types • SQL Injection tools • Conclusion
  • 3.
    • On August17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two Russians with the theft of 130 million credit card numbers using an SQL injection attack. • In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
  • 4.
    • The abilityto inject SQL commands into the database engine through an existing application • SQL injection is the use of publicly available fields to gain entry to your database. • This is done by entering SQL commands into your form fields instead of the expected data. • Improperly coded forms will allow a hacker to use them as an entry point to your database
  • 5.
    Unauthorized Access Attempt: password= ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.
  • 6.
    Database Modification Attack: password= foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’
  • 7.
    What it is? SQLInjection allows a programmer user specified query to execute in the database
  • 9.
    • Shell injection. •Scripting language injection. • File inclusion. • XML injection. • XPath injection. • LDAP injection. • SMTP injection.
  • 10.
    • BSQL Hacker •SQLmap • SQLninja • Safe3 SQL Injector • SQLSus • Mole • Havij
  • 11.
    1. Comprehensive datasanitization • Web sites must filter all user input • For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address. • Its SQL injection defenses can catch most attempts to sneak SQL through web channels.
  • 12.
    2. Use aweb application firewall • A popular example is the free, open source module ModSecurity. • ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests.
  • 13.
    3. Limit databaseprivileges by context • Create multiple database user accounts with the minimum levels of privilege for their usage environment. • For example, the code behind a login page should query the database using an account limited only to the relevent credentials table. • This way, a breach through this channel cannot be leveraged to compromise the entire database.
  • 14.
    4. Avoid constructingSQL queries with user input • Even data sanitization routines can be flawed. • Using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries.
  • 15.
    • The techniqueis based on malformed user-supplied data • Transform the innocent SQL calls to a malicious call • Cause unauthorized access, deletion of data, or theft of information • All databases can be a target of SQL injection and all are vulnerable to this technique. • The vulnerability is in the application layer outside of the database, and the moment that the application has a connection into the database.
  • 16.
    • https://www.owasp.org/index.php/Query_Parameterization_Cheat_S heet#Parameterized_Query_Examples • www.slideshare.net •www.beyondsecurity.com • www.breakthesecurity.cysecurity.org • http://www.esecurityplanet.com/ • http://resources.infosecinstitute.com/best-free-and-open-source-sql- injection-tools/