Nitish Kumar, profile picture
Uploaded byNitish Kumar
PPT, PDF561 views

Sql injection attacks

SQL injection attacks involve inserting malicious SQL statements into user input on a web form to manipulate the database. For example, an attacker could enter SQL code that returns all data from the database or deletes an entire table. Developers can prevent this by escaping special characters, validating input syntax, limiting permissions, and using bound parameters instead of concatenating user input into queries.

Embed presentation

Download to read offline
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz
What is a SQL Injection Attack? • Many web applications take user input from a form • Often this user input is used literally in the construction of a SQL query submitted to a database. For example: – SELECT productdata FROM table WHERE productname = ‘user input product name’; • A SQL injection attack involves placing SQL statements in the user input
An Example SQL Injection Attack Product Search: • This input is put directly into the SQL statement within the Web application: – $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” . $_POST[‘prod_search’] . “’”; • Creates the following SQL: – SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’ – Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x
A More Malicious Example • What if the attacker had instead entered: – blah‘; DROP TABLE prodinfo; -- • Results in the following SQL: – SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’ – Note how comment (--) consumes the final quote • Causes the entire database to be deleted – Depends on knowledge of table name – This is sometimes exposed to the user in debug code called during a database error – Use non-obvious table names, and never expose them to user • Usually data destruction is not your worst fear, as there is low economic motivation
Other injection possibilities • Using SQL injections, attackers can: – Add new data to the database • Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site • Perform an INSERT in the injected SQL – Modify data currently in the database • Could be very costly to have an expensive item suddenly be deeply ‘discounted’ • Perform an UPDATE in the injected SQL – Often can gain access to other user’s system capabilities by obtaining their password
Defenses • Use provided functions for escaping strings – Many attacks can be thwarted by simply using the SQL string escaping mechanism • ‘  ’ and “  ” – mysql_real_escape_string() is the preferred function for this • Not a silver bullet! – Consider: • SELECT fields FROM table WHERE id = 23 OR 1=1 • No quotes here!
More Defenses • Check syntax of input for validity – Many classes of input have fixed languages • Email addresses, dates, part numbers, etc. • Verify that the input is a valid string in the language • Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may decide to not allow these • If you can exclude quotes and semicolons that’s good – Not always possible: consider the name Bill O’Reilly • Want to allow the use of single quotes in names • Have length limits on input – Many SQL injection attacks depend on entering long strings
Even More Defenses • Scan query string for undesirable word combinations that indicate SQL statements – INSERT, DROP, etc. – If you see these, can check against SQL syntax to see if they represent a statement or valid user input • Limit database permissions and segregate users – If you’re only reading the database, connect to database as a user that only has read permissions – Never connect as a database administrator in your web application
More Defenses • Configure database error reporting – Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) – Configure so that this information is never exposed to a user • If possible, use bound variables – Some libraries allow you to bind inputs to variables inside a SQL statement – PERL example (from http://www.unixwiz.net/techtips/sql- injection.html) $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email);
Be careful out there!

More Related Content

PPT
Sql injection attacks
bychaitanya Lotankar
 
PPT
Sql injection attacks
byKumar
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PDF
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
byijtsrd
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PDF
Web Application Security 101 - 14 Data Validation
byWebsecurify
 
Sql injection attacks
bychaitanya Lotankar
 
Sql injection attacks
byKumar
 
Sql Injection attacks and prevention
byhelloanand
 
seminar report on Sql injection
byJawhar Ali
 
SQL injection prevention techniques
bySongchaiDuangpan
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
byijtsrd
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Web Application Security 101 - 14 Data Validation
byWebsecurify
 

What's hot

PPT
Sql injection attack
byRajKumar Rampelli
 
PPTX
SQL Injection Defense in Python
byPublic Broadcasting Service
 
PPT
SQL Injection
byAdhoura Academy
 
PPT
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
PPTX
Sql injection
byHemendra Kumar
 
PPT
Advanced SQL Injection
byamiable_indian
 
PPTX
SQL Injection in action with PHP and MySQL
byPradeep Kumar
 
PPT
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
Sql injection
byMathewHarrison3
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPTX
Sql injections
byKK004
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
SQL Injection Attacks cs586
byStacy Watts
 
PPTX
Web Security: SQL Injection
byVortana Say
 
PPT
Advanced Sql Injection ENG
byDmitry Evteev
 
PPTX
Sql injection attack
byRaghav Bisht
 
Sql injection attack
byRajKumar Rampelli
 
SQL Injection Defense in Python
byPublic Broadcasting Service
 
SQL Injection
byAdhoura Academy
 
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
Sql injection
byHemendra Kumar
 
Advanced SQL Injection
byamiable_indian
 
SQL Injection in action with PHP and MySQL
byPradeep Kumar
 
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
Sql injections - with example
byPrateek Chauhan
 
Sql injection
byNikunj Dhameliya
 
Sql injection
byMathewHarrison3
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
Sql injections
byKK004
 
SQL Injection
byAsish Kumar Rath
 
SQL Injection Attacks cs586
byStacy Watts
 
Web Security: SQL Injection
byVortana Say
 
Advanced Sql Injection ENG
byDmitry Evteev
 
Sql injection attack
byRaghav Bisht
 

Viewers also liked

PPTX
Sql injection attack_analysis_py_vo
byJirka Vejrazka
 
PPTX
Protecting your data from SQL Injection attacks
byKevin Alcock
 
PPT
Sql Injection Attacks And Defense Presentatio (1)
byguest32e5cfe
 
PPT
Sql injection
byNitish Kumar
 
PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
PDF
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
byPichaya Morimoto
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PPTX
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
byShivam Sahu
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
PPTX
SQL Injection
byMarios Siganos
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PPTX
Sql injection
byZidh
 
PDF
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
PPT
Sql injection
byPallavi Biswas
 
PDF
Sql Injection Myths and Fallacies
byKarwin Software Solutions LLC
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PDF
How to Become a Thought Leader in Your Niche
byLeslie Samuel
 
Sql injection attack_analysis_py_vo
byJirka Vejrazka
 
Protecting your data from SQL Injection attacks
byKevin Alcock
 
Sql Injection Attacks And Defense Presentatio (1)
byguest32e5cfe
 
Sql injection
byNitish Kumar
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
byPichaya Morimoto
 
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
byShivam Sahu
 
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
SQL Injection
byMarios Siganos
 
Types of sql injection attacks
byRespa Peter
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Sql injection
byZidh
 
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
Sql injection
byPallavi Biswas
 
Sql Injection Myths and Fallacies
byKarwin Software Solutions LLC
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
How to Become a Thought Leader in Your Niche
byLeslie Samuel
 

Similar to Sql injection attacks

PPTX
Code injection and green sql
byKaustav Sengupta
 
PPTX
Greensql2007
byKaustav Sengupta
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPT
Sql security
bySafwan Hashmi
 
PPT
SQL Injection Attacks
byCompare Infobase Limited
 
PPSX
Web application security
bywww.netgains.org
 
PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PPTX
SQL INJECTION
byAnoop T
 
PDF
Sql injection course made by Cristian Alexandrescu
byCristian Alexandrescu
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PPTX
Sql Injection
bypenetration Tester
 
PPTX
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PDF
Op2423922398
byIJERA Editor
 
PPTX
Sql injection
byMehul Boghra
 
PDF
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
Code injection and green sql
byKaustav Sengupta
 
Greensql2007
byKaustav Sengupta
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
Sql security
bySafwan Hashmi
 
SQL Injection Attacks
byCompare Infobase Limited
 
Web application security
bywww.netgains.org
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
SQL INJECTION
byAnoop T
 
Sql injection course made by Cristian Alexandrescu
byCristian Alexandrescu
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
Sql Injection Adv Owasp
byAung Khant
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
Sql Injection
bypenetration Tester
 
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
Op2423922398
byIJERA Editor
 
Sql injection
byMehul Boghra
 
Sql injection bypassing hand book blackrose
byNoaman Aziz
 

Sql injection attacks

  • 1.
    SQL Injection Attacks CS183 : Hypermedia and the Web UC Santa Cruz
  • 2.
    What is aSQL Injection Attack? • Many web applications take user input from a form • Often this user input is used literally in the construction of a SQL query submitted to a database. For example: – SELECT productdata FROM table WHERE productname = ‘user input product name’; • A SQL injection attack involves placing SQL statements in the user input
  • 3.
    An Example SQLInjection Attack Product Search: • This input is put directly into the SQL statement within the Web application: – $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” . $_POST[‘prod_search’] . “’”; • Creates the following SQL: – SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’ – Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x
  • 4.
    A More MaliciousExample • What if the attacker had instead entered: – blah‘; DROP TABLE prodinfo; -- • Results in the following SQL: – SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’ – Note how comment (--) consumes the final quote • Causes the entire database to be deleted – Depends on knowledge of table name – This is sometimes exposed to the user in debug code called during a database error – Use non-obvious table names, and never expose them to user • Usually data destruction is not your worst fear, as there is low economic motivation
  • 5.
    Other injection possibilities •Using SQL injections, attackers can: – Add new data to the database • Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site • Perform an INSERT in the injected SQL – Modify data currently in the database • Could be very costly to have an expensive item suddenly be deeply ‘discounted’ • Perform an UPDATE in the injected SQL – Often can gain access to other user’s system capabilities by obtaining their password
  • 6.
    Defenses • Use providedfunctions for escaping strings – Many attacks can be thwarted by simply using the SQL string escaping mechanism • ‘  ’ and “  ” – mysql_real_escape_string() is the preferred function for this • Not a silver bullet! – Consider: • SELECT fields FROM table WHERE id = 23 OR 1=1 • No quotes here!
  • 7.
    More Defenses • Checksyntax of input for validity – Many classes of input have fixed languages • Email addresses, dates, part numbers, etc. • Verify that the input is a valid string in the language • Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may decide to not allow these • If you can exclude quotes and semicolons that’s good – Not always possible: consider the name Bill O’Reilly • Want to allow the use of single quotes in names • Have length limits on input – Many SQL injection attacks depend on entering long strings
  • 8.
    Even More Defenses •Scan query string for undesirable word combinations that indicate SQL statements – INSERT, DROP, etc. – If you see these, can check against SQL syntax to see if they represent a statement or valid user input • Limit database permissions and segregate users – If you’re only reading the database, connect to database as a user that only has read permissions – Never connect as a database administrator in your web application
  • 9.
    More Defenses • Configuredatabase error reporting – Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) – Configure so that this information is never exposed to a user • If possible, use bound variables – Some libraries allow you to bind inputs to variables inside a SQL statement – PERL example (from http://www.unixwiz.net/techtips/sql- injection.html) $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email);
  • 10.