KEMBAR78
Sql injections (Basic bypass authentication) | PPTX
Ravindra Singh Rathore, profile picture
Uploaded byRavindra Singh Rathore
996 views

Sql injections (Basic bypass authentication)

This document discusses SQL injections and how to prevent them. It begins by defining SQL injection as the ability to inject SQL commands into a database through an application. It then explains how SQL injections work by exploiting vulnerabilities in user input validation. The document outlines common techniques used in SQL injections and discusses how widespread this issue is. It provides recommendations for input validation, securing databases, and detecting and discouraging SQL injection attacks. The key takeaway is that proper input validation and server hardening are needed to prevent SQL injections.

BY :- RAVINDRA SINGH RATHORE BRANCH :- COMPUTER SCIENCE BATCH :- B3 SQL INJECTIONS
SQL Injections
The ability to inject SQL commands into the database engine through an existing application What is SQL Injection?
SQL Injection  Generally, the purpose of SQL injection is to convince the application to run SQL code that was not intended.  SQL injection occurs when an application processes user-provided data to create a SQL statement without first validating the input.
SQL Injection  The user input is then submitted to a web application database server for execution.  When successfully exploited, SQL injection can give an attacker access to database content or allow the hacker to remotely execute system commands.  In the worst-case scenario, the hacker can take control of the server that is hosting the database.
6 SQL Injection  This exploit can give a hacker access to a remote shell into the server file system.  The impact of a SQL injection attacks depends on – where the vulnerability is in the code, – how easy it is to exploit the vulnerability, – what level of access the application has to the database.  Theoretically, SQL injection can occur in any type of application, but it is most commonly associated with web applications.  The web applications are easy targets because by their very nature they are open to being accessed from the Internet.
It is probably the most common Website vulnerability today! It is a flaw in "web application" development, it is not a DB or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo “templates” are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection HOW COMMON IS IT?
8 How does SQL Injection work? Common vulnerable login query SELECT * FROM users WHERE login = ‘silent' AND password = ‘hexor' (If it returns something then login!) ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = '" + formusr + “’ AND password = '" + formpwd + "'";
9 Injecting through Strings formusr = ' or 1=1 – – formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'
10 SQL Injection Defense It is quite simple: input validation The real challenge is making best practices consistent through all your code Enforce "strong design" in new applications You should audit your existing websites and source code Even if you have an air tight design, harden your servers
11  Define data types for each field  Implement stringent "allow only good" filters  If the input is supposed to be numeric, use a numeric variable in your script to store it  Reject bad input rather than attempting to escape or modify it Input Validation
12 1. Run DB as a low-privilege user account. 2. Remove unused stored procedures and functionality or restrict access to administrators. 3. Change permissions and remove "public" access to system objects. 4. Audit password strength for all user accounts. 5. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server). Harden the Server
13  You may want to react to SQL injection attempts by:  Logging the attempts  Sending email alerts  Blocking the offending IP  Sending back intimidating error messages:  "WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken."  Check with your lawyers for proper wording  This should be coded into your validation scripts Detection and Dissuasion
14  SQL Injection is a fascinating and dangerous vulnerability  All programming languages and all SQL databases are potentially vulnerable  Protecting against it requires  strong design  correct input validation  hardening Conclusion
THANK YOU…

More Related Content

PPT
Web security 2010
byAlok Babu
 
PDF
Owasp top 10
byYasserElsnbary
 
PPTX
Owasp first5 presentation
byAshwini Paranjpe
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PPTX
Secure Code Warrior - Trust no input
bySecure Code Warrior
 
PPTX
SQL Server Security and Intrusion Prevention
byGabriel Villa
 
PPTX
Secure Code Warrior - Least privilege
bySecure Code Warrior
 
PDF
OWASP TOP 10 & .NET
byDaniel Krasnokucki
 
Web security 2010
byAlok Babu
 
Owasp top 10
byYasserElsnbary
 
Owasp first5 presentation
byAshwini Paranjpe
 
Owasp top 10 2017
byibrahimumer2
 
Secure Code Warrior - Trust no input
bySecure Code Warrior
 
SQL Server Security and Intrusion Prevention
byGabriel Villa
 
Secure Code Warrior - Least privilege
bySecure Code Warrior
 
OWASP TOP 10 & .NET
byDaniel Krasnokucki
 

What's hot

PPT
Owasp Top 10
byShivam Porwal
 
PDF
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
byVeracode
 
PDF
Owasp Top 10
byShivam Porwal
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PPTX
Sql injection
byThe Avi Sharma
 
PPT
Get Ready for Web Application Security Testing
byAlan Kan
 
PDF
t r
byelectronicmingle01
 
PDF
Testing Web Application Security
byTed Husted
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
byIshan Mathur
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PPTX
A7 Missing Function Level Access Control
bystevil1224
 
PPTX
OWASP -Top 5 Jagjit
byJagjit Singh Brar
 
PPTX
Evaluation of Web Application Vulnerability Scanners
byyuliana_mar
 
PDF
Top 10 Web Application vulnerabilities
byTerrance Medina
 
PDF
The Complete Web Application Security Testing Checklist
byCigital
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
PDF
Security Awareness
byLucas Hendrich
 
Owasp Top 10
byShivam Porwal
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
byVeracode
 
Owasp Top 10
byShivam Porwal
 
Owasp top 10 security threats
byVishal Kumar
 
Sql injection
byThe Avi Sharma
 
Get Ready for Web Application Security Testing
byAlan Kan
 
t r
byelectronicmingle01
 
Testing Web Application Security
byTed Husted
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
byIshan Mathur
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
A7 Missing Function Level Access Control
bystevil1224
 
OWASP -Top 5 Jagjit
byJagjit Singh Brar
 
Evaluation of Web Application Vulnerability Scanners
byyuliana_mar
 
Top 10 Web Application vulnerabilities
byTerrance Medina
 
The Complete Web Application Security Testing Checklist
byCigital
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Owasp Top 10-2013
byn|u - The Open Security Community
 
Security Awareness
byLucas Hendrich
 

Viewers also liked

PPTX
Sql basic things
byNishil Jain
 
PPTX
Sql Basic Selects
byBob Litsinger
 
PPTX
Sql
byMahfuz1061
 
PPT
4. SQL in DBMS
bykoolkampus
 
PPT
Sql Server Basics
byrainynovember12
 
PPT
SQL : introduction
byShakila Mahjabin
 
PPTX
SQL Basics
byHammad Rasheed
 
PPT
SQL Tutorial - Basic Commands
by1keydata
 
PPT
Sql ppt
byAnuja Lad
 
PPTX
Customer relationship management
bycharanreddy589
 
PPT
Data mining slides
bysmj
 
PPTX
Data mining
byAkannsha Totewar
 
PPT
Customer Relationship Management (CRM)
byJaiser Abbas
 
PPTX
Crm final ppt
byKrishma Sandesra
 
Sql basic things
byNishil Jain
 
Sql Basic Selects
byBob Litsinger
 
Sql
byMahfuz1061
 
4. SQL in DBMS
bykoolkampus
 
Sql Server Basics
byrainynovember12
 
SQL : introduction
byShakila Mahjabin
 
SQL Basics
byHammad Rasheed
 
SQL Tutorial - Basic Commands
by1keydata
 
Sql ppt
byAnuja Lad
 
Customer relationship management
bycharanreddy589
 
Data mining slides
bysmj
 
Data mining
byAkannsha Totewar
 
Customer Relationship Management (CRM)
byJaiser Abbas
 
Crm final ppt
byKrishma Sandesra
 

Similar to Sql injections (Basic bypass authentication)

PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
PDF
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
DOCX
Understanding SQL Injection_ A Guide to Website Security.docx
byOscp Training
 
PPTX
Sql Injection
bypenetration Tester
 
PPTX
Sql injection
byUzair ul Haq Khan
 
PDF
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
PPT
Sql injection
byPallavi Biswas
 
PDF
Op2423922398
byIJERA Editor
 
PPSX
Web application security
bywww.netgains.org
 
PPTX
Whatis SQL Injection.pptx
bySimplilearn
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PPTX
Code injection and green sql
byKaustav Sengupta
 
PPTX
Greensql2007
byKaustav Sengupta
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
SQL Injection: Unraveling the Threats
byInsecureLab
 
PPTX
Sql injection
byNuruzzaman Milon
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
SQL INJECTION
byAnoop T
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
Understanding SQL Injection_ A Guide to Website Security.docx
byOscp Training
 
Sql Injection
bypenetration Tester
 
Sql injection
byUzair ul Haq Khan
 
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
Sql injection
byPallavi Biswas
 
Op2423922398
byIJERA Editor
 
Web application security
bywww.netgains.org
 
Whatis SQL Injection.pptx
bySimplilearn
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Code injection and green sql
byKaustav Sengupta
 
Greensql2007
byKaustav Sengupta
 
sql-inj_attack.pdf
byssuser07cf8b
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
SQL Injection: Unraveling the Threats
byInsecureLab
 
Sql injection
byNuruzzaman Milon
 

Recently uploaded

PPTX
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
PDF
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
PDF
Who Owns the Narrative? Data, Disinformation, and the Missing Voice of Academia
byIsmail Fahmi
 
PDF
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
PDF
Nernst Distribution Law and factors affecting distribution constant
byMithil Fal Desai
 
PPTX
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
DOCX
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
PPTX
PECTORAL REGION.pptx Human anatomy,Bmls,
byKISMAT ALI
 
PPTX
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
PPTX
DPSM-BITDA Introduction Presentation Slides
byGreat Files
 
PPTX
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
PDF
Admin Slides for Oct'25 semester (Progression)
byGreat Files
 
PDF
The purpose of Ethics and Values in a project context webinar, 14 October 202...
byAssociation for Project Management
 
PDF
Admin Slides for Oct'25 semester - PB1_MC5.pdf
byGreat Files
 
PPTX
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
PDF
Yaksha Prashna | General Quiz at RLAC | Amlan Sarkar | Full Set
byAmlan Sarkar
 
PPTX
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
PDF
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
PPTX
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
PDF
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
Who Owns the Narrative? Data, Disinformation, and the Missing Voice of Academia
byIsmail Fahmi
 
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
Nernst Distribution Law and factors affecting distribution constant
byMithil Fal Desai
 
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
PECTORAL REGION.pptx Human anatomy,Bmls,
byKISMAT ALI
 
Nerve lecture 2:strength-duration curve and an introduction to action potential
bydina merzeban
 
DPSM-BITDA Introduction Presentation Slides
byGreat Files
 
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
Admin Slides for Oct'25 semester (Progression)
byGreat Files
 
The purpose of Ethics and Values in a project context webinar, 14 October 202...
byAssociation for Project Management
 
Admin Slides for Oct'25 semester - PB1_MC5.pdf
byGreat Files
 
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
Yaksha Prashna | General Quiz at RLAC | Amlan Sarkar | Full Set
byAmlan Sarkar
 
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 

Sql injections (Basic bypass authentication)

  • 1.
    BY :- RAVINDRASINGH RATHORE BRANCH :- COMPUTER SCIENCE BATCH :- B3 SQL INJECTIONS
  • 2.
  • 3.
    The ability toinject SQL commands into the database engine through an existing application What is SQL Injection?
  • 4.
    SQL Injection  Generally,the purpose of SQL injection is to convince the application to run SQL code that was not intended.  SQL injection occurs when an application processes user-provided data to create a SQL statement without first validating the input.
  • 5.
    SQL Injection  Theuser input is then submitted to a web application database server for execution.  When successfully exploited, SQL injection can give an attacker access to database content or allow the hacker to remotely execute system commands.  In the worst-case scenario, the hacker can take control of the server that is hosting the database.
  • 6.
    6 SQL Injection  Thisexploit can give a hacker access to a remote shell into the server file system.  The impact of a SQL injection attacks depends on – where the vulnerability is in the code, – how easy it is to exploit the vulnerability, – what level of access the application has to the database.  Theoretically, SQL injection can occur in any type of application, but it is most commonly associated with web applications.  The web applications are easy targets because by their very nature they are open to being accessed from the Internet.
  • 7.
    It is probablythe most common Website vulnerability today! It is a flaw in "web application" development, it is not a DB or web server problem Most programmers are still not aware of this problem A lot of the tutorials & demo “templates” are vulnerable Even worse, a lot of solutions posted on the Internet are not good enough In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection HOW COMMON IS IT?
  • 8.
    8 How does SQLInjection work? Common vulnerable login query SELECT * FROM users WHERE login = ‘silent' AND password = ‘hexor' (If it returns something then login!) ASP/MS SQL Server login syntax var sql = "SELECT * FROM users WHERE login = '" + formusr + “’ AND password = '" + formpwd + "'";
  • 9.
    9 Injecting through Strings formusr= ' or 1=1 – – formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'
  • 10.
    10 SQL Injection Defense Itis quite simple: input validation The real challenge is making best practices consistent through all your code Enforce "strong design" in new applications You should audit your existing websites and source code Even if you have an air tight design, harden your servers
  • 11.
    11  Define datatypes for each field  Implement stringent "allow only good" filters  If the input is supposed to be numeric, use a numeric variable in your script to store it  Reject bad input rather than attempting to escape or modify it Input Validation
  • 12.
    12 1. Run DBas a low-privilege user account. 2. Remove unused stored procedures and functionality or restrict access to administrators. 3. Change permissions and remove "public" access to system objects. 4. Audit password strength for all user accounts. 5. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server). Harden the Server
  • 13.
    13  You maywant to react to SQL injection attempts by:  Logging the attempts  Sending email alerts  Blocking the offending IP  Sending back intimidating error messages:  "WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken."  Check with your lawyers for proper wording  This should be coded into your validation scripts Detection and Dissuasion
  • 14.
    14  SQL Injectionis a fascinating and dangerous vulnerability  All programming languages and all SQL databases are potentially vulnerable  Protecting against it requires  strong design  correct input validation  hardening Conclusion
  • 15.