Md Syed Ahamad, profile picture
Uploaded byMd Syed Ahamad
PDF, PPTX349 views

Web Application Security II - SQL Injection

The document presents a project on detecting and preventing SQL injection, detailing methods, mechanisms, and tools like WebGoat and WebScarab. It discusses the nature of SQL injection attacks and their impacts, as well as prevention techniques such as parameterized queries and indirect SQL queries. The conclusion emphasizes the necessity of advanced scanning structures and hashing of user credentials for improved security.

Internet
Related topics:
Web Security Overview

Embed presentation

Download as PDF, PPTX
Web Application Security Presented by: Md Syed Ahamad Detection and Prevention of SQL Injection 1 Project under: Dr. Ferdous Ahmed
Project Role  Theory  Analysis  Implementation CS200Detection and Prevention of SQL Injection 2
Topics  Introduction  Webgoat and WebScarab  Prevention Mechanism and Detection Mechanism  Methods  Visual  Advantage and disadvantage  Conclusion CS200Detection and Prevention of SQL Injection 3
Introduction  Thread Agent – Application Specific  Attack Vector  Exploitability – Easy  Security Weakness  Prevalence – Common  Detectability – Average  Technical impacts – severe  Business impacts – Business Specific CS200Detection and Prevention of SQL Injection 4
WebGoat and WebScarab  WebGoat – Web based application for demonstration of common Web App. Flaws.  Application penetration testing techniques  WebScarab – use as proxy in the localhost for WebGoat.  Shows Request and Response intercept  Parameters can be modified CS200Detection and Prevention of SQL Injection 5
WebScarab CS200Detection and Prevention of SQL Injection 6
SQL Injection  Serious thread  String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";  Select * from account where username=‘”+a+”’ and PIN=‘”+b+”’;  Here, a=998’or’1’=‘1, b may be empty or anything. CS200Detection and Prevention of SQL Injection 7
Prevention Mechanism  Parametrized Query  Specific primitive data type CS200Detection and Prevention of SQL Injection 8
Prevention Mechanism  Indirect SQL Query  Avoid Direct SQL Query  Some tuple similar to the input is taken out and match  If match is found go ahead otherwise return false CS200Detection and Prevention of SQL Injection 9
Detection Mechanism  Methods  Regular Expression – /w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))/ix  @"(;|s)(exec|execute|select|insert|update|delete|create|alter|drop|rename|truncate |backup|restore)s"  Parametrized  Visual  Advantage and disadvantage CS200Detection and Prevention of SQL Injection 10
Detection Mechanism CS200Detection and Prevention of SQL Injection 11
Conclusion  Its not solving the all injection flaws.  Hierarchical structure of Scanner is required.  Hashing of user’s input credentials. CS200Detection and Prevention of SQL Injection 12

More Related Content

PDF
Sql Injection and XSS
byMike Crabb
 
PDF
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
byijtsrd
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPT
Sql injection attacks
byKumar
 
PPTX
Sql injection attack
byRaghav Bisht
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
Sql Injection and XSS
byMike Crabb
 
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site
byijtsrd
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
Sql Injection attacks and prevention
byhelloanand
 
Sql injection attacks
byKumar
 
Sql injection attack
byRaghav Bisht
 
SQL injection prevention techniques
bySongchaiDuangpan
 
seminar report on Sql injection
byJawhar Ali
 

What's hot

PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PPTX
Web Security: SQL Injection
byVortana Say
 
PDF
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
PPTX
SQL Injection in action with PHP and MySQL
byPradeep Kumar
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PDF
What is advanced SQL Injection? Infographic
byJW CyberNerd
 
PPT
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPTX
Ppt on sql injection
byashish20012
 
PPT
SQL Injection
byAdhoura Academy
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
SQL Injection
byAsish Kumar Rath
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Sql injection - security testing
byNapendra Singh
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
Web Security: SQL Injection
byVortana Say
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
SQL Injection in action with PHP and MySQL
byPradeep Kumar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
What is advanced SQL Injection? Infographic
byJW CyberNerd
 
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
Sql injection attack
byRajKumar Rampelli
 
Ppt on sql injection
byashish20012
 
SQL Injection
byAdhoura Academy
 

Similar to Web Application Security II - SQL Injection

PDF
Cryptoghaphy
byanita bodke
 
PDF
Ijcet 06 10_005
byIAEME Publication
 
PPTX
SQL INJECTION ATTACKS.pptx
byREMEGIUSPRAVEENSAHAY
 
PDF
SQL injection Colombo Cybersecurity Meetup
byJanith Malinga
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PDF
Approaches to detect and prevent sql injection in web applications
bySandeep Kumbhar
 
PDF
Devoid Web Application From SQL Injection Attack
byIJRESJOURNAL
 
PDF
SQL Injection Prevention by Adaptive Algorithm
byIOSR Journals
 
PDF
E017131924
byIOSR Journals
 
PDF
Spi dynamik-sql-inj
bydrkimsky
 
PDF
Ijcatr04041018
byEditor IJCATR
 
PPSX
Web application security
bywww.netgains.org
 
PDF
Op2423922398
byIJERA Editor
 
PPT
Sql
byManish Dixit Ceh
 
PDF
ieee
byRadheshyam Dhakad
 
PDF
IRJET - SQL Injection: Attack & Mitigation
byIRJET Journal
 
PPT
8 sql injection
bydrewz lin
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PDF
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
PPTX
SQL Injection and Clickjacking Attack in Web security
byMoutasm Tamimi
 
Cryptoghaphy
byanita bodke
 
Ijcet 06 10_005
byIAEME Publication
 
SQL INJECTION ATTACKS.pptx
byREMEGIUSPRAVEENSAHAY
 
SQL injection Colombo Cybersecurity Meetup
byJanith Malinga
 
How to identify and prevent SQL injection
byEguardian Global Services
 
Approaches to detect and prevent sql injection in web applications
bySandeep Kumbhar
 
Devoid Web Application From SQL Injection Attack
byIJRESJOURNAL
 
SQL Injection Prevention by Adaptive Algorithm
byIOSR Journals
 
E017131924
byIOSR Journals
 
Spi dynamik-sql-inj
bydrkimsky
 
Ijcatr04041018
byEditor IJCATR
 
Web application security
bywww.netgains.org
 
Op2423922398
byIJERA Editor
 
Sql
byManish Dixit Ceh
 
ieee
byRadheshyam Dhakad
 
IRJET - SQL Injection: Attack & Mitigation
byIRJET Journal
 
8 sql injection
bydrewz lin
 
Understanding and preventing sql injection attacks
byKevin Kline
 
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
SQL Injection and Clickjacking Attack in Web security
byMoutasm Tamimi
 

More from Md Syed Ahamad

PDF
Bulk-Synchronous-Parallel - BSP
byMd Syed Ahamad
 
PDF
E mail protocol - SMTP
byMd Syed Ahamad
 
PDF
3rdYearStudentProject
byMd Syed Ahamad
 
PPTX
Coap based application for android phones-end
byMd Syed Ahamad
 
PPTX
Coap based application for android phones
byMd Syed Ahamad
 
PPTX
Hierarchical clustering techniques
byMd Syed Ahamad
 
PPTX
Gps technology presentation
byMd Syed Ahamad
 
PDF
Web application security I
byMd Syed Ahamad
 
PDF
Sociolinguistic and law
byMd Syed Ahamad
 
PDF
Wlan 802.11n - MAC Sublayer
byMd Syed Ahamad
 
Bulk-Synchronous-Parallel - BSP
byMd Syed Ahamad
 
E mail protocol - SMTP
byMd Syed Ahamad
 
3rdYearStudentProject
byMd Syed Ahamad
 
Coap based application for android phones-end
byMd Syed Ahamad
 
Coap based application for android phones
byMd Syed Ahamad
 
Hierarchical clustering techniques
byMd Syed Ahamad
 
Gps technology presentation
byMd Syed Ahamad
 
Web application security I
byMd Syed Ahamad
 
Sociolinguistic and law
byMd Syed Ahamad
 
Wlan 802.11n - MAC Sublayer
byMd Syed Ahamad
 

Recently uploaded

PPTX
AWS Architecture Design Icons Template.pptx
bybiqtor1
 
PPTX
Living in IT Era Module 5 - (DIGITAL TECHNOLOGY AND SOCIAL CHANGES).pptx
bycjregua03
 
PDF
Weaponizing the Neutral Web: Analyzing Adversary Botnets for Offensive Cyber ...
byJoe Slowik
 
PDF
The Girl Who Left a Mark - Deep Impact of Kindness to a person
byAnoop Singh Nagi
 
PDF
Beacon Kit paper date: 11 February 2026 pdf
bySteven McGee
 
PPTX
Your Complete Brand Protection Guide with Fieldwatch.ai!
byFieldwatch ai
 
PDF
Top 3 Snapchat Monitoring Apps of 2026 for Activity Tracking
byMichael Carter
 
AWS Architecture Design Icons Template.pptx
bybiqtor1
 
Living in IT Era Module 5 - (DIGITAL TECHNOLOGY AND SOCIAL CHANGES).pptx
bycjregua03
 
Weaponizing the Neutral Web: Analyzing Adversary Botnets for Offensive Cyber ...
byJoe Slowik
 
The Girl Who Left a Mark - Deep Impact of Kindness to a person
byAnoop Singh Nagi
 
Beacon Kit paper date: 11 February 2026 pdf
bySteven McGee
 
Your Complete Brand Protection Guide with Fieldwatch.ai!
byFieldwatch ai
 
Top 3 Snapchat Monitoring Apps of 2026 for Activity Tracking
byMichael Carter
 

Web Application Security II - SQL Injection

  • 1.
    Web Application Security Presentedby: Md Syed Ahamad Detection and Prevention of SQL Injection 1 Project under: Dr. Ferdous Ahmed
  • 2.
    Project Role  Theory Analysis  Implementation CS200Detection and Prevention of SQL Injection 2
  • 3.
    Topics  Introduction  Webgoatand WebScarab  Prevention Mechanism and Detection Mechanism  Methods  Visual  Advantage and disadvantage  Conclusion CS200Detection and Prevention of SQL Injection 3
  • 4.
    Introduction  Thread Agent– Application Specific  Attack Vector  Exploitability – Easy  Security Weakness  Prevalence – Common  Detectability – Average  Technical impacts – severe  Business impacts – Business Specific CS200Detection and Prevention of SQL Injection 4
  • 5.
    WebGoat and WebScarab WebGoat – Web based application for demonstration of common Web App. Flaws.  Application penetration testing techniques  WebScarab – use as proxy in the localhost for WebGoat.  Shows Request and Response intercept  Parameters can be modified CS200Detection and Prevention of SQL Injection 5
  • 6.
  • 7.
    SQL Injection  Seriousthread  String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";  Select * from account where username=‘”+a+”’ and PIN=‘”+b+”’;  Here, a=998’or’1’=‘1, b may be empty or anything. CS200Detection and Prevention of SQL Injection 7
  • 8.
    Prevention Mechanism  ParametrizedQuery  Specific primitive data type CS200Detection and Prevention of SQL Injection 8
  • 9.
    Prevention Mechanism  IndirectSQL Query  Avoid Direct SQL Query  Some tuple similar to the input is taken out and match  If match is found go ahead otherwise return false CS200Detection and Prevention of SQL Injection 9
  • 10.
    Detection Mechanism  Methods Regular Expression – /w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))/ix  @"(;|s)(exec|execute|select|insert|update|delete|create|alter|drop|rename|truncate |backup|restore)s"  Parametrized  Visual  Advantage and disadvantage CS200Detection and Prevention of SQL Injection 10
  • 11.
    Detection Mechanism CS200Detection andPrevention of SQL Injection 11
  • 12.
    Conclusion  Its notsolving the all injection flaws.  Hierarchical structure of Scanner is required.  Hashing of user’s input credentials. CS200Detection and Prevention of SQL Injection 12