SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester

•Download as PPTX, PDF•

0 likes•208 views

SQL injection is one of the most common ways that hackers gain access to your SQL server. Do you know how to protect your data from malicious users? This session will provide an overview of how SQL injection works as well as T-SQL examples and techniques to protect against it. We’ll also take a look at why some commonly used techniques aren’t as secure as many people think. If you ever write or maintain dynamic SQL queries then this session is for you.

Technology

SQL Injection Attacks:
Is Your Data Secure?
| Bert Wagner | March 24, 2018

Objective
SQL injection prevention does not have an “easy” solution

Disclaimers
• Try this at home
• Not at work
• Not on other people’s systems

Background
• Business Intelligence Developer
• Tech security enthusiast
• Saw my first injection attempts in ~2001 – MySQL logs
Demo code and slides available at bertwagner.com

Overview
1. Importance of SQL injection protection
2. Dynamic SQL
3. What does SQL injection look like?
4. Common misconceptions
5. Preventing SQL injection

• Data Leaks
• Data Validity
• Server Availability

Dynamic SQL
“Just because you can, doesn’t mean you should.”
• Can’t parameterize
everything
• Adaptable Queries
• Performance
However…

What is SQL Injection?
• Dynamic string execution
• Unsanitized input (could be from a column or parameter)
• Performing something the query wasn’t originally intended to do

What is SQL Injection?
SQL injection can occur without concatenated parameters too

Common Misconceptions
“The structure of my
database isn’t public”
You don’t have a Users table? Products?
Inventory? etc...
“The Amazing Bert”

Common Misconceptions
“I obfuscate my table names”
sys.objects? Errors displayed in app?
Logs, emails, social engineering…?

Common Misconceptions
“The developers should validate, restrict output”
True. But multiple layers of security are better than one.
Front end validation doesn’t stop malicious users Server side validation stops some

Common Misconceptions
“I’m not important enough to get hacked”
Automated injection tools target everyone
https://github.com/sqlmapproject/sqlmap/wiki/Techniques

Common Misconceptions
“I use an ORM to code my SQL queries”
ORMs are still vulnerable if you need to pass an argument that can’t be
parameterized by SQL Server or if you use a vulnerable stored procedure
ORMs are vulnerable other ways too:
https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-allow-sql-injection/

Protecting Against SQL Injection
Must take a multi-layered approach.
Demos:
• Don’t write dynamic SQL
• sp_executesql
• QUOTENAME()
• REPLACE()
• EXECUTE AS
• Limit inputs
• Homoglyph attacks
• Proactively find injection vulnerabilities

Recap
• No easy, single-approach solution
• Validate, sanitize, escape
• Developers and DBAs both responsible
• Limit executing account privileges
• Use other software to help test, find vulnerabilities

Thank you!
@bertwagner
bertwagner.com
youtube.com/c/bertwagner
bert@bertwagner.com
20
New posts and videos
every Tuesday!

What's hot

AWS Security Ideas - re:Invent 2016

Teri Radichel

Computer Network Simulation Projects Assistance

Network Simulation Tools

Secured Development

Burhan Khalid

Secure coding practices

Mohammed Danish Amber

A5: Security Misconfiguration

Tariq Islam

OWASP Top Ten in Practice

Security Innovation

Using Maslow's hierarchy of needs to define elegance in system architecture

Alejandro Salado

12 steps to_cloud_security

Wisecube AI

Entrepreneurship for hackers

snyff

This talk will help you, as a decision maker or architect, to understand the risks of migrating a thick client or traditional web application to the modern web. In this talk I’ll give you tools and techniques to make the migration to the modern web painless and secure so you can mitigate common pitfalls without having to make the mistakes first. I’ll be doing demos, and telling lots of stories throughout. Making some good architectural decisions up front can help you: - Minimize the risk of data breach - Protect your user’s privacy - Make security choices easy the easy default for your developers - Understand the cloud security model - Create defaults, policies, wrappers, and guidance for developers - Detect when developers have bypassed security controls

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...

Security Innovation

So Your Company Hired A Pentester

NorthBayWeb

Security testing

Tabăra de Testare

Secure your jenkins

Loves Cloud

What's hot (13)

AWS Security Ideas - re:Invent 2016

Computer Network Simulation Projects Assistance

Secured Development

Secure coding practices

A5: Security Misconfiguration

OWASP Top Ten in Practice

Using Maslow's hierarchy of needs to define elegance in system architecture

12 steps to_cloud_security

Entrepreneurship for hackers

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...

So Your Company Hired A Pentester

Security testing

Secure your jenkins

Similar to SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester

How to Destroy a Database

John Ashmead

Web security

dogangcr

Sql server security in an insecure world

Gianluca Sartori

Luis Grangeia IBWAS

Luis Grangeia

In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what are we doing well and how we can do better. Also, the Web 2.0 has sparked a “social revolution” of the Web, how can security benefit from that revolution? Presented at https://www.owasp.org/index.php/OWASP_IBWAS10

IBWAS 2010: Web Security From an Auditor's Standpoint

Luis Grangeia

Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here

Java application security the hard way - a workshop for the serious developer

Steve Poole

For Business's Sake, Let's focus on AppSec

Lalit Kale

When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems. However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways. My work in the attacker modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that, this is what an attacker would do. They won’t just try to attack your quarterly code reviewed main web site, or consumer mobile app. They won’t directly attack your PCI relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead – they’ll look at your entire company, and they will play dirty. In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas: – Weaknesses in Physical Security – Susceptibility to Phishing – Vulnerability Management Immaturity – Weaknesses in Authentication – Poor Network Segmentation – Loose Data Access Control – Terrible Host / Network Visibility – Unwise Procurement & Security Spending Decisions

Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn

North Texas Chapter of the ISSA

Survey Presentation About Application Security

Nicholas Davis

Owasp tds

snyff

Application Security 101 (OWASP DC)

mikemcbryde

Sql injection

The Avi Sharma

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

Brian Huff

Make your Azure PaaS Deployment More Safe

Thuan Ng

Essential security measures in ASP.NET MVC

Rafał Hryniewski

This talk provides an introduction and detailed overview of Java deserialization attacks. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work, what solutions exist and the advantages and disadvantages of each. Finally, a new approach will be presented, using Runtime Virtualization, Compartmentalization and Privilege De-escalation. This talk was presented by Apostolos Giannakidis at the OWASP London meetup on May 2017.

Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...

Apostolos Giannakidis

Securing the continuous integration

Irene Michlin

Practical Approach towards SQLi ppt

Ahamed Saleem

The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack. This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security. How to Test for the OWASP Top Ten webcast focuses on tell tale markers of the OWASP Top Ten and techniques to hunt them down: • Vulnerability anatomy – how they present themselves • Analysis of vulnerability root cause and protection schemas • Test procedures to validate susceptibility (or not) for each threat

How to Test for The OWASP Top Ten

Security Innovation

Geek Sync | Field Medic’s Guide to Database Mirroring

IDERA Software

Similar to SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester (20)

How to Destroy a Database

Web security

Sql server security in an insecure world

Luis Grangeia IBWAS

IBWAS 2010: Web Security From an Auditor's Standpoint

Java application security the hard way - a workshop for the serious developer

For Business's Sake, Let's focus on AppSec

Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn

Survey Presentation About Application Security

Owasp tds

Application Security 101 (OWASP DC)

Sql injection

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

Make your Azure PaaS Deployment More Safe

Essential security measures in ASP.NET MVC

Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...

Securing the continuous integration

Practical Approach towards SQLi ppt

How to Test for The OWASP Top Ten

Geek Sync | Field Medic’s Guide to Database Mirroring

More from Bert Wagner

The war between DBAs and developers has been raging since the dawn of relational databases. One reason for disagreement comes from developers who want to store their data in JSON because it is fast, standard, and flexible. DBAs cringe when they hear of long text strings being stored in their SQL databases; they cry with concern, “No data validation? No schema binding?”. Is there any hope for these two warring factions to see eye-to-eye? This session will explore the new JSON functionality introduced in SQL Server 2016. We will use T-SQL examples to learn how these functions can be used to parse, create, and modify JSON data. More importantly, we will discuss how to optimize performance when using these functions. By the end of this session DBAs and developers will know how to efficiently work with JSON in SQL Server 2016 and 2017. It will also usher in an era of peace between DBAs and developers… … at least until someone brings up the topics of cursors, NOLOCKs, or Entity Framework.

DBAs vs Developers - JSON in SQL Server

Bert Wagner

DBAs vs Developers: JSON in SQL Server - CBusPASS

Bert Wagner

SQL Server Reporting Services (SSRS) is an easy-to-use tool for automating reports and creating highly visual dashboards. Although SSRS is easy to learn there are many tips and tricks that can improve your report building experience, not to mention make your reports run blazing fast! This rapid-fire session goes over my learnings from the past six years of developing high-performance SSRS reports, including topics like multivalue parameter efficiencies, how to best utilize subreports, and performing SQL CRUD operations with SSRS. Each rapid-fire topic includes sample data and an SSRS reporting example that users will be able to try out for themselves.

High Performance SSRS

Bert Wagner

This session will explore the new JSON functionality introduced in SQL Server 2016 and what improvements are added with 2017. We will use T-SQL examples to learn how these functions can be used to parse, create, and modify JSON data. More importantly, we will discuss how to optimize performance when using these functions. By the end of this session DBAs and developers will know how to efficiently work with JSON in SQL Server 2016. Download demos

DBAs vs Developers: JSON in SQL Server

Bert Wagner

This session will explore the new JSON functionality introduced in SQL Server 2016. We will use T-SQL examples to learn how these functions can be used to parse, create, and modify JSON data. More importantly, we will discuss how to optimize performance when using these functions. By the end of this session DBAs and developers will know how to efficiently work with JSON in SQL Server 2016. Demo code available at https://bertwagner.com/presentations

JSON in SQL Server 2016

Bert Wagner

JSON has become the standard format for transmitting serialized data in today's websites, APIs, and applications. With SQL Server 2016, Microsoft has made it easy to work with JSON strings in T-SQL. This session is an introduction to the new JSON functions added in SQL Server 2016. We will use T-SQL query examples to learn how these new functions can be used to parse, create, and modify JSON data. We will also discuss when it's appropriate to store JSON in databases as well as how to optimize performance when using these new functions. By the end of this presentation DBAs and developers will know how to efficiently work with JSON data in SQL Server 2016.

Json usage and performance in sql server 2016

Bert Wagner

SQL Server Reporting Services (SSRS) is an easy-to-use tool for automating reports and creating highly visual dashboards. Although SSRS is easy to learn there are many tips and tricks that can improve your report building experience, not to mention make your reports run blazing fast! This rapid-fire session goes over my learnings from the past six years of developing high performance SSRS reports, including topics like multivalue parameter efficiencies, how to best utilize subreports, and performing SQL CRUD operations with SSRS.

High Performance SSRS

Bert Wagner

More from Bert Wagner (7)

DBAs vs Developers - JSON in SQL Server

DBAs vs Developers: JSON in SQL Server - CBusPASS

High Performance SSRS

DBAs vs Developers: JSON in SQL Server

JSON in SQL Server 2016

Json usage and performance in sql server 2016

High Performance SSRS

Recently uploaded

Exploring Multimodal Embeddings with Milvus

Zilliz

In this session, we will discuss the journey of API governance from its initial, ungoverned state to the development of sophisticated models that tackle contemporary challenges. We'll explore how APIs have become essential in the intersection of business and technology, adapting to advancements and evolving needs. We'll focus on how organizations have moved from launching to monetizing APIs, using models like pay-per-use and subscriptions, and finding the right balance between technical implementation and business strategy. We'll also highlight the impact of governance on monetization strategies, especially how data security, compliance, and service quality influence pricing. Real-world examples will demonstrate the effective integration of governance with monetization, including AI's role in dynamic pricing. Looking ahead, we'll share insights into future trends in API governance and monetization, emphasizing the importance of adaptability, continuous learning, and innovation.

API Governance and Monetization - The evolution of API governance

WSO2

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

In the ever-evolving landscape of data management, Zero-ETL is an approach that is reshaping how businesses handle and integrate their data. This webinar explores Zero-ETL, a paradigm shift from the traditional Extract, Transform, Load (ETL) process, offering a more streamlined, efficient, and real-time data integration method. We will begin with an introduction to the concept of Zero-ETL, including how it allows direct access to data in its native environment and real-time data transformation, providing up-to-date information with significantly reduced data redundancy. Next, we'll take you through several demonstrations showing how Zero-ETL can deliver real-time data and enable the free movement of data between systems. We will also discuss the various tools that support all aspects of Zero-ETL, providing attendees with an understanding of how they can adopt this innovative approach in their organizations. Lastly, the session will conclude with an interactive Q&A segment, allowing participants to gain deeper insights into how Zero-ETL can be tailored to their specific business needs and how they can get started today. Join us to discover how Zero-ETL can elevate your organization's data strategy.

The Zero-ETL Approach: Enhancing Data Agility and Insight

Safe Software

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....

rightmanforbloodline

Introduction to use of FHIR Documents in ABDM

Kumar Satyam

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Stronger Together: Developing an Organizational Strategy for Accessible Desig...

caitlingebhard1

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Recently uploaded (20)

Exploring Multimodal Embeddings with Milvus

API Governance and Monetization - The evolution of API governance

Design and Development of a Provenance Capture Platform for Data Science

AI in Action: Real World Use Cases by Anitaraj

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

The Zero-ETL Approach: Enhancing Data Agility and Insight

Corporate and higher education May webinar.pptx

TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....

Introduction to use of FHIR Documents in ABDM

MINDCTI Revenue Release Quarter One 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

AWS Community Day CPH - Three problems of Terraform

Stronger Together: Developing an Organizational Strategy for Accessible Desig...

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Six Myths about Ontologies: The Basics of Formal Ontology

WSO2's API Vision: Unifying Control, Empowering Developers

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester

1. SQL Injection Attacks: Is Your Data Secure? | Bert Wagner | March 24, 2018

2. Objective SQL injection prevention does not have an “easy” solution

3. Disclaimers • Try this at home • Not at work • Not on other people’s systems

4. Background • Business Intelligence Developer • Tech security enthusiast • Saw my first injection attempts in ~2001 – MySQL logs Demo code and slides available at bertwagner.com

5. Overview 1. Importance of SQL injection protection 2. Dynamic SQL 3. What does SQL injection look like? 4. Common misconceptions 5. Preventing SQL injection

6. • Data Leaks • Data Validity • Server Availability

7. Dynamic SQL “Just because you can, doesn’t mean you should.” • Can’t parameterize everything • Adaptable Queries • Performance However…

8. What is SQL Injection? • Dynamic string execution • Unsanitized input (could be from a column or parameter) • Performing something the query wasn’t originally intended to do

9. What is SQL Injection? SQL injection can occur without concatenated parameters too

10. Let’s go back to 1998…

11. OWASP 2004

12. OWASP – Present Day

13. Common Misconceptions “The structure of my database isn’t public” You don’t have a Users table? Products? Inventory? etc... “The Amazing Bert”

14. Common Misconceptions “I obfuscate my table names” sys.objects? Errors displayed in app? Logs, emails, social engineering…?

15. Common Misconceptions “The developers should validate, restrict output” True. But multiple layers of security are better than one. Front end validation doesn’t stop malicious users Server side validation stops some

16. Common Misconceptions “I’m not important enough to get hacked” Automated injection tools target everyone https://github.com/sqlmapproject/sqlmap/wiki/Techniques

17. Common Misconceptions “I use an ORM to code my SQL queries” ORMs are still vulnerable if you need to pass an argument that can’t be parameterized by SQL Server or if you use a vulnerable stored procedure ORMs are vulnerable other ways too: https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-allow-sql-injection/

18. Protecting Against SQL Injection Must take a multi-layered approach. Demos: • Don’t write dynamic SQL • sp_executesql • QUOTENAME() • REPLACE() • EXECUTE AS • Limit inputs • Homoglyph attacks • Proactively find injection vulnerabilities

19. Recap • No easy, single-approach solution • Validate, sanitize, escape • Developers and DBAs both responsible • Limit executing account privileges • Use other software to help test, find vulnerabilities

20. Thank you! @bertwagner bertwagner.com youtube.com/c/bertwagner bert@bertwagner.com 20 New posts and videos every Tuesday!

Editor's Notes

Hard to pin point exactly who first discovered SQL injection. DO know that in 1998 already appearing in hacker zines. This examples is showing a SQL query that’s variabalized in some app code
- Web 2.0, shiny buttons and every company trying to make money online. Problem was, no one knew how to do security. Unless you had a really security conscious developer, you were out of luck. Open Web Application Security Project was formed because a group of people realized needed to create education, information about the types of attacks out there. Put together top 10 list In the initial years, these ranked by guessing/first hand experience – no statistics available SQL and other injection attacks ranked as #6.

SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Similar to SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester

Similar to SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester (20)

More from Bert Wagner

More from Bert Wagner (7)

Recently uploaded

Recently uploaded (20)

SQL Injection Attacks - Is Your Data Secure? SQL Saturday Rochester

Editor's Notes