Scribd Logo
Upload

Welcome to Scribd!

  • 12 views

    SQL Injection Technique Upload

    Uploaded by

    Om Sutariya
    SQL injection is a code injection technique that allows attackers to execute malicious SQL statements to extract or modify data in a database. It works by inserting SQL code through vulnerable web forms instead of expected user input. This can allow attackers to determine database schema, extract data, bypass authentication, and modify or delete data. Proper input sanitization, use of prepared statements, limiting database privileges, and web application firewalls can help defend against SQL injection attacks.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    SQL Injection Technique Upload

    Uploaded by

    Om Sutariya
    12 views19 pages
    SQL injection is a code injection technique that allows attackers to execute malicious SQL statements to extract or modify data in a database. It works by inserting SQL code through vulnerable web forms instead of expected user input. This can allow attackers to determine database schema, extract data, bypass authentication, and modify or delete data. Proper input sanitization, use of prepared statements, limiting database privileges, and web application firewalls can help defend against SQL injection attacks.

    Original Description:

    This is about SQL Injection Technique

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    SQL injection is a code injection technique that allows attackers to execute malicious SQL statements to extract or modify data in a database. It works by inserting SQL code through vulnerable web forms instead of expected user input. This can allow attackers to determine database schema, extract data, bypass authentication, and modify or delete data. Proper input sanitization, use of prepared statements, limiting database privileges, and web application firewalls can help defend against SQL injection attacks.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    12 views19 pages

    SQL Injection Technique Upload

    Uploaded by

    Om Sutariya
    SQL injection is a code injection technique that allows attackers to execute malicious SQL statements to extract or modify data in a database. It works by inserting SQL code through vulnerable web forms instead of expected user input. This can allow attackers to determine database schema, extract data, bypass authentication, and modify or delete data. Proper input sanitization, use of prepared statements, limiting database privileges, and web application firewalls can help defend against SQL injection attacks.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    of 19

    • Introduction

    • Attack Intent
    • Real World Examples
    • How SQL Injection works?
    • Impact of SQL injection
    • Defence Against SQL Injection
    • SQL Injection tools
    • Conclusion
    • SQL injection is a code injection technique,
    used to attack data-driven applications, in
    which malicious SQLstatements are inserted
    into an entry field for execution
    • This is a method to attack web applications
    that have a data repository.
    • The attacker would send a specially crafted
    SQL statement that is designed to cause
    some malicious action.
    • Determining database schema
    • Extracting data
    • Adding or modifying data
    • Bypassing authentication
    • On August 17, 2009, the United States Justice
    Department charged an American citizen
    Albert Gonzalez and two Russians with the
    theft of 130 million credit card numbers using
    an SQL injection attack.
    • In 2008 a sweep of attacks began exploiting
    the SQL injection vulnerabilities of Microsoft's
    IIS web server and SQL database server. Over
    500,000 sites were exploited.
    • The ability to inject SQL commands into the
    database engine through an existing
    application
    • SQL injection is the use of publicly available
    fields to gain entry to your database.
    • This is done by entering SQL commands into
    your form fields instead of the expected data.
    • Improperly coded forms will allow a hacker to
    use them as an entry point to your database
    1. App sends form to user. Attacker
    Form
    2. Attacker submits form with SQL
    exploit data. User
    3. Application builds string with ‘ or 1=1--
    exploit data. Pass
    4. Application sends SQL query to
    DB.
    5. DB executes query, including
    exploit, sends data back to Firewall
    application.
    6. Application returns data to user.

    DB Server
    Web Server
    1. Leakage of sensitive
    information.
    2. Reputation decline.
    3. Modification of sensitive
    information.
    4. Loss of control of db server.
    5. Data loss.
    6. Denial of service.
    • Websites require constant access to the
    database.
    • Firewalls provide little or no defense against
    SQL injection attacks.
    • Your website is public and firewalls must be
    set to allow every site visitor access to your
    database, usually over port 80/443.
    • Antivirus programs are equally ineffective at
    blocking SQL injection attacks.
    1. Comprehensive data sanitization
    • Web sites must filter all user input
    • For example, e-mail addresses should be
    filtered to allow only the characters allowed in
    an e-mail address.
    • Its SQL injection defenses can catch most
    attempts to sneak SQL through web channels.
    2. Use a web application firewall
    • A popular example is the free, open source
    module ModSecurity.
    • ModSecurity provides a sophisticated and
    ever-evolving set of rules to filter potentially
    dangerous web requests.
    3. Limit database privileges by context
    • Create multiple database user accounts with
    the minimum levels of privilege for their usage
    environment.
    • For example, the code behind a login page
    should query the database using an account
    limited only to the relevent credentials table.
    • This way, a breach through this channel
    cannot be leveraged to compromise the entire
    database.
    4. Avoid constructing SQL queries with user
    input
    • Even data sanitization routines can be flawed.
    • Using SQL variable binding with prepared
    statements or stored procedures is much safer
    than constructing full queries.
    • BSQL Hacker
    • SQLmap
    • SQLninja
    • Safe3 SQL Injector
    • SQLSus
    • Mole
    • Havij
    • SQL injection is technique for exploiting
    applications that use relational databases as
    their back end.
    • Applications compose SQL statements and
    send to database.
    • SQL injection use the fact that many of these
    applications concatenate the fixed part of SQL
    statement with user-supplied data that forms
    WHERE predicates or additional sub-queries.
    • The technique is based on malformed user-
    supplied data
    • Transform the innocent SQL calls to a malicious
    call
    • Cause unauthorized access, deletion of data, or
    theft of information
    • All databases can be a target of SQL injection and
    all are vulnerable to this technique.
    • The vulnerability is in the application layer
    outside of the database, and the moment that
    the application has a connection into the
    database.

    You might also like