sql injection last few lectures
play

SQL Injection Last Few Lectures XSS - Cross-site scripting - PowerPoint PPT Presentation

Jan 18, 2023 •169 likes •287 views

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

  1. SQL Injection

  2. Last Few Lectures • XSS - Cross-site scripting • XSRF/CSRF - Cross-site request forgery

  3. Code Injection Attacks • Attacker executes arbitrary code on server • “Programming the program” • Not sanitizing user inputs/outputs

  4. SQL Injection • Attacker enters bad information which is sent to the server • Server executes a SQL query with unintended outcomes.

  5. Sample SQL query • dogs(name, breed, owner name) • Danger, lab, Fred • Tinkerbell, poodle, Teri • select * from dogs where owner=‘$name’; • select name from dogs where breed=‘$btype’;

  6. Problem? • $name and $btype are directly passed to the function • select * from dogs where owner=‘$name’; • select name from dogs where breed=‘$btype';

  7. SQL Injection 1. Post malicious input to form 2. Requests unintended SQL query 3. Returns unintended data to attacker

  8. Malicious Input https://xkcd.com/327/

  9. Malicious Input • select * from dogs where owner=‘$name’; • suppose $name was ‘or 1=1- - • or even ′ ; drop table dogs --

  10. How to Thwart • Don’t build SQL commands yourself. • Use parameterized functions where you specify what input you expect.

  11. Demo • hackthissite.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
Vocal fold injection Joseph C. Sniezek, MD FACS COL, MC Tripler Army Medical Center 1 Medical

Vocal fold injection Joseph C. Sniezek, MD FACS COL, MC Tripler Army Medical Center 1 Medical

Vocal fold injection Joseph C. Sniezek, MD FACS COL, MC Tripler Army Medical Center 1 Medical Lectures: 1.Me 2.You Injection laryngoplasty 2 Sniezeks single 5 patients: 2/5 successful injection laryngoplasty in office 2/5 unsuccessful with

146 views • 14 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Lectures 1&2: Change over Time, Select, Navigate 4 labs core foundational

Lectures 1&2: Change over Time, Select, Navigate 4 labs core foundational

Whats when Reading Topics 8 lectures in 4 weeks same as before Lectures 1&2 Manipulate View Mon & Wed, 11am-12:20pm (80 min), Mar 20 - Apr 12, ORCH 3058 Lectures 1&2: Change

158 views • 3 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore Integrity Network Meeting. Calgary Alberta May 14, 2009 Agenda Wellbore integrity Well design with annular integrity Well design without

443 views • 22 slides
Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits Unit February, 2019 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Session Overview Overview: UIC Online

1.01k views • 79 slides
Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

1S-1 An Automatic Place-and-Routed Two- Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro Ueno, Teerachot Siriburanon, Satoshi Kondo, Kenichi Okada, and Akira Matsuzawa Tokyo Institute of

423 views • 10 slides
NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for market expectations Modern cars Demanding users Workshop time saving KME trademark Major assumptions of NEVO system Simple Quick to

222 views • 21 slides
Lectures for 3rd Edition Note: these lectures are often supplemented with other materials and

Lectures for 3rd Edition Note: these lectures are often supplemented with other materials and

Lectures for 3rd Edition Note: these lectures are often supplemented with other materials and also problems from the text worked out on the blackboard. Youll want to customize these lectures for your class. The student audience for these

634 views • 61 slides
Combining objects A class can use another class as a

Combining objects A class can use another class as a

Combining objects A class can use another class as a member variable (a field). This called object composi<on. Use this when you would

390 views • 10 slides
Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer

Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer

Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer www.manichord.com Chrome Dev Tools ( aka F12 ) ? What is Stetho ? Android library project from Facebook Implements Chrome DevTools Protocol

500 views • 14 slides
Career Advice For Young Grasshoppers (or I whish someone told

Career Advice For Young Grasshoppers (or I whish someone told

www.applied-duality.com Career Advice For Young Grasshoppers (or I whish someone told me this 30 years ago) IOBservable<IObservable<Experience>> career

1.08k views • 95 slides
Towards Type-safe Composition of Actors Dominik Charousset, January 2016 1 Problem Statement

Towards Type-safe Composition of Actors Dominik Charousset, January 2016 1 Problem Statement

Towards Type-safe Composition of Actors Dominik Charousset, January 2016 1 Problem Statement 1. Actors lack (message) interfaces 2. Actors hard-code receivers 3. Actors do not compose 2 Actors lack Interfaces Erlang and Akka use dynamic

616 views • 45 slides
Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet

Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet

Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet you, Michael." puts "Michael, welcome to CS 105!" puts "The name of your instructor is Michael

677 views • 26 slides
Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55 OpenSSL CCS bug 24-10-2015 4/55 gotofail 24-10-2015 5/55 Certifjcate handling 24-10-2015 6/55 CVE-2014-6321 in schannel a.k.a. Winshock

774 views • 55 slides
Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3,

Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3,

Parallelism and Ellipsis in Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3, July 2020 The Project in a Nutshell Comparative constructions can have a range of syntactic continuations, from

519 views • 35 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides

More recommend