Web Security: SQL Injection
Professor : Dr. Eduard Babulak
Students : Vortana SAY
Budi Chandra
Stephane Moluh
Maharishi University of Management
Department of Computer Science
Computer Professional Program
Computer Security: CS466
February Entry, 2015
Outline
1. Introduction
1. Objective of the project
2. Introduction to SQL injection
2. Architecture of the simulation system
3. Implementation
1. Choice of the technologies
2. SQL injection attacks
3. Demonstration
4. SQL injection countermeasures
5. Demonstration
4. Best Practices
5. Conclusion
Objective of the project
• Provide an overview of SQL injection.
• Examine various technical implementations of SQL injection.
• Present countermeasures against SQL injection.
Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
Introduction to SQL injection
• SQL injection is an attack where the user supplies input in order to construct an SQL request that will retrieve information from the database [1].
• SQL injection is an attack in which SQL code is inserted or appended into application or user input parameters that are later passed to a back-end SQL server for parsing and execution [2].
• SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution [3].
Introduction to SQL injection
SQL injection attack illustrated [4] (figure; the recoverable steps follow)
1. The attacker enters SQL fragments into a web page that uses the input in a query.
2. The application sends the modified query to the database, which executes it.
3. The attacker views unauthorized data.
Introduction to SQL injection
• Vulnerability detection on web applications
• Everything between <FORM> and </FORM> has potential parameters that might be useful [5].
• Look especially for URLs that take parameters through the GET method, e.g. http://test/index.php?id=10 [2].
Introduction to SQL injection
• Vulnerability detection on web applications (Cont')
• POST parameters can be injected using a traffic manipulation tool or a web browser plug-in [2].
• Blind SQL injection can be used to inject input and analyse the database error message, if any is returned.
Introduction to SQL injection
Consequences [6]
• Confidentiality: SQL databases generally contain sensitive data, so loss of confidentiality is a big problem.
• Authentication: if poor SQL commands are used to check user names and passwords, authentication can be compromised.
• Authorization: if authorization information is held in an SQL database, it can be exploited.
• Integrity: an SQL injection attack can change or delete data.
Introduction to SQL injection
• Examples [7]
Company | Date | Results
Mapp.nl (online store) | 2015 | 157,000 email addresses and passwords stolen
US Federal (Army, NASA, ...) | 2013 | more than 100,000 users' information
Yahoo | 2012 | 450,000 plain-text passwords
Ingenicard | 2012 | estimated financial fraud losses of $9 million
Global Payments | 2011 | 950,000 card numbers stolen, estimated loss $92.7 million
Architecture of the simulation system
Choice of Technologies
Web server: LAMP (Linux, Apache, MySQL, PHP)
Web client side: HTML (Hyper Text Markup Language), CSS (Cascading Style Sheets), Bootstrap
Server side: PHP
Tools: web browser: Firefox; Integrated Development Environment (IDE): NetBeans
OS: Ubuntu 14.10
SQL injection attacks
1. Incorrectly filtered escape characters
2. Incorrect type handling
3. Second Order SQL Injection
4. Blind SQL Injection
SQL injection attacks
1. Incorrectly filtered escape characters
• Occurs when user input is not filtered for escape characters: a quote in the input closes the intended string literal and the rest of the input is parsed as SQL.
Example:
Query template, with unfiltered input pasted into the string literals:
SELECT id FROM users WHERE username = '$_GET[usrname]' AND password = '$_GET[psw]';
Query the database receives when both fields contain ' OR '1' = '1:
SELECT id FROM users WHERE username = '' OR '1' = '1' AND password = '' OR '1' = '1';
SQL injection attacks
2. Incorrect type handling
• Occurs when an input is not appropriately typed or is not checked against its type constraints (here a numeric id is concatenated into the query without confirming that it is a number).
Example:
Query:
"SELECT * FROM usersInfo WHERE id=" . $_GET["var_number_id"] . ";"
SQL injection:
1;DROP TABLE users
Interpreted query:
SELECT * FROM usersInfo WHERE id=1;DROP TABLE users;
SQL injection attacks
3. Second Order SQL Injection
• The submitted values containing the SQL injection are first stored in the database (not executed immediately).
• Developers normally trust data that comes from the database.
• The stored injection, once retrieved from the database, may be executed by another part of the application that has no controls against SQL injection.
SQL injection attacks
4. Blind SQL Injection
• The web application is vulnerable to SQL injection, but the results of the injection are not visible to the attacker.
• There is no output from verbose database error messages or in-band data concatenation.
SQL injection attacks
4. Blind SQL Injection (Cont’)
• Partially blind: slight changes are visible in the resulting page.
• Totally blind: the injection produces no difference in the output, so it is harder to determine whether an injection takes place.
SQL injection attacks
4. Blind SQL Injection (Cont')
• SQLMap is an open source testing tool [8].
• It automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
SQLMap tool [8]
Demonstration
SQL Injection countermeasures
1. Hexadecimal Conversion
2. Database permission
3. Pattern check
4. Escaping
5. Parameterized statements
SQL injection countermeasures
1. Hexadecimal Conversion
PHP functions:
• DECHEX: decimal to hexadecimal [9].
• BIN2HEX: convert any other type of variable into hex [9].
MySQL function:
• UNHEX: return a string containing the hex representation of a number [10].
Example (the hex string must reach UNHEX as a quoted string literal):
"SELECT * FROM user WHERE `usrname` = UNHEX('" . bin2hex($userInput) . "')";
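The hexadecimal conversion from this slide, worked through as an added example that is not the project's code: the input is hex-encoded as PHP's bin2hex() would encode it, spliced into the query as a quoted literal, and decoded again on the database side. Python with the standard-library sqlite3 module stands in for the PHP/MySQL stack so it runs offline; because SQLite may lack UNHEX, a user function of that name is registered to mirror MySQL's, and the user table and its rows are constructed for the example.

```python
import sqlite3

HEX_DIGITS = set("0123456789abcdef")


def hex_literal(user_input):
    """What PHP's bin2hex() returns for the input: only [0-9a-f], so the result
    can never contain a quote, a semicolon or a comment marker."""
    return user_input.encode("utf-8").hex()


def unhex(hex_string):
    """Stand-in for MySQL's UNHEX() (assumption: SQLite may not provide it):
    decode the hex text back to the original string."""
    return bytes.fromhex(hex_string).decode("utf-8")


def make_db():
    """In-memory SQLite database with a constructed user table and UNHEX registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("UNHEX", 1, unhex)
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, usrname TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [(1, "alice"), (2, "o'brien")])
    return conn


def build_query(user_input):
    """The slide's query with the hex string quoted as a string literal (the slide's
    own example leaves the quotes out, which MySQL would not parse). The CAST keeps
    the comparison textual even if the database's UNHEX returns a BLOB."""
    return ("SELECT id FROM user WHERE usrname = CAST(UNHEX('"
            + hex_literal(user_input) + "') AS TEXT)")


def literal_is_hex_only(user_input):
    """The premise of the defence: the spliced literal holds nothing but hex digits."""
    return set(hex_literal(user_input)) <= HEX_DIGITS


def find_user(conn, user_input):
    """Run the hex-wrapped lookup and return the matching ids."""
    return [row[0] for row in conn.execute(build_query(user_input))]


if __name__ == "__main__":
    conn = make_db()
    print(find_user(conn, "o'brien"))        # [2]: the quote travels as 27, not as syntax
    print(find_user(conn, "' OR '1' = '1"))  # []: the injection is only a username string
```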
SQL injection countermeasures
2. Securing Database
• Define user role membership clearly and grant only the privileges that are needed.
• Use segregated (separate) database logins.
• Revoke public permissions.
• Use strong cryptography to protect stored sensitive data.
SQL injection countermeasures
3. Pattern check: Input validation using regular expressions
• Whitelisting: the practice of accepting only input that is known to be good.
• Blacklisting: the practice of rejecting only input that is known to be bad.
SQL injection countermeasures
3. Pattern check: Input validation using regular expression
• Whitelist (points should be considered)
• Known value
• Data type
• Data size
• Data range
• Data content
Example for data content:
US Zip code: ^\d{5}(-\d{4})?$
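A whitelist validator covering the five points on this slide (known value, data type, data size, data range, data content), using the zip-code pattern above and the numeric id from the incorrect-type-handling slide. This is an added example, not the project's code, written in Python rather than the project's PHP; the set of known sort columns and the size and range limits are assumptions chosen for the example.

```python
import re

# Whitelist rules, one per check the slide lists. The column set and the
# limits are assumptions chosen for this example.
KNOWN_SORT_COLUMNS = {"id", "username"}          # known value
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")         # data content (the slide's pattern)
MAX_ZIP_LEN = 10                                 # data size
ID_RANGE = (1, 999_999_999)                      # data range


class ValidationError(ValueError):
    """Raised when input falls outside the whitelist; the request is rejected."""


def validate_sort_column(value):
    """Known value: only names from a fixed set may be spliced into ORDER BY,
    a position where a bound parameter cannot be used."""
    if value not in KNOWN_SORT_COLUMNS:
        raise ValidationError(f"unknown sort column: {value!r}")
    return value


def validate_user_id(raw):
    """Data type and data range: a decimal integer within bounds. The
    type-handling slide's "1;DROP TABLE users" never becomes a number."""
    if not re.fullmatch(r"\d{1,9}", raw):
        raise ValidationError(f"id is not a decimal integer: {raw!r}")
    value = int(raw)
    low, high = ID_RANGE
    if not low <= value <= high:
        raise ValidationError(f"id out of range: {value}")
    return value


def validate_zip(raw):
    """Data size first, then data content with the slide's US zip-code pattern.
    fullmatch() is used so a trailing newline cannot slip past the $ anchor."""
    if len(raw) > MAX_ZIP_LEN:
        raise ValidationError("zip code too long")
    if not ZIP_RE.fullmatch(raw):
        raise ValidationError(f"not a US zip code: {raw!r}")
    return raw


def is_accepted(check, raw):
    """True when the whitelist check accepts raw, False when it rejects it."""
    try:
        check(raw)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(is_accepted(validate_zip, "52557-1234"))              # True
    print(is_accepted(validate_user_id, "1;DROP TABLE users"))  # False
```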
SQL injection countermeasures
3. Pattern check: Input validation using regular expression
• Blacklisting
Reject input that contains malicious content
Example of known bad characters, strings or patterns:
[(' OR)|('(''|[^'])*')|(;)|((ALTER|CREATE|DELETE|DROP|EXEC(UTE){0,1}|INSERT( +INTO){0,1}|MERGE|SELECT|UPDATE|UNION( +ALL){0,1}))]
SQL injection countermeasures
4. Escaping
Escape characters that have special meaning in SQL.
Example of forming a valid SQL string literal:
• A single quote (') in a parameter is doubled to two single quotes ('').
• Alternatively, it is escaped with a backslash (\').
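Quote doubling from this slide applied to a lookup, together with its limit: it only protects input that sits inside a quoted string literal, so the numeric query from the incorrect-type-handling slide is left unchanged by it. This is an added example in Python with sqlite3 rather than the project's PHP/MySQL code; the users table and its rows are constructed for the example.

```python
import sqlite3


def escape_sql_string(value):
    """Form a valid SQL string literal by doubling every single quote (the
    standard SQL rule on the slide; MySQL additionally accepts a backslash escape)."""
    return "'" + value.replace("'", "''") + "'"


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "o'brien")])
    return conn


def find_user(conn, username):
    """Lookup with the escaped literal spliced into the statement text; the whole
    input, quotes included, stays one string value."""
    sql = "SELECT id FROM users WHERE username = " + escape_sql_string(username)
    return [row[0] for row in conn.execute(sql)]


def build_id_query(raw_id):
    """The type-handling slide's query with the same quote doubling applied to the
    input. The id is not inside quotes, so there is nothing for escaping to
    neutralise and the text reaches the database unchanged; this context needs a
    type check or a bound parameter instead. Returns the SQL text without running it."""
    return "SELECT * FROM usersInfo WHERE id=" + raw_id.replace("'", "''") + ";"


if __name__ == "__main__":
    conn = make_db()
    print(find_user(conn, "o'brien"))        # [2]: a legitimate quote is handled
    print(find_user(conn, "' OR '1' = '1"))  # []: the value never becomes syntax
    print(build_id_query("1;DROP TABLE users"))  # escaping changed nothing here
```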
SQL injection countermeasures
5. Parameterized statements
• Differentiate between SQL statements and data.
• Use parameters, which act as placeholders or bind variables.
• The website sends only the data that fills the placeholders.
Example:
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
    exit;
}
$stmt->bind_param("i", $id);  // bind the value; it never becomes part of the SQL text
$stmt->execute();
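The two attack slides (incorrectly filtered escape characters and incorrect type handling) and the parameterized-statement countermeasure, placed side by side as an added example that is not part of the original presentation. It uses Python with the standard-library sqlite3 module instead of the project's PHP/MySQL stack so it runs offline; the users table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the simulation system's users table.
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable form from the escape-characters slide: the raw input is pasted
    between the quotes of the SQL text, so a quote in the input ends the literal.
    Returns the ids that matched."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened form: the statement text is fixed and the values travel as bound
    parameters, so the database only ever sees them as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def lookup_by_id_param(conn, raw_id):
    """The type-handling slide's numeric lookup with a bound parameter: the text
    "1;DROP TABLE users" is compared as a value against the id column and matches
    nothing; no second statement is ever parsed."""
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def user_count(conn):
    """Row count, used to confirm the table survived the lookups."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1' = '1"                   # the value injected on the slide
    print(login_concat(conn, bypass, bypass))  # [1, 2]: every account matches
    print(login_param(conn, bypass, bypass))   # []: treated as an ordinary string
    print(lookup_by_id_param(conn, "1;DROP TABLE users"))  # []
    print(user_count(conn))                    # 2: nothing was dropped
```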
Demonstration
Best Practices
1. Code-level defenses
• Data sanitization
• Data validation
• Trust no one (data from either users or the database)
2. Platform-level defenses
• Secure the database
• Change superuser passwords regularly
• Web application firewall
Conclusion
• SQL injection is a dangerous vulnerability.
• It transforms normal SQL calls into malicious ones.
• It leads to unauthorized access, changed or deleted data, and data theft.
• All programming languages and all SQL databases are potentially vulnerable.
• Do not take SQL injection for granted!
REFERENCES
[1] William Stallings, Computer Security: Principles and Practice. United States of America: Pearson Education, 2012, p. 364.
[2] Justin Clarke, SQL Injection Attacks and Defense. United States of America: Elsevier, 2012, p. 22.
[3] [online] 2000, http://en.wikipedia.org/wiki/SQL_injection (Accessed: 15 April 2015).
[4] M. Morana, "OWASP Top 10 And Insecure Software Root Causes," [online] 2008, http://fr.slideshare.net/marco_morana/owasp-top-10-and-insecure-software-root-causes-presentation (Accessed: 20 April 2015).
[5] [online] 2002, http://www.securiteam.com/securityreviews/5DP0N1P76E.html (Accessed: 20 April 2015).
[6] [online] 2014, https://www.owasp.org/index.php/SQL_Injection (Accessed: 14 April 2015).
[7] Ranger78, "SQL INJECTION HALL OF SHAME," [online], http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ (Accessed: 20 April 2015).
[8] [online] 2006-2015, http://sqlmap.org/ (Accessed: 20 April 2015).
[9] [online] 2001-2015, http://php.net/manual/en/index.php (Accessed: 20 April 2015).
[10] [online] 2015, https://dev.mysql.com/doc/refman/5.0/en/string-functions.html (Accessed: 20 April 2015).
Thank you for your attention
Q & A
40

More Related Content

PPTX
Osi security architecture in network.pptx
VinzoCenzo
 
PPTX
Introduction to cyber security
Geevarghese Titus
 
PPTX
Introduction to SDN and NFV
CoreStack
 
PPTX
Wireshark
Kasun Madusanke
 
PPT
Sql injection
Pallavi Biswas
 
PPT
Chapter01
Muhammad Ahad
 
PPTX
Ethical hacking - Footprinting.pptx
Nargis Parveen
 
PPTX
CCNA 4 Hierarchical Network Design
Jonathan Alvarado Covarrubias
 
Osi security architecture in network.pptx
VinzoCenzo
 
Introduction to cyber security
Geevarghese Titus
 
Introduction to SDN and NFV
CoreStack
 
Wireshark
Kasun Madusanke
 
Sql injection
Pallavi Biswas
 
Chapter01
Muhammad Ahad
 
Ethical hacking - Footprinting.pptx
Nargis Parveen
 
CCNA 4 Hierarchical Network Design
Jonathan Alvarado Covarrubias
 

What's hot (20)

PPTX
Malware Classification and Analysis
Prashant Chopra
 
PPT
Chapter07
Muhammad Ahad
 
PPTX
Vulnerability assessment &amp; Penetration testing Basics
Mohammed Adam
 
PPTX
Web Security Attacks
Sajid Hasan
 
PDF
Open Vulnerability Assesment System (OpenVAS)
Information Technology Inistitute
 
PPT
SQL Injection
Adhoura Academy
 
PDF
Module 19 (evading ids, firewalls and honeypots)
Wail Hassan
 
PPT
Apache web-server-architecture
IvanGeorgeArouje
 
PPT
Protection and Security in Operating Systems
vampugani
 
PPTX
Threat modelling(system + enterprise)
abhimanyubhogwan
 
PPTX
NETWORK PENETRATION TESTING
Er Vivek Rana
 
PPTX
Security & protection in operating system
Abou Bakr Ashraf
 
PPTX
OpenVAS
svm
 
PPTX
Lecture 10 intruders
rajakhurram
 
PPTX
User authentication
CAS
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PPT
Sql injection
Nikunj Dhameliya
 
PDF
Nessus Software
Megha Sahu
 
PPTX
Routing algorithms
Parameswaran Selvakumar
 
PPT
Web servers – features, installation and configuration
webhostingguy
 
Malware Classification and Analysis
Prashant Chopra
 
Chapter07
Muhammad Ahad
 
Vulnerability assessment &amp; Penetration testing Basics
Mohammed Adam
 
Web Security Attacks
Sajid Hasan
 
Open Vulnerability Assesment System (OpenVAS)
Information Technology Inistitute
 
SQL Injection
Adhoura Academy
 
Module 19 (evading ids, firewalls and honeypots)
Wail Hassan
 
Apache web-server-architecture
IvanGeorgeArouje
 
Protection and Security in Operating Systems
vampugani
 
Threat modelling(system + enterprise)
abhimanyubhogwan
 
NETWORK PENETRATION TESTING
Er Vivek Rana
 
Security & protection in operating system
Abou Bakr Ashraf
 
OpenVAS
svm
 
Lecture 10 intruders
rajakhurram
 
User authentication
CAS
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Sql injection
Nikunj Dhameliya
 
Nessus Software
Megha Sahu
 
Routing algorithms
Parameswaran Selvakumar
 
Web servers – features, installation and configuration
webhostingguy
 
Ad

Viewers also liked (20)

PDF
DEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
James Arlen
 
PDF
Defcon 22-anton-sapozhnikov-acquire-current-user-hashes-with
Priyanka Aash
 
PDF
Defcon 22-quaddi-r3plicant-hefley-hacking-911
Priyanka Aash
 
PDF
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
DOC
16 Tenses In English
adimursalin888
 
PPT
Management vs. Leadership - Linked 2 Leadership
Linked 2 Leadership
 
PPT
Professional basic selling skills
shehzad Chohan
 
PPTX
Optical fiber communiction system
rahulohlan14
 
PPT
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
PDF
An Anatomy of a SQL Injection Attack
Imperva
 
PDF
Web Application Security 101 - 14 Data Validation
Websecurify
 
PDF
Cryptoghaphy
anita bodke
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
Ahmed AbdelSatar
 
PPTX
Sql injection - security testing
Napendra Singh
 
PPTX
PCI security requirements secure coding and code review 2014
Haitham Raik
 
PDF
Communication progress ltd Startup Grind Tirana Albania
Communication Progress
 
RTF
Flamuri shqiptar
Vilson Shehu
 
PPT
Advanced SQL Injection
amiable_indian
 
PPT
D:\Technical\Ppt\Sql Injection
avishkarm
 
PPTX
Albanian flag
Anida Ago
 
DEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
James Arlen
 
Defcon 22-anton-sapozhnikov-acquire-current-user-hashes-with
Priyanka Aash
 
Defcon 22-quaddi-r3plicant-hefley-hacking-911
Priyanka Aash
 
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
16 Tenses In English
adimursalin888
 
Management vs. Leadership - Linked 2 Leadership
Linked 2 Leadership
 
Professional basic selling skills
shehzad Chohan
 
Optical fiber communiction system
rahulohlan14
 
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
An Anatomy of a SQL Injection Attack
Imperva
 
Web Application Security 101 - 14 Data Validation
Websecurify
 
Cryptoghaphy
anita bodke
 
Defcon 17-joseph mccray-adv-sql_injection
Ahmed AbdelSatar
 
Sql injection - security testing
Napendra Singh
 
PCI security requirements secure coding and code review 2014
Haitham Raik
 
Communication progress ltd Startup Grind Tirana Albania
Communication Progress
 
Flamuri shqiptar
Vilson Shehu
 
Advanced SQL Injection
amiable_indian
 
D:\Technical\Ppt\Sql Injection
avishkarm
 
Albanian flag
Anida Ago
 
Ad

Similar to Web Security: SQL Injection (20)

PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PDF
Protect Your Database_ SQL Injection Attack Prevention.pdf
Sachin FromDev
 
PPTX
Sql Injection
penetration Tester
 
PPTX
Whatis SQL Injection.pptx
Simplilearn
 
PPT
Sql injection attacks
Nitish Kumar
 
DOCX
Understanding SQL Injection_ A Guide to Website Security.docx
Oscp Training
 
PPT
Sql injection attacks
chaitanya Lotankar
 
PPT
Sql injection attacks
Kumar
 
PDF
Op2423922398
IJERA Editor
 
PPTX
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
PPTX
Sql injection
Hemendra Kumar
 
PDF
Spi dynamik-sql-inj
drkimsky
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bankservicehyd
 
PPTX
SQL INJECTION
Anoop T
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
RAKIBULISLAM529074
 
ODP
Database security for PHP
Rohan Faye
 
PPTX
Sql injection ( http://etabz.blogspot.com/2014/11/sql-injection.html )
Ehtisham Ullah
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
PPSX
Web application security
www.netgains.org
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Sql Injection attacks and prevention
helloanand
 
Protect Your Database_ SQL Injection Attack Prevention.pdf
Sachin FromDev
 
Sql Injection
penetration Tester
 
Whatis SQL Injection.pptx
Simplilearn
 
Sql injection attacks
Nitish Kumar
 
Understanding SQL Injection_ A Guide to Website Security.docx
Oscp Training
 
Sql injection attacks
chaitanya Lotankar
 
Sql injection attacks
Kumar
 
Op2423922398
IJERA Editor
 
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
Sql injection
Hemendra Kumar
 
Spi dynamik-sql-inj
drkimsky
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bankservicehyd
 
SQL INJECTION
Anoop T
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
RAKIBULISLAM529074
 
Database security for PHP
Rohan Faye
 
Sql injection ( http://etabz.blogspot.com/2014/11/sql-injection.html )
Ehtisham Ullah
 
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
Web application security
www.netgains.org
 

Recently uploaded (20)

PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
Doc9.....................................
SofiaCollazos
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 

Web Security: SQL Injection

  • 1. Web Security: SQL Injection Professor : Dr. Eduard Babulak Students : Vortana SAY Budi Chandra Stephane Moluh 1 Maharishi University of Management Department of Computer Science Computer Professional Program Computer Security: CS466 February Entry, 2015
  • 2. Outline 1. Introduction 1. Objective of the project 2. Introduction to SQL injection 2. Architecture of the simulation system 3. Implementation 1. Choice of the technologies 2. SQL injection attacks 3. Demonstration 4. SQL injection countermeasures 5. Demonstration 4. Best Practices 5. Conclusion 2
  • 3. Outline 1. Introduction 1. Objective of the project 2. Introduction to SQL injection 2. Architecture of the simulation system 3. Implementation 1. Choice of the technologies 2. SQL injection attacks 3. Demonstration 4. SQL injection countermeasures 5. Demonstration 4. Best Practices 5. Conclusion 3
  • 4. Objective of the project 4 •Provide the overview of SQL Injection. •Examine various technical implementations of the SQL injection. •Countermeasures against the SQL injection. Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 5. Introduction to SQL injection 5 • SQL Injection is an attack where the user supplies input in order to construct SQL request that will retrieve information from Database [1]. • SQL injection is an attack in which the SQL code is inserted or appended into application, or user input parameters that are later passed to a back-end SQL server for parsing and execution [2]. • SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution [3]. Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 6. Introduction to SQL injection 6 SQL Injection attack illustrate [4] 3 Attacker sends data containing SQL fragments Attacker enters SQL fragments into a web page that uses input in a query 1 Attacker views unauthorized data Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions Database 2 Application sends modified query to database, which executes it Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 7. Introduction to SQL injection 7 • Vulnerability detection on web application • Everything between the <FORM> and </FORM> have potential parameters that might be useful [5]. • Try to look especially for URL that takes parameters, like: GET method, i.e.: http://test/index.php?id=10 [2]. Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 8. Introduction to SQL injection 8 • Vulnerability detection on web application (Cont’) • POST parameters can be injected using a traffic manipulation tool or web browser plug-in [2]. • Using blind SQL injection to inject and analyse the error message from database if any. Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 9. Introduction to SQL injection 9 Introduction ConclusionArchitecture of the simulation system Implementation Best Practices Consequences [6] Confidentiality SQL databases generally contains sensitive data, so loss of confidentiality is a big problem. Authentication If poor SQL commands are used to check user names and passwords, authentication can be compromised. Authorization If authorization information is held in a SQL database, it can be exploited. Integrity SQL Injection attack can change or delete data.
  • 10. Introduction to SQL injection 10 • Examples [7] COMPANY DATE RESULTS Mapp.nl (Online store) 2015 157,000 email addresses and passwords were stolen US Federal (Army, NASA, ...) 2013 More than 100,000 user information Yahoo 2012 450,000 plain text passwords Ingenicard 2012 estimated financial fraud losses $9 million Global Payments 2011 950,000 card numbers stolen estimated loss $92.7 million Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 11. Outline 1. Introduction 1. Objective of the project 2. Introduction to SQL injection 2. Architecture of the simulation system 3. Implementation 1. Choice of the technologies 2. SQL injection attacks 3. Demonstration 4. SQL injection countermeasures 5. Demonstration 4. Best Practices 5. Conclusion 11
  • 12. Architecture of the simulation system 12 Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 13. Architecture of the simulation system 13 Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 14. Outline 1. Introduction 1. Objective of the project 2. Introduction to SQL injection 2. Architecture of the simulation system 3. Implementation 1. Choice of the technologies 2. SQL injection attacks 3. Demonstration 4. SQL injection countermeasures 5. Demonstration 4. Best Practices 5. Conclusion 14
  • 15. Choice of Technologies 15 Web Server LAMP (Linux, Apache, MySQL, PHP) Web Client side HTML (Hyper Text Markup Language) CSS (Cascading Style Sheets) Bootstrap Server side PHP Tools Web browser: Firefox Integrated Development Environment (IDE): Netbeans OS Ubuntu 14.10 Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 16. SQL injection attacks 16 1. Incorrectly filtered escape characters 2. Incorrect type handling 3. Second Order SQL Injection 4. Blind SQL Injection Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 17. SELECT id FROM users WHERE username = ‘$_GET[usrname]’ AND password = ‘$_GET[psw]’; SELECT id FROM users WHERE username = ‘’OR ‘1’ = ‘1’ AND password = ‘’OR ‘1’ = ‘1’; SQL injection attacks 17 1. Incorrectly filtered escape characters • When the user input is not filter for escape characters Example: SQL Injection SQL Injection Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 18. SQL injection attacks 18 2. Incorrect type handling • When an input is not appropriately typed or is not checked for type constraints. Example: Query: “SELECT * FROM usersInfo WHERE id= ”.$_GET[“var_number_id”].“;” SQL Injection: 1;DROP TABLE users Interpreted query: SELECT * FROM usersInfo WHERE id=1;DROP TABLE users; SQL Injection Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 19. SQL injection attacks 19 3. Second Order SQL Injection • When the submitted values contain SQL injection are stored in database (not yet executed immediately). • Normally developer trust the data from database. • SQL injection retrieve from database might be executed by another part of that application without controls to protect against SQL injection. Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 20. SQL injection attacks 20 4. Blind SQL Injection • When the web application is vulnerable to an SQL injection, but the results of the injection are not known to the attacker. • No output from verbose database error messages or in-band data concatenation. Introduction ConclusionArchitecture of the simulation system Implementation Best Practices
  • 21. SQL injection attacks 21 4. Blind SQL Injection (Cont’) Introduction ConclusionArchitecture of the simulation system Implementation Best Practices • Slight changes are visible in the resulting page.Partially • they do not produce difference in output so, it is harder to determine if an injection does take place. Totally
  • 22. SQL injection attacks
    4. Blind SQL Injection (Cont')
    SQLMap tool [8]
    • SQLMap is an open source testing tool
    • Automates the process of detecting and exploiting SQL injection flaws and taking over database servers
  • 23. Demonstration
  • 24. SQL Injection countermeasures
    1. Hexadecimal Conversion
    2. Database permission
    3. Pattern check
    4. Escaping
    5. Parameterized statements
  • 25. SQL injection countermeasures
    1. Hexadecimal Conversion
    PHP Functions:
    • DECHEX — Decimal to hexadecimal [9].
    • BIN2HEX — Convert any other type of variable into hex [9].
    MySQL Function:
    • UNHEX — Return a string containing hex representation of a number [10].
    Example:
    "SELECT * FROM user WHERE `usrname` = UNHEX('" . bin2hex($userInput) . "')";
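The hexadecimal conversion above as an added PHP example that is not part of the slides; hex_literal and build_query are hypothetical helpers, and PHP's hex2bin stands in locally for what MySQL's UNHEX() does on the server:

```php
<?php
// Added example, not from the slides. bin2hex() emits only the characters
// 0-9 and a-f, so whatever the user typed, the SQL text receives no quote,
// semicolon or keyword from it; MySQL's UNHEX() then restores the original
// bytes on the server, where they are compared as a plain string value.

function hex_literal(string $userInput): string {
    // Quoted so MySQL reads the argument as a string, not as an identifier.
    return "UNHEX('" . bin2hex($userInput) . "')";
}

function build_query(string $userInput): string {
    return "SELECT * FROM user WHERE `usrname` = " . hex_literal($userInput);
}

$input = "' OR '1' = '1";            // the injection string from slide 17
$sql   = build_query($input);
echo $sql, "\n";

// Check 1: the only user-derived characters in the query are hex digits.
$hex = bin2hex($input);
if (preg_match('/^[0-9a-f]*$/', $hex) !== 1 || strpos($sql, "'1'") !== false) {
    throw new RuntimeException('user-supplied metacharacters reached the SQL text');
}
// Check 2: decoding (hex2bin here, UNHEX on the server) gives back exactly the
// input, so the database compares against the literal string the user typed.
if (hex2bin($hex) !== $input) {
    throw new RuntimeException('round trip failed');
}
echo "ok\n";
```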
  • 26. SQL injection countermeasures
    2. Securing Database
    • Well-defined user role membership, granting only the privileges that are needed
    • Segregated (separate) database logins
    • Revoke public permissions
    • Use strong cryptography to protect stored sensitive data
  • 27. SQL injection countermeasures
    3. Pattern check: Input validation using regular expressions
    • Whitelisting: the practice of only accepting input that is known to be good
    • Blacklisting: the practice of only rejecting input that is known to be bad
  • 28. SQL injection countermeasures
    3. Pattern check: Input validation using regular expressions
    • Whitelist (points that should be considered)
      • Known value
      • Data type
      • Data size
      • Data range
      • Data content
    Example for data content, US Zip code: ^\d{5}(-\d{4})?$
  • 29. SQL injection countermeasures
    3. Pattern check: Input validation using regular expressions
    • Blacklisting: reject input that contains malicious content
    Example of known bad characters, strings or patterns:
    [(' OR)|('(''|[^'])*')|(;)|((ALTER|CREATE|DELETE|DROP|EXEC(UTE){0,1}|INSERT( +INTO){0,1}|MERGE|SELECT|UPDATE|UNION( +ALL){0,1}))]
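Whitelist validation covering the five points listed on slide 28 (known value, data type, data size, data range, data content), as an added PHP example that is not part of the slides; the validator names, the id range of 1..1000000 and the allowed column list are assumptions:

```php
<?php
// Added example, not from the slides. Each validator returns the cleaned
// value or null; only a non-null value may reach the query.

function validate_user_id(string $raw): ?int {
    // Data type: the id parameter from slide 18 must be an integer, not text.
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    // Data range: assumed valid ids for this hypothetical schema.
    return ($id >= 1 && $id <= 1000000) ? $id : null;
}

function validate_zip(string $raw): ?string {
    // Data size and content: the slide's US zip code pattern. The D modifier
    // makes $ match only at the true end, so a trailing newline is rejected.
    return preg_match('/^\d{5}(-\d{4})?$/D', $raw) === 1 ? $raw : null;
}

function validate_sort_column(string $raw): ?string {
    // Known value: column names cannot be bound as query parameters, so they
    // are checked against a fixed list (hypothetical columns).
    $allowed = ['username', 'created_at'];
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Constructed inputs: the first of each pair passes, the second is rejected.
$checks = [
    [validate_user_id('42'), validate_user_id('1;DROP TABLE users')],
    [validate_zip('52557-1234'), validate_zip("52557' OR '1' = '1")],
    [validate_sort_column('username'), validate_sort_column('password')],
];
foreach ($checks as [$good, $bad]) {
    printf("accepted: %s  rejected: %s\n", var_export($good, true), var_export($bad, true));
}
```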
  • 30. SQL injection countermeasures
    4. Escaping
    Escape characters that have special meaning in SQL. Examples of forming a valid SQL string literal:
    • A single quote (') in a parameter becomes two single quotes ('')
    • Or it is escaped using a backslash (\')
  • 31. SQL injection countermeasures
    5. Parameterized statements
    • Differentiate between SQL statements and data.
    • Use parameters, which act exactly like placeholders or bind variables.
    • The website only sends the data that replaces the placeholders.
    Example:
    if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
        echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
    } else {
        $id = 1;
        $stmt->bind_param("i", $id); // the value is bound as an integer, never spliced into the SQL text
        $stmt->execute();
    }
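The slide 17 login query built by string concatenation beside the same query as a parameterized statement, as an added example that is not part of the slides and serves both slide 17 and this countermeasure; it uses PDO with an in-memory SQLite database instead of mysqli/MySQL so it runs stand-alone, and the table, its single row and the inputs are constructed here.

```php
<?php
// Added example, not from the slides. PDO with in-memory SQLite stands in
// for the mysqli/MySQL setup of the presentation. The password is stored in
// plaintext only to mirror the slide's query; real systems store a hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')");

// Vulnerable form from slide 17: the input is spliced into the SQL text, so
// quotes inside it change the structure of the statement.
function login_concat(PDO $db, string $user, string $pass): ?int {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened form: the SQL text is fixed at prepare time; the driver passes the
// inputs as values, so they are only ever compared, never parsed as SQL.
function login_prepared(PDO $db, string $user, string $pass): ?int {
    $stmt = $db->prepare("SELECT id FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$injected = "' OR '1' = '1";   // the input shown on slide 17
foreach (['concat' => 'login_concat', 'prepared' => 'login_prepared'] as $label => $fn) {
    // A real login succeeds either way; the injected string matches a row only
    // against the concatenated query, whose WHERE clause becomes always true.
    printf("%-8s valid user: %s  injected input: %s\n", $label,
        var_export($fn($db, 'alice', 'correct-horse'), true),
        var_export($fn($db, $injected, $injected), true));
}
```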
  • 32. Demonstration
  • 34. Best Practices
    1. Code-level defenses
    • Data sanitization
    • Data validation
    • Trust no one (data from either users or the database)
    2. Platform-level defenses
    • Secure database
    • Change passwords of the super users regularly
    • Web Application Firewall
  • 36. Conclusion
    • SQL Injection is a dangerous vulnerability
    • It transforms normal SQL calls into malicious calls
    • It leads to unauthorized access, modification or deletion of data, and data theft
    • All programming languages and all SQL databases are potentially vulnerable
    • Do not take SQL injection for granted!!
  • 37. REFERENCES
    [1] William Stallings, Computer Security: Principles and Practice. United States of America: Pearson Education, 2012, p. 364.
    [2] Justin Clarke, SQL Injection Attacks and Defense. United States of America: Elsevier, 2012, p. 22.
    [3] [online] 2000, http://en.wikipedia.org/wiki/SQL_injection (Accessed: 15 April 2015).
    [4] M. Morana, "OWASP Top 10 And Insecure Software Root Causes," [online] 2008, http://fr.slideshare.net/marco_morana/owasp-top-10-and-insecure-software-root-causes-presentation (Accessed: 20 April 2015).
  • 38. REFERENCES
    [5] [online] 2002, http://www.securiteam.com/securityreviews/5DP0N1P76E.html (Accessed: 20 April 2015).
    [6] [online] 2014, https://www.owasp.org/index.php/SQL_Injection (Accessed: 14 April 2015).
    [7] Ranger78, "SQL INJECTION HALL OF SHAME," [online], http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ (Accessed: 20 April 2015).
  • 39. REFERENCES
    [8] [online] 2006-2015, http://sqlmap.org/ (Accessed: 20 April 2015).
    [9] [online] 2001-2015, http://php.net/manual/en/index.php (Accessed: 20 April 2015).
    [10] [online] 2015, https://dev.mysql.com/doc/refman/5.0/en/string-functions.html (Accessed: 20 April 2015).
  • 40. Thank you for your attention. Q & A

Editor's Notes

  • #7: http://me5145.blogspot.com/2014_09_01_archive.html
  • #22: Partially Blind Injections: in the resulting page slight changes are visible; for example, one can be redirected to the main page when the injection is unfruitful, whereas the fruitful one will return a blank page. Totally Blind Injections: the totally blind ones do not produce a difference in output of any kind. Hence, it is harder to determine whether an injection does take place. Conditional Responses: the logical statement is evaluated by the database, on the side of the attacker.
  • #27: Every database server platform has a default role to which every login belongs, usually called the public role, which has a default set of permissions that includes access to system objects.
  • #29: ^\d{5} matches exactly five numeric digits at the start of the string. (-\d{4})? matches the dash character plus exactly four digits either once (present) or not at all (not present). $ must appear at the end of the string; if there is additional content at the end of the string, the regular expression will not match.
  • #30: This commonly involves rejecting input that contains content that is specifically known to be malicious by looking through the content for a number of “known bad” characters, strings, or patterns.