KEMBAR78
Sql Injection attacks and prevention | PPTX
Uploaded byhelloanand
PPTX, PDF26,273 views

Sql Injection attacks and prevention

SQL injection is a critical security vulnerability that allows attackers to execute unintended SQL queries in a database, potentially leading to data theft or loss. To mitigate the risk, it is essential to escape and validate all user input, use prepared statements, and apply the principle of least privilege to database accounts. Additionally, guidelines for safe URL practices and awareness of common SQL injection patterns can help prevent these attacks.

Technology
In this document
Powered by AI

Introduces SQL Injection by explaining how it enables unintended SQL queries to execute in the database, altering original queries.

Describes how SQL injection occurs, providing examples of vulnerable queries and how attackers can extract sensitive data using them.

Outlines the steps in SQL attacks, emphasizing the severe implications of data theft or alteration and the impact on user trust and company security.

Discusses strategies to mitigate SQL injection risks, including input validation, use of prepared statements, and maintaining least privilege principles.

Suggests quick fixes for mitigating SQL injection in legacy systems, lists common SQL injection URL patterns to recognize and avoid.

Provides links for further reading on SQL injection techniques and the OWASP resource for security best practices.

Downloaded 1,289 times
SQL Injection Anand Jain @helloanand Tech at Network18 1
What is it? SQL Injection allows a programmer user specified query to execute in the database 2
Excuse me, WHAT? Unintended SQL queries run in the DB Most of the times it also alters the original query 3
see how it happens we 4
Actual use case $sql = “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234 $result = mysql_query($sql); 5
SQL injected input $sql = “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234; DROP TABLE ARTICLES $result = mysql_query($sql); 6
Ok, but… How will the attacker know what I’ve named my table? 7
Good question 8
There are queries for that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(schema_name),2,3,4, 5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24 from information_schema.schemata -- 9
There are queries for that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(table_name),2,3,4,5 ,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database()-- 10
11
SQL Attack steps • Searching for a vulnerable point • Fingerprinting the backend DB • Enumerating or retrieving data of interest – table dumps, usernames/passwords etc. • Eventual exploiting the system once the information is handy – OS take over, data change, web server take over etc. 12
It is a very serious problem • The attacker can delete, modify or even worse, steal your data • Compromises the safety, security & trust of user data • Compromises a company’s competitiveness or even the ability to stay in business 13
How to mitigate the risk • Escape all user supplied input • Always validate input • Use prepared statements – For PHP+MySQL – use PDO with strongly typed parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB – Salt them and hash them 14
Escape & Validate input • Escape all input – Whether supplied via the URL or via POST data – Even for internal APIs – Anything that goes to the DB is escaped • Validate all input - Validating a Free Form Text Field for allowed chars (numbers, letters, whitespace, .-_) – ^[a-zA-Z0-9s._-]+$ (Any number of characters) – ^[a-zA-Z0-9s._-]{1-100}$ (This is better, since it limits this field to 1 to 100 characters) • source https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet 15
Least privilege • To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. • Do not assign DBA or admin type access rights to your application accounts. • Don't run your DBMS as root or system! 16
URL rules • No parentheses or angular brackets in the URLs – While saving or generating remove from the URLs – If you really need to have parentheses or angular brackets in the URL, then encode them • URL should not end with two or more dashes “--“ – While saving or generating remove these from the URLs • URL should not end with “/*” – While saving or generating remove these from the URLs • No schema, table or column names should be part of your URL • These rules should be followed even for AJAX/JSON URLs 17
Quick fixes • For companies that have a large setup or a lot of legacy code that will take a long time to audit and fix, put some SQL injection detection patterns in your Load Balancer itself • Enable mod_security on Apache • Run the RIPS scanner on your PHP code for detecting vulnerabilities - http://sourceforge.net/projects/rips-scanner/ 18
Common (My)SQL injection URL patterns • ending with “--” • ending with “/*” • containing UNION, (ALL), SELECT and FROM • BENCHMARK • Containing “information_schema” • Containing “load_file” 19
Further reading • SQL attacks by example - http://www.unixwiz.net/techtips/sql- injection.html • OWASP - https://www.owasp.org/index.php/SQL_Inject ion 20
source: http://xkcd.com/327/ Thanks 21

More Related Content

PDF
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
PPTX
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
Ppt on sql injection
byashish20012
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPT
Sql injection
byPallavi Biswas
 
Advanced SQL injection to operating system full control (whitepaper)
byBernardo Damele A. G.
 
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Ppt on sql injection
byashish20012
 
SQL Injection
byAsish Kumar Rath
 
Sql injections - with example
byPrateek Chauhan
 
Sql injection
byPallavi Biswas
 

What's hot

PPTX
Sql injection
byHemendra Kumar
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPT
Sql injection
byNitish Kumar
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PPTX
Sql injection
byZidh
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PPT
SQL Injection
byAdhoura Academy
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPTX
SQL injection
byRaj Parmar
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PPTX
SQL INJECTION
byMentorcs
 
PPTX
Presentation on Web Attacks
byVivek Sinha Anurag
 
PDF
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
PPTX
Sql injection
bySasha-Leigh Garret
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PDF
Sql injection with sqlmap
byHerman Duarte
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Sql injection
byHemendra Kumar
 
Sql injection - security testing
byNapendra Singh
 
Sql injection
byNitish Kumar
 
seminar report on Sql injection
byJawhar Ali
 
Sql injection
byZidh
 
Sql injection attack
byRajKumar Rampelli
 
SQL Injection
byAdhoura Academy
 
How to identify and prevent SQL injection
byEguardian Global Services
 
SQL injection prevention techniques
bySongchaiDuangpan
 
A Brief Introduction in SQL Injection
bySina Manavi
 
SQL injection
byRaj Parmar
 
Sql injection
byNikunj Dhameliya
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
SQL INJECTION
byMentorcs
 
Presentation on Web Attacks
byVivek Sinha Anurag
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
Sql injection
bySasha-Leigh Garret
 
Sql injection in cybersecurity
bySanad Bhowmik
 
Sql injection with sqlmap
byHerman Duarte
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 

Similar to Sql Injection attacks and prevention

PDF
20111204 web security_livshits_lecture01
byComputer Science Club
 
PPSX
Web application security
bywww.netgains.org
 
PDF
Not so blind SQL Injection
byFrancisco Ribeiro
 
PPT
Sql injection attacks
bychaitanya Lotankar
 
PPT
Sql injection attacks
byNitish Kumar
 
PDF
My app is secure... I think
byWim Godden
 
PPT
Sql injection attacks
byKumar
 
PPTX
Sql injection
byMehul Boghra
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPTX
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
SQL INJECTION
byAnoop T
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
PDF
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PDF
SQL Injection: complete walkthrough (not only) for PHP developers
byKrzysztof Kotowicz
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
20111204 web security_livshits_lecture01
byComputer Science Club
 
Web application security
bywww.netgains.org
 
Not so blind SQL Injection
byFrancisco Ribeiro
 
Sql injection attacks
bychaitanya Lotankar
 
Sql injection attacks
byNitish Kumar
 
My app is secure... I think
byWim Godden
 
Sql injection attacks
byKumar
 
Sql injection
byMehul Boghra
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
SQL INJECTION
byAnoop T
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
SQL Injection: complete walkthrough (not only) for PHP developers
byKrzysztof Kotowicz
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 

Recently uploaded

PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PPTX
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 

Sql Injection attacks and prevention

  • 1.
    SQL Injection Anand Jain @helloanand Tech at Network18 1
  • 2.
    What is it? SQLInjection allows a programmer user specified query to execute in the database 2
  • 3.
    Excuse me, WHAT? Unintended SQL queries run in the DB Most of the times it also alters the original query 3
  • 4.
    see how ithappens we 4
  • 5.
    Actual use case $sql= “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234 $result = mysql_query($sql); 5
  • 6.
    SQL injected input $sql= “SELECT * FROM ARTICLES WHERE id = “ . $_GET[“id”]; //executed query - SELECT * FROM ARTICLES WHERE ID = 1234; DROP TABLE ARTICLES $result = mysql_query($sql); 6
  • 7.
    Ok, but… How willthe attacker know what I’ve named my table? 7
  • 8.
  • 9.
    There are queriesfor that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(schema_name),2,3,4, 5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21,22,23,24 from information_schema.schemata -- 9
  • 10.
    There are queriesfor that too… http://www.site.com/articles.php ?id=1234 UNION SELECT group_concat(table_name),2,3,4,5 ,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database()-- 10
  • 11.
  • 12.
    SQL Attack steps •Searching for a vulnerable point • Fingerprinting the backend DB • Enumerating or retrieving data of interest – table dumps, usernames/passwords etc. • Eventual exploiting the system once the information is handy – OS take over, data change, web server take over etc. 12
  • 13.
    It is avery serious problem • The attacker can delete, modify or even worse, steal your data • Compromises the safety, security & trust of user data • Compromises a company’s competitiveness or even the ability to stay in business 13
  • 14.
    How to mitigatethe risk • Escape all user supplied input • Always validate input • Use prepared statements – For PHP+MySQL – use PDO with strongly typed parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB – Salt them and hash them 14
  • 15.
    Escape & Validateinput • Escape all input – Whether supplied via the URL or via POST data – Even for internal APIs – Anything that goes to the DB is escaped • Validate all input - Validating a Free Form Text Field for allowed chars (numbers, letters, whitespace, .-_) – ^[a-zA-Z0-9s._-]+$ (Any number of characters) – ^[a-zA-Z0-9s._-]{1-100}$ (This is better, since it limits this field to 1 to 100 characters) • source https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet 15
  • 16.
    Least privilege • Tominimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. • Do not assign DBA or admin type access rights to your application accounts. • Don't run your DBMS as root or system! 16
  • 17.
    URL rules • Noparentheses or angular brackets in the URLs – While saving or generating remove from the URLs – If you really need to have parentheses or angular brackets in the URL, then encode them • URL should not end with two or more dashes “--“ – While saving or generating remove these from the URLs • URL should not end with “/*” – While saving or generating remove these from the URLs • No schema, table or column names should be part of your URL • These rules should be followed even for AJAX/JSON URLs 17
  • 18.
    Quick fixes • Forcompanies that have a large setup or a lot of legacy code that will take a long time to audit and fix, put some SQL injection detection patterns in your Load Balancer itself • Enable mod_security on Apache • Run the RIPS scanner on your PHP code for detecting vulnerabilities - http://sourceforge.net/projects/rips-scanner/ 18
  • 19.
    Common (My)SQL injectionURL patterns • ending with “--” • ending with “/*” • containing UNION, (ALL), SELECT and FROM • BENCHMARK • Containing “information_schema” • Containing “load_file” 19
  • 20.
    Further reading • SQLattacks by example - http://www.unixwiz.net/techtips/sql- injection.html • OWASP - https://www.owasp.org/index.php/SQL_Inject ion 20
  • 21.