What is a web application?

• Any application that is commonly served via the HTTP or HTTPS
  protocol.
• Usually served from a remote computer acting as the host or the
  server.
Why is Web Application Security Important?

• Web applications are used to perform most major tasks or website
  functions. They include forms that collect personal, classified and
  confidential information such as medical history, credit and bank
  account information, as well as user satisfaction feedback.
• If your organization is legally bound by legislation to protect the
  privacy and security of personally identifiable information, and
  hackers can get at this sensitive information, you run the risk of
  being found guilty of non-compliance.
• Almost 75 percent of attacks are tunneling through web applications.
• The consequences of a security breach are great: loss of revenue,
  damage to credibility, legal liability and loss of customer trust.
• On average, there are anywhere from 5 to 15 defects per 1,000 lines
  of code.
• A 5-year Pentagon study concluded that it takes an average of 75
  minutes to track down one defect.
• Fixing one of these defects takes 2 to 9 hours each. That translates
  to 150 hours, or roughly $30,000, to clean every 1,000 lines of code.
• Researching each of the 4,200 vulnerabilities published by CERT for
  just 10 minutes would have required one staffer to research for 17.5
  full workweeks, or 700 hours.
• Gartner Group estimates that a company with 1,000 servers can spend
  $300,000 to test and deploy a patch; most companies deploy several
  patches a week.
How Hackers Get In?

Browser-based attacks use flaws in the web-based application code.
Software most vulnerable to these types of attacks includes:
• User interface code: provides the look and feel of the site.
• Web server: supports the physical communication between the user's
  browser and the web applications.
• Front-end applications: interface directly with the user interface
  code and with back-end systems.
Common Vulnerabilities

Hack attack                  What hackers use it for
Cookie Poisoning             Identity theft / Session hijack
Hidden Field Manipulation    eShoplifting
Parameter Tampering          Fraud
Buffer Overflow              Denial of service / Closure of business
Cross-Site Scripting         Hijacking / Identity theft
Backdoor and Debug Options   Trespassing
Forceful Browsing            Breaking and entering
HTTP Response Splitting      Phishing, identity theft and eGraffiti
Known Vulnerabilities        Taking control of the site
SQL Injection                Manipulation of DB information
Broken Authentication        Login without authentication / Trespassing
Information Leakage          Trespassing
SQL Injections
Securing your script/DB
What is SQL injection?

• SQL injection is an attack in which malicious code is inserted into
  strings that are later passed to an instance of SQL Server for
  parsing and execution.
• The primary form of SQL injection consists of direct insertion of
  code into user-input variables that are concatenated with SQL
  commands and executed.
• A less direct attack injects malicious code into strings that are
  destined for storage in a table or as metadata.
• The injection process works by prematurely terminating a text string
  and appending a new command. Because the inserted command may have
  additional strings appended to it before it is executed, the attacker
  terminates the injected string with the comment mark "--"; subsequent
  text is ignored at execution time.
Exploiting a Basic Vulnerability

Consider a web application deployed by a book retailer that enables
users to search for books by author, publisher, etc.
When the user searches for all the books published by Wiley, the
application performs the following query:
SELECT * FROM books WHERE publisher = 'WILEY';

The first part of this query (SELECT * FROM books WHERE publisher =)
comprises the SQL keywords and the names of tables and columns within
the database; all of it was written by the programmer. The last part
('WILEY') is the item of data supplied by the user. String data should
always be encapsulated within ' ' in SQL queries.
Now consider the query that results when the user searches for O'Reilly:
SELECT * FROM books WHERE publisher = 'O'Reilly';
In this case the interpreter generates an error, since the quote inside
the user's data terminates the string literal early and Reilly' is not
valid SQL syntax.

When an application behaves in this manner, it is wide open to SQL
injection.
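The two searches above, run against an in-memory SQLite database, as an added example (not code from the slides; the table contents are constructed, and SQLite stands in for the retailer's MySQL server). It shows the concatenated query failing on O'Reilly and the same search written with a placeholder succeeding:

```python
import sqlite3

# Constructed sample rows standing in for the retailer's books table
# (not taken from the slides).
BOOKS = [
    ("Professional PHP", "WILEY"),
    ("Learning SQL", "O'Reilly"),
    ("Head First PHP", "O'Reilly"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, publisher TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", BOOKS)
    return conn


def search_unsafe(conn, publisher):
    """Query built by string concatenation, as on the slide: the user's text
    becomes part of the SQL grammar. A quote inside the data (O'Reilly)
    closes the string literal early and the parser rejects the statement."""
    sql = "SELECT title FROM books WHERE publisher = '" + publisher + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, publisher):
    """Parameterized form: the query structure is sent with a placeholder
    and the value is bound afterwards, so a quote in the data can never
    close the literal. The publisher name is compared purely as data."""
    sql = "SELECT title FROM books WHERE publisher = ?"
    return sorted(row[0] for row in conn.execute(sql, (publisher,)))


def demo():
    """Runs the cases from the slide and returns their outcomes:
    (unsafe search for WILEY, error text from the unsafe O'Reilly search,
    safe search for O'Reilly)."""
    conn = make_db()
    wiley = search_unsafe(conn, "WILEY")
    try:
        search_unsafe(conn, "O'Reilly")
        error = None                 # would mean the quote caused no problem
    except sqlite3.Error as exc:
        error = str(exc)             # the slide's "not valid SQL syntax" case
    oreilly = search_safe(conn, "O'Reilly")
    return wiley, error, oreilly


if __name__ == "__main__":
    print(demo())
```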
Injecting Into Different Statement Types

SELECT statement
• SELECT statements are used to retrieve information from the database.
• The entry point of SQL injection attacks is normally the WHERE clause
  of the query, in which the user-supplied data is passed to the
  database to control the scope of the query result.
• Since the WHERE clause is usually the final component of the query,
  the attacker can use the comment symbol (--) to truncate the query at
  his input without invalidating any syntax.
With the input ' OR 1=1-- in the username field, the login query becomes:
SELECT * FROM register WHERE uname='' OR 1=1-- ' && pword='abc123'
You are logged in as the first registered user.
INSERT statement
• INSERT statements are used to create a new row of data within a table.
  INSERT INTO users(uname,password,id,priv) VALUES
  ('daf','secret',2241,1)
• If the username or password fields are vulnerable to SQL injection,
  the attacker can insert arbitrary values into the database, assign
  admin privileges to himself, etc.
• In the case of a completely blind attack, the attacker may not know
  in advance the number and type of fields, so he can keep adding
  additional fields to VALUES until the desired account is created.
UPDATE statement
• UPDATE statements are used to modify one or more existing rows of
  data within a table.
• These are used in functions where the user modifies his existing
  information, e.g. changing contact information, changing password,
  etc.
• It works in a similar way to the INSERT statement, except that it has
  a WHERE clause to tell the database which rows to update.
  UPDATE users SET password='newsecret' WHERE user =
  'marcus' and password = 'secret'
  If the function is vulnerable to SQL injection, the attacker can
  bypass the existing password check and change the password for the
  admin by entering a username that turns the query into:
  UPDATE users SET password='newsecret' WHERE user =
  'admin'-- and password = 'secret'
This way the password part is ignored.
If the attacker uses admin' OR 1=1 -- then the query becomes:
  UPDATE users SET password='newsecret' WHERE user =
  'admin' OR 1=1 -- and password = 'secret'
In this case the password of every user is reset to newsecret.
DELETE statement
• The DELETE statement is used to delete rows from the specified table.
• Here too the WHERE clause specifies which rows to delete, so changes
  to the WHERE clause can have far-reaching effects on the database.
  Consider the query:
  "SELECT * FROM customers WHERE username ='$name'";
  Here $name is provided by the user, so when executed it displays the
  row whose username matches the one provided by the user:
SELECT * FROM customers WHERE username ='anu'
                                         (user input)
If the user instead enters the malicious input
';DELETE FROM customers WHERE 1=1 --
the query becomes:
SELECT * FROM customers WHERE username ='';DELETE FROM customers WHERE 1=1 -- '
and, where the database interface executes stacked statements, every
row of the customers table is deleted.
The UNION Operator
• The UNION operator is used to combine the results of two or more
  SELECT statements into a single result set.
• If there is a SQL injection vulnerability in the SELECT statement,
  the attacker can use the UNION operator to perform another query and
  combine its result with the first one.
  SELECT * FROM customer WHERE name = '$name'
  This returns the original result. With the input
  anu' UNION SELECT id,name FROM product --
  the query becomes:
SELECT * FROM customer WHERE name = 'anu'
UNION
SELECT id,name FROM product-- '
which shows all the rows of the customer table along with the data
from the product table.
NOTE:
• When the results of two queries are combined using the UNION
  operator, the two result sets must have the same structure (the same
  number of columns). For example,
  SELECT name FROM CUSTOMER WHERE name='' UNION
  SELECT id,name FROM product-- ''
  fails with the error "The used SELECT statements have a different
  number of columns".
• Also, the attacker has to know the name of the target database table
  along with its relevant column names.
Preventing SQL Injections

• Partially effective measures:
  ◦ Because single quotation marks play an important role in SQL
    injection, a common approach is to escape any user-entered single
    quotation mark by doubling it up.
    - This method proves ineffective when numeric data is being
      embedded into SQL queries, since no quotes surround the value.
    - It also fails against second-order injection, when data that has
      been inserted with an INSERT query is later used in another SQL
      query.
  ◦ Using custom stored procedures can also help provide security.
    - But using them does not guarantee prevention of SQL injection,
      since a procedure can itself contain SQL injection
      vulnerabilities within its code.
    - Also, the procedure may be invoked in an unsafe way using
      user-supplied input.
• Parameterized Queries:
  The construction of queries involving user input is performed in two
  steps:
  ◦ The application specifies the structure of the query, leaving a
    placeholder for each item of user input.
  ◦ The application specifies the values for the placeholders.
Example:
<?php

  $mysqli = new mysqli("server", "username", "password", "database_name");
  // mysqli is a class that represents a connection between PHP and MySQL
  if ($mysqli->connect_error) {
      die("Connection failed: " . $mysqli->connect_error);
  }

  $unsafe_variable = $_POST["user-input"];

  // table and column names taken from the INSERT example above
  $stmt = $mysqli->prepare("INSERT INTO users (uname) VALUES (?)");
  // prepare() sends the query structure to the server with a placeholder
  // for the value, so the SQL grammar is fixed before any user data is seen

  $stmt->bind_param("s", $unsafe_variable);
  // "s" tells the driver the placeholder holds a string; the value is
  // transmitted separately from the query and is never parsed as SQL

  $stmt->execute();

  $stmt->close();

  $mysqli->close();
  // close the statement and the database connection

?>
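As an added example, not taken from the slides, the following Python/SQLite code puts the login bypass from the SELECT statement section beside the two defences discussed under Preventing SQL Injections: quote doubling, which blocks the quoted payload but not a value embedded in a numeric context, and a parameterized query with input validation, which blocks both. The register table and its rows are constructed, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed rows standing in for the slides' register table.
USERS = [(1, "admin", "s3cret"), (2, "anu", "abc123")]


def make_db():
    """In-memory SQLite database loaded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE register (id INTEGER, uname TEXT, pword TEXT)")
    conn.executemany("INSERT INTO register VALUES (?, ?, ?)", USERS)
    return conn


def login_concat(conn, uname, pword):
    """Vulnerable login check from the SELECT slide: both inputs are spliced
    into the WHERE clause, so the input ' OR 1=1-- turns the check into
    'match every row' and the first registered user is returned."""
    sql = ("SELECT uname FROM register WHERE uname='" + uname +
           "' AND pword='" + pword + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def double_quotes(value):
    """The 'partially effective' measure: every single quote is doubled so
    it stays inside the string literal instead of closing it."""
    return value.replace("'", "''")


def login_escaped(conn, uname, pword):
    """Same concatenation as login_concat, with quote doubling applied
    first. This does block the quoted-string payload."""
    return login_concat(conn, double_quotes(uname), double_quotes(pword))


def profile_by_id_escaped(conn, user_id):
    """Numeric context: the value is not wrapped in quotes, so there is
    nothing for quote doubling to escape and the input is still parsed
    as SQL. This is the slides' 'ineffective for numeric data' case."""
    sql = "SELECT uname FROM register WHERE id=" + double_quotes(user_id)
    return sorted(r[0] for r in conn.execute(sql))


def login_param(conn, uname, pword):
    """Parameterized query: structure first, values bound afterwards; the
    payload is compared as data and matches no user."""
    sql = "SELECT uname FROM register WHERE uname=? AND pword=?"
    row = conn.execute(sql, (uname, pword)).fetchone()
    return row[0] if row else None


def profile_by_id_param(conn, user_id):
    """Numeric input: validate the type, then bind. Anything that is not
    an integer is rejected before it reaches the database."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    sql = "SELECT uname FROM register WHERE id=?"
    return sorted(r[0] for r in conn.execute(sql, (uid,)))


if __name__ == "__main__":
    db = make_db()
    print("concat  :", login_concat(db, "' OR 1=1-- ", "abc123"))
    print("escaped :", login_escaped(db, "' OR 1=1-- ", "abc123"))
    print("numeric :", profile_by_id_escaped(db, "1 OR 1=1"))
    print("param   :", profile_by_id_param(db, "1 OR 1=1"))
```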
• Configuring the PHP Environment:
  There are various configuration options in the php.ini file that can
  affect the application's security, such as:
  ◦ Register Globals: if the register_globals option is enabled, PHP
    creates global variables for all the request parameters. Since it
    is not required to initialize them before use, they can cause
    security issues. It has been removed entirely from PHP 6.
  ◦ Safe Mode: if the safe_mode option is enabled, PHP places
    restrictions on the use of some functions. For example, the
    shell_exec function is disabled since it can be used to execute OS
    commands, and the additional_parameters parameter of the mail
    function is disabled as it can lead to SMTP injection flaws.
  ◦ Magic Quotes: if the magic_quotes_gpc option is enabled, single
    quote, double quote, backslash and NULL characters are
    automatically escaped using a backslash. If the magic_quotes_sybase
    option is enabled, single quotes are escaped using single quotes
    instead. Magic quotes also alter user data that does not need
    escaping, so the slashes then have to be removed using the
    stripslashes function. Magic quotes have been removed from PHP 6.
• addslashes:
  You can also perform your own escaping of the required input
  parameters by passing them through the addslashes function, but only
  when required. If magic quotes are enabled when addslashes is used,
  the input is escaped twice (double slashes); the database reads the
  doubled backslash as a literal backslash, leaving the quote that
  follows it unescaped.
• mysql_real_escape_string():
  It calls the MySQL library function mysql_real_escape_string, which
  prepends a backslash to the following characters:
  \x00, \n, \r, \, ', " and \x1a.
Recent attacks using SQL injections

• On February 5, 2011 HBGary, a technology security firm, was broken
  into by Anonymous using a SQL injection in their CMS-driven website.
• On March 27, 2011 mysql.com, the official homepage for MySQL, was
  compromised by TinKode using blind SQL injection.
• On June 27, 2011, Lady Gaga's website was hacked by a group of US
  cyber attackers called SwagSec and thousands of her fans' personal
  details were stolen from her website.
• In October 2011, a Malaysian hacker managed to extract data from
  www.canon.com.cn by exploiting a vulnerability he came across. He
  reported the vulnerability to the company himself within minutes,
  claiming to have used SQL injection.
THANK YOU!

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Web application security

  • 2. What is a web-application?
    - Any application that is commonly served via the http or https protocol.
    - Usually served from a remote computer acting as the host or the server.
  • 3. Why is Web Application Security Important?
    - Web applications are used to perform most major tasks or website functions. They include forms that collect personal, classified and confidential information such as medical history, credit and bank account information, as well as user satisfaction feedback.
    - If your organization is legally bound by legislation to protect the privacy and security of personally identifiable information, and hackers can get at this sensitive information, you run the risk of being found guilty of non-compliance.
    - Almost 75 percent of attacks are tunneling through web applications.
    - The consequences of a security breach are great: loss of revenues, damage to credibility, legal liability and loss of customer trust.
  • 4.
    - On average, there are anywhere from 5 to 15 defects per 1,000 lines of code.
    - A 5-year Pentagon study concluded that it takes an average of 75 minutes to track down one defect.
    - Fixing one of these defects takes 2 to 9 hours each. That translates to 150 hours, or roughly $30,000, to clean every 1,000 lines of code.
    - Researching each of the 4,200 vulnerabilities published by CERT for just 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours.
    - Gartner Group estimates that a company with 1,000 servers can spend $300,000 to test and deploy a patch; most companies deploy several patches a week.
  • 5. How Hackers Get In?
    Browser-based attacks use flaws in the web-based application code. Software most vulnerable to these types of attacks includes:
    - User interface code -- provides the look and feel of the site.
    - Web server -- supports the physical communication between the user's browser and the web applications.
    - Front-end applications -- interface directly with the user interface code and with back-end systems.
  • 6. Common Vulnerabilities

    Hack attack                   What hackers use it for
    ---------------------------   ------------------------------------------
    Cookie Poisoning              Identity theft / Session Hijack
    Hidden Field Manipulation     eShoplifting
    Parameter Tampering           Fraud
    Buffer Overflow               Denial of Service / Closure of Business
    Cross-Site Scripting          Hijacking / Identity Theft
    Backdoor and Debug Options    Trespassing
    Forceful Browsing             Breaking and Entering
    HTTP Response Splitting       Phishing, Identity Theft and eGraffiti
    Known Vulnerabilities         Taking control of the site
    SQL Injection                 Manipulation of DB information
    Broken Authentication         Login without authentication / Trespassing
    Information leakage           Trespassing
  • 8. What is SQL injection?
    - SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
    - The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.
    - A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
    - The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with the comment mark "--". Subsequent text is ignored at execution time.
  • 9. Exploiting a Basic Vulnerability
    Consider a web application deployed by a book retailer that enables users to search for books by author, publisher, etc. When the user searches for all the books published by Wiley, the application performs the following query:

        SELECT * FROM books WHERE publisher = 'WILEY';

    The part "SELECT * FROM books WHERE publisher =" comprises the SQL keywords and the names of tables and columns within the database; all of it was written by the programmer. The value WILEY is the item of data supplied by the user. String data should always be encapsulated within ' ' in SQL queries.
  • 10. Now consider the following query when the user searches for O'Reilly:

        SELECT * FROM books WHERE publisher = 'O'Reilly';

    In this case the interpreter would generate an error, since Reilly' is not valid SQL syntax. When an application behaves in such a manner, it is wide open to SQL injection.
  • 11. Injecting Into Different Statement Types
    SELECT statement
    - SELECT statements are used to retrieve information from the database.
    - The entry point of SQL injection attacks is normally the WHERE clause of the query, in which the user-supplied data is passed to the database to control the scope of the query result.
    - Since the WHERE clause is usually the final component of the query, the attacker can use the comment symbol (--) to truncate the query right after his input without invalidating any syntax.
  • 12. Entering the following as the username:

        ' OR 1=1--

    turns the login query into:

        SELECT * FROM register WHERE uname='' OR 1=1-- ' && pword='abc123'
  • 13. You are logged in as the first registered user.
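    The login bypass of slides 10 to 13, as an added example that is not part of the deck: it uses Python's sqlite3 as a stand-in for the PHP/MySQL setup the slides assume, with a constructed two-row register table (alice, bob). login_unsafe builds the query by string concatenation exactly as the slides do, so the O'Reilly input breaks the statement and the ' OR 1=1-- input matches the first registered user; login_safe binds the same inputs as parameters and neither input does anything special.

```python
import sqlite3

# Constructed sample rows, not from the deck: the 'register' table of slide 12.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "abc123")]


def make_register_db():
    """In-memory SQLite stand-in for the MySQL database the slides assume."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE register (uname TEXT, pword TEXT)")
    conn.executemany("INSERT INTO register VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_login_query(uname, pword):
    """Deliberately vulnerable: the slide's pattern of gluing input into the SQL text."""
    return ("SELECT uname FROM register WHERE uname='" + uname
            + "' AND pword='" + pword + "'")


def login_unsafe(conn, uname, pword):
    """Runs the concatenated query.
    Returns ('ok', matched_uname_or_None) or ('error', message)."""
    try:
        row = conn.execute(build_login_query(uname, pword)).fetchone()
    except sqlite3.OperationalError as exc:
        # A lone quote (O'Reilly) breaks the statement, exactly as on slide 10.
        return ("error", str(exc))
    # With ' OR 1=1-- as uname the WHERE clause is always true and the
    # trailing password check is commented out, so the first row wins.
    return ("ok", row[0] if row else None)


def login_safe(conn, uname, pword):
    """Parameterized form: the driver binds both inputs as plain values."""
    row = conn.execute(
        "SELECT uname FROM register WHERE uname=? AND pword=?", (uname, pword)
    ).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    db = make_register_db()
    print(build_login_query("' OR 1=1-- ", "abc123"))
    print("unsafe:", login_unsafe(db, "' OR 1=1-- ", "abc123"))   # first registered user
    print("unsafe:", login_unsafe(db, "O'Reilly", "x"))           # syntax error
    print("safe:  ", login_safe(db, "' OR 1=1-- ", "abc123"))     # no match
```

    Printing build_login_query's output is the quickest way to see the slide-12 effect: the comment swallows everything from "--" to the end of the line, so the password condition never reaches the engine.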
  • 14. INSERT statement
    - INSERT statements are used to create a new row of data within a table.

        INSERT INTO users(uname,password,id,priv) VALUES ('daf','secret',2241,1)

    - If the username or password fields are vulnerable to SQL injection, the attacker can insert arbitrary values into the database, assign admin privileges to himself, etc.
    - In the case of a completely blind attack, the attacker may not know in advance the number and type of fields, so he can keep adding additional fields to VALUES until the desired account is created.
  • 15. UPDATE statement
    - UPDATE statements are used to modify one or more existing rows of data within a table.
    - These are used in functions where the user modifies his existing information, e.g. changing contact information, changing password, etc.
    - It works in a similar way to the INSERT statement, except that it has a WHERE clause to tell the database which rows to update.

        UPDATE users SET password='newsecret' WHERE user = 'marcus' and password = 'secret'

    If the function is vulnerable to SQL injection, the attacker can bypass the existing password check and change the password
  • 16. for the admin by entering the query as:

        UPDATE users SET password='newsecret' WHERE user = 'admin'-- and password = 'secret'

    This way the password part is ignored. If the attacker uses admin' OR 1=1 -- then the query becomes:

        UPDATE users SET password='newsecret' WHERE user = 'admin' OR 1=1 -- and password = 'secret'

    In this case the password of every user is reset to newsecret.
  • 17. DELETE statement
    - The DELETE statement is used to delete rows from the specified table.
    - In this case also the WHERE clause is used to specify which rows to delete. Hence changes to the WHERE clause can have far-reaching effects on the database.

        "SELECT * FROM customers WHERE username ='$name'";

    In the above query $name is provided by the user, so when executed it will display the row where username matches the one provided by the user.
  • 18.
        SELECT * FROM customers WHERE username ='anu'

    Here 'anu' is the user input.
  • 19. If the user enters the malicious input

        ';DELETE FROM CUSTOMER WHERE 1=1 --'

    the query becomes:

        SELECT * FROM CUSTOMER WHERE name='';DELETE FROM CUSTOMER WHERE 1=1 --''
  • 20. The UNION Operator
    - The UNION operator is used to combine the results of two or more SELECT statements into a single result set.
    - If there is a SQL injection vulnerability in the SELECT statement, the attacker can use the UNION operator to perform another query and combine its result with the first one.

        SELECT * FROM customer WHERE name = '$name'

    This would return the original result.
  • 21. Appending the input

        ' UNION SELECT id,name FROM product -- '

    to the search term turns the query into:

        SELECT * FROM customer WHERE name = 'anu' UNION SELECT id,name FROM product-- ' '
  • 22. Shows all the rows of the customer table along with the data from the product table:
  • 23. NOTE:
    - When the results of two queries are combined using the UNION operator, the two result sets must have the same structure.

        SELECT name FROM CUSTOMER WHERE name='' UNION SELECT id,name FROM product-- ''

        The used SELECT statements have a different number of columns

    - Also the attacker should know the name of the target database table along with its relevant column names.
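    The UNION behaviour of slides 20 to 23, as an added example that is not from the deck: Python's sqlite3 stands in for MySQL, and the customer and product tables with their rows are constructed here. customers_unsafe concatenates the name as the slides do, so a UNION with a matching column count merges the two tables into one result set and a UNION with a different column count is rejected by the engine with its own error text (SQLite's wording differs from the MySQL message on slide 23). customers_safe binds the name as a parameter, so the same input is just a string that matches no customer.

```python
import sqlite3


def make_shop_db():
    """Constructed stand-ins for the deck's customer and product tables (not its data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "anu"), (2, "marcus")])
    conn.executemany("INSERT INTO product VALUES (?, ?)", [(10, "book"), (11, "pen")])
    conn.commit()
    return conn


def customers_unsafe(conn, name):
    """Deliberately vulnerable lookup from slide 20: the name is spliced into the SQL text.
    Returns ('ok', sorted rows) or ('error', message) so the UNION structure rule is visible."""
    sql = "SELECT id, name FROM customer WHERE name='" + name + "'"
    try:
        return ("ok", sorted(tuple(r) for r in conn.execute(sql)))
    except sqlite3.OperationalError as exc:
        # Raised when the two SELECTs do not have the same number of columns.
        return ("error", str(exc))


def customers_safe(conn, name):
    """Parameterized lookup: the whole input is one bound value, so UNION never reaches the parser."""
    rows = conn.execute("SELECT id, name FROM customer WHERE name=?", (name,))
    return ("ok", sorted(tuple(r) for r in rows))


if __name__ == "__main__":
    db = make_shop_db()
    print(customers_unsafe(db, "anu"))
    print(customers_unsafe(db, "anu' UNION SELECT id,name FROM product-- "))  # both tables
    print(customers_unsafe(db, "anu' UNION SELECT name FROM product-- "))     # column-count error
    print(customers_safe(db, "anu' UNION SELECT id,name FROM product-- "))    # nothing matches
```

    Because UNION (without ALL) de-duplicates through a sorted temporary result, the merged rows come back in (id, name) order; the functions sort explicitly so the result does not depend on that detail.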
  • 24. Preventing SQL Injections
    - Partially effective measures:
      ◦ Because single quotation marks play an important role in SQL injection, a common approach is to escape any user-entered single quotation mark by doubling it up.
        - The above method proves ineffective when numeric data is being embedded into SQL queries.
        - It also fails against second-order injection, where data that was inserted using an INSERT query is later used in another SQL query.
      ◦ Using custom stored procedures can also help provide security.
        - But using them does not guarantee prevention of SQL injection, since a procedure can itself contain SQL injection vulnerabilities within its code.
        - The same holds if the procedure is invoked in an unsafe way using user-supplied input.
  • 25. Parameterized Queries: The construction of queries involving user input is performed in two steps:
    ◦ The application specifies the structure of the query, leaving placeholders for each user input.
    ◦ The application specifies values for the placeholders.
  • 26. Example:

        <?php
        // mysqli is a class that represents a connection between MySQL and PHP
        $mysqli = new mysqli("server", "username", "password", "database_name");
        $unsafe_variable = $_POST["user-input"];
        // prepare() parses the SQL statement with a placeholder for the user input;
        // "table" and "column" are placeholder names here, and both are reserved
        // words in MySQL, so they must be backtick-quoted to be valid identifiers
        $stmt = $mysqli->prepare("INSERT INTO `table` (`column`) VALUES (?)");
        // "s" means the database expects a string
        $stmt->bind_param("s", $unsafe_variable);
        $stmt->execute();
        $stmt->close();
        $mysqli->close(); // close database connection
        ?>
  • 27. Configuring the PHP Environment: There are various configuration options in the php.ini file that can affect the application's security, such as:
    ◦ Register Globals: If the register_globals option is enabled, PHP creates global variables for all the request parameters. Since they are not required to be initialized before use, they can cause security issues. It has been removed entirely from PHP 6.
    ◦ Safe Mode: If the safe_mode option is enabled, PHP places restrictions on the use of some functions. For example, the shell_exec function is disabled since it can be used to execute OS commands, and the additional_parameters parameter of the mail function is disabled as it can lead to SMTP injection flaws, etc.
  • 28.
    ◦ Magic Quotes: If the magic_quotes_gpc option is enabled, single quote, double quote, backslash and NULL characters are automatically escaped using a backslash. If the magic_quotes_sybase option is enabled, single quotes are escaped using single quotes. Magic quotes can alter user data that does not need escaping, so the slashes then have to be removed using the stripslashes function. Magic quotes have been removed from PHP 6.
    - addslashes: You can also perform your own escaping of the required input parameters by passing them through the addslashes function, only when required. When using addslashes, if magic quotes are enabled this leads to double escaping (i.e. double slashes), which is interpreted as a literal backslash, leaving the user input unescaped.
  • 29. mysql_real_escape_string(): It calls the library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
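    The prevention material of slides 24 to 29, as an added example that is not from the deck: Python's sqlite3 stands in for PHP/MySQL, the users table and its rows are constructed, and quote-doubling stands in for the escaping functions discussed (SQLite does not use backslash escaping, so the backslash-specific double-escaping problem of slide 28 is not reproduced here). It shows the three points of slide 24 side by side with the two-step parameterized query of slides 25 and 26: quote-escaping is enough when the value sits inside a quoted literal, it does nothing in a numeric context, and it cannot help a second-order case where a safely stored value is later concatenated into another query.

```python
import sqlite3


def escape_single_quotes(value):
    """The partial measure from slide 24: double up every single quote in the input."""
    return value.replace("'", "''")


def make_users_db():
    """Constructed users table, not the deck's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT, priv INTEGER)")
    conn.executemany("INSERT INTO users(id, uname, priv) VALUES (?, ?, ?)",
                     [(1, "admin", 1), (2, "marcus", 0), (3, "O'Reilly", 0)])
    conn.commit()
    return conn


def names_by_uname_escaped(conn, uname):
    """Quoted string context: doubling quotes keeps the whole input inside the literal."""
    sql = "SELECT uname FROM users WHERE uname='" + escape_single_quotes(uname) + "'"
    return [r[0] for r in conn.execute(sql)]


def names_by_id_escaped(conn, id_text):
    """Numeric context (slide 24's failure case): no quotes surround the value,
    so quote-escaping changes nothing and the input is spliced straight into the SQL."""
    sql = "SELECT uname FROM users WHERE id=" + escape_single_quotes(id_text)
    return sorted(r[0] for r in conn.execute(sql))


def names_by_id_param(conn, id_text):
    """Parameterized query (slides 25-26): structure first, value bound afterwards.
    Text that is not a number simply matches no integer id."""
    return [r[0] for r in conn.execute("SELECT uname FROM users WHERE id=?", (id_text,))]


def register_then_lookup(conn, uname, second_query_parameterized):
    """Second-order case from slide 24: the INSERT is parameterized and stores the
    name intact, but a later query re-reads it and concatenates it.
    Returns the (uname, priv) rows that second query produces."""
    conn.execute("INSERT INTO users(uname, priv) VALUES (?, 0)", (uname,))
    stored = conn.execute("SELECT uname FROM users WHERE uname=?", (uname,)).fetchone()[0]
    if second_query_parameterized:
        rows = conn.execute("SELECT uname, priv FROM users WHERE uname=?", (stored,))
    else:
        rows = conn.execute("SELECT uname, priv FROM users WHERE uname='" + stored + "'")
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = make_users_db()
    print(names_by_uname_escaped(db, "O'Reilly"))      # escaping handles a legitimate quote
    print(names_by_id_escaped(db, "2 OR 1=1"))         # every user: nothing to escape
    print(names_by_id_param(db, "2 OR 1=1"))           # [] with the bound parameter
    print(register_then_lookup(make_users_db(), "eve' OR priv=1--", False))  # admin row leaks
    print(register_then_lookup(make_users_db(), "eve' OR priv=1--", True))   # only eve's own row
```

    The second-order case is the one escaping-based schemes miss most often: the stored value was never "unsafe" at INSERT time, so only parameterizing every query that later reads it back keeps it inert.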
  • 30. Recent attacks using SQL injections
    - On February 5, 2011 HBGary, a technology security firm, was broken into by Anonymous using a SQL injection in their CMS-driven website.
    - On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using blind SQL injection.
    - On June 27, 2011, Lady Gaga's website was hacked by a group of US cyber attackers called SwagSec and thousands of her fans' personal details were stolen from her website.
    - In October 2011, a Malaysian hacker managed to extract data from www.canon.com.cn by exploiting a vulnerability he came across. He himself reported the vulnerability to the company within minutes, claiming to have used SQL injection.