Web Application Security
Presented by: Md Syed Ahamad
Detection and Prevention of SQL Injection
Project under: Dr. Ferdous Ahmed
Project Role
• Theory
• Analysis
• Implementation
CS200 Detection and Prevention of SQL Injection
Topics
• Introduction
• WebGoat and WebScarab
• Prevention Mechanism and Detection Mechanism
• Methods
• Visual
• Advantage and disadvantage
• Conclusion
Introduction
• Threat Agent – Application Specific
• Attack Vector
  • Exploitability – Easy
• Security Weakness
  • Prevalence – Common
  • Detectability – Average
• Technical impacts – Severe
• Business impacts – Business Specific
WebGoat and WebScarab
• WebGoat – web-based application for demonstrating common web application flaws
  • Application penetration testing techniques
• WebScarab – used as a proxy on localhost in front of WebGoat
  • Shows intercepted requests and responses
  • Parameters can be modified before forwarding
WebScarab
SQL Injection
• Serious threat
• String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
• "SELECT * FROM account WHERE username='" + a + "' AND PIN='" + b + "'";
• Here, a = 998'or'1'='1 and b may be empty or anything.
Prevention Mechanism
• Parametrized Query
• Specific primitive data type
Prevention Mechanism
• Indirect SQL Query
  • Avoid direct SQL queries built from the input
  • Fetch the tuple that corresponds to the input and compare it with the input in application code
  • If a match is found, proceed; otherwise return false
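A worked comparison of the three prevention measures on the two slides above (parametrized query, specific primitive type, indirect query), added here as an example and not code from the deck. It uses an in-memory SQLite table with constructed rows as a stand-in for the deck's `accounts` table; the function names `lookup_concat`, `lookup_param`, `lookup_typed` and `login_indirect` are chosen for this example.

```python
import sqlite3
from typing import Optional

# Constructed in-memory stand-in for the deck's `accounts` table (not from the slides).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID INTEGER, username TEXT, PIN TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(998, "alice", "4321"), (999, "bob", "8765")])
    return conn

def lookup_concat(conn: sqlite3.Connection, cust_id: str) -> int:
    """The deck's string-built query: the parameter becomes part of the SQL text.
    Returns the number of rows matched."""
    sql = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return len(conn.execute(sql).fetchall())

def lookup_param(conn: sqlite3.Connection, cust_id: str) -> int:
    """Parametrized query: the value is bound as data and is never parsed as SQL."""
    rows = conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()
    return len(rows)

def lookup_typed(conn: sqlite3.Connection, cust_id: str) -> Optional[int]:
    """Specific primitive type: anything that is not an integer is rejected
    before it reaches the database (None signals rejection)."""
    try:
        cid = int(cust_id)
    except ValueError:
        return None
    return len(conn.execute("SELECT * FROM accounts WHERE custID=?", (cid,)).fetchall())

def login_indirect(conn: sqlite3.Connection, username: str, pin: str) -> bool:
    """Indirect query: fetch the tuple for the username with a bound parameter,
    then compare the stored PIN in application code instead of putting both
    inputs into the WHERE clause."""
    row = conn.execute("SELECT PIN FROM accounts WHERE username=?", (username,)).fetchone()
    if row is None:
        return False
    return row[0] == pin

if __name__ == "__main__":
    db = make_db()
    payload = "998'or'1'='1"  # the deck's own example value for a
    print("concatenated :", lookup_concat(db, payload), "rows")  # every row
    print("parametrized :", lookup_param(db, payload), "rows")   # no row
    print("typed        :", lookup_typed(db, payload))           # None, rejected
    print("indirect     :", login_indirect(db, payload, ""))     # False
```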
Detection Mechanism
• Methods
  • Regular Expression – /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
  • @"(;|\s)(exec|execute|select|insert|update|delete|create|alter|drop|rename|truncate|backup|restore)\s"
• Parametrized
• Visual
• Advantage and disadvantage
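The two detection patterns above, transcribed to Python and run over constructed parameter values (added example, not code from the deck). The first pattern's `/ix` flags map to `re.IGNORECASE | re.VERBOSE`; compiling the second pattern case-insensitively as well is an assumption, since the slide shows no options for it. The samples show what each pattern catches and what it misses, which is the "disadvantage" side the deck's agenda refers to.

```python
import re
from typing import Dict, List

# The slide's first pattern ("'or", plain or URL-encoded), /ix flags kept.
QUOTE_OR = re.compile(r"\w*((%27)|')((%6F)|o|(%4F))((%72)|r|(%52))",
                      re.IGNORECASE | re.VERBOSE)

# The slide's second pattern: a SQL keyword preceded by ';' or whitespace and
# followed by whitespace. Case-insensitive matching is an assumption here.
KEYWORD = re.compile(
    r"(;|\s)(exec|execute|select|insert|update|delete|create|alter|drop|"
    r"rename|truncate|backup|restore)\s",
    re.IGNORECASE)

def scan(value: str) -> List[str]:
    """Return the names of the slide's patterns that fire on one parameter value."""
    hits = []
    if QUOTE_OR.search(value):
        hits.append("quote-or")
    if KEYWORD.search(value):
        hits.append("keyword")
    return hits

# Constructed sample parameter values with the expected verdicts (not from the slides).
SAMPLES: Dict[str, List[str]] = {
    "998'or'1'='1": ["quote-or"],             # the deck's own value, caught
    "998%27or%271%27%3D%271": ["quote-or"],   # URL-encoded form, caught via %27
    "998' or '1'='1": [],                     # a space after the quote: both miss
    "1; drop table accounts now": ["keyword"],
    "D'Orsay": ["quote-or"],                  # benign surname, false positive
    "alice": [],
}

def evaluate() -> Dict[str, List[str]]:
    """Run both patterns over every sample and report which fired."""
    return {value: scan(value) for value in SAMPLES}

if __name__ == "__main__":
    for value, hits in evaluate().items():
        print(f"{value!r:32} -> {hits or 'no match'}")
```

The miss on the third sample and the false positive on the fifth are why the deck pairs the regex scanner with parametrized queries rather than relying on pattern matching alone.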
Detection Mechanism
Conclusion
• It does not solve all injection flaws.
• A hierarchical structure of scanners is required.
• Hash the user's input credentials.