Presentation on SQL Injection

Transcript
  • 8/11/2019 Presentation on SQL Injection

    1/19

    SQL INJECTION


    Contents

    SQL

    SQL Injection

    Classification of Attacks

    Attack Techniques

    Prevention Techniques

    Conclusion

    SQL (Structured Query Language)

    Standard language for relational database management systems, as per ANSI.

    Used to perform tasks such as updating data in a database or retrieving data from a database.

    Standard SQL commands include Select, Insert, Delete, Create, and Drop.

    SQL Injection

    A technique used to take advantage of non-validated input to pass SQL commands through a web application for execution by a backend database.

    Programmers often chain together SQL commands with user-provided parameters.


    Classification of Attacks

    Identifying Database Finger-Print

    Identifying Injectable Parameters

    Discovering Database Schema

    Bypassing Authentication

    Extracting/Modifying Database Data

    Downloading/Uploading File

    Attack Techniques

    1. Tautology: Exploit the WHERE clause

    Create a query that always evaluates to true for entries in the database, to bypass authentication pages and extract data. If the attacker submits user' or 1=1 -- in the username input field, the resulting query is:

    SELECT info FROM userTable WHERE username='user' or 1=1 -- AND password=''

    Injecting through input string:

    user = ' or 1=1
    password = anything

    Final query would look like this:

    SELECT * FROM acct WHERE username = '' or 1=1 ' AND password = 'anything'

    2. Piggy-backed Query

    Injecting through input string:

    usr = xyz
    pwd = 0;drop table users

    Final query would look like this:

    SELECT * FROM acct WHERE username = 'xyz' AND password = 0;drop table users

    3. Union Query: To retrieve specific information

    Injecting through input string:

    usr = ' UNION SELECT cardNo from CreditCards where acctNo = 7032 --
    pwd = anything

    Final query would look like this:

    SELECT * FROM acct WHERE username = '' UNION SELECT cardNo from CreditCards where acctNo = 7032 -- AND password = 'anything'

    Prevention Techniques

    1. Use Parameterized Queries

    Separates data from the query.

    Allows creation of static queries with bind variables.
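    As an added example (not part of the original slides), the tautology payload from the attack slides run against both forms of the login query: the chained-string form the deck describes, and the parameterized form with bind variables, plus a white-list username check in the spirit of slide 14. The table name `acct`, the sample account, and the regex are constructed for this demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the deck) with one real account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acct (username TEXT, password TEXT)")
    conn.execute("INSERT INTO acct VALUES ('alice', 'correct-horse')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the deck's 'chained together' query built from user input.
    The input becomes part of the SQL text, so quotes and comments change its meaning."""
    sql = (f"SELECT * FROM acct WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Parameterized form: static query text, input supplied as bind variables.
    The driver passes the values as data, never as SQL syntax."""
    sql = "SELECT * FROM acct WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# White-list validation: define exactly what an authorized username looks like
# (constructed pattern; a real application would use its own rules).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username):
    """True only for input inside the well-defined set of safe values."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' or 1=1 --"  # the tautology payload, entered as the username
    print(login_concat(db, tautology, "anything"))  # True: WHERE is always true
    print(login_param(db, tautology, "anything"))   # False: no such username
    print(is_valid_username(tautology))             # False: rejected before the query
```

    Note that Python's sqlite3 driver refuses more than one statement per execute(), so the piggy-backed `;drop table users` payload fails here for that reason alone; the bind variables, not that driver behaviour, are what protect the application in general.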

    2. Customized Error Messages

    Knowing the database schema makes the attacker's job easier.

    Avoid displaying detailed error messages and stack traces to external users.

    3. White List Based Validation

    Involves defining exactly what IS authorized.

    Allow input within a well-defined set of safe values
    - by defining a very strong validation pattern.

    Implement stringent "known bad" filters.

    E.g.: Reject "select", "insert", "update", "shutdown", "delete", "drop", "--"

    5. Other preventions

    Validate and filter the input data using strong regular expression patterns.

    System Stored Procedure Reduction.

    Encrypting Sensitive Data.

    Conclusion

    Present-day development is more focused on web applications, so there is an urgent need for educating developers and students on SQL Injection. By enabling programmers and system administrators to understand attacks more thoroughly, more attacks will be detected and more countermeasures will be introduced into the system.


    Thank You
